Skip to content

Commit

Permalink
Merge tag 'v1.1.13' into release-1.1-m
Browse files Browse the repository at this point in the history
v1.1.13 -- "There is no certainty in the world. This is the only certainty I have."

This is the thirteenth patch release in the 1.1.z release branch of runc. It
brings in Go 1.12.x compatibility and fixes a few issues, including an
occasional wrong nofile rlimit in runc exec, and a race between runc list and
runc delete.

NOTE that if using Go 1.22.x to build runc, make sure to use 1.22.4 or a later version.
For more details, see issue opencontainers#4233.

 * Support go 1.22.4+. (opencontainers#4313)
 * runc list: fix race with runc delete. (opencontainers#4231)
 * Fix set nofile rlimit error. (opencontainers#4277, opencontainers#4299)
 * libct/cg/fs: fix setting rt_period vs rt_runtime. (opencontainers#4284)
 * Fix a debug msg for user ns in nsexec. (opencontainers#4315)
 * script/*: fix gpg usage wrt keyboxd. (opencontainers#4316)
 * CI fixes and misc backports. (opencontainers#4241)
 * Fix codespell warnings. (opencontainers#4300)
 * Silence security false positives from golang/net. (opencontainers#4244)
 * libcontainer: allow containers to make apps think fips is enabled/disabled for testing. (opencontainers#4257)
 * allow overriding VERSION value in Makefile. (opencontainers#4270)
 * Vagrantfile.fedora: bump Fedora to 39. (opencontainers#4261)
 * ci/cirrus: rm centos stream 8. (opencontainers#4305, opencontainers#4308)

Thanks to all of the contributors who made this release possible:

 * Akhil Mohan <[email protected]>
 * Akihiro Suda <[email protected]>
 * Aleksa Sarai <[email protected]>
 * Kir Kolyshkin <[email protected]>
 * Sohan Kunkerkar <[email protected]>
 * TTFISH <[email protected]>
 * kychen <[email protected]>
 * lifubang <[email protected]>
 * ls-ggg <[email protected]>

Signed-off-by: Kir Kolyshkin <[email protected]>

# -----BEGIN PGP SIGNATURE-----
#
# iQEzBAABCAAdFiEEwkKM11cg+s3PdrbqF95ey3WhEA4FAmZrFGYACgkQF95ey3Wh
# EA7DPwf9HVwO0EO3s7OuJPBCmZBp92L6AMDBmkpnE14Pi1c4DVcWtlrBna2CNnUJ
# 4Hu8rgEtT80Y8L3GBf96Wo3C1DHR6lG6dyu6FjHozWu97WfrTtw92I/254dQZnsr
# i7m+5C6Tluewr9pH6ageRI0rRYt4QPpyRihMkiZQHl44Z5ogRGJvCCkjk9nIDlxi
# ok2U5aPIw4NWPwnMg3wC6CmcviaM81kyuWh2Twc1OPwRilCPQXWblcUgqujg5tOr
# C3Z6AwiIedpMt6Nr0jdWZh9Rh0ffuOXBEiUO/K8vYqE/eDvqJd42c8ALi1HOONoU
# ZwrNWNU3o2pIQ4qz0Fs4vauK4wSs1A==
# =IFN9
# -----END PGP SIGNATURE-----
# gpg: Signature made Thu Jun 13 08:46:46 2024 PDT
# gpg:                using RSA key C2428CD75720FACDCF76B6EA17DE5ECB75A1100E
# gpg: Can't check signature: No public key

# Conflicts:
#	CHANGELOG.md
#	VERSION
#	go.mod
#	go.sum
#	vendor/golang.org/x/sys/unix/mmap_nomremap.go
#	vendor/golang.org/x/sys/windows/syscall_windows.go
#	vendor/modules.txt
  • Loading branch information
aepifanov committed Jul 11, 2024
2 parents 2e2d421 + 58aa920 commit a92c699
Show file tree
Hide file tree
Showing 41 changed files with 597 additions and 207 deletions.
8 changes: 2 additions & 6 deletions .cirrus.yml
Original file line number Diff line number Diff line change
Expand Up @@ -77,13 +77,12 @@ task:
env:
HOME: /root
CIRRUS_WORKING_DIR: /home/runc
GO_VERSION: "1.20"
GO_VERSION: "1.21"
BATS_VERSION: "v1.9.0"
RPMS: gcc git iptables jq glibc-static libseccomp-devel make criu fuse-sshfs
# yamllint disable rule:key-duplicates
matrix:
DISTRO: centos-7
DISTRO: centos-stream-8
DISTRO: centos-stream-9

