Package: release.debian.org
Severity: important
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: c...@packages.debian.org
Control: affects -1 + src:crun

[ Reason ]
Linux v6.6 blocked the mode change of symlinks, with commit
5d1f903f75a80daa4dfb3d84e114ec8ecbf29956 ("attr: block mode changes of
symlinks"). This was in turn backported to v6.1.55, with
6a84939cc7dd6f970c2621ded82c4d9ea0068b1b, and is part of src:linux
6.1.55-1, which is the version currently in bookworm.

This breaks crun 1.8.1, as found in bookworm, when running containers
with systemd as the init system.

The issue has been addressed upstream with commit
57262a2710c83fa08767f0ce3ba7a80993515bb2 ("ignore ENOTSUP when chmod a
symlink"), as well as 14afa8a46e2e83608a3a219402bce8ea8d071192 ("utils:
fix ignore ENOTSUP when chmod a symlink"), both part of crun 1.9.1.

[ Impact ]
Users are unable to start containers running systemd as their init
system. For example this now fails:

    podman run --rm -d docker.io/jrei/systemd-debian:12

[ Tests ]
The manual test as mentioned above, as well as non-systemd images that
continue to work, like:

    podman run --rm -it debian:sid

(Sadly we don't have any automated tests. crun in unstable now has
autopkgtests, but even these have the isolation-machine restriction and
are thus inoperable in Debian's CI, so I've elected to not backport them
here.)

[ Risks ]
The code is pretty trivial, I think, and has been part of upstream since
v1.9.1, released on September 26. trixie has v1.11, and sid has v1.11.1.

No alternatives that I know of.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
One change, effectively: to ignore ENOTSUP when chmod'ing a symlink,
/run/shm in the most popular broken case.

[ Other info ]
This has been reported by multiple users, cf. #1053821.

Given this constitutes a regression introduced by another package's
stable update, I consider this an urgent issue, and ask for RMs to copy
this to stable-updates.

Thanks,
Faidon

diff -Nru crun-1.8.1/debian/changelog crun-1.8.1/debian/changelog --- crun-1.8.1/debian/changelog 2023-02-27 22:01:38.000000000 +0200 +++ crun-1.8.1/debian/changelog 2023-11-02 18:52:46.000000000 +0200 @@ -1,3 +1,13 @@ +crun (1.8.1-1+deb12u1) bookworm; urgency=medium + + * Backport two commits from upstream ("ignore ENOTSUP when chmod a + symlink"), that restore containers with systemd as their init system, when + running under Linux >= v6.6 and >= v6.1.55, i.e. bookworm's current stable + kernel. (Closes: #1053821) + * Move myself to Maintainer, and Dmitry to Uploaders. + + -- Faidon Liambotis <parav...@debian.org> Thu, 02 Nov 2023 18:52:46 +0200 + crun (1.8.1-1) unstable; urgency=medium * New bugfix upstream release. diff -Nru crun-1.8.1/debian/control crun-1.8.1/debian/control --- crun-1.8.1/debian/control 2023-02-27 22:01:38.000000000 +0200 +++ crun-1.8.1/debian/control 2023-11-02 18:52:46.000000000 +0200 @@ -2,9 +2,9 @@ Section: admin Priority: optional Standards-Version: 4.6.2 -Maintainer: Dmitry Smirnov <only...@debian.org> +Maintainer: Faidon Liambotis <parav...@debian.org> Uploaders: - Faidon Liambotis <parav...@debian.org>, + Dmitry Smirnov <only...@debian.org>, Reinhard Tartler <siret...@tauware.de>, Build-Depends: automake, diff -Nru crun-1.8.1/debian/patches/series crun-1.8.1/debian/patches/series --- crun-1.8.1/debian/patches/series 1970-01-01 02:00:00.000000000 +0200 +++ crun-1.8.1/debian/patches/series 2023-11-02 18:52:46.000000000 +0200 @@ -0,0 +1,2 @@ +utils-ignore-ENOTSUP-when-chmod-a-symlink.patch +utils-fix-ignore-ENOTSUP-when-chmod-a-symlink.patch diff -Nru crun-1.8.1/debian/patches/utils-fix-ignore-ENOTSUP-when-chmod-a-symlink.patch crun-1.8.1/debian/patches/utils-fix-ignore-ENOTSUP-when-chmod-a-symlink.patch --- crun-1.8.1/debian/patches/utils-fix-ignore-ENOTSUP-when-chmod-a-symlink.patch 1970-01-01 02:00:00.000000000 +0200 +++ crun-1.8.1/debian/patches/utils-fix-ignore-ENOTSUP-when-chmod-a-symlink.patch 2023-11-02 18:52:46.000000000 +0200 
@@ -0,0 +1,36 @@ +From 60296f112fddc74f4926f8ca6f6e1ef7a61ef5b9 Mon Sep 17 00:00:00 2001 +From: Giuseppe Scrivano <gscri...@redhat.com> +Date: Tue, 26 Sep 2023 11:51:19 +0200 +Subject: [PATCH] utils: fix ignore ENOTSUP when chmod a symlink + +when ENOTSUP is encountered we must continue copying the other files, +not doing an early return. + +commit 57262a2710c83fa08767f0ce3ba7a80993515bb2 introduced the +regression with the Podman CI. + +Signed-off-by: Giuseppe Scrivano <gscri...@redhat.com> + +Origin: upstream, https://github.com/containers/crun/commit/14afa8a46e2e83608a3a219402bce8ea8d071192 +Bug: https://github.com/containers/crun/issues/1308 +Bug-Debian: https://bugs.debian.org/1053821 +--- + src/libcrun/utils.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/libcrun/utils.c b/src/libcrun/utils.c +index e5a82be..74bcf62 100644 +--- a/src/libcrun/utils.c ++++ b/src/libcrun/utils.c +@@ -2081,7 +2081,7 @@ copy_recursive_fd_to_fd (int srcdirfd, int dfd, const char *srcname, const char + { + /* If the operation fails with ENOTSUP we are dealing with a symlink, so ignore it. */ + if (errno == ENOTSUP) +- return 0; ++ continue; + + if (UNLIKELY (ret < 0)) + return crun_make_error (err, errno, "chmod `%s/%s`", destname, de->d_name); +-- +2.39.2 + diff -Nru crun-1.8.1/debian/patches/utils-ignore-ENOTSUP-when-chmod-a-symlink.patch crun-1.8.1/debian/patches/utils-ignore-ENOTSUP-when-chmod-a-symlink.patch --- crun-1.8.1/debian/patches/utils-ignore-ENOTSUP-when-chmod-a-symlink.patch 1970-01-01 02:00:00.000000000 +0200 +++ crun-1.8.1/debian/patches/utils-ignore-ENOTSUP-when-chmod-a-symlink.patch 2023-11-02 18:52:46.000000000 +0200 
@@ -0,0 +1,49 @@ +From 3bc67556e2f077337e574e4c3aaf18488410b2f5 Mon Sep 17 00:00:00 2001 +From: Giuseppe Scrivano <gscri...@redhat.com> +Date: Fri, 22 Sep 2023 11:34:19 +0200 +Subject: [PATCH] utils: ignore ENOTSUP when chmod a symlink + +commit 5d1f903f75a80daa4dfb3d84e114ec8ecbf29956 in the kernel, present +in a release since Linux 6.6 doesn't allow anymore to change the +mode of a symlink, so just ignore the failure. + +Closes: https://github.com/containers/crun/issues/1308 + +Signed-off-by: Giuseppe Scrivano <gscri...@redhat.com> + +Origin: upstream, https://github.com/containers/crun/commit/57262a2710c83fa08767f0ce3ba7a80993515bb2 +Bug: https://github.com/containers/crun/issues/1308 +Bug-Debian: https://bugs.debian.org/1053821 +--- + src/libcrun/utils.c | 14 ++------------ + 1 file changed, 2 insertions(+), 12 deletions(-) + +diff --git a/src/libcrun/utils.c b/src/libcrun/utils.c +index 5afdc09..e5a82be 100644 +--- a/src/libcrun/utils.c ++++ b/src/libcrun/utils.c +@@ -2079,19 +2079,9 @@ copy_recursive_fd_to_fd (int srcdirfd, int dfd, const char *srcname, const char + ret = fchmodat (destdirfd, de->d_name, mode & ALLPERMS, AT_SYMLINK_NOFOLLOW); + if (UNLIKELY (ret < 0)) + { ++ /* If the operation fails with ENOTSUP we are dealing with a symlink, so ignore it. */ + if (errno == ENOTSUP) +- { +- proc_fd_path_t proc_path; +- cleanup_close int fd = -1; +- +- fd = openat (destdirfd, de->d_name, O_PATH | O_NOFOLLOW); +- if (UNLIKELY (fd < 0)) +- return crun_make_error (err, errno, "open `%s/%s`", destname, de->d_name); +- +- get_proc_self_fd_path (proc_path, fd); +- +- ret = chmod (proc_path, mode & ALLPERMS); +- } ++ return 0; + + if (UNLIKELY (ret < 0)) + return crun_make_error (err, errno, "chmod `%s/%s`", destname, de->d_name); +-- +2.39.2 +
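
Review bot: in the debian/changelog hunk, "Linux >= v6.6 and >= v6.1.55" reads as one combined condition, while the request describes two alternatives (mainline from v6.6, and the 6.1 series from the v6.1.55 backport). Wording such as "Linux >= v6.6, or >= v6.1.55 in the 6.1 series" would say which kernels are affected without the reader having to untangle it.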
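
Review bot: the Maintainer/Uploaders swap in the debian/control hunk is unrelated to the ENOTSUP regression, and the [ Changes ] section of the request describes "one change, effectively" without mentioning it. Either list it there as a second change so it is reviewed explicitly, or leave it out of the stable upload and keep the debdiff limited to the two backported patches.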
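
Review bot: in utils-fix-ignore-ENOTSUP-when-chmod-a-symlink.patch (hunk at -2081), the inner "if (UNLIKELY (ret < 0))" that follows the ENOTSUP check is now always true, since the whole block already sits inside the outer "if (UNLIKELY (ret < 0))" and nothing reassigns ret once the /proc fallback is gone. It is harmless, but the error return could be made unconditional to keep the control flow obvious. Also worth noting in the DEP-3 header: the "From 60296f1..." line carries a different hash than the Origin URL (14afa8a...), so the Origin field is the one readers should rely on.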
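
Review bot: in utils-ignore-ENOTSUP-when-chmod-a-symlink.patch (hunk at -2079), the new comment states that ENOTSUP means "we are dealing with a symlink", but nothing in the visible code checks the entry type, so any ENOTSUP from fchmodat now leaves the destination mode silently unchanged where the removed fallback would have retried through the /proc path. Consider ignoring the error only when the entry is confirmed to be a symlink (for example via de->d_type or an fstatat with AT_SYMLINK_NOFOLLOW) and still reporting it otherwise. The "return 0" here also ends the copy loop early; that part is corrected by the follow-up patch in the series, so the two must always be applied together.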
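
The behaviour described in the report, as an added example that is not part of the original message or of crun's code: fchmodat with AT_SYMLINK_NOFOLLOW fails with ENOTSUP on a symlink, and the loop has to keep going so later entries still get their mode. The helper names chmod_names_nofollow and demo, the /tmp path and the sample tree are constructed for illustration; unlike the backported patch, the helper confirms with fstatat that the entry is a symlink before ignoring the error.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not crun's code: chmod each named entry under dirfd
   without following symlinks. ENOTSUP is tolerated only when the entry really
   is a symlink. Returns the number of symlinks skipped, or -1 with errno set. */
int chmod_names_nofollow (int dirfd, const char *const *names, int n, mode_t mode)
{
  int skipped = 0, saved, i;
  struct stat st;

  for (i = 0; i < n; i++) {
    if (fchmodat (dirfd, names[i], mode & 07777, AT_SYMLINK_NOFOLLOW) == 0)
      continue;
    saved = errno;
    if (saved != ENOTSUP || fstatat (dirfd, names[i], &st, AT_SYMLINK_NOFOLLOW) < 0
        || !S_ISLNK (st.st_mode)) {
      errno = saved;
      return -1; /* real failure, or ENOTSUP on something that is not a symlink */
    }
    skipped++; /* keep going: returning here would leave later entries unchanged */
  }
  return skipped;
}

/* Constructed sample tree: file "a", symlink "link" -> "a", file "z", in that
   order. Returns the skipped count; *z_mode receives the final mode of "z". */
int demo (mode_t *z_mode)
{
  char dir[] = "/tmp/chmod-demo-XXXXXX";
  const char *const names[] = { "a", "link", "z" };
  struct stat st;
  int dirfd, ret = -1, i;
  if (mkdtemp (dir) == NULL || (dirfd = open (dir, O_RDONLY | O_DIRECTORY)) < 0)
    return -1;
  close (openat (dirfd, "a", O_CREAT | O_WRONLY, 0600));
  close (openat (dirfd, "z", O_CREAT | O_WRONLY, 0600));
  if (symlinkat ("a", dirfd, "link") == 0)
    ret = chmod_names_nofollow (dirfd, names, 3, 0640);
  *z_mode = fstatat (dirfd, "z", &st, 0) == 0 ? (st.st_mode & 07777) : 0;
  for (i = 0; i < 3; i++)
    unlinkat (dirfd, names[i], 0);
  close (dirfd);
  rmdir (dir);
  return ret;
}
```

With an early return in place of the skip, "z" would keep its creation mode of 0600, which is the failure the second upstream commit addresses.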