diff --git a/.cirrus.yml b/.cirrus.yml index cfd238f154e..981f85a876b 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -77,13 +77,12 @@ task: env: HOME: /root CIRRUS_WORKING_DIR: /home/runc - GO_VERSION: "1.20" + GO_VERSION: "1.21" BATS_VERSION: "v1.9.0" RPMS: gcc git iptables jq glibc-static libseccomp-devel make criu fuse-sshfs # yamllint disable rule:key-duplicates matrix: DISTRO: centos-7 - DISTRO: centos-stream-8 DISTRO: centos-stream-9 name: ci / $DISTRO @@ -105,9 +104,6 @@ task: echo "user.max_user_namespaces=15076" > /etc/sysctl.d/userns.conf sysctl --system ;; - centos-stream-8) - yum config-manager --set-enabled powertools # for glibc-static - ;; centos-stream-9) dnf config-manager --set-enabled crb # for glibc-static dnf -y install epel-release epel-next-release # for fuse-sshfs @@ -181,7 +177,7 @@ task: ssh -tt localhost "make -C /home/runc localintegration" integration_systemd_rootless_script: | case $DISTRO in - centos-7|centos-stream-8) + centos-7) echo "SKIP: integration_systemd_rootless_script requires cgroup v2" ;; *) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 53feeece8f4..a3cf78bd302 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -21,7 +21,7 @@ jobs: strategy: fail-fast: false matrix: - go-version: [1.17.x, 1.20.x, 1.21.x] + go-version: [1.17.x, 1.21.x, 1.22.x] rootless: ["rootless", ""] race: ["-race", ""] criu: [""] @@ -35,7 +35,7 @@ jobs: steps: - name: checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: install deps if: matrix.criu == '' @@ -46,13 +46,13 @@ jobs: curl -fSsLl $REPO/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/devel_tools_criu.gpg > /dev/null echo "deb $REPO/ /" | sudo tee /etc/apt/sources.list.d/criu.list sudo apt update - sudo apt install libseccomp-dev criu sshfs + sudo apt -y install libseccomp-dev criu sshfs - name: install deps (criu ${{ matrix.criu }}) if: matrix.criu != '' run: | sudo apt -q update - sudo apt -q install libseccomp-dev sshfs \ + sudo apt -qy install libseccomp-dev sshfs \ libcap-dev libnet1-dev libnl-3-dev \ libprotobuf-c-dev libprotobuf-dev protobuf-c-compiler protobuf-compiler git clone https://github.com/checkpoint-restore/criu.git ~/criu @@ -60,9 +60,10 @@ jobs: rm -rf ~/criu - name: install go ${{ matrix.go-version }} - uses: actions/setup-go@v4 + uses: actions/setup-go@v5 with: go-version: ${{ matrix.go-version }} + check-latest: true - name: build run: sudo -E PATH="$PATH" make EXTRA_FLAGS="${{ matrix.race }}" all @@ -99,12 +100,12 @@ jobs: # However, we do not have 32-bit ARM CI, so we use i386 for testing 32bit stuff. # We are not interested in providing official support for i386. cross-i386: - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: - name: checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: install deps run: | @@ -113,15 +114,13 @@ jobs: sudo add-apt-repository -y ppa:criu/ppa # apt-add-repository runs apt update so we don't have to. - # Due to a bug in apt, we have to update it first - # (see https://bugs.launchpad.net/ubuntu-cdimage/+bug/1871268) - sudo apt -q install apt - sudo apt -q install libseccomp-dev libseccomp-dev:i386 gcc-multilib criu + sudo apt -qy install libseccomp-dev libseccomp-dev:i386 gcc-multilib criu - name: install go - uses: actions/setup-go@v4 + uses: actions/setup-go@v5 with: go-version: 1.x # Latest stable + check-latest: true - name: unit test run: sudo -E PATH="$PATH" -- make GOARCH=386 localunittest diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index d97b1afe366..f90a3613283 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -8,74 +8,73 @@ on: - release-* pull_request: env: - GO_VERSION: 1.20.x + GO_VERSION: 1.22.x jobs: keyring: runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: check runc.keyring run: make validate-keyring lint: - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: fetch-depth: 2 - - uses: actions/setup-go@v4 + - uses: actions/setup-go@v5 with: go-version: "${{ env.GO_VERSION }}" - cache: false # golangci-lint-action does its own caching - name: install deps run: | sudo apt -q update - sudo apt -q install libseccomp-dev - - uses: golangci/golangci-lint-action@v3 + sudo apt -qy install libseccomp-dev + - uses: golangci/golangci-lint-action@v6 with: - version: v1.53 + version: v1.57 # Extra linters, only checking new code from a pull request. - name: lint-extra if: github.event_name == 'pull_request' run: | - golangci-lint run --config .golangci-extra.yml --new-from-rev=HEAD~1 --out-format=github-actions + golangci-lint run --config .golangci-extra.yml --new-from-rev=HEAD~1 compile-buildtags: - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 env: # Don't ignore C warnings. Note that the output of "go env CGO_CFLAGS" by default is "-g -O2", so we keep them. CGO_CFLAGS: -g -O2 -Werror steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: install go - uses: actions/setup-go@v4 + uses: actions/setup-go@v5 with: go-version: "${{ env.GO_VERSION }}" - name: compile with no build tags run: make BUILDTAGS="" codespell: - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: install deps # Version of codespell bundled with Ubuntu is way old, so use pip. - run: pip install codespell + run: pip install codespell==v2.3.0 - name: run codespell run: codespell shfmt: - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: shfmt run: make shfmt shellcheck: - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: vars run: | echo 'VERSION=v0.8.0' >> $GITHUB_ENV @@ -98,19 +97,20 @@ jobs: run : ./script/check-config.sh deps: - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: install go - uses: actions/setup-go@v4 + uses: actions/setup-go@v5 with: go-version: "${{ env.GO_VERSION }}" + check-latest: true - name: verify deps run: make verify-dependencies commit: - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 # Only check commits on pull requests. if: github.event_name == 'pull_request' steps: @@ -121,23 +121,23 @@ jobs: token: ${{ secrets.GITHUB_TOKEN }} - name: check subject line length - uses: tim-actions/commit-message-checker-with-regex@v0.3.1 + uses: tim-actions/commit-message-checker-with-regex@v0.3.2 with: commits: ${{ steps.get-pr-commits.outputs.commits }} pattern: '^.{0,72}(\n.