Commit Graph

55 Commits

Author SHA1 Message Date
Aleksa Sarai e67725c087 contrib: remove deprecated memfd-bind binary
This was a really ugly hack to try to reduce the impact of our original
set of CVE-2019-5736 mitigations, but unfortunately had too many caveats
to its use to ever be really useful. In addition, it was completely
obsoleted by the migration to using an detached overlayfs mount in
commit 515f09f7b1 ("dmz: use overlayfs to write-protect /proc/self/exe
if possible").

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-05 00:04:35 +11:00
Aleksa Sarai 625ef531b7 libct: devices: drop deprecated cgroup types
These were all marked deprecated in commit a75076b4a4 ("Switch to
opencontainers/cgroups") when we switched maintenance of our cgroup code
to opencontainers/cgroups.

Users have had ample time to switch to opencontainers/cgroups
themselves, so we can finally remove this.

Note that the whole libcontainer/devices package will be moved to
moby/sys in the near future, so this whole package will be marked
deprecated soon.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-05 00:04:34 +11:00
Aleksa Sarai 6a77ee7864 libct: remove deprecated MPOL_* constants
These were inadvertently added to our exported APIs by commit
eeda7bdf80cca ("Add memory policy support"). We couldn't remove them
from runc 1.4.x, but we deprecated them in commit 3741f9186d
("libct/configs: mark MPOL_* constants as deprecated") and marked them
for removal in runc 1.5. Users should never have used these in the first
place.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-05 00:04:34 +11:00
Aleksa Sarai 87b0804345 libct: remove deprecated HooksList.RunHooks
This was deprecated in commit e6a4870e4ac40 ("libct: better errors for
hooks"), and users have had ample time to migrate to Hooks.Run since.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-04 23:01:30 +11:00
Aleksa Sarai 8fd8e433f8 libct: config: remove deprecated cgroup types
These were all marked deprecated in commit a75076b4a4 ("Switch to
opencontainers/cgroups") when we switched maintenance of our cgroup code
to opencontainers/cgroups.

Users have had ample time to switch to opencontainers/cgroups
themselves, so we can finally remove this.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-04 23:01:16 +11:00
Aleksa Sarai f0ea41ad1f CHANGELOG: add notice for removed libct/utils APIs
Ref: a412bd93e9 ("libct/utils: remove Deprecated functions")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-04 23:00:18 +11:00
Aleksa Sarai 48de3431a1 CHANGELOG: forward-port changelog entries
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-28 11:04:33 +11:00
Aleksa Sarai 3b75374cc7 runtime-spec: update pids.limit handling to match new guidance
The main update is actually in github.com/opencontainers/cgroups, but we
need to also update runtime-spec to a newer pre-release version to get
the updates from there as well.

In short, the behaviour change is now that "0" is treated as a valid
value to set in "pids.max", "-1" means "max" and unset/nil means "do
nothing". As described in the opencontainers/cgroups PR, this change is
actually backwards compatible because our internal state.json stores
PidsLimit, and that entry is marked as "omitempty". So, an old runc
would omit PidsLimit=0 in state.json, and this will be parsed by a new
runc as being "nil" -- and both would treat this case as "do not set
anything".

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-11 15:15:27 +11:00
Aleksa Sarai 918de6824a CHANGELOG: add v1.3.2 entry
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-10-04 21:17:35 +10:00
Aleksa Sarai e4f99b5c95 libcontainer: remove deprecated package "userns"
This package was marked deprecated in commit 9b60a93cf3
("libcontainer/userns: migrate to github.com/moby/sys/userns"), which
was included in runc 1.2. Users have thus had a year to migrate to
github.com/moby/sys/userns and it's okay for us to remove this wrapper
package.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-10-03 16:32:10 +10:00
Aleksa Sarai b2ec7f9201 VERSION: release v1.4.0-rc.1
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-09-05 19:03:49 +10:00
Aleksa Sarai 081b8c25b3 CHANGELOG: forward-port v1.3.1 changelog
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-09-05 19:03:49 +10:00
Aleksa Sarai 1931ebf739 CHANGELOG: forward-port v1.2.7 changelog
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-09-05 19:03:49 +10:00
Aleksa Sarai 779c9e1d9a libct: user: remove deprecated module
libcontainer/user was marked as deprecated in d9ea71bf96 ("deprecate
libcontainer/user") and users have had plenty of time to migrate to
github.com/moby/sys/user.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-09-03 00:45:15 +10:00
Aleksa Sarai 121192ade6 libct: reset CPU affinity by default
In certain deployments, it's possible for runc to be spawned by a
process with a restrictive cpumask (such as from a systemd unit with
CPUAffinity=... configured) which will be inherited by runc and thus the
container process by default.

