Commit Graph

5866 Commits

Author SHA1 Message Date
Aleksa Sarai 9d00472f06 merge branch 'pr-3479' into release-1.1
Kir Kolyshkin (1):
  ci: drop docker layer caching from release job

LGTMs: thaJeztah cyphar
Closes #3479
2022-05-27 08:59:04 +10:00
Kir Kolyshkin 3a09da6b5a ci: drop docker layer caching from release job
This job is failing with "No space left on device" lately, and this
helps to fix it.

Besides, it seems that caching does not help to shorten execution times
(validate/release job succeeds in under 8 minutes now; ymmv).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-26 13:50:47 -07:00
Akihiro Suda fa7cca98a0 Merge pull request #3478 from cyphar/1.1-seccomp-enosys-setup
[1.1] seccomp: enosys: always return -ENOSYS for setup(2) on s390(x)
2022-05-25 17:24:11 +09:00
Aleksa Sarai 8b93f9fb3c seccomp: enosys: always return -ENOSYS for setup(2) on s390(x)
On s390x, syscalls above 255 are multiplexed using the (now otherwise
unused) setup(2) syscall (syscall number 0). If the kernel supports the
syscall then it will correctly translate the syscall number such that
seccomp will correctly detect it -- however, for unknown syscalls the
syscall number remains unchanged. This can be verified by running the
following program under strace:

	int main(void)
	{
		scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_TRAP);
		seccomp_load(ctx);

		return syscall(439, AT_FDCWD, "asdf", X_OK, 0);
	}

Which will then die with the following signal (on pre-5.8 kernels):

	--- SIGSYS {si_signo=SIGSYS, si_code=SYS_SECCOMP,
	            si_call_addr=0x3ffb3006c22, si_syscall=__NR_setup,
	            si_arch=AUDIT_ARCH_S390X} ---

(Note that the si_syscall is __NR_setup, not __NR_faccessat2.)

As a result, the -ENOSYS handling we had previously did not work
completely correctly on s390x because any syscall not supported by the
kernel would be treated as syscall number 0 rather than the actual
syscall number.

Always returning -ENOSYS will not cause any issues because in all of the
cases where this multiplexing occurs, seccomp will see the remapped
syscall number -- and no userspace program will call setup(2)
intentionally (the syscall has not existed in Linux for decades and was
originally a hack used early in Linux init prior to spawning pid1 -- so
you will get -ENOSYS from the kernel anyway).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2022-05-24 12:51:51 +10:00
Kir Kolyshkin 1839c392cc Merge pull request #3476 from kolyshkin/1.1-dbus-err
[1.1] libct/cg/sd: check dbus.ErrClosed instead of isDbusError
2022-05-23 10:45:06 -07:00
Kang Chen fc2a8fe13b libct/cg/sd: check dbus.ErrClosed instead of isDbusError
Signed-off-by: Kang Chen <kongchen28@gmail.com>
(cherry picked from commit 0ca0bb9fee)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-23 16:48:12 +10:00
Aleksa Sarai 13e164dbb0 merge branch 'pr-3477' into release-1.1
CrazyMax (1):
  fix deprecated ActKill

Kir Kolyshkin (2):
  libct/seccomp/config: add missing KillThread, KillProcess
  [1.1] vendor: bump seccomp/libseccomp-golang to f33da4d

LGTMs: AkihiroSuda cyphar
Closes #3477
2022-05-23 16:46:52 +10:00
Kir Kolyshkin d105e052d3 libct/seccomp/config: add missing KillThread, KillProcess
OCI spec added SCMP_ACT_KILL_THREAD and SCMP_ACT_KILL_PROCESS almost two
years ago ([1], [2]), but runc support was half-finished [3].

Add these actions, and modify the test case to check them.

In addition, "runc features" now lists the new actions.

