nspawn: accept OCI runtime-spec 1.x bundles#42665
Conversation
github-actions
Bot
added
nspawn
util-lib
tests
sd-event
please-review
There was a problem hiding this comment.
this really shouldn't be commited
| #endif | ||
| #ifdef SEGV_MTESERR | ||
| [SEGV_MTESERR] = "SEGV_MTESERR", | ||
| #endif |
There was a problem hiding this comment.
hmm, we usually prefer if we just update the uapi headers that define them in our tree.
| s = sd_json_variant_string(v); | ||
| if (isempty(s)) | ||
| return log_error_errno(SYNTHETIC_ERRNO(EINVAL), | ||
| "OCI bundle version is missing or empty."); |
There was a problem hiding this comment.
this if check should really move to oci_version_parse() i am sure, it's part of parsing
|
|
||
| r = extract_first_word(&p, &patch, ".", EXTRACT_DONT_COALESCE_SEPARATORS); | ||
| if (r <= 0 || p) | ||
| return -EINVAL; |
There was a problem hiding this comment.
are oci versions guaranteed to have all three versions? shouldn#t we be graceful here, and be ok minor or micro are missing, and only insist on major?
There was a problem hiding this comment.
Everything I looked through showed all three but I agree with you it should handle that. Deciding if it's equivalent to a patch of 0 or if 1.3 is technically < 1.3.0. I don't think it would matter either direction.
poettering
added
reviewed/needs-rework 🔨
|
so the compat support i am not convinced by, but @daandemeyer can comment on that. can you separate out the compat support from the other stuff that makes newer oci stuff work? |
Co-developed-by: OpenAI Codex <noreply@openai.com>
Co-developed-by: OpenAI Codex <noreply@openai.com>
russell-parks
force-pushed
the
feat/oci-runtime-spec-1x
branch
from
373217f to
e0c050b
Compare
2 participants
Accept any OCI runtime-spec 1.x bundle that
systemd-nspawncan safely interpret.This relaxes the current
1.0.0-only acceptance to the whole runtime-spec 1.x line, while still rejecting malformed version strings. The implementation keeps the policy narrow: accept newer 1.x bundles that are structurally compatible with what nspawn already interprets, without claiming support for unrelated OCI specs.Changes in this PR:
1.xbundles instead of requiring exactly1.0.0Fork-side CI compatibility fixes observed while validating this branch on
rezzell/systemd:#42650libc: provide openat2 syscall number fallback#42657libc: provide mount_setattr syscall number fallback#42658libc: add close_range fallbacks for older libc#42659sd-event: tolerate older glibc without mallinfo2#42660basic: resolve strerrorname_np at runtime#42661basic: guard newer SEGV si_code constantsThose failures were exposed by fork-side
ClusterFuzzLitePR fuzzing while testing this branch and are not currently reproduced in upstream CI.