Sometimes we need to run runc through some wrapper (like nohup), but
because "__runc" and "runc" are bash functions in our test suite this
doesn't work trivially -- and you cannot just pass "$RUNC" because you
you need to set --root for rootless tests.
So create a setup_runc_cmdline helper which sets $RUNC_CMDLINE to the
beginning cmdline used by __runc (and switch __runc to use that).
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(Cherry-pick of commit d1f6acfab06e6f5eb15b7edfaa704f50907907b1.)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
"runc" was a special wrapper around bats's "run" which output some very
useful diagnostic information to the bats log, but this was not usable
for other commands. So let's make it a more generic helper that we can
use for other commands.
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(Cherry-pick of commit ea385de40c9a006737399bc72918a19e5d038736.)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
The issue on arm [1] is now fixed, so let's get back to using the
packaged criu version for most of the CI matrix.
This reverts commit 105674844e
("ci: use criu built from source on gha arm").
[1]: https://github.com/checkpoint-restore/criu/issues/2709
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(Cherry-picked from commit 96f4a90a6b1ca9e3f2011ebaeffb7dc52db2ca32.)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Currently, criu package from opensuse build farm times out on GHA arm,
so let's only use criu-dev (i.e. compiled from source on CI machine).
Once this is fixed, this patch can be reverted.
Related to criu issue 2709.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(Cherry-picked from commit 105674844eaaf24bf14135ef0c64703e511882ab.)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Since GHA now provides ARM, we can switch away from actuated.
Many thanks to @alexellis (@self-actuated) for being the sponsor of this
project.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(Cherry-picked from commit 1cf096803abb770c414ce0a1e2e0be283b09001d.)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Prevent --l3-cache-schema from clearing the intel_rdt.memBwSchema state
and --mem-bw-schema clearing l3_cache_schema, respectively.
Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
(cherry picked from commit 57b6a317bb)
This was added in 2ee9cbbd12 ("It's /proc/stat, not /proc/stats") with
no actual justification, and doesn't really make much sense on further
inspection:
* /proc/net is a symlink to "self/net", which means that /proc/net/dev
is a per-process file, and so overmounting it would only affect pid1.
Any other program that cares about /proc/net/dev would see their own
process's configuration, and unprivileged processes wouldn't be able
to see /proc/1/... data anyway.
In addition, the fact that this is a symlink means that runc will
deny the overmount because /proc/1/net/dev is not in the proc
overmount allowlist. This means that this has not worked for many
years, and probably never worked in the first place.
* /proc/self/net is already namespaced with network namespaces, so the
primary argument for allowing /proc overmounts (lxcfs-like masking of
procfs files to emulate namespacing for files that are not properly
namespaced for containers -- such as /proc/cpuinfo) is moot.
It goes without saying that lxcfs has never overmounted
/proc/self/net/... files, so the general "because lxcfs"
justification doesn't hold water either.
* The kernel has slowly been moving towards blocking overmounts in
/proc/self/. Linux 6.12 blocked overmounts for fd, fdinfo, and
map_files; future Linux versions will probably end up blocking
everything under /proc/self/.
Fixes: 2ee9cbbd12 ("It's /proc/stat, not /proc/stats")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry-picked from commit 3620185d06b79da836559b75161027c6273fff7b.)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
The dmem controller is added into kernel v6.13 and is now enabled in
Fedora 42 kernels. Yet, systemd is not aware of dmem.
This fixes the test case failure on Fedora.
For the initial test case, see commit 27515719.
For earlier commits similar to this one, see
commits 601cf582, 05272718, e83ca519.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit b3432118ed)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
The per-file deprecation in cgroup_deprecated.go is not working,
let's replace it.
Link to Hooks.Run in Hook.Run deprecation notice.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit b25bcaa8b3)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
When we run CI not on a pull request, the commit job is skipped, as a
result, all-done is also skipped.
