Commit Graph

6243 Commits

Author SHA1 Message Date
Kir Kolyshkin 4d3e52f207 tests/int: fix a bad typo
As a result, cgroup v1 only tests are being skipped.

Fixes: a2123baf63
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-06 13:46:21 -07:00
Sebastiaan van Stijn aac018175e Merge pull request #3369 from kolyshkin/more-tests-nits
tests/int: nits and cleanups
2022-05-06 13:22:11 +02:00
Kir Kolyshkin 2ce40b6ad7 Remove tun/tap from the default device rules
Looking through git blame, this was added by commit 9fac18329
aka "Initial commit of runc binary", most probably by mistake.

Obviously, a container should not have access to tun/tap device, unless
it is explicitly specified in configuration.

Now, removing this might create a compatibility issue, but I see no
other choice.

Aside from the obvious misconfiguration, this should also fix the
annoying

> Apr 26 03:46:56 foo.bar systemd[1]: Couldn't stat device /dev/char/10:200: No such file or directory

messages from systemd on every container start, when runc uses systemd
cgroup driver, and the system runs an old (< v240) version of systemd
(the message was presumably eliminated by [1]).

[1] https://github.com/systemd/systemd/pull/10996/commits/d5aecba6e0b7c73657c4cf544ce57289115098e7

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-04 15:38:58 -07:00
Sebastiaan van Stijn da6f3b06e2 Merge pull request #3465 from crazy-max/update-libseccomp
vendor: bump seccomp/libseccomp-golang to f33da4d
2022-05-04 21:00:17 +02:00
Kir Kolyshkin 68427f33d0 libct/seccomp/config: add missing KillThread, KillProcess
OCI spec added SCMP_ACT_KILL_THREAD and SCMP_ACT_KILL_PROCESS almost two
years ago ([1], [2]), but runc support was half-finished [3].

Add these actions, and modify the test case to check them.

In addition, "runc features" now lists the new actions.

[1] https://github.com/opencontainers/runtime-spec/pull/1044
[2] https://github.com/opencontainers/runtime-spec/pull/1064
[3] https://github.com/opencontainers/runc/pulls/3204

Fixes: 4a4d4f109b
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit e74fdeb88a)
2022-05-04 16:22:09 +02:00
CrazyMax df2bc1380e vendor: bump seccomp/libseccomp-golang to f33da4d
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-05-03 13:15:02 +02:00
CrazyMax 29a56b5206 fix deprecated ActKill
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-05-03 13:15:01 +02:00
Mrunal Patel 48464417f4 Merge pull request #3461 from kolyshkin/bump-urfave-cli
vendor: bump urfave/cli to v1.22.6
2022-04-25 16:06:37 -07:00
Sebastiaan van Stijn 255fe4099e Merge pull request #3445 from kolyshkin/gha-ro
ci/gha: limit jobs permissions
2022-04-22 20:44:37 +02:00
Sebastiaan van Stijn 062fc87995 Merge pull request #3451 from dsouzai/ns_last_pid
Allow mounting of /proc/sys/kernel/ns_last_pid
2022-04-22 20:41:58 +02:00
Kir Kolyshkin 9c710564fd vendor: bump urfave/cli to v1.22.6
This finally fixes the regression of not allowing -1 as an argument,
which is reported in https://github.com/urfave/cli/pull/1135.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-04-21 19:36:49 -07:00
Sebastiaan van Stijn 238717ddd3 Merge pull request #3457 from kolyshkin/ci-merge-lint-extra
ci/gha: convert lint-extra from a job to a step
2022-04-14 13:42:40 +02:00
Sebastiaan van Stijn 727aa42fd7 Merge pull request #3378 from kolyshkin/ci-verify-more
shellcheck/shfmt more files; run check-config in CI
2022-04-14 13:39:29 +02:00
Kir Kolyshkin 4642d5282e Merge pull request #3458 from opencontainers/dependabot/github_actions/actions/cache-3.0.2
build(deps): bump actions/cache from 3.0.1 to 3.0.2
2022-04-13 22:35:00 -07:00
Kir Kolyshkin fa83a17c57 ci/gha: convert lint-extra from a job to a step
There is no need to parallelize lint and lint-extra jobs,
and they only differ with the arguments to golangci-lint.
Given that the longest time spent in these jobs is installing
libseccomp-dev, and that the second linter run can probably
benefit a lot from caching, it makes sense to merge them.

