Commit Graph

177 Commits

Author SHA1 Message Date
Sebastiaan van Stijn e8a97bae27 Merge pull request #4692 from kolyshkin/golangci-v2
ci: switch to golangci-lint v2
2025-03-31 16:31:28 +02:00
dependabot[bot] 5cfd1a62b3 build(deps): bump bats-core/bats-action from 3.0.0 to 3.0.1
Bumps [bats-core/bats-action](https://github.com/bats-core/bats-action) from 3.0.0 to 3.0.1.
- [Release notes](https://github.com/bats-core/bats-action/releases)
- [Commits](https://github.com/bats-core/bats-action/compare/3.0.0...3.0.1)

---
updated-dependencies:
- dependency-name: bats-core/bats-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-03-28 04:44:14 +00:00
Kir Kolyshkin 127e8e68d3 ci: bump to golangci-lint v2.0
The new configuration file was initially generated by golangci-lint
migrate, when tweaked to minimize and simplify.

golangci-lint v2 switches to a new version of staticcheck which shows
much more warnings. Some of them were fixed by a few previous commits,
and the rest of them are disabled.

In particular, ST1005 had to be disabled (an attempt to fix it was made
in https://github.com/opencontainers/runc/pull/3857 but it wasn't
merged).

Also, golangci-extra was modified to include ALL staticcheck linters.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-25 16:06:44 -07:00
Kir Kolyshkin d00c3be986 ci: bump codespell to v2.4.1, fix some typos
All but one were found by codespell.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-24 10:05:22 -07:00
Kir Kolyshkin b48dd65114 ci: bump shellcheck to v0.10.0
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-13 10:21:55 -07:00
Akihiro Suda 135552e5e4 CI: migrate Vagrant + Cirrus to Lima + GHA
- Unlike proprietary Vagrant, Lima remains to be an open source project
- GHA now natively supports nested virt on Linux runners

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2025-03-07 12:48:02 +09:00
Kir Kolyshkin 4244978687 CI: gha: rm ubuntu-20.04
There is an announce that Ubuntu 20.04 will be removed in April,
and in March there will be a few "brown-out" dates/times when
it won't work.

This leaves us with no other options than to remove ubuntu-20.04
from the testing matrix.

As a result, cgroup v1 testing will only be done on AlmaLinux 8
running on CirrusCI. It is probably going to be sufficient for
the time being (until we deprecate cgroup v1).

If not, our options are
 - run Ubuntu 20.04 (or other cgroup v1 distro) in a VM on GHA;
 - switch to cirrus-ci.

[1]: https://github.com/actions/runner-images/issues/11101

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-16 09:38:47 -08:00
Kir Kolyshkin 874207492e CI: add Go 1.24, drop go1.22
Also, bump golangci-lint to v1.64 (v1.64.2 added Go 1.24 support).

NOTE we still use Go 1.23.x for official builds.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-11 18:02:48 -08:00
Kir Kolyshkin f414b5349a CI: fix criu-dev compile
As of [1], criu requires uuid library.

[1]: https://github.com/checkpoint-restore/criu/pull/2550/commits/9a2b7d6b3baa2b3183489ed9cebece039f9f488f

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-01 13:27:41 -08:00
Kir Kolyshkin 9468986a49 ci: use a specific ubuntu version
GHA shows a warning telling that "ubuntu-latest" is going to be switched
to ubuntu-24.04 soon. Let's specify the version explicitly (and switch
to 24.04 for this job ahead of github).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-17 22:52:16 -08:00
Kir Kolyshkin e845f4be86 ci: bump golangci-lint to v1.62
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-17 22:50:44 -08:00
Kir Kolyshkin 47dc185880 Add runc_nocriu build tag
This allows to make a 17% smaller runc binary by not compiling in
checkpoint/restore support.

It turns out that google.golang.org/protobuf package, used by go-criu,
is quite big, and go linker can't drop unused stuff if reflection is
used anywhere in the code.

