Commit Graph

8006 Commits

Author SHA1 Message Date
Curd Becker 536e183451 Replace os.Is* error checking functions with their errors.Is counterpart
Signed-off-by: Curd Becker <me@curd-becker.de>
2025-12-11 03:16:02 +01:00
Kir Kolyshkin 3741f9186d libct/configs: mark MPOL_* constants as deprecated
Alas, these new constants are already in v1.4.0 release so we can't
remove those right away, but we can mark them as deprecated now
and target removal for v1.5.0.

So,
 - mark them as deprecated;
 - redefine via unix.MPOL_* counterparts;
 - fix the validator code to use unix.MPOL_* directly.

This amends commit a0e809a8.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-08 15:36:29 -08:00
Kir Kolyshkin 6ede591761 internal/systemd: simplify
Remove unused code and argument from the ActivationFiles,
and simplify its usage.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-08 15:34:58 -08:00
Kir Kolyshkin ba9e60f7a8 Remove crypto/tls dependency
It appears that when we import github.com/coreos/go-systemd/activation,
it brings in the whole crypto/tls package (which is not used by runc
directly or indirectly), making the runc binary size larger and
potentially creating issues with FIPS compliance.

Let's copy the code of function we use from go-systemd/activation
to avoid that.

The space savings are:

$ size runc.before runc.after
   text	   data	    bss	    dec	    hex	filename
7101084	5049593	 271560	12422237	 bd8c5d	runc.before
6508796	4623281	 229128	11361205	 ad5bb5	runc.after

Reported-by: Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-08 15:31:42 -08:00
lfbzhm e0adafb4ca Merge pull request #5054 from kolyshkin/alma10
Add EL10 to CI
2025-12-05 11:43:58 +08:00
Rodrigo Campos ee8f6b61be Merge pull request #5012 from kolyshkin/criu-dev-ignore-fails
ci: don't fail CI if criu-dev test fails
2025-12-05 04:15:31 +01:00
Kir Kolyshkin 5407cfe4a1 ci: don't fail CI if criu-dev test fails
In view of recent criu-dev failure, let's not fail the
required "all-done" job when criu-dev tests fail.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-05 10:54:00 +08:00
Kir Kolyshkin 4f93f06fb7 ci: add centos-cloud-10 run
Alas there's no almalinux-10 so we use centos-stream-10.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-03 23:16:29 -08:00
Kir Kolyshkin 94167dae29 .cirrus.yml: use dnf not yum
Since we dropped EL7, we can use dnf everywhere.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-03 23:16:29 -08:00
Akihiro Suda 14cc644c33 Merge pull request #5053 from kolyshkin/misc-bumps
Various version bumps (mostly CI)
2025-12-04 08:19:30 +09:00
Kir Kolyshkin 68771cfe51 ci: bump shellcheck to v0.11.0
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-03 10:22:14 -08:00
Kir Kolyshkin 79b97d4642 Use Go 1.25 for official builds
(as well as for testing on Cirrus CI)

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-03 10:22:14 -08:00
Kir Kolyshkin f4710e5023 Bump seccomp to v2.6.0
This version was released almost a year ago.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-03 10:22:14 -08:00
Kir Kolyshkin f128234354 ci: bump bats to 1.12.0
This which is already using in CI on Fedora.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-03 10:22:14 -08:00
Kir Kolyshkin 54d8257ec1 Merge pull request #5052 from cyphar/release-tarball
release: use runc-$version.tar.xz as archive name
2025-12-03 09:13:15 -08:00
Kir Kolyshkin fd185882e5 Merge pull request #5009 from kolyshkin/defer-close-init
Close fds on error
2025-12-02 17:35:12 -08:00
Kir Kolyshkin 93792e6c13 notify_socket: close fds on error
Reported in issue 5008.

Reported-by: Arina Cherednik <arinacherednik034@gmail.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-02 15:15:23 -08:00
Kir Kolyshkin 8a9b4dcda6 libct: mountFd: close mountFile on error
Reported in issue 5008.

Reported-by: Arina Cherednik <arinacherednik034@gmail.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-02 15:15:23 -08:00
Kir Kolyshkin c24965b742 libct: newProcessComm: close fds on error
Reported in issue 5008.

Reported-by: Arina Cherednik <arinacherednik034@gmail.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-02 15:15:23 -08:00
Kir Kolyshkin 88f897160c libct: startInitialization: add defer close
This function calls Init what normally never returns, so the defer only
works if there is an error and we can safely use it to close those fds
we opened. This was done for most but not all fds.

Reported in issue 5008.

Reported-by: Arina Cherednik <arinacherednik034@gmail.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-02 15:15:23 -08:00
Kir Kolyshkin 1f1ff4be06 Merge pull request #5051 from cyphar/libct-utils-deprecated
libct/utils: remove Deprecated functions
2025-12-02 15:06:01 -08:00
Aleksa Sarai 7c8fccd646 release: use runc-$version.tar.xz as archive name
Because we add the runc-$version/ prefix to the archive we generate,
including the version in the name makes it easier for some tools to
operate on as it matches most other projects (for openSUSE we rename the
archive file to this format in order for the automated RPM scripts to
work properly).