Move lint-extra from a separate job to a step in lint job.

The implementation is motivated by [1] and relies on the fact
that the last commit being fetched is the merge commit. So,
we need to set fetch-depth to 2 to be able to see the diff of
the merge commit -- and this is what golangci-lint is using.

[1] https://github.com/golangci/golangci-lint-action/issues/449#issuecomment-1096995821

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-04-13 20:20:15 -07:00
Akihiro Suda b6e337ac93 Merge pull request #3459 from opencontainers/dependabot/go_modules/github.com/moby/sys/mountinfo-0.6.1
build(deps): bump github.com/moby/sys/mountinfo from 0.6.0 to 0.6.1
2022-04-13 16:05:56 +09:00
dependabot[bot] de25777a4b build(deps): bump github.com/moby/sys/mountinfo from 0.6.0 to 0.6.1
Bumps [github.com/moby/sys/mountinfo](https://github.com/moby/sys) from 0.6.0 to 0.6.1.
- [Release notes](https://github.com/moby/sys/releases)
- [Commits](https://github.com/moby/sys/compare/signal/v0.6.0...mountinfo/v0.6.1)

---
updated-dependencies:
- dependency-name: github.com/moby/sys/mountinfo
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-13 04:17:00 +00:00
Kir Kolyshkin 98d3b5a495 Merge pull request #3455 from opencontainers/dependabot/github_actions/actions/upload-artifact-3
build(deps): bump actions/upload-artifact from 2 to 3
2022-04-12 14:31:53 -07:00
Sebastiaan van Stijn 66d12b5a0b Merge pull request #3456 from kolyshkin/ci-rm-stable
ci/gha: remove stable: when installing Go
2022-04-12 09:28:18 +02:00
dependabot[bot] d73579cabc build(deps): bump actions/cache from 3.0.1 to 3.0.2
Bumps [actions/cache](https://github.com/actions/cache) from 3.0.1 to 3.0.2.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3.0.1...v3.0.2)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-12 06:35:18 +00:00
Kir Kolyshkin 66be704d02 ci/gha: remove stable: when installing Go
Since the recent bump of actions/setup-go to v3 (commit
9d2268b9db), specifying "stable:" is no longer needed
when we want to try a beta or rc version of Go.

Remove it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-04-11 17:14:13 -07:00
Sebastiaan van Stijn 36585a8f0a Merge pull request #3454 from opencontainers/dependabot/github_actions/actions/setup-go-3
build(deps): bump actions/setup-go from 2 to 3
2022-04-12 00:01:17 +02:00
dependabot[bot] b6eb94762a build(deps): bump actions/upload-artifact from 2 to 3
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 2 to 3.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-11 04:16:44 +00:00
dependabot[bot] 9d2268b9db build(deps): bump actions/setup-go from 2 to 3
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 2 to 3.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-11 04:16:41 +00:00
Irwin D'Souza b76b6b9338 Allow mounting of /proc/sys/kernel/ns_last_pid
The CAP_CHECKPOINT_RESTORE linux capability provides the ability to
update /proc/sys/kernel/ns_last_pid. However, because this file is under
/proc, and by default both K8s and CRI-O specify that /proc/sys should
be mounted as Read-Only, by default even with the capability specified,
a process will not be able to write to ns_last_pid.

To get around this, a pod author can specify a volume mount and a
hostpath to bind-mount /proc/sys/kernel/ns_last_pid. However, runc does
not allow specifying mounts under /proc.

This commit adds /proc/sys/kernel/ns_last_pid to the validProcMounts
string array to enable a pod author to mount ns_last_pid as read-write.
The default remains unchanged; unless explicitly requested as a volume
mount, ns_last_pid will remain read-only regardless of whether or not
CAP_CHECKPOINT_RESTORE is specified.

Signed-off-by: Irwin D'Souza <dsouzai.gh@gmail.com>
2022-04-07 14:08:59 -04:00
Kir Kolyshkin 67e06706ef ci/gha: limit jobs permissions
Most jobs only require to read the repo. Some require to read PRs as
well.

