Commit Graph

5897 Commits

Author SHA1 Message Date
Akihiro Suda 5fd4c4d144 Release 1.1.4
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
v1.1.4
2022-08-24 09:45:13 +09:00
Akihiro Suda 46a5a84616 Merge pull request #3554 from kolyshkin/1.1-fix-dev-pts
[1.1] Fix failed exec after systemctl daemon-reload (regression in 1.1.3)
2022-08-19 08:50:49 +09:00
Kir Kolyshkin 204c673cce [1.1] fix failed exec after systemctl daemon-reload
A regression reported for runc v1.1.3 says that "runc exec -t" fails
after doing "systemctl daemon-reload":

> exec failed: unable to start container process: open /dev/pts/0: operation not permitted: unknown

Apparently, with commit 7219387eb7 we are no longer adding
"DeviceAllow=char-pts rwm" rule (because os.Stat("char-pts") returns
ENOENT).

The bug can only be seen after "systemctl daemon-reload" because runc
also applies the same rules manually (by writing to devices.allow for
cgroup v1), and apparently reloading systemd leads to re-applying the
rules that systemd has (thus removing the char-pts access).

The fix is to do os.Stat only for "/dev" paths.

Also, emit a warning that the path was skipped. Since the original idea
was to emit less warnings, demote the level to debug.

Note this also fixes the issue of not adding "m" permission for block-*
and char-* devices.

A test case is added, which reliably fails before the fix
on both cgroup v1 and v2.

This is a backport of commit 58b1374f0a
to release-1.1 branch.

Fixes: https://github.com/opencontainers/runc/issues/3551
Fixes: 7219387eb7
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-08-18 15:22:40 -07:00
Kir Kolyshkin 1c6dc7650c Merge pull request #3562 from kolyshkin/1.1-ci-codespell-2.2
[1.1] ci: fix for codespell 2.2
2022-08-18 15:14:51 -07:00
Kir Kolyshkin ec2efc2ccb ci: fix for codespell 2.2
Recently released codespell 2.2 adds some more false positives,
such as:

	./Makefile:78: ro ==> to, row, rob, rod, roe, rot
	./Makefile:88: ro ==> to, row, rob, rod, roe, rot
	./notify_socket.go:51: ro ==> to, row, rob, rod, roe, rot
	./LICENSE:128: complies ==> compiles
	./go.sum:59: BU ==> BY
	./types/features/features.go:17: ro ==> to, row, rob, rod, roe, rot
	./libcontainer/rootfs_linux.go:52: ro ==> to, row, rob, rod, roe, rot
	./libcontainer/rootfs_linux.go:166: ro ==> to, row, rob, rod, roe, rot
	....
	./tests/integration/cgroup_delegation.bats:38: inh ==> in
	...

To fix:
 - exclude go.sum;
 - add ro and complies to the list of ignored words;
 - s/inh/inherit in cgroup_delegation.bats.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit df9e32bc6a)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-08-18 14:42:55 -07:00
Akihiro Suda 7c69bcc620 Merge pull request #3558 from kolyshkin/1.1-fix-cross-386
[1.1] ci/gha: fix cross-386 job vs go 1.19
2022-08-17 08:21:49 +09:00
Kir Kolyshkin c778598c44 [1.1] ci/gha: fix cross-386 job vs go 1.19
When golang 1.19 is used to build unit tests on 386, it fails like this:

 sudo -E PATH="$PATH" -- make GOARCH=386 CGO_ENABLED=1 localunittest
 <...>
 go test -timeout 3m -tags "seccomp"  -v ./...
 <...>
 # github.com/opencontainers/runc/libcontainer/capabilities.test
 runtime/cgo(.text): unknown symbol __stack_chk_fail_local in pcrel
 runtime/cgo(.text): unknown symbol __stack_chk_fail_local in pcrel
 runtime/cgo(.text): unknown symbol __stack_chk_fail_local in pcrel
 runtime/cgo(.text): unknown symbol __stack_chk_fail_local in pcrel
 runtime/cgo(.text): unknown symbol __stack_chk_fail_local in pcrel
 runtime/cgo(.text): relocation target __stack_chk_fail_local not defined
 runtime/cgo(.text): relocation target __stack_chk_fail_local not defined

The fix is to add CGO_CFLAGS=-fno-stack-protector.

