From 3d30cba255cb03221198becc45ed8d8a613538e9 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Fri, 18 Mar 2022 14:31:56 -0500
Subject: [PATCH] rootfs: Add patch for runc 1.1.0 bug issue #3387
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

There is apparently a bug in *runc* 1.1.0 that prevents privileged
containers from starting:

> docker: Error response from daemon: failed to create shim: OCI runtime
> create failed: runc create failed: unable to start container process:
> unable to apply cgroup configuration: chown
> /sys/fs/cgroup/system.slice/docker-….scope/memory.oom.group: no such
> file or directory: unknown.

A patch is available but has not been integrated into an official
release yet.
---
 configs/jenkinsagent_defconfig                |  1 +
 ...b981005361daaa8a4f58e4ca7448b5459250.patch | 91 +++++++++++++++++++
 2 files changed, 92 insertions(+)
 create mode 100644 patches/runc/1.1.0/8c04b981005361daaa8a4f58e4ca7448b5459250.patch

diff --git a/configs/jenkinsagent_defconfig b/configs/jenkinsagent_defconfig
index a0d1aab..0d7116d 100644
--- a/configs/jenkinsagent_defconfig
+++ b/configs/jenkinsagent_defconfig
@@ -1,6 +1,7 @@
 BR2_aarch64=y
 BR2_cortex_a72=y
 BR2_ARM_FPU_VFPV4=y
+BR2_GLOBAL_PATCH_DIR="$(BR2_EXTERNAL_jenkinsagent_PATH)/patches"
 BR2_TOOLCHAIN_BUILDROOT_GLIBC=y
 BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_5_10=y
 BR2_TOOLCHAIN_BUILDROOT_CXX=y
diff --git a/patches/runc/1.1.0/8c04b981005361daaa8a4f58e4ca7448b5459250.patch b/patches/runc/1.1.0/8c04b981005361daaa8a4f58e4ca7448b5459250.patch
new file mode 100644
index 0000000..a1d3c20
--- /dev/null
+++ b/patches/runc/1.1.0/8c04b981005361daaa8a4f58e4ca7448b5459250.patch
@@ -0,0 +1,91 @@
+From 8c04b981005361daaa8a4f58e4ca7448b5459250 Mon Sep 17 00:00:00 2001
+From: Kir Kolyshkin <kolyshkin@gmail.com>
+Date: Mon, 21 Feb 2022 10:34:27 -0800
+Subject: [PATCH] libct/cg/sd/v2: fix ENOENT on cgroup delegation
+
+Apparently, not all files listed in /sys/kernel/cgroup/delegate must
+exist in every cgroup, so we should ignore ENOENT.
+
+Dot not ignore ENOENT on the directory itself though.
+
+Change cgroupFilesToChown to not return ".", and refactor it to not do
+any dynamic slice appending in case we're using the default built-in
+list of files.
+
+Fixes: 35d20c4e0
+Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
+---
+ libcontainer/cgroups/systemd/v2.go | 36 +++++++++++++++++++-----------
+ 1 file changed, 23 insertions(+), 13 deletions(-)
+
+diff --git a/libcontainer/cgroups/systemd/v2.go b/libcontainer/cgroups/systemd/v2.go
+index c31f0ecfd2..de0cb974d4 100644
+--- a/libcontainer/cgroups/systemd/v2.go
++++ b/libcontainer/cgroups/systemd/v2.go
+@@ -2,6 +2,7 @@ package systemd
+ 
+ import (
+ 	"bufio"
++	"errors"
+ 	"fmt"
+ 	"math"
+ 	"os"
+@@ -292,6 +293,12 @@ func (m *unifiedManager) Apply(pid int) error {
+ 	}
+ 
+ 	if c.OwnerUID != nil {
++		// The directory itself must be chowned.
++		err := os.Chown(m.path, *c.OwnerUID, -1)
++		if err != nil {
++			return err
++		}
++
+ 		filesToChown, err := cgroupFilesToChown()
+ 		if err != nil {
+ 			return err
+@@ -299,7 +306,8 @@ func (m *unifiedManager) Apply(pid int) error {
+ 
+ 		for _, v := range filesToChown {
+ 			err := os.Chown(m.path+"/"+v, *c.OwnerUID, -1)
+-			if err != nil {
++			// Some files might not be present.
++			if err != nil && !errors.Is(err, os.ErrNotExist) {
+ 				return err
+ 			}
+ 		}
+@@ -312,21 +320,23 @@ func (m *unifiedManager) Apply(pid int) error {
+ // uid in /sys/kernel/cgroup/delegate.  If the file is not present
+ // (Linux < 4.15), use the initial values mentioned in cgroups(7).
+ func cgroupFilesToChown() ([]string, error) {
+-	filesToChown := []string{"."} // the directory itself must be chowned
+ 	const cgroupDelegateFile = "/sys/kernel/cgroup/delegate"
++
+ 	f, err := os.Open(cgroupDelegateFile)
+-	if err == nil {
+-		defer f.Close()
+-		scanner := bufio.NewScanner(f)
+-		for scanner.Scan() {
+-			filesToChown = append(filesToChown, scanner.Text())
+-		}
+-		if err := scanner.Err(); err != nil {
+-			return nil, fmt.Errorf("error reading %s: %w", cgroupDelegateFile, err)
+-		}
+-	} else {
+-		filesToChown = append(filesToChown, "cgroup.procs", "cgroup.subtree_control", "cgroup.threads")
++	if err != nil {
++		return []string{"cgroup.procs", "cgroup.subtree_control", "cgroup.threads"}, nil
+ 	}
++	defer f.Close()
++
++	filesToChown := []string{}
++	scanner := bufio.NewScanner(f)
++	for scanner.Scan() {
++		filesToChown = append(filesToChown, scanner.Text())
++	}
++	if err := scanner.Err(); err != nil {
++		return nil, fmt.Errorf("error reading %s: %w", cgroupDelegateFile, err)
++	}
++
+ 	return filesToChown, nil
+ }
+