Commit Graph

7139 Commits

Author SHA1 Message Date
Kir Kolyshkin 59923ef18c VERSION: release v1.2.5
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
v1.2.5
2025-02-13 14:58:49 -08:00
Aleksa Sarai 165b1035de release: explicitly set --keyserver in release signing scripts
On my machine, the --recv-keys steps to get upstream keys started
producing errors recently, and even setting a default keyserver in the
global gpg configuration doesn't seem to help:

  + gpg --homedir=/tmp/runc-sign-tmpkeyring.qm0IP6
        --no-default-keyring --keyring=seccomp.keyring
        --recv-keys 0x47A68FCE37C7D7024FD65E11356CE62C2B524099
  gpg: keybox '/tmp/runc-sign-tmpkeyring.qm0IP6/seccomp.keyring' created
  gpg: keyserver receive failed: No keyserver available

So just explicitly specify a reputable keyserver. Ideally we would use
an .onion-address keyserver to avoid potential targeted attacks but not
everybody runs a Tor proxy on their machine.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 26cfe14231)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-13 14:58:28 -08:00
Kir Kolyshkin 66c6d08ba9 Merge pull request #4632 from lifubang/1.2-bump-xnet-to-0.33.0
[1.2] build(deps): bump golang.org/x/net from 0.24.0 to 0.33.0
2025-02-13 14:38:37 -08:00
lifubang 615240a870 build(deps): bump golang.org/x/net from 0.24.0 to 0.33.0
There is a security patch for CVE-2024-45338 in this version.
Ref: https://github.com/advisories/GHSA-w32m-9786-jp63

Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-02-13 04:27:31 +00:00
Akihiro Suda d0ed7f7ae6 Merge pull request #4619 from kolyshkin/1.2-4616
[1.2] libc/int/userns: add build tag to C file
2025-02-07 13:34:05 +09:00
Akihiro Suda 6635338757 Merge pull request #4615 from kolyshkin/1.2-4612
[1.2] libct/cg/sd: set the DeviceAllow property before DevicePolicy
2025-02-07 13:33:48 +09:00
Brad Davidson 04468c038d libc/int/userns: add build tag to C file
This fixes k3s cross-compilation on Windows, broken by commit
1912d5988b ("*: actually support joining a userns with a new
container").

[@kolyshkin: commit message]

Fixes: 1912d5988b
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit ccb589bd7d)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-06 19:10:39 -08:00
Kir Kolyshkin 9742b6cf10 libct/cg/sd: set the DeviceAllow property before DevicePolicy
Every unit created by runc need daemon reload since systemd v230.
This breaks support for NVIDIA GPUs, see
https://github.com/opencontainers/runc/issues/3708#issuecomment-2216967210

A workaround is to set DeviceAllow before DevicePolicy.

Also:
 - add a test case (which fails before the fix) by @kolyshkin
 - better explain why we need empty DeviceAllow (by @cyphar)

Fixes 4568.

Reported-by: Jian Wen <wenjianhn@gmail.com>
Co-authored-by: Jian Wen <wenjianhn@gmail.com>
Co-authored-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit d84388ae10)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-05 12:18:12 -08:00
Rodrigo Campos de92f4b40d Merge pull request #4608 from kolyshkin/1.2-4590
[1.2] deps: update to github.com/cyphar/filepath-securejoin@v0.4.1
2025-02-05 09:01:31 -03:00
Aleksa Sarai 00f4a5cc4f deps: update to github.com/cyphar/filepath-securejoin@v0.4.1
This release includes a minor breaking API change that requires us to
rework the types of our wrappers, but there is no practical behaviour
change.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 70e500e7d1)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-05 22:05:15 +11:00
Aleksa Sarai 456d770f22 merge #4611 into opencontainers/runc:release-1.2
Kir Kolyshkin (1):
  CI: fix criu-dev compile

LGTMs: rata cyphar
2025-02-05 22:04:29 +11:00
Kir Kolyshkin bb445c1933 CI: fix criu-dev compile
As of [1], criu requires uuid library.