See also:
 - https://github.com/docker-library/golang/pull/426
 - https://go.dev/issue/52919
 - https://go.dev/issue/54313
 - https://go-review.googlesource.com/c/go/+/421935

Cherry picked from commit 589a9d5082.

Conflict in .github/workflows/test.yml due to missing commit dafcacb522.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-08-16 10:07:32 -07:00
Mrunal Patel b54084fb6f Merge pull request #3541 from kolyshkin/1.1-exec-noexec
[1.1] Fix error from runc run on noexec fs
2022-08-02 12:11:14 -07:00
Kir Kolyshkin d83a861d95 Fix error from runc run on noexec fs
When starting a new container, and the very last step of executing of a
user process fails (last lines of (*linuxStandardInit).Init), it is too
late to print a proper error since both the log pipe and the init pipe
are closed.

This is partially mitigated by using exec.LookPath() which is supposed
to say whether we will be able to execute or not. Alas, it fails to do
so when the binary to be executed resides on a filesystem mounted with
noexec flag.

A workaround would be to use access(2) with X_OK flag. Alas, it is not
working when runc itself is a setuid (or setgid) binary. In this case,
faccessat2(2) with AT_EACCESS can be used, but it is only available
since Linux v5.8.

So, use faccessat2(2) with AT_EACCESS if available. If not, fall back to
access(2) for non-setuid runc, and do nothing for setuid runc (as there
is nothing we can do). Note that this check if in addition to whatever
exec.LookPath does.

Fixes https://github.com/opencontainers/runc/issues/3520

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 957d97bcf4)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-07-28 12:15:43 -07:00
Aleksa Sarai 69734b9958 merge branch 'pr-3536' into release-1.1
guodong (1):
  [1.1] libct/nsenter: switch to sane_kill()

LGTMs: AkihiroSuda cyphar
Closes #3536
2022-07-29 02:14:37 +10:00
guodong d614445dd8 [1.1] libct/nsenter: switch to sane_kill()
Signed-off-by: guodong <guodong9211@gmail.com>
2022-07-28 21:17:42 +10:00
Aleksa Sarai f4aaf0d840 merge branch 'pr-3538' into release-1.1
Kir Kolyshkin (4):
  CI: workaround CentOS Stream 9 criu issue
  tests/int: don't use --criu
  [1.1] ci: fix delete.bats for GHA
  tests/int: runc delete: fix flake, enable for rootless

LGTMs: AkihiroSuda cyphar
Closes #3538
2022-07-28 21:16:40 +10:00
Kir Kolyshkin 3ca5673f78 CI: workaround CentOS Stream 9 criu issue
Older criu builds fail to work properly on CentOS Stream 9 due to
changes in glibc's rseq.

Skip criu tests if an older criu version is found.

Fixes: https://github.com/opencontainers/runc/issues/3532

Cherry picked from commit 4fd4af5b1c.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-07-27 18:22:18 -07:00
Kir Kolyshkin c3986e5371 tests/int: don't use --criu
This is a partial backport of commit 6e1d476aad from main branch.

Instead of specifying path to criu binary, use whatever is found in
$PATH.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-07-27 18:20:28 -07:00
Kir Kolyshkin f46c0dad65 [1.1] ci: fix delete.bats for GHA
A couple of test cases in delete.bats check that a particular cgroup
exists (or doesn't exist) using find. This is now resulting in errors
like these:

        find: ‘/sys/fs/cgroup/blkio/azsec’: Permission denied
        find: ‘/sys/fs/cgroup/blkio/azsec_clamav’: Permission denied
        find: ‘/sys/fs/cgroup/cpu,cpuacct/azsec’: Permission denied
        find: ‘/sys/fs/cgroup/cpu,cpuacct/azsec_clamav’: Permission denied
        find: ‘/sys/fs/cgroup/memory/azsec’: Permission denied
        find: ‘/sys/fs/cgroup/memory/azsec_clamav’: Permission denied

leading to test case failures.

