Commit Graph

7458 Commits

Author SHA1 Message Date
Kir Kolyshkin b0aa863fc8 ci: bump golangci-lint to v2.1
(The current v2.1 release is v2.1.5 as of today).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-25 15:35:40 -07:00
lfbzhm 51f45cb5c0 Merge pull request #4746 from opencontainers/dependabot/go_modules/github.com/seccomp/libseccomp-golang-0.11.0
build(deps): bump github.com/seccomp/libseccomp-golang from 0.10.0 to 0.11.0
2025-04-25 23:07:54 +08:00
dependabot[bot] d920a72202 build(deps): bump github.com/seccomp/libseccomp-golang
Bumps [github.com/seccomp/libseccomp-golang](https://github.com/seccomp/libseccomp-golang) from 0.10.0 to 0.11.0.
- [Release notes](https://github.com/seccomp/libseccomp-golang/releases)
- [Changelog](https://github.com/seccomp/libseccomp-golang/blob/main/CHANGELOG)
- [Commits](https://github.com/seccomp/libseccomp-golang/compare/v0.10.0...v0.11.0)

---
updated-dependencies:
- dependency-name: github.com/seccomp/libseccomp-golang
  dependency-version: 0.11.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-04-24 04:50:34 +00:00
Kir Kolyshkin 96bb2b0e25 Merge pull request #4718 from kolyshkin/embed-version
Embed version from VERSION
2025-04-23 09:50:44 -07:00
Kir Kolyshkin c12c99b7d2 runc: embed version from VERSION file
This ensures that if runc is built without the provided Makefile, the
version is still properly set.

No change in the output.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-23 09:31:26 -07:00
Kir Kolyshkin d54eaaf2c2 runc --version: use a function
Instead of setting cli.App.Version in main, let's set up
cli.VersionPrinter. This way, we only get various versions
when needed.

Note it does not change the output of runc --version.

It changes the output of runc --help though, and I think it's for the
better.

Before this patch:

> $ runc help
> ...
> USAGE:
>    runc [global options] command [command options] [arguments...]
>
> VERSION:
>    1.3.0-rc.1+dev
> commit: v1.3.0-rc.1-93-g932e8342
> spec: 1.2.1
> go: go1.24.2
> libseccomp: 2.5.5
>
> COMMANDS:
>    checkpoint  checkpoint a running container
> ...

After:

> $ runc help
> ...
> USAGE:
>    runc [global options] command [command options] [arguments...]
>
> VERSION:
>    1.3.0-rc.1+dev
>
> COMMANDS:
>    checkpoint  checkpoint a running container
> ...

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-23 09:31:26 -07:00
lfbzhm a3a8a2e33d Merge pull request #4736 from kolyshkin/fedora-skip-criu-41
ci: update to criu-4.1-2 on Fedora
2025-04-23 11:22:26 +08:00
Kir Kolyshkin 3e3e04824d ci: upgrade to criu-4.1-2 in Fedora
Package criu-4.1-1 has a known bug [1] which is fixed in criu-4.1-2 [2],
which is currently only available in updates-testing. Add a kludge to
install newer criu if necessary to fix CI.

This will not be needed in ~2 weeks once the new package is promoted to
updates.

[1]: https://github.com/checkpoint-restore/criu/issues/2650
[2]: https://bodhi.fedoraproject.org/updates/FEDORA-2025-d374d8ce17

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-22 19:35:09 -07:00
lfbzhm b60a77a199 Merge pull request #4734 from cyphar/mount-errors
rootfs: improve mount-related errors
2025-04-22 12:26:19 +08:00
Aleksa Sarai 58c3ab77b0 rootfs: improve error messages for bind-mount vfs flag setting
While debugging an issue involving failing mounts, I discovered that
just returning the plain mount error message when we are in the fallback
code for handling locked mounts leads to unnecessary confusion.

It also doesn't help that podman currently forcefully sets "rw" on
mounts, which means that rootless containers are likely to hit the
locked mounts issue fairly often.

So we should improve our error messages to explain why the mount is
failing in the locked flags case.

