diff --git a/0001-add-self-def-runtime-for-shimv2.patch b/0001-add-self-def-runtime-for-shimv2.patch index 9f3c3ec..d1865ca 100644 --- a/0001-add-self-def-runtime-for-shimv2.patch +++ b/0001-add-self-def-runtime-for-shimv2.patch @@ -1,7 +1,7 @@ From 717a0c83e3032c2255b257531cfd160b98cd8180 Mon Sep 17 00:00:00 2001 From: gaohuatao Date: Tue, 16 Nov 2021 11:30:03 +0800 -Subject: [PATCH] add self def runtime for shimv2 +Subject: [PATCH 01/14] add self def runtime for shimv2 Signed-off-by: gaohuatao --- @@ -181,5 +181,5 @@ index 8801bea6..0f9ef044 100644 create_request->image = util_strdup_s(image.c_str()); -- -2.20.1 +2.25.1 diff --git a/0002-fix-memleak-when-use-multiple-volumes-from.patch b/0002-fix-memleak-when-use-multiple-volumes-from.patch index a7dac15..40a0622 100644 --- a/0002-fix-memleak-when-use-multiple-volumes-from.patch +++ b/0002-fix-memleak-when-use-multiple-volumes-from.patch @@ -1,7 +1,7 @@ From 2e6f54021ee4b2b81fb0119714f1c4fffb4a031f Mon Sep 17 00:00:00 2001 From: WangFengTu Date: Fri, 19 Nov 2021 15:11:23 +0800 -Subject: [PATCH] fix memleak when use multiple --volumes-from +Subject: [PATCH 02/14] fix memleak when use multiple --volumes-from Signed-off-by: WangFengTu --- diff --git a/0003-Modified-the-procedure-of-running-a-pod-to-adapt-to-.patch b/0003-Modified-the-procedure-of-running-a-pod-to-adapt-to-.patch new file mode 100644 index 0000000..efde3b6 --- /dev/null +++ b/0003-Modified-the-procedure-of-running-a-pod-to-adapt-to-.patch 
@@ -0,0 +1,1395 @@ +From 1b3922edcd0c254b39d57d91b9e027069cd8c82f Mon Sep 17 00:00:00 2001 +From: chengzrz +Date: Mon, 22 Nov 2021 15:34:04 +0800 +Subject: [PATCH 03/14] Modified the procedure of running a pod to adapt to + kata 2.0 + +Signed-off-by: chengzrz +--- + src/common/constants.h | 2 + + src/daemon/entry/cri/cni_network_plugin.cc | 33 ++++- + src/daemon/entry/cri/cri_constants.cc | 1 + + src/daemon/entry/cri/cri_constants.h | 1 + + src/daemon/entry/cri/cri_helpers.cc | 1 + + src/daemon/entry/cri/cri_helpers.h | 1 + + .../cri_pod_sandbox_manager_service_impl.cc | 128 +++++++++++----- + .../cri_pod_sandbox_manager_service_impl.h | 2 +- + src/daemon/entry/cri/cri_security_context.cc | 3 + + .../executor/container_cb/execution_create.c | 65 +++++++++ + .../executor/container_cb/execution_network.c | 3 +- + .../executor/container_cb/execution_network.h | 1 - + .../modules/api/network_namespace_api.h | 35 +++++ + src/daemon/modules/api/specs_api.h | 4 +- + src/daemon/modules/container/container_unix.c | 1 + + .../modules/service/inspect_container.c | 35 +++++ + .../modules/service/network_namespace_api.c | 80 ++++++++++ + .../modules/service/service_container.c | 15 +- + src/daemon/modules/spec/specs.c | 64 ++++++-- + src/daemon/modules/spec/specs_namespace.c | 86 ++++++++++- + src/daemon/modules/spec/specs_namespace.h | 5 + + src/utils/cutils/namespace.h | 18 +++ + src/utils/cutils/utils_file.c | 23 +++ + src/utils/cutils/utils_file.h | 2 + + src/utils/cutils/utils_network.c | 138 ++++++++++++++++++ + src/utils/cutils/utils_network.h | 33 +++++ + 26 files changed, 713 insertions(+), 67 deletions(-) + create mode 100644 src/daemon/modules/api/network_namespace_api.h + create mode 100644 src/daemon/modules/service/network_namespace_api.c + create mode 100644 src/utils/cutils/utils_network.c + create mode 100644 src/utils/cutils/utils_network.h + +diff --git a/src/common/constants.h b/src/common/constants.h +index 94640fa5..cb6ce189 100644 +--- 
a/src/common/constants.h ++++ b/src/common/constants.h +@@ -129,6 +129,8 @@ extern "C" { + #define EVENT_ARGS_MAX 255 + #define EVENT_EXTRA_ANNOTATION_MAX 255 + ++#define NETNS_LEN 16 ++ + /* container id max length */ + #define CONTAINER_ID_MAX_LEN 64 + +diff --git a/src/daemon/entry/cri/cni_network_plugin.cc b/src/daemon/entry/cri/cni_network_plugin.cc +index 35273c3e..ffdbeb10 100644 +--- a/src/daemon/entry/cri/cni_network_plugin.cc ++++ b/src/daemon/entry/cri/cni_network_plugin.cc +@@ -28,6 +28,7 @@ + #include "utils.h" + #include "errors.h" + #include "service_container_api.h" ++#include "network_namespace_api.h" + + namespace Network { + static auto GetLoNetwork(std::vector binDirs) -> std::unique_ptr +@@ -486,9 +487,15 @@ void CniNetworkPlugin::SetUpPod(const std::string &ns, const std::string &name, + if (err.NotEmpty()) { + return; + } +- std::string netnsPath = GetNetNS(id, err); +- if (err.NotEmpty()) { +- ERROR("CNI failed to retrieve network namespace path: %s", err.GetCMessage()); ++ ++ auto iter = annotations.find(CRIHelpers::Constants::POD_SANDBOX_KEY); ++ if (iter == annotations.end()) { ++ ERROR("Failed to find sandbox key from annotations"); ++ return; ++ } ++ const std::string netnsPath = iter->second; ++ if (netnsPath.length() == 0) { ++ ERROR("Failed to get network namespace path"); + return; + } + +@@ -517,7 +524,6 @@ void CniNetworkPlugin::SetUpPod(const std::string &ns, const std::string &name, + err.AppendError(tmpErr.GetMessage()); + } + } +- + UnlockNetworkMap(err); + } + +@@ -593,10 +599,21 @@ void CniNetworkPlugin::TearDownPod(const std::string &ns, const std::string &nam + } + Errors tmpErr; + +- std::string netnsPath = GetNetNS(id, err); +- if (err.NotEmpty()) { +- WARN("CNI failed to retrieve network namespace path: %s", err.GetCMessage()); +- err.Clear(); ++ auto iter = annotations.find(CRIHelpers::Constants::POD_SANDBOX_KEY); ++ if (iter == annotations.end()) { ++ ERROR("Failed to find sandbox key from annotations"); ++ return; ++ 
} ++ std::string netnsPath = iter->second; ++ if (netnsPath.length() == 0) { ++ ERROR("Failed to get network namespace path"); ++ return; ++ } ++ ++ // When netns file does not exist, netnsPath is assigned to an ++ // empty string so that lxc can handle the path properly ++ if (!util_file_exists(netnsPath.c_str())) { ++ netnsPath = ""; + } + + RLockNetworkMap(err); +diff --git a/src/daemon/entry/cri/cri_constants.cc b/src/daemon/entry/cri/cri_constants.cc +index b557d56a..265e38e5 100644 +--- a/src/daemon/entry/cri/cri_constants.cc ++++ b/src/daemon/entry/cri/cri_constants.cc +@@ -16,6 +16,7 @@ + + namespace CRI { + const std::string Constants::namespaceModeHost { "host" }; ++const std::string Constants::namespaceModeFile { "file" }; + const std::string Constants::nameDelimiter { "_" }; + const std::string Constants::kubePrefix { "k8s" }; + const std::string Constants::sandboxContainerName { "POD" }; +diff --git a/src/daemon/entry/cri/cri_constants.h b/src/daemon/entry/cri/cri_constants.h +index 4e964714..95b82660 100644 +--- a/src/daemon/entry/cri/cri_constants.h ++++ b/src/daemon/entry/cri/cri_constants.h +@@ -20,6 +20,7 @@ namespace CRI { + class Constants { + public: + const static std::string namespaceModeHost; ++ const static std::string namespaceModeFile; + // sandboxname default values + const static std::string nameDelimiter; + constexpr static char nameDelimiterChar { '_' }; +diff --git a/src/daemon/entry/cri/cri_helpers.cc b/src/daemon/entry/cri/cri_helpers.cc +index f45c669f..525d65a0 100644 +--- a/src/daemon/entry/cri/cri_helpers.cc ++++ b/src/daemon/entry/cri/cri_helpers.cc +@@ -42,6 +42,7 @@ const std::string Constants::CONTAINER_TYPE_LABEL_CONTAINER { "container" }; + const std::string Constants::CONTAINER_LOGPATH_LABEL_KEY { "cri.container.logpath" }; + const std::string Constants::CONTAINER_HUGETLB_ANNOTATION_KEY { "cri.container.hugetlblimit" }; + const std::string Constants::SANDBOX_ID_LABEL_KEY { "cri.sandbox.id" }; ++const std::string 
Constants::POD_SANDBOX_KEY { "sandboxkey" }; + const std::string Constants::KUBERNETES_CONTAINER_NAME_LABEL { "io.kubernetes.container.name" }; + const std::string Constants::POD_INFRA_CONTAINER_NAME { "POD" }; + const std::string Constants::DOCKER_IMAGEID_PREFIX { "docker://" }; +diff --git a/src/daemon/entry/cri/cri_helpers.h b/src/daemon/entry/cri/cri_helpers.h +index 9eccc1da..5c2f6517 100644 +--- a/src/daemon/entry/cri/cri_helpers.h ++++ b/src/daemon/entry/cri/cri_helpers.h +@@ -39,6 +39,7 @@ public: + static const std::string CONTAINER_LOGPATH_LABEL_KEY; + static const std::string CONTAINER_HUGETLB_ANNOTATION_KEY; + static const std::string SANDBOX_ID_LABEL_KEY; ++ static const std::string POD_SANDBOX_KEY; + static const std::string KUBERNETES_CONTAINER_NAME_LABEL; + static const std::string POD_INFRA_CONTAINER_NAME; + // DOCKER_IMAGEID_PREFIX is the prefix of image id in container status. +diff --git a/src/daemon/entry/cri/cri_pod_sandbox_manager_service_impl.cc b/src/daemon/entry/cri/cri_pod_sandbox_manager_service_impl.cc +index 0f9ef044..eb1cd09f 100644 +--- a/src/daemon/entry/cri/cri_pod_sandbox_manager_service_impl.cc ++++ b/src/daemon/entry/cri/cri_pod_sandbox_manager_service_impl.cc +@@ -13,6 +13,8 @@ + * Description: provide cri pod sandbox manager service implementation + *********************************************************************************/ + #include "cri_pod_sandbox_manager_service_impl.h" ++ ++#include + #include "isula_libutils/log.h" + #include "isula_libutils/host_config.h" + #include "isula_libutils/container_config.h" +@@ -24,7 +26,11 @@ + #include "naming.h" + #include "service_container_api.h" + #include "cxxutils.h" ++#include "network_namespace_api.h" + #include "cri_image_manager_service_impl.h" ++#include "utils_network.h" ++#include "namespace.h" ++#include "constants.h" + + namespace CRI { + auto PodSandboxManagerServiceImpl::EnsureSandboxImageExists(const std::string &image, Errors &error) -> bool +@@ -49,7 +55,8 @@ 
auto PodSandboxManagerServiceImpl::EnsureSandboxImageExists(const std::string &i + } + + void PodSandboxManagerServiceImpl::ApplySandboxLinuxOptions(const runtime::v1alpha2::LinuxPodSandboxConfig &lc, +- host_config *hc, container_config *custom_config, Errors &error) ++ host_config *hc, container_config *custom_config, ++ Errors &error) + { + CRISecurity::ApplySandboxSecurityContext(lc, custom_config, hc, error); + if (error.NotEmpty()) { +@@ -279,8 +286,8 @@ error_out: + } + + container_create_request *PodSandboxManagerServiceImpl::GenerateSandboxCreateContainerRequest( +- const runtime::v1alpha2::PodSandboxConfig &config, const std::string &image, +- std::string &jsonCheckpoint, const std::string &runtimeHandler, Errors &error) ++ const runtime::v1alpha2::PodSandboxConfig &config, const std::string &image, std::string &jsonCheckpoint, ++ const std::string &runtimeHandler, Errors &error) + { + container_create_request *create_request = nullptr; + host_config *hostconfig = nullptr; +@@ -338,7 +345,8 @@ cleanup: + + auto PodSandboxManagerServiceImpl::CreateSandboxContainer(const runtime::v1alpha2::PodSandboxConfig &config, + const std::string &image, std::string &jsonCheckpoint, +- const std::string &runtimeHandler, Errors &error) -> std::string ++ const std::string &runtimeHandler, Errors &error) ++-> std::string + { + std::string response_id; + container_create_request *create_request = +@@ -464,16 +472,12 @@ cleanup: + } + + void PodSandboxManagerServiceImpl::SetupSandboxNetwork(const runtime::v1alpha2::PodSandboxConfig &config, +- const std::string &response_id, const std::string &jsonCheckpoint, +- Errors &error) ++ const std::string &response_id, ++ const std::string &jsonCheckpoint, const container_inspect *inspect_data, Errors &error) + { + std::map stdAnnos; + std::map networkOptions; +- +- container_inspect *inspect_data = CRIHelpers::InspectContainer(response_id, error, false); +- if (error.NotEmpty()) { +- return; +- } ++ const char* sandbox_key = 
get_sandbox_key(inspect_data); + + // Setup sandbox files + if (config.has_dns_config() && inspect_data->resolv_conf_path != nullptr) { +@@ -493,7 +497,10 @@ void PodSandboxManagerServiceImpl::SetupSandboxNetwork(const runtime::v1alpha2:: + CRIHelpers::ProtobufAnnoMapToStd(config.annotations(), stdAnnos); + stdAnnos[CRIHelpers::Constants::POD_CHECKPOINT_KEY] = jsonCheckpoint; + networkOptions["UID"] = config.metadata().uid(); +- ++ if (sandbox_key == NULL) { ++ goto cleanup; ++ } ++ stdAnnos.insert(std::pair(CRIHelpers::Constants::POD_SANDBOX_KEY, sandbox_key)); + m_pluginManager->SetUpPod(config.metadata().namespace_(), config.metadata().name(), + Network::DEFAULT_NETWORK_INTERFACE_NAME, response_id, stdAnnos, networkOptions, error); + if (error.NotEmpty()) { +@@ -503,15 +510,16 @@ void PodSandboxManagerServiceImpl::SetupSandboxNetwork(const runtime::v1alpha2:: + } + + cleanup: +- free_container_inspect(inspect_data); ++ return; + } + +- + auto PodSandboxManagerServiceImpl::RunPodSandbox(const runtime::v1alpha2::PodSandboxConfig &config, + const std::string &runtimeHandler, Errors &error) -> std::string + { + std::string response_id; + std::string jsonCheckpoint; ++ container_inspect *inspect_data = nullptr; ++ char *netnsPath = nullptr; + + if (m_cb == nullptr || m_cb->container.create == nullptr || m_cb->container.start == nullptr) { + error.SetError("Unimplemented callback"); +@@ -539,13 +547,33 @@ auto PodSandboxManagerServiceImpl::RunPodSandbox(const runtime::v1alpha2::PodSan + error.Clear(); + } + +- // Step 4: Start the sandbox container. 
+- StartSandboxContainer(response_id, error); ++ // Step 4: mount network namespace when network mode is file ++ inspect_data = CRIHelpers::InspectContainer(response_id, error, true); + if (error.NotEmpty()) { + goto cleanup; + } ++ if (inspect_data == nullptr || inspect_data->host_config == nullptr) { ++ error.Errorf("Failed to retrieve inspect data"); ++ ERROR("Failed to retrieve inspect data"); ++ goto cleanup; ++ } ++ netnsPath = get_sandbox_key(inspect_data); ++ if (namespace_is_file(inspect_data->host_config->network_mode)) { ++ if (!util_file_exists(netnsPath) || util_mount_namespace(netnsPath) != 0) { ++ error.Errorf("Failed to mount network namespace"); ++ ERROR("Failed to mount network namespace"); ++ goto cleanup; ++ } ++ } ++ + // Step 5: Setup networking for the sandbox. +- SetupSandboxNetwork(config, response_id, jsonCheckpoint, error); ++ SetupSandboxNetwork(config, response_id, jsonCheckpoint, inspect_data, error); ++ if (error.NotEmpty()) { ++ goto cleanup; ++ } ++ ++ // Step 6: Start the sandbox container. 
++ StartSandboxContainer(response_id, error); + if (error.NotEmpty()) { + goto cleanup; + } +@@ -555,13 +583,21 @@ cleanup: + SetNetworkReady(response_id, true, error); + DEBUG("set %s ready", response_id.c_str()); + error.Clear(); ++ } else { ++ if (netnsPath != nullptr && remove_network_namespace(netnsPath) != 0) { ++ ERROR("Failed to remove network namespace"); ++ } + } ++ free_container_inspect(inspect_data); ++ free(netnsPath); + return response_id; + } + + auto PodSandboxManagerServiceImpl::GetRealSandboxIDToStop(const std::string &podSandboxID, bool &hostNetwork, +- std::string &name, std::string &ns, std::string &realSandboxID, +- std::map &stdAnnos, Errors &error) -> int ++ std::string &name, std::string &ns, ++ std::string &realSandboxID, ++ std::map &stdAnnos, Errors &error) ++-> int + { + Errors statusErr; + +@@ -670,16 +706,32 @@ auto PodSandboxManagerServiceImpl::GetNetworkReady(const std::string &podSandbox + } + + auto PodSandboxManagerServiceImpl::ClearCniNetwork(const std::string &realSandboxID, bool hostNetwork, +- const std::string &ns, +- const std::string &name, std::vector &errlist, ++ const std::string &ns, const std::string &name, ++ std::vector &errlist, + std::map &stdAnnos, Errors & + /*error*/) -> int + { + Errors networkErr; ++ container_inspect* inspect_data = nullptr; + + bool ready = GetNetworkReady(realSandboxID, networkErr); + if (!hostNetwork && (ready || networkErr.NotEmpty())) { + Errors pluginErr; ++ ++ // hostNetwork has indicated network mode which render host config unnecessary ++ // so that with_host_config is set to be false. 
++ inspect_data = CRIHelpers::InspectContainer(realSandboxID, pluginErr, false); ++ if (pluginErr.NotEmpty()) { ++ ERROR("Failed to inspect container"); ++ } ++ ++ char* netnsPath = get_sandbox_key(inspect_data); ++ if (netnsPath == nullptr) { ++ ERROR("Failed to get network namespace path"); ++ return 0; ++ } ++ ++ stdAnnos.insert(std::pair(CRIHelpers::Constants::POD_SANDBOX_KEY, netnsPath)); + m_pluginManager->TearDownPod(ns, name, Network::DEFAULT_NETWORK_INTERFACE_NAME, realSandboxID, stdAnnos, + pluginErr); + if (pluginErr.NotEmpty()) { +@@ -691,8 +743,13 @@ auto PodSandboxManagerServiceImpl::ClearCniNetwork(const std::string &realSandbo + if (pluginErr.NotEmpty()) { + WARN("set network ready: %s", pluginErr.GetCMessage()); + } ++ // umount netns when cni removed network successfully ++ if (util_umount_namespace(netnsPath) != 0) { ++ ERROR("Failed to umount directory %s:%s", netnsPath, strerror(errno)); ++ } + } + } ++ free_container_inspect(inspect_data); + return 0; + } + +@@ -806,7 +863,6 @@ void PodSandboxManagerServiceImpl::ClearNetworkReady(const std::string &podSandb + } + } + +- + int PodSandboxManagerServiceImpl::DoRemovePodSandbox(const std::string &realSandboxID, std::vector &errors) + { + int ret = 0; +@@ -878,8 +934,8 @@ cleanup: + error.SetAggregate(errors); + } + +-auto PodSandboxManagerServiceImpl::SharesHostNetwork(const container_inspect *inspect) -> +-runtime::v1alpha2::NamespaceMode ++auto PodSandboxManagerServiceImpl::SharesHostNetwork(const container_inspect *inspect) ++-> runtime::v1alpha2::NamespaceMode + { + if (inspect != nullptr && inspect->host_config != nullptr && (inspect->host_config->network_mode != nullptr) && + std::string(inspect->host_config->network_mode) == CRI::Constants::namespaceModeHost) { +@@ -1032,10 +1088,9 @@ void PodSandboxManagerServiceImpl::GetIPs(const std::string &podSandboxID, const + error.Clear(); + } + +-void PodSandboxManagerServiceImpl::SetSandboxStatusNetwork(const container_inspect *inspect, +- const 
std::string &podSandboxID, +- std::unique_ptr &podStatus, +- Errors &error) ++void PodSandboxManagerServiceImpl::SetSandboxStatusNetwork( ++ const container_inspect *inspect, const std::string &podSandboxID, ++ std::unique_ptr &podStatus, Errors &error) + { + std::vector ips; + size_t i; +@@ -1052,10 +1107,9 @@ void PodSandboxManagerServiceImpl::SetSandboxStatusNetwork(const container_inspe + } + } + +-void PodSandboxManagerServiceImpl::PodSandboxStatusToGRPC(const container_inspect *inspect, +- const std::string &podSandboxID, +- std::unique_ptr &podStatus, +- Errors &error) ++void PodSandboxManagerServiceImpl::PodSandboxStatusToGRPC( ++ const container_inspect *inspect, const std::string &podSandboxID, ++ std::unique_ptr &podStatus, Errors &error) + { + int64_t createdAt {}; + runtime::v1alpha2::NamespaceOption *options { nullptr }; +@@ -1129,8 +1183,8 @@ PodSandboxManagerServiceImpl::PodSandboxStatus(const std::string &podSandboxID, + } + + void PodSandboxManagerServiceImpl::ListPodSandboxFromGRPC(const runtime::v1alpha2::PodSandboxFilter *filter, +- container_list_request **request, bool *filterOutReadySandboxes, +- Errors &error) ++ container_list_request **request, ++ bool *filterOutReadySandboxes, Errors &error) + { + *request = (container_list_request *)util_common_calloc_s(sizeof(container_list_request)); + if (*request == nullptr) { +@@ -1175,9 +1229,9 @@ void PodSandboxManagerServiceImpl::ListPodSandboxFromGRPC(const runtime::v1alpha + } + } + +-void PodSandboxManagerServiceImpl::ListPodSandboxToGRPC(container_list_response *response, +- std::vector> *pods, +- bool filterOutReadySandboxes, Errors &error) ++void PodSandboxManagerServiceImpl::ListPodSandboxToGRPC( ++ container_list_response *response, std::vector> *pods, ++ bool filterOutReadySandboxes, Errors &error) + { + for (size_t i = 0; i < response->containers_len; i++) { + std::unique_ptr pod(new runtime::v1alpha2::PodSandbox); +diff --git 
a/src/daemon/entry/cri/cri_pod_sandbox_manager_service_impl.h b/src/daemon/entry/cri/cri_pod_sandbox_manager_service_impl.h +index fa5d153c..34907fa6 100644 +--- a/src/daemon/entry/cri/cri_pod_sandbox_manager_service_impl.h ++++ b/src/daemon/entry/cri/cri_pod_sandbox_manager_service_impl.h +@@ -82,7 +82,7 @@ private: + void SetNetworkReady(const std::string &podSandboxID, bool ready, Errors &error); + void StartSandboxContainer(const std::string &response_id, Errors &error); + void SetupSandboxNetwork(const runtime::v1alpha2::PodSandboxConfig &config, const std::string &response_id, +- const std::string &jsonCheckpoint, Errors &error); ++ const std::string &jsonCheckpoint, const container_inspect *inspect_data, Errors &error); + void SetupSandboxFiles(const std::string &resolvPath, const runtime::v1alpha2::PodSandboxConfig &config, + Errors &error); + void StopContainerHelper(const std::string &containerID, Errors &error); +diff --git a/src/daemon/entry/cri/cri_security_context.cc b/src/daemon/entry/cri/cri_security_context.cc +index b6a5fcdc..3ff8a0cb 100644 +--- a/src/daemon/entry/cri/cri_security_context.cc ++++ b/src/daemon/entry/cri/cri_security_context.cc +@@ -169,6 +169,9 @@ static void ModifyHostNetworkOptionForSandbox(const runtime::v1alpha2::Namespace + hostConfig->network_mode = util_strdup_s(CRI::Constants::namespaceModeHost.c_str()); + free(hostConfig->uts_mode); + hostConfig->uts_mode = util_strdup_s(CRI::Constants::namespaceModeHost.c_str()); ++ } else { ++ free(hostConfig->network_mode); ++ hostConfig->network_mode = util_strdup_s(CRI::Constants::namespaceModeFile.c_str()); + } + // Note: default networkMode is not supported + } +diff --git a/src/daemon/executor/container_cb/execution_create.c b/src/daemon/executor/container_cb/execution_create.c +index 05c0fd78..95a7d9ab 100644 +--- a/src/daemon/executor/container_cb/execution_create.c ++++ b/src/daemon/executor/container_cb/execution_create.c +@@ -46,6 +46,7 @@ + #include "utils.h" + #include 
"error.h" + #include "constants.h" ++#include "namespace.h" + #include "events_sender_api.h" + #include "sysinfo.h" + #include "service_container_api.h" +@@ -58,6 +59,7 @@ + #include "utils_verify.h" + #include "selinux_label.h" + #include "opt_log.h" ++#include "network_namespace_api.h" + + static int do_init_cpurt_cgroups_path(const char *path, int recursive_depth, const char *mnt_root, + int64_t cpu_rt_period, int64_t cpu_rt_runtime); +@@ -1395,6 +1397,63 @@ out: + return res; + } + ++static char *new_pod_sandbox_key(void) ++{ ++ int nret = 0; ++ char random[NETNS_LEN + 1] = { 0x00 }; ++ char netns[PATH_MAX] = { 0x00 }; ++ const char *netns_fmt = "/var/run/netns/isulacni-%s"; ++ ++ nret = util_generate_random_str(random, NETNS_LEN); ++ if (nret != 0) { ++ ERROR("Failed to generate random netns"); ++ return NULL; ++ } ++ ++ nret = snprintf(netns, sizeof(netns), netns_fmt, random); ++ if (nret < 0 || (size_t)nret >= sizeof(netns)) { ++ ERROR("snprintf netns failed"); ++ return NULL; ++ } ++ ++ return util_strdup_s(netns); ++} ++ ++static int generate_network_settings(const host_config *host_config, container_config_v2_common_config *v2_spec) ++{ ++ container_config_v2_common_config_network_settings *settings = NULL; ++ ++ if (!namespace_is_file(host_config->network_mode)) { ++ return 0; ++ } ++ ++ settings = (container_config_v2_common_config_network_settings *)util_common_calloc_s(sizeof( ++ container_config_v2_common_config_network_settings)); ++ if (settings == NULL) { ++ ERROR("Out of memory"); ++ return -1; ++ } ++ ++ settings->sandbox_key = new_pod_sandbox_key(); ++ if (settings->sandbox_key == NULL) { ++ ERROR("Failed to generate sandbox key"); ++ goto err_out; ++ } ++ ++ if (prepare_network_namespace(settings->sandbox_key) != 0) { ++ ERROR("Failed to create network namespace"); ++ goto err_out; ++ } ++ ++ v2_spec->network_settings = settings; ++ ++ return 0; ++ ++err_out: ++ free_container_config_v2_common_config_network_settings(settings); ++ return -1; 
++} ++ + static int cpurt_controller_init(const char *cgroups_path) + { + int ret = 0; +@@ -1568,6 +1627,12 @@ int container_create_cb(const container_create_request *request, container_creat + goto umount_shm; + } + ++ if (generate_network_settings(host_spec, v2_spec) != 0) { ++ ERROR("Failed to generate network settings"); ++ cc = ISULAD_ERR_EXEC; ++ goto umount_shm; ++ } ++ + if (merge_config_for_syscontainer(request, host_spec, v2_spec->config, oci_spec) != 0) { + ERROR("Failed to merge config for syscontainer"); + cc = ISULAD_ERR_EXEC; +diff --git a/src/daemon/executor/container_cb/execution_network.c b/src/daemon/executor/container_cb/execution_network.c +index 2c662bc1..5532e3fc 100644 +--- a/src/daemon/executor/container_cb/execution_network.c ++++ b/src/daemon/executor/container_cb/execution_network.c +@@ -34,6 +34,7 @@ + #include "err_msg.h" + #include "utils_file.h" + #include "utils_string.h" ++#include "network_namespace_api.h" + + static int write_hostname_to_file(const char *rootfs, const char *hostname) + { +@@ -1038,4 +1039,4 @@ int init_container_network_confs(const char *id, const char *rootpath, const hos + + out: + return ret; +-} ++} +\ No newline at end of file +diff --git a/src/daemon/executor/container_cb/execution_network.h b/src/daemon/executor/container_cb/execution_network.h +index dee56fed..b6428b05 100644 +--- a/src/daemon/executor/container_cb/execution_network.h ++++ b/src/daemon/executor/container_cb/execution_network.h +@@ -29,7 +29,6 @@ extern "C" { + int merge_network(const host_config *host_spec, const char *rootfs, const char *runtime_root, + const char *id, const char *hostname); + +- + int init_container_network_confs(const char *id, const char *rootpath, const host_config *hc, + container_config_v2_common_config *common_config); + +diff --git a/src/daemon/modules/api/network_namespace_api.h b/src/daemon/modules/api/network_namespace_api.h +new file mode 100644 +index 00000000..9a18b1c0 +--- /dev/null ++++ 
b/src/daemon/modules/api/network_namespace_api.h +@@ -0,0 +1,35 @@ ++/****************************************************************************** ++ * Copyright (c) Huawei Technologies Co., Ltd. 2021. All rights reserved. ++ * iSulad licensed under the Mulan PSL v2. ++ * You can use this software according to the terms and conditions of the Mulan PSL v2. ++ * You may obtain a copy of Mulan PSL v2 at: ++ * http://license.coscl.org.cn/MulanPSL2 ++ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR ++ * PURPOSE. ++ * See the Mulan PSL v2 for more details. ++ * Author: chengzeruizhi ++ * Create: 2021-10-19 ++ * Description: set up CRI network namespace ++ *********************************************************************************/ ++ ++#ifndef DAEMON_MODULES_API_NETWORK_NAMESPACE_API ++#define DAEMON_MODULES_API_NETWORK_NAMESPACE_API ++ ++#include ++ ++#include "container_api.h" ++ ++#ifdef __cplusplus ++extern "C" { ++#endif ++ ++int prepare_network_namespace(const char *netns_path); ++int remove_network_namespace(const char *netns); ++char *get_sandbox_key(const container_inspect *inspect_data); ++ ++#ifdef __cplusplus ++} ++#endif ++ ++#endif // DAEMON_MODULES_API_NETWORK_NAMESPACE_API +diff --git a/src/daemon/modules/api/specs_api.h b/src/daemon/modules/api/specs_api.h +index 6c4db007..c4ad79aa 100644 +--- a/src/daemon/modules/api/specs_api.h ++++ b/src/daemon/modules/api/specs_api.h +@@ -37,7 +37,9 @@ int save_oci_config(const char *id, const char *rootpath, const oci_runtime_spec + int parse_security_opt(const host_config *host_spec, bool *no_new_privileges, char ***label_opts, + size_t *label_opts_len, char **seccomp_profile); + +-int merge_share_namespace(oci_runtime_spec *oci_spec, const host_config *host_spec); ++int merge_share_namespace(oci_runtime_spec *oci_spec, const host_config *host_spec, ++ const 
container_config_v2_common_config_network_settings *network_settings); ++ + #ifdef __cplusplus + } + #endif +diff --git a/src/daemon/modules/container/container_unix.c b/src/daemon/modules/container/container_unix.c +index 1904161e..98f91ea9 100644 +--- a/src/daemon/modules/container/container_unix.c ++++ b/src/daemon/modules/container/container_unix.c +@@ -45,6 +45,7 @@ + #include "utils_file.h" + #include "utils_string.h" + #include "volume_api.h" ++#include "namespace.h" + + static int parse_container_log_configs(container_t *cont); + +diff --git a/src/daemon/modules/service/inspect_container.c b/src/daemon/modules/service/inspect_container.c +index d678f7bb..b060fe12 100644 +--- a/src/daemon/modules/service/inspect_container.c ++++ b/src/daemon/modules/service/inspect_container.c +@@ -31,6 +31,7 @@ + #include "container_api.h" + #include "isulad_config.h" + #include "err_msg.h" ++#include "namespace.h" + + static int dup_path_and_args(const container_t *cont, char **path, char ***args, size_t *args_len) + { +@@ -458,6 +459,36 @@ out: + return ret; + } + ++static int pack_inspect_network_settings(const container_t *cont, container_inspect *inspect) ++{ ++ if (cont == NULL || cont->common_config == NULL) { ++ ERROR("Failed to get v2 common config from container"); ++ return -1; ++ } ++ ++ if (!namespace_is_file(cont->hostconfig->network_mode)) { ++ return 0; ++ } ++ ++ if (cont->common_config->network_settings == NULL) { ++ ERROR("Failed to get network settings from container"); ++ return -1; ++ } ++ ++ if (inspect->network_settings == NULL) { ++ inspect->network_settings = ++ (container_inspect_network_settings *)util_common_calloc_s(sizeof(container_inspect_network_settings)); ++ if (inspect->network_settings == NULL) { ++ ERROR("Out of memory"); ++ return -1; ++ } ++ } ++ ++ inspect->network_settings->sandbox_key = util_strdup_s(cont->common_config->network_settings->sandbox_key); ++ ++ return 0; ++} ++ + static int 
merge_default_ulimit_with_ulimit(container_inspect *out_inspect) + { + int ret = 0; +@@ -509,6 +540,10 @@ static container_inspect *pack_inspect_data(const container_t *cont, bool with_h + ERROR("Failed to pack inspect general data, continue to pack other information"); + } + ++ if (pack_inspect_network_settings(cont, inspect) != 0) { ++ ERROR("Failed to pack inspect network settings, continue to pack other information"); ++ } ++ + if (pack_inspect_container_state(cont, inspect) != 0) { + ERROR("Failed to pack inspect state data, continue to pack other information"); + } +diff --git a/src/daemon/modules/service/network_namespace_api.c b/src/daemon/modules/service/network_namespace_api.c +new file mode 100644 +index 00000000..e28e6f74 +--- /dev/null ++++ b/src/daemon/modules/service/network_namespace_api.c +@@ -0,0 +1,80 @@ ++/****************************************************************************** ++ * Copyright (c) Huawei Technologies Co., Ltd. 2021. All rights reserved. ++ * iSulad licensed under the Mulan PSL v2. ++ * You can use this software according to the terms and conditions of the Mulan PSL v2. ++ * You may obtain a copy of Mulan PSL v2 at: ++ * http://license.coscl.org.cn/MulanPSL2 ++ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR ++ * PURPOSE. ++ * See the Mulan PSL v2 for more details. 
++ * Author: chengzeruizhi ++ * Create: 2021-10-19 ++ * Description: set up CRI network namespace ++ *********************************************************************************/ ++#define _GNU_SOURCE ++ ++#include "network_namespace_api.h" ++ ++#include ++ ++#include "utils_network.h" ++ ++int prepare_network_namespace(const char *netns_path) ++{ ++ if (netns_path == NULL) { ++ ERROR("Invalid netns_path"); ++ return -1; ++ } ++ ++ if (util_create_netns_file(netns_path) != 0) { ++ ERROR("Failed to prepare network namespace file"); ++ return -1; ++ } ++ ++ return 0; ++} ++ ++int remove_network_namespace(const char *netns_path) ++{ ++ int get_err = 0; ++ ++ if (netns_path == NULL) { ++ ERROR("Invalid netns_path"); ++ return -1; ++ } ++ ++ if (!util_file_exists(netns_path)) { ++ WARN("Namespace file does not exist"); ++ return 0; ++ } ++ ++ if (umount2(netns_path, MNT_DETACH) != 0 && errno != EINVAL) { ++ ERROR("Failed to umount directory %s:%s", netns_path, strerror(errno)); ++ return -1; ++ } ++ ++ if (!util_force_remove_file(netns_path, &get_err)) { ++ ERROR("Failed to remove file %s, error: %s", netns_path, strerror(get_err)); ++ return -1; ++ } ++ ++ return 0; ++} ++ ++char *get_sandbox_key(const container_inspect *inspect_data) ++{ ++ char *sandbox_key = NULL; ++ ++ if (inspect_data == NULL) { ++ ERROR("Invalid container"); ++ return NULL; ++ } ++ if (inspect_data->network_settings == NULL) { ++ ERROR("Inspect data does not have network settings"); ++ return NULL; ++ } ++ sandbox_key = util_strdup_s(inspect_data->network_settings->sandbox_key); ++ ++ return sandbox_key; ++} +\ No newline at end of file +diff --git a/src/daemon/modules/service/service_container.c b/src/daemon/modules/service/service_container.c +index 0bcfb0e9..27288f6d 100644 +--- a/src/daemon/modules/service/service_container.c ++++ b/src/daemon/modules/service/service_container.c +@@ -59,6 +59,8 @@ + #include "utils_string.h" + #include "utils_verify.h" + #include "volume_api.h" 
++#include "utils_network.h" ++#include "network_namespace_api.h" + + #define KATA_RUNTIME "kata-runtime" + +@@ -227,7 +229,7 @@ static int renew_oci_config(const container_t *cont, oci_runtime_spec *oci_spec) + goto out; + } + +- ret = merge_share_namespace(oci_spec, cont->hostconfig); ++ ret = merge_share_namespace(oci_spec, cont->hostconfig, cont->common_config->network_settings); + if (ret != 0) { + ERROR("Failed to merge share ns"); + goto out; +@@ -895,6 +897,10 @@ int start_container(container_t *cont, const char *console_fifos[], bool reset_r + } + + set_stopped: ++ if (namespace_is_file(cont->hostconfig->network_mode) && ++ util_umount_namespace(cont->common_config->network_settings->sandbox_key) != 0) { ++ ERROR("Failed to clean up network namespace"); ++ } + container_state_set_error(cont->state, (const char *)g_isulad_errmsg); + util_contain_errmsg(g_isulad_errmsg, &exit_code); + container_state_set_stopped(cont->state, exit_code); +@@ -1085,6 +1091,13 @@ static int do_delete_container(container_t *cont) + goto out; + } + ++ // clean up mounted network namespace ++ if (cont->common_config->network_settings != NULL && ++ util_file_exists(cont->common_config->network_settings->sandbox_key) ++ && remove_network_namespace(cont->common_config->network_settings->sandbox_key) != 0) { ++ ERROR("Failed to remove network when deleting container %s", cont->common_config->id); ++ } ++ + ret = snprintf(container_state, sizeof(container_state), "%s/%s", statepath, id); + if (ret < 0 || (size_t)ret >= sizeof(container_state)) { + ERROR("Failed to sprintf container_state"); +diff --git a/src/daemon/modules/spec/specs.c b/src/daemon/modules/spec/specs.c +index d8d05ba0..fc53bd14 100644 +--- a/src/daemon/modules/spec/specs.c ++++ b/src/daemon/modules/spec/specs.c +@@ -22,14 +22,14 @@ + #include + #include + #include ++#include ++#include ++#include ++#include + #include + #include + +-#include "isula_libutils/log.h" + #include "specs_api.h" +-#include 
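Review bot: The new `set_stopped:` cleanup in start_container dereferences `cont->common_config->network_settings->sandbox_key` without checking `network_settings` for NULL, while the matching cleanup added to do_delete_container in the next hunk guards `network_settings != NULL` first; a file-mode container whose network settings were never populated would fault on this error path. Add the same guard: `if (namespace_is_file(cont->hostconfig->network_mode) && cont->common_config->network_settings != NULL && util_umount_namespace(cont->common_config->network_settings->sandbox_key) != 0) {`. start_container's body begins and ends outside the hunk.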
"isula_libutils/oci_runtime_spec.h" +-#include "isula_libutils/oci_runtime_hooks.h" +-#include "isula_libutils/host_config.h" + #include "utils.h" + #include "isulad_config.h" + #include "namespace.h" +@@ -1377,10 +1377,9 @@ out: + return ret; + } + +-static int merge_share_namespace_helper(const oci_runtime_spec *oci_spec, const char *path, const char *type) ++static int merge_share_namespace_helper(const oci_runtime_spec *oci_spec, const char *ns_path, const char *type) + { + int ret = -1; +- char *ns_path = NULL; + size_t len = 0; + size_t org_len = 0; + size_t i = 0; +@@ -1390,11 +1389,6 @@ static int merge_share_namespace_helper(const oci_runtime_spec *oci_spec, const + len = oci_spec->linux->namespaces_len; + work_ns = oci_spec->linux->namespaces; + +- ret = get_share_namespace_path(type, path, &ns_path); +- if (ret != 0) { +- ERROR("Failed to get share ns type:%s path:%s", type, path); +- goto out; +- } + for (i = 0; i < org_len; i++) { + if (strcmp(type, work_ns[i]->type) == 0) { + free(work_ns[i]->path); +@@ -1433,7 +1427,6 @@ static int merge_share_namespace_helper(const oci_runtime_spec *oci_spec, const + } + ret = 0; + out: +- free(ns_path); + if (work_ns != NULL) { + oci_spec->linux->namespaces = work_ns; + oci_spec->linux->namespaces_len = len; +@@ -1443,14 +1436,55 @@ out: + + static int merge_share_single_namespace(const oci_runtime_spec *oci_spec, const char *path, const char *type) + { ++ int ret = 0; ++ char *ns_path = NULL; ++ + if (path == NULL) { + return 0; + } + +- return merge_share_namespace_helper(oci_spec, path, type); ++ ret = get_share_namespace_path(type, path, &ns_path); ++ if (ret != 0) { ++ ERROR("Failed to get share ns type:%s path:%s", type, path); ++ return -1; ++ } ++ ++ ret = merge_share_namespace_helper(oci_spec, ns_path, type); ++ if (ret != 0) { ++ ERROR("Failed to merge share namespace namespace helper"); ++ } ++ ++ free(ns_path); ++ return ret; ++} ++ ++static int merge_share_network_namespace(oci_runtime_spec *oci_spec, 
const host_config *host_spec, ++ const container_config_v2_common_config_network_settings *network_settings, const char *type) ++{ ++ int ret = 0; ++ char *ns_path = NULL; ++ ++ if (host_spec->network_mode == NULL) { ++ return 0; ++ } ++ ++ ret = get_network_namespace_path(host_spec, network_settings, type, &ns_path); ++ if (ret != 0) { ++ ERROR("Failed to get network namespace path"); ++ return -1; ++ } ++ ++ ret = merge_share_namespace_helper(oci_spec, ns_path, type); ++ if (ret != 0) { ++ ERROR("Failed to merge share namespace namespace helper"); ++ } ++ ++ free(ns_path); ++ return ret; + } + +-int merge_share_namespace(oci_runtime_spec *oci_spec, const host_config *host_spec) ++int merge_share_namespace(oci_runtime_spec *oci_spec, const host_config *host_spec, ++ const container_config_v2_common_config_network_settings *network_settings) + { + int ret = -1; + +@@ -1475,7 +1509,7 @@ int merge_share_namespace(oci_runtime_spec *oci_spec, const host_config *host_sp + } + + // network +- if (merge_share_single_namespace(oci_spec, host_spec->network_mode, TYPE_NAMESPACE_NETWORK) != 0) { ++ if (merge_share_network_namespace(oci_spec, host_spec, network_settings, TYPE_NAMESPACE_NETWORK) != 0) { + ret = -1; + goto out; + } +diff --git a/src/daemon/modules/spec/specs_namespace.c b/src/daemon/modules/spec/specs_namespace.c +index e291f092..eea0b3ff 100644 +--- a/src/daemon/modules/spec/specs_namespace.c ++++ b/src/daemon/modules/spec/specs_namespace.c +@@ -17,15 +17,16 @@ + #include + #include + #include +-#include + #include + #include ++#include ++#include + +-#include "isula_libutils/log.h" + #include "utils.h" + #include "namespace.h" + #include "container_api.h" + #include "err_msg.h" ++#include "network_namespace_api.h" + + static char *parse_share_namespace_with_prefix(const char *type, const char *path) + { +@@ -133,3 +134,84 @@ char *get_container_process_label(const char *cid) + out: + return result; + } ++ ++typedef int (*namespace_mode_check)(const host_config 
*host_spec, ++ const container_config_v2_common_config_network_settings *network_settings, ++ const char *type, char **dest_path); ++ ++struct get_netns_path_handler { ++ char *mode; ++ namespace_mode_check handle; ++}; ++ ++static int handle_get_path_from_none(const host_config *host_spec, ++ const container_config_v2_common_config_network_settings *network_settings, ++ const char *type, char **dest_path) ++{ ++ *dest_path = NULL; ++ return 0; ++} ++ ++static int handle_get_path_from_host(const host_config *host_spec, ++ const container_config_v2_common_config_network_settings *network_settings, ++ const char *type, char **dest_path) ++{ ++ *dest_path = namespace_get_host_namespace_path(host_spec->network_mode); ++ if (*dest_path == NULL) { ++ return -1; ++ } ++ return 0; ++} ++ ++static int handle_get_path_from_container(const host_config *host_spec, ++ const container_config_v2_common_config_network_settings *network_settings, const char *type, ++ char **dest_path) ++{ ++ *dest_path = parse_share_namespace_with_prefix(type, host_spec->network_mode); ++ if (*dest_path == NULL) { ++ return -1; ++ } ++ return 0; ++} ++ ++static int handle_get_path_from_file(const host_config *host_spec, ++ const container_config_v2_common_config_network_settings *network_settings, ++ const char *type, char **dest_path) ++{ ++ if (network_settings == NULL || network_settings->sandbox_key == NULL) { ++ ERROR("Invalid sandbox key for file mode network"); ++ return -1; ++ } ++ ++ *dest_path = util_strdup_s(network_settings->sandbox_key); ++ return 0; ++} ++ ++int get_network_namespace_path(const host_config *host_spec, ++ const container_config_v2_common_config_network_settings *network_settings, ++ const char *type, char **dest_path) ++{ ++ int index; ++ int ret = -1; ++ struct get_netns_path_handler handler_jump_table[] = { ++ { SHARE_NAMESPACE_NONE, handle_get_path_from_none }, ++ { SHARE_NAMESPACE_HOST, handle_get_path_from_host }, ++ { SHARE_NAMESPACE_PREFIX, 
handle_get_path_from_container }, ++ { SHARE_NAMESPACE_FILE, handle_get_path_from_file }, ++ }; ++ size_t jump_table_size = sizeof(handler_jump_table) / sizeof(handler_jump_table[0]); ++ const char *network_mode = host_spec->network_mode; ++ ++ if (network_mode == NULL || dest_path == NULL) { ++ return -1; ++ } ++ ++ for (index = 0; index < jump_table_size; ++index) { ++ if (strncmp(network_mode, handler_jump_table[index].mode, strlen(handler_jump_table[index].mode)) == 0) { ++ ret = handler_jump_table[index].handle(host_spec, network_settings, type, dest_path); ++ return ret; ++ } ++ } ++ ++ return ret; ++} +\ No newline at end of file +diff --git a/src/daemon/modules/spec/specs_namespace.h b/src/daemon/modules/spec/specs_namespace.h +index 526ad4e0..68e41399 100644 +--- a/src/daemon/modules/spec/specs_namespace.h ++++ b/src/daemon/modules/spec/specs_namespace.h +@@ -17,6 +17,8 @@ + + #include + #include ++#include ++#include + + #ifdef __cplusplus + extern "C" { +@@ -24,6 +26,9 @@ extern "C" { + + int get_share_namespace_path(const char *type, const char *src_path, char **dest_path); + char *get_container_process_label(const char *path); ++int get_network_namespace_path(const host_config *host_spec, ++ const container_config_v2_common_config_network_settings *network_settings, ++ const char *type, char **dest_path); + + #ifdef __cplusplus + } +diff --git a/src/utils/cutils/namespace.h b/src/utils/cutils/namespace.h +index cf768056..26a9bb19 100644 +--- a/src/utils/cutils/namespace.h ++++ b/src/utils/cutils/namespace.h +@@ -37,6 +37,8 @@ typedef enum { + #define SHARE_NAMESPACE_HOST "host" + #define SHARE_NAMESPACE_NONE "none" + #define SHARE_NAMESPACE_SHAREABLE "shareable" ++#define SHARE_NAMESPACE_BRIDGE "bridge" ++#define SHARE_NAMESPACE_FILE "file" + + #define SHARE_NAMESPACE_PID_HOST_PATH "/proc/1/ns/pid" + #define SHARE_NAMESPACE_NET_HOST_PATH "/proc/1/ns/net" +@@ -82,6 +84,22 @@ static inline bool namespace_is_container(const char *mode) + return false; + } 
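Review bot: `get_network_namespace_path` picks its handler with `strncmp(network_mode, mode, strlen(mode))`, which is a prefix match for every table entry, so a network_mode such as `hostname` or `files` (host_config is presumably client-supplied) is routed to the host or file handler instead of being rejected with -1. Only `SHARE_NAMESPACE_PREFIX` needs a prefix comparison; match `none`, `host` and `file` with `strcmp`, as `namespace_is_file` in namespace.h already does. Two smaller points: `index` is an `int` compared against the `size_t` table size, and `mode` is a non-const `char *` initialised from string literals — `size_t index` and `const char *mode` are the natural types. `SHARE_NAMESPACE_BRIDGE` is added to namespace.h in this patch but has no entry in the table, so `bridge` falls through to -1; if that is intended, a comment on the table saying so would keep it from being read as an omission.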
+ ++static inline bool namespace_is_bridge(const char *mode) ++{ ++ if (mode != NULL && strcmp(mode, SHARE_NAMESPACE_BRIDGE) == 0) { ++ return true; ++ } ++ return false; ++} ++ ++static inline bool namespace_is_file(const char *mode) ++{ ++ if (mode != NULL && strcmp(mode, SHARE_NAMESPACE_FILE) == 0) { ++ return true; ++ } ++ return false; ++} ++ + static inline bool namespace_is_shareable(const char *mode) + { + if (mode != NULL && strcmp(mode, SHARE_NAMESPACE_SHAREABLE) == 0) { +diff --git a/src/utils/cutils/utils_file.c b/src/utils/cutils/utils_file.c +index 302e4e32..f4fa4ece 100644 +--- a/src/utils/cutils/utils_file.c ++++ b/src/utils/cutils/utils_file.c +@@ -275,6 +275,29 @@ out: + return ret; + } + ++bool util_force_remove_file(const char *fname, int *saved_errno) ++{ ++ if (unlink(fname) == 0) { ++ return true; ++ } ++ ++ WARN("Failed to delete %s: %s", fname, strerror(errno)); ++ if (*saved_errno == 0) { ++ *saved_errno = errno; ++ } ++ ++ if (mark_file_mutable(fname) != 0) { ++ WARN("Failed to mark file mutable"); ++ } ++ ++ if (unlink(fname) != 0) { ++ ERROR("Failed to delete \"%s\": %s", fname, strerror(errno)); ++ return false; ++ } ++ ++ return true; ++} ++ + static int recursive_rmdir_next_depth(struct stat fstat, const char *fname, int recursive_depth, int *saved_errno, + int failure) + { +diff --git a/src/utils/cutils/utils_file.h b/src/utils/cutils/utils_file.h +index 125f43a3..a7fbbb6b 100644 +--- a/src/utils/cutils/utils_file.h ++++ b/src/utils/cutils/utils_file.h +@@ -36,6 +36,8 @@ bool util_file_exists(const char *f); + + int util_path_remove(const char *path); + ++bool util_force_remove_file(const char *fname, int *saved_errno); ++ + ssize_t util_write_nointr(int fd, const void *buf, size_t count); + + ssize_t util_write_nointr_in_total(int fd, const char *buf, size_t count); +diff --git a/src/utils/cutils/utils_network.c b/src/utils/cutils/utils_network.c +new file mode 100644 +index 00000000..a5d77c93 +--- /dev/null ++++ 
b/src/utils/cutils/utils_network.c +@@ -0,0 +1,138 @@ ++/****************************************************************************** ++ * Copyright (c) Huawei Technologies Co., Ltd. 2021. All rights reserved. ++ * iSulad licensed under the Mulan PSL v2. ++ * You can use this software according to the terms and conditions of the Mulan PSL v2. ++ * You may obtain a copy of Mulan PSL v2 at: ++ * http://license.coscl.org.cn/MulanPSL2 ++ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR ++ * PURPOSE. ++ * See the Mulan PSL v2 for more details. ++ * Author: chengzeruizhi ++ * Create: 2021-11-17 ++ * Description: provide common network functions ++ ********************************************************************************/ ++ ++#define _GNU_SOURCE ++ ++#include "utils_network.h" ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include "utils_fs.h" ++#include "utils_file.h" ++#include "constants.h" ++ ++int util_create_netns_file(const char *netns_path) ++{ ++ int ret = 0; ++ int fd = -1; ++ char *netns_dir = NULL; ++ ++ if (util_file_exists(netns_path)) { ++ ERROR("Namespace file %s exists", netns_path); ++ return -1; ++ } ++ netns_dir = util_path_dir(netns_path); ++ if (netns_dir == NULL) { ++ ERROR("Failed to get path dir for %s", netns_path); ++ return -1; ++ } ++ if (!util_dir_exists(netns_dir) && util_mkdir_p(netns_dir, DEFAULT_HIGHEST_DIRECTORY_MODE) != 0) { ++ ERROR("Failed to create directory for %s", netns_path); ++ ret = -1; ++ goto out; ++ } ++ ++ fd = util_open(netns_path, O_RDWR | O_CREAT | O_TRUNC, DEFAULT_SECURE_FILE_MODE); ++ if (fd < 0) { ++ ERROR("Failed to create namespace file: %s", netns_path); ++ ret = -1; ++ goto out; ++ } ++ close(fd); ++ ++out: ++ free(netns_dir); ++ return ret; ++} ++ ++static void mount_netns(void *netns_path) ++{ 
++ int failure = EXIT_FAILURE; ++ int success = EXIT_SUCCESS; ++ char fullpath[PATH_MAX] = { 0x00 }; ++ int ret = 0; ++ ++ if (unshare(CLONE_NEWNET) != 0) { ++ pthread_exit((void *)&failure); ++ } ++ ++ ret = snprintf(fullpath, sizeof(fullpath), "/proc/%d/task/%ld/ns/net", getpid(), (long int)syscall(__NR_gettid)); ++ if (ret < 0 || (size_t)ret >= sizeof(fullpath)) { ++ pthread_exit((void *)&failure); ++ } ++ ++ if (util_mount(fullpath, (char *)netns_path, "none", "bind") != 0) { ++ pthread_exit((void *)&failure); ++ } ++ pthread_exit((void *)&success); ++} ++ ++// this function mounts netns path to /proc/%d/task/%d/ns/net ++int util_mount_namespace(const char *netns_path) ++{ ++ pthread_t newns_thread = 0; ++ int ret = 0; ++ void *status = NULL; ++ ++ ret = pthread_create(&newns_thread, NULL, (void *)&mount_netns, (void *)netns_path); ++ if (ret != 0) { ++ ERROR("Failed to create thread"); ++ return -1; ++ } ++ ++ ret = pthread_join(newns_thread, &status); ++ if (ret != 0) { ++ ERROR("Failed to join thread"); ++ return -1; ++ } else { ++ if (*(int *)status != 0) { ++ ERROR("Failed to initialize network namespace"); ++ return -1; ++ } ++ } ++ return 0; ++} ++ ++int util_umount_namespace(const char *netns_path) ++{ ++ int i = 0; ++ if (netns_path == NULL) { ++ WARN("Invalid path to umount"); ++ } ++ ++ for (i = 0; i < 50; i++) { ++ if (umount2(netns_path, MNT_DETACH) < 0) { ++ switch (errno) { ++ case EBUSY: ++ usleep(50); ++ continue; ++ case EINVAL: ++ return 0; ++ default: ++ continue; ++ } ++ } ++ } ++ ERROR("Failed to umount target %s", netns_path); ++ return -1; ++} +diff --git a/src/utils/cutils/utils_network.h b/src/utils/cutils/utils_network.h +new file mode 100644 +index 00000000..6ec912d8 +--- /dev/null ++++ b/src/utils/cutils/utils_network.h +@@ -0,0 +1,33 @@ ++/****************************************************************************** ++ * Copyright (c) Huawei Technologies Co., Ltd. 2021. All rights reserved. 
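Review bot: `mount_netns` leaves the thread with `pthread_exit((void *)&failure)` / `(void *)&success`, pointers into the exiting thread's own stack, and `util_mount_namespace` then reads `*(int *)status` after `pthread_join`; by then that stack is gone, so the read is undefined behaviour and a failed unshare or bind mount can be reported as success. Give the thread function the `void *(*)(void *)` signature pthread_create expects (the `(void *)&mount_netns` cast currently hides the mismatch) and return the status encoded in the pointer value, as below. `util_umount_namespace` only warns when `netns_path == NULL` and then calls `umount2(NULL, MNT_DETACH)`; the check needs a `return -1;`. `util_create_netns_file` tests `util_file_exists` and then opens with `O_CREAT | O_TRUNC`, so a file that appears between the two calls is silently truncated and reused; `O_RDWR | O_CREAT | O_EXCL` makes the create atomic and lets the exists check go.
```c
static void *mount_netns(void *netns_path)
{
    char fullpath[PATH_MAX] = { 0x00 };
    int ret = 0;

    if (unshare(CLONE_NEWNET) != 0) {
        return (void *)(intptr_t)EXIT_FAILURE;
    }
    /* … unchanged: snprintf of /proc/<pid>/task/<tid>/ns/net and the util_mount bind;
       each failure branch likewise becomes `return (void *)(intptr_t)EXIT_FAILURE;` … */
    return (void *)(intptr_t)EXIT_SUCCESS;
}

/* … unchanged: util_mount_namespace locals … */
    ret = pthread_create(&newns_thread, NULL, mount_netns, (void *)netns_path);
    /* … unchanged: pthread_create error check, pthread_join … */
    if ((int)(intptr_t)status != 0) {
        ERROR("Failed to initialize network namespace");
        return -1;
    }
```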
++ * iSulad licensed under the Mulan PSL v2. ++ * You can use this software according to the terms and conditions of the Mulan PSL v2. ++ * You may obtain a copy of Mulan PSL v2 at: ++ * http://license.coscl.org.cn/MulanPSL2 ++ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR ++ * PURPOSE. ++ * See the Mulan PSL v2 for more details. ++ * Author: chengzeruizhi ++ * Create: 2021-11-17 ++ * Description: provide common network functions ++ ********************************************************************************/ ++ ++#ifndef UTILS_CUTILS_UTILS_NETWORK_H ++#define UTILS_CUTILS_UTILS_NETWORK_H ++ ++#ifdef __cplusplus ++extern "C" { ++#endif ++ ++int util_create_netns_file(const char *netns_path); ++ ++int util_mount_namespace(const char *netns_path); ++ ++int util_umount_namespace(const char *netns_path); ++ ++#ifdef __cplusplus ++} ++#endif ++ ++#endif // UTILS_CUTILS_UTILS_NETWORK_H +\ No newline at end of file +-- +2.25.1 + diff --git a/0004-add-new-function-mock-for-ut.patch b/0004-add-new-function-mock-for-ut.patch new file mode 100644 index 0000000..4694946 --- /dev/null +++ b/0004-add-new-function-mock-for-ut.patch 
@@ -0,0 +1,58 @@ +From 1d89d1d6fce7a3f89ce2a984500dede6529c8f53 Mon Sep 17 00:00:00 2001 +From: haozi007 +Date: Fri, 26 Nov 2021 09:45:20 +0000 +Subject: [PATCH 04/14] add new function mock for ut + +Signed-off-by: haozi007 +--- + test/mocks/namespace_mock.cc | 10 ++++++++++ + test/mocks/namespace_mock.h | 1 + + test/specs/specs/specs_ut.cc | 1 + + 3 files changed, 12 insertions(+) + +diff --git a/test/mocks/namespace_mock.cc b/test/mocks/namespace_mock.cc +index 5c0cba6c..da24e406 100644 +--- a/test/mocks/namespace_mock.cc ++++ b/test/mocks/namespace_mock.cc +@@ -47,3 +47,13 @@ char *get_container_process_label(const char *path) + } + return nullptr; + } ++ ++int get_network_namespace_path(const host_config *host_spec, ++ const container_config_v2_common_config_network_settings *network_settings, ++ const char *type, char **dest_path) ++{ ++ if (g_namespace_mock != nullptr) { ++ return g_namespace_mock->GetNetworkNamespacePath(host_spec, network_settings, type, dest_path); ++ } ++ return 0; ++} +\ No newline at end of file +diff --git a/test/mocks/namespace_mock.h b/test/mocks/namespace_mock.h +index b835e028..80e75b0b 100644 +--- a/test/mocks/namespace_mock.h ++++ b/test/mocks/namespace_mock.h +@@ -26,6 +26,7 @@ public: + MOCK_METHOD1(ConnectedContainer, char *(const char *mode)); + MOCK_METHOD3(GetShareNamespacePath, int(const char *type, const char *src_path, char **dest_path)); + MOCK_METHOD1(GetContainerProcessLabel, char *(const char *path)); ++ MOCK_METHOD4(GetNetworkNamespacePath, int(const host_config *, const container_config_v2_common_config_network_settings *, const char *, char **)); + }; + + void MockNamespace_SetMock(MockNamespace *mock); +diff --git a/test/specs/specs/specs_ut.cc b/test/specs/specs/specs_ut.cc +index 2f2a2524..c4014e2e 100644 +--- a/test/specs/specs/specs_ut.cc ++++ b/test/specs/specs/specs_ut.cc +@@ -19,6 +19,7 @@ + #include "mock.h" + #include "isula_libutils/oci_runtime_spec.h" + #include "specs_api.h" ++#include 
"specs_namespace.h" + #include "isula_libutils/host_config.h" + #include "isula_libutils/container_config.h" + #include "oci_ut_common.h" +-- +2.25.1 + diff --git a/0005-delete-isulad-h-flag.patch b/0005-delete-isulad-h-flag.patch new file mode 100644 index 0000000..92b6074 --- /dev/null +++ b/0005-delete-isulad-h-flag.patch @@ -0,0 +1,28 @@ +From 07b81da5e3d357c34cf7f5379ba507a16617a5ed Mon Sep 17 00:00:00 2001 +From: gaohuatao +Date: Sat, 27 Nov 2021 11:14:40 +0800 +Subject: [PATCH 05/14] delete isulad h flag + +Signed-off-by: gaohuatao +--- + src/cmd/isulad/isulad_commands.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/cmd/isulad/isulad_commands.c b/src/cmd/isulad/isulad_commands.c +index d0ab029c..c2826c83 100644 +--- a/src/cmd/isulad/isulad_commands.c ++++ b/src/cmd/isulad/isulad_commands.c +@@ -213,8 +213,8 @@ int parse_args(struct service_arguments *args, int argc, const char **argv) + + if (args->argc > 0) { + printf("unresolved arguments: %s;\t" +- "run `%s --help` or `%s -h` for help.\n", +- args->argv[0], argv[0], argv[0]); ++ "run `%s --help` for help.\n", ++ args->argv[0], argv[0]); + return -1; + } + +-- +2.25.1 + diff --git a/0006-Fix-memory-leak-in-ClearCniNetwork-when-calling-get_.patch b/0006-Fix-memory-leak-in-ClearCniNetwork-when-calling-get_.patch new file mode 100644 index 0000000..7016e28 --- /dev/null +++ b/0006-Fix-memory-leak-in-ClearCniNetwork-when-calling-get_.patch 
@@ -0,0 +1,26 @@
+From d3d44e344d2ea2213c7d595c957e8ebf0a661fd2 Mon Sep 17 00:00:00 2001
+From: chengzrz
+Date: Sat, 27 Nov 2021 11:31:13 +0800
+Subject: [PATCH 06/14] Fix memory leak in ClearCniNetwork when calling
+ get_sandbox_key
+
+Signed-off-by: chengzrz
+---
+ src/daemon/entry/cri/cri_pod_sandbox_manager_service_impl.cc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/daemon/entry/cri/cri_pod_sandbox_manager_service_impl.cc b/src/daemon/entry/cri/cri_pod_sandbox_manager_service_impl.cc
+index eb1cd09f..0a577849 100644
+--- a/src/daemon/entry/cri/cri_pod_sandbox_manager_service_impl.cc
++++ b/src/daemon/entry/cri/cri_pod_sandbox_manager_service_impl.cc
+@@ -748,6 +748,7 @@ auto PodSandboxManagerServiceImpl::ClearCniNetwork(const std::string &realSandbo
+ ERROR("Failed to umount directory %s:%s", netnsPath, strerror(errno));
+ }
+ }
++ free(netnsPath);
+ }
+ free_container_inspect(inspect_data);
+ return 0;
+--
+2.25.1
+
diff --git a/0007-fix-cri-libwebsockets-sync_close_sem-memory-leak.patch b/0007-fix-cri-libwebsockets-sync_close_sem-memory-leak.patch
new file mode 100644
index 0000000..0ab4b26
--- /dev/null
+++ b/0007-fix-cri-libwebsockets-sync_close_sem-memory-leak.patch
@@ -0,0 +1,26 @@
+From 23ab9ac224056a2efef00b20cfc973c8e98a1e1d Mon Sep 17 00:00:00 2001
+From: zhangxiaoyu
+Date: Fri, 26 Nov 2021 09:51:52 +0800
+Subject: [PATCH 07/14] fix cri libwebsockets sync_close_sem memory leak
+
+Signed-off-by: zhangxiaoyu
+---
+ src/daemon/entry/cri/websocket/service/ws_server.cc | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/daemon/entry/cri/websocket/service/ws_server.cc b/src/daemon/entry/cri/websocket/service/ws_server.cc
+index 509f821e..e4b3a1b4 100644
+--- a/src/daemon/entry/cri/websocket/service/ws_server.cc
++++ b/src/daemon/entry/cri/websocket/service/ws_server.cc
+@@ -191,6 +191,8 @@ void WebsocketServer::CloseWsSession(int socketID)
+ }
+ (void)sem_wait(session->sync_close_sem);
+ (void)sem_destroy(session->sync_close_sem);
++ delete session->sync_close_sem;
++ session->sync_close_sem = nullptr;
+ close(session->pipes.at(0));
+ delete session->session_mutex;
+ session->session_mutex = nullptr;
+--
+2.25.1
+
diff --git a/0008-fix-cpu-variant-get-error.patch b/0008-fix-cpu-variant-get-error.patch
new file mode 100644
index 0000000..317094c
--- /dev/null
+++ b/0008-fix-cpu-variant-get-error.patch
@@ -0,0 +1,96 @@ +From 198daf0e54215f76ddb62caa8bea41ff6625db40 Mon Sep 17 00:00:00 2001 +From: WangFengTu +Date: Sat, 27 Nov 2021 14:15:34 +0800 +Subject: [PATCH 08/14] fix cpu variant get error + +Signed-off-by: WangFengTu +--- + src/utils/cutils/utils.c | 14 +++++--------- + src/utils/cutils/utils_file.c | 6 +++++- + src/utils/cutils/utils_file.h | 5 +++++ + 3 files changed, 15 insertions(+), 10 deletions(-) + +diff --git a/src/utils/cutils/utils.c b/src/utils/cutils/utils.c +index a3e192fe..511cde96 100644 +--- a/src/utils/cutils/utils.c ++++ b/src/utils/cutils/utils.c +@@ -1299,12 +1299,11 @@ restart: + static char *get_cpu_variant() + { + char *variant = NULL; +- char *cpuinfo = NULL; ++ char cpuinfo[1024] = { 0 }; + char *start_pos = NULL; + char *end_pos = NULL; + +- cpuinfo = util_read_text_file("/proc/cpuinfo"); +- if (cpuinfo == NULL) { ++ if (util_file2str("/proc/cpuinfo", cpuinfo, sizeof(cpuinfo)) < 0) { + ERROR("read /proc/cpuinfo failed"); + return NULL; + } +@@ -1312,7 +1311,7 @@ static char *get_cpu_variant() + start_pos = strstr(cpuinfo, "CPU architecture"); + if (start_pos == NULL) { + ERROR("can not found the key \"CPU architecture\" when try to get cpu variant"); +- goto out; ++ return NULL; + } + end_pos = strchr(start_pos, '\n'); + if (end_pos != NULL) { +@@ -1321,17 +1320,14 @@ static char *get_cpu_variant() + start_pos = strchr(start_pos, ':'); + if (start_pos == NULL) { + ERROR("can not found delimiter \":\" when try to get cpu variant"); +- goto out; ++ return NULL; + } ++ start_pos += 1; // skip char ":" + util_trim_newline(start_pos); + start_pos = util_trim_space(start_pos); + + variant = util_strings_to_lower(start_pos); + +-out: +- free(cpuinfo); +- cpuinfo = NULL; +- + return variant; + } + +diff --git a/src/utils/cutils/utils_file.c b/src/utils/cutils/utils_file.c +index f4fa4ece..00825bea 100644 +--- a/src/utils/cutils/utils_file.c ++++ b/src/utils/cutils/utils_file.c +@@ -815,7 +815,11 @@ char *util_add_path(const char *path, 
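Review bot: `get_cpu_variant` now reads `/proc/cpuinfo` into a fixed `char cpuinfo[1024]` through `util_file2str`, so only the first 1 KiB of the file is searched for `CPU architecture`; if the first per-CPU block (whose `Features` line can be long on aarch64) pushes that key past 1024 bytes the function reports `can not found the key` even though the file contains it. Either enlarge the buffer or state the assumption next to the declaration, e.g. `// only the first CPU block is needed; 1024 bytes is assumed to cover it`. Whether `util_file2str` NUL-terminates a truncated read is not visible here; `strstr` below depends on it, so a sentence on that contract in the same comment would help. The reason for dropping `util_read_text_file` (no `fseek` on procfs) is only recorded in the utils_file.c comment of the next hunk; a short `// procfs files cannot be sized with fseek, read a bounded prefix` here as well would keep the rationale where the buffer is chosen.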
const char *name) + return new_path; + } + +-/* note: This function can only read small text file. */ ++/* notes: ++ * 1. Do not use this function to read proc file because proc file in armv8 does not ++ * support fseek and the result of this function is nill string which is unexpected. ++ * 2. This function can only read small text file. ++ */ + char *util_read_text_file(const char *path) + { + char *buf = NULL; +diff --git a/src/utils/cutils/utils_file.h b/src/utils/cutils/utils_file.h +index a7fbbb6b..1465ca7e 100644 +--- a/src/utils/cutils/utils_file.h ++++ b/src/utils/cutils/utils_file.h +@@ -68,6 +68,11 @@ char *util_path_dir(const char *path); + + char *util_add_path(const char *path, const char *name); + ++/* notes: ++ * 1. Do not use this function to read proc file because proc file in armv8 does not ++ * support fseek and the result of this function is nill string which is unexpected. ++ * 2. This function can only read small text file. ++ */ + char *util_read_text_file(const char *path); + + int64_t util_file_size(const char *filename); +-- +2.25.1 + diff --git a/0009-fix-unit-test-error-of-registry-in-armv8.patch b/0009-fix-unit-test-error-of-registry-in-armv8.patch new file mode 100644 index 0000000..5cdbadc --- /dev/null +++ b/0009-fix-unit-test-error-of-registry-in-armv8.patch 
@@ -0,0 +1,40 @@ +From 688254c48fd4a672081d11e1f50ff70e807402f3 Mon Sep 17 00:00:00 2001 +From: WangFengTu +Date: Mon, 29 Nov 2021 11:41:44 +0800 +Subject: [PATCH 09/14] fix unit test error of registry in armv8 + +use the data same as x86 to do unit test in armv8 + +Signed-off-by: WangFengTu +--- + test/image/oci/registry/data/oci/index | 2 +- + test/image/oci/registry/data/v2/manifest_list | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/test/image/oci/registry/data/oci/index b/test/image/oci/registry/data/oci/index +index d713bde3..c3f09482 100644 +--- a/test/image/oci/registry/data/oci/index ++++ b/test/image/oci/registry/data/oci/index +@@ -20,7 +20,7 @@ Etag: "sha256:bd28e852703450d93220e6733a9f0901b92cd558911528b03fdba56156ae0a02" + "size": 527 + }, + { +- "digest": "sha256:134252904112f8563a17a360957d9ad192e5c1e77463e04be74e71cffd4b41ba", ++ "digest": "sha256:106429d73f57137cc587d2d4f1ad7ffb8c4cedcb564d3fb44a8769e602a4a4ec", + "mediaType": "application/vnd.oci.image.manifest.v1+json", + "platform": { + "architecture": "arm64", +diff --git a/test/image/oci/registry/data/v2/manifest_list b/test/image/oci/registry/data/v2/manifest_list +index b4cf93c5..c1962e3e 100644 +--- a/test/image/oci/registry/data/v2/manifest_list ++++ b/test/image/oci/registry/data/v2/manifest_list +@@ -8,4 +8,4 @@ Docker-Content-Digest: sha256:9ddee63a712cea977267342e8750ecbc60d3aab25f04ceacfa + Docker-Distribution-Api-Version: registry/2.0 + Etag: "sha256:9ddee63a712cea977267342e8750ecbc60d3aab25f04ceacfa795e6fce341793" + 
+-{"manifests":[{"digest":"sha256:2131f09e4044327fd101ca1fd4043e6f3ad921ae7ee901e9142e6e36b354a907","mediaType":"application\/vnd.docker.distribution.manifest.v2+json","platform":{"architecture":"amd64","os":"linux"},"size":527},{"digest":"sha256:ea84577ce8331aaceefd586104ba283201b89b5a614b10ec44b9884722db49d8","mediaType":"application\/vnd.docker.distribution.manifest.v2+json","platform":{"architecture":"arm","os":"linux","variant":"v5"},"size":527},{"digest":"sha256:296361e74fe78e932cdd807743b5e37469518194f95c042135a6c3320ca52ef1","mediaType":"application\/vnd.docker.distribution.manifest.v2+json","platform":{"architecture":"arm","os":"linux","variant":"v6"},"size":527},{"digest":"sha256:5cbe4404234f93a5401b58e0c50408d5c9caace822b70867e4f3e787be83eee9","mediaType":"application\/vnd.docker.distribution.manifest.v2+json","platform":{"architecture":"arm","os":"linux","variant":"v7"},"size":527},{"digest":"sha256:134252904112f8563a17a360957d9ad192e5c1e77463e04be74e71cffd4b41ba","mediaType":"application\/vnd.docker.distribution.manifest.v2+json","platform":{"architecture":"arm64","os":"linux","variant":"v8"},"size":527},{"digest":"sha256:414aeb860595d7078cbe87abaeed05157d6b44907fbd7db30e1cfba9b6902448","mediaType":"application\/vnd.docker.distribution.manifest.v2+json","platform":{"architecture":"386","os":"linux"},"size":527},{"digest":"sha256:116dccaef9ca8b121565a39bd568ede437f084c94bb0642d2aba6b441e38d2f8","mediaType":"application\/vnd.docker.distribution.manifest.v2+json","platform":{"architecture":"mips64le","os":"linux"},"size":527},{"digest":"sha256:5477c332ec926f8221e82a6c9e37dd9d84a401e3b5f71ba7d498956552c880ac","mediaType":"application\/vnd.docker.distribution.manifest.v2+json","platform":{"architecture":"ppc64le","os":"linux"},"size":528},{"digest":"sha256:c304d497f3e0f87f8457401787df738f6f6e62b367bfd7c5f73f5b880b30ab4f","mediaType":"application\/vnd.docker.distribution.manifest.v2+json","platform":{"architecture":"s390x","os":"linux"},"size":528}],"mediaTyp
e":"application\/vnd.docker.distribution.manifest.list.v2+json","schemaVersion":2} +\ No newline at end of file ++{"manifests":[{"digest":"sha256:2131f09e4044327fd101ca1fd4043e6f3ad921ae7ee901e9142e6e36b354a907","mediaType":"application\/vnd.docker.distribution.manifest.v2+json","platform":{"architecture":"amd64","os":"linux"},"size":527},{"digest":"sha256:ea84577ce8331aaceefd586104ba283201b89b5a614b10ec44b9884722db49d8","mediaType":"application\/vnd.docker.distribution.manifest.v2+json","platform":{"architecture":"arm","os":"linux","variant":"v5"},"size":527},{"digest":"sha256:296361e74fe78e932cdd807743b5e37469518194f95c042135a6c3320ca52ef1","mediaType":"application\/vnd.docker.distribution.manifest.v2+json","platform":{"architecture":"arm","os":"linux","variant":"v6"},"size":527},{"digest":"sha256:5cbe4404234f93a5401b58e0c50408d5c9caace822b70867e4f3e787be83eee9","mediaType":"application\/vnd.docker.distribution.manifest.v2+json","platform":{"architecture":"arm","os":"linux","variant":"v7"},"size":527},{"digest":"sha256:2131f09e4044327fd101ca1fd4043e6f3ad921ae7ee901e9142e6e36b354a907","mediaType":"application\/vnd.docker.distribution.manifest.v2+json","platform":{"architecture":"arm64","os":"linux","variant":"v8"},"size":527},{"digest":"sha256:414aeb860595d7078cbe87abaeed05157d6b44907fbd7db30e1cfba9b6902448","mediaType":"application\/vnd.docker.distribution.manifest.v2+json","platform":{"architecture":"386","os":"linux"},"size":527},{"digest":"sha256:116dccaef9ca8b121565a39bd568ede437f084c94bb0642d2aba6b441e38d2f8","mediaType":"application\/vnd.docker.distribution.manifest.v2+json","platform":{"architecture":"mips64le","os":"linux"},"size":527},{"digest":"sha256:5477c332ec926f8221e82a6c9e37dd9d84a401e3b5f71ba7d498956552c880ac","mediaType":"application\/vnd.docker.distribution.manifest.v2+json","platform":{"architecture":"ppc64le","os":"linux"},"size":528},{"digest":"sha256:c304d497f3e0f87f8457401787df738f6f6e62b367bfd7c5f73f5b880b30ab4f","mediaType":"application\/v
nd.docker.distribution.manifest.v2+json","platform":{"architecture":"s390x","os":"linux"},"size":528}],"mediaType":"application\/vnd.docker.distribution.manifest.list.v2+json","schemaVersion":2} +-- +2.25.1 + diff --git a/0010-Modified-cmakelist-of-storage_layer-and-added-a-new-.patch b/0010-Modified-cmakelist-of-storage_layer-and-added-a-new-.patch new file mode 100644 index 0000000..1e281c9 --- /dev/null +++ b/0010-Modified-cmakelist-of-storage_layer-and-added-a-new-.patch 
@@ -0,0 +1,68 @@
+From 7e4b7304134eb0f85b83b02aeeee3c10b2303446 Mon Sep 17 00:00:00 2001
+From: chengzrz
+Date: Mon, 29 Nov 2021 14:41:47 +0800
+Subject: [PATCH 10/14] Modified cmakelist of storage_layer and added a new
+ mock function in isulad_config_mock to fix errors that happen when compiling
+ with UT option turned on
+
+Signed-off-by: chengzrz
+---
+ test/image/oci/storage/layers/CMakeLists.txt | 4 ++++
+ test/mocks/isulad_config_mock.cc | 8 ++++++++
+ test/mocks/isulad_config_mock.h | 1 +
+ 3 files changed, 13 insertions(+)
+
+diff --git a/test/image/oci/storage/layers/CMakeLists.txt b/test/image/oci/storage/layers/CMakeLists.txt
+index 4cae382c..3fe8ab7c 100644
+--- a/test/image/oci/storage/layers/CMakeLists.txt
++++ b/test/image/oci/storage/layers/CMakeLists.txt
+@@ -22,6 +22,8 @@ add_executable(${DRIVER_EXE}
+ ${CMAKE_CURRENT_SOURCE_DIR}/../../../../../src/utils/sha256/sha256.c
+ ${CMAKE_CURRENT_SOURCE_DIR}/../../../../../src/daemon/common/err_msg.c
+ ${CMAKE_CURRENT_SOURCE_DIR}/../../../../../src/daemon/common/selinux_label.c
++ ${CMAKE_CURRENT_SOURCE_DIR}/../../../../../src/daemon/config/daemon_arguments.c
++ ${CMAKE_CURRENT_SOURCE_DIR}/../../../../../src/daemon/config/isulad_config.c
+ ${CMAKE_CURRENT_SOURCE_DIR}/../../../../../src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.c
+ ${CMAKE_CURRENT_SOURCE_DIR}/../../../../../src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c
+ ${CMAKE_CURRENT_SOURCE_DIR}/../../../../../src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/driver_devmapper.c
+@@ -89,6 +91,8 @@ add_executable(${LAYER_EXE}
+ ${CMAKE_CURRENT_SOURCE_DIR}/../../../../../src/utils/tar/util_archive.c
+ ${CMAKE_CURRENT_SOURCE_DIR}/../../../../../src/utils/tar/util_gzip.c
+ ${CMAKE_CURRENT_SOURCE_DIR}/../../../../../src/utils/sha256/sha256.c
++ ${CMAKE_CURRENT_SOURCE_DIR}/../../../../../src/daemon/config/daemon_arguments.c
++ 
${CMAKE_CURRENT_SOURCE_DIR}/../../../../../src/daemon/config/isulad_config.c
+ ${CMAKE_CURRENT_SOURCE_DIR}/../../../../../src/daemon/common/err_msg.c
+ ${CMAKE_CURRENT_SOURCE_DIR}/../../../../../src/daemon/common/selinux_label.c
+ ${CMAKE_CURRENT_SOURCE_DIR}/../../../../../src/daemon/modules/image/oci/storage/layer_store/layer.c
+diff --git a/test/mocks/isulad_config_mock.cc b/test/mocks/isulad_config_mock.cc
+index a333c176..eb6970d7 100644
+--- a/test/mocks/isulad_config_mock.cc
++++ b/test/mocks/isulad_config_mock.cc
+@@ -170,3 +170,11 @@ isulad_daemon_constants *get_isulad_daemon_constants()
+ }
+ return &g_isulad_daemon_constants;
+ }
++
++char *conf_get_isulad_userns_remap()
++{
++ if (g_isulad_conf_mock != nullptr) {
++ return g_isulad_conf_mock->ConfGetIsuladUsernsRemap();
++ }
++ return nullptr;
++}
+\ No newline at end of file
+diff --git a/test/mocks/isulad_config_mock.h b/test/mocks/isulad_config_mock.h
+index b91b5465..7af20ca5 100644
+--- a/test/mocks/isulad_config_mock.h
++++ b/test/mocks/isulad_config_mock.h
+@@ -39,6 +39,7 @@ public:
+ MOCK_METHOD0(ConfGetUseDecryptedKeyFlag, bool (void));
+ MOCK_METHOD0(InitIsuladDaemonConstants, int (void));
+ MOCK_METHOD0(GetIsuladDaemonConstants, isulad_daemon_constants * (void));
++ MOCK_METHOD0(ConfGetIsuladUsernsRemap, char *(void));
+ };
+
+ void MockIsuladConf_SetMock(MockIsuladConf *mock);
+--
+2.25.1
+
diff --git a/0011-add-fuzz-build-in-CI.patch b/0011-add-fuzz-build-in-CI.patch
new file mode 100644
index 0000000..465a399
--- /dev/null
+++ b/0011-add-fuzz-build-in-CI.patch
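Review bot: The new `conf_get_isulad_userns_remap` mock in test/mocks/isulad_config_mock.cc returns whatever the gmock expectation yields without stating who owns the `char *`; if the production function hands back heap memory that callers free (this hunk does not show that), a test whose expectation returns a string literal will crash in the caller's free. A one-line comment on the mock, `// callers own the result: expectations must return a heap copy or nullptr`, would pin that contract for test authors. The same file is left without a trailing newline (`\ No newline at end of file`), which is worth fixing while the file is being touched.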
@@ -0,0 +1,120 @@
+From db952e8122e584dbb24d28d36abc2ac1b8ad0c77 Mon Sep 17 00:00:00 2001
+From: zhangxiaoyu
+Date: Mon, 29 Nov 2021 16:07:39 +0800
+Subject: [PATCH 11/14] add fuzz build in CI
+
+Signed-off-by: zhangxiaoyu
+---
+ CI/make-and-install.sh | 9 +++++++++
+ CMakeLists.txt | 4 ++--
+ test/fuzz/CMakeLists.txt | 25 +++++++++++++++++++------
+ 3 files changed, 30 insertions(+), 8 deletions(-)
+
+diff --git a/CI/make-and-install.sh b/CI/make-and-install.sh
+index 602878bf..3fd88b84 100755
+--- a/CI/make-and-install.sh
++++ b/CI/make-and-install.sh
+@@ -74,12 +74,21 @@ rm -rf build
+ mkdir build && cd build
+ cmake -DCMAKE_BUILD_TYPE=Debug -DENABLE_UT=ON -DENABLE_SHIM_V2=ON ..
+ make -j $(nproc)
++make install
+ ctest -T memcheck --output-on-failure
+ if [[ $? -ne 0 ]]; then
+ exit 1
+ fi
+ echo_success "===================RUN DT-LLT TESTCASES END========================="
+
++# build fuzz
++cd $ISULAD_COPY_PATH
++rm -rf build
++mkdir build
++cd build
++cmake -DCMAKE_BUILD_TYPE=Debug -DENABLE_FUZZ=ON ..
++make -j $(nproc)
++
+ # build rest version
+ cd $ISULAD_COPY_PATH
+ rm -rf build
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 0f7d6b9c..8fc03f2d 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -86,9 +86,9 @@ IF(ENABLE_UT)
+ add_subdirectory(${CMAKE_CURRENT_SOURCE_DIR}/test)
+ ENDIF(ENABLE_UT)
+
+-IF(ENABLE_FUZZ)
++IF(ENABLE_FUZZ AND (NOT ENABLE_UT))
+ add_subdirectory(${CMAKE_CURRENT_SOURCE_DIR}/test)
+-ENDIF(ENABLE_FUZZ)
++ENDIF(ENABLE_FUZZ AND (NOT ENABLE_UT))
+
+ # install all files
+ install(FILES ${CMAKE_BINARY_DIR}/conf/isulad.pc
+diff --git a/test/fuzz/CMakeLists.txt b/test/fuzz/CMakeLists.txt
+index 816dd3cf..61ab47d7 100644
+--- a/test/fuzz/CMakeLists.txt
++++ b/test/fuzz/CMakeLists.txt
+@@ -20,9 +20,18 @@ SET(EXE1 im_config_image_exist_fuzz)
+ SET(EXE2 im_get_image_count_fuzz)
+ SET(EXE3 test_volume_mount_spec_fuzz)
+ SET(EXE4 test_volume_parse_volume_fuzz)
+-add_executable(${EXE0} im_oci_image_exist_fuzz.cc)
+-add_executable(${EXE1} im_config_image_exist_fuzz.cc)
+-add_executable(${EXE2} im_get_image_count_fuzz.cc)
++add_executable(${EXE0}
++ ${CMAKE_CURRENT_SOURCE_DIR}/../../src/daemon/config/isulad_config.c
++ ${CMAKE_CURRENT_SOURCE_DIR}/../../src/daemon/config/daemon_arguments.c
++ im_oci_image_exist_fuzz.cc)
++add_executable(${EXE1}
++ ${CMAKE_CURRENT_SOURCE_DIR}/../../src/daemon/config/isulad_config.c
++ ${CMAKE_CURRENT_SOURCE_DIR}/../../src/daemon/config/daemon_arguments.c
++ im_config_image_exist_fuzz.cc)
++add_executable(${EXE2}
++ ${CMAKE_CURRENT_SOURCE_DIR}/../../src/daemon/config/isulad_config.c
++ ${CMAKE_CURRENT_SOURCE_DIR}/../../src/daemon/config/daemon_arguments.c
++ im_get_image_count_fuzz.cc)
+ add_executable(${EXE3}
+ ${CMAKE_CURRENT_SOURCE_DIR}/../../src/utils/cutils/utils.c
+ ${CMAKE_CURRENT_SOURCE_DIR}/../../src/utils/cutils/path.c
+@@ -36,6 +45,8 @@ add_executable(${EXE3}
+ ${CMAKE_CURRENT_SOURCE_DIR}/../../src/utils/cutils/utils_verify.c
+ ${CMAKE_CURRENT_SOURCE_DIR}/../../src/utils/sha256/sha256.c
+ 
${CMAKE_CURRENT_SOURCE_DIR}/../../src/utils/cutils/utils_mount_spec.c
++ ${CMAKE_CURRENT_SOURCE_DIR}/../../src/daemon/config/isulad_config.c
++ ${CMAKE_CURRENT_SOURCE_DIR}/../../src/daemon/config/daemon_arguments.c
+ test_volume_mount_spec_fuzz.cc
+ )
+ add_executable(${EXE4}
+@@ -51,6 +62,8 @@ add_executable(${EXE4}
+ ${CMAKE_CURRENT_SOURCE_DIR}/../../src/utils/cutils/utils_verify.c
+ ${CMAKE_CURRENT_SOURCE_DIR}/../../src/utils/sha256/sha256.c
+ ${CMAKE_CURRENT_SOURCE_DIR}/../../src/daemon/modules/spec/parse_volume.c
++ ${CMAKE_CURRENT_SOURCE_DIR}/../../src/daemon/config/isulad_config.c
++ ${CMAKE_CURRENT_SOURCE_DIR}/../../src/daemon/config/daemon_arguments.c
+ test_volume_parse_volume_fuzz.cc
+ )
+
+@@ -96,15 +109,15 @@ target_include_directories(${EXE4} PUBLIC
+
+ set_target_properties(${EXE0} PROPERTIES LINKER_LANGUAGE CXX)
+ set_target_properties(${EXE0} PROPERTIES LINK_FLAGS "-fsanitize=address -fsanitize-coverage=trace-pc")
+-target_link_libraries(${EXE0} ${CMAKE_THREAD_LIBS_INIT} ${ISULA_LIBUTILS_LIBRARY} ${LIB_FUZZING_ENGINE} pthread rt -lisulad_img)
++target_link_libraries(${EXE0} ${CMAKE_THREAD_LIBS_INIT} ${ISULA_LIBUTILS_LIBRARY} ${LIB_FUZZING_ENGINE} pthread rt -lisulad_img -lgcov)
+
+ set_target_properties(${EXE1} PROPERTIES LINKER_LANGUAGE CXX)
+ set_target_properties(${EXE1} PROPERTIES LINK_FLAGS "-fsanitize=address -fsanitize-coverage=trace-pc")
+-target_link_libraries(${EXE1} ${CMAKE_THREAD_LIBS_INIT} ${ISULA_LIBUTILS_LIBRARY} ${LIB_FUZZING_ENGINE} pthread rt -lisulad_img)
++target_link_libraries(${EXE1} ${CMAKE_THREAD_LIBS_INIT} ${ISULA_LIBUTILS_LIBRARY} ${LIB_FUZZING_ENGINE} pthread rt -lisulad_img -lgcov)
+
+ set_target_properties(${EXE2} PROPERTIES LINKER_LANGUAGE CXX)
+ set_target_properties(${EXE2} PROPERTIES LINK_FLAGS "-fsanitize=address -fsanitize-coverage=trace-pc")
+-target_link_libraries(${EXE2} ${CMAKE_THREAD_LIBS_INIT} ${ISULA_LIBUTILS_LIBRARY} ${LIB_FUZZING_ENGINE} pthread rt -lisulad_img)
++target_link_libraries(${EXE2} 
${CMAKE_THREAD_LIBS_INIT} ${ISULA_LIBUTILS_LIBRARY} ${LIB_FUZZING_ENGINE} pthread rt -lisulad_img -lgcov)
+
+ set_target_properties(${EXE3} PROPERTIES LINKER_LANGUAGE CXX)
+ set_target_properties(${EXE3} PROPERTIES LINK_FLAGS "-fsanitize=address -fsanitize-coverage=trace-pc")
+--
+2.25.1
+
diff --git a/0012-print-valgrind-log.patch b/0012-print-valgrind-log.patch
new file mode 100644
index 0000000..54d2074
--- /dev/null
+++ b/0012-print-valgrind-log.patch
@@ -0,0 +1,26 @@
+From cd3cda2bf3880d1e805406cba6e5c6510ef8832b Mon Sep 17 00:00:00 2001
+From: zhangxiaoyu
+Date: Wed, 1 Dec 2021 10:14:33 +0800
+Subject: [PATCH 12/14] print valgrind log
+
+Signed-off-by: zhangxiaoyu
+---
+ CI/test_cases/helpers.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/CI/test_cases/helpers.sh b/CI/test_cases/helpers.sh
+index 27f04749..dd1bf943 100755
+--- a/CI/test_cases/helpers.sh
++++ b/CI/test_cases/helpers.sh
+@@ -146,7 +146,7 @@ function check_valgrind_log() {
+ cat $valgrind_log | grep "are definitely lost" | grep "==$pid=="
+ if [ $? -eq 0 ];then
+ echo "Memory leak may checked by valgrind, see valgrind log file: $valgrind_log"
+- sed -n '/definitely lost/,// p' $valgrind_log
++ cat $valgrind_log
+ exit 1
+ fi
+ return 0
+--
+2.25.1
+
diff --git a/0013-fix-cri-version-memory-leak.patch b/0013-fix-cri-version-memory-leak.patch
new file mode 100644
index 0000000..b1e2f35
--- /dev/null
+++ b/0013-fix-cri-version-memory-leak.patch
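Review bot: The fuzz build added to CI/make-and-install.sh runs `make -j $(nproc)` with no check of its exit status, unlike the `ctest` call just above it, so unless the script runs under `set -e` (not visible in this hunk) a broken fuzz build passes CI silently; `make -j $(nproc) || exit 1`, or the same `if [[ $? -ne 0 ]]` pattern the ctest call uses, closes that gap, and the new `make install` before ctest has the same issue. In test/fuzz/CMakeLists.txt the two config sources are now repeated verbatim in five `add_executable` calls; a single `SET(...)` variable holding isulad_config.c and daemon_arguments.c, or an OBJECT library, would keep them in one place. The `-lgcov` appended to the link lines is unexplained in the hunk and deserves a one-line comment stating which build flag it pairs with.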
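Review bot: The replacement line `cat $valgrind_log` in check_valgrind_log leaves the path unquoted, as the surrounding lines already do, so a log path containing spaces or glob characters breaks the command; `cat "$valgrind_log"` is the safe form. Printing the whole log instead of the `definitely lost` section also means a large valgrind log lands in the CI output in full, and the commit gives no reason for that, so a comment such as `# dump the full log so the allocation stacks around the leak are visible` would help the next reader. The check_valgrind_log function starts above this hunk.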
@@ -0,0 +1,32 @@
+From 3750c2f7d6c13289bbfbb278e0e09667468286d0 Mon Sep 17 00:00:00 2001
+From: zhangxiaoyu
+Date: Thu, 2 Dec 2021 15:24:11 +0800
+Subject: [PATCH 13/14] fix cri version memory leak
+
+Signed-off-by: zhangxiaoyu
+---
+ src/daemon/entry/cri/cri_runtime_versioner_service_impl.cc | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/daemon/entry/cri/cri_runtime_versioner_service_impl.cc b/src/daemon/entry/cri/cri_runtime_versioner_service_impl.cc
+index 4316b190..6c4ba515 100644
+--- a/src/daemon/entry/cri/cri_runtime_versioner_service_impl.cc
++++ b/src/daemon/entry/cri/cri_runtime_versioner_service_impl.cc
+@@ -44,10 +44,10 @@ void RuntimeVersionerServiceImpl::Version(const std::string &apiVersion,
+ } else {
+ error.SetError("Failed to call version callback");
+ }
+- free_container_version_response(response);
+- return;
++ } else {
++ VersionResponseToGRPC(response, versionResponse);
+ }
+
+- VersionResponseToGRPC(response, versionResponse);
++ free_container_version_response(response);
+ }
+ } // namespace CRI
+\ No newline at end of file
+--
+2.25.1
+
diff --git a/0014-fix-undefined-reference-in-libisulad_img.so.patch b/0014-fix-undefined-reference-in-libisulad_img.so.patch
new file mode 100644
index 0000000..80710ac
--- /dev/null
+++ b/0014-fix-undefined-reference-in-libisulad_img.so.patch
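Review bot: After the restructure, `free_container_version_response(response)` runs on every path out of Version, including the failure branch where `response` may still be null if the callback never allocated it; that is only safe if the free function tolerates a null argument, which this hunk does not show. A short comment at the call, `// free_container_version_response accepts nullptr`, or an explicit `if (response != nullptr)` guard, would make the assumption visible to the next reader. The enclosing `Version` function and the `if` that the two `else` branches belong to start above the hunk, and the file is still left without a trailing newline.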
@@ -0,0 +1,25 @@
+From 861a635c95254c7429bc8c23552f529c5a083762 Mon Sep 17 00:00:00 2001
+From: WangFengTu
+Date: Thu, 2 Dec 2021 15:24:31 +0800
+Subject: [PATCH 14/14] fix undefined reference in libisulad_img.so
+
+Signed-off-by: WangFengTu
+---
+ src/daemon/modules/image/CMakeLists.txt | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/daemon/modules/image/CMakeLists.txt b/src/daemon/modules/image/CMakeLists.txt
+index 86b7d8a6..0a004835 100644
+--- a/src/daemon/modules/image/CMakeLists.txt
++++ b/src/daemon/modules/image/CMakeLists.txt
+@@ -71,6 +71,7 @@ add_library(${LIB_ISULAD_IMG} ${LIBTYPE}
+ ${CMAKE_SOURCE_DIR}/src/utils/tar/isulad_tar.c
+ ${CMAKE_SOURCE_DIR}/src/utils/tar/util_archive.c
+ ${CMAKE_SOURCE_DIR}/src/utils/tar/util_gzip.c
++ ${CMAKE_SOURCE_DIR}/src/daemon/config/isulad_config.c
+ )
+
+ target_include_directories(${LIB_ISULAD_IMG} PUBLIC
+--
+2.25.1
+
diff --git a/iSulad.spec b/iSulad.spec
index bb90053..9a2c139 100644
--- a/iSulad.spec
+++ b/iSulad.spec
@@ -1,5 +1,5 @@
%global _version 2.0.10
-%global _release 5
+%global _release 7
%global is_systemd 1
%global enable_shimv2 1
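Review bot: Adding isulad_config.c to the `LIB_ISULAD_IMG` sources means the same translation unit is now compiled into libisulad_img.so and, after 0010 and 0011, separately into the test and fuzz executables that link `-lisulad_img`; two copies of the same symbols in an executable and a shared object link fine on ELF but interpose on each other, so the per-executable copies look redundant once this patch is applied. Either drop isulad_config.c (and daemon_arguments.c, if it is only pulled in for it) from those targets or put a comment on this line explaining why both copies are needed. 0014 is ordered after 0010 and 0011 in the series, so those patches could not have relied on it, but the packaged result should be reconciled in one place.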
@@ -14,6 +14,18 @@ BuildRoot: {_tmppath}/iSulad-%{version}
Patch0001: 0001-add-self-def-runtime-for-shimv2.patch
Patch0002: 0002-fix-memleak-when-use-multiple-volumes-from.patch
+Patch0003: 0003-Modified-the-procedure-of-running-a-pod-to-adapt-to-.patch
+Patch0004: 0004-add-new-function-mock-for-ut.patch
+Patch0005: 0005-delete-isulad-h-flag.patch
+Patch0006: 0006-Fix-memory-leak-in-ClearCniNetwork-when-calling-get_.patch
+Patch0007: 0007-fix-cri-libwebsockets-sync_close_sem-memory-leak.patch
+Patch0008: 0008-fix-cpu-variant-get-error.patch
+Patch0009: 0009-fix-unit-test-error-of-registry-in-armv8.patch
+Patch0010: 0010-Modified-cmakelist-of-storage_layer-and-added-a-new-.patch
+Patch0011: 0011-add-fuzz-build-in-CI.patch
+Patch0012: 0012-print-valgrind-log.patch
+Patch0013: 0013-fix-cri-version-memory-leak.patch
+Patch0014: 0014-fix-undefined-reference-in-libisulad_img.so.patch
%ifarch x86_64 aarch64
Provides: libhttpclient.so()(64bit)
@@ -227,6 +239,18 @@ fi
%endif
%changelog
+* Thu Dec 02 2021 wangfengtu - 2.0.10-7
+- Type: bugfix
+- ID: NA
+- SUG: NA
+- DESC: sync patches from upstream
+
+* Tue Nov 23 2021 chengzeruizhi - 2.0.10-6
+- Type: enhancement
+- ID: NA
+- SUG: NA
+- DESC: modify the procedure of running a pod
+
* Fri Nov 19 2021 gaohuatao - 2.0.10-5
- Type: enhancement
- ID: NA