8013 Commits

Author SHA1 Message Date
Kir Kolyshkin 94133fab97 libct: factor out initProcessCgroupPath
Separate initProcessCgroupPath code out of addIntoCgroupV2.
To be used by the next patch.

While at it, describe the new scenario in which the container's
configured cgroup might not be available.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-11 11:52:59 -08:00
Akihiro Suda fffd7cfde5 Merge pull request #5109 from kolyshkin/go126-released
ci: bump Go 1.26rc2 -> 1.26.x
2026-02-11 16:17:50 +09:00
Kir Kolyshkin daa5ffcc84 ci: bump Go 1.26rc2 -> 1.26.x
Since Go 1.26.0 is released today.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-10 13:05:24 -08:00
Kir Kolyshkin d12ba865ae Merge pull request #5106 from opencontainers/dependabot/go_modules/golang.org/x/net-0.50.0
build(deps): bump golang.org/x/net from 0.49.0 to 0.50.0
2026-02-10 11:01:51 -08:00
dependabot[bot] d9879698a3 build(deps): bump golang.org/x/net from 0.49.0 to 0.50.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.49.0 to 0.50.0.
- [Commits](https://github.com/golang/net/compare/v0.49.0...v0.50.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.50.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-10 04:52:25 +00:00
lfbzhm 8cbd8f9027 Merge pull request #5104 from opencontainers/dependabot/github_actions/bats-core/bats-action-4.0.0
build(deps): bump bats-core/bats-action from 3.0.1 to 4.0.0
2026-02-09 17:10:21 +08:00
lfbzhm f60dfbcf90 Merge pull request #5105 from opencontainers/dependabot/go_modules/golang.org/x/sys-0.41.0
build(deps): bump golang.org/x/sys from 0.40.0 to 0.41.0
2026-02-09 17:09:39 +08:00
dependabot[bot] 06c7d3375e build(deps): bump golang.org/x/sys from 0.40.0 to 0.41.0
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.40.0 to 0.41.0.
- [Commits](https://github.com/golang/sys/compare/v0.40.0...v0.41.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-version: 0.41.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-09 04:53:03 +00:00
dependabot[bot] 4c7cf7d503 build(deps): bump bats-core/bats-action from 3.0.1 to 4.0.0
Bumps [bats-core/bats-action](https://github.com/bats-core/bats-action) from 3.0.1 to 4.0.0.
- [Release notes](https://github.com/bats-core/bats-action/releases)
- [Commits](https://github.com/bats-core/bats-action/compare/3.0.1...4.0.0)

---
updated-dependencies:
- dependency-name: bats-core/bats-action
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-09 04:52:53 +00:00
Kir Kolyshkin f6604e6386 Merge pull request #5098 from lifubang/fix-recattr-atime
libct/specconv: always clear entire MOUNT_ATTR__ATIME field when updating atime mode
2026-02-08 14:26:34 -08:00
lifubang 5560d55bfd libct/specconv: fix partial clear of atime mount flags
When parsing mount options into recAttrSet and recAttrClr,
the code sets attr_clr to individual atime flags (e.g.
MOUNT_ATTR_NOATIME or MOUNT_ATTR_STRICTATIME) when clearing
atime attributes. However, this violates the kernel's
requirement documented in mount_setattr(2)[1]:

> Note that, since the access-time values are an enumeration
> rather than bit values, a caller wanting to transition to a
> different access-time setting cannot simply specify the
> access-time setting in attr_set, but must also include
> MOUNT_ATTR__ATIME in the attr_clr field.  The kernel will
> verify that MOUNT_ATTR__ATIME isn't partially set in
> attr_clr (i.e., either all bits in the MOUNT_ATTR__ATIME
> bit field are either set or clear), and that attr_set
> doesn't have any access-time bits set if MOUNT_ATTR__ATIME
> isn't set in attr_clr.

Passing only a single atime flag (e.g. MOUNT_ATTR_RELATIME) in
attr_clr causes mount_setattr() to fail with EINVAL.