Apparently, GHA runs something else on a test box, so we get this.

To fix, ignore non-zero exit code from find, and redirect its stderr
to /dev/null.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-07-26 13:17:18 -07:00
Kir Kolyshkin 6b94849d22 tests/int: runc delete: fix flake, enable for rootless
The following failure was observed in CI (on centos-stream-8 in
integration-cgroup suite):

	not ok 42 runc delete
	 (from function `fail' in file tests/integration/helpers.bash, line 338,
	  in test file tests/integration/delete.bats, line 30)
	   `[ "$output" = "" ] || fail "cgroup not cleaned up correctly: $output"' failed
	....
	cgroup not cleaned up correctly: /sys/fs/cgroup/pids/system.slice/tmp-bats\x2drun\x2d68012-runc.IPOypI-state-testbusyboxdelete-runc.zriC8C.mount
	/sys/fs/cgroup/cpu,cpuacct/system.slice/tmp-bats\x2drun\x2d68012-runc.IPOypI-state-testbusyboxdelete-runc.zriC8C.mount
	...

Apparently, this is a cgroup systemd creates for a mount unit which
appears then runc does internal /proc/self/exe bind-mount. The test
case should not take it into account.

The second problem with this test is it does not check that cgroup
actually exists when the container is running (so checking that it
was removed after makes less sense). For example, in rootless mode
the cgroup might not have been created.

Fix the find arguments to look for a specific cgroup name, and add
a check that these arguments are correct (i.e. the cgroup is found
when the container is running).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 728571c16f)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-07-26 13:15:43 -07:00
Aleksa Sarai afda6b7ca8 merge branch 'pr-3511' into release-1.1
Kir Kolyshkin (1):
  libct: fix mounting via wrong proc fd

LGTMs: AkihiroSuda cyphar
Closes #3511
2022-07-20 14:27:54 +10:00
Kir Kolyshkin fa3354dc03 libct: fix mounting via wrong proc fd
Due to a bug in commit 9c444070ec, when the user and mount namespaces
are used, and the bind mount is followed by the cgroup mount in the
spec, the cgroup is mounted using the bind mount's mount fd.

This can be reproduced with podman 4.1 (when configured to use runc):

$ podman run --uidmap 0:100:10000 quay.io/libpod/testimage:20210610 mount
Error: /home/kir/git/runc/runc: runc create failed: unable to start container process: error during container init: error mounting "cgroup" to rootfs at "/sys/fs/cgroup": mount /proc/self/fd/11:/sys/fs/cgroup/systemd (via /proc/self/fd/12), flags: 0x20502f: operation not permitted: OCI permission denied

or manually with the spec mounts containing something like this:

    {
      "destination": "/etc/resolv.conf",
      "type": "bind",
      "source": "/userdata/resolv.conf",
      "options": [
        "bind"
      ]
    },
    {
      "destination": "/sys/fs/cgroup",
      "type": "cgroup",
      "source": "cgroup",
      "options": [
        "rprivate",
        "nosuid",
        "noexec",
        "nodev",
        "relatime",
        "ro"
      ]
    }

The issue was not found earlier since it requires using userns, and even then
mount fd is ignored by mountToRootfs, except for bind mounts, and all the bind
mounts have mountfd set, except for the case of cgroup v1's /sys/fs/cgroup
which is internally transformed into a bunch of bind mounts.

This is a minimal fix for the issue, suitable for backporting.

A test case is added which reproduces the issue without the fix applied.