*)*$' error: 'Subject too long (max 72)' cfmt: - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: - name: checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 - name: install deps run: | sudo apt -qq update - sudo apt -qq install indent + sudo apt -qqy install indent - name: cfmt run: | make cfmt @@ -145,10 +145,10 @@ jobs: release: - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: - name: checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 @@ -169,7 +169,7 @@ jobs: - name: make releaseall run: make releaseall - name: upload artifacts - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: release-${{ github.run_id }} path: release/* diff --git a/Dockerfile b/Dockerfile index d24756bc1fc..6337332f8db 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,10 +1,10 @@ -ARG GO_VERSION=1.20 +ARG GO_VERSION=1.21 ARG BATS_VERSION=v1.9.0 -ARG LIBSECCOMP_VERSION=2.5.4 +ARG LIBSECCOMP_VERSION=2.5.5 -FROM golang:${GO_VERSION}-bullseye +FROM golang:${GO_VERSION}-bookworm ARG DEBIAN_FRONTEND=noninteractive -ARG CRIU_REPO=https://download.opensuse.org/repositories/devel:/tools:/criu/Debian_11 +ARG CRIU_REPO=https://download.opensuse.org/repositories/devel:/tools:/criu/Debian_12 RUN KEYFILE=/usr/share/keyrings/criu-repo-keyring.gpg; \ wget -nv $CRIU_REPO/Release.key -O- | gpg --dearmor > "$KEYFILE" \ @@ -31,6 +31,7 @@ RUN KEYFILE=/usr/share/keyrings/criu-repo-keyring.gpg; \ sshfs \ sudo \ uidmap \ + iproute2 \ && apt-get clean \ && rm -rf /var/cache/apt /var/lib/apt/lists/* /etc/apt/sources.list.d/*.list diff --git a/Makefile b/Makefile index e3af9bc13cc..5c475b31f8d 100644 --- a/Makefile +++ b/Makefile @@ -12,7 +12,7 @@ PROJECT := github.com/opencontainers/runc BUILDTAGS ?= seccomp COMMIT ?= $(shell git describe --dirty --long --always) -VERSION := $(shell cat ./VERSION) +VERSION ?= $(shell cat ./VERSION) LDFLAGS_COMMON := -X main.gitCommit=$(COMMIT) -X main.version=$(VERSION) GOARCH := $(shell $(GO) env GOARCH) diff --git a/README.md b/README.md index d428c686ea2..3b159978fa3 100644 --- a/README.md +++ b/README.md @@ -28,6 +28,10 @@ A third party security audit was performed by Cure53, you can see the full repor `runc` only supports Linux. It must be built with Go version 1.17 or higher. +NOTE: if building with Go 1.22.x, make sure to use 1.22.4 or a later version +(see [issue #4233](https://github.com/opencontainers/runc/issues/4233) for +more details). + In order to enable seccomp support you will need to install `libseccomp` on your platform. > e.g. `libseccomp-devel` for CentOS, or `libseccomp-dev` for Ubuntu diff --git a/VERSION b/VERSION index dd5f4621b31..06c72e74e29 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.1.12-m3 +1.1.13-m1 diff --git a/Vagrantfile.fedora b/Vagrantfile.fedora index 0df6115d503..1a1b2b2d7a2 100644 --- a/Vagrantfile.fedora +++ b/Vagrantfile.fedora @@ -3,7 +3,7 @@ Vagrant.configure("2") do |config| # Fedora box is used for testing cgroup v2 support - config.vm.box = "fedora/38-cloud-base" + config.vm.box = "fedora/39-cloud-base" config.vm.provider :virtualbox do |v| v.memory = 2048 v.cpus = 2 diff --git a/features.go b/features.go index c9cd15cd09d..26fc6438623 100644 --- a/features.go +++ b/features.go @@ -27,7 +27,7 @@ var featuresCommand = cli.Command{ return err } - tru := true + t := true feat := features.Features{ OCIVersionMin: "1.0.0", @@ -43,23 +43,23 @@ var featuresCommand = cli.Command{ Namespaces: specconv.KnownNamespaces(), Capabilities: capabilities.KnownCapabilities(), Cgroup: &features.Cgroup{ - V1: &tru, - V2: &tru, - Systemd: &tru, - SystemdUser: &tru, + V1: &t, + V2: &t, + Systemd: &t, + SystemdUser: &t, }, Apparmor: &features.Apparmor{ - Enabled: &tru, + Enabled: &t, }, Selinux: &features.Selinux{ - Enabled: &tru, + Enabled: &t, }, }, } if seccomp.Enabled { feat.Linux.Seccomp = &features.Seccomp{ - Enabled: &tru, + Enabled: &t, Actions: seccomp.KnownActions(), Operators: seccomp.KnownOperators(), Archs: seccomp.KnownArchs(), diff --git a/go.mod b/go.mod index 95f6928c3d2..006190e763f 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/opencontainers/runc -go 1.17 +go 1.18 require ( github.com/checkpoint-restore/go-criu/v5 v5.3.0 @@ -20,8 +20,8 @@ require ( // NOTE: urfave/cli must be <= v1.22.1 due to a regression: https://github.com/urfave/cli/issues/1092 github.com/urfave/cli v1.22.1 github.com/vishvananda/netlink v1.1.0 - golang.org/x/net v0.23.0 - golang.org/x/sys v0.18.0 + golang.org/x/net v0.24.0 + golang.org/x/sys v0.19.0 google.golang.org/protobuf v1.33.0 ) diff --git a/go.sum b/go.sum index 6c097a65799..03e2a07ce1a 100644 --- a/go.sum +++ b/go.sum @@ -57,57 +57,16 @@ github.com/vishvananda/netlink v1.1.0 h1:1iyaYNBLmP6L0220aDnYQpo1QEV4t4hJ+xEEhhJ github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE= github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df h1:OviZH7qLw/7ZovXvuNyL3XQl8UFofeikI1NW1Gypu7k= github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU= -github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= -golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= -golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= -golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= -golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= -golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= -golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44= -golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs= -golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= -golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/net v0.24.0 h1:1PcaxkF854Fu3+lvBIx5SYn9wRlBzzcnHZSiaFFAb0w= +golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8= golang.org/x/sys v0.0.0-20190606203320-7fc4e5ec1444/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191115151921-52ab43148777/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210906170528-6f6e22806c34/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4= -golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= -golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= -golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= -golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58= -golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= -golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= -golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= -golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= -golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o= +golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= diff --git a/libcontainer/cgroups/fs/cpu.go b/libcontainer/cgroups/fs/cpu.go index 6c79f899b48..72c9cd70b50 100644 --- a/libcontainer/cgroups/fs/cpu.go +++ b/libcontainer/cgroups/fs/cpu.go @@ -35,15 +35,31 @@ func (s *CpuGroup) Apply(path string, r *configs.Resources, pid int) error { } func (s *CpuGroup) SetRtSched(path string, r *configs.Resources) error { + var period string if r.CpuRtPeriod != 0 { - if err := cgroups.WriteFile(path, "cpu.rt_period_us", strconv.FormatUint(r.CpuRtPeriod, 10)); err != nil { - return err + period = strconv.FormatUint(r.CpuRtPeriod, 10) + if err := cgroups.WriteFile(path, "cpu.rt_period_us", period); err != nil { + // The values of cpu.rt_period_us and cpu.rt_runtime_us + // are inter-dependent and need to be set in a proper order. + // If the kernel rejects the new period value with EINVAL + // and the new runtime value is also being set, let's + // ignore the error for now and retry later. + if !errors.Is(err, unix.EINVAL) || r.CpuRtRuntime == 0 { + return err + } + } else { + period = "" } } if r.CpuRtRuntime != 0 { if err := cgroups.WriteFile(path, "cpu.rt_runtime_us", strconv.FormatInt(r.CpuRtRuntime, 10)); err != nil { return err } + if period != "" { + if err := cgroups.WriteFile(path, "cpu.rt_period_us", period); err != nil { + return err + } + } } return nil } diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go index d9f18139f54..c849ec6b797 100644 --- a/libcontainer/init_linux.go +++ b/libcontainer/init_linux.go @@ -10,6 +10,7 @@ import ( "os" "path/filepath" "strings" + "syscall" "unsafe" "github.com/containerd/console" @@ -84,6 +85,11 @@ func newContainerInit(t initType, pipe *os.File, consoleSocket *os.File, fifoFd, if err := populateProcessEnvironment(config.Env); err != nil { return nil, err } + + // Clean the RLIMIT_NOFILE cache in go runtime. + // Issue: https://github.com/opencontainers/runc/issues/4195 + maybeClearRlimitNofileCache(config.Rlimits) + switch t { case initSetns: // mountFds must be nil in this case. We don't mount while doing runc exec. @@ -261,7 +267,6 @@ func setupConsole(socket *os.File, config *initConfig, mount bool) error { Height: config.ConsoleHeight, Width: config.ConsoleWidth, }) - if err != nil { return err } @@ -518,6 +523,18 @@ func setupRoute(config *configs.Config) error { return nil } +func maybeClearRlimitNofileCache(limits []configs.Rlimit) { + for _, rlimit := range limits { + if rlimit.Type == syscall.RLIMIT_NOFILE { + system.ClearRlimitNofileCache(&syscall.Rlimit{ + Cur: rlimit.Soft, + Max: rlimit.Hard, + }) + return + } + } +} + func setupRlimits(limits []configs.Rlimit, pid int) error { for _, rlimit := range limits { if err := unix.Prlimit(pid, rlimit.Type, &unix.Rlimit{Max: rlimit.Hard, Cur: rlimit.Soft}, nil); err != nil { diff --git a/libcontainer/integration/exec_test.go b/libcontainer/integration/exec_test.go index 670b33fcbb3..568bb637916 100644 --- a/libcontainer/integration/exec_test.go +++ b/libcontainer/integration/exec_test.go @@ -135,11 +135,13 @@ func testRlimit(t *testing.T, userns bool) { config := newTemplateConfig(t, &tParam{userns: userns}) - // ensure limit is lower than what the config requests to test that in a user namespace + // Ensure limit is lower than what the config requests to test that in a user namespace // the Setrlimit call happens early enough that we still have permissions to raise the limit. + // Do not change the Cur value to be equal to the Max value, please see: + // https://github.com/opencontainers/runc/pull/4265#discussion_r1589666444 ok(t, unix.Setrlimit(unix.RLIMIT_NOFILE, &unix.Rlimit{ Max: 1024, - Cur: 1024, + Cur: 512, })) out := runContainerOk(t, config, "/bin/sh", "-c", "ulimit -n") diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c index 2d224babea9..ff01e55f8c6 100644 --- a/libcontainer/nsenter/nsexec.c +++ b/libcontainer/nsenter/nsexec.c @@ -1213,7 +1213,7 @@ void nsexec(void) bail("failed to sync with parent: write(SYNC_USERMAP_PLS)"); /* ... wait for mapping ... */ - write_log(DEBUG, "request stage-0 to map user namespace"); + write_log(DEBUG, "waiting stage-0 to complete the mapping of user namespace"); if (read(syncfd, &s, sizeof(s)) != sizeof(s)) bail("failed to sync with parent: read(SYNC_USERMAP_ACK)"); if (s != SYNC_USERMAP_ACK) diff --git a/libcontainer/process_linux.go b/libcontainer/process_linux.go index 0d9ceb9c98c..ac3b104ea02 100644 --- a/libcontainer/process_linux.go +++ b/libcontainer/process_linux.go @@ -152,11 +152,7 @@ func (p *setnsProcess) start() (retErr error) { } } } - // set rlimits, this has to be done here because we lose permissions - // to raise the limits once we enter a user-namespace - if err := setupRlimits(p.config.Rlimits, p.pid()); err != nil { - return fmt.Errorf("error setting rlimits for process: %w", err) - } + if err := utils.WriteJSON(p.messageSockPair.parent, p.config); err != nil { return fmt.Errorf("error writing config to pipe: %w", err) } @@ -164,8 +160,14 @@ func (p *setnsProcess) start() (retErr error) { ierr := parseSync(p.messageSockPair.parent, func(sync *syncT) error { switch sync.Type { case procReady: - // This shouldn't happen. - panic("unexpected procReady in setns") + // Set rlimits, this has to be done here because we lose permissions + // to raise the limits once we enter a user-namespace + if err := setupRlimits(p.config.Rlimits, p.pid()); err != nil { + return fmt.Errorf("error setting rlimits for ready process: %w", err) + } + + // Sync with child. + return writeSync(p.messageSockPair.parent, procRun) case procHooks: // This shouldn't happen. panic("unexpected procHooks in setns") @@ -495,7 +497,7 @@ func (p *initProcess) start() (retErr error) { return err } case procReady: - // set rlimits, this has to be done here because we lose permissions + // Set rlimits, this has to be done here because we lose permissions // to raise the limits once we enter a user-namespace if err := setupRlimits(p.config.Rlimits, p.pid()); err != nil { return fmt.Errorf("error setting rlimits for ready process: %w", err) diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go index c701d6a2fcd..52ad3ba121f 100644 --- a/libcontainer/rootfs_linux.go +++ b/libcontainer/rootfs_linux.go @@ -602,6 +602,7 @@ func checkProcMount(rootfs, dest, source string) error { "/proc/slabinfo", "/proc/net/dev", "/proc/sys/kernel/ns_last_pid", + "/proc/sys/crypto/fips_enabled", } for _, valid := range validProcMounts { path, err := filepath.Rel(filepath.Join(rootfs, valid), dest) diff --git a/libcontainer/rootfs_linux_test.go b/libcontainer/rootfs_linux_test.go index 8709a5e47f7..223f75e8266 100644 --- a/libcontainer/rootfs_linux_test.go +++ b/libcontainer/rootfs_linux_test.go @@ -46,6 +46,14 @@ func TestCheckMountDestNsLastPid(t *testing.T) { } } +func TestCheckCryptoFipsEnabled(t *testing.T) { + dest := "/rootfs/proc/sys/crypto/fips_enabled" + err := checkProcMount("/rootfs", dest, "/proc") + if err != nil { + t.Fatalf("/proc/sys/crypto/fips_enabled should not return an error: %v", err) + } +} + func TestNeedsSetupDev(t *testing.T) { config := &configs.Config{ Mounts: []*configs.Mount{ diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go index d1bb12273c0..bb358901c34 100644 --- a/libcontainer/setns_init_linux.go +++ b/libcontainer/setns_init_linux.go @@ -48,6 +48,7 @@ func (l *linuxSetnsInit) Init() error { } } } + if l.config.CreateConsole { if err := setupConsole(l.consoleSocket, l.config, false); err != nil { return err @@ -61,6 +62,14 @@ func (l *linuxSetnsInit) Init() error { return err } } + + // Tell our parent that we're ready to exec. This must be done before the + // Seccomp rules have been applied, because we need to be able to read and + // write to a socket. + if err := syncParentReady(l.pipe); err != nil { + return fmt.Errorf("sync ready: %w", err) + } + if err := selinux.SetExecLabel(l.config.ProcessLabel); err != nil { return err } diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go index d1d94352f93..d9a6a224c5c 100644 --- a/libcontainer/standard_init_linux.go +++ b/libcontainer/standard_init_linux.go @@ -155,7 +155,8 @@ func (l *linuxStandardInit) Init() error { return &os.SyscallError{Syscall: "prctl(SET_NO_NEW_PRIVS)", Err: err} } } - // Tell our parent that we're ready to Execv. This must be done before the + + // Tell our parent that we're ready to exec. This must be done before the // Seccomp rules have been applied, because we need to be able to read and // write to a socket. if err := syncParentReady(l.pipe); err != nil { diff --git a/libcontainer/system/linux.go b/libcontainer/system/linux.go index e1d6eb18034..16edc6ba6d9 100644 --- a/libcontainer/system/linux.go +++ b/libcontainer/system/linux.go @@ -31,12 +31,12 @@ func (p ParentDeathSignal) Set() error { return SetParentDeathSignal(uintptr(p)) } +// Deprecated: Execv is not used in runc anymore, it will be removed in v1.2.0. func Execv(cmd string, args []string, env []string) error { name, err := exec.LookPath(cmd) if err != nil { return err } - return Exec(name, args, env) } diff --git a/libcontainer/system/rlimit_linux.go b/libcontainer/system/rlimit_linux.go new file mode 100644 index 00000000000..4595fa82aa1 --- /dev/null +++ b/libcontainer/system/rlimit_linux.go @@ -0,0 +1,15 @@ +//go:build go1.23 + +package system + +import ( + "syscall" +) + +// ClearRlimitNofileCache clears go runtime's nofile rlimit cache. The argument +// is process RLIMIT_NOFILE values. Relies on go.dev/cl/588076. +func ClearRlimitNofileCache(lim *syscall.Rlimit) { + // Ignore the return values since we only need to clean the cache, + // the limit is going to be set via unix.Prlimit elsewhere. + _ = syscall.Setrlimit(syscall.RLIMIT_NOFILE, lim) +} diff --git a/libcontainer/system/rlimit_linux_go122.go b/libcontainer/system/rlimit_linux_go122.go new file mode 100644 index 00000000000..674e44bd8f7 --- /dev/null +++ b/libcontainer/system/rlimit_linux_go122.go @@ -0,0 +1,27 @@ +//go:build go1.19 && !go1.23 + +// TODO: remove this file once go 1.22 is no longer supported. + +package system + +import ( + "sync/atomic" + "syscall" + _ "unsafe" // Needed for go:linkname to work. +) + +//go:linkname syscallOrigRlimitNofile syscall.origRlimitNofile +var syscallOrigRlimitNofile atomic.Pointer[syscall.Rlimit] + +// ClearRlimitNofileCache clears go runtime's nofile rlimit cache. +// The argument is process RLIMIT_NOFILE values. +func ClearRlimitNofileCache(_ *syscall.Rlimit) { + // As reported in issue #4195, the new version of go runtime(since 1.19) + // will cache rlimit-nofile. Before executing execve, the rlimit-nofile + // of the process will be restored with the cache. In runc, this will + // cause the rlimit-nofile setting by the parent process for the container + // to become invalid. It can be solved by clearing this cache. But + // unfortunately, go stdlib doesn't provide such function, so we need to + // link to the private var `origRlimitNofile` in package syscall to hack. + syscallOrigRlimitNofile.Store(nil) +} diff --git a/libcontainer/system/rlimit_stub.go b/libcontainer/system/rlimit_stub.go new file mode 100644 index 00000000000..96200df596c --- /dev/null +++ b/libcontainer/system/rlimit_stub.go @@ -0,0 +1,7 @@ +//go:build !go1.19 + +package system + +import "syscall" + +func ClearRlimitNofileCache(_ *syscall.Rlimit) {} diff --git a/libcontainer/user/user.go b/libcontainer/user/user.go index 984466d1ab5..198c4936795 100644 --- a/libcontainer/user/user.go +++ b/libcontainer/user/user.go @@ -197,7 +197,6 @@ func ParseGroupFilter(r io.Reader, filter func(Group) bool) ([]Group, error) { for { var line []byte line, isPrefix, err = rd.ReadLine() - if err != nil { // We should return no error if EOF is reached // without a match. diff --git a/list.go b/list.go index 3503dcd2f5e..3fb9917248f 100644 --- a/list.go +++ b/list.go @@ -127,50 +127,55 @@ func getContainers(context *cli.Context) ([]containerState, error) { var s []containerState for _, item := range list { - if item.IsDir() { - st, err := os.Stat(filepath.Join(absRoot, item.Name())) - if err != nil { - fatal(err) - } - // This cast is safe on Linux. - uid := st.Sys().(*syscall.Stat_t).Uid - owner, err := user.LookupUid(int(uid)) - if err != nil { - owner.Name = fmt.Sprintf("#%d", uid) - } - - container, err := factory.Load(item.Name()) - if err != nil { - fmt.Fprintf(os.Stderr, "load container %s: %v\n", item.Name(), err) - continue - } - containerStatus, err := container.Status() - if err != nil { - fmt.Fprintf(os.Stderr, "status for %s: %v\n", item.Name(), err) - continue - } - state, err := container.State() - if err != nil { - fmt.Fprintf(os.Stderr, "state for %s: %v\n", item.Name(), err) + if !item.IsDir() { + continue + } + st, err := item.Info() + if err != nil { + if errors.Is(err, os.ErrNotExist) { + // Possible race with runc delete. continue } - pid := state.BaseState.InitProcessPid - if containerStatus == libcontainer.Stopped { - pid = 0 - } - bundle, annotations := utils.Annotations(state.Config.Labels) - s = append(s, containerState{ - Version: state.BaseState.Config.Version, - ID: state.BaseState.ID, - InitProcessPid: pid, - Status: containerStatus.String(), - Bundle: bundle, - Rootfs: state.BaseState.Config.Rootfs, - Created: state.BaseState.Created, - Annotations: annotations, - Owner: owner.Name, - }) + fatal(err) + } + // This cast is safe on Linux. + uid := st.Sys().(*syscall.Stat_t).Uid + owner, err := user.LookupUid(int(uid)) + if err != nil { + owner.Name = fmt.Sprintf("#%d", uid) + } + + container, err := factory.Load(item.Name()) + if err != nil { + fmt.Fprintf(os.Stderr, "load container %s: %v\n", item.Name(), err) + continue + } + containerStatus, err := container.Status() + if err != nil { + fmt.Fprintf(os.Stderr, "status for %s: %v\n", item.Name(), err) + continue + } + state, err := container.State() + if err != nil { + fmt.Fprintf(os.Stderr, "state for %s: %v\n", item.Name(), err) + continue + } + pid := state.BaseState.InitProcessPid + if containerStatus == libcontainer.Stopped { + pid = 0 } + bundle, annotations := utils.Annotations(state.Config.Labels) + s = append(s, containerState{ + Version: state.BaseState.Config.Version, + ID: state.BaseState.ID, + InitProcessPid: pid, + Status: containerStatus.String(), + Bundle: bundle, + Rootfs: state.BaseState.Config.Rootfs, + Created: state.BaseState.Created, + Annotations: annotations, + Owner: owner.Name, + }) } return s, nil } diff --git a/script/keyring_validate.sh b/script/keyring_validate.sh index ccb3da2a679..20a0b85618f 100755 --- a/script/keyring_validate.sh +++ b/script/keyring_validate.sh @@ -32,6 +32,12 @@ function bail() { tmp_gpgdir="$(mktemp -d --tmpdir "$project-validate-tmpkeyring.XXXXXX")" trap 'rm -r "$tmp_gpgdir"' EXIT +function gpg_user() { + local user=$1 + shift + gpg --homedir="$tmp_gpgdir" --no-default-keyring --keyring="$user.keyring" "$@" +} + # Get the set of MAINTAINERS. readarray -t maintainers < <(sed -E 's|.* <.*> \(@?(.