Commit Graph

7160 Commits

Author SHA1 Message Date
Rodrigo Campos e89a29929c VERSION: Release 1.2.6
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
v1.2.6
2025-03-14 11:54:49 +01:00
Akihiro Suda b5ec91d1f8 Merge pull request #4678 from kolyshkin/1.2-4671
[1.2] .cirrus.yml: install less dependencies
2025-03-14 09:08:44 +09:00
Kir Kolyshkin b582187ce9 .cirrus.yml: install less dependencies
In a nutshell:
 - use git-core instead of git;
 - do not install weak deps;
 - do not install docs.

This results in less packages to install:
 - 25 instead of 72 for almalinux-8
 - 24 instead of 90 for almalinux-9

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 1d9bea5378)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-13 11:19:27 -07:00
lfbzhm 9d0c86a72d Merge pull request #4668 from AkihiroSuda/cherrypick-4664-1.2
[1.2] CI: migrate Vagrant + Cirrus to Lima + GHA
2025-03-10 19:28:07 +08:00
Akihiro Suda 96f68384bb CI: migrate Vagrant + Cirrus to Lima + GHA
- Unlike proprietary Vagrant, Lima remains to be an open source project
- GHA now natively supports nested virt on Linux runners

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 135552e5e4)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2025-03-09 02:49:55 +09:00
Aleksa Sarai 4dbf9ac5ae merge #4647 into opencontainers/runc:release-1.2
Evan Phoenix (1):
  libcontainer: Prevent startup hang when CloseExecFrom errors

LGTMs: lifubang cyphar
2025-02-27 16:06:02 +11:00
Aleksa Sarai 35d1d6e7a0 merge #4649 into opencontainers/runc:release-1.2
lifubang (2):
  libct: don't send config to nsexec when joining an existing timens
  test: exec into a container with private time ns

LGTMs: cyphar lifubang
2025-02-27 16:05:17 +11:00
Aleksa Sarai 58c8c815b0 merge #4650 into opencontainers/runc:release-1.2
Evan Phoenix (1):
  Retry direct unix package calls if observing EINTR

LGTMs: cyphar lifubang
2025-02-27 16:04:42 +11:00
lfbzhm 13d44fb2aa Merge pull request #4651 from kolyshkin/1.2-4641
[1.2] exeseal: do not use F_SEAL_FUTURE_WRITE
2025-02-27 12:45:13 +08:00
Evan Phoenix e64390545e libcontainer: Prevent startup hang when CloseExecFrom errors
The previous logic caused runc to hang if CloseExecFrom returned an
error, as the defer waiting on logsDone never finished as the parent
process was never started (and it controls the closing of logsDone via
it's logsPipe).

This moves the defer to after we have started the parent, with means all
the logic related to managing the logsPipe should also be running.

Signed-off-by: Evan Phoenix <evan@phx.io>
(cherry picked from commit 7b26da9ee3)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-27 11:25:10 +08:00
lfbzhm baefcaedc7 Merge pull request #4646 from kolyshkin/1.2-4576
[1.2] libct/system: rm Fexecve
2025-02-27 11:24:28 +08:00
lfbzhm 57e4f53292 Merge pull request #4648 from kolyshkin/1.2-4634
[1.2] Add Go 1.24, drop ubuntu 20.04
2025-02-27 11:23:29 +08:00
Tomasz Duda e11430aa50 exeseal: do not use F_SEAL_FUTURE_WRITE
Prior to kernel Linux 5.5, F_SEAL_FUTURE_WRITE has a bug which maps
memory as shared between processes even if it is set as private. See
kernel commit 05d351102dbe ("mm, memfd: fix COW issue on MAP_PRIVATE and
F_SEAL_FUTURE_WRITE mappings") for more details.

According to the fcntl(2) man pages, F_SEAL_WRITE is enough:

> Furthermore, trying to create new shared, writable memory-mappings via
> mmap(2) will also fail with EPERM.
>
> Using the F_ADD_SEALS operation to set the F_SEAL_WRITE seal fails
> with EBUSY if any writable, shared mapping exists. Such mappings must
> be unmapped before you can add this seal.

F_SEAL_FUTURE_WRITE only makes sense if a read-write shared mapping in
one process should be read-only in another process. This is not case for
runc, especially not for the /proc/self/exe we are protecting.