The cpuset cgroup used to reconfigure the cpumask automatically for
joining processes, but kcommit da019032819a ("sched: Enforce user
requested affinity") changed this behaviour in Linux 6.2.

The solution is to try to emulate the expected behaviour by resetting
our cpumask to correspond with the configured cpuset (in the case of
"runc exec", if the user did not configure an alternative one). Normally
we would have to parse /proc/stat and /sys/fs/cgroup, but luckily
sched_setaffinity(2) will transparently convert an all-set cpumask (even
if it has more entries than the number of CPUs on the system) to the
correct value for our usecase.

For some reason, in our CI it seems that rootless --systemd-cgroup
results in the cpuset (presumably temporarily?) being configured such
that sched_setaffinity(2) will allow the full set of CPUs. For this
particular case, all we care about is that it is different to the
original set, so include some special-casing (but we should probably
investigate this further...).

Reported-by: ningmingxiao <ning.mingxiao@zte.com.cn>
Reported-by: Martin Sivak <msivak@redhat.com>
Reported-by: Peter Hunt <pehunt@redhat.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-08-28 08:25:46 +10:00
Markus Lehtonen a8faf92551 CHANGELOG: document breaking change of runc update
Co-authored-by: lfbzhm <lifubang@acmcoder.com>
Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
2025-08-25 14:54:30 +03:00
Aleksa Sarai 5cdfeea7c9 CHANGELOG: forward-port entries from 1.3.0
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-05-08 00:06:13 +10:00
Rodrigo Campos e34c1a0408 CHANGELOG: Port 1.2.x changes
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2025-04-09 09:23:13 -07:00
Rodrigo Campos a00ce11e91 VERSION: release v1.3.0-rc.1
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
(cyphar: improve changelog)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-03-04 18:42:08 +11:00
Kir Kolyshkin 10ca66bff5 runc exec: implement CPU affinity
As per
- https://github.com/opencontainers/runtime-spec/pull/1253
- https://github.com/opencontainers/runtime-spec/pull/1261

CPU affinity can be set in two ways:
1. When creating/starting a container, in config.json's
   Process.ExecCPUAffinity, which is when applied to all execs.
2. When running an exec, in process.json's CPUAffinity, which
   applied to a given exec and overrides the value from (1).

Add some basic tests.

Note that older kernels (RHEL8, Ubuntu 20.04) change CPU affinity of a
process to that of a container's cgroup, as soon as it is moved to that
cgroup, while newer kernels (Ubuntu 24.04, Fedora 41) don't do that.

Because of the above,
 - it's impossible to really test initial CPU affinity without adding
   debug logging to libcontainer/nsenter;
 - for older kernels, there can be a brief moment when exec's affinity
   is different than either initial or final affinity being set;
 - exec's final CPU affinity, if not specified, can be different
   depending on the kernel, therefore we don't test it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-02 19:17:41 -08:00
Kir Kolyshkin 6e01e85054 CHANGELOG: fwd port 1.2.1 to 1.2.5 changes
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-28 11:40:56 -08:00
Kir Kolyshkin 99f9ed94dc runc exec: fix setting process.Scheduler
Commit 770728e1 added Scheduler field into both Config and Process,
but forgot to add a mechanism to actually use Process.Scheduler.
As a result, runc exec does not set Process.Scheduler ever.

Fix it, and a test case (which fails before the fix).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-11 18:01:30 -08:00
Kir Kolyshkin b9114d91e2 runc exec: fix setting process.ioPriority
Commit bfbd0305b added IOPriority field into both Config and Process,
but forgot to add a mechanism to actually use Process.IOPriority.
As a result, runc exec does not set Process.IOPriority ever.

Fix it, and a test case (which fails before the fix).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-11 18:01:30 -08:00
Kir Kolyshkin 7dc2486889 libct: switch to numeric UID/GID/groups
This addresses the following TODO in the code (added back in 2015
by commit 845fc65e5):

> // TODO: fix libcontainer's API to better support uid/gid in a typesafe way.

Historically, libcontainer internally uses strings for user, group, and
additional (aka supplementary) groups.

Yet, runc receives those credentials as part of runtime-spec's process,
which uses integers for all of them (see [1], [2]).

What happens next is:

1. runc start/run/exec converts those credentials to strings (a User
   string containing "UID:GID", and a []string for additional GIDs) and
   passes those onto runc init.
2. runc init converts them back to int, in the most complicated way
   possible (parsing container's /etc/passwd and /etc/group).

