109 Commits

Author SHA1 Message Date
Akihiro Suda c5cd23698c Merge pull request #5260 from alliasgher/chore/5240-unify-curl
ci: switch build scripts from wget to curl
2026-06-23 11:24:50 +09:00
Aleksa Sarai d47bf88349 deps: update to libpathrs v0.2.5
This update includes a few breaking API changes that I needed to get in
before an actual runc release depends on it, so that we don't need to
deal with compatibility shims for them (or bumping the SOVERSION).

From a Go API perspective, there were no major changes -- though this
bump did also require a bump to github.com/cyphar/filepath-securejoin
because one of the wrapped APIs changed from int to uint64 as a flag
argument type. Again, better to get this done before we really depend on
this in a public way.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-06-18 11:57:38 +02:00
Ali 40f5fbd3cf ci: switch build scripts from wget to curl
runc's build scripts and CI setup used a mix of wget (4 sites) and
curl (8 sites) for HTTPS fetches. Standardise the three script sites on
curl, which is already required by the majority of call sites.

* script/build-libpathrs.sh and script/build-seccomp.sh: replace
  wget "<url>"{,.asc} with curl -fsSLO "<url>"{,.asc}. Bash brace
  expansion still yields two separate downloads (the tarball and its
  .asc signature).
* script/setup_host.sh: replace wget with curl in the Fedora RPM
  install list.

Leaving the single wget call in Dockerfile untouched per review
feedback -- the trixie base image already ships wget, and switching
would add an extra apt-get update && install step before the existing
single-pass package install.

Refs #5240

Signed-off-by: Ali <alliasgher123@gmail.com>
2026-04-24 03:33:06 +05:00
Akihiro Suda 9d697a9222 Complete migration from Cirrus CI to GHA (Lima)
Fix issue 5238

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2026-04-14 19:17:07 +09:00
Akhil Mohan 28d5ffbab0 use POSIX regex in libpathrs build
word boundary anchor \> is present only in GNU awk implementation. This
will not work if we are building libpathrs inside a container like
debian/ubuntu which uses mawk. Therefore switch to a POSIX compatible
regex that can be used with all implementations of awk to find the
system libc path

Signed-off-by: Akhil Mohan <akhilerm@gmail.com>
Signed-off-by: Aleksa Sarai <aleksa@amutable.com>
2026-03-24 21:20:45 +11:00
Aleksa Sarai 7322b05f41 ci: build and install libpathrs
libpathrs will be opt-out in a future patch so we need to test with it
in our CI.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-12 17:58:11 +09:00
Aleksa Sarai 8689e50cbe build: enable builds with libpathrs
pathrs-lite supports transparently switching to libpathrs.so as the
backend with the "libpathrs" build tag. In order to make this work
properly with our CI and release build scripts, we we need to have a
similar setup as with we do with libseccomp.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-12 17:58:10 +09:00
Aleksa Sarai b1a9047c7a script: seccomp.sh -> build-seccomp.sh
This name is far more descriptive.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-12 17:58:10 +09:00
Aleksa Sarai 8292574e7a build: rename /opt/libseccomp cdylib directory
In a future patch this will contain other cdylibs so it deserves a
slightly more general name.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-12 17:58:10 +09:00
Aleksa Sarai 51ae8de054 build: treat armhf as ARMv7
The intention of commit 531e29e192 ("script/lib.sh: set GOARM=5 for
armel, GOARM=6 for armhf") was to properly support older ARM platforms
with our release builds.

However, we have never been able to support ARMv6 for our builds because
we use the Debian compiler to build the libseccomp we statically compile
into our binaries and (as per the now-deleted comment itself) Debian
treats armhf as being ARMv7 so the final binaries we produced were
always only ever compatible with ARMv7+.

This was a bit of an oddity before but when building libpathrs for
releases we will need to use Rust which makes the target more explicit
(and while it does support armhf, we are using the Debian-packaged Rust
cross-compiler and thus are in the same dilemma with what Debian
considers "armhf" to be).

All-in-all, it's better to just bite the bullet and just follow Debian
here properly.

