Commit Graph

6821 Commits

Author SHA1 Message Date
Aleksa Sarai 275e6d85f7 VERSION: release v1.2.0-rc.1
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
v1.2.0-rc.1
2024-04-03 21:43:24 +11:00
Aleksa Sarai fc3e04dc35 changelog: update to include all new changes since 1.1.0
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
[ cyphar: restructuring and removal of outdated or incorrect info ]
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-04-02 15:46:49 +11:00
Aleksa Sarai b47fb3fda4 changelog: sync changelog entries up to runc 1.1.12
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-04-02 15:46:24 +11:00
Aleksa Sarai d4b670fca6 changelog: mention key breaking changes for mount options
Just to make sure we don't forget to fully explain these when we do
-rc1.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-04-02 15:46:23 +11:00
Kir Kolyshkin 4641f17e86 Merge pull request #4234 from cyphar/go122
[hotfix] nsenter: refuse to build with Go 1.22
2024-04-01 17:05:51 -07:00
Aleksa Sarai e377e16846 [hotfix] nsenter: refuse to build with Go 1.22 on glibc
We will almost certainly need to eventually rework nsenter to:

 1. Figure out a way to make pthread_self() not break after nsenter runs
    (probably not possible, because the core issue is likely that we are
    ignoring the rules of signal-safety(7)); or
 2. Do an other re-exec of /proc/self/exe to execute the Go half of
    "runc init" -- after we've done the nsenter setup. This would reset
    all of the process state and ensure we have a clean glibc state for
    Go, but it would make runc slower...

For now, just block Go 1.22 builds to avoid having broken runcs floating
around until we resolve the issue. It seems possible for musl to also
have an issue, but it appears to work and so for now just block glibc
builds.

Note that this will only block builds for anything that uses nsenter --
so users of our (internal) libcontainer libraries should be fine. Only
users that are starting containers using nsenter to actually start
containers will see the error (which is precisely what we want).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-04-02 01:59:46 +11:00
Kir Kolyshkin ac31da6b80 ci/cross-i386: pin Go to 1.21.x
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-04-02 01:55:50 +11:00
lfbzhm ea38465a37 Merge pull request #3783 from utam0k/io-prio
Add I/O priority
2024-03-31 09:56:25 +08:00
utam0k bfbd0305ba Add I/O priority
Signed-off-by: utam0k <k0ma@utam0k.jp>
2024-03-30 22:31:54 +09:00
Aleksa Sarai a1acca9acb merge #4219 into opencontainers/runc:main
Aleksa Sarai (2):
  seccomp: patchbpf: always include native architecture in stub
  seccomp: patchbpf: rename nativeArch -> linuxAuditArch

LGTMs: AkihiroSuda kolyshkin
2024-03-29 12:44:51 +11:00
Aleksa Sarai ccc500c427 seccomp: patchbpf: always include native architecture in stub
It turns out that on ppc64le (at least), Docker doesn't include any
architectures in the list of allowed architectures. libseccomp
interprets this as "just include the default architecture" but patchbpf
would return a no-op ENOSYS stub, which would lead to the exact issues
that commit 7a8d7162f9 ("seccomp: prepend -ENOSYS stub to all
filters") fixed for other architectures.

So, just always include the running architecture in the list. There's
no real downside.

Ref: https://bugzilla.suse.com/show_bug.cgi?id=1192051#c6
Reported-by: Fabian Vogt <fvogt@suse.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-03-29 12:01:47 +11:00
Aleksa Sarai b288abeaa5 seccomp: patchbpf: rename nativeArch -> linuxAuditArch
Calling the Linux AUDIT_* architecture constants "native" leads to
confusing code when we are getting the actual native architecture of the
running system.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-03-29 12:01:47 +11:00
Akihiro Suda 8e69225e2e Merge pull request #4220 from cyphar/runc-dmz-no-selinux-magic
dmz: remove SELinux special-casing
2024-03-27 14:16:52 +09:00
lfbzhm 3db0871f1c Merge pull request #4217 from AkihiroSuda/features-unsafe
features: implement returning potentiallyUnsafeConfigAnnotations list
2024-03-25 19:00:01 +08:00
lfbzhm 18c313be72 Merge pull request #4223 from cyphar/seccomp-2.5.5
build: update libseccomp to v2.5.5
2024-03-16 08:02:10 +08:00
lfbzhm d6df41c767 Merge pull request #4224 from SuperQ/update_urfave_cli
Remove dependabot ignore
2024-03-16 07:59:02 +08:00
SuperQ ab6788d307 Remove dependabot ignore
The referenced issue was fixed in `github.com/urfave/cli` v1.22.6. We
can now remove the dependabot ignore for this package.

