Commit Graph

6197 Commits

Author SHA1 Message Date
Sebastiaan van Stijn 6419fbabfb Merge pull request #4382 from rata/Makefile-override-fixes
[1.1] Revert "allow overriding VERSION value in Makefile" and add EXTRA_VERSION
2024-08-23 22:36:03 +02:00
Rodrigo Campos 0514204d6f Makefile: Add EXTRA_VERSION
Add this new make variable so users can specify build information
without modifying the runc version nor the source code.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
(cherry picked from commit cc2078ccdd)
2024-08-19 16:55:02 +02:00
Rodrigo Campos 18cdc3476f Revert "allow overriding VERSION value in Makefile"
This reverts commit 9d9273c926.

This commit broke the build for several other projects (see comments
here: https://github.com/opencontainers/runc/pull/4270, after the merge)
and we don't really need this to be able to set the version without
changing the file.

With this commit reverted, we can still run:

	make VERSION="1.2.3"

and it just works. It doesn't take it from an env variable, but that is
what broke all the other projects (VERSION is just too generic as an env
var, especially for a project like runc that is embedded in many
others).

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
(cherry picked from commit f4cc3d8313)
2024-08-19 16:52:10 +02:00
Akihiro Suda f3f71a9347 Merge pull request #4372 from kolyshkin/1.1-go123
[1.1] Add Go 1.23, drop 1.21
2024-08-14 19:20:04 +09:00
Kir Kolyshkin 7f75aec407 [1.1] Add Go 1.23, drop 1.21
As of commit 096e6f88f0 we are ready for Go 1.23.

All that's left to do is:
 - Cirrus CI: switch from Go 1.21 to Go 1.22;
 - GHA CI: drop go 1.21, add 1.23 to test matrix;
 - Dockerfile: switch from Go 1.21.x to 1.22.x.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-08-13 15:26:40 -07:00
Kir Kolyshkin 931f46304b Merge pull request #4361 from austinvazquez/backport-protobuf-updates-to-1.1
[1.1 backport] vendor: google.golang.org/protobuf 1.33.0
2024-08-01 01:22:08 -07:00
dependabot[bot] 1f587049fd build(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0
Bumps google.golang.org/protobuf from 1.32.0 to 1.33.0.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit 7ab66b187c)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
2024-07-29 22:42:49 +00:00
dependabot[bot] 31f29447d3 build(deps): bump google.golang.org/protobuf from 1.31.0 to 1.32.0
Bumps google.golang.org/protobuf from 1.31.0 to 1.32.0.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit 43306be3f0)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
2024-07-29 22:42:10 +00:00
dependabot[bot] ac5fc48ad1 build(deps): bump google.golang.org/protobuf from 1.30.0 to 1.31.0
Bumps google.golang.org/protobuf from 1.30.0 to 1.31.0.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit a57d94d3ad)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
2024-07-29 22:40:41 +00:00
dependabot[bot] 3b5bf8f2a9 build(deps): bump google.golang.org/protobuf from 1.29.1 to 1.30.0
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.29.1 to 1.30.0.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](https://github.com/protocolbuffers/protobuf-go/compare/v1.29.1...v1.30.0)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit 8f0d0c4dc8)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
2024-07-29 22:39:09 +00:00
dependabot[bot] 81461edc12 build(deps): bump google.golang.org/protobuf from 1.29.0 to 1.29.1
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.29.0 to 1.29.1.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](https://github.com/protocolbuffers/protobuf-go/compare/v1.29.0...v1.29.1)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit a7046b8387)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
2024-07-29 22:38:13 +00:00
dependabot[bot] 2a9acb99b4 build(deps): bump google.golang.org/protobuf from 1.28.1 to 1.29.0
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.28.1 to 1.29.0.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](https://github.com/protocolbuffers/protobuf-go/compare/v1.28.1...v1.29.0)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit 6b41f8ed26)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
2024-07-29 22:37:23 +00:00
dependabot[bot] 19c47f652d build(deps): bump google.golang.org/protobuf from 1.28.0 to 1.28.1
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.28.0 to 1.28.1.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](https://github.com/protocolbuffers/protobuf-go/compare/v1.28.0...v1.28.1)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit 450dd3e237)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
2024-07-29 22:36:23 +00:00
dependabot[bot] 88f54b20fc build(deps): bump google.golang.org/protobuf from 1.27.1 to 1.28.0
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.27.1 to 1.28.0.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](https://github.com/protocolbuffers/protobuf-go/compare/v1.27.1...v1.28.0)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit 82bc042d27)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
2024-07-29 22:34:00 +00:00
lfbzhm 615068f17a Merge pull request #4334 from cyphar/1.1-rootfs-mountfd
[1.1] rootfs: fix 'can we mount on top of /proc' check
2024-07-05 12:02:49 +08:00
Aleksa Sarai a0292ca6ff [1.1] rootfs: fix 'can we mount on top of /proc' check
(This is a cherry-pick of cdff09ab87 but
modified so that changes like 8e8b136c49 and a60933bb24 don't also
need to be backported. Ideally we would backport the entire "remove all
mount logic from nsexec" series, but that would be a bit too much.)

