Commit Graph

6160 Commits

Author SHA1 Message Date
wineway d160116055 libct: use unix.Getwd instead of os.Getwd to avoid symlink
Signed-off-by: wineway <wangyuweihx@gmail.com>
2022-05-11 17:25:34 -07:00
wineway cab3888575 go.mod: golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5
to include https://go-review.googlesource.com/c/sys/+/387194 which ensured unix::Getwd returned path is absolute

Signed-off-by: wineway <wangyuweihx@gmail.com>
2022-05-11 17:25:34 -07:00
Kir Kolyshkin a14cc4059d release: add riscv64 binary
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 17:23:45 -07:00
Akihiro Suda 1d7b297128 libct/seccomp: add riscv64
Co-authored-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 17:23:45 -07:00
Kir Kolyshkin dafcacb522 Makefile: set CGO_ENABLED=1 when needed
It doesn't matter whether static or dynamic linking is used, runc
always needs libcontainer/nsenter, which is written in C and thus
requires cgo. Same is true for libcontainer/integration.

In addition, contrib/pkg/seccompagent also needs cgo (if seccomp build
tag is set), as it need to be linked against libseccomp C library.

By default, cgo is disabled when cross-compiling, meaning that
CGO_ENABLED=1 has to be set explicitly in such cases.

In all other cases (e.g. other contrib binaries) we do not need cgo.

Remove CGO_ENABLED=1 from GO_BUILD_STATIC (as it does not have anything
to do with static linking), and add it to all targets that require it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 17:23:45 -07:00
Kir Kolyshkin 21e32d47d3 Makefile: add support for static PIE
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 17:23:45 -07:00
Kir Kolyshkin ab5c60d02f Makefile: fix GO_BUILDMODE setting
1. Set to empty value by default.

2. Assume Linux (remove GOOS check, since we do not support other OSes).

3. Instead of using a "not-supported" list, use a "supported" list
   (as Go release notes usually say which platforms are supported).
   As of today, -buildmode=pie is supported for:

 * linux/386, linux/amd64, linux/arm, linux/arm64, and linux/ppc64le
   (since Go 1.6, see https://tip.golang.org/doc/go1.6#compiler)

 * linux/s390x (since Go 1.7, which adds the initial port)

 * linux/riscv64 (since Go 1.16, see
   https://tip.golang.org/doc/go1.16#riscv)

   NOTE this does not mean we support these architectures; it is merely
   a way to see if -buildmode=pie can be used.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 17:23:45 -07:00
Kir Kolyshkin f2f6e59937 Makefile: add LDFLAGS_COMMON and LDFLAGS_STATIC
LDFLAGS_COMMON are used from two places, so it makes sense to dedup.

LDFLAGS_STATIC is a preparation for the next commit.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 17:23:45 -07:00
Kir Kolyshkin f0f1b5f969 Dockerfile: don't use crossbuild-essential-*
All we need is gcc, libc-dev, and binutils. In addition to that,
crossbuild-essential installs g++, libstdc++-dev, and a bunch of perl
packages and libraries which we do not need.

This should speed up image building, as well as make it smaller.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 17:23:45 -07:00
Kir Kolyshkin 476aa18abe Dockerfile: rm dpkg --add-architecture lines
Dockerfile used to install libseccomp-dev packages for different
architectures. This is no longer true since commit f30244ee1b, which
changed to cross-compiling libseccomp (so we can get a static library
to link against).

Thus, adding extra architectures is no longer needed.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 17:23:45 -07:00
Kir Kolyshkin d542ad65ba Dockerfile: nit
We do not use all the files from scripts, only seccomp.sh and lib.sh.

