Commit Graph

7178 Commits

Author SHA1 Message Date
lfbzhm 948cefeb5b Merge pull request #4742 from kolyshkin/1.2-4670
[1.2] ci fixes (ssh-keygen and criu version bumps for almalinux 8 and fedora)
2025-04-23 12:28:16 +08:00
Kir Kolyshkin 21e70de6d8 ci: upgrade to criu-4.1-2 in Fedora
Package criu-4.1-1 has a known bug [1] which is fixed in criu-4.1-2 [2],
which is currently only available in updates-testing. Add a kludge to
install newer criu if necessary to fix CI.

This will not be needed in ~2 weeks once the new package is promoted to
updates.

[1]: https://github.com/checkpoint-restore/criu/issues/2650
[2]: https://bodhi.fedoraproject.org/updates/FEDORA-2025-d374d8ce17

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 3e3e04824d)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-22 19:45:57 -07:00
Kir Kolyshkin a703687437 Unify and fix rootless key setup
For some reason, ssh-keygen is unable to write to /root even as root on
AlmaLinux 8:

	# id
	uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0
	# id -Z
	ls -ld /root
	# ssh-keygen -t ecdsa -N "" -f /root/rootless.key || cat /var/log/audit/audit.log
	Saving key "/root/rootless.key" failed: Permission denied

The audit.log shows:

> type=AVC msg=audit(1744834995.352:546): avc:  denied  { dac_override } for  pid=13471 comm="ssh-keygen" capability=1  scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:system_r:ssh_keygen_t:s0 tclass=capability permissive=0
> type=SYSCALL msg=audit(1744834995.352:546): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5641c7587520 a2=241 a3=180 items=0 ppid=4978 pid=13471 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)␝ARCH=x86_64 SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"

A workaround is to use /root/.ssh directory instead of just /root.

While at it, let's unify rootless user and key setup into a single place.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 87ae2f8466)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-22 19:28:25 -07:00
Kir Kolyshkin 6b108eb624 ci: install newer criu for almalinux-8
We are seeing a ton on flakes on almalinux-8 CI job, all caused by criu
inability to freeze a cgroup. This was worked around in criu [1], but
obviously we can't rely on a distro vendor to update the package.

Let's use a copr (thanks to Adrian Reber!)

[1]: https://github.com/checkpoint-restore/criu/pull/2545

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit b520f750ef)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-22 19:28:25 -07:00
Kir Kolyshkin 5082191d70 script/setup_host_fedora.sh: use bash arrays
This makes the code more robust and allows to remove the
"shellcheck disable=SC2086" annotation.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 8e653e40c6)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-22 19:26:20 -07:00
Kir Kolyshkin fd3bc5d0e2 script/setup_host_fedora.sh: remove -p from mkdir
1. There is no need to have -p option in mkdir here, since
   /home/rootless was already created by useradd above.

2. When there is no -p, there is no need to suppress the shellcheck
   warning (which looked like this):

> In script/setup_host_fedora.sh line 21:
> mkdir -m 0700 -p /home/rootless/.ssh
>       ^-- SC2174 (warning): When used with -p, -m only applies to the deepest directory.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit a76a1361b4)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-22 19:26:10 -07:00
Kir Kolyshkin 7d1df7b66b tests/int: rm some "shellcheck disable" annotations
Those are no longer needed with shellcheck v0.10.0 (possibly with an
earlier version, too, but I am too lazy to check that).

While at it, fix a typo in the comment.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit af386d1df1)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-22 19:26:10 -07:00
Kir Kolyshkin 4d1f79ca45 ci: bump shellcheck to v0.10.0
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit b48dd65114)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-22 19:26:02 -07:00
Kir Kolyshkin e0f47b73dd Makefile: bump shfmt to v3.11.0
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 6e5ffb7cbc)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-22 19:26:02 -07:00
lfbzhm 244d3c5d19 Merge pull request #4720 from kolyshkin/1.2-4709
[1.2] runc pause/unpause/ps: get rid of excessive warning
2025-04-10 07:05:05 +08:00
Kir Kolyshkin f6026143a4 runc pause/unpause/ps: get rid of excessive warning
This issue was originally reported in podman PR 25792.