Signed-off-by: SuperQ <superq@gmail.com>
2024-03-15 08:38:53 +01:00
Aleksa Sarai cdccf6d615 build: update libseccomp to v2.5.5
This adds support for syscalls up to Linux 6.7-rc3.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-03-15 17:57:54 +11:00
Aleksa Sarai 44114d32df merge #4179 into opencontainers/runc:main
Kir Kolyshkin (1):
  tests/int: fix flaky kill tests

LGTMs: AkihiroSuda cyphar
2024-03-15 17:57:12 +11:00
Aleksa Sarai e0cfcb3f85 merge #4222 into opencontainers/runc:main
lifubang (1):
  fix runc-dmz bin path error in Makefile

LGTMs: AkihiroSuda cyphar
2024-03-15 17:34:36 +11:00
lifubang da79b616a3 fix runc-dmz bin path error in Makefile
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-03-14 18:16:09 +08:00
Aleksa Sarai 37581ad340 dmz: remove SELinux special-casing
Now that runc-dmz is opt-in, we no longer need to try to detect whether
SELinux would cause issues for us. We can also remove the
special-purpose build-tag we added.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-03-13 18:18:09 +11:00
Aleksa Sarai 1950892f69 merge #4174 into opencontainers/runc:main
Rodrigo Campos (3):
  Makefile: Fix runc-dmz removal
  contrib/cmd/memfd-bind: Mention runc-dmz needs RUNC_DMZ=true
  libct/dmz: Require RUNC_DMZ=true to opt-in

LGTMs: AkihiroSuda cyphar
2024-03-13 16:22:16 +11:00
Akihiro Suda eefc6ae254 features: implement returning potentiallyUnsafeConfigAnnotations list
See https://github.com/opencontainers/runtime-spec/blob/v1.2.0/features.md#unsafe-annotations-in-configjson

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-03-09 21:31:49 +09:00
dependabot[bot] 109a7a0478 Merge pull request #4203 from opencontainers/dependabot/go_modules/github.com/opencontainers/runtime-spec-1.2.0 2024-03-09 12:18:19 +00:00
dependabot[bot] 606251ab33 build(deps): bump github.com/opencontainers/runtime-spec
Bumps [github.com/opencontainers/runtime-spec](https://github.com/opencontainers/runtime-spec) from 1.1.1-0.20230823135140-4fec88fd00a4 to 1.2.0.
- [Release notes](https://github.com/opencontainers/runtime-spec/releases)
- [Changelog](https://github.com/opencontainers/runtime-spec/blob/main/ChangeLog)
- [Commits](https://github.com/opencontainers/runtime-spec/commits/v1.2.0)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/runtime-spec
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-03-07 14:43:33 +09:00
Akihiro Suda ee7100854c Merge pull request #4216 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.33.0
build(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0
2024-03-07 14:41:36 +09:00
Akihiro Suda 9120ac6aa4 Merge pull request #4215 from opencontainers/dependabot/go_modules/golang.org/x/net-0.22.0
build(deps): bump golang.org/x/net from 0.21.0 to 0.22.0
2024-03-07 14:41:17 +09:00
dependabot[bot] bb5673f265 build(deps): bump golang.org/x/net from 0.21.0 to 0.22.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.21.0 to 0.22.0.
- [Commits](https://github.com/golang/net/compare/v0.21.0...v0.22.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-03-06 12:59:33 +00:00
dependabot[bot] 7ab66b187c build(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0
Bumps google.golang.org/protobuf from 1.32.0 to 1.33.0.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-03-06 12:59:30 +00:00
dependabot[bot] 1491dec992 Merge pull request #4214 from opencontainers/dependabot/go_modules/golang.org/x/sys-0.18.0 2024-03-06 12:58:37 +00:00
dependabot[bot] 6056ed2dd6 build(deps): bump golang.org/x/sys from 0.17.0 to 0.18.0
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.17.0 to 0.18.0.
- [Commits](https://github.com/golang/sys/compare/v0.17.0...v0.18.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-03-05 04:18:12 +00:00
Rodrigo Campos fc76b136e1 Makefile: Fix runc-dmz removal
Signed-off-by: Rodrigo Campos <rodrigo@sdfg.com.ar>
2024-02-28 15:38:04 -03:00
Rodrigo Campos 46b72107f1 contrib/cmd/memfd-bind: Mention runc-dmz needs RUNC_DMZ=true
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2024-02-28 12:15:57 -03:00
Rodrigo Campos 1dae66f748 libct/dmz: Require RUNC_DMZ=true to opt-in
If it is compiled, the user needs to opt-in with this env variable to
use it.