To allow all-done to succeed, modify the commit job to succeed for
non-PRs.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 43955a0d28b1f8748ddcc3fcb65fbbf3d2d52d27)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
... or from another job.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 9d970f1dfb890e8c28f1cec7ad58cf414fab3684)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Commit 874207492 neglects to update the exclusion rules when bumping Go
releases, and so we no longer exclude running on actuated with older Go
release, or running with criu-dev with older Go release.
Fixes: 874207492 ("CI: add Go 1.24, drop go1.22")
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 0628b1e5a0d909627594f4e2df20a8e4ee57e51c)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
We already have the indirect require for 1.17.3, that comes
opencontainers/cgroups[1]. That module requires that version as min, so
go can't use older versions. We can just remove the excludes.
There might be cases where people can use runc as a dependency and use
replace to override it (not sure, but probably). We were clear on what
our dependencies are, so we can sleep fine. In the unlikely case that
some project uses runc as a dependency and:
* Uses a replace for cilium v0.17.x but not the latest patch release (0.17.3 is fixed)
* they run with 32bits
* and hit this (that didn't happen always on CI)
* Ignore the changelog for 0.17.3 that mentions the buffer overflow on
32 bits platforms[2].
In that case, if we have a bug report, we can point them to the right
place. But 0.17.3 was released for some months now (most people probably
update) and 0.18.0 was released recently. I wouldn't worry about someone
hitting this in real life.
Also, the excludes directives prevent go install from working, so let's
just remove them.
[1]: https://github.com/opencontainers/cgroups/blob/9657f5a18b8d60a0f39fbb34d0cb7771e28e6278/go.mod#L6
[2]: https://github.com/cilium/ebpf/releases/tag/v0.17.3
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
(cherry picked from commit 67b8a68599)
This ensures that if runc is built without the provided Makefile, the
version is still properly set.
No change in the output.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit c12c99b7d2)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Instead of setting cli.App.Version in main, let's set up
cli.VersionPrinter. This way, we only get various versions
when needed.
Note it does not change the output of runc --version.
It changes the output of runc --help though, and I think it's for the
better.
Before this patch:
> $ runc help
> ...
> USAGE:
> runc [global options] command [command options] [arguments...]
>
> VERSION:
> 1.3.0-rc.1+dev
> commit: v1.3.0-rc.1-93-g932e8342
> spec: 1.2.1
> go: go1.24.2
> libseccomp: 2.5.5
>
> COMMANDS:
> checkpoint checkpoint a running container
> ...
After:
> $ runc help
> ...
> USAGE:
> runc [global options] command [command options] [arguments...]
>
> VERSION:
> 1.3.0-rc.1+dev
>
> COMMANDS:
> checkpoint checkpoint a running container
> ...
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit d54eaaf2c2)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
The new configuration file was initially generated by golangci-lint
migrate, when tweaked to minimize and simplify.
golangci-lint v2 switches to a new version of staticcheck which shows
much more warnings. Some of them were fixed by a few previous commits,
and the rest of them are disabled.
In particular, ST1005 had to be disabled (an attempt to fix it was made
in https://github.com/opencontainers/runc/pull/3857 but it wasn't
merged).
Also, golangci-extra was modified to include ALL staticcheck linters.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 127e8e68d3)
Signed-off-by: lifubang <lifubang@acmcoder.com>
> libcontainer/intelrdt/cmt.go:5:1: ST1020: comment on exported function IsCMTEnabled should be of the form "IsCMTEnabled ..." (staticcheck)
> // Check if Intel RDT/CMT is enabled.