Fixes: 531e29e192 ("script/lib.sh: set GOARM=5 for armel, GOARM=6 for armhf")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-12 17:58:09 +09:00
Aleksa Sarai 936a59b07f keyring: validate: allow maintainers to have no keys
Some maintainers appear to have removed their PGP keys, which causes
"gpg --import" during "make validate-keyring" to fail. The solution is
to switch to a non-fatal warning if no keys were imported.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-05 00:42:06 +11:00
Kir Kolyshkin f4710e5023 Bump seccomp to v2.6.0
This version was released almost a year ago.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-03 10:22:14 -08:00
Aleksa Sarai 7c8fccd646 release: use runc-$version.tar.xz as archive name
Because we add the runc-$version/ prefix to the archive we generate,
including the version in the name makes it easier for some tools to
operate on as it matches most other projects (for openSUSE we rename the
archive file to this format in order for the automated RPM scripts to
work properly).

Also, when doing several releases at the same time, being able to
double-check that the correct artefact versions were uploaded for each
release can be quite handy.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-30 15:10:36 +11:00
Kir Kolyshkin 7d6848f883 script/setup_rootless.sh: chown nit
This fixes the following warning (seen on Fedora 42 and Ubuntu 24.04):

	+ sudo chown -R rootless.rootless /home/rootless
	chown: warning: '.' should be ':': ‘rootless.rootless’

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-09-16 13:27:56 -07:00
Kir Kolyshkin 3b533b23a6 script/lib.sh: remove obsoleted comment
Since commit 871057d8 we no longer have cc_platform.mk.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-08-04 16:46:57 -07:00
Kir Kolyshkin 3e3e04824d ci: upgrade to criu-4.1-2 in Fedora
Package criu-4.1-1 has a known bug [1] which is fixed in criu-4.1-2 [2],
which is currently only available in updates-testing. Add a kludge to
install newer criu if necessary to fix CI.

This will not be needed in ~2 weeks once the new package is promoted to
updates.

[1]: https://github.com/checkpoint-restore/criu/issues/2650
[2]: https://bodhi.fedoraproject.org/updates/FEDORA-2025-d374d8ce17

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-22 19:35:09 -07:00
Kir Kolyshkin 87ae2f8466 Unify and fix rootless key setup
For some reason, ssh-keygen is unable to write to /root even as root on
AlmaLinux 8:

	# id
	uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0
	# id -Z
	ls -ld /root
	# ssh-keygen -t ecdsa -N "" -f /root/rootless.key || cat /var/log/audit/audit.log
	Saving key "/root/rootless.key" failed: Permission denied

The audit.log shows:

> type=AVC msg=audit(1744834995.352:546): avc:  denied  { dac_override } for  pid=13471 comm="ssh-keygen" capability=1  scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:system_r:ssh_keygen_t:s0 tclass=capability permissive=0
> type=SYSCALL msg=audit(1744834995.352:546): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5641c7587520 a2=241 a3=180 items=0 ppid=4978 pid=13471 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)␝ARCH=x86_64 SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"

A workaround is to use /root/.ssh directory instead of just /root.

While at it, let's unify rootless user and key setup into a single place.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-17 16:16:31 -07:00
Kir Kolyshkin 8e653e40c6 script/setup_host_fedora.sh: use bash arrays
This makes the code more robust and allows to remove the
"shellcheck disable=SC2086" annotation.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-13 10:21:55 -07:00
Kir Kolyshkin a76a1361b4 script/setup_host_fedora.sh: remove -p from mkdir
1. There is no need to have -p option in mkdir here, since
   /home/rootless was already created by useradd above.