This prevents unneeded rebuild of the image if e.g.
scripts/release_build.sh has changed.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 17:23:45 -07:00
Akihiro Suda 2661d59287 Merge pull request #3471 from kolyshkin/fix-fedora-ci-git
Vagrantfile.fedora: fix build wrt new git
2022-05-12 09:05:58 +09:00
Aleksa Sarai d04de3a9b7 Merge pull request from GHSA-f3fp-gc8g-vw66
runc: do not set inheritable capabilities
2022-05-12 08:15:42 +10:00
Kir Kolyshkin 98fe566c52 runc: do not set inheritable capabilities
Do not set inheritable capabilities in runc spec, runc exec --cap,
and in libcontainer integration tests.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-12 08:14:50 +10:00
Kir Kolyshkin 009e627cb0 Vagrantfile.fedora: fix build wrt new git
With the updated git in Fedora 35, we can't build it via sudo:

	ssh default 'sudo -i make -C /vagrant localunittest'
	make: Entering directory '/vagrant'
	fatal: unsafe repository ('/vagrant' is owned by someone else)
	To add an exception for this directory, call:

		git config --global --add safe.directory /vagrant
	go build -trimpath "-buildmode=pie"  -tags "seccomp" -ldflags "-X main.gitCommit= -X main.version=1.1.0+dev " -o runc .
	error obtaining VCS status: exit status 128
		Use -buildvcs=false to disable VCS stamping.
	make: Leaving directory '/vagrant'

This commit should fix this.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 15:03:32 -07:00
Sebastiaan van Stijn 94105ca31d Merge pull request #3468 from kolyshkin/no-tun
Remove tun/tap from the default device rules
2022-05-11 00:28:55 +02:00
Akihiro Suda 33946701db Merge pull request #3469 from kolyshkin/fix-ci-typo
tests/int: fix a bad typo
2022-05-07 15:25:27 +09:00
Kir Kolyshkin 4d3e52f207 tests/int: fix a bad typo
As a result, cgroup v1 only tests are being skipped.

Fixes: a2123baf63
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-06 13:46:21 -07:00
Sebastiaan van Stijn aac018175e Merge pull request #3369 from kolyshkin/more-tests-nits
tests/int: nits and cleanups
2022-05-06 13:22:11 +02:00
Kir Kolyshkin 2ce40b6ad7 Remove tun/tap from the default device rules
Looking through git blame, this was added by commit 9fac18329
aka "Initial commit of runc binary", most probably by mistake.

Obviously, a container should not have access to tun/tap device, unless
it is explicitly specified in configuration.

Now, removing this might create a compatibility issue, but I see no
other choice.

Aside from the obvious misconfiguration, this should also fix the
annoying

> Apr 26 03:46:56 foo.bar systemd[1]: Couldn't stat device /dev/char/10:200: No such file or directory

messages from systemd on every container start, when runc uses systemd
cgroup driver, and the system runs an old (< v240) version of systemd
(the message was presumably eliminated by [1]).

[1] https://github.com/systemd/systemd/pull/10996/commits/d5aecba6e0b7c73657c4cf544ce57289115098e7

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-04 15:38:58 -07:00
Sebastiaan van Stijn da6f3b06e2 Merge pull request #3465 from crazy-max/update-libseccomp
vendor: bump seccomp/libseccomp-golang to f33da4d
2022-05-04 21:00:17 +02:00
Kir Kolyshkin 68427f33d0 libct/seccomp/config: add missing KillThread, KillProcess
OCI spec added SCMP_ACT_KILL_THREAD and SCMP_ACT_KILL_PROCESS almost two
years ago ([1], [2]), but runc support was half-finished [3].

Add these actions, and modify the test case to check them.

In addition, "runc features" now lists the new actions.

[1] https://github.com/opencontainers/runtime-spec/pull/1044
[2] https://github.com/opencontainers/runtime-spec/pull/1064
[3] https://github.com/opencontainers/runc/pulls/3204

