7561 Commits

Author SHA1 Message Date
Rodrigo Campos Catelin e669727247 Merge pull request #5111 from kolyshkin/1.3-backports
[1.3] misc backports + Go 1.24->1.25
2026-02-11 11:03:26 +01:00
Kir Kolyshkin 2d035157f1 [1.3] ci: remove Go 1.24.x, add 1.25.x
Go 1.24 is no longer supported, and Go 1.25 (which we use in Dockerfile
for official binaries) is not being tested against.

So remove Go 1.24.x and add Go 1.25.x.

We keep Go 1.23.x is this is a minimally required version for this
branch.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-10 14:31:04 -08:00
Kir Kolyshkin 551ed37e5a ci: bump shellcheck to v0.11.0
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 68771cfe51)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-10 14:17:32 -08:00
Kir Kolyshkin 4bce3cc13c Use Go 1.25 for official builds
(as well as for testing on Cirrus CI)

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 79b97d4642)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-10 14:17:32 -08:00
Kir Kolyshkin 7162479052 Bump seccomp to v2.6.0
This version was released almost a year ago.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit f4710e5023)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-10 14:17:24 -08:00
Kir Kolyshkin 3808341ef4 ci: bump bats to 1.12.0
This which is already using in CI on Fedora.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit f128234354)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-10 14:17:24 -08:00
Kir Kolyshkin f6ad11b287 ci: show criu version in criu-dev testing
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 2a7ce15e68)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-10 14:15:40 -08:00
Kir Kolyshkin 09c5eeea73 ci: bump bats to 1.11.1
Bump bats to the version from Fedora 42 (used in "fedora" job), so we
have the same version everywhere.

This also fixes an issue introduced by commit d31e6b87 (which forgot to
bump bats in GHA CI), and adds a note to the yaml in order to avoid the
same issue in the future.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 6af1d637ba)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-10 14:15:34 -08:00
Aleksa Sarai 478edba3b8 merge #5044 into opencontainers/runc:release-1.3
Li Fu Bang (2):
  VERSION: back to development
  VERSION: release 1.3.4

LGTMs: rata cyphar
2025-11-28 10:34:01 +11:00
lifubang 13cc7e92cf VERSION: back to development
Signed-off-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-28 02:58:07 +11:00
lifubang d6d73eb8c6 VERSION: release 1.3.4
Signed-off-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
v1.3.4
2025-11-28 02:58:07 +11:00
Kir Kolyshkin 2e68e04979 Merge pull request #5042 from lifubang/backport-5014-fd-leaks-flake-1.3
[1.3] libct/int: TestFdLeaks: deflake
2025-11-26 17:57:56 -08:00
Kir Kolyshkin e1a6adc946 libct/int: TestFdLeaks: deflake
Since the recent CVE fixes, TestFdLeaksSystemd sometimes fails:

	=== RUN   TestFdLeaksSystemd
	    exec_test.go:1750: extra fd 9 -> /12224/task/13831/fd
	    exec_test.go:1753: found 1 extra fds after container.Run
	--- FAIL: TestFdLeaksSystemd (0.10s)

It might have been caused by the change to the test code in commit
ff6fe13 ("utils: use safe procfs for /proc/self/fd loop code") -- we are
now opening a file descriptor during the logic to get a list of file
descriptors. If the file descriptor happens to be allocated to a
different number, you'll get an error.

Let's try to filter out the fd used to read a directory.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 5fbc3bb019)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-11-26 14:14:27 +00:00
Akihiro Suda cef8c323d0 Merge pull request #5028 from lifubang/ci-detect-fdleak-try-best-1.3
[1.3] fix fd leaks and detect them as comprehensively as possible
2025-11-26 12:48:12 +09:00
lifubang ebea1f8553 integration: verify syscall compatibility after seccomp enforcement
Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit d8706501cf)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-11-20 11:52:48 +00:00
lifubang 34e84588af downgrade github.com/cyphar/filepath-securejoin from v0.6.0 to v0.5.2
The dependency was initially slated for an upgrade from v0.6.0 to v0.6.1
to address an fd leak. However, due to compatibility constraints, we
instead downgrade to v0.5, using v0.5.2 which includes a backported fix
for the same issue.

Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-11-20 11:52:35 +00:00
lifubang ae8839acc2 bump github.com/opencontainers/s
elinux from v1.13.0 to v1.13.1

Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-11-20 11:52:35 +00:00
lifubang 52192a8e24 libct: add a defer fd close in createDeviceNode
Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit 9a5e6262f0bf4e3e654b1a0d71bb804093948f85)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-11-20 11:52:35 +00:00
lifubang 98dc593f13 libct: always close m.dstFile in mountToRootfs
Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit e0272886047915899ec06e06665723fc453d3cbf)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-11-20 11:52:35 +00:00
lifubang 167fa3f8e7 ci: detect file descriptor leaks as comprehensively as possible
Co-authored-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit ba7f46d7119dc4bf57e2a13017333d1980494ea9)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-11-20 11:52:35 +00:00
lfbzhm 769fc75893 Merge pull request #4999 from kolyshkin/1.3-check-go
[1.3] check/bump go version in Dockerfile
2025-11-20 17:51:06 +08:00
Kir Kolyshkin 7a5a90e807 Use Go 1.24.x for release binaries
Since Go 1.23 is no longer supported, we should not use it.
Go 1.23 is still supported and is probably the best bet for
the release-1.2 branch.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-20 15:24:46 +08:00
Kir Kolyshkin 99cc7bcb48 ci: add checking Go version from Dockerfile
This is to ensure that Go version in Dockerfile (which is used to build
release binaries) is:
 - currently supported;
 - used in CI tests.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit df4acc8867)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-20 15:24:46 +08:00
Kir Kolyshkin 4b76986b98 ci: faster git clone
For some reason, some jobs in .github/workflows/validate.yml
have "fetch-depth: 0" argument to actions/checkout, meaning
"all history for all branches and tags". Obviously this is
not needed here.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit e0b00171eb0f338cf024760019abdd4e7dec690f)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 0200ccb53d9265c43f203fb98a9862407835eb23)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-20 15:24:46 +08:00
dependabot[bot] 59a7a5270c build(deps): bump actions/checkout from 4 to 5
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 5.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit cfb22c9a0f)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-20 15:24:46 +08:00
lfbzhm b1be4553c4 Merge pull request #5031 from cyphar/1.3-5017-ci-pin-parent-cgroup
[1.3] ci: ensure the cgroup parent always exists for rootless
2025-11-20 09:14:16 +08:00
lifubang 9ddb71d163 ci: ensure the cgroup(v1) parent always exists for rootless
On some systems (e.g., AlmaLinux 8), systemd automatically removes cgroup paths
when they become empty (i.e., contain no processes). To prevent this, we spawn
a dummy process to pin the cgroup in place.
Fix: https://github.com/opencontainers/runc/issues/5003

Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit bba7647d09)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-20 03:28:40 +11:00
Aleksa Sarai d30192b5b0 Merge pull request #4996 from kolyshkin/1.3-4970
[1.3] disable golangci-lint cache
2025-11-11 15:05:25 +11:00
lfbzhm c8787a6c5c Merge pull request #4975 from cyphar/1.3-tmpfs-mode
[1.3] rootfs: only set mode= for tmpfs mount if target already existed
2025-11-11 09:28:04 +08:00
lfbzhm c5656667e4 Merge pull request #4979 from cyphar/1.3-selinux-1.13
[1.3] deps: update to github.com/opencontainers/selinux@v0.13.0
2025-11-11 09:23:43 +08:00
dependabot[bot] 612d46ea37 build(deps): bump golangci/golangci-lint-action from 8 to 9
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 8 to 9.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/v8...v9)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-version: '9'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit c0db4632d2)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-10 15:53:25 -08:00
dependabot[bot] 1a40cc91a9 build(deps): bump golangci/golangci-lint-action from 7 to 8
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 7 to 8.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/v7...v8)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-version: '8'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit c1958d8844)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-10 15:53:21 -08:00
Kir Kolyshkin be6ea0662f ci: bump golangci-lint to v2.6
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 49780ce734)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-10 15:52:32 -08:00
Kir Kolyshkin f17a5e1515 ci: disable golangci-lint cache
This will result in slower runs but we are having issues with
golangci-lint (false positives) that are most probably related
to caching.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 96dfa9de54)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-10 15:52:14 -08:00
Aleksa Sarai daf9664eb4 rootfs: only set mode= for tmpfs mount if target already existed
This was always the intended behaviour but commit 72fbb34f50 ("rootfs:
switch to fd-based handling of mountpoint targets") regressed it when
adding a mechanism to create a file handle to the target if it didn't
already exist (causing the later stat to always succeed).

A lot of people depend on this functionality, so add some tests to make
sure we don't break it in the future.

Fixes: 72fbb34f50 ("rootfs: switch to fd-based handling of mountpoint targets")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 9a9719eeb4)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-11 03:11:53 +11:00
Aleksa Sarai b9df996b68 deps: update to github.com/opencontainers/selinux@v0.13.0
This new version includes the fixes for CVE-2025-52881, so we can remove
the internal/third_party copy of the library we added in commit
ed6b1693b8 ("selinux: use safe procfs API for labels") as well as the
"replace" directive in go.mod (which is problematic for "go get"
installs).