When calling runc pause/unpause for an ordinary user, podman do not
provide --systemd-cgroups option, and shouldUseRootlessCgroupManager
returns true. This results in a warning:

	$ podman pause sleeper
	WARN[0000] runc pause may fail if you don't have the full access to cgroups
	sleeper

Actually, it does not make sense to call shouldUseRootlessCgroupManager
at this point, because we already know if we're rootless or not, from
the container state.json (same for systemd).

Also, busctl binary is not available either in this context, so
shouldUseRootlessCgroupManager would not work properly.

Finally, it doesn't really matter if we use systemd or not, because we
use fs/fs2 manager to freeze/unfreeze, and it will return something like
EPERM (or tell that cgroups is not configured, for a true rootless
container).

So, let's only print the warning after pause/unpause failed,
if the error returned looks like a permission error.

Same applies to "runc ps".

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit c5ab4b6e30)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-09 09:32:38 -07:00
Kir Kolyshkin 8fe7f17ad4 pause: refactor
This is to simplify code review for the next commit.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit fda034c9ec)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-09 09:32:38 -07:00
Akihiro Suda 1aa51988e1 Merge pull request #4714 from kolyshkin/1.2-4696
[1.2] criu: Add time namespace to container config after checkpoint/restore
2025-04-08 18:02:35 +09:00
Andrei Vagin c248c8ecdf criu: Add time namespace to container config after checkpoint/restore
Since v3.14, CRIU always restores processes into a time namespace to
prevent backward jumps of monotonic and boottime clocks. This change
updates the container configuration to ensure that `runc exec` launches
new processes within the container's time namespace.

Fixes #2610

Signed-off-by: Andrei Vagin <avagin@gmail.com>
(cherry picked from commit b68cbdff34)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-07 17:09:08 -07:00
Akihiro Suda 1c50804572 Merge pull request #4683 from kolyshkin/1.2-ch-nits
[1.2] CHANGELOG: v1.2.6 formatting fixes
2025-03-21 09:14:52 +09:00
Kir Kolyshkin 6345aa2910 CHANGELOG: v1.2.6 formatting fixes
Fix headers

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-17 14:13:24 -07:00
Kir Kolyshkin b44b3b6b0e Merge pull request #4674 from rata/release-1.2
Release 1.2.6
2025-03-17 12:27:37 -07:00
Rodrigo Campos 048d07adec VERSION: Switch back to dev
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2025-03-14 16:32:15 +01:00
Rodrigo Campos e89a29929c VERSION: Release 1.2.6
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
v1.2.6
2025-03-14 11:54:49 +01:00
Akihiro Suda b5ec91d1f8 Merge pull request #4678 from kolyshkin/1.2-4671
[1.2] .cirrus.yml: install less dependencies
2025-03-14 09:08:44 +09:00
Kir Kolyshkin b582187ce9 .cirrus.yml: install less dependencies
In a nutshell:
 - use git-core instead of git;
 - do not install weak deps;
 - do not install docs.

This results in less packages to install:
 - 25 instead of 72 for almalinux-8
 - 24 instead of 90 for almalinux-9

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 1d9bea5378)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-13 11:19:27 -07:00
lfbzhm 9d0c86a72d Merge pull request #4668 from AkihiroSuda/cherrypick-4664-1.2
[1.2] CI: migrate Vagrant + Cirrus to Lima + GHA
2025-03-10 19:28:07 +08:00
Akihiro Suda 96f68384bb CI: migrate Vagrant + Cirrus to Lima + GHA
- Unlike proprietary Vagrant, Lima remains to be an open source project
- GHA now natively supports nested virt on Linux runners

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 135552e5e4)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2025-03-09 02:49:55 +09:00
Aleksa Sarai 4dbf9ac5ae merge #4647 into opencontainers/runc:release-1.2
Evan Phoenix (1):
  libcontainer: Prevent startup hang when CloseExecFrom errors

LGTMs: lifubang cyphar
2025-02-27 16:06:02 +11:00
Aleksa Sarai 35d1d6e7a0 merge #4649 into opencontainers/runc:release-1.2
lifubang (2):
  libct: don't send config to nsexec when joining an existing timens
  test: exec into a container with private time ns

LGTMs: cyphar lifubang
2025-02-27 16:05:17 +11:00
Aleksa Sarai 58c8c815b0 merge #4650 into opencontainers/runc:release-1.2
Evan Phoenix (1):
  Retry direct unix package calls if observing EINTR

LGTMs: cyphar lifubang
2025-02-27 16:04:42 +11:00
lfbzhm 13d44fb2aa Merge pull request #4651 from kolyshkin/1.2-4641
[1.2] exeseal: do not use F_SEAL_FUTURE_WRITE
2025-02-27 12:45:13 +08:00
Evan Phoenix e64390545e libcontainer: Prevent startup hang when CloseExecFrom errors
The previous logic caused runc to hang if CloseExecFrom returned an
error, as the defer waiting on logsDone never finished as the parent
process was never started (and it controls the closing of logsDone via
it's logsPipe).