[1]: https://github.com/checkpoint-restore/criu/pull/2550/commits/9a2b7d6b3baa2b3183489ed9cebece039f9f488f

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit f414b5349a)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-04 16:25:19 -08:00
Aleksa Sarai 2a424616f0 merge #4581 into opencontainers/runc:release-1.2
Aleksa Sarai (2):
  VERSION: back to development
  VERSION: release v1.2.4

LGTMs: lifubang kolyshkin
2025-01-07 17:29:02 +11:00
Aleksa Sarai 48ea727898 VERSION: back to development
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-01-07 10:20:22 +11:00
Aleksa Sarai 6c52b3fc54 VERSION: release v1.2.4
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
v1.2.4
2025-01-07 10:20:22 +11:00
Kir Kolyshkin 5243eba185 Merge pull request #4556 from cyphar/1.2-readd-tuntap
[1.2] Re-add tun/tap to default device rules
2024-12-16 21:51:09 -08:00
Kir Kolyshkin 33ed43bdfa [1.2] Re-add tun/tap to default device rules
Since v1.2.0 was released, a number of users complained that the removal
of tun/tap device access from the default device ruleset is causing a
regression in their workloads.

Additionally, it seems that some upper-level orchestration tools
(Docker Swarm, Kubernetes) makes it either impossible or cumbersome
to supply additional device rules.

While it's probably not quite right to have /dev/net/tun in a default
device list, it was there from the very beginning, and users rely on it.
Let's keep it there for the sake of backward compatibility.

This reverts commit 2ce40b6ad7.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(Cherry-pick of commit 394f4c3b7012674ebe0232c560713e57cbd653e6.)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-12-17 14:14:11 +11:00
Akihiro Suda 2dec17d9a5 Merge pull request #4554 from kolyshkin/1.2-4553
[1.2] keyring: update @kolyshkin key expiry
2024-12-16 16:36:18 +09:00
Kir Kolyshkin e9c9dad4de keyring: update @kolyshkin key expiry
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit b15fcc1be6)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-15 17:26:37 -08:00
Aleksa Sarai d4534b2d9e merge #4552 into opencontainers/runc:release-1.2
lifubang (2):
  VERSION: back to development
  VERSION: release v1.2.3

LGTMs: cyphar thaJeztah kolyshkin
2024-12-11 12:25:54 +11:00
lifubang b01ffa03c0 VERSION: back to development
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-12-10 18:14:40 +08:00
lifubang 0d37cfd4b5 VERSION: release v1.2.3
Signed-off-by: lifubang <lifubang@acmcoder.com>
v1.2.3
2024-12-10 18:14:40 +08:00
lfbzhm a640df5739 Merge pull request #4550 from cyphar/1.2-racing-mkdirall
[1.2] deps: update to github.com/cyphar/filepath-securejoin@v0.3.5
2024-12-08 09:31:45 +08:00
lfbzhm fceb5ef8f2 Merge pull request #4551 from cyphar/1.2-ebf-enotsup
[1.2] cgroups: ebpf: use link.Anchor to check for BPF_F_REPLACE support
2024-12-08 00:01:54 +08:00
Aleksa Sarai 7242ffa4bf [1.2] cgroup: ebpf: make unexpected errors in haveBpfProgReplace louder
(This is a cherry-pick of c0044c7aa403ecf2d9172bd9386d05433b011076.)

If we get an unexpected error here, it is probably because of a library
or kernel change that could cause our detection logic to be invalid. As
a result, these warnings should be louder so users have a chance to tell
us about them sooner (or so we might notice them before doing a release,
as happened with the 1.2.0 regression).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-12-08 00:21:59 +11:00
Aleksa Sarai e26e0fde01 [1.2] cgroups: ebpf: also check for ebpf.ErrNotSupported
(This is a cherry-pick of dea0e04dd93d3922083e68667d20aac532d31129.)