Fixes: ed6b1693b8 ("selinux: use safe procfs API for labels")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 96f1962f91)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-08 02:18:50 +11:00
lfbzhm 90627f6288 Merge pull request #4966 from cyphar/1.3-4964-fix-mips
[1.3] libct: fix mips compilation
2025-11-06 11:23:34 +08:00
Kir Kolyshkin 9381215c1f libct: fix mips compilation
On MIPS arches, Rdev is uint32 so we have to convert it.

Fixes issue 4962.

Fixes: 8476df83 ("libct: add/use isDevNull, verifyDevNull")
Fixes: de87203e ("console: verify /dev/pts/ptmx before use")
Fixes: 398955bc ("console: add fallback for pre-TIOCGPTPEER kernels")
Reported-by: Tianon Gravi <admwiggin@gmail.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 1b954f1f06)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-06 13:46:38 +11:00
Aleksa Sarai 3cf50999ce merge security release into opencontainers/runc:release-1.3
Aleksa Sarai (24):
  VERSION: back to development
  VERSION: release v1.3.3
  rootfs: re-allow dangling symlinks in mount targets
  openat2: improve resilience on busy systems
  selinux: use safe procfs API for labels
  rootfs: switch to fd-based handling of mountpoint targets
  libct/system: use securejoin for /proc/$pid/stat
  init: use securejoin for /proc/self/setgroups
  init: write sysctls using safe procfs API
  utils: remove unneeded EnsureProcHandle
  utils: use safe procfs for /proc/self/fd loop code
  apparmor: use safe procfs API for labels
  ci: add lint to forbid the usage of os.Create
  rootfs: avoid using os.Create for new device inodes
  internal: add wrappers for securejoin.Proc*
  go.mod: update to github.com/cyphar/filepath-securejoin@v0.5.0
  console: verify /dev/pts/ptmx before use
  console: avoid trivial symlink attacks for /dev/console
  console: add fallback for pre-TIOCGPTPEER kernels
  console: use TIOCGPTPEER when allocating peer PTY
  *: switch to safer securejoin.Reopen
  internal: move utils.MkdirAllInRoot to internal/pathrs
  internal/sys: add VerifyInode helper
  internal: linux: add package doc-comment

Li Fubang (1):
  libct: align param type for mountCgroupV1/V2 functions

Kir Kolyshkin (3):
  libct: maskPaths: don't rely on ENOTDIR for mount
  libct: maskPaths: only ignore ENOENT on mount dest
  libct: add/use isDevNull, verifyDevNull

Fixes: CVE-2025-31133 GHSA-9493-h29p-rfm2
Fixes: CVE-2025-52565 GHSA-qw9x-cqr3-wc7r
Fixes: CVE-2025-52881 GHSA-cgrx-mc8f-2prm
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-05 20:29:41 +11:00
Aleksa Sarai 8f6e8b45d6 VERSION: back to development
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-05 20:06:49 +11:00
Aleksa Sarai d842d77194 VERSION: release v1.3.3
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
v1.3.3
2025-11-05 20:06:20 +11:00
Aleksa Sarai b370bafce9 merge private security patches into ghsa-release-1.3.3
Aleksa Sarai (22):
  rootfs: re-allow dangling symlinks in mount targets
  openat2: improve resilience on busy systems
  selinux: use safe procfs API for labels
  rootfs: switch to fd-based handling of mountpoint targets
  libct/system: use securejoin for /proc/$pid/stat
  init: use securejoin for /proc/self/setgroups
  init: write sysctls using safe procfs API
  utils: remove unneeded EnsureProcHandle
  utils: use safe procfs for /proc/self/fd loop code
  apparmor: use safe procfs API for labels
  ci: add lint to forbid the usage of os.Create
  rootfs: avoid using os.Create for new device inodes
  internal: add wrappers for securejoin.Proc*
  go.mod: update to github.com/cyphar/filepath-securejoin@v0.5.0
  console: verify /dev/pts/ptmx before use
  console: avoid trivial symlink attacks for /dev/console
  console: add fallback for pre-TIOCGPTPEER kernels
  console: use TIOCGPTPEER when allocating peer PTY
  *: switch to safer securejoin.Reopen
  internal: move utils.MkdirAllInRoot to internal/pathrs
  internal/sys: add VerifyInode helper
  internal: linux: add package doc-comment

Li Fubang (1):
  libct: align param type for mountCgroupV1/V2 functions

Kir Kolyshkin (3):
  libct: maskPaths: don't rely on ENOTDIR for mount
  libct: maskPaths: only ignore ENOENT on mount dest
  libct: add/use isDevNull, verifyDevNull

Fixes: CVE-2025-31133 GHSA-9493-h29p-rfm2
Fixes: CVE-2025-52565 GHSA-qw9x-cqr3-wc7r
Fixes: CVE-2025-52881 GHSA-cgrx-mc8f-2prm
Reported-by: Lei Wang <ssst0n3@gmail.com>
Reported-by: Li Fubang <lifubang@acmcoder.com>
Reported-by: Tõnis Tiigi <tonistiigi@gmail.com>
Reported-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-05 20:05:20 +11:00
Aleksa Sarai 4edba17619 rootfs: re-allow dangling symlinks in mount targets
It seems there are a fair few images where dangling symlinks are used as
path components for mount targets, which pathrs-lite does not support
(and it would be difficult to fully support this in a race-free way).