Currently there's no alternative to using protobuf in go-criu, and since
not all users use c/r, let's provide them an option for a smaller
binary.

For the reference, here's top10 biggest vendored packages, as reported
by gsa[1]:

$ gsa runc | grep vendor | head
│ 8.59%   │ google.golang.org/protobuf                  │ 1.3 MB │ vendor    │
│ 5.76%   │ github.com/opencontainers/runc              │ 865 kB │ vendor    │
│ 4.05%   │ github.com/cilium/ebpf                      │ 608 kB │ vendor    │
│ 2.86%   │ github.com/godbus/dbus/v5                   │ 429 kB │ vendor    │
│ 1.25%   │ github.com/urfave/cli                       │ 188 kB │ vendor    │
│ 0.90%   │ github.com/vishvananda/netlink              │ 135 kB │ vendor    │
│ 0.59%   │ github.com/sirupsen/logrus                  │ 89 kB  │ vendor    │
│ 0.56%   │ github.com/checkpoint-restore/go-criu/v6    │ 84 kB  │ vendor    │
│ 0.51%   │ golang.org/x/sys                            │ 76 kB  │ vendor    │
│ 0.47%   │ github.com/seccomp/libseccomp-golang        │ 71 kB  │ vendor    │

And here is a total binary size saving when `runc_nocriu` is used.

For non-stripped binaries:

$ gsa runc-cr runc-nocr | tail -3
│ -17.04% │ runc-cr                                  │ 15 MB    │ 12 MB    │ -2.6 MB │
│         │ runc-nocr                                │          │          │         │
└─────────┴──────────────────────────────────────────┴──────────┴──────────┴─────────┘

And for stripped binaries:

│ -17.01% │ runc-cr-stripped                         │ 11 MB    │ 8.8 MB   │ -1.8 MB │
│         │ runc-nocr-stripped                       │          │          │         │
└─────────┴──────────────────────────────────────────┴──────────┴──────────┴─────────┘

[1]: https://github.com/Zxilly/go-size-analyzer

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-09 11:19:23 -08:00
lifubang 871057d863 drop runc-dmz solution according to overlay solution
Because we have the overlay solution, we can drop runc-dmz binary
solution since it has too many limitations.

Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-10-28 15:18:07 +00:00
Kir Kolyshkin cbb9b309cd ci: use Go 1.23
Where we only use one Go version, let's use Go 1.23.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-23 00:04:17 -07:00
dependabot[bot] f55957de35 build(deps): bump bats-core/bats-action from 2.1.1 to 3.0.0
Bumps [bats-core/bats-action](https://github.com/bats-core/bats-action) from 2.1.1 to 3.0.0.
- [Release notes](https://github.com/bats-core/bats-action/releases)
- [Commits](https://github.com/bats-core/bats-action/compare/2.1.1...3.0.0)

---
updated-dependencies:
- dependency-name: bats-core/bats-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-09-30 04:20:03 +00:00
Akhil Mohan 5b161e04ae update bats-action to 2.1.1
bats-action@2.1.1 supports:
- ubuntu 20.04
- cache key with multiple arch

Signed-off-by: Akhil Mohan <akhilerm@gmail.com>
2024-09-25 20:39:36 +05:30
Akhil Mohan 35f999dded remove installation of unused bats support libs
bats-core/bats-action installs a few support libraries by default which are not used by
runc. Disable the installation, which will remove /usr/bin/tar: Permission denied errors.

Signed-off-by: Akhil Mohan <akhilerm@gmail.com>
2024-09-25 11:31:44 +05:30
Akhil Mohan 8671a7dba9 ci: update to setup bats action from bats-core
mig4/setup-bats is now unmaintained(last commit in Sep 2021).
bats-core/bats-action can be used as a replacement maintained
by the bats-core team.