2. When there is no -p, there is no need to suppress the shellcheck
   warning (which looked like this):

> In script/setup_host_fedora.sh line 21:
> mkdir -m 0700 -p /home/rootless/.ssh
>       ^-- SC2174 (warning): When used with -p, -m only applies to the deepest directory.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-13 10:21:55 -07:00
Akihiro Suda 135552e5e4 CI: migrate Vagrant + Cirrus to Lima + GHA
- Unlike proprietary Vagrant, Lima remains to be an open source project
- GHA now natively supports nested virt on Linux runners

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2025-03-07 12:48:02 +09:00
Rodrigo Campos 199a307569 Merge pull request #4625 from kolyshkin/seccomp256
build: bump libseccomp to v2.5.6
2025-02-13 08:00:38 -03:00
Aleksa Sarai 26cfe14231 release: explicitly set --keyserver in release signing scripts
On my machine, the --recv-keys steps to get upstream keys started
producing errors recently, and even setting a default keyserver in the
global gpg configuration doesn't seem to help:

  + gpg --homedir=/tmp/runc-sign-tmpkeyring.qm0IP6
        --no-default-keyring --keyring=seccomp.keyring
        --recv-keys 0x47A68FCE37C7D7024FD65E11356CE62C2B524099
  gpg: keybox '/tmp/runc-sign-tmpkeyring.qm0IP6/seccomp.keyring' created
  gpg: keyserver receive failed: No keyserver available

So just explicitly specify a reputable keyserver. Ideally we would use
an .onion-address keyserver to avoid potential targeted attacks but not
everybody runs a Tor proxy on their machine.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-02-13 14:42:24 +11:00
Kir Kolyshkin 0e3b5d5b37 build: bump libseccomp to v2.5.6
A new libseccomp releases (v2.5.6 and v2.6.0) were cut last month.

Theoretically, we could use v2.6.0 but let's stay conservative for now.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-12 07:58:34 -08:00
Kir Kolyshkin ee1bced18c script/check-config.sh: add OVERLAY_FS check
While this is used by the majority of upper container runtimes, it was
not needed for runc itself. Since commit 515f09f7 runc uses overlay,
too, so let's add a check for this.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-29 16:57:25 -07:00
Kir Kolyshkin 2cb46c6e0d script/keyring_validate.sh: fix a typo
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-13 08:03:08 -07:00
Kir Kolyshkin 760105ab11 script/*: fix gpg usage wrt keyboxd
I used script/keyring_validate.sh, which gave me this error:

> [*] User cyphar in runc.keyring is not a maintainer!

Apparently, when gnupg 2.4.1+ sees a fresh install (i.e. no ~/.gnupg
directory), it configures itself to use keyboxd instead of keyring
files, and when just silently ignores options like --keyring and
--no-default-keyring, working with keyboxd all the time.

The only way I found to make it not use keyboxd is to set --homedir.
Let's do that when we explicitly want a separate keyring.

Similar change is made to script/release_key.sh.

Also, change "--import --import-options=show-only" to "--show-keys"
which is a shortcut. When using this, there is no need to protect
the default keyring since this command does not read or modify it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-05 17:05:05 -07:00
Aleksa Sarai cdccf6d615 build: update libseccomp to v2.5.5
This adds support for syscalls up to Linux 6.7-rc3.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-03-15 17:57:54 +11:00
Christian Happ 2a473a7630 Add CONFIG_NETFILTER_XT_MATCH_COMMENT to check
It seems that newer podman versions need the kernel comment flag too.

By podman run, iptables using -m comment in the iptables-command to add the corresponding network rules.

Signed-off-by: Christian Happ <Christian.Happ@jumo.net>
2024-01-08 12:00:08 +01:00
Kir Kolyshkin 5a4f52178d script/check-config.sh: check CONFIG_BLK_CGROUP_IOCOST
For `io.weight`

Co-authored-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-12-20 10:07:43 -08:00
Kir Kolyshkin d87366f019 scripts/check-config: fix kernel version checks
Looking at the code, I found out that kernel_lt function was actually
doing le ("less than or equal") rather than lt ("less than") operation.
Let's fix this and do exactly what the name says.

A bigger issue is, the function use was not consistent (some uses
implied "less than or equal").

To fix the usage, find out all relevant kernel commits and kernel
versions that have them (the latter is done using "git describe
--contains $sha"), and fix the wrong cases. While at it, add references
to all these kernel commits for the future generations of
check-config.sh hackers.

Also, add kernel_ge function which is the opposite of kernel_lt,
and document both.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-12-20 10:07:43 -08:00
Akihiro Suda 7f65cc75c7 script/check-config.sh: check CONFIG_CHECKPOINT_RESTORE
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-12-20 10:07:43 -08:00
Kir Kolyshkin 6aa4c1a13e script/check-config: disable colors
...when the stdout is not a terminal, and also when NO_COLOR environment
variable is set to any non-empty value (as per no-color.org).