For details, see
https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions

Reported-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-04-06 14:25:22 -07:00
Kir Kolyshkin b802def2f6 Merge pull request #3444 from opencontainers/dependabot/github_actions/actions/cache-3.0.1
build(deps): bump actions/cache from 2 to 3.0.1
2022-03-31 09:36:24 -07:00
dependabot[bot] 7260bae675 build(deps): bump actions/cache from 2 to 3.0.1
Bumps [actions/cache](https://github.com/actions/cache) from 2 to 3.0.1.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v2...v3.0.1)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-31 04:15:06 +00:00
Kir Kolyshkin ae6cb653f4 man/*sh: fix shellcheck warnings, add to shellcheck
Now the only remaining file that needs shellcheck warnings to be fixed
is bash-completion. Note that in Makefile's TODO.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-30 20:47:45 -07:00
Kir Kolyshkin cacc823724 ci: add call to check-config.sh
This is done to make sure the script is working correctly in different
environments (distro and kernel versions). In addition, we can see in
test logs which kernel features are enabled.

Note that I didn't want to have a separate job for GHA CI, so I just
added this to the end of shellcheck one.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-30 20:47:45 -07:00
Kir Kolyshkin 5d1ef78cad script/check-config.sh: enable set -u, fix issues
One particularly bad one is ${codes[@]} which is fine in bash 4.4+,
but gives "codes[@]: unbound variable" with older bash versions,
such as with bash 4.2 used on CentOS 6. It's good that this is the only
array in the script that can potentially be empty.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-30 20:47:45 -07:00
Kir Kolyshkin d66498e771 script/check-config.sh: fix remaining shellcheck warnings
... and add this file to shellcheck target in Makefile.

These:

	In script/check-config.sh line 27:
	kernelMinor="${kernelVersion#$kernelMajor.}"
				     ^----------^ SC2295 (info): Expansions inside ${..} need to be quoted separately, otherwise they match as patterns.

	Did you mean:
	kernelMinor="${kernelVersion#"$kernelMajor".}"

	In script/check-config.sh line 103:
		source /etc/os-release 2>/dev/null || /bin/true
		       ^-------------^ SC1091 (info): Not following: /etc/os-release was not specified as input (see shellcheck -x).

	In script/check-config.sh line 267:
		NET_CLS_CGROUP $netprio
			       ^------^ SC2206 (warning): Quote to prevent word splitting/globbing, or split robustly with mapfile or read -a.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-30 20:47:45 -07:00
Kir Kolyshkin baa06227a4 script/check-config.sh: fix SC2166 warnings
Like this one:

	In ./script/check-config.sh line 215:
	if [ "$kernelMajor" -lt 5 ] || [ "$kernelMajor" -eq 5 -a "$kernelMinor" -le 1 ]; then
							      ^-- SC2166 (warning): Prefer [ p ] && [ q ] as [ p -a q ] is not well defined.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-30 20:47:45 -07:00
Kir Kolyshkin dc73d236ea script/check-config.sh: fix wrap_color usage
1. Allow wrap_bad and wrap_good to have an optional arguments.

2. Remove unneeded echos; this fixes the shellcheck warnings like

	In ./script/check-config.sh line 178:
			echo "$(wrap_bad 'cgroup hierarchy' 'nonexistent??')"
                             ^-- SC2005 (style): Useless echo? Instead of 'echo $(cmd)', just use 'cmd'.

3. Fix missing color argument in calls to wrap_color (when printing the
   hint about how to install apparmor).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-30 20:47:45 -07:00
Kir Kolyshkin 6b16d0051f shfmt: add more files
…and fix a single format issue found.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-30 20:47:45 -07:00
Mrunal Patel 8cf61d9b15 Merge pull request #3441 from opencontainers/dependabot/go_modules/github.com/opencontainers/selinux-1.10.1
build(deps): bump github.com/opencontainers/selinux from 1.10.0 to 1.10.1
2022-03-30 20:32:57 -07:00
Mrunal Patel 885cfd7b46 Merge pull request #3443 from kolyshkin/ci-main
ci/gha: run on main branch
2022-03-30 20:04:35 -07:00
Kir Kolyshkin 01f30162d2 ci/gha: run on main branch
Since we have renamed our default branch, GHA CI is no longer testing
it (see https://github.com/opencontainers/runc/actions).