*)\)$|\1|' <"$root/MAINTAINERS") echo "------------------------------------------------------------" @@ -41,8 +47,7 @@ echo "------------------------------------------------------------" # Create a dummy gpg keyring from the set of MAINTAINERS. while IFS="" read -r username || [ -n "$username" ]; do - curl -sSL "https://github.com/$username.gpg" | - gpg --no-default-keyring --keyring="$tmp_gpgdir/$username.keyring" --import + curl -sSL "https://github.com/$username.gpg" | gpg_user "$username" --import done < <(printf '%s\n' "${maintainers[@]}") # Make sure all of the keys in the keyring have a github=... comment. @@ -65,8 +70,7 @@ echo "------------------------------------------------------------" echo "$project release managers:" sed -En "s|^Comment:.* github=(\w+).*| * \1|p" <"$root/$project.keyring" | sort -u echo "------------------------------------------------------------" -gpg --no-default-keyring --keyring="$tmp_gpgdir/keyring" \ - --import --import-options=show-only <"$root/$project.keyring" +gpg --show-keys <"$root/$project.keyring" echo "------------------------------------------------------------" # Check that each entry in the kering is actually a maintainer's key. @@ -94,12 +98,10 @@ while IFS="" read -d $'\0' -r block || [ -n "$block" ]; do # fingerprint. See # for more details. while IFS="" read -r key || [ -n "$key" ]; do - gpg --no-default-keyring --keyring="$tmp_gpgdir/$username.keyring" \ - --list-keys --with-colons | grep "$fprfield:::::::::$key:" >/dev/null || + gpg_user "$username" --list-keys --with-colons | grep "$fprfield:::::::::$key:" >/dev/null || bail "(Sub?)Key $key in $project.keyring is NOT actually one of $username's keys!" log "Successfully verified $username's (sub?)key $key is legitimate." - done < <(gpg --no-default-keyring \ - --import --import-options=show-only --with-colons <<<"$block" | + done < <(gpg --show-keys --with-colons <<<"$block" | grep "^$fprfield:" | cut -d: -f10) done < <(awk <"$root/$project.keyring" ' /^-----BEGIN PGP PUBLIC KEY BLOCK-----$/ { in_block=1 } diff --git a/script/release_build.sh b/script/release_build.sh index af238628cbd..06b52dadc31 100755 --- a/script/release_build.sh +++ b/script/release_build.sh @@ -19,7 +19,7 @@ set -e ## ---> # Project-specific options and functions. In *theory* you shouldn't need to # touch anything else in this script in order to use this elsewhere. -: "${LIBSECCOMP_VERSION:=2.5.4}" +: "${LIBSECCOMP_VERSION:=2.5.5}" project="runc" root="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")/..")" diff --git a/script/release_sign.sh b/script/release_sign.sh index e66a81bc7b2..39f806fa642 100755 --- a/script/release_sign.sh +++ b/script/release_sign.sh @@ -105,10 +105,10 @@ set -x tmp_gpgdir="$(mktemp -d --tmpdir "$project-sign-tmpkeyring.XXXXXX")" trap 'rm -r "$tmp_gpgdir"' EXIT -tmp_runc_gpgflags=("--no-default-keyring" "--keyring=$tmp_gpgdir/$project.keyring") +tmp_runc_gpgflags=("--homedir=$tmp_gpgdir" "--no-default-keyring" "--keyring=$project.keyring") gpg "${tmp_runc_gpgflags[@]}" --import <"$root/$project.keyring" -tmp_seccomp_gpgflags=("--no-default-keyring" "--keyring=$tmp_gpgdir/seccomp.keyring") +tmp_seccomp_gpgflags=("--homedir=$tmp_gpgdir" "--no-default-keyring" "--keyring=seccomp.keyring") gpg "${tmp_seccomp_gpgflags[@]}" --recv-keys 0x47A68FCE37C7D7024FD65E11356CE62C2B524099 gpg "${tmp_seccomp_gpgflags[@]}" --recv-keys 0x7100AADFAE6E6E940D2E0AD655E45A5AE8CA7C8A diff --git a/script/seccomp.sh b/script/seccomp.sh index beea612ac83..7060ed67806 100755 --- a/script/seccomp.sh +++ b/script/seccomp.sh @@ -7,7 +7,7 @@ source "$(dirname "${BASH_SOURCE[0]}")/lib.sh" # sha256 checksums for seccomp release tarballs. declare -A SECCOMP_SHA256=( - ["2.5.4"]=d82902400405cf0068574ef3dc1fe5f5926207543ba1ae6f8e7a1576351dcbdb + ["2.5.5"]=248a2c8a4d9b9858aa6baf52712c34afefcf9c9e94b76dce02c1c9aa25fb3375 ) # Due to libseccomp being LGPL we must include its sources, diff --git a/tests/integration/rlimits.bats b/tests/integration/rlimits.bats new file mode 100644 index 00000000000..356a7871069 --- /dev/null +++ b/tests/integration/rlimits.bats @@ -0,0 +1,88 @@ +#!/usr/bin/env bats + +load helpers + +function setup() { + # Do not change the Cur value to be equal to the Max value + # Because in some environments, the soft and hard nofile limit have the same value. + [ $EUID -eq 0 ] && prlimit --nofile=1024:65536 -p $$ + setup_busybox +} + +function teardown() { + teardown_bundle +} + +# Set and check rlimit_nofile for runc run. Arguments are: +# $1: soft limit; +# $2: hard limit. +function run_check_nofile() { + soft="$1" + hard="$2" + update_config ".process.rlimits = [{\"type\": \"RLIMIT_NOFILE\", \"soft\": ${soft}, \"hard\": ${hard}}]" + update_config '.process.args = ["/bin/sh", "-c", "ulimit -n; ulimit -H -n"]' + + runc run test_rlimit + [ "$status" -eq 0 ] + [[ "${lines[0]}" == "${soft}" ]] + [[ "${lines[1]}" == "${hard}" ]] +} + +# Set and check rlimit_nofile for runc exec. Arguments are: +# $1: soft limit; +# $2: hard limit. +function exec_check_nofile() { + soft="$1" + hard="$2" + update_config ".process.rlimits = [{\"type\": \"RLIMIT_NOFILE\", \"soft\": ${soft}, \"hard\": ${hard}}]" + + runc run -d --console-socket "$CONSOLE_SOCKET" test_rlimit + [ "$status" -eq 0 ] + + runc exec test_rlimit /bin/sh -c "ulimit -n; ulimit -H -n" + [ "$status" -eq 0 ] + [[ "${lines[0]}" == "${soft}" ]] + [[ "${lines[1]}" == "${hard}" ]] +} + +@test "runc run with RLIMIT_NOFILE(The same as system's hard value)" { + hard=$(ulimit -n -H) + soft="$hard" + run_check_nofile "$soft" "$hard" +} + +@test "runc run with RLIMIT_NOFILE(Bigger than system's hard value)" { + requires root + limit=$(ulimit -n -H) + soft=$((limit + 1)) + hard=$soft + run_check_nofile "$soft" "$hard" +} + +@test "runc run with RLIMIT_NOFILE(Smaller than system's hard value)" { + limit=$(ulimit -n -H) + soft=$((limit - 1)) + hard=$soft + run_check_nofile "$soft" "$hard" +} + +@test "runc exec with RLIMIT_NOFILE(The same as system's hard value)" { + hard=$(ulimit -n -H) + soft="$hard" + exec_check_nofile "$soft" "$hard" +} + +@test "runc exec with RLIMIT_NOFILE(Bigger than system's hard value)" { + requires root + limit=$(ulimit -n -H) + soft=$((limit + 1)) + hard=$soft + exec_check_nofile "$soft" "$hard" +} + +@test "runc exec with RLIMIT_NOFILE(Smaller than system's hard value)" { + limit=$(ulimit -n -H) + soft=$((limit - 1)) + hard=$soft + exec_check_nofile "$soft" "$hard" +} diff --git a/tests/integration/run.bats b/tests/integration/run.bats index 88540c763d1..3669f521cfa 100644 --- a/tests/integration/run.bats +++ b/tests/integration/run.bats @@ -72,7 +72,7 @@ function teardown() { runc run test_tmpfs [ "$status" -eq 0 ] - [ "$output" = "$mode" ] + [ "${lines[0]}" = "$mode" ] } @test "runc run with tmpfs perms" { @@ -83,13 +83,13 @@ function teardown() { # Directory is to be created by runc. runc run test_tmpfs [ "$status" -eq 0 ] - [ "$output" = "444" ] + [ "${lines[0]}" = "444" ] # Run a 2nd time with the pre-existing directory. # Ref: https://github.com/opencontainers/runc/issues/3911 runc run test_tmpfs [ "$status" -eq 0 ] - [ "$output" = "444" ] + [ "${lines[0]}" = "444" ] # Existing