Commit Graph

7491 Commits

Author SHA1 Message Date
Kir Kolyshkin b25bcaa8b3 libct/configs: fix/improve deprecation notices
The per-file deprecation in cgroup_deprecated.go is not working,
let's replace it.

Link to Hooks.Run in Hook.Run deprecation notice.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-06-18 18:14:46 -07:00
Kir Kolyshkin a10d338eb2 libct/configs: add package docstring
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-06-18 18:10:51 -07:00
Kir Kolyshkin 178a58d654 Merge pull request #4783 from opencontainers/dependabot/go_modules/github.com/urfave/cli-1.22.17
build(deps): bump github.com/urfave/cli from 1.22.16 to 1.22.17
2025-06-17 15:16:40 -07:00
dependabot[bot] 99a4f1983d build(deps): bump github.com/urfave/cli from 1.22.16 to 1.22.17
Bumps [github.com/urfave/cli](https://github.com/urfave/cli) from 1.22.16 to 1.22.17.
- [Release notes](https://github.com/urfave/cli/releases)
- [Changelog](https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md)
- [Commits](https://github.com/urfave/cli/compare/v1.22.16...v1.22.17)

---
updated-dependencies:
- dependency-name: github.com/urfave/cli
  dependency-version: 1.22.17
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-16 04:36:33 +00:00
Kir Kolyshkin b04031d708 Merge pull request #4779 from opencontainers/dependabot/go_modules/golang.org/x/net-0.41.0
build(deps): bump golang.org/x/net from 0.40.0 to 0.41.0
2025-06-06 10:18:51 -07:00
dependabot[bot] 31d141e2e7 build(deps): bump golang.org/x/net from 0.40.0 to 0.41.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.40.0 to 0.41.0.
- [Commits](https://github.com/golang/net/compare/v0.40.0...v0.41.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.41.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-06 04:56:47 +00:00
Akihiro Suda 9a0145a001 Merge pull request #4751 from kolyshkin/cgroups-002
deps: bump opencontainers/cgroups to v0.0.2, fix tests
2025-06-03 00:39:47 +09:00
lfbzhm cdf9530701 Merge pull request #4768 from opencontainers/dependabot/go_modules/github.com/containerd/console-1.0.5
build(deps): bump github.com/containerd/console from 1.0.4 to 1.0.5
2025-05-27 13:13:46 +08:00
dependabot[bot] 8b0e7511cf build(deps): bump github.com/containerd/console from 1.0.4 to 1.0.5
Bumps [github.com/containerd/console](https://github.com/containerd/console) from 1.0.4 to 1.0.5.
- [Release notes](https://github.com/containerd/console/releases)
- [Commits](https://github.com/containerd/console/compare/v1.0.4...v1.0.5)

---
updated-dependencies:
- dependency-name: github.com/containerd/console
  dependency-version: 1.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-05-21 04:22:38 +00:00
Kir Kolyshkin 8eb2f43047 Merge pull request #4760 from kolyshkin/sched
ci: add scheduled run of GHA CI
2025-05-20 12:55:21 -07:00
lfbzhm ced3139319 Merge pull request #4724 from saku3/fix-rootfspropagation
fix rootfs propagation mode to shared / unbindable
2025-05-20 09:16:50 +08:00
Yusuke Sakurai 04be81b6a3 fix rootfs propagation mode
Signed-off-by: Yusuke Sakurai <yusuke.sakurai@3-shake.com>
2025-05-19 12:55:35 +00:00
Kir Kolyshkin 995a39a4cb ci: add scheduled run of GHA CI
This is to ensure that our CI is not rotting away even if there are no
new PRs or merges. This is especially useful for release branches
which tend to cease working over time due to some external reasons.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-05-14 16:12:37 -07:00
Kir Kolyshkin 74209b739d ci/gha: allow to run jobs manually
... or from another job.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-05-14 16:12:37 -07:00
Kir Kolyshkin 62e6ab6dda gha/ci: allow validate/all-done to succeed for non-PRs
When we run CI not on a pull request, the commit job is skipped, as a
result, all-done is also skipped.