[1] https://github.com/opencontainers/runtime-spec/pull/1044
[2] https://github.com/opencontainers/runtime-spec/pull/1064
[3] https://github.com/opencontainers/runc/pulls/3204

Fixes: 4a4d4f109b
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit e74fdeb88a)
(cherry picked from commit 68427f33d0)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-20 13:25:51 -07:00
Kir Kolyshkin e4474ef881 [1.1] vendor: bump seccomp/libseccomp-golang to f33da4d
This is the same as commit df2bc1380e
but for release-1.1 branch.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-20 13:25:36 -07:00
CrazyMax dc083b2bb7 fix deprecated ActKill
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
(cherry picked from commit 29a56b5206)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-20 11:30:16 -07:00
Sebastiaan van Stijn b507e2da6c Merge pull request #3472 from kolyshkin/1.1-fix-fedora-ci-git
[1.1] Make CI green again
2022-05-12 11:54:14 +02:00
Kir Kolyshkin bf1cd884d9 ci: use golangci-lint-action v3, GO_VERSION
golangci-lint-action v3 no longer installs golang itself, and the
version that comes with Ubuntu is not new/good enough.

Install go 1.17.x explicitly.

Introduce GO_VERSION environment variable to avoid duplication,
and use it instead of 1.x in other places, so that implicit go update
won't bring some unexpected failures.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit f7637defb8)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 16:46:59 -07:00
Kir Kolyshkin 1feafc31f8 ci: bump golangci-lint to v1.44
Also, remove "must be specified without patch version" as this is no
longer true.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit f7d4613492)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 16:46:59 -07:00
Kir Kolyshkin 89f79ff06d libct: StartInitialization: fix %w related warning
(on Go 1.18 this is actually an error)

> libcontainer/factory_linux.go:341:10: fmt.Errorf format %w has arg e of wrong type interface{}

Unfortunately, fixing it results in an errorlint warning:

> libcontainer/factory_linux.go#L344 non-wrapping format verb for fmt.Errorf. Use `%w` to format errors (errorlint)

so we have to silence that one.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 907aefd43c)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 16:46:59 -07:00
Kir Kolyshkin 3b7f260510 Format sources using gofumpt 0.2.1
... which adds a wee more whitespace fixes.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 89733cd055)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 16:42:50 -07:00
dependabot[bot] eeac4e7721 build(deps): bump actions/checkout from 2 to 3
Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit a43485c92c)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 16:35:41 -07:00
Kir Kolyshkin cd7fa00d6b Vagrantfile.fedora: fix build wrt new git
With the updated git in Fedora 35, we can't build it via sudo:

	ssh default 'sudo -i make -C /vagrant localunittest'
	make: Entering directory '/vagrant'
	fatal: unsafe repository ('/vagrant' is owned by someone else)
	To add an exception for this directory, call:

		git config --global --add safe.directory /vagrant
	go build -trimpath "-buildmode=pie"  -tags "seccomp" -ldflags "-X main.gitCommit= -X main.version=1.1.0+dev " -o runc .
	error obtaining VCS status: exit status 128
		Use -buildvcs=false to disable VCS stamping.
	make: Leaving directory '/vagrant'

This commit should fix this.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 009e627cb0)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 16:25:09 -07:00
Aleksa Sarai 8acb6a0771 Merge pull request from GHSA-f3fp-gc8g-vw66
runc: do not set inheritable capabilities
2022-05-12 08:15:42 +10:00
Kir Kolyshkin cdfdbe55fb VERSION: back to development
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-05 12:50:18 -07:00
Kir Kolyshkin a916309fff VERSION: release 1.1.2
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
v1.1.2
2022-05-05 12:49:49 -07:00
Kir Kolyshkin 364ec0f1b4 runc: do not set inheritable capabilities
Do not set inheritable capabilities in runc spec, runc exec --cap,
and in libcontainer integration tests.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-05 12:20:40 -07:00
Aleksa Sarai 58546650ce merge branch 'pr-3439' into release-1.1
Kir Kolyshkin (3):
  VERSION: back to development
  VERSION: release 1.1.1
  CHANGELOG.md: add 1.1.1 release notes