directory, custom perms, no mode on the mount, # so it should use the directory's perms. @@ -98,7 +98,7 @@ function teardown() { # shellcheck disable=SC2016 runc run test_tmpfs [ "$status" -eq 0 ] - [ "$output" = "710" ] + [ "${lines[0]}" = "710" ] # Add back the mode on the mount, and it should use that instead. # Just for fun, use different perms than was used earlier. @@ -106,7 +106,7 @@ function teardown() { update_config '.mounts[-1].options = ["mode=0410"]' runc run test_tmpfs [ "$status" -eq 0 ] - [ "$output" = "410" ] + [ "${lines[0]}" = "410" ] } @test "runc run [joining existing container namespaces]" { diff --git a/tests/integration/spec.bats b/tests/integration/spec.bats index 8091ba339a5..999e3b8c940 100644 --- a/tests/integration/spec.bats +++ b/tests/integration/spec.bats @@ -31,11 +31,11 @@ function teardown() { git clone https://github.com/opencontainers/runtime-spec.git (cd runtime-spec && git reset --hard "$SPEC_REF") - SCHEMA='runtime-spec/schema/config-schema.json' - [ -e "$SCHEMA" ] - GO111MODULE=auto go get github.com/xeipuuv/gojsonschema - GO111MODULE=auto go build runtime-spec/schema/validate.go + cd runtime-spec/schema + go mod init runtime-spec + go mod tidy + go build ./validate.go - ./validate "$SCHEMA" config.json + ./validate config-schema.json ../../config.json } diff --git a/tests/integration/update.bats b/tests/integration/update.bats index b7a44cb72ce..b1accd5be7a 100644 --- a/tests/integration/update.bats +++ b/tests/integration/update.bats @@ -653,6 +653,17 @@ EOF check_cgroup_value "cpu.rt_period_us" 900001 check_cgroup_value "cpu.rt_runtime_us" 600001 + + # https://github.com/opencontainers/runc/issues/4094 + runc update test_update_rt --cpu-rt-period 10000 --cpu-rt-runtime 3000 + [ "$status" -eq 0 ] + check_cgroup_value "cpu.rt_period_us" 10000 + check_cgroup_value "cpu.rt_runtime_us" 3000 + + runc update test_update_rt --cpu-rt-period 100000 --cpu-rt-runtime 20000 + [ "$status" -eq 0 ] + check_cgroup_value "cpu.rt_period_us" 100000 + check_cgroup_value "cpu.rt_runtime_us" 20000 } @test "update devices [minimal transition rules]" { diff --git a/utils_linux.go b/utils_linux.go index 60d534e86b1..587e28fb8b5 100644 --- a/utils_linux.go +++ b/utils_linux.go @@ -168,9 +168,8 @@ func setupIO(process *libcontainer.Process, rootuid, rootgid int, createTTY, det return setupProcessPipes(process, rootuid, rootgid) } -// createPidFile creates a file with the processes pid inside it atomically -// it creates a temp file with the paths filename + '.' infront of it -// then renames the file +// createPidFile creates a file containing the PID, +// doing so atomically (via create and rename). func createPidFile(path string, process *libcontainer.Process) error { pid, err := process.Pid() if err != nil { diff --git a/vendor/golang.org/x/sys/unix/mmap_nomremap.go b/vendor/golang.org/x/sys/unix/mmap_nomremap.go index 4b68e59780a..7f602ffd26d 100644 --- a/vendor/golang.org/x/sys/unix/mmap_nomremap.go +++ b/vendor/golang.org/x/sys/unix/mmap_nomremap.go @@ -2,7 +2,7 @@ // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. -//go:build aix || darwin || dragonfly || freebsd || openbsd || solaris +//go:build aix || darwin || dragonfly || freebsd || openbsd || solaris || zos package unix diff --git a/vendor/golang.org/x/sys/unix/syscall_zos_s390x.go b/vendor/golang.org/x/sys/unix/syscall_zos_s390x.go index b473038c615..27c41b6f0a1 100644 --- a/vendor/golang.org/x/sys/unix/syscall_zos_s390x.go +++ b/vendor/golang.org/x/sys/unix/syscall_zos_s390x.go @@ -1520,6 +1520,14 @@ func (m *mmapper) Munmap(data []byte) (err error) { return nil } +func Mmap(fd int, offset int64, length int, prot int, flags int) (data []byte, err error) { + return mapper.Mmap(fd, offset, length, prot, flags) +} + +func Munmap(b []byte) (err error) { + return mapper.Munmap(b) +} + func Read(fd int, p []byte) (n int, err error) { n, err = read(fd, p) if raceenabled { diff --git a/vendor/golang.org/x/sys/windows/syscall_windows.go b/vendor/golang.org/x/sys/windows/syscall_windows.go index 6395a031d45..6525c62f3c2 100644 --- a/vendor/golang.org/x/sys/windows/syscall_windows.go +++ b/vendor/golang.org/x/sys/windows/syscall_windows.go @@ -165,6 +165,7 @@ func NewCallbackCDecl(fn interface{}) uintptr { //sys CreateFile(name *uint16, access uint32, mode uint32, sa *SecurityAttributes, createmode uint32, attrs uint32, templatefile Handle) (handle Handle, err error) [failretval==InvalidHandle] = CreateFileW //sys CreateNamedPipe(name *uint16, flags uint32, pipeMode uint32, maxInstances uint32, outSize uint32, inSize uint32, defaultTimeout uint32, sa *SecurityAttributes) (handle Handle, err error) [failretval==InvalidHandle] = CreateNamedPipeW //sys ConnectNamedPipe(pipe Handle, overlapped *Overlapped) (err error) +//sys DisconnectNamedPipe(pipe Handle) (err error) //sys GetNamedPipeInfo(pipe Handle, flags *uint32, outSize *uint32, inSize *uint32, maxInstances *uint32) (err error) //sys GetNamedPipeHandleState(pipe Handle, state *uint32, curInstances *uint32, maxCollectionCount *uint32, collectDataTimeout *uint32, userName *uint16, maxUserNameSize uint32) (err error) = GetNamedPipeHandleStateW //sys SetNamedPipeHandleState(pipe Handle, state *uint32, maxCollectionCount *uint32, collectDataTimeout *uint32) (err error) = SetNamedPipeHandleState @@ -348,8 +349,19 @@ func NewCallbackCDecl(fn interface{}) uintptr { //sys SetProcessPriorityBoost(process Handle, disable bool) (err error) = kernel32.SetProcessPriorityBoost //sys GetProcessWorkingSetSizeEx(hProcess Handle, lpMinimumWorkingSetSize *uintptr, lpMaximumWorkingSetSize *uintptr, flags *uint32) //sys SetProcessWorkingSetSizeEx(hProcess Handle, dwMinimumWorkingSetSize uintptr, dwMaximumWorkingSetSize uintptr, flags uint32) (err error) +//sys ClearCommBreak(handle Handle) (err error) +//sys ClearCommError(handle Handle, lpErrors *uint32, lpStat *ComStat) (err error) +//sys EscapeCommFunction(handle Handle, dwFunc uint32) (err error) +//sys GetCommState(handle Handle, lpDCB *DCB) (err error) +//sys GetCommModemStatus(handle Handle, lpModemStat *uint32) (err error) //sys GetCommTimeouts(handle Handle, timeouts *CommTimeouts) (err error) +//sys PurgeComm(handle Handle, dwFlags uint32) (err error) +//sys SetCommBreak(handle Handle) (err error) +//sys SetCommMask(handle Handle, dwEvtMask uint32) (err error) +//sys SetCommState(handle Handle, lpDCB *DCB) (err error) //sys SetCommTimeouts(handle Handle, timeouts *CommTimeouts) (err error) +//sys SetupComm(handle Handle, dwInQueue uint32, dwOutQueue uint32) (err error) +//sys WaitCommEvent(handle Handle, lpEvtMask *uint32, lpOverlapped *Overlapped) (err error) //sys GetActiveProcessorCount(groupNumber uint16) (ret uint32) //sys GetMaximumProcessorCount(groupNumber uint16) (ret uint32) //sys EnumWindows(enumFunc uintptr, param unsafe.Pointer) (err error) = user32.EnumWindows @@ -1834,3 +1846,73 @@ func ResizePseudoConsole(pconsole Handle, size