Commit Graph

7188 Commits

Author SHA1 Message Date
dependabot[bot] ef5d2d4e35 Merge pull request #4565 from opencontainers/dependabot/go_modules/github.com/cilium/ebpf-0.17.1 2024-12-20 05:35:35 +00:00
dependabot[bot] 5855ba5303 build(deps): bump github.com/cilium/ebpf from 0.17.0 to 0.17.1
Bumps [github.com/cilium/ebpf](https://github.com/cilium/ebpf) from 0.17.0 to 0.17.1.
- [Release notes](https://github.com/cilium/ebpf/releases)
- [Commits](https://github.com/cilium/ebpf/compare/v0.17.0...v0.17.1)

---
updated-dependencies:
- dependency-name: github.com/cilium/ebpf
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-12-20 04:10:23 +00:00
Kir Kolyshkin ae994af502 Merge pull request #4563 from opencontainers/dependabot/go_modules/github.com/cilium/ebpf-0.17.0
build(deps): bump github.com/cilium/ebpf from 0.16.0 to 0.17.0
2024-12-19 16:28:57 -08:00
dependabot[bot] e809db842f build(deps): bump github.com/cilium/ebpf from 0.16.0 to 0.17.0
Bumps [github.com/cilium/ebpf](https://github.com/cilium/ebpf) from 0.16.0 to 0.17.0.
- [Release notes](https://github.com/cilium/ebpf/releases)
- [Commits](https://github.com/cilium/ebpf/compare/v0.16.0...v0.17.0)

---
updated-dependencies:
- dependency-name: github.com/cilium/ebpf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-12-20 00:07:03 +00:00
Kir Kolyshkin 5239b05129 Merge pull request #4564 from opencontainers/dependabot/go_modules/golang.org/x/net-0.33.0
build(deps): bump golang.org/x/net from 0.32.0 to 0.33.0
2024-12-19 16:05:57 -08:00
Aleksa Sarai b5a1957d53 Merge pull request #4560 from opencontainers/dependabot/go_modules/github.com/cyphar/filepath-securejoin-0.3.6
build(deps): bump github.com/cyphar/filepath-securejoin from 0.3.5 to 0.3.6
2024-12-19 15:14:00 +11:00
dependabot[bot] c2b11a6353 build(deps): bump golang.org/x/net from 0.32.0 to 0.33.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.32.0 to 0.33.0.
- [Commits](https://github.com/golang/net/compare/v0.32.0...v0.33.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-12-19 04:09:48 +00:00
dependabot[bot] 71327d7fcd build(deps): bump github.com/cyphar/filepath-securejoin
Bumps [github.com/cyphar/filepath-securejoin](https://github.com/cyphar/filepath-securejoin) from 0.3.5 to 0.3.6.
- [Release notes](https://github.com/cyphar/filepath-securejoin/releases)
- [Changelog](https://github.com/cyphar/filepath-securejoin/blob/main/CHANGELOG.md)
- [Commits](https://github.com/cyphar/filepath-securejoin/compare/v0.3.5...v0.3.6)

---
updated-dependencies:
- dependency-name: github.com/cyphar/filepath-securejoin
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-12-19 01:42:44 +00:00
lfbzhm 90f38e76ae Merge pull request #4561 from kolyshkin/lint162
GHA CI bumps
2024-12-19 09:33:04 +08:00
Kir Kolyshkin 9468986a49 ci: use a specific ubuntu version
GHA shows a warning telling that "ubuntu-latest" is going to be switched
to ubuntu-24.04 soon. Let's specify the version explicitly (and switch
to 24.04 for this job ahead of github).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-17 22:52:16 -08:00
Kir Kolyshkin e845f4be86 ci: bump golangci-lint to v1.62
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-17 22:50:44 -08:00
dependabot[bot] aace922de9 Merge pull request #4558 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.36.0 2024-12-18 01:20:22 +00:00
dependabot[bot] 705382ac66 build(deps): bump google.golang.org/protobuf from 1.35.2 to 1.36.0
Bumps google.golang.org/protobuf from 1.35.2 to 1.36.0.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-12-17 04:53:16 +00:00
Aleksa Sarai 3ddaa9140d merge #4555 into opencontainers/runc:main
Kir Kolyshkin (1):
  Re-add tun/tap to default device rules

LGTMs: AkihiroSuda cyphar
2024-12-17 14:13:05 +11:00
Kir Kolyshkin 394f4c3b70 Re-add tun/tap to default device rules
Since v1.2.0 was released, a number of users complained that the removal
of tun/tap device access from the default device ruleset is causing a
regression in their workloads.