This moves the defer to after we have started the parent, with means all
the logic related to managing the logsPipe should also be running.

Signed-off-by: Evan Phoenix <evan@phx.io>
(cherry picked from commit 7b26da9ee3)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-27 11:25:10 +08:00
lfbzhm baefcaedc7 Merge pull request #4646 from kolyshkin/1.2-4576
[1.2] libct/system: rm Fexecve
2025-02-27 11:24:28 +08:00
lfbzhm 57e4f53292 Merge pull request #4648 from kolyshkin/1.2-4634
[1.2] Add Go 1.24, drop ubuntu 20.04
2025-02-27 11:23:29 +08:00
Tomasz Duda e11430aa50 exeseal: do not use F_SEAL_FUTURE_WRITE
Prior to kernel Linux 5.5, F_SEAL_FUTURE_WRITE has a bug which maps
memory as shared between processes even if it is set as private. See
kernel commit 05d351102dbe ("mm, memfd: fix COW issue on MAP_PRIVATE and
F_SEAL_FUTURE_WRITE mappings") for more details.

According to the fcntl(2) man pages, F_SEAL_WRITE is enough:

> Furthermore, trying to create new shared, writable memory-mappings via
> mmap(2) will also fail with EPERM.
>
> Using the F_ADD_SEALS operation to set the F_SEAL_WRITE seal fails
> with EBUSY if any writable, shared mapping exists. Such mappings must
> be unmapped before you can add this seal.

F_SEAL_FUTURE_WRITE only makes sense if a read-write shared mapping in
one process should be read-only in another process. This is not case for
runc, especially not for the /proc/self/exe we are protecting.

Signed-off-by: Tomasz Duda <tomaszduda23@gmail.com>
(cyphar: improve the comment regarding F_SEAL_FUTURE_WRITE)
(cyphar: improve commit message)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit c43ea7d629)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-26 13:29:36 -08:00
Evan Phoenix 68a76952a0 Retry direct unix package calls if observing EINTR
Retry Recvfrom, Sendmsg, Readmsg, and Read as they can return EINTR.

Signed-off-by: Evan Phoenix <evan@phx.io>
(cherry picked from commit 28475f12e3)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-26 13:26:52 -08:00
lifubang c5312bc308 libct: don't send config to nsexec when joining an existing timens
We should configure the process's timens offset only when we need to
create new time namespace, we shouldn't do it if we are joining an
existing time namespace. (#4635)

Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit ad09197e41)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-26 13:23:36 -08:00
lfbzhm f4af9ad5fc test: exec into a container with private time ns
Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit 74619689ae)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-26 13:23:36 -08:00
Kir Kolyshkin 14f6169b2c [1.2] CI: gha: rm ubuntu-20.04
There is an announce that Ubuntu 20.04 will be removed in April,
and in March there will be a few "brown-out" dates/times when
it won't work.

This leaves us with no other options than to remove ubuntu-20.04
from the testing matrix.

As a result, cgroup v1 testing will only be done on AlmaLinux 8
running on CirrusCI. It is probably going to be sufficient for
the time being (until we deprecate cgroup v1).

If not, our options are
 - run Ubuntu 20.04 (or other cgroup v1 distro) in a VM on GHA;
 - switch to cirrus-ci.

[1]: https://github.com/actions/runner-images/issues/11101

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 4244978687)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-26 13:19:45 -08:00
Kir Kolyshkin ba5a519d76 [1.2] Add Go 1.24, switch to Go 1.23 for build
Since Go 1.22 is no longer supported, let's switch to Go 1.23 for
official builds, cirrus, and GHA validate jobs.

Add Go 1.24 to testing matrix, and keep Go 1.22.

