Commit Graph

7891 Commits

Author SHA1 Message Date
Kir Kolyshkin fd185882e5 Merge pull request #5009 from kolyshkin/defer-close-init
Close fds on error
2025-12-02 17:35:12 -08:00
Kir Kolyshkin 93792e6c13 notify_socket: close fds on error
Reported in issue 5008.

Reported-by: Arina Cherednik <arinacherednik034@gmail.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-02 15:15:23 -08:00
Kir Kolyshkin 8a9b4dcda6 libct: mountFd: close mountFile on error
Reported in issue 5008.

Reported-by: Arina Cherednik <arinacherednik034@gmail.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-02 15:15:23 -08:00
Kir Kolyshkin c24965b742 libct: newProcessComm: close fds on error
Reported in issue 5008.

Reported-by: Arina Cherednik <arinacherednik034@gmail.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-02 15:15:23 -08:00
Kir Kolyshkin 88f897160c libct: startInitialization: add defer close
This function calls Init what normally never returns, so the defer only
works if there is an error and we can safely use it to close those fds
we opened. This was done for most but not all fds.

Reported in issue 5008.

Reported-by: Arina Cherednik <arinacherednik034@gmail.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-02 15:15:23 -08:00
Kir Kolyshkin 1f1ff4be06 Merge pull request #5051 from cyphar/libct-utils-deprecated
libct/utils: remove Deprecated functions
2025-12-02 15:06:01 -08:00
Aleksa Sarai 7c8fccd646 release: use runc-$version.tar.xz as archive name
Because we add the runc-$version/ prefix to the archive we generate,
including the version in the name makes it easier for some tools to
operate on as it matches most other projects (for openSUSE we rename the
archive file to this format in order for the automated RPM scripts to
work properly).

Also, when doing several releases at the same time, being able to
double-check that the correct artefact versions were uploaded for each
release can be quite handy.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-30 15:10:36 +11:00
Rodrigo Campos 20a9532fd0 Merge pull request #5049 from cyphar/changelog-update
CHANGELOG: forward-port changelog entries
2025-11-28 08:34:57 -03:00
Akihiro Suda 64c3c8eea6 Merge pull request #4994 from kolyshkin/gofumpt-extra
Enable gofumpt extra rules
2025-11-28 09:30:57 +09:00
Aleksa Sarai a412bd93e9 libct/utils: remove Deprecated functions
These were all marked for deprecation in runc 1.5.0, so remove them now
to make sure we don't forget.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-28 11:11:11 +11:00
Aleksa Sarai bf258ce163 RELEASES: remove <= 1.1.x special casing
Now that runc 1.4.0 has been released, there is no need to single out
1.1.x and earlier as no longer being supported, as latest-2 is now 1.2.x
and thus 1.1.x would no longer be supported even with the new support
model.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-28 11:07:47 +11:00
Aleksa Sarai 0c150f4c3a RELEASES: remove 'draft' section of policy
We have used this release policy for a year and it seems to work well
for everyone and we haven't received much feedback, so it seems
reasonable to say that we are committed to this policy now.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-28 11:06:41 +11:00
Aleksa Sarai 48de3431a1 CHANGELOG: forward-port changelog entries
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-28 11:04:33 +11:00
lfbzhm 52c3a0e794 Merge pull request #4985 from cyphar/hallucinated-paths
pathrs: add "hallucination" helpers for SecureJoin magic
2025-11-26 22:12:59 +08:00
lifubang 15d7c214cd integration: add some tests for bind mount through dangling symlinks
We intentionally broke this in commit d40b3439a9 ("rootfs: switch to
fd-based handling of mountpoint targets") under the assumption that most
users do not need this feature. Sadly it turns out they do, and so
commit 3f925525b4 ("rootfs: re-allow dangling symlinks in mount
targets") added a hotfix to re-add this functionality.

This patch adds some much-needed tests for this behaviour, since it
seems we are going to need to keep this for compatibility reasons (at
least until runc v2...).