Also, when doing several releases at the same time, being able to
double-check that the correct artefact versions were uploaded for each
release can be quite handy.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-30 15:10:36 +11:00
Rodrigo Campos 20a9532fd0 Merge pull request #5049 from cyphar/changelog-update
CHANGELOG: forward-port changelog entries
2025-11-28 08:34:57 -03:00
Akihiro Suda 64c3c8eea6 Merge pull request #4994 from kolyshkin/gofumpt-extra
Enable gofumpt extra rules
2025-11-28 09:30:57 +09:00
Aleksa Sarai a412bd93e9 libct/utils: remove Deprecated functions
These were all marked for deprecation in runc 1.5.0, so remove them now
to make sure we don't forget.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-28 11:11:11 +11:00
Aleksa Sarai bf258ce163 RELEASES: remove <= 1.1.x special casing
Now that runc 1.4.0 has been released, there is no need to single out
1.1.x and earlier as no longer being supported, as latest-2 is now 1.2.x
and thus 1.1.x would no longer be supported even with the new support
model.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-28 11:07:47 +11:00
Aleksa Sarai 0c150f4c3a RELEASES: remove 'draft' section of policy
We have used this release policy for a year and it seems to work well
for everyone and we haven't received much feedback, so it seems
reasonable to say that we are committed to this policy now.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-28 11:06:41 +11:00
Aleksa Sarai 48de3431a1 CHANGELOG: forward-port changelog entries
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-28 11:04:33 +11:00
lfbzhm 52c3a0e794 Merge pull request #4985 from cyphar/hallucinated-paths
pathrs: add "hallucination" helpers for SecureJoin magic
2025-11-26 22:12:59 +08:00
lifubang 15d7c214cd integration: add some tests for bind mount through dangling symlinks
We intentionally broke this in commit d40b3439a9 ("rootfs: switch to
fd-based handling of mountpoint targets") under the assumption that most
users do not need this feature. Sadly it turns out they do, and so
commit 3f925525b4 ("rootfs: re-allow dangling symlinks in mount
targets") added a hotfix to re-add this functionality.

This patch adds some much-needed tests for this behaviour, since it
seems we are going to need to keep this for compatibility reasons (at
least until runc v2...).

Co-developed-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-26 21:04:05 +11:00
Aleksa Sarai 195e9551e4 pathrs: add MkdirAllParentInRoot helper
While CreateInRoot supports hallucinating the target path, we do not use
it directly when constructing device inode targets because we need to
have different handling for mknod and bind-mounts.

The solution is to simply have a more generic MkdirAllParentInRoot
helper that MkdirAll's the parent directory of the target path and then
allows the caller to create the trailing component however they like.
(This can be used by CreateInRoot internally as well!)

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-26 21:04:05 +11:00
Aleksa Sarai cfb74326be pathrs: add "hallucination" helpers for SecureJoin magic
In order to maintain compatibility with previous releases of runc (which
permitted dangling symlinks as path components by permitting
non-existent path components to be treated like real directories) we
have to first do SecureJoin to construct a target path that is
compatible with the old behaviour but has all dangling symlinks (or
other invalid paths like ".." components after non-existent directories)
removed.

This is effectively a more generic verison of commit 3f925525b4
("rootfs: re-allow dangling symlinks in mount targets") and will let us
remove the need for open-coding SecureJoin workarounds.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-26 21:04:05 +11:00
Aleksa Sarai 20c5a8ec4a pathrs: rename MkdirAllInRootOpen -> MkdirAllInRoot
Now that MkdirAllInRoot has been removed, we can make MkdirAllInRootOpen
less wordy by renaming it to MkdirAllInRoot. This is a non-functional
change.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-26 21:04:04 +11:00
Aleksa Sarai 9dbd37e06f libct: switch final WithProcfd users to WithProcfdFile
This probably should've been done as part of commit d40b3439a9
("rootfs: switch to fd-based handling of mountpoint targets") but it
seems I missed them when doing the rest of the conversions.

This also lets us remove utils.WithProcfd entirely, as well as
pathrs.MkdirAllInRoot. Unfortunately, WithProcfd was exposed in the
externally-importable "libcontainer/utils" package and so we need to
have a deprecation notice to remove it in runc 1.5.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-26 21:03:30 +11:00
Aleksa Sarai 42a1e19d67 libcontainer: move CleanPath and StripRoot to internal/pathrs
These helpers will be needed for the compatibility code added in future
patches in this series, but because "internal/pathrs" is imported by
"libcontainer/utils" we need to move them so that we can avoid circular
dependencies.

