Akihiro Suda
2b221a6ab7
Merge pull request #3787 from kolyshkin/rec-fixup
...
mountToRootfs: minor refactor
2023-03-28 12:53:38 +09:00
Kir Kolyshkin
3e3db2883b
Merge pull request #3778 from kolyshkin/skip-flaky-ce7
...
libct/cg/dev: skip flaky test of CentOS 7
2023-03-27 13:39:36 -07:00
Kir Kolyshkin
da98076c97
mountToRootfs: minor refactor
...
The setRecAttr is only called for "bind" case, as cases end with a
return statement. Indeed, recursive mount attributes only make sense for
bind mounts.
Move the code to under case "bind" to improve readability. No change in
logic.
Fixes: 382eba4354
Reported-by: Sebastiaan van Stijn <github@gone.nl >
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com >
2023-03-27 12:47:05 -07:00
Akihiro Suda
da5047c5d8
Merge pull request #3781 from yanggangtony/fix-typo
...
fix wrong notes for `const MaxNameLen`
2023-03-26 07:02:40 +09:00
Akihiro Suda
948ef27c7a
Merge pull request #3773 from kolyshkin/no-symlinks
...
Prohibit /proc and /sys to be symlinks
2023-03-25 22:58:27 +09:00
Kir Kolyshkin
a7a836effa
libct/cg/dev: skip flaky test of CentOS 7
...
There is some kind of a race in CentOS 7 which sometimes result in one
of these tests failing like this:
systemd_test.go:136: mkdir /sys/fs/cgroup/hugetlb/system.slice/system-runc_test_pods.slice: no such file or directory
or
systemd_test.go:187: open /sys/fs/cgroup/cpuset/system.slice/system-runc_test_pods.slice/cpuset.mems: no such file or directory
As this is only happening on CentOS 7, let's skip this test on this
platform.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com >
2023-03-22 20:01:39 -07:00
yanggang
65df6b91b9
fix wrong notes for const MaxNameLen
...
Signed-off-by: yanggang <gang.yang@daocloud.io >
2023-03-23 10:31:15 +08:00
Akihiro Suda
efad7a3b80
Merge pull request #3735 from kolyshkin/int-fix-flake
...
libct/int: make TestFdLeaks more robust
2023-03-21 06:15:43 +09:00
Kir Kolyshkin
e67dc399ba
Merge pull request #3739 from AkihiroSuda/fix-acl
...
specconv: avoid mapping "acl" to MS_POSIXACL
2023-03-20 14:15:15 -07:00
Akihiro Suda
f08b4a9c43
Merge pull request #3775 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.30.0
...
build(deps): bump google.golang.org/protobuf from 1.29.1 to 1.30.0
2023-03-18 19:15:44 +09:00
Kir Kolyshkin
0d72adf96d
Prohibit /proc and /sys to be symlinks
...
Commit 3291d66b98 introduced a check for /proc and /sys, making sure
the destination (dest) is a directory (and not e.g. a symlink).
Later, a hunk from commit 0ca91f44f switched from using filepath.Join
to SecureJoin for dest. As SecureJoin follows and resolves symlinks,
the check whether dest is a symlink no longer works.
To fix, do the check without/before using SecureJoin.
Add integration tests to make sure we won't regress.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com >
2023-03-17 11:03:44 -07:00
Kir Kolyshkin
c6624e66b2
Merge pull request #3772 from kolyshkin/retry-unshare
...
nsexec: retry unshare on EINVAL
2023-03-17 09:54:14 -07:00
dependabot[bot]
8f0d0c4dc8
build(deps): bump google.golang.org/protobuf from 1.29.1 to 1.30.0
...
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go ) from 1.29.1 to 1.30.0.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases )
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash )
- [Commits](https://github.com/protocolbuffers/protobuf-go/compare/v1.29.1...v1.30.0 )
---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2023-03-17 05:00:52 +00:00
Kir Kolyshkin
cecb039d24
nsexec: retry unshare on EINVAL
...
Older kernels may return EINVAL on unshare when a process is reading
runc's /proc/$PID/status or /proc/$PID/maps. This was fixed by kernel
commit 12c641ab8270f ("unshare: Unsharing a thread does not require
unsharing a vm") in Linuxt v4.3.
For CentOS 7, the fix was backported to CentOS 7.7 (kernel 3.10.0-1062).
To work around this kernel bug, let's retry on EINVAL a few times.
Reported-by: zzyyzte <zhang.yu58@zte.com.cn >
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com >
2023-03-16 10:45:02 -07:00
Kir Kolyshkin
206008ab9c
Merge pull request #3767 from AkihiroSuda/fix-issue-template-config
...
.github/ISSUE_TEMPLATE/config.yml: fix contact links
2023-03-16 10:41:23 -07:00
Kir Kolyshkin
784f583884
Merge pull request #3771 from opencontainers/dependabot/github_actions/actions/setup-go-4
...
build(deps): bump actions/setup-go from 3 to 4
2023-03-16 10:35:09 -07:00
dependabot[bot]
e3cf217cf1
build(deps): bump actions/setup-go from 3 to 4
...