Co-developed-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-26 21:04:05 +11:00
Aleksa Sarai 195e9551e4 pathrs: add MkdirAllParentInRoot helper
While CreateInRoot supports hallucinating the target path, we do not use
it directly when constructing device inode targets because we need to
have different handling for mknod and bind-mounts.

The solution is to simply have a more generic MkdirAllParentInRoot
helper that MkdirAll's the parent directory of the target path and then
allows the caller to create the trailing component however they like.
(This can be used by CreateInRoot internally as well!)

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-26 21:04:05 +11:00
Aleksa Sarai cfb74326be pathrs: add "hallucination" helpers for SecureJoin magic
In order to maintain compatibility with previous releases of runc (which
permitted dangling symlinks as path components by permitting
non-existent path components to be treated like real directories) we
have to first do SecureJoin to construct a target path that is
compatible with the old behaviour but has all dangling symlinks (or
other invalid paths like ".." components after non-existent directories)
removed.

This is effectively a more generic verison of commit 3f925525b4
("rootfs: re-allow dangling symlinks in mount targets") and will let us
remove the need for open-coding SecureJoin workarounds.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-26 21:04:05 +11:00
Aleksa Sarai 20c5a8ec4a pathrs: rename MkdirAllInRootOpen -> MkdirAllInRoot
Now that MkdirAllInRoot has been removed, we can make MkdirAllInRootOpen
less wordy by renaming it to MkdirAllInRoot. This is a non-functional
change.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-26 21:04:04 +11:00
Aleksa Sarai 9dbd37e06f libct: switch final WithProcfd users to WithProcfdFile
This probably should've been done as part of commit d40b3439a9
("rootfs: switch to fd-based handling of mountpoint targets") but it
seems I missed them when doing the rest of the conversions.

This also lets us remove utils.WithProcfd entirely, as well as
pathrs.MkdirAllInRoot. Unfortunately, WithProcfd was exposed in the
externally-importable "libcontainer/utils" package and so we need to
have a deprecation notice to remove it in runc 1.5.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-26 21:03:30 +11:00
Aleksa Sarai 42a1e19d67 libcontainer: move CleanPath and StripRoot to internal/pathrs
These helpers will be needed for the compatibility code added in future
patches in this series, but because "internal/pathrs" is imported by
"libcontainer/utils" we need to move them so that we can avoid circular
dependencies.

Because the old functions were in a non-internal package it is possible
some downstreams use them, so add some wrappers but mark them as
deprecated.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-26 21:03:29 +11:00
Akihiro Suda 475473d869 Merge pull request #5026 from lifubang/ci-detect-fdleak-try-best
fix fd leaks and detect them as comprehensively as possible
2025-11-26 08:33:53 +09:00
lfbzhm a7a402a7ea Merge pull request #4928 from kolyshkin/better-init-errors
Better errors from `runc init`
2025-11-22 15:02:52 +08:00
Kir Kolyshkin f944ccecb2 runc create/run/exec: show fatal errors from init
In case early stage of runc init (nsenter) fails for some reason, it
logs error(s) with FATAL log level, via bail().

The runc init log is read by a parent (runc create/run/exec) and is
logged via normal logrus mechanism, which is all fine and dandy, except
when `runc init` fails, we return the error from the parent (which is
usually not too helpful, for example):

	runc run failed: unable to start container process: can't get final child's PID from pipe: EOF

Now, the actual underlying error is from runc init and it was logged
earlier; here's how full runc output looks like:

	FATA[0000] nsexec-1[3247792]: failed to unshare remaining namespaces: No space left on device
	FATA[0000] nsexec-0[3247790]: failed to sync with stage-1: next state
	ERRO[0000] runc run failed: unable to start container process: can't get final child's PID from pipe: EOF

The problem is, upper level runtimes tend to ignore everything except
the last line from runc, and thus error reported by e.g. docker is not
very helpful.