Signed-off-by: Akhil Mohan <akhilerm@gmail.com>
2024-09-22 23:00:59 +05:30
Kir Kolyshkin 2cd24a4dae ci/gha: add all-done jobs
The sole reason is to simplify branch protection rules,
requiring just these to be passed.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-08-21 17:00:59 -07:00
Kir Kolyshkin 606257c6e1 Bump golangci-lint to v1.60, fix new warnings
The warnings fixed were:

libcontainer/configs/config_test.go:205:12: printf: non-constant format string in call to (*testing.common).Errorf (govet)
		t.Errorf(fmt.Sprintf("Expected error to not occur but it was %+v", err))
		         ^
libcontainer/cgroups/fs/blkio_test.go:481:13: printf: non-constant format string in call to (*testing.common).Errorf (govet)
			t.Errorf(fmt.Sprintf("test case '%s' failed unexpectedly: %s", testCase.desc, err))
			         ^
libcontainer/cgroups/fs/blkio_test.go:595:13: printf: non-constant format string in call to (*testing.common).Errorf (govet)
			t.Errorf(fmt.Sprintf("test case '%s' failed unexpectedly: %s", testCase.desc, err))
			         ^

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-08-14 20:39:15 +08:00
Kir Kolyshkin adedeb993a ci/gha: add Go 1.23, drop 1.21
- drop Go 1.21;
- add Go 1.23;
- for a few jobs that were using Go 1.21, switch to 1.22;

Also, bump go to 1.22 in go.mod.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-08-14 20:39:15 +08:00
Kir Kolyshkin 15ec295bb1 ci/gha: bump golangci-lint to v1.59
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-07-10 16:25:30 -07:00
Kir Kolyshkin 309a6d91a4 ci/gha: add go-fix job
Add a CI job to ensure go fix produces no result. Quoting
`go doc cmd/fix`:

> Fix finds Go programs that use old APIs and rewrites them to use newer
> ones. After you update to a new Go release, fix helps make the
> necessary changes to your programs.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-07-03 10:12:25 -07:00
Kir Kolyshkin a3302f2054 ci: switch to go 1.22 as main version
Now when Go 1.22.4 is out it should no longer be a problem.

Leave Go 1.21 for CentOS testing (CentOS 7 and 8 have older glibc)
and Dockerfile (Debian 11 have older glibc).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-07 10:18:59 -07:00
Kir Kolyshkin 67f6c37bc2 ci/gha: switch to ubuntu 24.04
Let's replace ubuntu-22.04 with ubuntu-24.04 where we can, and keep
ubuntu-20.04 to test cgroup v1 stuff.

Leave ubuntu-22.04 for ci/cross-i386 (issue with systemctl restart hang
after apt install). This can be addressed separately later.

The only kludge we have to add is enable userns for runc binary being
tested (as userns is disabled by apparmor system-wide by default now,
see [1]).

[1] https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions-15

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-04 23:43:12 -07:00
Kir Kolyshkin b24fc9d2c4 ci: pin codespell
CI should not fail and require attention every time a new codespell
version is released.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-02 10:51:43 -07:00
Kir Kolyshkin f452f667c0 ci/gha: bump golangci-lint-action from 5 to 6
Note that github-actions output format is deprecated and no longer supported,
and it is also no longer needed since setup-go problem matcher already
handles default golangci-lint output format ("colored-line-number").

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-05-07 14:26:41 -07:00
Kir Kolyshkin d63018c252 ci/gha: bump golangci-lint to v1.57
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-04-25 08:39:26 -07:00
Kir Kolyshkin 6bcc736122 ci/gha: bump golangci/golangci-lint-action to v5
Since v5 removes caching [1], re-enable setup-go cache.

[1] https://github.com/golangci/golangci-lint-action/pull/1024

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-04-25 08:25:02 -07:00
Kir Kolyshkin baba55e278 ci/actuated: re-enable CRIU tests
They were failing earlier but are working now.