Additionally, it seems that some upper-level orchestration tools
(Docker Swarm, Kubernetes) makes it either impossible or cumbersome
to supply additional device rules.

While it's probably not quite right to have /dev/net/tun in a default
device list, it was there from the very beginning, and users rely on it.
Let's keep it there for the sake of backward compatibility.

This reverts commit 2ce40b6ad7.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-16 12:01:10 -08:00
Akihiro Suda 28b65d3d23 Merge pull request #4472 from kolyshkin/cg-cfg
libct/configs: move cgroup configs to libct/cgroups
2024-12-15 02:01:32 +09:00
Akihiro Suda 2e1559ecd3 Merge pull request #4553 from kolyshkin/keyring
keyring: update @kolyshkin key expiry
2024-12-14 22:12:37 +09:00
Kir Kolyshkin b15fcc1be6 keyring: update @kolyshkin key expiry
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-13 14:28:12 -08:00
Kir Kolyshkin 5a838ccbe0 tests/cmd/sd-helper: switch from configs to cgroups
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-11 19:08:40 -08:00
Kir Kolyshkin a56f85f87b libct/*: switch from configs to cgroups
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-11 19:08:40 -08:00
Kir Kolyshkin 04041f21ac libct/cgroups/*: switch from configs to cgroups
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-11 19:08:40 -08:00
Kir Kolyshkin ae477f15f0 libct/configs: move cgroup stuff to libct/cgroups
We have quite a few external users of libcontainer/cgroups packages,
and they all have to depend on libcontainer/configs as well.

Let's move cgroup-related configuration to libcontainer/croups.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-11 19:08:40 -08:00
Kir Kolyshkin 85c7c99d05 libct/cg/fs2: fix some revive linter warnings
These:

> Error: libcontainer/cgroups/fs2/cpu.go:15:6: var-naming: func isCpuSet should be isCPUSet (revive)
> func isCpuSet(r *cgroups.Resources) bool {
>      ^
> Error: libcontainer/cgroups/fs2/cpu.go:19:6: var-naming: func setCpu should be setCPU (revive)
> func setCpu(dirPath string, r *cgroups.Resources) error {
>      ^

They are going to be shown after next commits because of linter-extra CI
job (which, due to major changes, now thinks it's a new code so extra
linters apply).

Fixing it beforehand.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-11 19:08:25 -08:00
lfbzhm 986451c24e Merge pull request #4383 from kolyshkin/test-cmd
Move test helper binaries
2024-12-12 09:00:37 +08:00
Kir Kolyshkin 66fe7db3bc Move test helper binaries
Instead of having every test helper binary in its own directory, let's
use /tests/cmd/_bin as a destination directory.

This allows for simpler setup/cleanup.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-11 10:46:33 -08:00
Akihiro Suda 4cb480de70 Merge pull request #4546 from kolyshkin/criu-opt
Add `runc_nocriu` build tag to opt out of c/r
2024-12-11 13:04:22 +09:00
Kir Kolyshkin 47dc185880 Add runc_nocriu build tag
This allows to make a 17% smaller runc binary by not compiling in
checkpoint/restore support.

It turns out that google.golang.org/protobuf package, used by go-criu,
is quite big, and go linker can't drop unused stuff if reflection is
used anywhere in the code.

Currently there's no alternative to using protobuf in go-criu, and since
not all users use c/r, let's provide them an option for a smaller
binary.

For the reference, here's top10 biggest vendored packages, as reported
by gsa[1]:

$ gsa runc | grep vendor | head
│ 8.59%   │ google.golang.org/protobuf                  │ 1.3 MB │ vendor    │
│ 5.76%   │ github.com/opencontainers/runc              │ 865 kB │ vendor    │
│ 4.05%   │ github.com/cilium/ebpf                      │ 608 kB │ vendor    │
│ 2.86%   │ github.com/godbus/dbus/v5                   │ 429 kB │ vendor    │
│ 1.25%   │ github.com/urfave/cli                       │ 188 kB │ vendor    │
│ 0.90%   │ github.com/vishvananda/netlink              │ 135 kB │ vendor    │
│ 0.59%   │ github.com/sirupsen/logrus                  │ 89 kB  │ vendor    │
│ 0.56%   │ github.com/checkpoint-restore/go-criu/v6    │ 84 kB  │ vendor    │
│ 0.51%   │ golang.org/x/sys                            │ 76 kB  │ vendor    │
│ 0.47%   │ github.com/seccomp/libseccomp-golang        │ 71 kB  │ vendor    │

And here is a total binary size saving when `runc_nocriu` is used.