This change ensures that whenever an atime mode is updated,
attr_clr includes MOUNT_ATTR__ATIME to properly reset the
entire access-time attribute field before applying the new mode.

[1] https://man7.org/linux/man-pages/man2/mount_setattr.2.html

Signed-off-by: lifubang <lifubang@acmcoder.com>
2026-02-06 03:30:55 +00:00
Akihiro Suda 92c80abae1 Merge pull request #5091 from kolyshkin/go126
Fix runc exec vs go1.26 + older kernel
2026-02-04 19:43:32 +09:00
Kir Kolyshkin cb31d62f1c Fix exec vs Go 1.26
Since [PR 4812], runc exec tries to use clone3 syscall with
CLONE_INTO_CGROUP, falling back to the old method if it is not
supported.

One issue with that approach is, a

> Cmd cannot be reused after calling its [Cmd.Start], [Cmd.Run],
> [Cmd.Output], or [Cmd.CombinedOutput] methods.

(from https://pkg.go.dev/os/exec#Cmd).

This is enforced since Go 1.26, see [CL 728642], and so runc exec
actually fails in specific scenarios (go1.26 and no CLONE_INTO_CGROUP
support).

The easiest workaround is to pre-copy the p.cmd structure (copy = *cmd).
From the [CL 734200] it looks like it is an acceptable way, but it might
break in the future as it also copies the private fields, so let's do a
proper field-by-field copy. If the upstream will add cmd.Clone method,
we will switch to it.

Also, we can probably be fine with a post-copy (once the first Start has
failed), but let's be conservative here and do a pre-copy.

[PR 4812]: https://github.com/opencontainers/runc/pull/4812
[CL 728642]: https://go.dev/cl/728642
[CL 734200]: https://go.dev/cl/734200

Reported-by: Efim Verzakov <efimverzakov@gmail.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-01-29 13:49:34 -08:00
Kir Kolyshkin 82b7597a26 libct: check cmd.Err after exec.Command call
Theoretically, exec.Command can set cmd.Err.

Practically, this should never happen (Linux, Go <= 1.26, exePath is
absolute), but in the unlikely case it does, let's fail early.

This is related to the cloneCmd (to be introduced by the following
commit) which chooses to not copy the Err field. Theoretically,
exec.Command can set Err and so the first call to cmd.Start will fail
(since Err != nil), and the second call to cmd.Start may succeed because
Err == nil. Yet, this scenario is highly unlikely, but better be safe
than sorry.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-01-29 13:49:04 -08:00
Kir Kolyshkin e4e05423e4 ci: add go 1.26 rc2
This is mostly to test whether https://go.dev/cl/728642 results in
any test failures in the current CI matrix.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-01-28 17:34:14 -08:00
lfbzhm 08072e9368 Merge pull request #5093 from opencontainers/dependabot/go_modules/github.com/coreos/go-systemd/v22-22.7.0
build(deps): bump github.com/coreos/go-systemd/v22 from 22.6.0 to 22.7.0
2026-01-29 00:29:17 +08:00
dependabot[bot] 9abc1824f2 build(deps): bump github.com/coreos/go-systemd/v22 from 22.6.0 to 22.7.0
Bumps [github.com/coreos/go-systemd/v22](https://github.com/coreos/go-systemd) from 22.6.0 to 22.7.0.
- [Release notes](https://github.com/coreos/go-systemd/releases)
- [Commits](https://github.com/coreos/go-systemd/compare/v22.6.0...v22.7.0)

---
updated-dependencies:
- dependency-name: github.com/coreos/go-systemd/v22
  dependency-version: 22.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-01-28 04:52:18 +00:00
lfbzhm 3d60760d3b Merge pull request #5088 from kolyshkin/pointers 2026-01-27 08:05:02 +08:00
Kir Kolyshkin 593ac3b7d9 libct: use pointers for Process methods
The Process type is quite big (currently 368 bytes on a 64 bit Linux)
and using non-pointer receivers in its methods results in copying which
is totally unnecessary.