This includes a fix to criu repo path assignment so it works for actuated case.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-04-24 19:40:45 -07:00
Akihiro Suda 00238f5d2b CI: add actuated-arm64
See <https://actuated.dev/blog/arm-ci-cncf-ampere>.
Thanks to Alex Ellis, Ampere Computing, and Equinix.

Host information:
* CPU: aarch64 (ARMv8)
* Kernel: 5.10.201
  * Lacks ~CONFIG_CHECKPOINT_RESTORE~, CONFIG_BLK_CGROUP_IOCOST, etc.
* Cgroup: v2
* OS: Ubuntu 22.04
  * Lacks newuidmap, newgidmap, etc. (still apt-gettable)
  * sshd is not running

vmmeter is added from:
https://gist.github.com/alexellis/1f33e581c75e11e161fe613c46180771#file-metering-gha-md

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-04-24 17:22:33 +09:00
Akihiro Suda 30dc98f577 CI: run apt with -y
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-04-23 09:10:09 +09:00
Kir Kolyshkin 851e3882b7 ci/test: exclude some runc_nodmz jobs
1. Sort the list of matrix excludes in the order of matrix,
   add comments explaining why we disable some jobs.

2. Exclude some jobs:
 - runc_nodmz && go 1.20.x
 - runc_nodmz && -race

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-04-01 17:06:40 -07:00
Kir Kolyshkin ac31da6b80 ci/cross-i386: pin Go to 1.21.x
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-04-02 01:55:50 +11:00
dependabot[bot] 935d586b39 build(deps): bump tim-actions/get-pr-commits from 1.3.0 to 1.3.1
Bumps [tim-actions/get-pr-commits](https://github.com/tim-actions/get-pr-commits) from 1.3.0 to 1.3.1.
- [Release notes](https://github.com/tim-actions/get-pr-commits/releases)
- [Commits](https://github.com/tim-actions/get-pr-commits/compare/v1.3.0...v1.3.1)

---
updated-dependencies:
- dependency-name: tim-actions/get-pr-commits
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-27 04:45:06 +00:00
Kir Kolyshkin 93e377233f ci/golangci-lint: add checks permission
This permission is now needed so that the linter can annotate code in a
PR (see [1]).

[1] https://github.com/golangci/golangci-lint-action/pull/931/commits/bc1904f0c946172fc1821908fc41649db49f0334

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-02-12 22:14:41 -08:00
dependabot[bot] 27cbabd00d build(deps): bump golangci/golangci-lint-action from 3 to 4
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 3 to 4.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/v3...v4)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-12 04:07:38 +00:00
dependabot[bot] 7b655782bf build(deps): bump actions/upload-artifact from 3 to 4
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3 to 4.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-15 04:57:18 +00:00
dependabot[bot] e66ba70f50 build(deps): bump actions/setup-go from 4 to 5
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4 to 5.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-07 04:18:24 +00:00
Kir Kolyshkin f944d7b653 ci/gha: fix downloading Release.key
Since today, the URL from download.opensuse.org started returning a
HTTP 302 redirect, so -L option for curl is needed to follow it.

While at it, remove apt-key as per its man page recommendation:

> Note: Instead of using this command a keyring should be placed
> directly in the /etc/apt/trusted.gpg.d/ directory with a descriptive
> name and either "gpg" or "asc" as file extension.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-19 21:12:30 -07:00
lifubang dac4171746 runc-dmz: reduce memfd binary cloning cost with small C binary
The idea is to remove the need for cloning the entire runc binary by
replacing the final execve() call of the container process with an
execve() call to a clone of a small C binary which just does an execve()
of its arguments.

This provides similar protection against CVE-2019-5736 but without
requiring a >10MB binary copy for each "runc init". When compiled with
musl, runc-dmz is 13kB (though unfortunately with glibc, it is 1.1MB
which is still quite large).

It should be noted that there is still a window where the container
processes could get access to the host runc binary, but because we set
ourselves as non-dumpable the container would need CAP_SYS_PTRACE (which
is not enabled by default in Docker) in order to get around the
proc_fd_access_allowed() checks. In addition, since Linux 4.10[1] the
kernel blocks access entirely for user namespaced containers in this
scenario. For those cases we cannot use runc-dmz, but most containers
won't have this issue.