Fixes: 9c444070ec ("Open bind mount sources from the host userns")
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit d370e3c046)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-06-16 11:57:12 -07:00
Aleksa Sarai 1e7bb5b773 merge branch 'pr-3490' into release-1.1
Kir Kolyshkin (3):
  VERSION: back to development
  VERSION: release 1.1.3
  ci: add basic checks for CHANGELOG.md

LGTMs: thaJeztah cyphar
Closes #3490
2022-06-09 10:01:44 +10:00
Kir Kolyshkin eb1552a0b9 VERSION: back to development
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-06-08 11:46:47 -07:00
Kir Kolyshkin 6724737f99 VERSION: release 1.1.3
* Changelog for v1.1.3.
* Fixed 1.1.2 release date.
* Fixed the order of footnotes.

Note that backport (rather than original) PRs are listed as references,
since this makes it easier to cross-check against the git log.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
v1.1.3
2022-06-08 11:46:47 -07:00
Kir Kolyshkin 91fa032da4 ci: add basic checks for CHANGELOG.md
Perform some basic checks for CHANGELOG.md.

In particular, check for
 - missing periods;
 - extra spaces at EOL;
 - non-ASCII characters.

Fix the issues found.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-06-08 11:46:47 -07:00
Sebastiaan van Stijn 5d74e0f027 Merge pull request #3504 from cyphar/1.1-systemd-devices-nonexistent-files
[1.1] cgroups: systemd: skip adding device paths that don't exist
2022-06-08 19:04:24 +02:00
Aleksa Sarai 7219387eb7 cgroups: systemd: skip adding device paths that don't exist
systemd emits very loud warnings when the path specified doesn't exist
(which can be the case for some of our default rules). We don't need the
ruleset we give systemd to be completely accurate (we discard some kinds
of wildcard rules anyway) so we can safely skip adding these.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2022-06-08 09:48:24 +10:00
Kir Kolyshkin da9b9d9357 Merge pull request #3494 from eriksjolund/1.1-backport-3489
[1.1] libcontainer: relax getenv_int sanity check
2022-06-02 10:07:56 -07:00
Erik Sjölund 93d1807b53 libcontainer: relax getenv_int sanity check
Remove upper bound in integer sanity check
to not restrict the number of socket-activated
sockets passed in.

Closes #3488

Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com>
(cherry picked from commit 03a210d0f2)
Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com>
2022-06-02 06:28:13 +02:00
Aleksa Sarai ff14258e8e merge branch 'pr-3481' into release-1.1
Kir Kolyshkin (2):
  script/seccomp.sh: check tarball sha256
  Dockerfile,scripts/release: bump libseccomp to v2.5.4

LGTMs: AkihiroSuda cyphar
Closes #3481
2022-05-27 12:18:12 +10:00
Kir Kolyshkin 8242c05dab script/seccomp.sh: check tarball sha256
Add checking of downloaded tarball checksum.

In case it doesn't match the hardcoded value, the error is like this:

	libseccomp-2.5.4.tar.gz: FAILED
	sha256sum: WARNING: 1 computed checksum did NOT match

In case the checksum for a particular version is not specified in the
script, the error will look like this:

	./script/seccomp.sh: line 29: SECCOMP_SHA256[${ver}]: unbound variable

In case the the hardcoded value in the file is of wrong format/length,
we'll get:

	sha256sum: 'standard input': no properly formatted SHA256 checksum lines found

In any of these cases, the script aborts (due to set -e).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 95f1e2e18872de54a17d64b2d808255463ee3d93)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-27 12:17:45 +10:00
Kir Kolyshkin 017cb29b32 Dockerfile,scripts/release: bump libseccomp to v2.5.4
Release notes: https://github.com/seccomp/libseccomp/releases/tag/v2.5.4

This affects the released static binaries (as they are statically linked
against libseccomp).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit f7b07fd54c)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-27 12:17:45 +10:00
Akihiro Suda 131222d6a0 Merge pull request #3493 from cyphar/1.1-ns_last_pid
[1.1] Allow mounting of /proc/sys/kernel/ns_last_pid
2022-05-27 11:00:28 +09:00
Irwin D'Souza 51649a7d38 Allow mounting of /proc/sys/kernel/ns_last_pid
The CAP_CHECKPOINT_RESTORE linux capability provides the ability to
update /proc/sys/kernel/ns_last_pid. However, because this file is under
/proc, and by default both K8s and CRI-O specify that /proc/sys should
be mounted as Read-Only, by default even with the capability specified,
a process will not be able to write to ns_last_pid.

