Commit Graph

7721 Commits

Author SHA1 Message Date
dependabot[bot] eedec9c5f0 build(deps): bump google.golang.org/protobuf from 1.36.7 to 1.36.8
Bumps google.golang.org/protobuf from 1.36.7 to 1.36.8.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-version: 1.36.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-08-21 04:38:43 +00:00
Rodrigo Campos b27d6f3f1a Merge pull request #4856 from kolyshkin/criu-arm
CI: switch to packaged criu on arm
2025-08-19 11:35:22 -03:00
Kir Kolyshkin 96f4a90a6b Switch to packaged criu on arm
The issue on arm [1] is now fixed, so let's get back to using the
packaged criu version for most of the CI matrix.

This reverts commit 105674844e
("ci: use criu built from source on gha arm").

[1]: https://github.com/checkpoint-restore/criu/issues/2709

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-08-18 10:47:26 -07:00
Rodrigo Campos d754fdaddf Merge pull request #4852 from kolyshkin/golangci-24x
ci: bump golangci-lint to v2.4.x
2025-08-18 09:46:51 -03:00
Kir Kolyshkin 9e0f989015 ci: bump golangci-lint to v2.4.x
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-08-17 15:40:58 -07:00
Akihiro Suda 37c6f6de70 Merge pull request #4850 from opencontainers/dependabot/github_actions/actions/checkout-5
build(deps): bump actions/checkout from 4 to 5
2025-08-17 13:04:41 +08:00
dependabot[bot] cfb22c9a0f build(deps): bump actions/checkout from 4 to 5
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 5.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-08-15 16:40:45 +00:00
Aleksa Sarai 6b08448f6c merge #4844 into opencontainers/runc:main
Kir Kolyshkin (2):
  ci: use criu built from source on gha arm
  CI: switch to GHA for arm

LGTMs: rata cyphar
2025-08-16 02:39:17 +10:00
Kir Kolyshkin 105674844e ci: use criu built from source on gha arm
Currently, criu package from opensuse build farm times out on GHA arm,
so let's only use criu-dev (i.e. compiled from source on CI machine).

Once this is fixed, this patch can be reverted.

Related to criu issue 2709.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-08-12 14:48:05 -07:00
Kir Kolyshkin 1cf096803a CI: switch to GHA for arm
Since GHA now provides ARM, we can switch away from actuated.

Many thanks to @alexellis (@self-actuated) for being the sponsor of this
project.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-08-12 14:00:13 -07:00
dependabot[bot] 1398ba7eb0 Merge pull request #4845 from opencontainers/dependabot/go_modules/golang.org/x/net-0.43.0 2025-08-09 07:57:14 +00:00
dependabot[bot] db26a717b9 build(deps): bump golang.org/x/net from 0.42.0 to 0.43.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.42.0 to 0.43.0.
- [Commits](https://github.com/golang/net/compare/v0.42.0...v0.43.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.43.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-08-09 07:19:22 +00:00
lfbzhm c332250553 Merge pull request #4847 from opencontainers/dependabot/go_modules/golang.org/x/sys-0.35.0
build(deps): bump golang.org/x/sys from 0.34.0 to 0.35.0
2025-08-09 15:18:01 +08:00
dependabot[bot] 8f0bb87748 build(deps): bump golang.org/x/sys from 0.34.0 to 0.35.0
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.34.0 to 0.35.0.
- [Commits](https://github.com/golang/sys/compare/v0.34.0...v0.35.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-version: 0.35.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-08-09 06:55:58 +00:00
dependabot[bot] e6313c010d Merge pull request #4846 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.36.7 2025-08-09 06:54:41 +00:00
dependabot[bot] bf33fe5fdb build(deps): bump google.golang.org/protobuf from 1.36.6 to 1.36.7
Bumps google.golang.org/protobuf from 1.36.6 to 1.36.7.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-version: 1.36.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-08-08 04:33:24 +00:00
Rodrigo Campos 89c46a9496 Merge pull request #4840 from marquiz/devel/rdt-mkdir-rmdir
libcontainer/intelrdt: use Mkdir/Remove instead of MkdirAll/RemoveAll
2025-08-07 09:49:54 -03:00
Markus Lehtonen 620956c21c libcontainer/intelrdt: use Mkdir/Remove instead of MkdirAll/RemoveAll
The more restricted Mkdir and Rmdir are sufficient in resctrl fs.

Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
2025-08-06 10:43:01 +03:00
Kir Kolyshkin 851e100ad5 Merge pull request #4839 from opencontainers/dependabot/go_modules/github.com/seccomp/libseccomp-golang-0.11.1
build(deps): bump github.com/seccomp/libseccomp-golang from 0.11.0 to 0.11.1
2025-08-05 21:52:28 -07:00
dependabot[bot] f6a52d7f5f build(deps): bump github.com/seccomp/libseccomp-golang
Bumps [github.com/seccomp/libseccomp-golang](https://github.com/seccomp/libseccomp-golang) from 0.11.0 to 0.11.1.
- [Release notes](https://github.com/seccomp/libseccomp-golang/releases)
- [Changelog](https://github.com/seccomp/libseccomp-golang/blob/main/CHANGELOG)
- [Commits](https://github.com/seccomp/libseccomp-golang/compare/v0.11.0...v0.11.1)

---
updated-dependencies:
- dependency-name: github.com/seccomp/libseccomp-golang
  dependency-version: 0.11.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-08-06 03:34:49 +00:00
Rodrigo Campos 9f84df7d03 Merge pull request #4829 from marquiz/devel/rdt-validate
libcontainer/configs/validate: check that intelrdt is enabled
2025-08-05 16:12:51 -03:00
Kir Kolyshkin 67112aaf0d Merge pull request #4825 from cyphar/test-bfq-policy
tests: bfq: skip tests on misbehaving udev systems
2025-08-05 06:17:28 -07:00
Aleksa Sarai 32593a445d merge #4837 into opencontainers/runc:main
Kir Kolyshkin (1):
  script/lib.sh: remove obsoleted comment

LGTMs: AkihiroSuda cyphar
2025-08-05 16:42:20 +10:00
Akihiro Suda 9902a3dad1 Merge pull request #4827 from marquiz/devel/runc-update-rdt-empty-conf
runc update: refuse to create new rdt group
2025-08-05 14:35:04 +09:00
Kir Kolyshkin 3b533b23a6 script/lib.sh: remove obsoleted comment
Since commit 871057d8 we no longer have cc_platform.mk.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-08-04 16:46:57 -07:00
Markus Lehtonen 3a962655f8 libcontainer/intelrdt: use SecureJoin in NewManager
Protects against invalid (non-validated) CLOS names.

Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
2025-08-04 09:42:37 +03:00
Aleksa Sarai e6b4b5a128 tests: bfq: skip tests on misbehaving udev systems
openSUSE has an unfortunate default udev setup which forcefully sets all
loop devices to use the "none" scheduler, even if you manually set it.
As this is a property of the host configuration (and udev is monitoring
from the host) we cannot really change this behaviour from inside our
test container.

So we should just skip the test in this (hopefully unusual) case.
Ideally tools running the test suite should disable this behaviour when
running our test suite.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-08-02 20:01:24 +10:00
Aleksa Sarai ceef984fb3 tests: clean up loopback devices properly
If an error occurs during a test which sets up loopback devices, the
loopback device is not freed. Since most systems have very conservative
limits on the number of loopback devices, re-running a failing test
locally to debug it often ends up erroring out due to loopback device
exhaustion.

So let's just move the "losetup -d" to teardown, where it belongs.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-08-02 20:01:24 +10:00
Markus Lehtonen f73e28371f libcontainer/intelrdt: refactor path handling
Also, use GetPath() in Apply to get the resctrl group path, similar to
other methods of intelRdtManager.

Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
2025-08-01 15:04:50 +03:00
Markus Lehtonen 85801e845e runc update: refuse to create new rdt group
Error out --l3-cache-schema and --mem-bw-schema if the original
spec didn't specify intelRdt which also means that no CLOS (resctrl
group) was created for the container.

This prevents serious issues in this corner case.

First, a CLOS was created but the schemata of the CLOS was not
correctly updated. Confusingly, calling runc update twice
did the job: the first call created the resctrl group and the seccond
call was able to update the schemata. This issue would be relatively
easily fixable, though.

Second, more severe issue is that creating new CLOSes this way caused
them to be orphaned, not being removed when the container exists. This
is caused by runc not capturing the updated state (original spec was
intelRdt=nil -> no CLOS but after update this is not the case).

The most severe problem is that the update only move (or tried to move)
the original init process pid but all children escaped the update. Doing
this (i.e. migrating all processes of a container from CLOS to another
CLOS) reliably, race-free, would probably require freezing the
container.

Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
2025-08-01 14:36:51 +03:00
lfbzhm e20b2c7126 Merge pull request #4828 from marquiz/devel/runc-update-rdt-single-schema
runc update: don't lose intelRdt state
2025-08-01 18:43:22 +08:00
Markus Lehtonen e846add595 libcontainer/configs/validate: check that intelrdt is enabled
If intelRdt is specified in the spec, check that the resctrl fs is
actually mounted. Fixes e.g. the case where "intelRdt.closID" is
specified but runc silently ignores this if resctrl is not mounted.

Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
2025-08-01 10:03:54 +03:00
Markus Lehtonen 57b6a317bb runc update: don't lose intelRdt state
Prevent --l3-cache-schema from clearing the intel_rdt.memBwSchema state
and --mem-bw-schema clearing l3_cache_schema, respectively.

Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
2025-07-31 17:31:52 +03:00
Kir Kolyshkin 5d04e7f60c Merge pull request #4823 from kolyshkin/unix-conn
Simplify getting net.UnixConn
2025-07-29 14:29:50 -07:00
Kir Kolyshkin 314dd812f5 tests/cmd: simplify getting net.UnixConn
The typecast can't fail, so it doesn't make sense checking for errors
here.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-07-29 14:07:29 -07:00
Kir Kolyshkin 87b8f974c8 setupIO: close conn on error
While it does not make much sense practically, as runc is going to exit
soon and all fds will be closed anyway, various linters (including
SVACE) keep reporting this.