Our previous test for whether we can mount on top of /proc incorrectly
assumed that it would only be called with bind-mount sources. This meant
that having a non bind-mount entry for a pseudo-filesystem (like
overlayfs) with a dummy source set to /proc on the host would let you
bypass the check, which could easily lead to security issues.

In addition, the check should be applied more uniformly to all mount
types, so fix that as well. And add some tests for some of the tricky
cases to make sure we protect against them properly.

Fixes: 331692baa7 ("Only allow proc mount if it is procfs")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-07-04 14:18:41 +10:00
Kir Kolyshkin b36a0f4537 Merge pull request #4336 from cyphar/1.1-rm-c7
[1.1] ci/cirrus: switch from CentOS to Almalinux
2024-07-02 22:35:26 -07:00
Kir Kolyshkin 5b89027afc [1.1] ci/cirrus: switch from CentOS to Almalinux
(This is a backport of b18d052bb83cbf0a6ad79aa1e79d5c9f75eddda7.)

Remove CentOS 7 as it is EOL.

Add back RHEL 8 clone (CentOS Stream 8 was removed by commit
40bb9c468e).

Switch from CentOS Stream 9 to Almalinux 9.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-07-03 10:54:30 +10:00
Kir Kolyshkin ed406952fc Merge pull request #4318 from lifubang/release-1.1.13
Release 1.1.13
2024-06-13 08:05:44 -07:00
lifubang ec1bc45d46 VERSION: back to development
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-06-13 18:23:57 +08:00
lifubang 58aa9203c1 VERSION: release 1.1.13
Signed-off-by: lifubang <lifubang@acmcoder.com>
v1.1.13
2024-06-13 18:23:48 +08:00
Kir Kolyshkin 2b3a2472d1 Merge pull request #4316 from lifubang/backport-4189
[1.1] script/*: fix gpg usage wrt keyboxd
2024-06-11 16:55:14 -07:00
Kir Kolyshkin 3507adac19 Merge pull request #4315 from lifubang/backport-4311
[1.1] fix a debug msg for user ns in nsexec
2024-06-11 16:54:55 -07:00
Kir Kolyshkin 0f7150ade8 script/*: fix gpg usage wrt keyboxd
I used script/keyring_validate.sh, which gave me this error:

> [*] User cyphar in runc.keyring is not a maintainer!

Apparently, when gnupg 2.4.1+ sees a fresh install (i.e. no ~/.gnupg
directory), it configures itself to use keyboxd instead of keyring
files, and when just silently ignores options like --keyring and
--no-default-keyring, working with keyboxd all the time.

The only way I found to make it not use keyboxd is to set --homedir.
Let's do that when we explicitly want a separate keyring.

Similar change is made to script/release_key.sh.

Also, change "--import --import-options=show-only" to "--show-keys"
which is a shortcut. When using this, there is no need to protect
the default keyring since this command does not read or modify it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 760105ab11)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-06-10 07:26:54 +08:00
lfbzhm 80186fec5c fix a debug msg for user ns in nsexec
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
(cherry picked from commit 24c2d28d1f)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-06-10 07:18:53 +08:00
lfbzhm 8407d3c602 Merge pull request #4313 from kolyshkin/1.1-backport-4292
[1.1] Support Go 1.22, bump some CI deps
2024-06-10 06:46:19 +08:00
Kir Kolyshkin 7219e0afff Dockerfile: bump Debian to 12, Go to 1.21
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit b74b33c439)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-07 11:37:56 -07:00
Kir Kolyshkin c9beabc8d8 ci: switch to go 1.22 as main version
Now when Go 1.22.4 is out it should no longer be a problem.

Leave Go 1.21 for CentOS testing (CentOS 7 and 8 have older glibc)
and Dockerfile (Debian 11 have older glibc).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit a3302f2054)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-07 11:37:56 -07:00
Kir Kolyshkin 4578c6c5db libct/nsenter: stop blacklisting go 1.22+
Go 1.23 includes a fix (https://go.dev/cl/587919) so go1.23.x can be
used. This fix is also backported to 1.22.4, so go1.22.x can also be
used (when x >= 4). Finally, for glibc >= 2.32 it doesn't really matter.

