Prevent --l3-cache-schema from clearing the intel_rdt.memBwSchema state
and --mem-bw-schema clearing l3_cache_schema, respectively.
Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
(cherry picked from commit 57b6a317bb)
This was added in 2ee9cbbd12 ("It's /proc/stat, not /proc/stats") with
no actual justification, and doesn't really make much sense on further
inspection:
* /proc/net is a symlink to "self/net", which means that /proc/net/dev
is a per-process file, and so overmounting it would only affect pid1.
Any other program that cares about /proc/net/dev would see their own
process's configuration, and unprivileged processes wouldn't be able
to see /proc/1/... data anyway.
In addition, the fact that this is a symlink means that runc will
deny the overmount because /proc/1/net/dev is not in the proc
overmount allowlist. This means that this has not worked for many
years, and probably never worked in the first place.
* /proc/self/net is already namespaced with network namespaces, so the
primary argument for allowing /proc overmounts (lxcfs-like masking of
procfs files to emulate namespacing for files that are not properly
namespaced for containers -- such as /proc/cpuinfo) is moot.
It goes without saying that lxcfs has never overmounted
/proc/self/net/... files, so the general "because lxcfs"
justification doesn't hold water either.
* The kernel has slowly been moving towards blocking overmounts in
/proc/self/. Linux 6.12 blocked overmounts for fd, fdinfo, and
map_files; future Linux versions will probably end up blocking
everything under /proc/self/.
Fixes: 2ee9cbbd12 ("It's /proc/stat, not /proc/stats")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry-picked from commit 3620185d06b79da836559b75161027c6273fff7b.)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
The dmem controller is added into kernel v6.13 and is now enabled in
Fedora 42 kernels. Yet, systemd is not aware of dmem.
This fixes the test case failure on Fedora.
For the initial test case, see commit 27515719.
For earlier commits similar to this one, see
commits 601cf582, 05272718, e83ca519.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit b3432118ed)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
The per-file deprecation in cgroup_deprecated.go is not working,
let's replace it.
Link to Hooks.Run in Hook.Run deprecation notice.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit b25bcaa8b3)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
When we run CI not on a pull request, the commit job is skipped, as a
result, all-done is also skipped.
To allow all-done to succeed, modify the commit job to succeed for
non-PRs.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 43955a0d28b1f8748ddcc3fcb65fbbf3d2d52d27)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
... or from another job.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 9d970f1dfb890e8c28f1cec7ad58cf414fab3684)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Commit 874207492 neglects to update the exclusion rules when bumping Go
releases, and so we no longer exclude running on actuated with older Go
release, or running with criu-dev with older Go release.
Fixes: 874207492 ("CI: add Go 1.24, drop go1.22")
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 0628b1e5a0d909627594f4e2df20a8e4ee57e51c)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
We already have the indirect require for 1.17.3, that comes
opencontainers/cgroups[1]. That module requires that version as min, so
go can't use older versions. We can just remove the excludes.
There might be cases where people can use runc as a dependency and use
replace to override it (not sure, but probably). We were clear on what
our dependencies are, so we can sleep fine. In the unlikely case that
some project uses runc as a dependency and:
* Uses a replace for cilium v0.17.x but not the latest patch release (0.17.3 is fixed)
* they run with 32bits
* and hit this (that didn't happen always on CI)
* Ignore the changelog for 0.17.3 that mentions the buffer overflow on
32 bits platforms[2].
In that case, if we have a bug report, we can point them to the right
place. But 0.17.3 was released for some months now (most people probably
update) and 0.18.0 was released recently. I wouldn't worry about someone
hitting this in real life.
Also, the excludes directives prevent go install from working, so let's
just remove them.
[1]: https://github.com/opencontainers/cgroups/blob/9657f5a18b8d60a0f39fbb34d0cb7771e28e6278/go.mod#L6
[2]: https://github.com/cilium/ebpf/releases/tag/v0.17.3
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
(cherry picked from commit 67b8a68599)
This ensures that if runc is built without the provided Makefile, the
version is still properly set.
No change in the output.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit c12c99b7d2)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Instead of setting cli.App.Version in main, let's set up
cli.VersionPrinter. This way, we only get various versions
when needed.
Note it does not change the output of runc --version.
It changes the output of runc --help though, and I think it's for the
better.
Before this patch:
> $ runc help
> ...
> USAGE:
> runc [global options] command [command options] [arguments...]
>
> VERSION:
> 1.3.0-rc.1+dev
> commit: v1.3.0-rc.1-93-g932e8342
> spec: 1.2.1
> go: go1.24.2
> libseccomp: 2.5.5
>
> COMMANDS:
> checkpoint checkpoint a running container
> ...
After:
> $ runc help
> ...
> USAGE:
> runc [global options] command [command options] [arguments...]
>
> VERSION:
> 1.3.0-rc.1+dev
>
> COMMANDS:
> checkpoint checkpoint a running container
> ...
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit d54eaaf2c2)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
The new configuration file was initially generated by golangci-lint
migrate, when tweaked to minimize and simplify.
golangci-lint v2 switches to a new version of staticcheck which shows
much more warnings. Some of them were fixed by a few previous commits,
and the rest of them are disabled.
In particular, ST1005 had to be disabled (an attempt to fix it was made
in https://github.com/opencontainers/runc/pull/3857 but it wasn't
merged).