Change the methods to use pointer receivers.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-01-26 14:17:46 -08:00
Kir Kolyshkin 6cd91f665e libct/configs: use pointers for Config methods
The Config type is quite big (currently 554 bytes on a 64 bit Linux)
and using non-pointer receivers in its methods results in copying which
is totally unnecessary.

Change the methods to use pointer receivers.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-01-26 14:17:44 -08:00
Kir Kolyshkin 2088e000eb libct/configs: Id -> ID
Rename a function parameter (containerId -> containerID) to avoid a
linter warning:

> var-naming: method parameter containerId should be containerID (revive)

In many other places, including config.json (.linux.uidMappings and
.gidMappings) it is already called containerID, so let's rename.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-01-26 14:16:19 -08:00
lfbzhm 506a849db7 Merge pull request #5086 from opencontainers/dependabot/go_modules/github.com/sirupsen/logrus-1.9.4
build(deps): bump github.com/sirupsen/logrus from 1.9.3 to 1.9.4
2026-01-19 23:12:47 +08:00
dependabot[bot] 833e15e078 build(deps): bump github.com/sirupsen/logrus from 1.9.3 to 1.9.4
Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.3 to 1.9.4.
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sirupsen/logrus/compare/v1.9.3...v1.9.4)

---
updated-dependencies:
- dependency-name: github.com/sirupsen/logrus
  dependency-version: 1.9.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-01-16 04:52:25 +00:00
Rodrigo Campos 9b40f6af91 Merge pull request #5085 from opencontainers/dependabot/go_modules/golang.org/x/net-0.49.0
build(deps): bump golang.org/x/net from 0.48.0 to 0.49.0
2026-01-13 22:23:09 -03:00
dependabot[bot] b650eda423 build(deps): bump golang.org/x/net from 0.48.0 to 0.49.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.48.0 to 0.49.0.
- [Commits](https://github.com/golang/net/compare/v0.48.0...v0.49.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.49.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-01-13 06:33:37 +00:00
lfbzhm 3a4ffe8068 Merge pull request #5083 from opencontainers/dependabot/go_modules/golang.org/x/sys-0.40.0 2026-01-09 21:51:38 +08:00
dependabot[bot] 9e6a4cc36d build(deps): bump golang.org/x/sys from 0.39.0 to 0.40.0
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.39.0 to 0.40.0.
- [Commits](https://github.com/golang/sys/compare/v0.39.0...v0.40.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-version: 0.40.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-01-09 05:02:06 +00:00
Akihiro Suda 6dfec8bab1 Merge pull request #5081 from kolyshkin/sim
internal/sys: simplify WriteSysctls
2026-01-08 10:07:11 +09:00
Kir Kolyshkin c84a878cac internal/sys: simplify WriteSysctls
Apparently Write (and WriteString) must return an error (apparently
io.ErrShortWrite) on short writes (see [1], [2]), so no explicit check
for a short write is needed.

While at it, use (*os.File).WriteString directly rather than
io.WriteString.

[1]: https://pkg.go.dev/os#File.Write
[2]: https://pkg.go.dev/io#Writer
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-01-07 13:27:44 -08:00
Rodrigo Campos 7b39322a5d Merge pull request #5080 from lifubang/followup-5079
integration: quote shell value to prevent word splitting
2026-01-06 16:42:47 -03:00
lifubang 9632f1e198 integration: quote shell value to prevent word splitting
Signed-off-by: lifubang <lifubang@acmcoder.com>
2026-01-06 10:02:03 +00:00
Kir Kolyshkin ed01e20ee3 Merge pull request #5079 from ricardobranco777/no_new_privs
integration: Skip test for new privileges if NoNewPrivs is set
2026-01-05 16:53:46 -08:00
Ricardo Branco c1ba275d88 integration: Skip test for new privileges if NoNewPrivs is set
Signed-off-by: Ricardo Branco <rbranco@suse.de>
2026-01-06 00:55:15 +01:00
lfbzhm 561c95f7cf Merge pull request #5078 from opencontainers/dependabot/go_modules/github.com/godbus/dbus/v5-5.2.2
build(deps): bump github.com/godbus/dbus/v5 from 5.2.0 to 5.2.2
2026-01-05 14:44:20 +08:00
dependabot[bot] 9d0d5ea411 build(deps): bump github.com/godbus/dbus/v5 from 5.2.0 to 5.2.2
Bumps [github.com/godbus/dbus/v5](https://github.com/godbus/dbus) from 5.2.0 to 5.2.2.
- [Release notes](https://github.com/godbus/dbus/releases)
- [Commits](https://github.com/godbus/dbus/compare/v5.2.0...v5.2.2)