For non-stripped binaries:

$ gsa runc-cr runc-nocr | tail -3
│ -17.04% │ runc-cr                                  │ 15 MB    │ 12 MB    │ -2.6 MB │
│         │ runc-nocr                                │          │          │         │
└─────────┴──────────────────────────────────────────┴──────────┴──────────┴─────────┘

And for stripped binaries:

│ -17.01% │ runc-cr-stripped                         │ 11 MB    │ 8.8 MB   │ -1.8 MB │
│         │ runc-nocr-stripped                       │          │          │         │
└─────────┴──────────────────────────────────────────┴──────────┴──────────┴─────────┘

[1]: https://github.com/Zxilly/go-size-analyzer

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-09 11:19:23 -08:00
Kir Kolyshkin c487840f75 Remove main package dependency on criurpc
Commit 7f64fb47 made the main package, and runc/libcontainer's CriuOpts
depend on criu/rpc. This is not good; among the other things, it makes
it complicated to make c/r optional.

Let's switch CriuOpts.ManageCgroupsMode to a string (yes, it's an APIt
breaking change) and move the cgroup mode string parsing to
libcontainer.

While at it, let's better document ManageCgroupsMode.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-09 11:19:23 -08:00
Sebastiaan van Stijn e0752069a5 Merge pull request #4548 from cyphar/ebpf-enotsup
cgroups: ebpf: use link.Anchor to check for BPF_F_REPLACE support
2024-12-07 13:17:20 +01:00
lfbzhm fe371b9dae Merge pull request #4549 from cyphar/racing-mkdirall
deps: update to github.com/cyphar/filepath-securejoin@v0.3.5
2024-12-07 09:30:47 +08:00
Aleksa Sarai 2f1b6626f3 deps: update to github.com/cyphar/filepath-securejoin@v0.3.5
This fixes a regression in use of securejoin.MkdirAll, where multiple
runc processes racing to create the same mountpoint in a shared rootfs
would result in spurious EEXIST errors. In particular, this regression
caused issues with BuildKit.

Fixes: dd827f7b71 ("utils: switch to securejoin.MkdirAllHandle")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-12-06 19:38:46 +11:00
Aleksa Sarai c0044c7aa4 cgroup: ebpf: make unexpected errors in haveBpfProgReplace louder
If we get an unexpected error here, it is probably because of a library
or kernel change that could cause our detection logic to be invalid. As
a result, these warnings should be louder so users have a chance to tell
us about them sooner (or so we might notice them before doing a release,
as happened with the 1.2.0 regression).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-12-06 17:54:06 +11:00
Aleksa Sarai 9bc6753d1f cgroups: ebpf: also check for ebpf.ErrNotSupported
It is possible for LinkAttachProgram to return ErrNotSupported if
program attachment is not supported at all (which doesn't matter in this
case), but it seems possible that upstream will start returning
ErrNotSupported for BPF_F_REPLACE at some point so it's best to make
sure we don't cause additional regressions here.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-12-06 17:52:14 +11:00
Aleksa Sarai dea0e04dd9 cgroups: ebpf: use link.Anchor to check for BPF_F_REPLACE support
In v0.13.0, cilium/ebpf stopped supporting setting BPF_F_REPLACE as an
explicit flag and instead requires us to use link.Anchor to specify
where the program should be attached.

Commit 216175a9ca ("Upgrade Cilium's eBPF library version to 0.16")
did update this correctly for the actual attaching logic, but when
checking for kernel support we still passed BPF_F_REPLACE. This would
result in a generic error being returned, which our feature-support
checking logic would treat as being an error the indicates that
BPF_F_REPLACE *is* supported, resulting in a regression on pre-5.6
kernels.

It turns out that our debug logging saying that this unexpected error
was happening was being output as a result of this change, but nobody
noticed...