This patch tries to improve the situation by collecting FATAL errors
from runc init and appending those to the error returned (instead of
logging). With it, the above error will look like this:

	ERRO[0000] runc run failed: unable to start container process: can't get final child's PID from pipe: EOF; runc init error(s): nsexec-1[141549]: failed to unshare remaining namespaces: No space left on device; nsexec-0[141547]: failed to sync with stage-1: next state

Yes, it is long and ugly, but at least the upper level runtime will
report it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-22 12:11:20 +07:00
Aleksa Sarai 21ad0e4399 Merge pull request #5037 from opencontainers/dependabot/github_actions/actions/checkout-6
build(deps): bump actions/checkout from 5 to 6
2025-11-21 17:22:16 +11:00
dependabot[bot] 257fb71e45 build(deps): bump actions/checkout from 5 to 6
Bumps [actions/checkout](https://github.com/actions/checkout) from 5 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v5...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-11-21 04:02:45 +00:00
lifubang d8706501cf integration: verify syscall compatibility after seccomp enforcement
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-11-20 19:43:22 +08:00
lifubang 75188fab73 bump github.com/cyphar/filepath-securejoin from 0.6.0 to 0.6.1
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-11-20 19:43:22 +08:00
lifubang 6ac151d69b libct: add a defer fd close in createDeviceNode
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-11-20 19:43:22 +08:00
lifubang 69785c117c libct: always close m.dstFile in mountToRootfs
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-11-20 19:43:22 +08:00
lifubang b209358db3 ci: detect file descriptor leaks as comprehensively as possible
Co-authored-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-11-20 19:43:22 +08:00
lfbzhm 9504c6f2ad Merge pull request #5014 from kolyshkin/fd-leaks-flake
libct/int: TestFdLeaks: deflake
2025-11-20 17:53:40 +08:00
Kir Kolyshkin 5fbc3bb019 libct/int: TestFdLeaks: deflake
Since the recent CVE fixes, TestFdLeaksSystemd sometimes fails:

	=== RUN   TestFdLeaksSystemd
	    exec_test.go:1750: extra fd 9 -> /12224/task/13831/fd
	    exec_test.go:1753: found 1 extra fds after container.Run
	--- FAIL: TestFdLeaksSystemd (0.10s)

It might have been caused by the change to the test code in commit
ff6fe13 ("utils: use safe procfs for /proc/self/fd loop code") -- we are
now opening a file descriptor during the logic to get a list of file
descriptors. If the file descriptor happens to be allocated to a
different number, you'll get an error.

Let's try to filter out the fd used to read a directory.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-20 15:36:14 +08:00
lfbzhm f2aa133feb Merge pull request #5001 from opencontainers/dependabot/go_modules/golang.org/x/net-0.47.0
build(deps): bump golang.org/x/net from 0.46.0 to 0.47.0
2025-11-20 10:16:13 +08:00
dependabot[bot] da4ec2375c build(deps): bump golang.org/x/net from 0.46.0 to 0.47.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.46.0 to 0.47.0.
- [Commits](https://github.com/golang/net/compare/v0.46.0...v0.47.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.47.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-11-20 09:52:34 +08:00
lfbzhm db1b9368e1 Merge pull request #5018 from opencontainers/dependabot/go_modules/github.com/godbus/dbus/v5-5.2.0
build(deps): bump github.com/godbus/dbus/v5 from 5.1.0 to 5.2.0
2025-11-20 09:51:28 +08:00
Akihiro Suda 73f7c0a7c5 Merge pull request #5019 from opencontainers/dependabot/go_modules/github.com/opencontainers/selinux-1.13.1
build(deps): bump github.com/opencontainers/selinux from 1.13.0 to 1.13.1
2025-11-20 10:37:38 +09:00
dependabot[bot] 95baf621b4 build(deps): bump github.com/opencontainers/selinux
Bumps [github.com/opencontainers/selinux](https://github.com/opencontainers/selinux) from 1.13.0 to 1.13.1.
- [Release notes](https://github.com/opencontainers/selinux/releases)
- [Commits](https://github.com/opencontainers/selinux/compare/v1.13.0...v1.13.1)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/selinux
  dependency-version: 1.13.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-11-20 01:15:13 +00:00
dependabot[bot] 8f2a85dc94 build(deps): bump github.com/godbus/dbus/v5 from 5.1.0 to 5.2.0
Bumps [github.com/godbus/dbus/v5](https://github.com/godbus/dbus) from 5.1.0 to 5.2.0.
- [Release notes](https://github.com/godbus/dbus/releases)
- [Commits](https://github.com/godbus/dbus/compare/v5.1.0...v5.2.0)