This new runc-dmz binary can be opted out of at compile time by setting
the "runc_nodmz" buildtag, and at runtime by setting the RUNC_DMZ=legacy
environment variable. In both cases, runc will fall back to the classic
/proc/self/exe-based cloning trick. If /proc/self/exe is already a
sealed memfd (namely if the user is using contrib/cmd/memfd-bind to
create a persistent sealed memfd for runc), neither runc-dmz nor
/proc/self/exe cloning will be used because they are not necessary.

[1]: https://github.com/torvalds/linux/commit/bfedb589252c01fa505ac9f6f2a3d5d68d707ef4

Co-authored-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: lifubang <lifubang@acmcoder.com>
[cyphar: address various review nits]
[cyphar: fix runc-dmz cross-compilation]
[cyphar: embed runc-dmz into runc binary and clone in Go code]
[cyphar: make runc-dmz optional, with fallback to /proc/self/exe cloning]
[cyphar: do not use runc-dmz when the container has certain privs]
Co-authored-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-09-22 15:38:19 +10:00
dependabot[bot] 2d0cd0b381 build(deps): bump actions/checkout from 3 to 4
Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-05 04:50:22 +00:00
dependabot[bot] fe6f33b2c0 build(deps): bump tim-actions/commit-message-checker-with-regex
Bumps [tim-actions/commit-message-checker-with-regex](https://github.com/tim-actions/commit-message-checker-with-regex) from 0.3.1 to 0.3.2.
- [Release notes](https://github.com/tim-actions/commit-message-checker-with-regex/releases)
- [Commits](https://github.com/tim-actions/commit-message-checker-with-regex/compare/v0.3.1...v0.3.2)

---
updated-dependencies:
- dependency-name: tim-actions/commit-message-checker-with-regex
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-08-28 04:21:42 +00:00
Kir Kolyshkin 17e7e230bd ci/gha: bump golangci-lint to v1.54
Currently, it is at v1.54.2.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-08-24 17:22:23 -07:00
Kir Kolyshkin b22073c5fe ci/gha: add job timeouts
The default timeout is 360 minutes, which is way long for these jobs.
If the CI (or a test) has stuck, we'd better know about it earlier than
in 6 hours.

Set the timeouts for some [relatively] long running jobs conservatively:
 - test and release jobs usually take ~10 minutes;
 - lint job takes 1 minute (but can be a few times slower when we switch
   Go or golangci-lint version);
 - cross-386 job takes about 2 minutes;
 - the rest is seconds (and I am lazy to set timeouts everywhere).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-08-16 16:08:35 -07:00
Kir Kolyshkin 46d6089fb5 ci/gha: re-enable go caching
Since https://github.com/actions/setup-go/issues/368 is now fixed
(in https://github.com/actions/setup-go/releases/tag/v4.1.0), there
is no need to disable caching when using different distros.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-08-08 15:18:21 -07:00
Kir Kolyshkin 5741ea230a ci: add go 1.21, remove go 1.19
Go 1.21 is out, and go 1.19 is no longer supported.

This also fixes cirrus-ci failure.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-08-08 12:34:55 -07:00
Kir Kolyshkin 98317c16ed ci: bump golangci-lint, remove fixed exception
The exception was fixed by https://github.com/polyfloyd/go-errorlint/pull/12
which eventually made its way into golangci-lint.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-07-16 15:02:26 +08:00
Sebastiaan van Stijn 17b335a2ee Merge pull request #3902 from kolyshkin/skip-less
ci/gha: don't skip rootless+systemd on ubuntu 22.04
2023-06-28 15:28:08 +02:00
Kir Kolyshkin 5e53e6592a ci: bump shellcheck to 0.9.0, fix new SC2016 warnings
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-06-27 08:44:21 -07:00