To get around this, a pod author can specify a volume mount and a
hostpath to bind-mount /proc/sys/kernel/ns_last_pid. However, runc does
not allow specifying mounts under /proc.

This commit adds /proc/sys/kernel/ns_last_pid to the validProcMounts
string array to enable a pod author to mount ns_last_pid as read-write.
The default remains unchanged; unless explicitly requested as a volume
mount, ns_last_pid will remain read-only regardless of whether or not
CAP_CHECKPOINT_RESTORE is specified.

Signed-off-by: Irwin D'Souza <dsouzai.gh@gmail.com>
2022-05-27 09:00:21 +10:00
Aleksa Sarai 9d00472f06 merge branch 'pr-3479' into release-1.1
Kir Kolyshkin (1):
  ci: drop docker layer caching from release job

LGTMs: thaJeztah cyphar
Closes #3479
2022-05-27 08:59:04 +10:00
Kir Kolyshkin 3a09da6b5a ci: drop docker layer caching from release job
This job is failing with "No space left on device" lately, and this
helps to fix it.

Besides, it seems that caching does not help to shorten execution times
(validate/release job succeeds in under 8 minutes now; ymmv).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-26 13:50:47 -07:00
Akihiro Suda fa7cca98a0 Merge pull request #3478 from cyphar/1.1-seccomp-enosys-setup
[1.1] seccomp: enosys: always return -ENOSYS for setup(2) on s390(x)
2022-05-25 17:24:11 +09:00
Aleksa Sarai 8b93f9fb3c seccomp: enosys: always return -ENOSYS for setup(2) on s390(x)
On s390x, syscalls above 255 are multiplexed using the (now otherwise
unused) setup(2) syscall (syscall number 0). If the kernel supports the
syscall then it will correctly translate the syscall number such that
seccomp will correctly detect it -- however, for unknown syscalls the
syscall number remains unchanged. This can be verified by running the
following program under strace:

	int main(void)
	{
		scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_TRAP);
		seccomp_load(ctx);

		return syscall(439, AT_FDCWD, "asdf", X_OK, 0);
	}

Which will then die with the following signal (on pre-5.8 kernels):

	--- SIGSYS {si_signo=SIGSYS, si_code=SYS_SECCOMP,
	            si_call_addr=0x3ffb3006c22, si_syscall=__NR_setup,
	            si_arch=AUDIT_ARCH_S390X} ---

(Note that the si_syscall is __NR_setup, not __NR_faccessat2.)

As a result, the -ENOSYS handling we had previously did not work
completely correctly on s390x because any syscall not supported by the
kernel would be treated as syscall number 0 rather than the actual
syscall number.

Always returning -ENOSYS will not cause any issues because in all of the
cases where this multiplexing occurs, seccomp will see the remapped
syscall number -- and no userspace program will call setup(2)
intentionally (the syscall has not existed in Linux for decades and was
originally a hack used early in Linux init prior to spawning pid1 -- so
you will get -ENOSYS from the kernel anyway).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2022-05-24 12:51:51 +10:00
Kir Kolyshkin 1839c392cc Merge pull request #3476 from kolyshkin/1.1-dbus-err
[1.1] libct/cg/sd: check dbus.ErrClosed instead of isDbusError
2022-05-23 10:45:06 -07:00
Kang Chen fc2a8fe13b libct/cg/sd: check dbus.ErrClosed instead of isDbusError
Signed-off-by: Kang Chen <kongchen28@gmail.com>
(cherry picked from commit 0ca0bb9fee)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-23 16:48:12 +10:00
Aleksa Sarai 13e164dbb0 merge branch 'pr-3477' into release-1.1
CrazyMax (1):
  fix deprecated ActKill

Kir Kolyshkin (2):
  libct/seccomp/config: add missing KillThread, KillProcess
  [1.1] vendor: bump seccomp/libseccomp-golang to f33da4d

LGTMs: AkihiroSuda cyphar
Closes #3477
2022-05-23 16:46:52 +10:00
Kir Kolyshkin d105e052d3 libct/seccomp/config: add missing KillThread, KillProcess
OCI spec added SCMP_ACT_KILL_THREAD and SCMP_ACT_KILL_PROCESS almost two
years ago ([1], [2]), but runc support was half-finished [3].