While we are there, remove the RUNC_DMZ=legacy as that is now the
default.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2024-02-28 12:15:57 -03:00
lfbzhm 6cf6ddc358 Merge pull request #4208 from opencontainers/dependabot/github_actions/tim-actions/get-pr-commits-1.3.1
build(deps): bump tim-actions/get-pr-commits from 1.3.0 to 1.3.1
2024-02-28 18:23:56 +08:00
dependabot[bot] 935d586b39 build(deps): bump tim-actions/get-pr-commits from 1.3.0 to 1.3.1
Bumps [tim-actions/get-pr-commits](https://github.com/tim-actions/get-pr-commits) from 1.3.0 to 1.3.1.
- [Release notes](https://github.com/tim-actions/get-pr-commits/releases)
- [Commits](https://github.com/tim-actions/get-pr-commits/compare/v1.3.0...v1.3.1)

---
updated-dependencies:
- dependency-name: tim-actions/get-pr-commits
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-27 04:45:06 +00:00
Kir Kolyshkin d5e4c33001 Merge pull request #4205 from santidhammo/4204-fix-vendor
Fixed spelling mistake in the Makefile at .PHONY vendor
2024-02-16 10:28:32 -08:00
Kir Kolyshkin 86360598bd tests/int: fix flaky kill tests
It takes some time for the kernel to kill the process (and remove its
PID from cgroup.procs). To ensure we don't have flakes from reading
cgroup.procs right after the kill, check and wait for processes to
actually be gone.

Fixes: 4163
Reported-by: lifubang@acmcoder.com
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-02-15 13:32:33 -08:00
Sjoerd van Leent 82499d428a Fixed spelling mistake in the Makefile at .PHONY vendor
* Simple error correction of a spelling mistake which was
  introduced at commit b8f75f3

Signed-off-by: Sjoerd van Leent <sjoerd.van.leent@alliander.com>
2024-02-15 16:27:37 +01:00
Mrunal Patel 675292473b Merge pull request #4202 from kolyshkin/golangci-annot
ci/golangci-lint: add checks permission
2024-02-14 11:05:21 -08:00
Mrunal Patel bb56ed9e5f Merge pull request #4201 from kolyshkin/cleanups
libct/nsenter: rm dead code
2024-02-14 11:04:46 -08:00
Mrunal Patel aa8ba5bd59 Merge pull request #4187 from kolyshkin/gawk
tests/int: use gawk where needed
2024-02-14 11:04:09 -08:00
Kir Kolyshkin 93e377233f ci/golangci-lint: add checks permission
This permission is now needed so that the linter can annotate code in a
PR (see [1]).

[1] https://github.com/golangci/golangci-lint-action/pull/931/commits/bc1904f0c946172fc1821908fc41649db49f0334

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-02-12 22:14:41 -08:00
Kir Kolyshkin 302b2e89a6 tests/int: use gawk where needed
This expression is specific to GNU awk (gawk), so if someone has other version
of awk installed, this won't work and it's not easy to see why.

Explicitly requiring gawk here is better.

Revert "tests/int/helpers: gawk -> awk"

This reverts commit 4e65118d02.

Reported-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-02-12 14:44:42 -08:00
Kir Kolyshkin 9d2842debb Merge pull request #4200 from opencontainers/dependabot/github_actions/golangci/golangci-lint-action-4
build(deps): bump golangci/golangci-lint-action from 3 to 4
2024-02-12 14:35:20 -08:00
Kir Kolyshkin 3a9859bdc0 libct/nsenter: rm unused include
This was added by commit 9c444070 (to use LONG_MAX and INT_MAX) but the
code was later removed by commit ba0b5e26.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-02-12 13:19:12 -08:00
Kir Kolyshkin ea140db712 libct/nsenter: rm unused code
Commits b999376f and b999376f removed all users of this code.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-02-12 13:17:05 -08:00
dependabot[bot] 27cbabd00d build(deps): bump golangci/golangci-lint-action from 3 to 4
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 3 to 4.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/v3...v4)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-12 04:07:38 +00:00
lfbzhm fd4533aff2 Merge pull request #4196 from opencontainers/dependabot/go_modules/golang.org/x/net-0.21.0
build(deps): bump golang.org/x/net from 0.20.0 to 0.21.0
2024-02-10 01:15:48 +08:00