name: ci / $DISTRO
Expand All @@ -105,9 +104,6 @@ task:
echo "user.max_user_namespaces=15076" > /etc/sysctl.d/userns.conf
sysctl --system
;;
centos-stream-8)
yum config-manager --set-enabled powertools # for glibc-static
;;
centos-stream-9)
dnf config-manager --set-enabled crb # for glibc-static
dnf -y install epel-release epel-next-release # for fuse-sshfs
Expand Down Expand Up @@ -181,7 +177,7 @@ task:
ssh -tt localhost "make -C /home/runc localintegration"
integration_systemd_rootless_script: |
case $DISTRO in
centos-7|centos-stream-8)
centos-7)
echo "SKIP: integration_systemd_rootless_script requires cgroup v2"
;;
*)
Expand Down
23 changes: 11 additions & 12 deletions .github/workflows/test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ jobs:
strategy:
fail-fast: false
matrix:
go-version: [1.17.x, 1.20.x, 1.21.x]
go-version: [1.17.x, 1.21.x, 1.22.x]
rootless: ["rootless", ""]
race: ["-race", ""]
criu: [""]
Expand All @@ -35,7 +35,7 @@ jobs:
steps:

- name: checkout
uses: actions/checkout@v3
uses: actions/checkout@v4

- name: install deps
if: matrix.criu == ''
Expand All @@ -46,23 +46,24 @@ jobs:
curl -fSsLl $REPO/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/devel_tools_criu.gpg > /dev/null
echo "deb $REPO/ /" | sudo tee /etc/apt/sources.list.d/criu.list
sudo apt update
sudo apt install libseccomp-dev criu sshfs
sudo apt -y install libseccomp-dev criu sshfs
- name: install deps (criu ${{ matrix.criu }})
if: matrix.criu != ''
run: |
sudo apt -q update
sudo apt -q install libseccomp-dev sshfs \
sudo apt -qy install libseccomp-dev sshfs \
libcap-dev libnet1-dev libnl-3-dev \
libprotobuf-c-dev libprotobuf-dev protobuf-c-compiler protobuf-compiler
git clone https://github.com/checkpoint-restore/criu.git ~/criu
(cd ~/criu && git checkout ${{ matrix.criu }} && sudo make install-criu)
rm -rf ~/criu
- name: install go ${{ matrix.go-version }}
uses: actions/setup-go@v4
uses: actions/setup-go@v5
with:
go-version: ${{ matrix.go-version }}
check-latest: true

- name: build
run: sudo -E PATH="$PATH" make EXTRA_FLAGS="${{ matrix.race }}" all
Expand Down Expand Up @@ -99,12 +100,12 @@ jobs:
# However, we do not have 32-bit ARM CI, so we use i386 for testing 32bit stuff.
# We are not interested in providing official support for i386.
cross-i386:
runs-on: ubuntu-20.04
runs-on: ubuntu-22.04

steps:

- name: checkout
uses: actions/checkout@v3
uses: actions/checkout@v4

- name: install deps
run: |
Expand All @@ -113,15 +114,13 @@ jobs:
sudo add-apt-repository -y ppa:criu/ppa
# apt-add-repository runs apt update so we don't have to.
# Due to a bug in apt, we have to update it first
# (see https://bugs.launchpad.net/ubuntu-cdimage/+bug/1871268)
sudo apt -q install apt
sudo apt -q install libseccomp-dev libseccomp-dev:i386 gcc-multilib criu
sudo apt -qy install libseccomp-dev libseccomp-dev:i386 gcc-multilib criu
- name: install go
uses: actions/setup-go@v4
uses: actions/setup-go@v5
with:
go-version: 1.x # Latest stable
check-latest: true