To allow all-done to succeed, modify the commit job to succeed for
non-PRs.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-05-14 16:12:33 -07:00
Kir Kolyshkin b39bd10590 ci/gha: fix exclusion rules
Commit 874207492 neglects to update the exclusion rules when bumping Go
releases, and so we no longer exclude running on actuated with older Go
release, or running with criu-dev with older Go release.

Fixes: 874207492 ("CI: add Go 1.24, drop go1.22")

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-05-14 15:57:10 -07:00
Kir Kolyshkin b206a015b3 deps: bump opencontainers/cgroups to v0.0.2
For changes, see https://github.com/opencontainers/cgroups/releases/tag/v0.0.2

Fix integration tests according to changes in [1] (now the CPU quota value set
is rounded the same way systemd does it).

[1]: https://github.com/opencontainers/cgroups/pull/4
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-05-13 13:28:36 -07:00
Kir Kolyshkin ae00c2bd09 tests/int: simplify using check_cpu_quota
Instead of providing systemd CPU quota value (CPUQuotaPerSec),
calculate it based on how opencontainers/cgroups/systemd handles
it (see addCPUQuota).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-05-13 13:28:36 -07:00
Rodrigo Campos 17c8e80c40 Merge pull request #4764 from opencontainers/dependabot/go_modules/github.com/vishvananda/netlink-1.3.1
build(deps): bump github.com/vishvananda/netlink from 1.3.0 to 1.3.1
2025-05-13 13:57:19 -03:00
dependabot[bot] fbf1a320d8 build(deps): bump github.com/vishvananda/netlink from 1.3.0 to 1.3.1
Bumps [github.com/vishvananda/netlink](https://github.com/vishvananda/netlink) from 1.3.0 to 1.3.1.
- [Release notes](https://github.com/vishvananda/netlink/releases)
- [Commits](https://github.com/vishvananda/netlink/compare/v1.3.0...v1.3.1)

---
updated-dependencies:
- dependency-name: github.com/vishvananda/netlink
  dependency-version: 1.3.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-05-12 04:47:59 +00:00
lfbzhm 23cf356f90 Merge pull request #4761 from cyphar/changelog-1.3
CHANGELOG: forward-port entries from 1.3.0
2025-05-08 00:42:30 +08:00
Aleksa Sarai 5cdfeea7c9 CHANGELOG: forward-port entries from 1.3.0
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-05-08 00:06:13 +10:00
Kir Kolyshkin a4b9868323 Merge pull request #4758 from opencontainers/dependabot/go_modules/golang.org/x/net-0.40.0
build(deps): bump golang.org/x/net from 0.39.0 to 0.40.0
2025-05-06 14:51:44 -07:00
Kir Kolyshkin 99325b6a7e Merge pull request #4756 from opencontainers/dependabot/github_actions/golangci/golangci-lint-action-8
build(deps): bump golangci/golangci-lint-action from 7 to 8
2025-05-06 12:25:55 -07:00
dependabot[bot] 0623ea108a build(deps): bump golang.org/x/net from 0.39.0 to 0.40.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.39.0 to 0.40.0.
- [Commits](https://github.com/golang/net/compare/v0.39.0...v0.40.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.40.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-05-06 04:31:36 +00:00
dependabot[bot] c1958d8844 build(deps): bump golangci/golangci-lint-action from 7 to 8
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 7 to 8.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/v7...v8)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-version: '8'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-05-05 04:31:04 +00:00
Akihiro Suda 8d90e3dba6 Merge pull request #4750 from rata/go-mod-exclude-linter
ci: Check for exclude/replace directives
2025-05-01 08:50:34 +09:00
Rodrigo Campos 9f86496c33 ci: Check for exclude/replace directives
To not accidentally break `go install`, let's add CI to check it. If in
the future we need those directives, we can remove the CI check.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2025-04-30 17:30:10 +02:00
Akihiro Suda 8ba0a16844 Merge pull request #4743 from kolyshkin/retry-ppa
ci/cross-i386: retry adding ppa
2025-04-29 18:08:08 +09:00
lfbzhm 57d1c30360 Merge pull request #4748 from rata/main
go.mod: Delete exclude directives
2025-04-29 09:01:49 +08:00
Rodrigo Campos 67b8a68599 go.mod: Delete exclude directives
We already have the indirect require for 1.17.3, that comes
opencontainers/cgroups[1]. That module requires that version as min, so
go can't use older versions. We can just remove the excludes.