Fixes: 7c71a22705 ("rootfs: remove --no-mount-fallback and finally fix MS_REMOUNT")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-04-21 13:01:03 +10:00
Aleksa Sarai 30302a2850 mount: add string representation of mount flags
When reading mount errors, it is quite hard to make sense of mount flags
in their hex form. As this is the error path, the minor performance
impact of constructing a string is probably not worth hyper-optimising.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-04-21 13:00:59 +10:00
lfbzhm eeae96b181 Merge pull request #4728 from kolyshkin/ci-criu
ci fixes (ssh-keygen and criu version bump for almalinux 8)
2025-04-21 09:10:21 +08:00
Kir Kolyshkin 87ae2f8466 Unify and fix rootless key setup
For some reason, ssh-keygen is unable to write to /root even as root on
AlmaLinux 8:

	# id
	uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0
	# id -Z
	ls -ld /root
	# ssh-keygen -t ecdsa -N "" -f /root/rootless.key || cat /var/log/audit/audit.log
	Saving key "/root/rootless.key" failed: Permission denied

The audit.log shows:

> type=AVC msg=audit(1744834995.352:546): avc:  denied  { dac_override } for  pid=13471 comm="ssh-keygen" capability=1  scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:system_r:ssh_keygen_t:s0 tclass=capability permissive=0
> type=SYSCALL msg=audit(1744834995.352:546): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5641c7587520 a2=241 a3=180 items=0 ppid=4978 pid=13471 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)␝ARCH=x86_64 SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"

A workaround is to use /root/.ssh directory instead of just /root.

While at it, let's unify rootless user and key setup into a single place.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-17 16:16:31 -07:00
Kir Kolyshkin b520f750ef ci: install newer criu for almalinux-8
We are seeing a ton on flakes on almalinux-8 CI job, all caused by criu
inability to freeze a cgroup. This was worked around in criu [1], but
obviously we can't rely on a distro vendor to update the package.

Let's use a copr (thanks to Adrian Reber!)

[1]: https://github.com/checkpoint-restore/criu/pull/2545

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-17 16:04:52 -07:00
Kir Kolyshkin e55fe63aed Merge pull request #4727 from askervin/5aY_fix_invalid_workflow
Fix "invalid workflow file" github actions error
2025-04-17 11:54:04 -07:00
Antti Kervinen d7285e46d8 Fix "invalid workflow file" github actions error
The colon after "Error:" caused actionlint to report error on map in
context where map is not allowed.

Signed-off-by: Antti Kervinen <antti.kervinen@intel.com>
2025-04-16 14:16:55 +03:00
Akihiro Suda 3d8a278bdd Merge pull request #4722 from kolyshkin/rm-criu-opt
Completely remove --criu option
2025-04-16 15:41:19 +09:00
lfbzhm f1eaad8597 Merge pull request #4725 from kolyshkin/novar
libct/apparmor: don't use vars for public functions
2025-04-15 18:10:28 +08:00
Kir Kolyshkin 5f4d3f3670 libct/apparmor: don't use vars for public functions
Unfortunately, Go documentation formatter does a sloppy job formatting
documentation for variables -- it is rendered as comments (see [1]).

Switch to using wrapper functions, solely for the sake of better
documentation formatting.

[1]: https://pkg.go.dev/github.com/opencontainers/runc@v1.3.0-rc.2/libcontainer/apparmor

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-14 13:59:39 -07:00
Rodrigo Campos 021973353f Merge pull request #4723 from chenx97/stat-uint32-mips
tests/cmd/remap-rootfs: fix mips builds
2025-04-14 05:44:59 -03:00
Rodrigo Campos 35c4d964cc Merge pull request #4721 from kolyshkin/no-toolchain-check
ci: add check for toolchain in go.mod
2025-04-11 06:14:54 -03:00
Henry Chen 08ebbfc8c7 tests/cmd/remap-rootfs: fix mips builds
Similar to #1824, we need to convert the device number to uint64 for
mips.