Signed-off-by: Tomasz Duda <tomaszduda23@gmail.com>
(cyphar: improve the comment regarding F_SEAL_FUTURE_WRITE)
(cyphar: improve commit message)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit c43ea7d629)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-26 13:29:36 -08:00
Evan Phoenix 68a76952a0 Retry direct unix package calls if observing EINTR
Retry Recvfrom, Sendmsg, Readmsg, and Read as they can return EINTR.

Signed-off-by: Evan Phoenix <evan@phx.io>
(cherry picked from commit 28475f12e3)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-26 13:26:52 -08:00
lifubang c5312bc308 libct: don't send config to nsexec when joining an existing timens
We should configure the process's timens offset only when we need to
create new time namespace, we shouldn't do it if we are joining an
existing time namespace. (#4635)

Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit ad09197e41)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-26 13:23:36 -08:00
lfbzhm f4af9ad5fc test: exec into a container with private time ns
Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit 74619689ae)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-26 13:23:36 -08:00
Kir Kolyshkin 14f6169b2c [1.2] CI: gha: rm ubuntu-20.04
There is an announce that Ubuntu 20.04 will be removed in April,
and in March there will be a few "brown-out" dates/times when
it won't work.

This leaves us with no other options than to remove ubuntu-20.04
from the testing matrix.

As a result, cgroup v1 testing will only be done on AlmaLinux 8
running on CirrusCI. It is probably going to be sufficient for
the time being (until we deprecate cgroup v1).

If not, our options are
 - run Ubuntu 20.04 (or other cgroup v1 distro) in a VM on GHA;
 - switch to cirrus-ci.

[1]: https://github.com/actions/runner-images/issues/11101

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 4244978687)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-26 13:19:45 -08:00
Kir Kolyshkin ba5a519d76 [1.2] Add Go 1.24, switch to Go 1.23 for build
Since Go 1.22 is no longer supported, let's switch to Go 1.23 for
official builds, cirrus, and GHA validate jobs.

Add Go 1.24 to testing matrix, and keep Go 1.22.

Bump golangci-lint to a version which supports Go 1.24.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-26 13:19:27 -08:00
Kir Kolyshkin f5f6e758f8 libct/system: rm Fexecve
This helper was added for runc-dmz in commit dac417174, but runc-dmz was
later removed in commit 871057d, which forgot to remove the helper.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 83350c24a9)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-26 11:46:10 -08:00
Aleksa Sarai 300d35b12b merge #4626 into opencontainers/runc:release-1.2
Aleksa Sarai (1):
  release: explicitly set --keyserver in release signing scripts

Kir Kolyshkin (2):
  VERSION: back to development
  VERSION: release v1.2.5

LGTMs: AkihiroSuda cyphar rata
2025-02-14 12:12:43 +11:00
Kir Kolyshkin ca26a9c13e VERSION: back to development
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-13 14:58:58 -08:00
Kir Kolyshkin 59923ef18c VERSION: release v1.2.5
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
v1.2.5
2025-02-13 14:58:49 -08:00
Aleksa Sarai 165b1035de release: explicitly set --keyserver in release signing scripts
On my machine, the --recv-keys steps to get upstream keys started
producing errors recently, and even setting a default keyserver in the
global gpg configuration doesn't seem to help:

  + gpg --homedir=/tmp/runc-sign-tmpkeyring.qm0IP6
        --no-default-keyring --keyring=seccomp.keyring
        --recv-keys 0x47A68FCE37C7D7024FD65E11356CE62C2B524099
  gpg: keybox '/tmp/runc-sign-tmpkeyring.qm0IP6/seccomp.keyring' created
  gpg: keyserver receive failed: No keyserver available

So just explicitly specify a reputable keyserver. Ideally we would use
an .onion-address keyserver to avoid potential targeted attacks but not
everybody runs a Tor proxy on their machine.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 26cfe14231)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-13 14:58:28 -08:00
Kir Kolyshkin 66c6d08ba9 Merge pull request #4632 from lifubang/1.2-bump-xnet-to-0.33.0
[1.2] build(deps): bump golang.org/x/net from 0.24.0 to 0.33.0
2025-02-13 14:38:37 -08:00
lifubang 615240a870 build(deps): bump golang.org/x/net from 0.24.0 to 0.33.0
There is a security patch for CVE-2024-45338 in this version.
Ref: https://github.com/advisories/GHSA-w32m-9786-jp63

Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-02-13 04:27:31 +00:00
Akihiro Suda d0ed7f7ae6 Merge pull request #4619 from kolyshkin/1.2-4616
[1.2] libc/int/userns: add build tag to C file
2025-02-07 13:34:05 +09:00
Akihiro Suda 6635338757 Merge pull request #4615 from kolyshkin/1.2-4612
[1.2] libct/cg/sd: set the DeviceAllow property before DevicePolicy
2025-02-07 13:33:48 +09:00
Brad Davidson 04468c038d libc/int/userns: add build tag to C file
This fixes k3s cross-compilation on Windows, broken by commit
1912d5988b ("*: actually support joining a userns with a new
container").

[@kolyshkin: commit message]

Fixes: 1912d5988b
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit ccb589bd7d)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-06 19:10:39 -08:00
Kir Kolyshkin 9742b6cf10 libct/cg/sd: set the DeviceAllow property before DevicePolicy
Every unit created by runc need daemon reload since systemd v230.
This breaks support for NVIDIA GPUs, see
https://github.com/opencontainers/runc/issues/3708#issuecomment-2216967210

A workaround is to set DeviceAllow before DevicePolicy.

Also:
 - add a test case (which fails before the fix) by @kolyshkin
 - better explain why we need empty DeviceAllow (by @cyphar)

Fixes 4568.

Reported-by: Jian Wen <wenjianhn@gmail.com>
Co-authored-by: Jian Wen <wenjianhn@gmail.com>
Co-authored-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit d84388ae10)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-05 12:18:12 -08:00
Rodrigo Campos de92f4b40d Merge pull request #4608 from kolyshkin/1.2-4590
[1.2] deps: update to github.com/cyphar/filepath-securejoin@v0.4.1
2025-02-05 09:01:31 -03:00
Aleksa Sarai 00f4a5cc4f deps: update to github.com/cyphar/filepath-securejoin@v0.4.1
This release includes a minor breaking API change that requires us to
rework the types of our wrappers, but there is no practical behaviour
change.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 70e500e7d1)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-05 22:05:15 +11:00
Aleksa Sarai 456d770f22 merge #4611 into opencontainers/runc:release-1.2
Kir Kolyshkin (1):
  CI: fix criu-dev compile

LGTMs: rata cyphar
2025-02-05 22:04:29 +11:00
Kir Kolyshkin bb445c1933 CI: fix criu-dev compile
As of [1], criu requires uuid library.

[1]: https://github.com/checkpoint-restore/criu/pull/2550/commits/9a2b7d6b3baa2b3183489ed9cebece039f9f488f

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit f414b5349a)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-04 16:25:19 -08:00
Aleksa Sarai 2a424616f0 merge #4581 into opencontainers/runc:release-1.2
Aleksa Sarai (2):
  VERSION: back to development
  VERSION: release v1.2.4

LGTMs: lifubang kolyshkin
2025-01-07 17:29:02 +11:00
Aleksa Sarai 48ea727898 VERSION: back to development
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-01-07 10:20:22 +11:00
Aleksa Sarai 6c52b3fc54 VERSION: release v1.2.4
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
v1.2.4
2025-01-07 10:20:22 +11:00
Kir Kolyshkin 5243eba185 Merge pull request #4556 from cyphar/1.2-readd-tuntap
[1.2] Re-add tun/tap to default device rules
2024-12-16 21:51:09 -08:00
Kir Kolyshkin 33ed43bdfa [1.2] Re-add tun/tap to default device rules
Since v1.2.0 was released, a number of users complained that the removal
of tun/tap device access from the default device ruleset is causing a
regression in their workloads.

Additionally, it seems that some upper-level orchestration tools
(Docker Swarm, Kubernetes) makes it either impossible or cumbersome
to supply additional device rules.

While it's probably not quite right to have /dev/net/tun in a default
device list, it was there from the very beginning, and users rely on it.
Let's keep it there for the sake of backward compatibility.