Co-authored-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-12-20 10:06:52 -08:00
Kir Kolyshkin b94b559058 scripts/check-config: don't check MEMCG_SWAP on newer kernels
Kernel commit e55b9f96860f (which made its way into Linux v6.1-rc1)
removes CONFIG_MEMCG_SWAP entirely, so there's no sense to check for in
on newer kernels.

Make the check conditional.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-12-19 17:28:32 -08:00
Akihiro Suda 531e29e192 script/lib.sh: set GOARM=5 for armel, GOARM=6 for armhf
"armhf" means ARMv7 for Debian, ARMv6 for Raspbian.
ARMv6 is chosen here for compatibility.

https://wiki.debian.org/RaspberryPi

> Raspberry Pi OS builds a single image for all of the Raspberry families,
> so you will get an armhf 32-bit, hard floating-point system, but built
> for the ARMv6 ISA (with VFP2), unlike Debian's ARMv7 ISA (with VFP3)
> port.

Prior to this commit, the script was setting GOARM=6 for armel,
GOARM=7 for armhf.

Fix issue 4033

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-09-27 05:48:02 +09:00
Aleksa Sarai 321aa20c49 scripts: add proper 386 and amd64 target triples and builds
We need these to match the Makefile detection of the right gcc for
runc-dmz, as well as making sure that everything builds properly for our
cross-i386 tests. While we're at it, add x86 to the list of build
targets for release builds (presumably nobody will use it, but since we
do test builds of this anyway it probably won't hurt).

In addition, clean up the handling of the native architecture build by
treating it the same as any other build (ensuring that building runc
from a different platform will work the same way regardless of the
native architecture). In practice, the build works the same way as
before.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-09-22 15:13:18 +10:00
Kir Kolyshkin cfc801b7ed Fix running tests under Docker/Podman and cgroup v2
For "make integration", the tests are run inside a Docker/Podman
container. Problem is, if cgroup v2 is used, the in-container
/sys/fs/cgroup/cgroup.subtree_control is empty.

The added script, used as Docker entrypoint, moves the current process
into a sub-cgroup, and then adds all controllers in top-level
cgroup.subtree_control.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-08-02 23:00:46 -07:00
Aleksa Sarai cfc3c6da39 scripts: keyring validate: print some more information
Add a little bit more diagnostic information to "make validate-keyring".

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-04-23 13:45:03 +10:00
Aleksa Sarai 22538f896a keyring: verify runc.keyring has legitimate maintainer keys
These checks ensure that all of the keys in the runc.keyring list are
actually the keys of the specified user and that the users themselves
are actually maintainers.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-04-19 13:48:14 +10:00
Aleksa Sarai 957bccfe2f scripts: release: add verification checks for signing keys
We need to make sure the release is being signed by a key that is
actually listed as a trusted signing key, and we also need to ask the
person cutting the release whether the list of trusted keys is
acceptable.

Also add some verification checks after a release is signed to make sure
everything was signed with the correct keys.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-04-19 13:48:14 +10:00
Aleksa Sarai 872149470b release: add runc.keyring file and script
In order to allow any of the maintainers to cut releases for runc,
create a keyring file that distributions can use to verify that releases
are signed by one of the maintainers.

The format matches the gpg-offline format used by openSUSE packaging,
but it can be easily imported with "gpg --import" so any distribution
should be able to handle this keyring format wtihout issues.

Each key includes the GitHub handle of the associated user. There isn't
any way for this information to be automatically verified (outside of
using something like keybase.io) but since all changes of this file need
to be approved by maintainers this is okay for now.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-04-14 01:00:27 +10:00
dharmicksai 29a28848de Add check for CONFIG_CGROUP_BPF in check-config.sh
cgroup v2 requires CONFIG_CGROUP_BPF kernel option to be set
else runc can not start containers.

check-config.sh script checks if the CONFIG_CGROUP_BPF option
is set. The script checks if version of kernel is atleast
4.15 and cgroup v2 is being used before checking if the
CONFIG_CGROUP_BPF option is set.