Signed-off-by: Henry Chen <henry.chen@oss.cipunited.com>
2025-04-10 14:59:58 +08:00
Kir Kolyshkin 1d78cb2112 Completely remove --criu option
This option is ignored since commit 6e1d476a, it's now time to actually
remove it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-09 10:10:50 -07:00
Kir Kolyshkin c899193643 ci: add check for toolchain in go.mod
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-09 10:04:37 -07:00
Kir Kolyshkin 7483452016 Merge pull request #4716 from rata/changelog-1.2-updates
CHANGELOG: Port 1.2.x changes
2025-04-09 09:45:23 -07:00
Rodrigo Campos e34c1a0408 CHANGELOG: Port 1.2.x changes
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2025-04-09 09:23:13 -07:00
Rodrigo Campos 491e35213b Merge pull request #4709 from kolyshkin/pause-warn
runc pause/unpause/ps: get rid of excessive warning
2025-04-09 07:15:51 -03:00
Rodrigo Campos 636eb4bc6a Merge pull request #4717 from kolyshkin/no-toolchain
go.mod: rm toolchain
2025-04-09 07:12:58 -03:00
Kir Kolyshkin c5ab4b6e30 runc pause/unpause/ps: get rid of excessive warning
This issue was originally reported in podman PR 25792.

When calling runc pause/unpause for an ordinary user, podman do not
provide --systemd-cgroups option, and shouldUseRootlessCgroupManager
returns true. This results in a warning:

	$ podman pause sleeper
	WARN[0000] runc pause may fail if you don't have the full access to cgroups
	sleeper

Actually, it does not make sense to call shouldUseRootlessCgroupManager
at this point, because we already know if we're rootless or not, from
the container state.json (same for systemd).

Also, busctl binary is not available either in this context, so
shouldUseRootlessCgroupManager would not work properly.

Finally, it doesn't really matter if we use systemd or not, because we
use fs/fs2 manager to freeze/unfreeze, and it will return something like
EPERM (or tell that cgroups is not configured, for a true rootless
container).

So, let's only print the warning after pause/unpause failed,
if the error returned looks like a permission error.

Same applies to "runc ps".

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-08 14:00:56 -07:00
Kir Kolyshkin fda034c9ec pause: refactor
This is to simplify code review for the next commit.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-08 14:00:56 -07:00
Kir Kolyshkin 75a4546b2b go.mod: rm toolchain
This was added by dependabot in commit 0b536265. Seems there is a bug
about it: https://github.com/dependabot/dependabot-core/issues/11933.

Having "toolchain" means instead of using installed go version to
build/test, the version specified in toolchain is [downloaded and] used,
which might not be what we actually want.

For more details on toolchain directive, see
https://go.dev/doc/toolchain.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-08 12:31:03 -07:00
Rodrigo Campos 932e83428a Merge pull request #4715 from opencontainers/dependabot/go_modules/golang.org/x/net-0.39.0
build(deps): bump golang.org/x/net from 0.38.0 to 0.39.0
2025-04-08 06:03:40 -03:00
dependabot[bot] 0a9639e380 build(deps): bump golang.org/x/net from 0.38.0 to 0.39.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.38.0 to 0.39.0.
- [Commits](https://github.com/golang/net/compare/v0.38.0...v0.39.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.39.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-04-08 04:41:06 +00:00
Akihiro Suda a996fe8bf8 Merge pull request #4704 from rata/env-var-fixes
Override HOME if its set to the empty string
2025-04-07 20:49:54 +09:00
Rodrigo Campos bf9e609b3b Merge pull request #4710 from opencontainers/dependabot/go_modules/golang.org/x/sys-0.32.0
build(deps): bump golang.org/x/sys from 0.31.0 to 0.32.0
2025-04-07 07:20:15 -03:00
Akihiro Suda 9edb49733e Merge pull request #4707 from opencontainers/dependabot/go_modules/github.com/moby/sys/user-0.4.0
build(deps): bump github.com/moby/sys/user from 0.3.0 to 0.4.0
2025-04-07 08:53:35 +01:00
dependabot[bot] c5e0ece494 build(deps): bump golang.org/x/sys from 0.31.0 to 0.32.0
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.31.0 to 0.32.0.
- [Commits](https://github.com/golang/sys/compare/v0.31.0...v0.32.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-version: 0.32.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-04-07 04:09:11 +00:00
Rodrigo Campos 19c6515471 tests: Add env var tests
This adds some e2e tests for environment variables set in the
config.json. These were based on tests that failed on docker CI[1][2] after
the refactor on 06f1e0765 ("libct: speedup process.Env handling") and
some bugs that I had along the way trying to fix it.