Bumps [actions/setup-go](https://github.com/actions/setup-go ) from 3 to 4.
- [Release notes](https://github.com/actions/setup-go/releases )
- [Commits](https://github.com/actions/setup-go/compare/v3...v4 )
---
updated-dependencies:
- dependency-name: actions/setup-go
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
2023-03-16 05:11:04 +00:00
Akihiro Suda
b3a68fe77b
Merge pull request #3769 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.29.1
...
build(deps): bump google.golang.org/protobuf from 1.29.0 to 1.29.1
2023-03-16 09:40:59 +09:00
dependabot[bot]
a7046b8387
build(deps): bump google.golang.org/protobuf from 1.29.0 to 1.29.1
...
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go ) from 1.29.0 to 1.29.1.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases )
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash )
- [Commits](https://github.com/protocolbuffers/protobuf-go/compare/v1.29.0...v1.29.1 )
---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
2023-03-15 05:10:21 +00:00
Akihiro Suda
afeffb7ea8
.github/ISSUE_TEMPLATE/config.yml: fix contact links
...
`contact_links` without `about` properties are not shown in
https://github.com/opencontainers/runc/issues/new/choose
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp >
2023-03-10 09:45:41 +09:00
Akihiro Suda
d5be3e2605
Merge pull request #3766 from AkihiroSuda/issue-template
...
Add `.github/ISSUE_TEMPLATE/config.yml`
2023-03-10 09:36:44 +09:00
Kir Kolyshkin
4ec7b90489
Merge pull request #3764 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.29.0
...
build(deps): bump google.golang.org/protobuf from 1.28.1 to 1.29.0
2023-03-09 14:46:39 -08:00
Akihiro Suda
7d940bdf99
Add .github/ISSUE_TEMPLATE/config.yml
...
After merging this PR, the "Report a security vulnerability" button
will appear in "New issue" screen.
Demo: https://github.com/containerd/nerdctl/issues
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp >
2023-03-10 00:03:41 +09:00
dependabot[bot]
6b41f8ed26
build(deps): bump google.golang.org/protobuf from 1.28.1 to 1.29.0
...
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go ) from 1.28.1 to 1.29.0.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases )
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash )
- [Commits](https://github.com/protocolbuffers/protobuf-go/compare/v1.28.1...v1.29.0 )
---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2023-03-09 04:59:44 +00:00
Kir Kolyshkin
6d0261c1ac
Merge pull request #3757 from opencontainers/dependabot/go_modules/golang.org/x/net-0.8.0
...
build(deps): bump golang.org/x/net from 0.7.0 to 0.8.0
2023-03-07 11:00:03 -08:00
dependabot[bot]
6faef164f5
build(deps): bump golang.org/x/net from 0.7.0 to 0.8.0
...
Bumps [golang.org/x/net](https://github.com/golang/net ) from 0.7.0 to 0.8.0.
- [Release notes](https://github.com/golang/net/releases )
- [Commits](https://github.com/golang/net/compare/v0.7.0...v0.8.0 )
---
updated-dependencies:
- dependency-name: golang.org/x/net
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2023-03-06 05:03:16 +00:00
Kir Kolyshkin
69225fa919
Merge pull request #3724 from kinvolk/rata/nsexec-fixes
...
nsexec: Remove bogus kill to stage_2_pid
2023-03-01 15:50:00 -08:00
Kir Kolyshkin
58c192a1be
Merge pull request #3661 from Wang-squirrel/dev1
...
Add support for umask when exec container
2023-02-27 19:33:03 -08:00
Wang-squirrel
7b4c3fc111
Add support for umask when exec container
...
Signed-off-by: WangXiaoSong <wang.xiaosong1@zte.com.cn >
2023-02-23 10:04:47 +08:00
Kir Kolyshkin
f2e71b085d
libct/int: make TestFdLeaks more robust
...
The purpose of this test is to check that there are no extra file
descriptors left open after repeated calls to runContainer. In fact,
the first call to runContainer leaves a few file descriptors opened,
and this is by design.
Previously, this test relied on two things:
1. some other tests were run before it (and thus all such opened-once
file descriptors are already opened);
2. explicitly excluding fd opened to /sys/fs/cgroup.
Now, if we run this test separately, it will fail (because of 1 above).
The same may happen if the tests are run in a random order.
To fix this, add a container run before collection the initial fd list,
so those fds that are opened once are included and won't be reported.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com >
2023-02-22 02:58:47 -08:00
Kir Kolyshkin
be7e03940f
libct/int: wording nits
...
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com >
2023-02-22 02:58:47 -08:00
Kir Kolyshkin
7c75e84e22
libc/int: add/use runContainerOk wrapper
...
This is to de-duplicate the code that checks that err is nil
and that the exit code is zero.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com >
2023-02-22 02:58:47 -08:00
Kir Kolyshkin
5a0642d6fd
Merge pull request #3728 from AITsygunka/3727-bug-fix
...
