This update includes a few breaking API changes that I needed to get in
before an actual runc release depends on it, so that we don't need to
deal with compatibility shims for them (or bumping the SOVERSION).
From a Go API perspective, there were no major changes -- though this
bump did also require a bump to github.com/cyphar/filepath-securejoin
because one of the wrapped APIs changed from int to uint64 as a flag
argument type. Again, better to get this done before we really depend on
this in a public way.
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
A bit of history. EXTRA_BUILDTAGS was introduced in commit dac417174,
as a quick way to add some extra Go build tags to the runc build.
Later, commit 767bc008 changed Makefile to not get EXTRA_TAGS from the
shell environment, as the name is quite generic and some unrelated
environment variable with that name can affect runc build. While such
change does make sense, it makes it more complicated to pass build tags
in CI and otherwise (see e.g. commit 0e1fe368a).
Moreover, runc build uses some Go build tags by default (via Makefile),
and while it is easy to add more build tags (via EXTRA_BUILDTAGS), in
order to remove some existing tags one has to redefine BUILDTAGS from
scratch, which is not very convenient (again, see commit 0e1fe368a which
gets the current value of BUILDTAGS from the Makefile in order to remove
a single tag).
To handle all of the above, let's do this:
- implement RUNC_BUILDTAGS, fixing the issue of not-so-unique name;
- allow to get RUNC_BUILDTAGS from shell environment;
- implement a feature to remove a build tag from default set by
prefixing it with "-" (as in RUNC_BUILDTAGS="-seccomp");
- document all this in README;
- make CI use the new feature;
- keep EXTRA_BUILDTAGS for backward compatibility, add a make warning
and a TODO to remove it for runc 1.6.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Commit 192e3d416f ("ci: add conmon tests run") was merged without
rebasing on top of commit e2c989b7e1 ("build: enable libpathrs by
default"), causing build failures when it was merged.
The solution is to just use the same install script as the rest of CI
from commit 7322b05f41 ("ci: build and install libpathrs").
Fixes: 192e3d416f ("ci: add conmon tests run")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
The modernize documentation used to suggest -test flag but it's not
needed as it is enabled by default. Drop it.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Since we use modernize@latest, it may require latest Go as well (and now it does),
so use "go-version: stable" explicitly (which resolves to latest Go).
This fixes the issue with CI:
> go: golang.org/x/tools/gopls/internal/analysis/modernize/cmd/modernize@latest: golang.org/x/tools/gopls@v0.21.0 requires go >= 1.25 (running go 1.24.11; GOTOOLCHAIN=local)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This is to ensure that Go version in Dockerfile (which is used to build
release binaries) is:
- currently supported;
- used in CI tests.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
For some reason, some jobs in .github/workflows/validate.yml
have "fetch-depth: 0" argument to actions/checkout, meaning
"all history for all branches and tags". Obviously this is
not needed here.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This new version includes the fixes for CVE-2025-52881, so we can remove
the internal/third_party copy of the library we added in commit
ed6b1693b8 ("selinux: use safe procfs API for labels") as well as the
"replace" directive in go.mod (which is problematic for "go get"
installs).
Fixes: ed6b1693b8 ("selinux: use safe procfs API for labels")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
This will result in slower runs but we are having issues with
golangci-lint (false positives) that are most probably related
to caching.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Due to the sensitive nature of these fixes, it was not possible to
submit these upstream and vendor the upstream library. Instead, this
patch uses a fork of github.com/opencontainers/selinux, branched at
commit opencontainers/selinux@879a755db5.
In order to permit downstreams to build with this patched version, a
snapshot of the forked version has been included in
internal/third_party/selinux. Note that since we use "go mod vendor",
the patched code is usable even without being "go get"-able. Once the
embargo for this issue is lifted we can submit the patches upstream and
switch back to a proper upstream go.mod entry.
Also, this requires us to temporarily disable the CI job we have that
disallows "replace" directives.
Fixes: GHSA-cgrx-mc8f-2prm CVE-2025-52881
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
All the new code appears in main (not in the release branches),
and we only want extra linter rules to apply to new code.
Disable lint-extra job if the PR is not to the main branch.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Modernize tool [1] basically ensures that the new language features and
packages are used across the code.
The reason to run it in CI is to ensure that
- PR authors use modern code;
- our code is modern whether we bump Go version in go.mod.