- name: unit test
run: sudo -E PATH="$PATH" -- make GOARCH=386 localunittest
62 changes: 31 additions & 31 deletions .github/workflows/validate.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,74 +8,73 @@ on:
- release-*
pull_request:
env:
GO_VERSION: 1.20.x
GO_VERSION: 1.22.x

jobs:
keyring:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- name: check runc.keyring
run: make validate-keyring

lint:
runs-on: ubuntu-20.04
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
with:
fetch-depth: 2
- uses: actions/setup-go@v4
- uses: actions/setup-go@v5
with:
go-version: "${{ env.GO_VERSION }}"
cache: false # golangci-lint-action does its own caching
- name: install deps
run: |
sudo apt -q update
sudo apt -q install libseccomp-dev
- uses: golangci/golangci-lint-action@v3
sudo apt -qy install libseccomp-dev
- uses: golangci/golangci-lint-action@v6
with:
version: v1.53
version: v1.57
# Extra linters, only checking new code from a pull request.
- name: lint-extra
if: github.event_name == 'pull_request'
run: |
golangci-lint run --config .golangci-extra.yml --new-from-rev=HEAD~1 --out-format=github-actions
golangci-lint run --config .golangci-extra.yml --new-from-rev=HEAD~1
compile-buildtags:
runs-on: ubuntu-20.04
runs-on: ubuntu-22.04
env:
# Don't ignore C warnings. Note that the output of "go env CGO_CFLAGS" by default is "-g -O2", so we keep them.
CGO_CFLAGS: -g -O2 -Werror
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- name: install go
uses: actions/setup-go@v4
uses: actions/setup-go@v5
with:
go-version: "${{ env.GO_VERSION }}"
- name: compile with no build tags
run: make BUILDTAGS=""

codespell:
runs-on: ubuntu-20.04
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- name: install deps
# Version of codespell bundled with Ubuntu is way old, so use pip.
run: pip install codespell
run: pip install codespell==v2.3.0
- name: run codespell
run: codespell

shfmt:
runs-on: ubuntu-20.04
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- name: shfmt
run: make shfmt

shellcheck:
runs-on: ubuntu-20.04
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- name: vars
run: |
echo 'VERSION=v0.8.0' >> $GITHUB_ENV
Expand All @@ -98,19 +97,20 @@ jobs:
run : ./script/check-config.sh

deps:
runs-on: ubuntu-20.04
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- name: install go
uses: actions/setup-go@v4
uses: actions/setup-go@v5
with:
go-version: "${{ env.GO_VERSION }}"
check-latest: true
- name: verify deps
run: make verify-dependencies


commit:
runs-on: ubuntu-20.04
runs-on: ubuntu-22.04
# Only check commits on pull requests.
if: github.event_name == 'pull_request'
steps:
Expand All @@ -121,34 +121,34 @@ jobs:
token: ${{ secrets.GITHUB_TOKEN }}

- name: check subject line length
uses: tim-actions/[email protected].1
uses: tim-actions/[email protected].2
with:
commits: ${{ steps.get-pr-commits.outputs.commits }}
pattern: '^.{0,72}(\n.*)*$'
error: 'Subject too long (max 72)'

cfmt:
runs-on: ubuntu-20.04
runs-on: ubuntu-22.04
steps:
- name: checkout
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: install deps
run: |
sudo apt -qq update
sudo apt -qq install indent
sudo apt -qqy install indent
- name: cfmt
run: |
make cfmt
git diff --exit-code
release:
runs-on: ubuntu-20.04
runs-on: ubuntu-22.04
steps:
- name: checkout
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
fetch-depth: 0

Expand All @@ -169,7 +169,7 @@ jobs:
- name: make releaseall
run: make releaseall
- name: upload artifacts
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: release-${{ github.run_id }}
path: release/*
9 changes: 5 additions & 4 deletions Dockerfile
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@
ARG GO_VERSION=1.20
ARG GO_VERSION=1.21
ARG BATS_VERSION=v1.9.0
ARG LIBSECCOMP_VERSION=2.5.4
ARG LIBSECCOMP_VERSION=2.5.5