It is possible for LinkAttachProgram to return ErrNotSupported if
program attachment is not supported at all (which doesn't matter in this
case), but it seems possible that upstream will start returning
ErrNotSupported for BPF_F_REPLACE at some point so it's best to make
sure we don't cause additional regressions here.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-12-08 00:21:49 +11:00
Aleksa Sarai e623414959 [1.2] cgroups: ebpf: use link.Anchor to check for BPF_F_REPLACE support
(This is a cherry-pick of dea0e04dd93d3922083e68667d20aac532d31129.)

In v0.13.0, cilium/ebpf stopped supporting setting BPF_F_REPLACE as an
explicit flag and instead requires us to use link.Anchor to specify
where the program should be attached.

Commit 216175a9ca ("Upgrade Cilium's eBPF library version to 0.16")
did update this correctly for the actual attaching logic, but when
checking for kernel support we still passed BPF_F_REPLACE. This would
result in a generic error being returned, which our feature-support
checking logic would treat as being an error the indicates that
BPF_F_REPLACE *is* supported, resulting in a regression on pre-5.6
kernels.

It turns out that our debug logging saying that this unexpected error
was happening was being output as a result of this change, but nobody
noticed...

Fixes: 216175a9ca ("Upgrade Cilium's eBPF library version to 0.16")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-12-08 00:21:22 +11:00
Aleksa Sarai 6b904f3e7e [1.2] deps: update to github.com/cyphar/filepath-securejoin@v0.3.5
(This is a cherry-pick of 2f1b6626f38c63ee37930267caa3a9bf57a2ea79.)

This fixes a regression in use of securejoin.MkdirAll, where multiple
runc processes racing to create the same mountpoint in a shared rootfs
would result in spurious EEXIST errors. In particular, this regression
caused issues with BuildKit.

Fixes: dd827f7b71 ("utils: switch to securejoin.MkdirAllHandle")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-12-07 22:44:45 +11:00
Aleksa Sarai 21cabde608 [1.2] deps: update to golang.org/x/sys@v0.28.0
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-12-07 22:44:09 +11:00
Aleksa Sarai 819bce9955 merge #4532 into opencontainers/runc:release-1.2
Kir Kolyshkin (2):
  VERSION: back to development
  VERSION: release v1.2.2

LGTMs: AkihiroSuda lifubang cyphar
2024-11-16 12:36:41 +11:00
Kir Kolyshkin 510a5a0932 VERSION: back to development
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-11-15 13:20:54 -08:00
Kir Kolyshkin 7cb363254b VERSION: release v1.2.2
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
v1.2.2
2024-11-15 13:20:24 -08:00
Kir Kolyshkin 24591c0b16 Merge pull request #4530 from lifubang/backport-4509-4525
[1.2] dmz: overlay: minor fixups
2024-11-15 13:18:56 -08:00
Aleksa Sarai eb676de151 memfd-bind: elaborate kernel requirements for overlayfs protection
Arguably these docs should live elsewhere (especially if we plan to
remove memfd-bind in the future), but for now this is the only place
that fully explains this issue.

Suggested-by: Rodrigo Campos <rodrigoca@microsoft.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit ac435895b9)
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-11-15 10:28:39 -08:00
Aleksa Sarai 82f3af8553 readme: drop unused memfd-bind reference
Fixes: 871057d863 ("drop runc-dmz solution according to overlay solution")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit b9dfb22dbf)
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-11-15 10:28:39 -08:00
Aleksa Sarai 2421b59267 memfd-bind: mention that overlayfs obviates the need for it
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit aa505bfa89)
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-11-15 10:28:39 -08:00
Aleksa Sarai b1f733b8ed dmz: overlay: set xino=off to disable dmesg spam
If /run/runc and /usr/bin are on different filesystems, overlayfs may
enable the xino feature which results in the following log message:

  kernel: overlayfs: "xino" feature enabled using 3 upper inode bits.