There might be cases where people can use runc as a dependency and use
replace to override it (not sure, but probably). We were clear on what
our dependencies are, so we can sleep fine. In the unlikely case that
some project uses runc as a dependency and:

 * Uses a replace for cilium v0.17.x but not the latest patch release (0.17.3 is fixed)
 * they run with 32bits
 * and hit this (that didn't happen always on CI)
 * Ignore the changelog for 0.17.3 that mentions the buffer overflow on
   32 bits platforms[2].

In that case, if we have a bug report, we can point them to the right
place. But 0.17.3 was released for some months now (most people probably
update) and 0.18.0 was released recently. I wouldn't worry about someone
hitting this in real life.

Also, the excludes directives prevent go install from working, so let's
just remove them.

[1]: https://github.com/opencontainers/cgroups/blob/9657f5a18b8d60a0f39fbb34d0cb7771e28e6278/go.mod#L6
[2]: https://github.com/cilium/ebpf/releases/tag/v0.17.3

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2025-04-28 12:04:46 +02:00
Aleksa Sarai 0e57cc520a merge #4747 into opencontainers/runc:main
Kir Kolyshkin (1):
  ci: bump golangci-lint to v2.1

LGTMs: lifubang cyphar
2025-04-28 15:28:31 +10:00
Kir Kolyshkin b0aa863fc8 ci: bump golangci-lint to v2.1
(The current v2.1 release is v2.1.5 as of today).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-25 15:35:40 -07:00
lfbzhm 51f45cb5c0 Merge pull request #4746 from opencontainers/dependabot/go_modules/github.com/seccomp/libseccomp-golang-0.11.0
build(deps): bump github.com/seccomp/libseccomp-golang from 0.10.0 to 0.11.0
2025-04-25 23:07:54 +08:00
dependabot[bot] d920a72202 build(deps): bump github.com/seccomp/libseccomp-golang
Bumps [github.com/seccomp/libseccomp-golang](https://github.com/seccomp/libseccomp-golang) from 0.10.0 to 0.11.0.
- [Release notes](https://github.com/seccomp/libseccomp-golang/releases)
- [Changelog](https://github.com/seccomp/libseccomp-golang/blob/main/CHANGELOG)
- [Commits](https://github.com/seccomp/libseccomp-golang/compare/v0.10.0...v0.11.0)

---
updated-dependencies:
- dependency-name: github.com/seccomp/libseccomp-golang
  dependency-version: 0.11.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-04-24 04:50:34 +00:00
Kir Kolyshkin 8e3ee502c8 ci/cross-i386: retry adding ppa
For some reason, launchpad.net is frequently giving us Gateway Timeout.
Let's retry adding the ppa once to mitigate that.

(The alternative is not to install criu and thus run criu-related unit
tests on i386 -- this might actually be better).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-23 14:01:02 -07:00
Kir Kolyshkin 96bb2b0e25 Merge pull request #4718 from kolyshkin/embed-version
Embed version from VERSION
2025-04-23 09:50:44 -07:00
Kir Kolyshkin c12c99b7d2 runc: embed version from VERSION file
This ensures that if runc is built without the provided Makefile, the
version is still properly set.

No change in the output.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-23 09:31:26 -07:00
Kir Kolyshkin d54eaaf2c2 runc --version: use a function
Instead of setting cli.App.Version in main, let's set up
cli.VersionPrinter. This way, we only get various versions
when needed.

Note it does not change the output of runc --version.

It changes the output of runc --help though, and I think it's for the
better.

Before this patch:

> $ runc help
> ...
> USAGE:
>    runc [global options] command [command options] [arguments...]
>
> VERSION:
>    1.3.0-rc.1+dev
> commit: v1.3.0-rc.1-93-g932e8342
> spec: 1.2.1
> go: go1.24.2
> libseccomp: 2.5.5
>
> COMMANDS:
>    checkpoint  checkpoint a running container
> ...

After:

> $ runc help
> ...
> USAGE:
>    runc [global options] command [command options] [arguments...]
>
> VERSION:
>    1.3.0-rc.1+dev
>
> COMMANDS:
>    checkpoint  checkpoint a running container
> ...