All this conversion and, especially, parsing is totally unnecessary,
but is performed on every container exec (and start).

The only benefit of all this is, a libcontainer user could use user and
group names instead of numeric IDs (but runc itself is not using this
feature, and we don't know if there are any other users of this).

Let's remove this back and forth translation, hopefully increasing
runc exec performance.

The only remaining need to parse /etc/passwd is to set HOME environment
variable for a specified UID, in case $HOME is not explicitly set in
process.Env. This can now be done right in prepareEnv, which simplifies
the code flow a lot. Alas, we can not use standard os/user.LookupId, as
it could cache host's /etc/passwd or the current user (even with the
osusergo tag).

PS Note that the structures being changed (initConfig and Process) are
never saved to disk as JSON by runc, so there is no compatibility issue
for runc users.

Still, this is a breaking change in libcontainer, but we never promised
that libcontainer API will be stable (and there's a special package
that can handle it -- github.com/moby/sys/user). Reflect this in
CHANGELOG.

For 3998.

[1]: https://github.com/opencontainers/runtime-spec/blob/v1.0.2/config.md#posix-platform-user
[2]: https://github.com/opencontainers/runtime-spec/blob/v1.0.2/specs-go/config.go#L86

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-06 17:49:17 -08:00
Kir Kolyshkin 6171da6005 libct/configs: add HookList.SetDefaultEnv
1. Make CommandHook.Command a pointer, which reduces the amount of data
   being copied when using hooks, and allows to modify command hooks.

2. Add SetDefaultEnv, which is to be used by the next commit.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-01-09 18:22:53 +08:00
Kir Kolyshkin f9fd70b7ff CHANGELOG: add (forward-port) v1.1.15 changes
Those are taken from commit bc20cb44.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-29 17:08:23 -07:00
Aleksa Sarai 0b9fa21be2 VERSION: release v1.2.0
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-10-22 09:21:47 +11:00
Aleksa Sarai 961b8031f6 VERSION: back to development
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-09-03 11:33:06 +10:00
lifubang 45471bc945 VERSION: release v1.2.0-rc.3
Signed-off-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-09-03 11:29:51 +10:00
Aleksa Sarai 6c24b2e83e changelog: update to include 1.1.14 notes
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-09-03 11:29:21 +10:00
Kir Kolyshkin 8b1c0f7e47 CHANGELOG.md: dedup v1.2.0-rc.2 notes
Remove changes that are already reflected in v1.1.13 changelog:
 - rlimit_nofile fix;
 - rt_period vs rt_runtime fix;
 - gpg vs keyboxd fix;
 - nsexec debug log fix;
 - fips faking;
 - vagrant Fedora 39 bump;
 - golangci-lint bump;
 - x/net bump;
 - centos stream 8 removal;
 - codespell ci fixes.

Compact some of the entries that are related (e.g. about actuated-ci).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-07-01 10:24:22 -07:00
lifubang f2d2ee5e45 VERSION: release 1.2.0-rc.2
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-06-26 20:03:03 +08:00
lfbzhm ad976aa155 put the changelog of v1.1.13 after v1.2.0-rc.1
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-06-19 14:09:02 +00:00
lfbzhm 4e2d7c0a6e update changelog after v1.1.13 released
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-06-13 22:45:00 +00:00
Kir Kolyshkin 4f3319b56d libct: decouple libct/cg/devices
Commit b6967fa84c moved the functionality of managing cgroup devices
into a separate package, and decoupled libcontainer/cgroups from it.

Yet, some software (e.g. cadvisor) may need to use libcontainer package,
which imports libcontainer/cgroups/devices, thus making it impossible to
use libcontainer without bringing in cgroup/devices dependency.

In fact, we only need to manage devices in runc binary, so move the
import to main.go.

The need to import libct/cg/dev in order to manage devices is already
documented in libcontainer/cgroups, but let's
 - update that documentation;
 - add a similar note to libcontainer/cgroups/systemd;
 - add a note to libct README.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-04-17 15:05:38 -07:00
Aleksa Sarai 275e6d85f7 VERSION: release v1.2.0-rc.1
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-04-03 21:43:24 +11:00
Aleksa Sarai fc3e04dc35 changelog: update to include all new changes since 1.1.0
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
[ cyphar: restructuring and removal of outdated or incorrect info ]
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-04-02 15:46:49 +11:00
Aleksa Sarai b47fb3fda4 changelog: sync changelog entries up to runc 1.1.12
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-04-02 15:46:24 +11:00
Aleksa Sarai d4b670fca6 changelog: mention key breaking changes for mount options
Just to make sure we don't forget to fully explain these when we do
-rc1.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-04-02 15:46:23 +11:00
Aleksa Sarai e377e16846 [hotfix] nsenter: refuse to build with Go 1.22 on glibc
We will almost certainly need to eventually rework nsenter to:

 1. Figure out a way to make pthread_self() not break after nsenter runs
    (probably not possible, because the core issue is likely that we are
    ignoring the rules of signal-safety(7)); or
 2. Do an other re-exec of /proc/self/exe to execute the Go half of
    "runc init" -- after we've done the nsenter setup. This would reset
    all of the process state and ensure we have a clean glibc state for
    Go, but it would make runc slower...