Also, golangci-extra was modified to include ALL staticcheck linters.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 127e8e68d3)
Signed-off-by: lifubang <lifubang@acmcoder.com>
> libcontainer/intelrdt/cmt.go:5:1: ST1020: comment on exported function IsCMTEnabled should be of the form "IsCMTEnabled ..." (staticcheck)
> // Check if Intel RDT/CMT is enabled.
> ^
> libcontainer/intelrdt/intelrdt.go:419:1: ST1020: comment on exported function IsCATEnabled should be of the form "IsCATEnabled ..." (staticcheck)
> // Check if Intel RDT/CAT is enabled
> ^
> libcontainer/intelrdt/intelrdt.go:425:1: ST1020: comment on exported function IsMBAEnabled should be of the form "IsMBAEnabled ..." (staticcheck)
> // Check if Intel RDT/MBA is enabled
> ^
> libcontainer/intelrdt/intelrdt.go:446:1: ST1020: comment on exported method Apply should be of the form "Apply ..." (staticcheck)
> // Applies Intel RDT configuration to the process with the specified pid
> ^
> libcontainer/intelrdt/intelrdt.go:481:1: ST1020: comment on exported method Destroy should be of the form "Destroy ..." (staticcheck)
> // Destroys the Intel RDT container-specific 'container_id' group
> ^
> libcontainer/intelrdt/intelrdt.go:497:1: ST1020: comment on exported method GetPath should be of the form "GetPath ..." (staticcheck)
> // Returns Intel RDT path to save in a state file and to be able to
> ^
> libcontainer/intelrdt/intelrdt.go:506:1: ST1020: comment on exported method GetStats should be of the form "GetStats ..." (staticcheck)
> // Returns statistics for Intel RDT
> ^
> libcontainer/intelrdt/mbm.go:6:1: ST1020: comment on exported function IsMBMEnabled should be of the form "IsMBMEnabled ..." (staticcheck)
> // Check if Intel RDT/MBM is enabled.
> ^
> 8 issues:
> * staticcheck: 8
While at it, add missing periods.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 9b3ccc19a6)
Signed-off-by: lifubang <lifubang@acmcoder.com>
I was pretty sure we have a linter for these but apparently we did not.
> libcontainer/capabilities/capabilities.go:108:1: ST1020: comment on exported method ApplyCaps should be of the form "ApplyCaps ..." (staticcheck)
> // Apply sets all the capabilities for the current process in the config.
> ^
>
>
> types/events.go:15:1: ST1021: comment on exported type Stats should be of the form "Stats ..." (with optional leading article) (staticcheck)
> // stats is the runc specific stats structure for stability when encoding and decoding stats.
> ^
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 30f8acabf6)
Signed-off-by: lifubang <lifubang@acmcoder.com>
> notify_socket.go:44:24: ST1016: methods on the same type should have the same receiver name (seen 1x "n", 5x "s") (staticcheck)
> func (s *notifySocket) Close() error {
> ^
As reported by staticcheck from golangci-lint v2.0.0
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit fdb691632d)
Signed-off-by: lifubang <lifubang@acmcoder.com>
While debugging an issue involving failing mounts, I discovered that
just returning the plain mount error message when we are in the fallback
code for handling locked mounts leads to unnecessary confusion.
It also doesn't help that podman currently forcefully sets "rw" on
mounts, which means that rootless containers are likely to hit the
locked mounts issue fairly often.
So we should improve our error messages to explain why the mount is
failing in the locked flags case.
Fixes: 7c71a22705 ("rootfs: remove --no-mount-fallback and finally fix MS_REMOUNT")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 58c3ab77b0)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
When reading mount errors, it is quite hard to make sense of mount flags
in their hex form. As this is the error path, the minor performance
impact of constructing a string is probably not worth hyper-optimising.
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 30302a2850)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
For some reason, ssh-keygen is unable to write to /root even as root on
AlmaLinux 8:
# id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0
# id -Z
ls -ld /root
# ssh-keygen -t ecdsa -N "" -f /root/rootless.key || cat /var/log/audit/audit.log
Saving key "/root/rootless.key" failed: Permission denied
The audit.log shows:
> type=AVC msg=audit(1744834995.352:546): avc: denied { dac_override } for pid=13471 comm="ssh-keygen" capability=1 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:system_r:ssh_keygen_t:s0 tclass=capability permissive=0
> type=SYSCALL msg=audit(1744834995.352:546): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5641c7587520 a2=241 a3=180 items=0 ppid=4978 pid=13471 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)␝ARCH=x86_64 SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
A workaround is to use /root/.ssh directory instead of just /root.
While at it, let's unify rootless user and key setup into a single place.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 87ae2f8466)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
We are seeing a ton on flakes on almalinux-8 CI job, all caused by criu
inability to freeze a cgroup. This was worked around in criu [1], but
obviously we can't rely on a distro vendor to update the package.
Let's use a copr (thanks to Adrian Reber!)
[1]: https://github.com/checkpoint-restore/criu/pull/2545
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit b520f750ef)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This makes the code more robust and allows to remove the
"shellcheck disable=SC2086" annotation.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 8e653e40c6)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
1. There is no need to have -p option in mkdir here, since
/home/rootless was already created by useradd above.
2. When there is no -p, there is no need to suppress the shellcheck
warning (which looked like this):
> In script/setup_host_fedora.sh line 21:
> mkdir -m 0700 -p /home/rootless/.ssh
> ^-- SC2174 (warning): When used with -p, -m only applies to the deepest directory.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit a76a1361b4)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Those are no longer needed with shellcheck v0.10.0 (possibly with an
earlier version, too, but I am too lazy to check that).
While at it, fix a typo in the comment.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit af386d1df1)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>