Commit Graph

7526 Commits

Author SHA1 Message Date
Kir Kolyshkin 488fc13e1f VERSION: release 1.3.5
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
v1.3.5
2026-03-17 09:27:57 -07:00
Kir Kolyshkin c5f4a413c2 Merge pull request #5181 from kolyshkin/1.3-go126
[1.3] ci: add go 1.26
2026-03-17 09:25:22 -07:00
Kir Kolyshkin 692817afb2 ci: add go 1.26
Same as commit b9e3eec in release-1.4 branch.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-03-16 14:13:13 -07:00
Aleksa Sarai 9183ee6e5a Merge pull request #5158 from kolyshkin/1.3-5153
[1.3] Revert "Preventing containers from being unable to be deleted"
2026-03-10 20:02:18 +09:00
Kir Kolyshkin 3755b0e48c Revert "Preventing containers from being unable to be deleted"
This fixes random failures to start a container in conmon integration
tests (see issue 5151).

I guess we need to find another way to fix issue 4645.

This reverts commit 1b39997e73.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 5996fe143a)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-03-09 17:26:27 -07:00
Kir Kolyshkin abf41c1f3c Merge pull request #5146 from cyphar/1.3-keyring-fixes
[1.3] keyring fixes
2026-03-04 17:14:54 -08:00
Aleksa Sarai 030e224e7f keyring: update AkihiroSuda's key
This comes from <https://github.com/AkihiroSuda.gpg> and is a valid
update of the key metadata.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 9ad18b1347)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-05 01:15:04 +11:00
Aleksa Sarai ccea037662 keyring: validate: allow maintainers to have no keys
Some maintainers appear to have removed their PGP keys, which causes
"gpg --import" during "make validate-keyring" to fail. The solution is
to switch to a non-fatal warning if no keys were imported.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 936a59b07f)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-05 00:45:51 +11:00
Aleksa Sarai e001bca433 keyring: remove asarai@suse.de key
I no longer work at SUSE and thus this key (and email address) are no
longer associated with me.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit a691486c83)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-05 00:45:51 +11:00
Akihiro Suda ffd5a10d58 Merge pull request #5135 from kolyshkin/1.3-5124
[1.3] tests/int: Disable coredumps for SCMP_ACT_KILL tests
2026-03-01 03:21:35 +09:00
Ricardo Branco d6fd9457e1 tests/int: Disable coredumps for SCMP_ACT_KILL tests
SCMP_ACT_KILL terminates the process with a fatal signal, which may
produce a core dump depending on the host configuration.

While this is harmless on ephemeral CI instances, it can leave unwanted
core files on developer or customer systems. It also interferes with
test environments that detect unexpected core dumps.

Signed-off-by: Ricardo Branco <rbranco@suse.de>
(cherry picked from commit f18e97d312)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-26 18:38:01 -08:00
Aleksa Sarai 1566d1d0e0 merge #5126 into opencontainers/runc:release-1.3
Kir Kolyshkin (1):
  ci: update policycoreutils for CentOS 10

LGTMS: AkihiroSuda cyphar
2026-02-26 17:39:09 +11:00
Kir Kolyshkin 72b10af772 ci: update policycoreutils for CentOS 10
When container-selinux 4:2.246.0-1.el10 is installed, it produces the
following %post script warnings:

> ...
>   Running scriptlet: container-selinux-4:2.246.0-1.el10.noarch            26/37
>   Installing       : container-selinux-4:2.246.0-1.el10.noarch            26/37
>   Running scriptlet: container-selinux-4:2.246.0-1.el10.noarch            26/37
> libsemanage.semanage_pipe_data: Child process /usr/libexec/selinux/hll/pp failed with code: 255. (No data available).
> libsemanage.semanage_compile_module: container: libsepol.policydb_read: policydb module version 24 does not match my version range 4-23.
> libsemanage.semanage_compile_module: container: libsepol.sepol_module_package_read: invalid module in module package (at section 0).
> libsemanage.semanage_compile_module: container: libsepol.sepol_ppfile_to_module_package: Failed to read policy package.
> libsemanage.semanage_direct_commit: Failed to compile hll files into cil files. (No data available).
> semodule:  Failed!
> ...

For some reason, dnf install still succeeds, but when the selinux tests
fail with:

> chcon: failed to change context of '/tmp/bats-run-3MMyYP/runc.szTqBc/bundle/runc' to ‘system_u:object_r:container_runtime_exec_t:s0’: Invalid argument

All this is fixed once policycoreutils is added to the list of RPMS so
it is updated (from 3.9-3.el10 to 3.10-1.el10) during the same
transaction.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 3235c5a90a)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-25 13:46:12 -08:00
Aleksa Sarai 20f15488eb merge #5115 into opencontainers/runc:release-1.3
Li Fubang (1):
  libct/specconv: fix partial clear of atime mount flags

LGTMs: rata cyphar
2026-02-12 03:29:07 +11:00
lifubang bb7d09e63e libct/specconv: fix partial clear of atime mount flags
When parsing mount options into recAttrSet and recAttrClr,
the code sets attr_clr to individual atime flags (e.g.
MOUNT_ATTR_NOATIME or MOUNT_ATTR_STRICTATIME) when clearing
atime attributes. However, this violates the kernel's
requirement documented in mount_setattr(2)[1]:

> Note that, since the access-time values are an enumeration
> rather than bit values, a caller wanting to transition to a
> different access-time setting cannot simply specify the
> access-time setting in attr_set, but must also include
> MOUNT_ATTR__ATIME in the attr_clr field.  The kernel will
> verify that MOUNT_ATTR__ATIME isn't partially set in
> attr_clr (i.e., either all bits in the MOUNT_ATTR__ATIME
> bit field are either set or clear), and that attr_set
> doesn't have any access-time bits set if MOUNT_ATTR__ATIME
> isn't set in attr_clr.