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-23 09:31:26 -07:00
lfbzhm a3a8a2e33d Merge pull request #4736 from kolyshkin/fedora-skip-criu-41
ci: update to criu-4.1-2 on Fedora
2025-04-23 11:22:26 +08:00
Kir Kolyshkin 3e3e04824d ci: upgrade to criu-4.1-2 in Fedora
Package criu-4.1-1 has a known bug [1] which is fixed in criu-4.1-2 [2],
which is currently only available in updates-testing. Add a kludge to
install newer criu if necessary to fix CI.

This will not be needed in ~2 weeks once the new package is promoted to
updates.

[1]: https://github.com/checkpoint-restore/criu/issues/2650
[2]: https://bodhi.fedoraproject.org/updates/FEDORA-2025-d374d8ce17

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-22 19:35:09 -07:00
lfbzhm b60a77a199 Merge pull request #4734 from cyphar/mount-errors
rootfs: improve mount-related errors
2025-04-22 12:26:19 +08:00
Aleksa Sarai 58c3ab77b0 rootfs: improve error messages for bind-mount vfs flag setting
While debugging an issue involving failing mounts, I discovered that
just returning the plain mount error message when we are in the fallback
code for handling locked mounts leads to unnecessary confusion.

It also doesn't help that podman currently forcefully sets "rw" on
mounts, which means that rootless containers are likely to hit the
locked mounts issue fairly often.

So we should improve our error messages to explain why the mount is
failing in the locked flags case.

Fixes: 7c71a22705 ("rootfs: remove --no-mount-fallback and finally fix MS_REMOUNT")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-04-21 13:01:03 +10:00
Aleksa Sarai 30302a2850 mount: add string representation of mount flags
When reading mount errors, it is quite hard to make sense of mount flags
in their hex form. As this is the error path, the minor performance
impact of constructing a string is probably not worth hyper-optimising.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-04-21 13:00:59 +10:00
lfbzhm eeae96b181 Merge pull request #4728 from kolyshkin/ci-criu
ci fixes (ssh-keygen and criu version bump for almalinux 8)
2025-04-21 09:10:21 +08:00
Kir Kolyshkin 87ae2f8466 Unify and fix rootless key setup
For some reason, ssh-keygen is unable to write to /root even as root on
AlmaLinux 8:

	# id
	uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0
	# id -Z
	ls -ld /root
	# ssh-keygen -t ecdsa -N "" -f /root/rootless.key || cat /var/log/audit/audit.log
	Saving key "/root/rootless.key" failed: Permission denied

The audit.log shows:

> type=AVC msg=audit(1744834995.352:546): avc:  denied  { dac_override } for  pid=13471 comm="ssh-keygen" capability=1  scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:system_r:ssh_keygen_t:s0 tclass=capability permissive=0
> type=SYSCALL msg=audit(1744834995.352:546): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5641c7587520 a2=241 a3=180 items=0 ppid=4978 pid=13471 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)␝ARCH=x86_64 SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"

A workaround is to use /root/.ssh directory instead of just /root.

While at it, let's unify rootless user and key setup into a single place.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-17 16:16:31 -07:00
Kir Kolyshkin b520f750ef ci: install newer criu for almalinux-8
We are seeing a ton on flakes on almalinux-8 CI job, all caused by criu
inability to freeze a cgroup. This was worked around in criu [1], but
obviously we can't rely on a distro vendor to update the package.

Let's use a copr (thanks to Adrian Reber!)

[1]: https://github.com/checkpoint-restore/criu/pull/2545

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-17 16:04:52 -07:00
Kir Kolyshkin e55fe63aed Merge pull request #4727 from askervin/5aY_fix_invalid_workflow
Fix "invalid workflow file" github actions error
2025-04-17 11:54:04 -07:00
Antti Kervinen d7285e46d8 Fix "invalid workflow file" github actions error
The colon after "Error:" caused actionlint to report error on map in
context where map is not allowed.

Signed-off-by: Antti Kervinen <antti.kervinen@intel.com>
2025-04-16 14:16:55 +03:00
Akihiro Suda 3d8a278bdd Merge pull request #4722 from kolyshkin/rm-criu-opt
Completely remove --criu option
2025-04-16 15:41:19 +09:00