For now, just block Go 1.22 builds to avoid having broken runcs floating
around until we resolve the issue. It seems possible for musl to also
have an issue, but it appears to work and so for now just block glibc
builds.

Note that this will only block builds for anything that uses nsenter --
so users of our (internal) libcontainer libraries should be fine. Only
users that are starting containers using nsenter to actually start
containers will see the error (which is precisely what we want).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-04-02 01:59:46 +11:00
Heran Yang 104b8dc951 libct/cg: add swapOnlyUsage in MemoryStats
This field reports swap-only usage. For cgroupv1, `Usage` and `Failcnt`
are set by subtracting memory usage from memory+swap usage. For cgroupv2,
`Usage`, `Limit`, and `MaxUsage` are set. This commit also export `MaxUsage`
of memory under cgroupv2 mode, using `memory.peak` introduced in kernel 5.19.

Signed-off-by: Heran Yang <heran55@126.com>
2023-10-25 09:47:25 +08:00
Alexander Eldeib 7d2becdf2c libct/cg/fs2: use file + anon + swap for usage
This aligns v2 usage calculations more closely with v1.
Current node-level reporting for v1 vs v2 on the same
machine under similar load may differ by ~250-750Mi.

Also return usage as combined swap + memory usage, aligned
with v1 and non-root v2 cgroups.

`mem_cgroup_usage` in the kernel counts NR_FILE_PAGES
+ NR_ANON_MAPPED + `nr_swap_pages` (if swap enabled) [^0].

Using total - free results in higher "usage" numbers.
This is likely due to various types of reclaimable
memory technically counted as in use (e.g. inactive anon).

See also https://github.com/kubernetes/kubernetes/issues/118916 for more context

[^0]: https://github.com/torvalds/linux/blob/06c2afb862f9da8dc5efa4b6076a0e48c3fbaaa5/mm/memcontrol.c#L3673-L3680

Signed-off-by: Alexander Eldeib <alexeldeib@gmail.com>
2023-08-02 15:18:22 +02:00
lifubang 237acdd813 add some important announcements in unreleased section
Signed-off-by: lifubang <lifubang@acmcoder.com>
2023-07-23 18:48:31 +08:00
lifubang d9494fc6b4 CHANGELOG: forward-port 1.1.6-1.1.8 changes
Signed-off-by: lifubang <lifubang@acmcoder.com>
2023-07-23 10:31:34 +08:00
Kir Kolyshkin 9f32ce6a2d CHANGELOG: forward-port 1.1.4 and 1.1.5 changes
...from the tip of release-1.1 branch (commit 060a61c69d).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-03-30 19:46:53 -07:00
Kir Kolyshkin d2a5acd22a CHANGELOG.md: forward-port 1.1.x changes
This is a forward-port of commit 91fa032da4 ("ci: add basic checks for
CHANGELOG.md"), plus whatever changes were made in release-1.1 branch
(up to v1.1.3).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-07-01 15:57:34 -07:00
Aleksa Sarai be6488a5a9 seccomp: enosys: always return -ENOSYS for setup(2) on s390(x)
On s390x, syscalls above 255 are multiplexed using the (now otherwise
unused) setup(2) syscall (syscall number 0). If the kernel supports the
syscall then it will correctly translate the syscall number such that
seccomp will correctly detect it -- however, for unknown syscalls the
syscall number remains unchanged. This can be verified by running the
following program under strace:

	int main(void)
	{
		scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_TRAP);
		seccomp_load(ctx);

		return syscall(439, AT_FDCWD, "asdf", X_OK, 0);
	}

Which will then die with the following signal (on pre-5.8 kernels):

	--- SIGSYS {si_signo=SIGSYS, si_code=SYS_SECCOMP,
	            si_call_addr=0x3ffb3006c22, si_syscall=__NR_setup,
	            si_arch=AUDIT_ARCH_S390X} ---

(Note that the si_syscall is __NR_setup, not __NR_faccessat2.)