Passing only a single atime flag (e.g. MOUNT_ATTR_RELATIME) in
attr_clr causes mount_setattr() to fail with EINVAL.

This change ensures that whenever an atime mode is updated,
attr_clr includes MOUNT_ATTR__ATIME to properly reset the
entire access-time attribute field before applying the new mode.

[1] https://man7.org/linux/man-pages/man2/mount_setattr.2.html

Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit 5560d55bfd)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2026-02-11 10:18:18 +00:00
Rodrigo Campos Catelin e669727247 Merge pull request #5111 from kolyshkin/1.3-backports
[1.3] misc backports + Go 1.24->1.25
2026-02-11 11:03:26 +01:00
Kir Kolyshkin 2d035157f1 [1.3] ci: remove Go 1.24.x, add 1.25.x
Go 1.24 is no longer supported, and Go 1.25 (which we use in Dockerfile
for official binaries) is not being tested against.

So remove Go 1.24.x and add Go 1.25.x.

We keep Go 1.23.x is this is a minimally required version for this
branch.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-10 14:31:04 -08:00
Kir Kolyshkin 551ed37e5a ci: bump shellcheck to v0.11.0
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 68771cfe51)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-10 14:17:32 -08:00
Kir Kolyshkin 4bce3cc13c Use Go 1.25 for official builds
(as well as for testing on Cirrus CI)

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 79b97d4642)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-10 14:17:32 -08:00
Kir Kolyshkin 7162479052 Bump seccomp to v2.6.0
This version was released almost a year ago.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit f4710e5023)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-10 14:17:24 -08:00
Kir Kolyshkin 3808341ef4 ci: bump bats to 1.12.0
This which is already using in CI on Fedora.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit f128234354)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-10 14:17:24 -08:00
Kir Kolyshkin f6ad11b287 ci: show criu version in criu-dev testing
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 2a7ce15e68)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-10 14:15:40 -08:00
Kir Kolyshkin 09c5eeea73 ci: bump bats to 1.11.1
Bump bats to the version from Fedora 42 (used in "fedora" job), so we
have the same version everywhere.

This also fixes an issue introduced by commit d31e6b87 (which forgot to
bump bats in GHA CI), and adds a note to the yaml in order to avoid the
same issue in the future.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 6af1d637ba)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-10 14:15:34 -08:00
Aleksa Sarai 478edba3b8 merge #5044 into opencontainers/runc:release-1.3
Li Fu Bang (2):
  VERSION: back to development
  VERSION: release 1.3.4

LGTMs: rata cyphar
2025-11-28 10:34:01 +11:00
lifubang 13cc7e92cf VERSION: back to development
Signed-off-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-28 02:58:07 +11:00
lifubang d6d73eb8c6 VERSION: release 1.3.4
Signed-off-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
v1.3.4
2025-11-28 02:58:07 +11:00
Kir Kolyshkin 2e68e04979 Merge pull request #5042 from lifubang/backport-5014-fd-leaks-flake-1.3
[1.3] libct/int: TestFdLeaks: deflake
2025-11-26 17:57:56 -08:00
Kir Kolyshkin e1a6adc946 libct/int: TestFdLeaks: deflake
Since the recent CVE fixes, TestFdLeaksSystemd sometimes fails:

	=== RUN   TestFdLeaksSystemd
	    exec_test.go:1750: extra fd 9 -> /12224/task/13831/fd
	    exec_test.go:1753: found 1 extra fds after container.Run
	--- FAIL: TestFdLeaksSystemd (0.10s)

It might have been caused by the change to the test code in commit
ff6fe13 ("utils: use safe procfs for /proc/self/fd loop code") -- we are
now opening a file descriptor during the logic to get a list of file
descriptors. If the file descriptor happens to be allocated to a
different number, you'll get an error.

Let's try to filter out the fd used to read a directory.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 5fbc3bb019)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-11-26 14:14:27 +00:00
Akihiro Suda cef8c323d0 Merge pull request #5028 from lifubang/ci-detect-fdleak-try-best-1.3
[1.3] fix fd leaks and detect them as comprehensively as possible
2025-11-26 12:48:12 +09:00
lifubang ebea1f8553 integration: verify syscall compatibility after seccomp enforcement
Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit d8706501cf)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-11-20 11:52:48 +00:00
lifubang 34e84588af downgrade github.com/cyphar/filepath-securejoin from v0.6.0 to v0.5.2
The dependency was initially slated for an upgrade from v0.6.0 to v0.6.1
to address an fd leak. However, due to compatibility constraints, we
instead downgrade to v0.5, using v0.5.2 which includes a backported fix
for the same issue.

Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-11-20 11:52:35 +00:00
lifubang ae8839acc2 bump github.com/opencontainers/s
elinux from v1.13.0 to v1.13.1

Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-11-20 11:52:35 +00:00
lifubang 52192a8e24 libct: add a defer fd close in createDeviceNode
Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit 9a5e6262f0bf4e3e654b1a0d71bb804093948f85)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-11-20 11:52:35 +00:00
lifubang 98dc593f13 libct: always close m.dstFile in mountToRootfs
Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit e0272886047915899ec06e06665723fc453d3cbf)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-11-20 11:52:35 +00:00
lifubang 167fa3f8e7 ci: detect file descriptor leaks as comprehensively as possible
Co-authored-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit ba7f46d7119dc4bf57e2a13017333d1980494ea9)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-11-20 11:52:35 +00:00
lfbzhm 769fc75893 Merge pull request #4999 from kolyshkin/1.3-check-go
[1.3] check/bump go version in Dockerfile
2025-11-20 17:51:06 +08:00
Kir Kolyshkin 7a5a90e807 Use Go 1.24.x for release binaries
Since Go 1.23 is no longer supported, we should not use it.
Go 1.23 is still supported and is probably the best bet for
the release-1.2 branch.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-20 15:24:46 +08:00
Kir Kolyshkin 99cc7bcb48 ci: add checking Go version from Dockerfile
This is to ensure that Go version in Dockerfile (which is used to build
release binaries) is:
 - currently supported;
 - used in CI tests.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit df4acc8867)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-20 15:24:46 +08:00
Kir Kolyshkin 4b76986b98 ci: faster git clone
For some reason, some jobs in .github/workflows/validate.yml
have "fetch-depth: 0" argument to actions/checkout, meaning
"all history for all branches and tags". Obviously this is
not needed here.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit e0b00171eb0f338cf024760019abdd4e7dec690f)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 0200ccb53d9265c43f203fb98a9862407835eb23)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-20 15:24:46 +08:00
dependabot[bot] 59a7a5270c build(deps): bump actions/checkout from 4 to 5
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 5.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit cfb22c9a0f)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-20 15:24:46 +08:00
lfbzhm b1be4553c4 Merge pull request #5031 from cyphar/1.3-5017-ci-pin-parent-cgroup
[1.3] ci: ensure the cgroup parent always exists for rootless
2025-11-20 09:14:16 +08:00
lifubang 9ddb71d163 ci: ensure the cgroup(v1) parent always exists for rootless
On some systems (e.g., AlmaLinux 8), systemd automatically removes cgroup paths
when they become empty (i.e., contain no processes). To prevent this, we spawn
a dummy process to pin the cgroup in place.
Fix: https://github.com/opencontainers/runc/issues/5003

Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit bba7647d09)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-20 03:28:40 +11:00
Aleksa Sarai d30192b5b0 Merge pull request #4996 from kolyshkin/1.3-4970
[1.3] disable golangci-lint cache
2025-11-11 15:05:25 +11:00
lfbzhm c8787a6c5c Merge pull request #4975 from cyphar/1.3-tmpfs-mode
[1.3] rootfs: only set mode= for tmpfs mount if target already existed
2025-11-11 09:28:04 +08:00
lfbzhm c5656667e4 Merge pull request #4979 from cyphar/1.3-selinux-1.13
[1.3] deps: update to github.com/opencontainers/selinux@v0.13.0
2025-11-11 09:23:43 +08:00
dependabot[bot] 612d46ea37 build(deps): bump golangci/golangci-lint-action from 8 to 9
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 8 to 9.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/v8...v9)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-version: '9'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit c0db4632d2)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-10 15:53:25 -08:00
dependabot[bot] 1a40cc91a9 build(deps): bump golangci/golangci-lint-action from 7 to 8
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 7 to 8.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/v7...v8)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-version: '8'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit c1958d8844)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-10 15:53:21 -08:00
Kir Kolyshkin be6ea0662f ci: bump golangci-lint to v2.6
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 49780ce734)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-10 15:52:32 -08:00
Kir Kolyshkin f17a5e1515 ci: disable golangci-lint cache
This will result in slower runs but we are having issues with
golangci-lint (false positives) that are most probably related
to caching.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 96dfa9de54)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-10 15:52:14 -08:00
Aleksa Sarai daf9664eb4 rootfs: only set mode= for tmpfs mount if target already existed
This was always the intended behaviour but commit 72fbb34f50 ("rootfs:
switch to fd-based handling of mountpoint targets") regressed it when
adding a mechanism to create a file handle to the target if it didn't
already exist (causing the later stat to always succeed).

A lot of people depend on this functionality, so add some tests to make
sure we don't break it in the future.

Fixes: 72fbb34f50 ("rootfs: switch to fd-based handling of mountpoint targets")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 9a9719eeb4)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-11 03:11:53 +11:00