Closes #3547

Signed-off-by: dharmicksai <dharmicksaik@gmail.com>
2022-09-08 14:28:47 +05:30
Kir Kolyshkin e1d04cdfeb script/seccomp.sh: check tarball sha256
Add checking of downloaded tarball checksum.

In case it doesn't match the hardcoded value, the error is like this:

	libseccomp-2.5.4.tar.gz: FAILED
	sha256sum: WARNING: 1 computed checksum did NOT match

In case the checksum for a particular version is not specified in the
script, the error will look like this:

	./script/seccomp.sh: line 29: SECCOMP_SHA256[${ver}]: unbound variable

In case the the hardcoded value in the file is of wrong format/length,
we'll get:

	sha256sum: 'standard input': no properly formatted SHA256 checksum lines found

In any of these cases, the script aborts (due to set -e).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-25 18:29:07 -07:00
Kir Kolyshkin f7b07fd54c Dockerfile,scripts/release: bump libseccomp to v2.5.4
Release notes: https://github.com/seccomp/libseccomp/releases/tag/v2.5.4

This affects the released static binaries (as they are statically linked
against libseccomp).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-23 12:56:35 -07:00
Kir Kolyshkin a14cc4059d release: add riscv64 binary
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 17:23:45 -07:00
Kir Kolyshkin 5d1ef78cad script/check-config.sh: enable set -u, fix issues
One particularly bad one is ${codes[@]} which is fine in bash 4.4+,
but gives "codes[@]: unbound variable" with older bash versions,
such as with bash 4.2 used on CentOS 6. It's good that this is the only
array in the script that can potentially be empty.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-30 20:47:45 -07:00
Kir Kolyshkin d66498e771 script/check-config.sh: fix remaining shellcheck warnings
... and add this file to shellcheck target in Makefile.

These:

	In script/check-config.sh line 27:
	kernelMinor="${kernelVersion#$kernelMajor.}"
				     ^----------^ SC2295 (info): Expansions inside ${..} need to be quoted separately, otherwise they match as patterns.

	Did you mean:
	kernelMinor="${kernelVersion#"$kernelMajor".}"

	In script/check-config.sh line 103:
		source /etc/os-release 2>/dev/null || /bin/true
		       ^-------------^ SC1091 (info): Not following: /etc/os-release was not specified as input (see shellcheck -x).

	In script/check-config.sh line 267:
		NET_CLS_CGROUP $netprio
			       ^------^ SC2206 (warning): Quote to prevent word splitting/globbing, or split robustly with mapfile or read -a.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-30 20:47:45 -07:00
Kir Kolyshkin baa06227a4 script/check-config.sh: fix SC2166 warnings
Like this one:

	In ./script/check-config.sh line 215:
	if [ "$kernelMajor" -lt 5 ] || [ "$kernelMajor" -eq 5 -a "$kernelMinor" -le 1 ]; then
							      ^-- SC2166 (warning): Prefer [ p ] && [ q ] as [ p -a q ] is not well defined.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-30 20:47:45 -07:00
Kir Kolyshkin dc73d236ea script/check-config.sh: fix wrap_color usage
1. Allow wrap_bad and wrap_good to have an optional arguments.

2. Remove unneeded echos; this fixes the shellcheck warnings like

	In ./script/check-config.sh line 178:
			echo "$(wrap_bad 'cgroup hierarchy' 'nonexistent??')"
                             ^-- SC2005 (style): Useless echo? Instead of 'echo $(cmd)', just use 'cmd'.

3. Fix missing color argument in calls to wrap_color (when printing the
   hint about how to install apparmor).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-30 20:47:45 -07:00
Kir Kolyshkin 6d2067a4bf script/seccomp.sh: fix argc check
This check was always broken, and it slipped through the cracks because
we never run it without additional architectures now.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-12-09 00:59:47 -08:00
Kir Kolyshkin 457ca62f1f script/release_*.sh: fix usage
- release_build: fix -H <hash_cmd> option (was -h)
- release_sign: add -H and -S options

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-12-09 00:59:43 -08:00