Merge pull request #440 from kzys/runc-upgrade

Kazuyoshi Kato · web-flow · commit 588cafdad743 · 2020-11-16T11:22:10.000-08:00
Upgrade runc from 1.0-rc10 to 1.0-rc92
diff --git a/_submodules/runc b/_submodules/runc
@@ -1 +1 @@
-Subproject commit dc9208a3303feef5b3839f4323d9beb36df0a9dd
+Subproject commit ff819c7e9184c13b7c2607fe6c30ae19403a7aff
diff --git a/runtime/service_integ_test.go b/runtime/service_integ_test.go
@@ -32,6 +32,7 @@ import (
 	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/api/events"
 	"github.com/containerd/containerd/cio"
+	"github.com/containerd/containerd/containers"
 	"github.com/containerd/containerd/namespaces"
 	"github.com/containerd/containerd/oci"
 	"github.com/containerd/containerd/pkg/ttrpcutil"
@@ -657,6 +658,24 @@ func TestLongUnixSocketPath_Isolated(t *testing.T) {
 	}
 }
 
+func allowDeviceAccess(_ context.Context, _ oci.Client, _ *containers.Container, s *oci.Spec) error {
+	// By default, all devices accesses are forbidden.
+	s.Linux.Resources.Devices = append(
+		s.Linux.Resources.Devices,
+		specs.LinuxDeviceCgroup{Allow: true, Access: "r"},
+	)
+
+	// Exposes the host kernel's /dev as /dev.
+	// By default, runc creates own /dev with a minimal set of pseudo devices such as /dev/null.
+	s.Mounts = append(s.Mounts, specs.Mount{
+		Type:        "bind",
+		Options:     []string{"bind"},
+		Destination: "/dev",
+		Source:      "/dev",
+	})
+	return nil
+}
+
 func TestStubBlockDevices_Isolated(t *testing.T) {
 	prepareIntegTest(t)
 
@@ -706,15 +725,6 @@ func TestStubBlockDevices_Isolated(t *testing.T) {
 			oci.WithProcessArgs("/bin/sh", "/var/firecracker-containerd-test/scripts/lsblk.sh"),
 
 			oci.WithMounts([]specs.Mount{
-				// Exposes the host kernel's /dev as /dev.
-				// By default, runc creates own /dev with a minimal set of pseudo devices such as /dev/null.
-				{
-					Type:        "bind",
-					Options:     []string{"bind"},
-					Destination: "/dev",
-					Source:      "/dev",
-				},
-
 				// Exposes test scripts from the host kernel
 				{
 					Type:        "bind",
@@ -723,8 +733,7 @@ func TestStubBlockDevices_Isolated(t *testing.T) {
 					Source:      "/var/firecracker-containerd-test/scripts",
 				},
 			}),
-			// Make the host kernel's /dev readable
-			oci.WithParentCgroupDevices,
+			allowDeviceAccess,
 		),
 	)
 	require.NoError(t, err, "failed to create container %s", containerName)
diff --git a/tools/docker/scripts/lsblk.sh b/tools/docker/scripts/lsblk.sh
@@ -1,6 +1,6 @@
 #! /bin/sh
 # tiny lsblk(8) equivalent to make integration tests distro-agnostic
-set -eu
+set -euo pipefail
 
 echo 'NAME MAJ:MIN RM      SIZE RO | MAGIC'
 