LGTMs: mrunalp AkihiroSuda cyphar
Closes #3439
2022-03-29 13:58:36 +11:00
Kir Kolyshkin 8959e37254 VERSION: back to development
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-28 12:02:47 -07:00
Kir Kolyshkin 52de29d7e0 VERSION: release 1.1.1
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
v1.1.1
2022-03-28 12:02:47 -07:00
Kir Kolyshkin 2636e1cb36 CHANGELOG.md: add 1.1.1 release notes
This also includes the backport of commit e4d23d50fa,
fixing a minor formatting issue.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-28 12:02:47 -07:00
Kir Kolyshkin ae28db1424 Merge pull request #3436 from kolyshkin/1.1-add-centos-stream-9
[1.1] add centos-stream-9
2022-03-28 12:02:23 -07:00
Kir Kolyshkin 036cc34899 CI/cirrus: add centos-stream-9
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit a9cc993a2b6f8405edcc2a07e52a2c48e664b323)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-28 11:46:11 -07:00
Mrunal Patel c65363285b Merge pull request #3438 from kolyshkin/1.1-fix-badges
[1.1] Fix badges
2022-03-28 11:21:45 -07:00
Kir Kolyshkin db953158e1 README.md: add cirrus-ci badge
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 3618079cab)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-28 09:53:34 -07:00
Kir Kolyshkin ea19181ebd README,libct/README: fix pkg.go.dev badges
What used to be godoc.org is now pkg.go.dev, and while the old URLs
still work, they might be broken in the future.

Updated badges are generated via https://pkg.go.dev/badge/

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit f309a69a48)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-28 09:53:34 -07:00
Mrunal Patel 6bf0a56814 Merge pull request #3435 from mrunalp/dont_panic_1.1
[release-1.1] libct/cg: IsCgroup2HybridMode: don't panic
2022-03-28 09:43:01 -07:00
Kir Kolyshkin 8290c4cf58 libct/cg: IsCgroup2HybridMode: don't panic
In case statfs("/sys/fs/cgroup/unified") fails with any error other
than ENOENT, current code panics. As IsCgroup2HybridMode is called from
libcontainer/cgroups/fs's init function, this means that any user of
libcontainer may panic during initialization, which is ugly.

Avoid panicking; instead, do not enable hybrid hierarchy support and
report the error (under debug level, not to confuse anyone).

Basically, replace the panic with "turn off hybrid mode support"
(which makes total sense since we were unable to statfs its root).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-28 09:13:57 -07:00
Kir Kolyshkin 6f48ab3eaf Merge pull request #3406 from marquiz/backports/rdt
[1.1] configs/validate: looser validation for RDT
2022-03-14 14:11:24 -07:00
Markus Lehtonen ee7ba6cb1e configs/validate: looser validation for RDT
Don't require CAT or MBA because we don't detect those correctly (we
don't support L2 or L3DATA/L3CODE for example, and in the future
possibly even more). With plain "ClosId mode" we don't really care: we
assign the container to a pre-configured CLOS without trying to do
anything smarter.

Moreover, this was a duplicate/redundant check anyway, as for CAT and
MBA there is another specific sanity check that is done if L3 or MB
is specified in the config.

Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
(cherry picked from commit 1d5c331042)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-14 09:35:43 -07:00
Sebastiaan van Stijn a3765fb46d Merge pull request #3404 from kolyshkin/1.1-delegate-enoent
[1.1] libct/cg/sd/v2: fix ENOENT on cgroup delegation
2022-03-10 20:37:34 +01:00
Kir Kolyshkin 96193422ea libct/cg/sd/v2: fix ENOENT on cgroup delegation
Apparently, not all files listed in /sys/kernel/cgroup/delegate must
exist in every cgroup, so we should ignore ENOENT.

Dot not ignore ENOENT on the directory itself though.

Change cgroupFilesToChown to not return ".", and refactor it to not do
any dynamic slice appending in case we're using the default built-in
list of files.

Fixes: 35d20c4e0
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 8c04b98100)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-08 12:03:50 -08:00
Akihiro Suda 51feb4289d Merge pull request #3403 from kolyshkin/1.1-exec-subcgroup
[1.1] runc exec --cgroup: ensure the path is a sub-cgroup path
2022-03-09 00:12:19 +09:00
lifubang 35784a3e6a ensure the path is a sub-cgroup path
Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit 01f00e1fd5)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-07 18:25:59 -08:00
Mrunal Patel b9460f26b4 Merge pull request #3355 from kolyshkin/1.1-rodev
[1.1] Fix working with read-only /dev
2022-01-28 15:56:26 -08:00
Kir Kolyshkin 986e7c535f libct: fixStdioPermissions: ignore EROFS
In case of a read-only /dev, it's better to move on and let whatever is
run in a container to handle any possible errors.