Bump golangci-lint to a version which supports Go 1.24.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-26 13:19:27 -08:00
Kir Kolyshkin f5f6e758f8 libct/system: rm Fexecve
This helper was added for runc-dmz in commit dac417174, but runc-dmz was
later removed in commit 871057d, which forgot to remove the helper.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 83350c24a9)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-26 11:46:10 -08:00
Aleksa Sarai 300d35b12b merge #4626 into opencontainers/runc:release-1.2
Aleksa Sarai (1):
  release: explicitly set --keyserver in release signing scripts

Kir Kolyshkin (2):
  VERSION: back to development
  VERSION: release v1.2.5

LGTMs: AkihiroSuda cyphar rata
2025-02-14 12:12:43 +11:00
Kir Kolyshkin ca26a9c13e VERSION: back to development
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-13 14:58:58 -08:00
Kir Kolyshkin 59923ef18c VERSION: release v1.2.5
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
v1.2.5
2025-02-13 14:58:49 -08:00
Aleksa Sarai 165b1035de release: explicitly set --keyserver in release signing scripts
On my machine, the --recv-keys steps to get upstream keys started
producing errors recently, and even setting a default keyserver in the
global gpg configuration doesn't seem to help:

  + gpg --homedir=/tmp/runc-sign-tmpkeyring.qm0IP6
        --no-default-keyring --keyring=seccomp.keyring
        --recv-keys 0x47A68FCE37C7D7024FD65E11356CE62C2B524099
  gpg: keybox '/tmp/runc-sign-tmpkeyring.qm0IP6/seccomp.keyring' created
  gpg: keyserver receive failed: No keyserver available

So just explicitly specify a reputable keyserver. Ideally we would use
an .onion-address keyserver to avoid potential targeted attacks but not
everybody runs a Tor proxy on their machine.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 26cfe14231)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-13 14:58:28 -08:00
Kir Kolyshkin 66c6d08ba9 Merge pull request #4632 from lifubang/1.2-bump-xnet-to-0.33.0
[1.2] build(deps): bump golang.org/x/net from 0.24.0 to 0.33.0
2025-02-13 14:38:37 -08:00
lifubang 615240a870 build(deps): bump golang.org/x/net from 0.24.0 to 0.33.0
There is a security patch for CVE-2024-45338 in this version.
Ref: https://github.com/advisories/GHSA-w32m-9786-jp63

Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-02-13 04:27:31 +00:00
Akihiro Suda d0ed7f7ae6 Merge pull request #4619 from kolyshkin/1.2-4616
[1.2] libc/int/userns: add build tag to C file
2025-02-07 13:34:05 +09:00
Akihiro Suda 6635338757 Merge pull request #4615 from kolyshkin/1.2-4612
[1.2] libct/cg/sd: set the DeviceAllow property before DevicePolicy
2025-02-07 13:33:48 +09:00
Brad Davidson 04468c038d libc/int/userns: add build tag to C file
This fixes k3s cross-compilation on Windows, broken by commit
1912d5988b ("*: actually support joining a userns with a new
container").

[@kolyshkin: commit message]

Fixes: 1912d5988b
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit ccb589bd7d)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-06 19:10:39 -08:00
Kir Kolyshkin 9742b6cf10 libct/cg/sd: set the DeviceAllow property before DevicePolicy
Every unit created by runc need daemon reload since systemd v230.
This breaks support for NVIDIA GPUs, see
https://github.com/opencontainers/runc/issues/3708#issuecomment-2216967210

A workaround is to set DeviceAllow before DevicePolicy.

Also:
 - add a test case (which fails before the fix) by @kolyshkin
 - better explain why we need empty DeviceAllow (by @cyphar)

Fixes 4568.

Reported-by: Jian Wen <wenjianhn@gmail.com>
Co-authored-by: Jian Wen <wenjianhn@gmail.com>
Co-authored-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit d84388ae10)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-05 12:18:12 -08:00
Rodrigo Campos de92f4b40d Merge pull request #4608 from kolyshkin/1.2-4590
[1.2] deps: update to github.com/cyphar/filepath-securejoin@v0.4.1
2025-02-05 09:01:31 -03:00
Aleksa Sarai 00f4a5cc4f deps: update to github.com/cyphar/filepath-securejoin@v0.4.1
This release includes a minor breaking API change that requires us to
rework the types of our wrappers, but there is no practical behaviour
change.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 70e500e7d1)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-05 22:05:15 +11:00
Aleksa Sarai 456d770f22 merge #4611 into opencontainers/runc:release-1.2
Kir Kolyshkin (1):
  CI: fix criu-dev compile

LGTMs: rata cyphar
2025-02-05 22:04:29 +11:00