> ^
> libcontainer/intelrdt/intelrdt.go:419:1: ST1020: comment on exported function IsCATEnabled should be of the form "IsCATEnabled ..." (staticcheck)
> // Check if Intel RDT/CAT is enabled
> ^
> libcontainer/intelrdt/intelrdt.go:425:1: ST1020: comment on exported function IsMBAEnabled should be of the form "IsMBAEnabled ..." (staticcheck)
> // Check if Intel RDT/MBA is enabled
> ^
> libcontainer/intelrdt/intelrdt.go:446:1: ST1020: comment on exported method Apply should be of the form "Apply ..." (staticcheck)
> // Applies Intel RDT configuration to the process with the specified pid
> ^
> libcontainer/intelrdt/intelrdt.go:481:1: ST1020: comment on exported method Destroy should be of the form "Destroy ..." (staticcheck)
> // Destroys the Intel RDT container-specific 'container_id' group
> ^
> libcontainer/intelrdt/intelrdt.go:497:1: ST1020: comment on exported method GetPath should be of the form "GetPath ..." (staticcheck)
> // Returns Intel RDT path to save in a state file and to be able to
> ^
> libcontainer/intelrdt/intelrdt.go:506:1: ST1020: comment on exported method GetStats should be of the form "GetStats ..." (staticcheck)
> // Returns statistics for Intel RDT
> ^
> libcontainer/intelrdt/mbm.go:6:1: ST1020: comment on exported function IsMBMEnabled should be of the form "IsMBMEnabled ..." (staticcheck)
> // Check if Intel RDT/MBM is enabled.
> ^
> 8 issues:
> * staticcheck: 8
While at it, add missing periods.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 9b3ccc19a6)
Signed-off-by: lifubang <lifubang@acmcoder.com>
I was pretty sure we have a linter for these but apparently we did not.
> libcontainer/capabilities/capabilities.go:108:1: ST1020: comment on exported method ApplyCaps should be of the form "ApplyCaps ..." (staticcheck)
> // Apply sets all the capabilities for the current process in the config.
> ^
>
>
> types/events.go:15:1: ST1021: comment on exported type Stats should be of the form "Stats ..." (with optional leading article) (staticcheck)
> // stats is the runc specific stats structure for stability when encoding and decoding stats.
> ^
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 30f8acabf6)
Signed-off-by: lifubang <lifubang@acmcoder.com>
> notify_socket.go:44:24: ST1016: methods on the same type should have the same receiver name (seen 1x "n", 5x "s") (staticcheck)
> func (s *notifySocket) Close() error {
> ^
As reported by staticcheck from golangci-lint v2.0.0
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit fdb691632d)
Signed-off-by: lifubang <lifubang@acmcoder.com>
While debugging an issue involving failing mounts, I discovered that
just returning the plain mount error message when we are in the fallback
code for handling locked mounts leads to unnecessary confusion.
It also doesn't help that podman currently forcefully sets "rw" on
mounts, which means that rootless containers are likely to hit the
locked mounts issue fairly often.
So we should improve our error messages to explain why the mount is
failing in the locked flags case.
Fixes: 7c71a22705 ("rootfs: remove --no-mount-fallback and finally fix MS_REMOUNT")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 58c3ab77b0)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
When reading mount errors, it is quite hard to make sense of mount flags
in their hex form. As this is the error path, the minor performance
impact of constructing a string is probably not worth hyper-optimising.
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 30302a2850)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
For some reason, ssh-keygen is unable to write to /root even as root on
AlmaLinux 8:
# id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0
# id -Z
ls -ld /root
# ssh-keygen -t ecdsa -N "" -f /root/rootless.key || cat /var/log/audit/audit.log
Saving key "/root/rootless.key" failed: Permission denied
The audit.log shows:
> type=AVC msg=audit(1744834995.352:546): avc: denied { dac_override } for pid=13471 comm="ssh-keygen" capability=1 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:system_r:ssh_keygen_t:s0 tclass=capability permissive=0
> type=SYSCALL msg=audit(1744834995.352:546): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5641c7587520 a2=241 a3=180 items=0 ppid=4978 pid=13471 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)␝ARCH=x86_64 SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
A workaround is to use /root/.ssh directory instead of just /root.
While at it, let's unify rootless user and key setup into a single place.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 87ae2f8466)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
We are seeing a ton on flakes on almalinux-8 CI job, all caused by criu
inability to freeze a cgroup. This was worked around in criu [1], but
obviously we can't rely on a distro vendor to update the package.
Let's use a copr (thanks to Adrian Reber!)
[1]: https://github.com/checkpoint-restore/criu/pull/2545
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit b520f750ef)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>