Fixes: 4a4d4f109b
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit e74fdeb88a)
2022-05-04 16:22:09 +02:00
CrazyMax df2bc1380e vendor: bump seccomp/libseccomp-golang to f33da4d
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-05-03 13:15:02 +02:00
CrazyMax 29a56b5206 fix deprecated ActKill
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-05-03 13:15:01 +02:00
Mrunal Patel 48464417f4 Merge pull request #3461 from kolyshkin/bump-urfave-cli
vendor: bump urfave/cli to v1.22.6
2022-04-25 16:06:37 -07:00
Sebastiaan van Stijn 255fe4099e Merge pull request #3445 from kolyshkin/gha-ro
ci/gha: limit jobs permissions
2022-04-22 20:44:37 +02:00
Sebastiaan van Stijn 062fc87995 Merge pull request #3451 from dsouzai/ns_last_pid
Allow mounting of /proc/sys/kernel/ns_last_pid
2022-04-22 20:41:58 +02:00
Kir Kolyshkin 9c710564fd vendor: bump urfave/cli to v1.22.6
This finally fixes the regression of not allowing -1 as an argument,
which is reported in https://github.com/urfave/cli/pull/1135.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-04-21 19:36:49 -07:00
Sebastiaan van Stijn 238717ddd3 Merge pull request #3457 from kolyshkin/ci-merge-lint-extra
ci/gha: convert lint-extra from a job to a step
2022-04-14 13:42:40 +02:00
Sebastiaan van Stijn 727aa42fd7 Merge pull request #3378 from kolyshkin/ci-verify-more
shellcheck/shfmt more files; run check-config in CI
2022-04-14 13:39:29 +02:00
Kir Kolyshkin 4642d5282e Merge pull request #3458 from opencontainers/dependabot/github_actions/actions/cache-3.0.2
build(deps): bump actions/cache from 3.0.1 to 3.0.2
2022-04-13 22:35:00 -07:00
Kir Kolyshkin fa83a17c57 ci/gha: convert lint-extra from a job to a step
There is no need to parallelize lint and lint-extra jobs,
and they only differ with the arguments to golangci-lint.
Given that the longest time spent in these jobs is installing
libseccomp-dev, and that the second linter run can probably
benefit a lot from caching, it makes sense to merge them.

Move lint-extra from a separate job to a step in lint job.

The implementation is motivated by [1] and relies on the fact
that the last commit being fetched is the merge commit. So,
we need to set fetch-depth to 2 to be able to see the diff of
the merge commit -- and this is what golangci-lint is using.

[1] https://github.com/golangci/golangci-lint-action/issues/449#issuecomment-1096995821

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-04-13 20:20:15 -07:00
Akihiro Suda b6e337ac93 Merge pull request #3459 from opencontainers/dependabot/go_modules/github.com/moby/sys/mountinfo-0.6.1
build(deps): bump github.com/moby/sys/mountinfo from 0.6.0 to 0.6.1
2022-04-13 16:05:56 +09:00
dependabot[bot] de25777a4b build(deps): bump github.com/moby/sys/mountinfo from 0.6.0 to 0.6.1
Bumps [github.com/moby/sys/mountinfo](https://github.com/moby/sys) from 0.6.0 to 0.6.1.
- [Release notes](https://github.com/moby/sys/releases)
- [Commits](https://github.com/moby/sys/compare/signal/v0.6.0...mountinfo/v0.6.1)

---
updated-dependencies:
- dependency-name: github.com/moby/sys/mountinfo
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-13 04:17:00 +00:00
Kir Kolyshkin 98d3b5a495 Merge pull request #3455 from opencontainers/dependabot/github_actions/actions/upload-artifact-3
build(deps): bump actions/upload-artifact from 2 to 3
2022-04-12 14:31:53 -07:00
Sebastiaan van Stijn 66d12b5a0b Merge pull request #3456 from kolyshkin/ci-rm-stable
ci/gha: remove stable: when installing Go
2022-04-12 09:28:18 +02:00
dependabot[bot] d73579cabc build(deps): bump actions/cache from 3.0.1 to 3.0.2
Bumps [actions/cache](https://github.com/actions/cache) from 3.0.1 to 3.0.2.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3.0.1...v3.0.2)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-12 06:35:18 +00:00
Kir Kolyshkin 66be704d02 ci/gha: remove stable: when installing Go
Since the recent bump of actions/setup-go to v3 (commit
9d2268b9db), specifying "stable:" is no longer needed
when we want to try a beta or rc version of Go.

Remove it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-04-11 17:14:13 -07:00
Sebastiaan van Stijn 36585a8f0a Merge pull request #3454 from opencontainers/dependabot/github_actions/actions/setup-go-3
build(deps): bump actions/setup-go from 2 to 3
2022-04-12 00:01:17 +02:00
dependabot[bot] b6eb94762a build(deps): bump actions/upload-artifact from 2 to 3
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 2 to 3.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-11 04:16:44 +00:00
dependabot[bot] 9d2268b9db build(deps): bump actions/setup-go from 2 to 3
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 2 to 3.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-11 04:16:41 +00:00
Irwin D'Souza b76b6b9338 Allow mounting of /proc/sys/kernel/ns_last_pid
The CAP_CHECKPOINT_RESTORE linux capability provides the ability to
update /proc/sys/kernel/ns_last_pid. However, because this file is under
/proc, and by default both K8s and CRI-O specify that /proc/sys should
be mounted as Read-Only, by default even with the capability specified,
a process will not be able to write to ns_last_pid.

