tests/int: allow cpu quota cgroup v1 files fds

Since switching to Go 1.25 in go.mod, the "detect fd leaks" test fails
like this:

> not ok 57 runc create[detect fd leak as comprehensively as possible]
> # (in test file tests/integration/create.bats, line 76)
> #   `[ "$violation_found" -eq 0 ]' failed
> ...
> # Violation: FD 9 -> '/system.slice/runc-test_busybox.scope/cpu.cfs_quota_us'
> # Violation: FD 10 -> '/system.slice/runc-test_busybox.scope/cpu.cfs_period_us'
> ...

This happens because Go 1.25 adds a feature to dynamically set GOMAXPROC
based on current CPU quota values. This feature can be disabled by setting

	GODEBUG=containermaxprocs=0,updatemaxprocs=0

but it is harmless to keep it (except for the above test failure).

Add an exception to the test case.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This commit is contained in:
Kir Kolyshkin
2026-03-30 11:40:49 -07:00
parent 400f3dd460
commit f9a9a36fa8
+3 -1
View File
@@ -38,7 +38,9 @@ is_allowed_fdtarget() {
# overlayfs binary reference (CVE-2019-5736)
grep -Ex "/runc" <<<"$target" ||
# memfd cloned binary (CVE-2019-5736)
grep -Fx "/memfd:runc_cloned:/proc/self/exe (deleted)" <<<"$target"
grep -Fx "/memfd:runc_cloned:/proc/self/exe (deleted)" <<<"$target" ||
# Go 1.25+ runtime opens these cgroup v1 files (see https://go.dev/cl/670497).
grep -Ex ".*/cpu.cfs_(quota|period)_us" <<<"$target"
} >/dev/null
return "$?"
}