Coord) error { // accept arguments that can be casted to uintptr, and Coord can't. return resizePseudoConsole(pconsole, *((*uint32)(unsafe.Pointer(&size)))) } + +// DCB constants. See https://learn.microsoft.com/en-us/windows/win32/api/winbase/ns-winbase-dcb. +const ( + CBR_110 = 110 + CBR_300 = 300 + CBR_600 = 600 + CBR_1200 = 1200 + CBR_2400 = 2400 + CBR_4800 = 4800 + CBR_9600 = 9600 + CBR_14400 = 14400 + CBR_19200 = 19200 + CBR_38400 = 38400 + CBR_57600 = 57600 + CBR_115200 = 115200 + CBR_128000 = 128000 + CBR_256000 = 256000 + + DTR_CONTROL_DISABLE = 0x00000000 + DTR_CONTROL_ENABLE = 0x00000010 + DTR_CONTROL_HANDSHAKE = 0x00000020 + + RTS_CONTROL_DISABLE = 0x00000000 + RTS_CONTROL_ENABLE = 0x00001000 + RTS_CONTROL_HANDSHAKE = 0x00002000 + RTS_CONTROL_TOGGLE = 0x00003000 + + NOPARITY = 0 + ODDPARITY = 1 + EVENPARITY = 2 + MARKPARITY = 3 + SPACEPARITY = 4 + + ONESTOPBIT = 0 + ONE5STOPBITS = 1 + TWOSTOPBITS = 2 +) + +// EscapeCommFunction constants. See https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-escapecommfunction. +const ( + SETXOFF = 1 + SETXON = 2 + SETRTS = 3 + CLRRTS = 4 + SETDTR = 5 + CLRDTR = 6 + SETBREAK = 8 + CLRBREAK = 9 +) + +// PurgeComm constants. See https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-purgecomm. +const ( + PURGE_TXABORT = 0x0001 + PURGE_RXABORT = 0x0002 + PURGE_TXCLEAR = 0x0004 + PURGE_RXCLEAR = 0x0008 +) + +// SetCommMask constants. See https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-setcommmask. +const ( + EV_RXCHAR = 0x0001 + EV_RXFLAG = 0x0002 + EV_TXEMPTY = 0x0004 + EV_CTS = 0x0008 + EV_DSR = 0x0010 + EV_RLSD = 0x0020 + EV_BREAK = 0x0040 + EV_ERR = 0x0080 + EV_RING = 0x0100 +) diff --git a/vendor/golang.org/x/sys/windows/types_windows.go b/vendor/golang.org/x/sys/windows/types_windows.go index 359780f6ace..d8cb71db0a6 100644 --- a/vendor/golang.org/x/sys/windows/types_windows.go +++ b/vendor/golang.org/x/sys/windows/types_windows.go @@ -3380,3 +3380,27 @@ type BLOB struct { Size uint32 BlobData *byte } + +type ComStat struct { + Flags uint32 + CBInQue uint32 + CBOutQue uint32 +} + +type DCB struct { + DCBlength uint32 + BaudRate uint32 + Flags uint32 + wReserved uint16 + XonLim uint16 + XoffLim uint16 + ByteSize uint8 + Parity uint8 + StopBits uint8 + XonChar byte + XoffChar byte + ErrorChar byte + EofChar byte + EvtChar byte + wReserved1 uint16 +} diff --git a/vendor/golang.org/x/sys/windows/zsyscall_windows.go b/vendor/golang.org/x/sys/windows/zsyscall_windows.go index e8791c82c30..5c6035ddfa9 100644 --- a/vendor/golang.org/x/sys/windows/zsyscall_windows.go +++ b/vendor/golang.org/x/sys/windows/zsyscall_windows.go @@ -188,6 +188,8 @@ var ( procAssignProcessToJobObject = modkernel32.NewProc("AssignProcessToJobObject") procCancelIo = modkernel32.NewProc("CancelIo") procCancelIoEx = modkernel32.NewProc("CancelIoEx") + procClearCommBreak = modkernel32.NewProc("ClearCommBreak") + procClearCommError = modkernel32.NewProc("ClearCommError") procCloseHandle = modkernel32.NewProc("CloseHandle") procClosePseudoConsole = modkernel32.NewProc("ClosePseudoConsole") procConnectNamedPipe = modkernel32.NewProc("ConnectNamedPipe") @@ -212,7 +214,9 @@ var ( procDeleteProcThreadAttributeList = modkernel32.NewProc("DeleteProcThreadAttributeList") procDeleteVolumeMountPointW = modkernel32.NewProc("DeleteVolumeMountPointW") procDeviceIoControl = modkernel32.NewProc("DeviceIoControl") + procDisconnectNamedPipe = modkernel32.NewProc("DisconnectNamedPipe") procDuplicateHandle = modkernel32.NewProc("DuplicateHandle") + procEscapeCommFunction = modkernel32.NewProc("EscapeCommFunction") procExitProcess = modkernel32.NewProc("ExitProcess") procExpandEnvironmentStringsW = modkernel32.NewProc("ExpandEnvironmentStringsW") procFindClose = modkernel32.NewProc("FindClose") @@ -236,6 +240,8 @@ var ( procGenerateConsoleCtrlEvent = modkernel32.NewProc("GenerateConsoleCtrlEvent") procGetACP = modkernel32.NewProc("GetACP") procGetActiveProcessorCount = modkernel32.NewProc("GetActiveProcessorCount") + procGetCommModemStatus = modkernel32.NewProc("GetCommModemStatus") + procGetCommState = modkernel32.NewProc("GetCommState") procGetCommTimeouts = modkernel32.NewProc("GetCommTimeouts") procGetCommandLineW = modkernel32.NewProc("GetCommandLineW") procGetComputerNameExW = modkernel32.NewProc("GetComputerNameExW") @@ -322,6 +328,7 @@ var ( procProcess32NextW = modkernel32.NewProc("Process32NextW") procProcessIdToSessionId = modkernel32.NewProc("ProcessIdToSessionId") procPulseEvent = modkernel32.NewProc("PulseEvent") + procPurgeComm = modkernel32.NewProc("PurgeComm") procQueryDosDeviceW = modkernel32.NewProc("QueryDosDeviceW") procQueryFullProcessImageNameW = modkernel32.NewProc("QueryFullProcessImageNameW") procQueryInformationJobObject = modkernel32.NewProc("QueryInformationJobObject") @@ -335,6 +342,9 @@ var ( procResetEvent = modkernel32.NewProc("ResetEvent") procResizePseudoConsole = modkernel32.NewProc("ResizePseudoConsole") procResumeThread = modkernel32.NewProc("ResumeThread") + procSetCommBreak = modkernel32.NewProc("SetCommBreak") + procSetCommMask = modkernel32.NewProc("SetCommMask") + procSetCommState = modkernel32.NewProc("SetCommState") procSetCommTimeouts = modkernel32.NewProc("SetCommTimeouts") procSetConsoleCursorPosition = modkernel32.NewProc("SetConsoleCursorPosition") procSetConsoleMode = modkernel32.NewProc("SetConsoleMode") @@ -342,7 +352,6 @@ var ( procSetDefaultDllDirectories = modkernel32.NewProc("SetDefaultDllDirectories") procSetDllDirectoryW = modkernel32.NewProc("SetDllDirectoryW") procSetEndOfFile = modkernel32.NewProc("SetEndOfFile") - procSetFileValidData = modkernel32.NewProc("SetFileValidData") procSetEnvironmentVariableW = modkernel32.NewProc("SetEnvironmentVariableW") procSetErrorMode = modkernel32.NewProc("SetErrorMode") procSetEvent = modkernel32.NewProc("SetEvent") @@ -351,6 +360,7 @@ var ( procSetFileInformationByHandle = modkernel32.NewProc("SetFileInformationByHandle") procSetFilePointer = modkernel32.NewProc("SetFilePointer") procSetFileTime = modkernel32.NewProc("SetFileTime") + procSetFileValidData = modkernel32.NewProc("SetFileValidData") procSetHandleInformation = modkernel32.NewProc("SetHandleInformation") procSetInformationJobObject = modkernel32.NewProc("SetInformationJobObject") procSetNamedPipeHandleState = modkernel32.NewProc("SetNamedPipeHandleState") @@ -361,6 +371,7 @@ var ( procSetStdHandle = modkernel32.NewProc("SetStdHandle") procSetVolumeLabelW = modkernel32.NewProc("SetVolumeLabelW") procSetVolumeMountPointW = modkernel32.NewProc("SetVolumeMountPointW") + procSetupComm = modkernel32.NewProc("SetupComm") procSizeofResource = modkernel32.NewProc("SizeofResource") procSleepEx = modkernel32.NewProc("SleepEx") procTerminateJobObject = modkernel32.NewProc("TerminateJobObject") @@ -379,6 +390,7 @@ var ( procVirtualQueryEx = modkernel32.NewProc("VirtualQueryEx") procVirtualUnlock = modkernel32.NewProc("VirtualUnlock") procWTSGetActiveConsoleSessionId = modkernel32.NewProc("WTSGetActiveConsoleSessionId") + procWaitCommEvent = modkernel32.NewProc("WaitCommEvent") procWaitForMultipleObjects = modkernel32.NewProc("WaitForMultipleObjects") procWaitForSingleObject = modkernel32.NewProc("WaitForSingleObject") procWriteConsoleW = modkernel32.NewProc("WriteConsoleW") @@ -1641,6 +1653,22 @@ func CancelIoEx(s Handle, o *Overlapped) (err error) { return } +func ClearCommBreak(handle Handle) (err error) { + r1, _, e1 := syscall.Syscall(procClearCommBreak.Addr(), 1, uintptr(handle), 0, 0) + if r1 == 0 { + err = errnoErr(e1) + } + return +} + +func ClearCommError(handle Handle, lpErrors *uint32, lpStat *ComStat) (err error) { + r1, _, e1 := syscall.Syscall(procClearCommError.Addr(), 3, uintptr(handle), uintptr(unsafe.Pointer(lpErrors)), uintptr(unsafe.Pointer(lpStat))) + if r1 == 0 { + err = errnoErr(e1) + } + return +} + func CloseHandle(handle Handle) (err error) { r1, _, e1 := syscall.Syscall(procCloseHandle.Addr(), 1, uintptr(handle), 0, 0) if r1 == 0 { @@ -1845,6 +1873,14 @@ func DeviceIoControl(handle Handle, ioControlCode uint32, inBuffer *byte, inBuff return } +func DisconnectNamedPipe(pipe Handle) (err error) { + r1, _, e1 := syscall.Syscall(procDisconnectNamedPipe.Addr(), 1, uintptr(pipe), 0, 0) + if r1 == 0 { + err = errnoErr(e1) + } + return +} + func DuplicateHandle(hSourceProcessHandle Handle, hSourceHandle Handle, hTargetProcessHandle Handle, lpTargetHandle *Handle, dwDesiredAccess uint32, bInheritHandle bool, dwOptions uint32) (err error) { var _p0 uint32 if bInheritHandle { @@ -1857,6 +1893,14 @@ func DuplicateHandle(hSourceProcessHandle Handle, hSourceHandle Handle, hTargetP return } +func EscapeCommFunction(handle Handle, dwFunc uint32) (err error) { + r1, _, e1 := syscall.Syscall(procEscapeCommFunction.Addr(), 2, uintptr(handle), uintptr(dwFunc), 0) + if r1 == 0 { + err = errnoErr(e1) + } + return +} + func ExitProcess(exitcode uint32) { syscall.Syscall(procExitProcess.Addr(), 1, uintptr(exitcode), 0, 0) return @@ -2058,6 +2102,22 @@ func GetActiveProcessorCount(groupNumber uint16) (ret uint32) { return } +func GetCommModemStatus(handle Handle, lpModemStat *uint32) (err error) { + r1, _, e1 := syscall.Syscall(procGetCommModemStatus.Addr(), 2, uintptr(handle), uintptr(unsafe.Pointer(lpModemStat)), 0) + if r1 == 0 { + err = errnoErr(e1) + } + return +} + +func GetCommState(handle Handle, lpDCB *DCB) (err error) { + r1, _, e1 := syscall.Syscall(procGetCommState.Addr(), 2, uintptr(handle), uintptr(unsafe.Pointer(lpDCB)), 0) + if r1 == 0 { + err = errnoErr(e1) + } + return +} + func GetCommTimeouts(handle Handle, timeouts *CommTimeouts) (err error) { r1, _, e1 := syscall.Syscall(procGetCommTimeouts.Addr(), 2, uintptr(handle), uintptr(unsafe.Pointer(timeouts)), 0) if r1 == 0 { @@ -2810,6 +2870,14 @@ func PulseEvent(event Handle) (err error) { return } +func PurgeComm(handle Handle, dwFlags uint32) (err error) { + r1, _, e1 := syscall.Syscall(procPurgeComm.Addr(), 2, uintptr(handle), uintptr(dwFlags), 0) + if r1 == 0 { + err = errnoErr(e1) + } + return +} + func QueryDosDevice(deviceName *uint16, targetPath *uint16, max uint32) (n uint32, err error) { r0, _, e1 := syscall.Syscall(procQueryDosDeviceW.Addr(), 3, uintptr(unsafe.Pointer(deviceName)), uintptr(unsafe.Pointer(targetPath)), uintptr(max)) n = uint32(r0) @@ -2924,6 +2992,30 @@ func ResumeThread(thread Handle) (ret uint32, err error) { return } +func SetCommBreak(handle Handle) (err error) { + r1, _, e1 := syscall.Syscall(procSetCommBreak.Addr(), 1, uintptr(handle), 0, 0) + if r1 == 0 { + err = errnoErr(e1) + } + return +} + +func SetCommMask(handle Handle, dwEvtMask uint32) (err error) { + r1, _, e1 := syscall.Syscall(procSetCommMask.Addr(), 2, uintptr(handle), uintptr(dwEvtMask), 0) + if r1 == 0 { + err = errnoErr(e1) + } + return +} + +func SetCommState(handle Handle, lpDCB *DCB) (err error) { + r1, _, e1 := syscall.Syscall(procSetCommState.Addr(), 2, uintptr(handle), uintptr(unsafe.Pointer(lpDCB)), 0) + if r1 == 0 { + err = errnoErr(e1) + } + return +} + func SetCommTimeouts(handle Handle, timeouts *CommTimeouts) (err error) { r1, _, e1 := syscall.Syscall(procSetCommTimeouts.Addr(), 2, uintptr(handle), uintptr(unsafe.Pointer(timeouts)), 0) if r1 == 0 { @@ -2989,14 +3081,6 @@ func SetEndOfFile(handle Handle) (err error) { return } -func SetFileValidData(handle Handle, validDataLength int64) (err error) { - r1, _, e1 := syscall.Syscall(procSetFileValidData.Addr(), 2, uintptr(handle), uintptr(validDataLength), 0) - if r1 == 0 { - err = errnoErr(e1) - } - return -} - func SetEnvironmentVariable(name *uint16, value *uint16) (err error) { r1, _, e1 := syscall.Syscall(procSetEnvironmentVariableW.Addr(), 2, uintptr(unsafe.Pointer(name)), uintptr(unsafe.Pointer(value)), 0) if r1 == 0 { @@ -3060,6 +3144,14 @@ func SetFileTime(handle Handle, ctime *Filetime, atime *Filetime, wtime *Filetim return } +func SetFileValidData(handle Handle, validDataLength int64) (err error) { + r1, _, e1 := syscall.Syscall(procSetFileValidData.Addr(), 2, uintptr(handle), uintptr(validDataLength), 0) + if r1 == 0 { + err = errnoErr(e1) + } + return +} + func SetHandleInformation(handle Handle, mask uint32, flags uint32) (err error) { r1, _, e1 := syscall.Syscall(procSetHandleInformation.Addr(), 3, uintptr(handle), uintptr(mask), uintptr(flags)) if r1 == 0 { @@ -3145,6 +3237,14 @@ func SetVolumeMountPoint(volumeMountPoint *uint16, volumeName *uint16) (err erro return } +func SetupComm(handle Handle, dwInQueue uint32, dwOutQueue uint32) (err error) { + r1, _, e1 := syscall.Syscall(procSetupComm.Addr(), 3, uintptr(handle), uintptr(dwInQueue), uintptr(dwOutQueue)) + if r1 == 0 { + err = errnoErr(e1) + } + return +} + func SizeofResource(module Handle, resInfo Handle) (size uint32, err error) { r0, _, e1 := syscall.Syscall(procSizeofResource.Addr(), 2, uintptr(module), uintptr(resInfo), 0) size = uint32(r0) @@ -3291,6 +3391,14 @@ func WTSGetActiveConsoleSessionId() (sessionID uint32) { return } +func WaitCommEvent(handle Handle, lpEvtMask *uint32, lpOverlapped *Overlapped) (err error) { + r1, _, e1 := syscall.Syscall(procWaitCommEvent.Addr(), 3, uintptr(handle), uintptr(unsafe.Pointer(lpEvtMask)), uintptr(unsafe.Pointer(lpOverlapped))) + if r1 == 0 { + err = errnoErr(e1) + } + return +} + func waitForMultipleObjects(count uint32, handles uintptr, waitAll bool, waitMilliseconds uint32) (event uint32, err error) { var _p0 uint32 if waitAll { diff --git a/vendor/modules.txt b/vendor/modules.txt index b995ac634a0..b6dc382368a 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -70,10 +70,10 @@ github.com/vishvananda/netlink/nl # github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df ## explicit; go 1.12 github.com/vishvananda/netns -# golang.org/x/net v0.23.0 +# golang.org/x/net v0.24.0 ## explicit; go 1.18 golang.org/x/net/bpf -# golang.org/x/sys v0.18.0 +# golang.org/x/sys v0.19.0 ## explicit; go 1.18 golang.org/x/sys/unix golang.org/x/sys/windows