Fixes: 216175a9ca ("Upgrade Cilium's eBPF library version to 0.16")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-12-06 17:51:41 +11:00
Akihiro Suda 9453d599a9 Merge pull request #4544 from opencontainers/dependabot/go_modules/golang.org/x/net-0.32.0
build(deps): bump golang.org/x/net from 0.31.0 to 0.32.0
2024-12-05 18:50:50 +09:00
dependabot[bot] d5694eed7c build(deps): bump golang.org/x/net from 0.31.0 to 0.32.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.31.0 to 0.32.0.
- [Commits](https://github.com/golang/net/compare/v0.31.0...v0.32.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-12-05 09:28:56 +00:00
lfbzhm 189749aca4 Merge pull request #4492 from cyphar/nsenter-flexible-joining
nsenter: implement a two-stage join for setns
2024-12-05 17:25:04 +08:00
Akihiro Suda 396a975b50 Merge pull request #4545 from opencontainers/dependabot/go_modules/golang.org/x/sys-0.28.0
build(deps): bump golang.org/x/sys from 0.27.0 to 0.28.0
2024-12-05 18:24:44 +09:00
dependabot[bot] ec7e90b308 build(deps): bump golang.org/x/sys from 0.27.0 to 0.28.0
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.27.0 to 0.28.0.
- [Commits](https://github.com/golang/sys/compare/v0.27.0...v0.28.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-12-05 04:47:30 +00:00
Kir Kolyshkin 67c8a285e7 Merge pull request #4358 from kolyshkin/rm-cap-init
libct/cap: switch to moby/sys/capability, lazy init
2024-12-02 17:00:15 -08:00
Kir Kolyshkin 66969827c0 Switch to github.com/moby/sys/capability v0.4.0
This removes the last unversioned package in runc's direct dependencies.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-02 13:18:10 -08:00
Kir Kolyshkin fe73f1a9ab libct/cap: switch to lazy init
A map which is created in func init is only used by capSlice, which is
only used by New, which is only used by runc init. Switch to lazy init
to slightly save on startup time.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-02 13:18:10 -08:00
Kir Kolyshkin cdee1b386f libct/cap: preallocate slices
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-02 13:18:10 -08:00
dependabot[bot] b7da16731c build(deps): bump google.golang.org/protobuf from 1.35.1 to 1.35.2
Bumps google.golang.org/protobuf from 1.35.1 to 1.35.2.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-11-18 12:11:47 +08:00
Kir Kolyshkin 9b3fe30e19 Merge pull request #4526 from lifubang/test-cgroup-removepath
libct/cg: add test for remove a non-existent dir in a ro mount point
2024-11-14 16:39:09 -08:00
lfbzhm 119111a0df libct/cg: add test for remove a non-existent dir in a ro mount point
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-11-14 23:58:35 +00:00
Akihiro Suda 4b24754360 Merge pull request #4529 from lifubang/revert-4514
Revert "Temporary set vagrant to 2.4.1-1"
2024-11-14 00:07:32 -07:00
Kir Kolyshkin d28222a987 Merge pull request #4525 from cyphar/memfd-bind-doc-kernel
memfd-bind: elaborate kernel requirements for overlayfs protection
2024-11-13 11:12:12 -08:00
Aleksa Sarai fffc165d79 tests: add test for 'weird' external namespace joining
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-11-14 00:56:55 +11:00
Aleksa Sarai fadc55eb17 nsenter: implement a two-stage join for setns
If we are running with privileges and are asked to join an externally
created user namespaces as well as some other namespace that was *not*
created underneath said user namespace, the approach we added in commit
2cd9c31b99 ("nsenter: guarantee correct user namespace ordering")
doesn't work.

While in theory you would want all externally created namespaces to be
sane, it seems that some tools really do create unrelated namespaces and
ask us to join them. Luckily we can just loosely copy what nsenter(1)
appears to do -- we first try to join any namespaces we can (with host
root privileges), then we join any user namespaces, and then we join any
remaining namespaces (now with the user namespace's privileges).

Note that we *do not* have to try to join namespaces after we create our
own user namespace. Namespace permissions are based purely on the owning
user namespace (not the rootuid) so we will not have access to any extra
namespaces once we unshare(CLONE_NEWUSER) (in fact we will not be able
to setns(2) to anything!).

Fixes: 2cd9c31b99 ("nsenter: guarantee correct user namespace ordering")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-11-14 00:56:55 +11:00