1. Sort the list of matrix excludes in the order of matrix,
add comments explaining why we disable some jobs.
2. Exclude some jobs:
- runc_nodmz && go 1.20.x
- runc_nodmz && -race
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
The referenced issue was fixed in `github.com/urfave/cli` v1.22.6. We
can now remove the dependabot ignore for this package.
Signed-off-by: SuperQ <superq@gmail.com>
Since today, the URL from download.opensuse.org started returning a
HTTP 302 redirect, so -L option for curl is needed to follow it.
While at it, remove apt-key as per its man page recommendation:
> Note: Instead of using this command a keyring should be placed
> directly in the /etc/apt/trusted.gpg.d/ directory with a descriptive
> name and either "gpg" or "asc" as file extension.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
The idea is to remove the need for cloning the entire runc binary by
replacing the final execve() call of the container process with an
execve() call to a clone of a small C binary which just does an execve()
of its arguments.
This provides similar protection against CVE-2019-5736 but without
requiring a >10MB binary copy for each "runc init". When compiled with
musl, runc-dmz is 13kB (though unfortunately with glibc, it is 1.1MB
which is still quite large).
It should be noted that there is still a window where the container
processes could get access to the host runc binary, but because we set
ourselves as non-dumpable the container would need CAP_SYS_PTRACE (which
is not enabled by default in Docker) in order to get around the
proc_fd_access_allowed() checks. In addition, since Linux 4.10[1] the
kernel blocks access entirely for user namespaced containers in this
scenario. For those cases we cannot use runc-dmz, but most containers
won't have this issue.
This new runc-dmz binary can be opted out of at compile time by setting
the "runc_nodmz" buildtag, and at runtime by setting the RUNC_DMZ=legacy
environment variable. In both cases, runc will fall back to the classic
/proc/self/exe-based cloning trick. If /proc/self/exe is already a
sealed memfd (namely if the user is using contrib/cmd/memfd-bind to
create a persistent sealed memfd for runc), neither runc-dmz nor
/proc/self/exe cloning will be used because they are not necessary.
[1]: https://github.com/torvalds/linux/commit/bfedb589252c01fa505ac9f6f2a3d5d68d707ef4
Co-authored-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: lifubang <lifubang@acmcoder.com>
[cyphar: address various review nits]
[cyphar: fix runc-dmz cross-compilation]
[cyphar: embed runc-dmz into runc binary and clone in Go code]
[cyphar: make runc-dmz optional, with fallback to /proc/self/exe cloning]
[cyphar: do not use runc-dmz when the container has certain privs]
Co-authored-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
The default timeout is 360 minutes, which is way long for these jobs.
If the CI (or a test) has stuck, we'd better know about it earlier than
in 6 hours.
Set the timeouts for some [relatively] long running jobs conservatively:
- test and release jobs usually take ~10 minutes;
- lint job takes 1 minute (but can be a few times slower when we switch
Go or golangci-lint version);
- cross-386 job takes about 2 minutes;
- the rest is seconds (and I am lazy to set timeouts everywhere).
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
We used to skip testing rootless integration tests for systemd, because
in case of cgroup v1 it does not support user delegation.
Since we added ubuntu 22.04 to the testing matrix, we can actually test
rootless+systemd there (with the proper systemd setup).
Fixes: 953e1cc485
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Since commit e3cf217cf1 actions/setup-go@v4 uses caching
implicitly, and olangci/golangci-lint-action also uses caching.
These two caches clash, resulting in multiple warnings in CI logs.
The official golangci-lint-action solution is to disable caching
for setup-go job (see [1]). Do the same.
[1] https://github.com/golangci/golangci-lint-action/pull/704
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
As of today, installing fails with
> libc6:i386 : Depends: libgcc-s1:i386 but it is not going to be installed
Add the package explicitly to work around that.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
The first kludge is not needed since the switch to Ubuntu 22.04 in
commit 953e1cc48.
The second one is not needed since Go 1.20.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
These checks ensure that all of the keys in the runc.keyring list are
actually the keys of the specified user and that the users themselves
are actually maintainers.
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
For test jobs, add ubuntu 22.04 into the matrix, so we can test of both
cgroup v1 and v2.
For validate jobs, just switch to ubuntu 22.04
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This version is already used by Cirrus CI Fedora 37 job, but other CI
jobs are still using 1.3.0.
Bump it everywhere so we can enjoy new version features and fixes.
For one thing, I noticed that new bats is reporting error location
correctly.
We will also be able to use "run !" and "run -N" commands.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This is to check that tests/integration/get-images.sh is in sync
with tests/integration/bootstrap-get-images.sh.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
1. Bump shfmt to v3.5.1. Release notes:
https://github.com/mvdan/sh/releases
2. Since shfmt v3.5.0, specifying -l bash (or -l bats) is no longer
necessary. Therefore, we can use shfmt to find all the files.
Add .editorconfig to ignore vendor subdirectory.
3. Use shfmt docker image, so that we don't have to install anything
explicitly. This greatly simplifies the shfmt CI job. Add
localshfmt target so developers can still use a local shfmt binary
when necessary.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This tag points to the latest v3 version (currently v3.0.11). Mainly
done to avoid cluttering git history with multiple minor v3 upgrades.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
When golang 1.19 is used to build unit tests on 386, it fails like this:
sudo -E PATH="$PATH" -- make GOARCH=386 CGO_ENABLED=1 localunittest
<...>
go test -timeout 3m -tags "seccomp" -v ./...
<...>
# github.com/opencontainers/runc/libcontainer/capabilities.test
runtime/cgo(.text): unknown symbol __stack_chk_fail_local in pcrel
runtime/cgo(.text): unknown symbol __stack_chk_fail_local in pcrel
runtime/cgo(.text): unknown symbol __stack_chk_fail_local in pcrel
runtime/cgo(.text): unknown symbol __stack_chk_fail_local in pcrel
runtime/cgo(.text): unknown symbol __stack_chk_fail_local in pcrel
runtime/cgo(.text): relocation target __stack_chk_fail_local not defined
runtime/cgo(.text): relocation target __stack_chk_fail_local not defined
The fix is to add CGO_CFLAGS=-fno-stack-protector.
See also:
- https://github.com/docker-library/golang/pull/426
- https://go.dev/issue/52919
- https://go.dev/issue/54313
- https://go-review.googlesource.com/c/go/+/421935
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>