These tests pass with runc 1.2 too.

[1]: https://github.com/moby/moby/blob/843e51459f14ebc964d349eba1013dc8a3e9d52e/integration-cli/docker_cli_run_test.go#L822-L843
[2]: https://github.com/moby/moby/blob/843e51459f14ebc964d349eba1013dc8a3e9d52e/integration-cli/docker_cli_links_test.go#L197-L204

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2025-04-04 15:44:47 +02:00
Rodrigo Campos 09501d96d2 libct: Override HOME if its set to the empty string
Before commit 06f1e0765 ("libct: speedup process.Env handling") we were
overriding HOME if it was set to "" too[1]. But now we only override it
if it wasn't set at all.

This patch restores the old behavior of overriding it if it was set to
an empty value.

Docker relies on this behaviour since ages[2].

[1]: https://github.com/opencontainers/runc/blob/1c508045727231e7342e258ab30add1478c1f981/libcontainer/init_linux.go#L544-L549
[2]: https://github.com/moby/moby/blob/843e51459f14ebc964d349eba1013dc8a3e9d52e/integration-cli/docker_cli_run_test.go#L822-L843

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2025-04-04 15:37:22 +02:00
dependabot[bot] bb5aa11622 build(deps): bump github.com/moby/sys/user from 0.3.0 to 0.4.0
Bumps [github.com/moby/sys/user](https://github.com/moby/sys) from 0.3.0 to 0.4.0.
- [Release notes](https://github.com/moby/sys/releases)
- [Commits](https://github.com/moby/sys/compare/user/v0.3.0...user/v0.4.0)

---
updated-dependencies:
- dependency-name: github.com/moby/sys/user
  dependency-version: 0.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-04-04 04:34:30 +00:00
Rodrigo Campos c3a41d77db Merge pull request #4696 from avagin/criu-vs-exec
criu: Add time namespace to container config after checkpoint/restore
2025-04-01 14:54:33 -03:00
Rodrigo Campos f88669c0c9 Merge pull request #4693 from lifubang/fix-home-env-check-set
libct: we should set envs after we are in the jail of the container
2025-04-01 13:18:00 -03:00
lifubang bf38646497 libct: we should set envs after we are in the jail of the container
Because we have to set a default HOME env for the current container
user, so we should set it after we are in the jail of the container,
or else we'll use host's `/etc/passwd` to get a wrong HOME value.
Please see: #4688.

Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-04-01 15:22:29 +00:00
lifubang 4a0e282b09 test: check whether runc set a correct default home env or not
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-04-01 15:22:19 +00:00
lfbzhm e2e3c65383 Merge pull request #4703 from kolyshkin/modernize
Use Go 1.22+ features
2025-04-01 18:10:00 +08:00
Kir Kolyshkin 7fdec327a0 Use any instead of interface{}
The keyword is available since Go 1.18 (see
https://pkg.go.dev/builtin#any).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-31 17:15:06 -07:00
Kir Kolyshkin 17570625c0 Use for range over integers
This appears in Go 1.22 (see https://tip.golang.org/ref/spec#For_range).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-31 17:15:06 -07:00
Kir Kolyshkin f64edc4d6d ps: use slices.Contains
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-31 17:15:06 -07:00
Kir Kolyshkin ef5acfab4f libct/configs: use slices.Delete
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-31 17:15:06 -07:00
Kir Kolyshkin 0fc2338d59 libct/specconv: use maps.Clone
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-31 17:15:06 -07:00