Because the old functions were in a non-internal package it is possible
some downstreams use them, so add some wrappers but mark them as
deprecated.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-26 21:03:29 +11:00
Akihiro Suda 475473d869 Merge pull request #5026 from lifubang/ci-detect-fdleak-try-best
fix fd leaks and detect them as comprehensively as possible
2025-11-26 08:33:53 +09:00
lfbzhm a7a402a7ea Merge pull request #4928 from kolyshkin/better-init-errors
Better errors from `runc init`
2025-11-22 15:02:52 +08:00
Kir Kolyshkin f944ccecb2 runc create/run/exec: show fatal errors from init
In case early stage of runc init (nsenter) fails for some reason, it
logs error(s) with FATAL log level, via bail().

The runc init log is read by a parent (runc create/run/exec) and is
logged via normal logrus mechanism, which is all fine and dandy, except
when `runc init` fails, we return the error from the parent (which is
usually not too helpful, for example):

	runc run failed: unable to start container process: can't get final child's PID from pipe: EOF

Now, the actual underlying error is from runc init and it was logged
earlier; here's how full runc output looks like:

	FATA[0000] nsexec-1[3247792]: failed to unshare remaining namespaces: No space left on device
	FATA[0000] nsexec-0[3247790]: failed to sync with stage-1: next state
	ERRO[0000] runc run failed: unable to start container process: can't get final child's PID from pipe: EOF

The problem is, upper level runtimes tend to ignore everything except
the last line from runc, and thus error reported by e.g. docker is not
very helpful.

This patch tries to improve the situation by collecting FATAL errors
from runc init and appending those to the error returned (instead of
logging). With it, the above error will look like this:

	ERRO[0000] runc run failed: unable to start container process: can't get final child's PID from pipe: EOF; runc init error(s): nsexec-1[141549]: failed to unshare remaining namespaces: No space left on device; nsexec-0[141547]: failed to sync with stage-1: next state

Yes, it is long and ugly, but at least the upper level runtime will
report it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-22 12:11:20 +07:00
Aleksa Sarai 21ad0e4399 Merge pull request #5037 from opencontainers/dependabot/github_actions/actions/checkout-6
build(deps): bump actions/checkout from 5 to 6
2025-11-21 17:22:16 +11:00
dependabot[bot] 257fb71e45 build(deps): bump actions/checkout from 5 to 6
Bumps [actions/checkout](https://github.com/actions/checkout) from 5 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v5...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-11-21 04:02:45 +00:00
lifubang d8706501cf integration: verify syscall compatibility after seccomp enforcement
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-11-20 19:43:22 +08:00
lifubang 75188fab73 bump github.com/cyphar/filepath-securejoin from 0.6.0 to 0.6.1
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-11-20 19:43:22 +08:00
lifubang 6ac151d69b libct: add a defer fd close in createDeviceNode
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-11-20 19:43:22 +08:00
lifubang 69785c117c libct: always close m.dstFile in mountToRootfs
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-11-20 19:43:22 +08:00
lifubang b209358db3 ci: detect file descriptor leaks as comprehensively as possible
Co-authored-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-11-20 19:43:22 +08:00
lfbzhm 9504c6f2ad Merge pull request #5014 from kolyshkin/fd-leaks-flake
libct/int: TestFdLeaks: deflake
2025-11-20 17:53:40 +08:00
Kir Kolyshkin 5fbc3bb019 libct/int: TestFdLeaks: deflake
Since the recent CVE fixes, TestFdLeaksSystemd sometimes fails:

	=== RUN   TestFdLeaksSystemd
	    exec_test.go:1750: extra fd 9 -> /12224/task/13831/fd
	    exec_test.go:1753: found 1 extra fds after container.Run
	--- FAIL: TestFdLeaksSystemd (0.10s)

It might have been caused by the change to the test code in commit
ff6fe13 ("utils: use safe procfs for /proc/self/fd loop code") -- we are
now opening a file descriptor during the logic to get a list of file
descriptors. If the file descriptor happens to be allocated to a
different number, you'll get an error.

Let's try to filter out the fd used to read a directory.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-20 15:36:14 +08:00
lfbzhm f2aa133feb Merge pull request #5001 from opencontainers/dependabot/go_modules/golang.org/x/net-0.47.0
build(deps): bump golang.org/x/net from 0.46.0 to 0.47.0
2025-11-20 10:16:13 +08:00
dependabot[bot] da4ec2375c build(deps): bump golang.org/x/net from 0.46.0 to 0.47.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.46.0 to 0.47.0.
- [Commits](https://github.com/golang/net/compare/v0.46.0...v0.47.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.47.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-11-20 09:52:34 +08:00
lfbzhm db1b9368e1 Merge pull request #5018 from opencontainers/dependabot/go_modules/github.com/godbus/dbus/v5-5.2.0
build(deps): bump github.com/godbus/dbus/v5 from 5.1.0 to 5.2.0
2025-11-20 09:51:28 +08:00