Each time we have to protect /proc/self/exe. So disable xino to remove
the log message (we don't care about the inode numbers of the files
anyway).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 9bc42d61bb)
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-11-15 10:28:39 -08:00
Sebastiaan van Stijn 1b42ebc7f7 Merge pull request #4531 from lifubang/backport-4523
[1.2] runc delete: fix for rootless cgroup + ro cgroupfs
2024-11-15 09:07:47 +01:00
lfbzhm 832faf08fa libct/cg: add test for remove a non-existent dir in a ro mount point
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
(cherry picked from commit 119111a0df)
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-11-15 00:00:15 +00:00
Akihiro Suda 8bfc3b560c Merge pull request #4528 from lifubang/backport-4505
[1.2] CI: bump Fedora 40 -> 41
2024-11-14 00:07:10 -07:00
Kir Kolyshkin e41cc272b6 libct/cg: RemovePath: improve comments
Let's explain in greater details what's happening here and why.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit ba3d026e52)
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-11-13 13:51:20 +00:00
Kir Kolyshkin 79cdf119b6 libct/cg: RemovePath: simplify logic
If the sub-cgroup RemovePath has failed for any reason, return the
error right away. This way, we don't have to check for err != nil
before retrying rmdir.

This is a cosmetic change and should not change any functionality.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 12e06a7c4f)
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-11-13 13:51:20 +00:00
Kir Kolyshkin e01db0028d runc delete: fix for rootless cgroup + ro cgroupfs
An issue with runc 1.2.0 was reported to buildkit, in which
runc delete returns with an error, with the log saying:

> unable to destroy container: unable to remove container's cgroup: open /sys/fs/cgroup/snschvixiy3s74w74fjantrdg: no such file or directory

Apparently, what happens is runc is running with no cgroup access
(because /sys/fs/cgroup is mounted read-only). In this case error to
create a cgroup path (in runc create/run) is ignored, but cgroup removal
(in runc delete) is not.

This is caused by commit d3d7f7d, which changes the cgroup removal
logic in RemovePath. In the current code, if the initial rmdir has
failed (in this case with EROFS), but the subsequent os.ReadDir returns
ENOENT, it is returned (instead of being ignored -- as the path does not
exist and so there is nothing to remove).

Here is the minimal fix for the issue.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit db59489b68)
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-11-13 13:51:20 +00:00
Kir Kolyshkin 213e12165e Vagrantfile.fedora: stop using dnf shell
In Fedora 41, dnf5 is used and it does not have dnf shell. Let's use
old dnf update; dnf install instead. It is two transactions instead
of one, but dnf5 is faster.

While at it:
 - add `--setopt=tsflags=nodocs` as we don't need docs in CI;
 - change golang-go to golang as this is a new rpm name;
 - remove gcc as it is now required by golang-bin;
 - remove container-selinux, criu, fuse-sshfs, iptables from rpms
   as they are already installed.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 609e9a5134)
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-11-13 13:31:19 +00:00
Akihiro Suda 2d6fe54e60 Vagrantfile.fedora: bump Fedora to 41
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 9ce7392b59)
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-11-13 13:31:01 +00:00
Aleksa Sarai 2327ec22c4 merge #4507 into opencontainers/runc:release-1.2
Akihiro Suda (1):
  docs: remove prompt symbols from shell snippets

LGTMs: AkihiroSuda cyphar
2024-11-05 05:09:40 +11:00
Akihiro Suda 6575ab1d7f docs: remove prompt symbols from shell snippets
Remove prompt symbols (`$`, `%`) for ease of copy-pasting

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit c8f5d033c2)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
2024-11-02 12:21:37 -07:00
Aleksa Sarai 7a8738e0c0 merge #4500 into opencontainers/runc:release-1.2
Rodrigo Campos (2):
  VERSION: back to development
  VERSION: release v1.2.1

LGTMs: AkihiroSuda kolyshkin cyphar
2024-11-02 09:00:11 +11:00
Rodrigo Campos 5fc3558626 VERSION: back to development
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2024-11-02 08:59:12 +11:00
Rodrigo Campos d7735e388e VERSION: release v1.2.1
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
v1.2.1
2024-11-02 08:58:52 +11:00