---
updated-dependencies:
- dependency-name: github.com/godbus/dbus/v5
  dependency-version: 5.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-11-20 01:15:03 +00:00
Aleksa Sarai 117d334130 merge #5017 into opencontainers/runc:main
Li Fubang (1):
  ci: ensure the cgroup(v1) parent always exists for rootless

LGTMs: AkihiroSuda cyphar
2025-11-20 03:26:19 +11:00
lifubang bba7647d09 ci: ensure the cgroup(v1) parent always exists for rootless
On some systems (e.g., AlmaLinux 8), systemd automatically removes cgroup paths
when they become empty (i.e., contain no processes). To prevent this, we spawn
a dummy process to pin the cgroup in place.
Fix: https://github.com/opencontainers/runc/issues/5003

Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-11-18 13:58:46 +00:00
Kir Kolyshkin 59a5ff14a2 Merge pull request #4948 from AkihiroSuda/spec-1.3
docs/spec-conformance.md: update for spec v1.3.0
2025-11-12 15:14:49 -08:00
Aleksa Sarai 36667a33e2 merge #4997 into opencontainers/runc:main
Kir Kolyshkin (2):
  ci: add checking Go version from Dockerfile
  ci: faster git clone

LGTMs: cyphar thaJeztah
2025-11-12 20:23:30 +11:00
Aleksa Sarai 6a737ed1b7 merge #4956 into opencontainers/runc:main
Akihiro Suda (1):
  Deprecate cgroup v1

LGTMs: kolyshkin cyphar
2025-11-12 20:17:45 +11:00
Akihiro Suda 653161f6d8 docs/spec-conformance.md: update for spec v1.3.0
ref: opencontainers/runtime-spec PR 1302

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-12 20:15:54 +11:00
Kir Kolyshkin df4acc8867 ci: add checking Go version from Dockerfile
This is to ensure that Go version in Dockerfile (which is used to build
release binaries) is:
 - currently supported;
 - used in CI tests.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-11 20:20:21 -08:00
Kir Kolyshkin 3fe21c54e6 ci: faster git clone
For some reason, some jobs in .github/workflows/validate.yml
have "fetch-depth: 0" argument to actions/checkout, meaning
"all history for all branches and tags". Obviously this is
not needed here.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-11 20:20:21 -08:00
Akihiro Suda 996278a189 Merge pull request #4949 from cyphar/pids-limit-0
runtime-spec: update pids.limit handling to match new guidance
2025-11-11 03:47:18 -05:00
Aleksa Sarai 8ab2458bc4 update: switch to generics for mkPtr logic
This is much easier to read and removes the need for explicit per-type
helper functions.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-11 15:16:50 +11:00
Aleksa Sarai 72421e0e25 tests: add pids.limit tests
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-11 15:16:50 +11:00
Aleksa Sarai 3b75374cc7 runtime-spec: update pids.limit handling to match new guidance
The main update is actually in github.com/opencontainers/cgroups, but we
need to also update runtime-spec to a newer pre-release version to get
the updates from there as well.

In short, the behaviour change is now that "0" is treated as a valid
value to set in "pids.max", "-1" means "max" and unset/nil means "do
nothing". As described in the opencontainers/cgroups PR, this change is
actually backwards compatible because our internal state.json stores
PidsLimit, and that entry is marked as "omitempty". So, an old runc
would omit PidsLimit=0 in state.json, and this will be parsed by a new
runc as being "nil" -- and both would treat this case as "do not set
anything".

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-11 15:15:27 +11:00