Shove it into go-fix job which already does a similar thing
but for 'go-fix' and rename the whole job to modernize.
[1]: https://pkg.go.dev/golang.org/x/tools/gopls/internal/analysis/modernize
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
When we run CI not on a pull request, the commit job is skipped, as a
result, all-done is also skipped.
To allow all-done to succeed, modify the commit job to succeed for
non-PRs.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
To not accidentally break `go install`, let's add CI to check it. If in
the future we need those directives, we can remove the CI check.
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
The colon after "Error:" caused actionlint to report error on map in
context where map is not allowed.
Signed-off-by: Antti Kervinen <antti.kervinen@intel.com>
The new configuration file was initially generated by golangci-lint
migrate, when tweaked to minimize and simplify.
golangci-lint v2 switches to a new version of staticcheck which shows
much more warnings. Some of them were fixed by a few previous commits,
and the rest of them are disabled.
In particular, ST1005 had to be disabled (an attempt to fix it was made
in https://github.com/opencontainers/runc/pull/3857 but it wasn't
merged).
Also, golangci-extra was modified to include ALL staticcheck linters.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Also, bump golangci-lint to v1.64 (v1.64.2 added Go 1.24 support).
NOTE we still use Go 1.23.x for official builds.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
GHA shows a warning telling that "ubuntu-latest" is going to be switched
to ubuntu-24.04 soon. Let's specify the version explicitly (and switch
to 24.04 for this job ahead of github).
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This allows to make a 17% smaller runc binary by not compiling in
checkpoint/restore support.
It turns out that google.golang.org/protobuf package, used by go-criu,
is quite big, and go linker can't drop unused stuff if reflection is
used anywhere in the code.
Currently there's no alternative to using protobuf in go-criu, and since
not all users use c/r, let's provide them an option for a smaller
binary.
For the reference, here's top10 biggest vendored packages, as reported
by gsa[1]:
$ gsa runc | grep vendor | head
│ 8.59% │ google.golang.org/protobuf │ 1.3 MB │ vendor │
│ 5.76% │ github.com/opencontainers/runc │ 865 kB │ vendor │
│ 4.05% │ github.com/cilium/ebpf │ 608 kB │ vendor │
│ 2.86% │ github.com/godbus/dbus/v5 │ 429 kB │ vendor │
│ 1.25% │ github.com/urfave/cli │ 188 kB │ vendor │
│ 0.90% │ github.com/vishvananda/netlink │ 135 kB │ vendor │
│ 0.59% │ github.com/sirupsen/logrus │ 89 kB │ vendor │
│ 0.56% │ github.com/checkpoint-restore/go-criu/v6 │ 84 kB │ vendor │
│ 0.51% │ golang.org/x/sys │ 76 kB │ vendor │
│ 0.47% │ github.com/seccomp/libseccomp-golang │ 71 kB │ vendor │
And here is a total binary size saving when `runc_nocriu` is used.
For non-stripped binaries:
$ gsa runc-cr runc-nocr | tail -3
│ -17.04% │ runc-cr │ 15 MB │ 12 MB │ -2.6 MB │
│ │ runc-nocr │ │ │ │
└─────────┴──────────────────────────────────────────┴──────────┴──────────┴─────────┘
And for stripped binaries:
│ -17.01% │ runc-cr-stripped │ 11 MB │ 8.8 MB │ -1.8 MB │
│ │ runc-nocr-stripped │ │ │ │
└─────────┴──────────────────────────────────────────┴──────────┴──────────┴─────────┘
[1]: https://github.com/Zxilly/go-size-analyzer
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
The warnings fixed were:
libcontainer/configs/config_test.go:205:12: printf: non-constant format string in call to (*testing.common).Errorf (govet)
t.Errorf(fmt.Sprintf("Expected error to not occur but it was %+v", err))
^
libcontainer/cgroups/fs/blkio_test.go:481:13: printf: non-constant format string in call to (*testing.common).Errorf (govet)
t.Errorf(fmt.Sprintf("test case '%s' failed unexpectedly: %s", testCase.desc, err))
^
libcontainer/cgroups/fs/blkio_test.go:595:13: printf: non-constant format string in call to (*testing.common).Errorf (govet)
t.Errorf(fmt.Sprintf("test case '%s' failed unexpectedly: %s", testCase.desc, err))
^
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>