To get around this, a pod author can specify a volume mount and a
hostpath to bind-mount /proc/sys/kernel/ns_last_pid. However, runc does
not allow specifying mounts under /proc.

This commit adds /proc/sys/kernel/ns_last_pid to the validProcMounts
string array to enable a pod author to mount ns_last_pid as read-write.
The default remains unchanged; unless explicitly requested as a volume
mount, ns_last_pid will remain read-only regardless of whether or not
CAP_CHECKPOINT_RESTORE is specified.

Signed-off-by: Irwin D'Souza <dsouzai.gh@gmail.com>
2022-04-07 14:08:59 -04:00
Kir Kolyshkin 67e06706ef ci/gha: limit jobs permissions
Most jobs only require to read the repo. Some require to read PRs as
well.

For details, see
https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions

Reported-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-04-06 14:25:22 -07:00
Kir Kolyshkin b802def2f6 Merge pull request #3444 from opencontainers/dependabot/github_actions/actions/cache-3.0.1
build(deps): bump actions/cache from 2 to 3.0.1
2022-03-31 09:36:24 -07:00
dependabot[bot] 7260bae675 build(deps): bump actions/cache from 2 to 3.0.1
Bumps [actions/cache](https://github.com/actions/cache) from 2 to 3.0.1.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v2...v3.0.1)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-31 04:15:06 +00:00
Kir Kolyshkin ae6cb653f4 man/*sh: fix shellcheck warnings, add to shellcheck
Now the only remaining file that needs shellcheck warnings to be fixed
is bash-completion. Note that in Makefile's TODO.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-30 20:47:45 -07:00
Kir Kolyshkin cacc823724 ci: add call to check-config.sh
This is done to make sure the script is working correctly in different
environments (distro and kernel versions). In addition, we can see in
test logs which kernel features are enabled.

Note that I didn't want to have a separate job for GHA CI, so I just
added this to the end of shellcheck one.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-30 20:47:45 -07:00
Kir Kolyshkin 5d1ef78cad script/check-config.sh: enable set -u, fix issues
One particularly bad one is ${codes[@]} which is fine in bash 4.4+,
but gives "codes[@]: unbound variable" with older bash versions,
such as with bash 4.2 used on CentOS 6. It's good that this is the only
array in the script that can potentially be empty.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-30 20:47:45 -07:00
Kir Kolyshkin d66498e771 script/check-config.sh: fix remaining shellcheck warnings
... and add this file to shellcheck target in Makefile.

These:

	In script/check-config.sh line 27:
	kernelMinor="${kernelVersion#$kernelMajor.}"
				     ^----------^ SC2295 (info): Expansions inside ${..} need to be quoted separately, otherwise they match as patterns.

	Did you mean:
	kernelMinor="${kernelVersion#"$kernelMajor".}"

	In script/check-config.sh line 103:
		source /etc/os-release 2>/dev/null || /bin/true
		       ^-------------^ SC1091 (info): Not following: /etc/os-release was not specified as input (see shellcheck -x).

	In script/check-config.sh line 267:
		NET_CLS_CGROUP $netprio
			       ^------^ SC2206 (warning): Quote to prevent word splitting/globbing, or split robustly with mapfile or read -a.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-30 20:47:45 -07:00
Kir Kolyshkin baa06227a4 script/check-config.sh: fix SC2166 warnings
Like this one:

	In ./script/check-config.sh line 215:
	if [ "$kernelMajor" -lt 5 ] || [ "$kernelMajor" -eq 5 -a "$kernelMinor" -le 1 ]; then
							      ^-- SC2166 (warning): Prefer [ p ] && [ q ] as [ p -a q ] is not well defined.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-30 20:47:45 -07:00