Add a note about Go 1.22.x > 1.22.4 to README as well.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit e660ef61a5)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-07 11:37:56 -07:00
lifubang c488d13a53 use go mod instead of go get in spec.bats
Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit 75e02193c2)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-07 11:37:54 -07:00
Kir Kolyshkin ae85f058cc ci/gha: bump golangci-lint to v1.57
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit d63018c252)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-07 11:33:03 -07:00
Kir Kolyshkin 327e07e968 ci/gha: bump golangci-lint to v1.54
Currently, it is at v1.54.2.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 17e7e230bd)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-07 11:33:03 -07:00
Kir Kolyshkin 65bdf604dd libct/user: gofumpt -w
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-07 11:32:50 -07:00
Kir Kolyshkin 4d097af534 ci/gha: bump golangci-lint-action from 5 to 6
Note that github-actions output format is deprecated and no longer supported,
and it is also no longer needed since setup-go problem matcher already
handles default golangci-lint output format ("colored-line-number").

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit f452f667c0)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-07 11:18:12 -07:00
Kir Kolyshkin fb23608437 ci/gha: bump golangci/golangci-lint-action to v5
Since v5 removes caching [1], re-enable setup-go cache.

[1] https://github.com/golangci/golangci-lint-action/pull/1024

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 6bcc736122)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-07 11:18:12 -07:00
Akihiro Suda 8bfc75a25d CI: run apt with -y
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 30dc98f577)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-07 11:18:12 -07:00
Kir Kolyshkin e546ddeec8 ci/gha: switch some jobs to ubuntu-22.04
This is a partial backport of commits 953e1cc48 and b32655d2
from the main branch.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-07 11:18:12 -07:00
dependabot[bot] 0d19e78b84 build(deps): bump actions/setup-go from 4 to 5
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4 to 5.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit e66ba70f50)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-07 11:18:12 -07:00
Kir Kolyshkin b36844518a build(deps): bump actions/checkout from 3 to 4
Same as commit 2d0cd0b3 in main branch.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-07 11:18:12 -07:00
dependabot[bot] cb2d85dcde build(deps): bump tim-actions/commit-message-checker-with-regex
Bumps [tim-actions/commit-message-checker-with-regex](https://github.com/tim-actions/commit-message-checker-with-regex) from 0.3.1 to 0.3.2.
- [Release notes](https://github.com/tim-actions/commit-message-checker-with-regex/releases)
- [Commits](https://github.com/tim-actions/commit-message-checker-with-regex/compare/v0.3.1...v0.3.2)

---
updated-dependencies:
- dependency-name: tim-actions/commit-message-checker-with-regex
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit fe6f33b2c0)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-07 11:18:12 -07:00
dependabot[bot] 25e27d7eef build(deps): bump actions/upload-artifact from 3 to 4
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3 to 4.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit 7b655782bf)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-07 11:18:12 -07:00
dependabot[bot] 2ac8b11f48 build(deps): bump golangci/golangci-lint-action from 3 to 4
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 3 to 4.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/v3...v4)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit 27cbabd00d)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-07 11:18:12 -07:00
Kir Kolyshkin 7d86e7d9ec Merge pull request #4299 from kolyshkin/1.1-4290
[1.1] libct/system: ClearRlimitNofileCache for go 1.23
2024-06-06 14:34:04 -07:00
Kir Kolyshkin 096e6f88f0 [1.1] libct/system: ClearRlimitNofileCache for go 1.23
Go 1.23 tightens access to internal symbols, and even puts runc into
"hall of shame" for using an internal symbol (recently added by commit
da68c8e3). So, while not impossible, it becomes harder to access those
internal symbols, and it is a bad idea in general.

Since Go 1.23 includes https://go.dev/cl/588076, we can clean the
internal rlimit cache by setting the RLIMIT_NOFILE for ourselves,
essentially disabling the rlimit cache.

Once Go 1.22 is no longer supported, we will remove the go:linkname hack.

(cherry picked from commit 584afc6756)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-05 12:51:15 -07:00
lfbzhm 14181f438e Merge pull request #4308 from kolyshkin/1.1-rm-cs8
[1.1] ci/cirrus: rm centos stream 8
2024-06-05 18:29:42 +08:00
Kir Kolyshkin fc7af59a6b ci/cirrus: rm centos stream 8
It is past EOL and has been removed from GCE public images.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 40bb9c468e)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-04 23:09:46 -07:00
Kir Kolyshkin a1610b56a4 Merge pull request #4305 from lifubang/backport-cs8eol
[1.1] ci: workaround for centos stream 8 being EOLed
2024-06-04 10:44:40 -07:00
Kir Kolyshkin 9629fd9554 ci: workaround for centos stream 8 being EOLed
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 48c4e733f4)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-06-04 18:21:52 +08:00
Kir Kolyshkin 20ef9762da Merge pull request #4300 from lifubang/backport-codespell-2.3.0
[1.1] Fix codespell warnings
2024-06-03 17:02:16 -07:00
Kir Kolyshkin 3b7fcf76ef ci: pin codespell
CI should not fail and require attention every time a new codespell
version is released.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit b24fc9d2c4)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-06-03 09:04:41 +08:00