This reverts commit 2ce40b6ad7.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(Cherry-pick of commit 394f4c3b7012674ebe0232c560713e57cbd653e6.)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-12-17 14:14:11 +11:00
Akihiro Suda 2dec17d9a5 Merge pull request #4554 from kolyshkin/1.2-4553
[1.2] keyring: update @kolyshkin key expiry
2024-12-16 16:36:18 +09:00
Kir Kolyshkin e9c9dad4de keyring: update @kolyshkin key expiry
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit b15fcc1be6)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-15 17:26:37 -08:00
Aleksa Sarai d4534b2d9e merge #4552 into opencontainers/runc:release-1.2
lifubang (2):
  VERSION: back to development
  VERSION: release v1.2.3

LGTMs: cyphar thaJeztah kolyshkin
2024-12-11 12:25:54 +11:00
lifubang b01ffa03c0 VERSION: back to development
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-12-10 18:14:40 +08:00
lifubang 0d37cfd4b5 VERSION: release v1.2.3
Signed-off-by: lifubang <lifubang@acmcoder.com>
v1.2.3
2024-12-10 18:14:40 +08:00
lfbzhm a640df5739 Merge pull request #4550 from cyphar/1.2-racing-mkdirall
[1.2] deps: update to github.com/cyphar/filepath-securejoin@v0.3.5
2024-12-08 09:31:45 +08:00
lfbzhm fceb5ef8f2 Merge pull request #4551 from cyphar/1.2-ebf-enotsup
[1.2] cgroups: ebpf: use link.Anchor to check for BPF_F_REPLACE support
2024-12-08 00:01:54 +08:00
Aleksa Sarai 7242ffa4bf [1.2] cgroup: ebpf: make unexpected errors in haveBpfProgReplace louder
(This is a cherry-pick of c0044c7aa403ecf2d9172bd9386d05433b011076.)

If we get an unexpected error here, it is probably because of a library
or kernel change that could cause our detection logic to be invalid. As
a result, these warnings should be louder so users have a chance to tell
us about them sooner (or so we might notice them before doing a release,
as happened with the 1.2.0 regression).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-12-08 00:21:59 +11:00
Aleksa Sarai e26e0fde01 [1.2] cgroups: ebpf: also check for ebpf.ErrNotSupported
(This is a cherry-pick of dea0e04dd93d3922083e68667d20aac532d31129.)

It is possible for LinkAttachProgram to return ErrNotSupported if
program attachment is not supported at all (which doesn't matter in this
case), but it seems possible that upstream will start returning
ErrNotSupported for BPF_F_REPLACE at some point so it's best to make
sure we don't cause additional regressions here.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-12-08 00:21:49 +11:00
Aleksa Sarai e623414959 [1.2] cgroups: ebpf: use link.Anchor to check for BPF_F_REPLACE support
(This is a cherry-pick of dea0e04dd93d3922083e68667d20aac532d31129.)

In v0.13.0, cilium/ebpf stopped supporting setting BPF_F_REPLACE as an
explicit flag and instead requires us to use link.Anchor to specify
where the program should be attached.

Commit 216175a9ca ("Upgrade Cilium's eBPF library version to 0.16")
did update this correctly for the actual attaching logic, but when
checking for kernel support we still passed BPF_F_REPLACE. This would
result in a generic error being returned, which our feature-support
checking logic would treat as being an error the indicates that
BPF_F_REPLACE *is* supported, resulting in a regression on pre-5.6
kernels.

It turns out that our debug logging saying that this unexpected error
was happening was being output as a result of this change, but nobody
noticed...

Fixes: 216175a9ca ("Upgrade Cilium's eBPF library version to 0.16")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-12-08 00:21:22 +11:00
Aleksa Sarai 6b904f3e7e [1.2] deps: update to github.com/cyphar/filepath-securejoin@v0.3.5
(This is a cherry-pick of 2f1b6626f38c63ee37930267caa3a9bf57a2ea79.)

This fixes a regression in use of securejoin.MkdirAll, where multiple
runc processes racing to create the same mountpoint in a shared rootfs
would result in spurious EEXIST errors. In particular, this regression
caused issues with BuildKit.

Fixes: dd827f7b71 ("utils: switch to securejoin.MkdirAllHandle")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-12-07 22:44:45 +11:00
Aleksa Sarai 21cabde608 [1.2] deps: update to golang.org/x/sys@v0.28.0
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-12-07 22:44:09 +11:00