FROM golang:${GO_VERSION}-bullseye
FROM golang:${GO_VERSION}-bookworm
ARG DEBIAN_FRONTEND=noninteractive
ARG CRIU_REPO=https://download.opensuse.org/repositories/devel:/tools:/criu/Debian_11
ARG CRIU_REPO=https://download.opensuse.org/repositories/devel:/tools:/criu/Debian_12

RUN KEYFILE=/usr/share/keyrings/criu-repo-keyring.gpg; \
wget -nv $CRIU_REPO/Release.key -O- | gpg --dearmor > "$KEYFILE" \
Expand All @@ -31,6 +31,7 @@ RUN KEYFILE=/usr/share/keyrings/criu-repo-keyring.gpg; \
sshfs \
sudo \
uidmap \
iproute2 \
&& apt-get clean \
&& rm -rf /var/cache/apt /var/lib/apt/lists/* /etc/apt/sources.list.d/*.list

Expand Down
2 changes: 1 addition & 1 deletion Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ PROJECT := github.com/opencontainers/runc
BUILDTAGS ?= seccomp

COMMIT ?= $(shell git describe --dirty --long --always)
VERSION := $(shell cat ./VERSION)
VERSION ?= $(shell cat ./VERSION)
LDFLAGS_COMMON := -X main.gitCommit=$(COMMIT) -X main.version=$(VERSION)

GOARCH := $(shell $(GO) env GOARCH)
Expand Down
4 changes: 4 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,10 @@ A third party security audit was performed by Cure53, you can see the full repor

`runc` only supports Linux. It must be built with Go version 1.17 or higher.

NOTE: if building with Go 1.22.x, make sure to use 1.22.4 or a later version
(see [issue #4233](https://github.com/opencontainers/runc/issues/4233) for
more details).

In order to enable seccomp support you will need to install `libseccomp` on your platform.
> e.g. `libseccomp-devel` for CentOS, or `libseccomp-dev` for Ubuntu
Expand Down
2 changes: 1 addition & 1 deletion VERSION
Original file line number Diff line number Diff line change
@@ -1 +1 @@
1.1.12-m3
1.1.13-m1
2 changes: 1 addition & 1 deletion Vagrantfile.fedora
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@

Vagrant.configure("2") do |config|
# Fedora box is used for testing cgroup v2 support
config.vm.box = "fedora/38-cloud-base"
config.vm.box = "fedora/39-cloud-base"
config.vm.provider :virtualbox do |v|
v.memory = 2048
v.cpus = 2
Expand Down
16 changes: 8 additions & 8 deletions features.go
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ var featuresCommand = cli.Command{
return err
}

tru := true
t := true

feat := features.Features{
OCIVersionMin: "1.0.0",
Expand All @@ -43,23 +43,23 @@ var featuresCommand = cli.Command{
Namespaces: specconv.KnownNamespaces(),
Capabilities: capabilities.KnownCapabilities(),
Cgroup: &features.Cgroup{
V1: &tru,
V2: &tru,
Systemd: &tru,
SystemdUser: &tru,
V1: &t,
V2: &t,
Systemd: &t,
SystemdUser: &t,
},
Apparmor: &features.Apparmor{
Enabled: &tru,
Enabled: &t,
},
Selinux: &features.Selinux{
Enabled: &tru,
Enabled: &t,
},
},
}

if seccomp.Enabled {
feat.Linux.Seccomp = &features.Seccomp{
Enabled: &tru,
Enabled: &t,
Actions: seccomp.KnownActions(),
Operators: seccomp.KnownOperators(),
Archs: seccomp.KnownArchs(),
Expand Down
6 changes: 3 additions & 3 deletions go.mod
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
module github.com/opencontainers/runc

go 1.17
go 1.18

require (
github.com/checkpoint-restore/go-criu/v5 v5.3.0
Expand All @@ -20,8 +20,8 @@ require (
// NOTE: urfave/cli must be <= v1.22.1 due to a regression: https://github.com/urfave/cli/issues/1092
github.com/urfave/cli v1.22.1
github.com/vishvananda/netlink v1.1.0
golang.org/x/net v0.23.0
golang.org/x/sys v0.18.0
golang.org/x/net v0.24.0
golang.org/x/sys v0.19.0
google.golang.org/protobuf v1.33.0
)

Expand Down
Loading

0 comments on commit a92c699

Please sign in to comment.