Add these actions, and modify the test case to check them.

In addition, "runc features" now lists the new actions.

[1] https://github.com/opencontainers/runtime-spec/pull/1044
[2] https://github.com/opencontainers/runtime-spec/pull/1064
[3] https://github.com/opencontainers/runc/pulls/3204

Fixes: 4a4d4f109b
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit e74fdeb88a)
(cherry picked from commit 68427f33d0)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-20 13:25:51 -07:00
Kir Kolyshkin e4474ef881 [1.1] vendor: bump seccomp/libseccomp-golang to f33da4d
This is the same as commit df2bc1380e
but for release-1.1 branch.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-20 13:25:36 -07:00
CrazyMax dc083b2bb7 fix deprecated ActKill
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
(cherry picked from commit 29a56b5206)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-20 11:30:16 -07:00
Sebastiaan van Stijn b507e2da6c Merge pull request #3472 from kolyshkin/1.1-fix-fedora-ci-git
[1.1] Make CI green again
2022-05-12 11:54:14 +02:00
Kir Kolyshkin bf1cd884d9 ci: use golangci-lint-action v3, GO_VERSION
golangci-lint-action v3 no longer installs golang itself, and the
version that comes with Ubuntu is not new/good enough.

Install go 1.17.x explicitly.

Introduce GO_VERSION environment variable to avoid duplication,
and use it instead of 1.x in other places, so that implicit go update
won't bring some unexpected failures.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit f7637defb8)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 16:46:59 -07:00
Kir Kolyshkin 1feafc31f8 ci: bump golangci-lint to v1.44
Also, remove "must be specified without patch version" as this is no
longer true.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit f7d4613492)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 16:46:59 -07:00
Kir Kolyshkin 89f79ff06d libct: StartInitialization: fix %w related warning
(on Go 1.18 this is actually an error)

> libcontainer/factory_linux.go:341:10: fmt.Errorf format %w has arg e of wrong type interface{}

Unfortunately, fixing it results in an errorlint warning:

> libcontainer/factory_linux.go#L344 non-wrapping format verb for fmt.Errorf. Use `%w` to format errors (errorlint)

so we have to silence that one.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 907aefd43c)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 16:46:59 -07:00
Kir Kolyshkin 3b7f260510 Format sources using gofumpt 0.2.1
... which adds a wee more whitespace fixes.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 89733cd055)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 16:42:50 -07:00
dependabot[bot] eeac4e7721 build(deps): bump actions/checkout from 2 to 3
Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit a43485c92c)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 16:35:41 -07:00
Kir Kolyshkin cd7fa00d6b Vagrantfile.fedora: fix build wrt new git
With the updated git in Fedora 35, we can't build it via sudo:

	ssh default 'sudo -i make -C /vagrant localunittest'
	make: Entering directory '/vagrant'
	fatal: unsafe repository ('/vagrant' is owned by someone else)
	To add an exception for this directory, call:

		git config --global --add safe.directory /vagrant
	go build -trimpath "-buildmode=pie"  -tags "seccomp" -ldflags "-X main.gitCommit= -X main.version=1.1.0+dev " -o runc .
	error obtaining VCS status: exit status 128
		Use -buildvcs=false to disable VCS stamping.
	make: Leaving directory '/vagrant'

This commit should fix this.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 009e627cb0)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 16:25:09 -07:00
Aleksa Sarai 8acb6a0771 Merge pull request from GHSA-f3fp-gc8g-vw66
runc: do not set inheritable capabilities
2022-05-12 08:15:42 +10:00
Kir Kolyshkin cdfdbe55fb VERSION: back to development
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-05 12:50:18 -07:00