Let's make them happy.

Reported-by: Tigran Sogomonian <tsogomonian@astralinux.ru>
Reported-by: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-07-29 14:05:40 -07:00
Kir Kolyshkin 7d2161f807 setupIO: simplify getting net.UnixConn
The typecast can't fail, so it doesn't make sense checking for errors
here.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-07-28 16:56:53 -07:00
Aleksa Sarai b64bb16b10 merge #4818 into opencontainers/runc:main
Kir Kolyshkin (1):
  ci: speed up criu-dev install

LGTMs: lifubang cyphar
2025-07-29 01:09:24 +10:00
Kir Kolyshkin 1a26cf3a23 ci: speed up criu-dev install
Employ shallow git clone and parallel build, speeding up build.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-07-25 20:45:15 -07:00
lfbzhm b33b5276c7 Merge pull request #4813 from kolyshkin/golangci-lint-22
ci: bump golangci-lint to v2.3.x
2025-07-25 12:58:18 +08:00
Kir Kolyshkin 1c2810be9e ci: bump golangci-lint to v2.3.x
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-07-25 12:37:46 +08:00
Kir Kolyshkin 79a311f73d Merge pull request #4802 from kolyshkin/ci-events
tests/int/events.bats: don't require root
2025-07-24 16:19:27 -07:00
Kir Kolyshkin 66a533eb3e tests/int/events.bats: don't require root
These tests should work as rootless as long as cgroup access works.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-07-22 16:38:07 -07:00
Aleksa Sarai 6bae6cad47 merge #4817 into opencontainers/runc:main
Aleksa Sarai (1):
  rootfs: remove /proc/net/dev from allowed overmount list

LGTMs: AkihiroSuda lifubang
2025-07-21 23:46:31 +10:00
Aleksa Sarai 3620185d06 rootfs: remove /proc/net/dev from allowed overmount list
This was added in 2ee9cbbd12 ("It's /proc/stat, not /proc/stats") with
no actual justification, and doesn't really make much sense on further
inspection:

 * /proc/net is a symlink to "self/net", which means that /proc/net/dev
   is a per-process file, and so overmounting it would only affect pid1.
   Any other program that cares about /proc/net/dev would see their own
   process's configuration, and unprivileged processes wouldn't be able
   to see /proc/1/... data anyway.

   In addition, the fact that this is a symlink means that runc will
   deny the overmount because /proc/1/net/dev is not in the proc
   overmount allowlist. This means that this has not worked for many
   years, and probably never worked in the first place.

 * /proc/self/net is already namespaced with network namespaces, so the
   primary argument for allowing /proc overmounts (lxcfs-like masking of
   procfs files to emulate namespacing for files that are not properly
   namespaced for containers -- such as /proc/cpuinfo) is moot.

   It goes without saying that lxcfs has never overmounted
   /proc/self/net/... files, so the general "because lxcfs"
   justification doesn't hold water either.

 * The kernel has slowly been moving towards blocking overmounts in
   /proc/self/. Linux 6.12 blocked overmounts for fd, fdinfo, and
   map_files; future Linux versions will probably end up blocking
   everything under /proc/self/.

Fixes: 2ee9cbbd12 ("It's /proc/stat, not /proc/stats")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-07-20 15:40:37 +10:00
Rodrigo Campos 34c64e2a7f Merge pull request #4803 from opencontainers/dependabot/go_modules/golang.org/x/net-0.42.0
build(deps): bump golang.org/x/net from 0.41.0 to 0.42.0
2025-07-17 00:05:35 -03:00
Kir Kolyshkin cac7cf6cbb Merge pull request #4807 from kolyshkin/debug-ci-failure
tests/int/update: fix getting block major
2025-07-16 10:52:45 -07:00
Kir Kolyshkin 46dac589c1 tests/int/update: fix getting block major
Apparently, having a minor of 0 does not always mean it's the
whole device (not a partition):

	 === /proc/partitions (using major: 259) ===
	 major minor  #blocks  name

	    8       16   78643200 sdb
	    8       17   77593583 sdb1
	    8       30       4096 sdb14
	    8       31     108544 sdb15
	  259        0     934912 sdb16
	    8        0   78643200 sda
	    8        1   78641152 sda1

Rewrite the test to not assume minor is 0, and use
lsblk -d to find out whole devices.

This fixes a test case which was added in commit 7696402da.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-07-16 10:31:28 -07:00
dependabot[bot] 6a0644df63 build(deps): bump golang.org/x/net from 0.41.0 to 0.42.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.41.0 to 0.42.0.
- [Commits](https://github.com/golang/net/compare/v0.41.0...v0.42.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.42.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-16 10:31:31 +00:00
Rodrigo Campos 8a1335c713 Merge pull request #4766 from jokemanfire/loog
Add audit support for loong64
2025-07-16 06:45:29 -03:00