As a result, the -ENOSYS handling we had previously did not work
completely correctly on s390x because any syscall not supported by the
kernel would be treated as syscall number 0 rather than the actual
syscall number.

Always returning -ENOSYS will not cause any issues because in all of the
cases where this multiplexing occurs, seccomp will see the remapped
syscall number -- and no userspace program will call setup(2)
intentionally (the syscall has not existed in Linux for decades and was
originally a hack used early in Linux init prior to spawning pid1 -- so
you will get -ENOSYS from the kernel anyway).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2022-05-23 16:36:07 +10:00
Daniel, Dao Quang Minh c6487533f1 Merge pull request #3342 from kolyshkin/cloned-binary
libct/nsenter: fix extra runc re-exec on tmpfs
2022-02-16 16:17:56 +00:00
Kir Kolyshkin 18e286261e libct/nsenter: fix extra runc re-exec on tmpfs
After adding some debug info to cloned_binary.c I found out that
is_self_cloned() is not working right when runc binary is on tmpfs,
resulting in one extra re-exec of runc.

With some added debug:

	$ mkdir bin
	$ sudo mount -t tmpfs tmp bin
	$ sudo cp runc bin
	$ sudo ./bin/runc --debug exec xxx true
	DEBU[0000] nsexec[763590]: => is_self_cloned
	DEBU[0000] nsexec[763590]: got seals 1 (want 15)
	DEBU[0000] nsexec[763590]: <= is_self_cloned, is_cloned = 0
	DEBU[0000] nsexec[763590]: try_bindfd: 5
	DEBU[0000] nsexec[763590]: re-exec itself...
	DEBU[0000] nsexec[763590]: => is_self_cloned
	DEBU[0000] nsexec[763590]: got seals 1 (want 15)
	DEBU[0000] nsexec[763590]: <= is_self_cloned, is_cloned = 0
	DEBU[0000] nsexec[763590]: try_bindfd: -1
	DEBU[0000] nsexec[763590]: fallback to make_execfd: 5
	DEBU[0000] nsexec[763590]: re-exec itself...
	DEBU[0000] nsexec[763590]: => is_self_cloned
	DEBU[0000] nsexec[763590]: got seals 15 (want 15)
	DEBU[0000] nsexec[763590]: <= is_self_cloned, is_cloned = 1

From the above, it is seen that
 - `is_self_cloned` returns 0,
 - `try_bindfd` is called and succeeds,
 - runc re-execs itself,
 - the second call to `is_self_cloned` returns 0 again (because GET_SEALS returns 1),
 - runc falls back to `make_execfd`, and re-execs again,
 - finally, the third `is_self_cloned` returns 1.

I guess that the code relied on the following (quoting fcntl(2)):

> Currently, file seals can be applied only to a file descriptor
> returned by memfd_create(2) (if the MFD_ALLOW_SEALING was employed).
> On other filesystems, all fcntl() operations that operate on seals
> will return EINVAL.

It looks like in case of a file on tmpfs it returns 1 (F_SEAL_SEAL).

With the fix:

	DEBU[0000] nsexec[768367]: => is_self_cloned
	DEBU[0000] nsexec[768367]: got seals 1 (want 15)
	DEBU[0000] nsexec[768367]: no CLONED_BINARY_ENV
	DEBU[0000] nsexec[768367]: <= is_self_cloned, is_cloned = 0
	DEBU[0000] nsexec[768367]: try_bindfd: 5
	DEBU[0000] nsexec[768367]: re-exec itself...
	DEBU[0000] nsexec[768367]: => is_self_cloned
	DEBU[0000] nsexec[768367]: got seals 1 (want 15)
	DEBU[0000] nsexec[768367]: fstatfs says ro = 1
	DEBU[0000] nsexec[768367]: fstat says nlink = 1
	DEBU[0000] nsexec[768367]: <= is_self_cloned, is_cloned = 1

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-27 08:42:11 -08:00
Kir Kolyshkin 6e1d476aad runc: remove --criu option
This was introduced in an initial commit, back in the day when criu was
a highly experimental thing. Today it's not; most users who need it have
it packaged by their distro vendor.

The usual way to run a binary is to look it up in directories listed in
$PATH. This is flexible enough and allows for multiple scenarios (custom
binaries, extra binaries, etc.). This is the way criu should be run.

Make --criu a hidden option (thus removing it from help). Remove the
option from man pages, integration tests, etc. Remove all traces of
CriuPath from data structures.

Add a warning that --criu is ignored and will be removed.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-26 20:25:56 -08:00