Fix runc crushes when parsing invalid JSON specification file
2023-02-22 02:57:20 -08:00
Akihiro Suda
71f8b2af5c
Merge pull request #3734 from kinvolk/rata/nsexec-add-debug-log
...
nsexec: Add debug logs to send mount sources
2023-02-22 13:19:06 +09:00
Akihiro Suda
7d4fde26f8
Merge pull request #3716 from AkihiroSuda/spec-v1.1.0-rc.1
...
go:mod: runtime-spec v1.1.0-rc.1; add docs/spec-conformance.md
2023-02-22 09:23:41 +09:00
Andrey Tsygunka
97ea1255ed
Fix runc crushes when parsing invalid JSON
...
Signed-off-by: Andrey Tsygunka <dreamsider@mail.ru >
2023-02-16 15:45:19 +03:00
Kir Kolyshkin
537645fd52
Merge pull request #3747 from opencontainers/dependabot/go_modules/golang.org/x/net-0.7.0
...
build(deps): bump golang.org/x/net from 0.6.0 to 0.7.0
2023-02-15 17:31:13 -08:00
dependabot[bot]
b3b0bde69b
build(deps): bump golang.org/x/net from 0.6.0 to 0.7.0
...
Bumps [golang.org/x/net](https://github.com/golang/net ) from 0.6.0 to 0.7.0.
- [Release notes](https://github.com/golang/net/releases )
- [Commits](https://github.com/golang/net/compare/v0.6.0...v0.7.0 )
---
updated-dependencies:
- dependency-name: golang.org/x/net
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2023-02-15 04:59:08 +00:00
Akihiro Suda
4e3699c74c
Merge pull request #3746 from crazy-max/fix-static-pie
...
Makefile: fix typo in LDFLAGS_STATIC
2023-02-15 11:35:09 +09:00
CrazyMax
2e44a20280
Makefile: fix typo in LDFLAGS_STATIC
...
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com >
2023-02-14 21:27:26 +01:00
Kir Kolyshkin
b199fb2e3f
Merge pull request #3573 from chuanchang/add_tests_for_capabilities
...
tests: add tests for capabilities
2023-02-13 17:49:54 -08:00
Akihiro Suda
514ea70993
Merge pull request #3740 from kinvolk/rata/fix-basename-test
...
tests: Fix weird error on centos-9
2023-02-11 22:52:10 +09:00
Akihiro Suda
92a4ccb84e
specconv: avoid mapping "acl" to MS_POSIXACL
...
From https://github.com/torvalds/linux/commit/caaef1ba8c9ee7a54b53dd8bf4bb7e8658185583 :
> In fact SB_POSIXACL is an internal flag, and accepting MS_POSIXACL on
> the mount(2) interface is possibly a bug.
Fix issue 3738
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp >
2023-02-11 22:50:41 +09:00
Rodrigo Campos
2adeb6f952
nsexec: Remove bogus kill to stage_2_pid
...
stage_2_pid is not yet assigned, so this kills the PID -1, but as
the sane_kill() wrapper is just a nop in that case. Just remove these
calls to kill stage_2_pid before it is cloned/assigned.
I've checked by executing the error paths that no binary is left by mistake.
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com >
2023-02-10 16:07:51 +01:00
Rodrigo Campos
4d0a60ca7f
tests: Fix weird error on centos-9
...
centos-9 unit test sometimes fails with:
=== RUN TestPodSkipDevicesUpdate
systemd_test.go:114: container stderr not empty: basename: missing operand
Try 'basename --help' for more information.
--- FAIL: TestPodSkipDevicesUpdate (0.11s)
I'm not sure why the container output is an error in basename. It seems
likely that the bashrc in that distro is kind of broken. Let's just run
a sleep command and forget about bash.
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com >
2023-02-10 14:49:56 +01:00
Rodrigo Campos
2ca3d230e2
nsexec: Add debug logs to send mount sources
...
I was adding it to new code I was writing, and for completeness I added
to this case too.
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com >
2023-02-10 08:25:08 -03:00
Akihiro Suda
e412b4e88c
docs: add docs/spec-conformance.md
...
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp >
2023-02-10 12:10:18 +09:00
Akihiro Suda
787fcf09e7
go.mod: github.com/opencontainers/runtime-spec v1.1.0-rc.1
...
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp >
2023-02-10 12:10:14 +09:00
Kir Kolyshkin
5c2a1a0191
Merge pull request #3733 from opencontainers/dependabot/go_modules/golang.org/x/net-0.6.0
...
build(deps): bump golang.org/x/net from 0.5.0 to 0.6.0
2023-02-09 18:05:27 -08:00
Kir Kolyshkin
aa21df97d0
Merge pull request #3732 from opencontainers/dependabot/go_modules/github.com/opencontainers/selinux-1.11.0
...
build(deps): bump github.com/opencontainers/selinux from 1.10.2 to 1.11.0
2023-02-09 18:03:54 -08:00