---
updated-dependencies:
- dependency-name: github.com/godbus/dbus/v5
  dependency-version: 5.2.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-30 04:02:43 +00:00
lfbzhm 4246d6a078 Merge pull request #5076 from rata/main
Update rata's email address
2025-12-21 13:05:05 +08:00
Rodrigo Campos a4b2adc566 Merge pull request #5075 from kolyshkin/fix-modernize-url
ci: fix modernize URL
2025-12-20 01:23:04 -03:00
Rodrigo Campos cf9076db56 Update rata's email address
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2025-12-19 15:01:45 -03:00
Kir Kolyshkin 0d788db46d Merge pull request #5068 from opencontainers/dependabot/github_actions/actions/upload-artifact-6
build(deps): bump actions/upload-artifact from 5 to 6
2025-12-17 19:33:19 -08:00
Kir Kolyshkin a431b11529 Merge pull request #5069 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.36.11
build(deps): bump google.golang.org/protobuf from 1.36.10 to 1.36.11
2025-12-17 19:32:27 -08:00
Kir Kolyshkin 428043bcf2 ci: fix modernize URL
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-17 11:57:00 -08:00
dependabot[bot] b4887cec32 build(deps): bump google.golang.org/protobuf from 1.36.10 to 1.36.11
Bumps google.golang.org/protobuf from 1.36.10 to 1.36.11.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-version: 1.36.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-17 01:30:19 +00:00
Kir Kolyshkin ef5e8a5505 Merge pull request #5064 from opencontainers/dependabot/go_modules/golang.org/x/net-0.48.0
build(deps): bump golang.org/x/net from 0.47.0 to 0.48.0
2025-12-16 17:29:13 -08:00
dependabot[bot] 65fe59d01d build(deps): bump golang.org/x/net from 0.47.0 to 0.48.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.47.0 to 0.48.0.
- [Commits](https://github.com/golang/net/compare/v0.47.0...v0.48.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.48.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-17 00:54:36 +00:00
Kir Kolyshkin 7658403efc Merge pull request #5050 from cyphar/release-policy-finalised
RELEASES: finalise policy
2025-12-16 16:54:27 -08:00
dependabot[bot] 3be9a054e7 build(deps): bump actions/upload-artifact from 5 to 6
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 5 to 6.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v5...v6)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-17 00:53:57 +00:00
Rodrigo Campos 58c2e4aca7 Merge pull request #5072 from kolyshkin/ci-125
CI: fix modernize job failure
2025-12-17 01:40:56 +01:00
Kir Kolyshkin 20bdd0b537 ci: use Go 1.25 for validate jobs
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-16 15:05:01 -08:00
Kir Kolyshkin dbc4234607 ci: drop -test from modernize run
The modernize documentation used to suggest -test flag but it's not
needed as it is enabled by default. Drop it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-16 15:05:01 -08:00
Kir Kolyshkin 16ee2bbf4c ci: use latest Go for modernize job
Since we use modernize@latest, it may require latest Go as well (and now it does),
so use "go-version: stable" explicitly (which resolves to latest Go).

This fixes the issue with CI:

> go: golang.org/x/tools/gopls/internal/analysis/modernize/cmd/modernize@latest: golang.org/x/tools/gopls@v0.21.0 requires go >= 1.25 (running go 1.24.11; GOTOOLCHAIN=local)

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-16 15:04:58 -08:00