This solves runc exec for a user with read-only /dev.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 146c8c0c62)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-27 13:36:33 -08:00
Kir Kolyshkin 5053a06511 libct: fixStdioPermissions: skip chown if not needed
Since we already called fstat, we know the current file uid. In case it
is the same as the one we want it to be, there's no point in trying
chown.

Remove the specific /dev/null check, as the above also covers it
(comparing /dev/null uid with itself is true).

This also fixes runc exec with read-only /dev for root user.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 18c4760aed)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-27 13:36:33 -08:00
Kir Kolyshkin d2939b6b93 libct: fixStdioPermissions: minor refactoring
Use os/file Chown method instead of bare unix.Fchown as it already have
access to underlying fd, and produces nice-looking errors. This allows
us to remove our error wrapping and some linter annotations.

We still use unix.Fstat since os.Stat access to os-specific fields
like uid/gid is not very straightforward. The only change here is to use
file name (rather than fd) in the error text.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit b7fdb68848)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-27 13:36:33 -08:00
Aleksa Sarai d7f7b22a85 VERSION: back to development
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2022-01-17 19:16:33 +11:00
Aleksa Sarai 067aaf8548 VERSION: release runc v1.1.0
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
v1.1.0
2022-01-17 19:16:31 +11:00
Akihiro Suda c83abc503d Merge pull request #3331 from kolyshkin/nsenter-unsup
Refuse to build runc without nsenter
2022-01-05 14:18:02 +09:00
Kir Kolyshkin c0e300f109 Refuse to build runc without nsenter
Commit 4d1d6185ab added this
nsenter_unsupported.go file in order for nsenter to be a valid (but
empty, non-functional) Go package on unsupported platforms.

As a result, runc can be build successfully without CGO, which results
in a non-working and hard-to-debug binary (see issue 3330).

As the functionality of being able to compile a package which is
definitely not working is questionable, and I can't think of any use
cases, let's remove the file.

With this, runc can no longer be build without CGO:

	[kir@kir-rhat runc]$ CGO_ENABLED=0 make runc
	go build -trimpath "-buildmode=pie"  -tags "seccomp" -ldflags "-X main.gitCommit=v1.0.0-452-g00f56786-dirty -X main.version=1.1.0-rc.1+dev " -o runc .
	go build github.com/opencontainers/runc/libcontainer/nsenter: build constraints exclude all Go files in /home/kir/go/src/github.com/opencontainers/runc/libcontainer/nsenter

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-04 15:49:41 -08:00
Akihiro Suda 00f56786bb Merge pull request #3328 from opencontainers/dependabot/go_modules/github.com/checkpoint-restore/go-criu/v5-5.3.0
build(deps): bump github.com/checkpoint-restore/go-criu/v5 from 5.2.0 to 5.3.0
2021-12-23 11:00:22 +09:00
dependabot[bot] e155b3322c build(deps): bump github.com/checkpoint-restore/go-criu/v5
Bumps [github.com/checkpoint-restore/go-criu/v5](https://github.com/checkpoint-restore/go-criu) from 5.2.0 to 5.3.0.
- [Release notes](https://github.com/checkpoint-restore/go-criu/releases)
- [Commits](https://github.com/checkpoint-restore/go-criu/compare/v5.2.0...v5.3.0)

---
updated-dependencies:
- dependency-name: github.com/checkpoint-restore/go-criu/v5
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-12-22 04:18:26 +00:00
Akihiro Suda 81044ad7c9 Merge pull request #3325 from kolyshkin/rm-go115
libct/cg: rm go 1.15 compatibility
2021-12-15 11:39:50 +09:00
Kir Kolyshkin 5c7e898186 libct/cg: rm go 1.15 compatibility
Since commit 12e99a0f8d we do require Go >= 1.16, so this file
is no longer needed.

Also, this actually ensures that go >= 1.16 is used (otherwise
libcontainer/cgroups/getallpids.go won't compile).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-12-14 13:08:47 -08:00