Fix this.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-30 11:06:25 -07:00
dependabot[bot] d77f898ff5 build(deps): bump github.com/opencontainers/selinux
Bumps [github.com/opencontainers/selinux](https://github.com/opencontainers/selinux) from 1.10.0 to 1.10.1.
- [Release notes](https://github.com/opencontainers/selinux/releases)
- [Commits](https://github.com/opencontainers/selinux/compare/v1.10.0...v1.10.1)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/selinux
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-30 04:16:27 +00:00
Kir Kolyshkin 08a7e18dbf Merge pull request #3440 from masahir0y/trivial
Trivial changes
2022-03-29 16:09:34 -07:00
Masahiro Yamada 5222928650 libct/specconv: use a local variable in CreateCgroupConfig()
Use r instead of spec.Linux.Resources to be consistent throughout
this code hunk.

Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
2022-03-29 22:48:06 +09:00
Akihiro Suda 8d48ce2c69 Merge pull request #3433 from kolyshkin/dont-panic
libct/cg: IsCgroup2HybridMode: don't panic
2022-03-28 20:06:25 +09:00
Kir Kolyshkin d0c89dfac3 libct/cg: IsCgroup2HybridMode: don't panic
In case statfs("/sys/fs/cgroup/unified") fails with any error other
than ENOENT, current code panics. As IsCgroup2HybridMode is called from
libcontainer/cgroups/fs's init function, this means that any user of
libcontainer may panic during initialization, which is ugly.

Avoid panicking; instead, do not enable hybrid hierarchy support and
report the error (under debug level, not to confuse anyone).

Basically, replace the panic with "turn off hybrid mode support"
(which makes total sense since we were unable to statfs its root).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-26 18:14:08 -07:00
Sebastiaan van Stijn 86d6898f30 Merge pull request #3375 from kolyshkin/rm-container-iface
libct: rm BaseContainer and Container interfaces
2022-03-23 21:23:50 +01:00
Akihiro Suda cae822862c Merge pull request #3428 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.28.0
build(deps): bump google.golang.org/protobuf from 1.27.1 to 1.28.0
2022-03-24 04:37:01 +09:00
dependabot[bot] 82bc042d27 build(deps): bump google.golang.org/protobuf from 1.27.1 to 1.28.0
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.27.1 to 1.28.0.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](https://github.com/protocolbuffers/protobuf-go/compare/v1.27.1...v1.28.0)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-23 18:14:30 +00:00
Kir Kolyshkin d620a401d7 tests/int: remove $ROOTLESS, use $EUID
The variable $ROOTLESS, as set by helpers.bash and used in many places,
provides the same value as $EUID which is always set by bash. Since we
are using bash, we can rely on $EUID being omnipresent.

Modify all uses accordingly, and since the value is known to be a
number, omit the quoting.

Similarly, replace all uses of $(id -u) to $EUID.

Do some trivial cleanups along the way, such as
 - simplify some if A; then B; to A && B;
 - do not use [[ instead of [ where not necessary.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-23 11:12:44 -07:00
Kir Kolyshkin d330f94b57 tests/int/update.bats: fix extra reqs
This test requires both rootless and root, which does not make sense.

Remove the rootless part.

Fixes: d41a273da
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-23 11:12:44 -07:00
Kir Kolyshkin a2123baf63 tests/int: replace CGROUP_UNIFIED with CGROUP_V{1,2}
This makes it work similar to all the other variables we use as binary
flags.

The new 'shellcheck disable' is due to a bug in shellcheck (basically,
it does not track the scope of variables or execution order, assuming
everything is executed as soon as it is seen).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-23 11:12:44 -07:00
Kir Kolyshkin 25ef852ad6 tests/int: use = in test for strings comparison
Strictly speaking, == is for [[ only, not for [ / test,
and, unlike =, the right side is a pattern.

To avoid confusion, use =. In cases where we compare with empty string,
use -z instead.

Keep using [[ in some cases since it does not require quoting the left
and right side of comparison (I trust shellcheck on that one).

This should have no effect (other than the code being a tad more
strict).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-23 11:12:44 -07:00