This was actually meant to be blocked by commit 63c2908164 ("rootfs:
try to scope MkdirAll to stay inside the rootfs"), followed by commit
dd827f7b71 ("utils: switch to securejoin.MkdirAllHandle"). However, we
still used SecureJoin to construct mountpoint targets, which means that
dangling symlinks were "resolved" before reaching pathrs-lite.

This patch basically re-adds this hack in order to reduce the breakages
we've seen so far.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-05 19:55:06 +11:00
Aleksa Sarai aca52c4690 openat2: improve resilience on busy systems
Previously, we would see a ~3% failure rate when starting containers
with mounts that contain ".." (which can trigger -EAGAIN). To counteract
this, filepath-securejoin v0.5.1 includes a bump of the internal retry
limit from 32 to 128, which lowers the failure rate to 0.12%.

However, there is still a risk of spurious failure on regular systems.
In order to try to provide more resilience (while avoiding DoS attacks),
this patch also includes an additional retry loop that terminates based
on a deadline rather than retry count. The deadline is 2ms, as my
testing found that ~800us for a single pathrs operation was the longest
latency due to -EAGAIN retries, and that was an outlier compared to the
more common ~400us latencies -- so 2ms should be more than enough for
any real system.

The failure rates above were based on more 50k runs of runc with an
attack script (from libpathrs) running a rename attack on all cores of a
16-core system, which is arguably a worst-case but heavily utilised
servers could likely approach similar results.

Tested-by: Phil Estes <estesp@gmail.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-05 19:54:30 +11:00
Aleksa Sarai 8b7e3d7fe2 merge #4931 into opencontainers/runc:release-1.3
Aleksa Sarai (2):
  tests: bfq: skip tests on misbehaving udev systems
  tests: clean up loopback devices properly

Kir Kolyshkin (3):
  tests/int/update: fix getting block major
  runc update: handle duplicated devs properly
  runc update: support per-device weight and iops

LGTMs: lifubang cyphar
2025-10-16 18:24:00 +11:00
Aleksa Sarai 2e82e55edb tests: bfq: skip tests on misbehaving udev systems
openSUSE has an unfortunate default udev setup which forcefully sets all
loop devices to use the "none" scheduler, even if you manually set it.
As this is a property of the host configuration (and udev is monitoring
from the host) we cannot really change this behaviour from inside our
test container.

So we should just skip the test in this (hopefully unusual) case.
Ideally tools running the test suite should disable this behaviour when
running our test suite.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit e6b4b5a128)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-10-15 23:17:02 -07:00
Aleksa Sarai f1627a7ab7 tests: clean up loopback devices properly
If an error occurs during a test which sets up loopback devices, the
loopback device is not freed. Since most systems have very conservative
limits on the number of loopback devices, re-running a failing test
locally to debug it often ends up erroring out due to loopback device
exhaustion.

So let's just move the "losetup -d" to teardown, where it belongs.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit ceef984fb3)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-10-15 23:17:02 -07:00
Kir Kolyshkin 178e03c7f3 tests/int/update: fix getting block major
Apparently, having a minor of 0 does not always mean it's the
whole device (not a partition):

	 === /proc/partitions (using major: 259) ===
	 major minor  #blocks  name

	    8       16   78643200 sdb
	    8       17   77593583 sdb1
	    8       30       4096 sdb14
	    8       31     108544 sdb15
	  259        0     934912 sdb16
	    8        0   78643200 sda
	    8        1   78641152 sda1

Rewrite the test to not assume minor is 0, and use
lsblk -d to find out whole devices.

This fixes a test case which was added in commit 7696402da.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 46dac589c1)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-10-15 23:17:02 -07:00
Kir Kolyshkin f14cad5a43 runc update: handle duplicated devs properly
In case there's a duplicate in the device list, the latter entry
overrides the former one.

So, we need to modify the last entry, not the first one. To do that,
use slices.Backward.

Amend the test case to test the fix.

Reported-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 0b01dccfbb)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-10-15 23:17:02 -07:00
Kir Kolyshkin 80da60e12d runc update: support per-device weight and iops
This support was missing from runc, and thus the example from the
podman-update wasn't working.

To fix, introduce a function to either update or insert new weights and iops.

Add integration tests.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 7696402dac)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-10-15 23:17:02 -07:00