Merge tag 'v1.1.13' into release-1.1-m

v1.1.13 -- "There is no certainty in the world. This is the only certainty I have." This is the thirteenth patch release in the 1.1.z release branch of runc. It brings in Go 1.12.x compatibility and fixes a few issues, including an occasional wrong nofile rlimit in runc exec, and a race between runc list and runc delete. NOTE that if using Go 1.22.x to build runc, make sure to use 1.22.4 or a later version. For more details, see issue opencontainers#4233. * Support go 1.22.4+. (opencontainers#4313) * runc list: fix race with runc delete. (opencontainers#4231) * Fix set nofile rlimit error. (opencontainers#4277, opencontainers#4299) * libct/cg/fs: fix setting rt_period vs rt_runtime. (opencontainers#4284) * Fix a debug msg for user ns in nsexec. (opencontainers#4315) * script/*: fix gpg usage wrt keyboxd. (opencontainers#4316) * CI fixes and misc backports. (opencontainers#4241) * Fix codespell warnings. (opencontainers#4300) * Silence security false positives from golang/net. (opencontainers#4244) * libcontainer: allow containers to make apps think fips is enabled/disabled for testing. (opencontainers#4257) * allow overriding VERSION value in Makefile. (opencontainers#4270) * Vagrantfile.fedora: bump Fedora to 39. (opencontainers#4261) * ci/cirrus: rm centos stream 8. (opencontainers#4305, opencontainers#4308) Thanks to all of the contributors who made this release possible: * Akhil Mohan <[email protected]> * Akihiro Suda <[email protected]> * Aleksa Sarai <[email protected]> * Kir Kolyshkin <[email protected]> * Sohan Kunkerkar <[email protected]> * TTFISH <[email protected]> * kychen <[email protected]> * lifubang <[email protected]> * ls-ggg <[email protected]> Signed-off-by: Kir Kolyshkin <[email protected]> # -----BEGIN PGP SIGNATURE----- # # iQEzBAABCAAdFiEEwkKM11cg+s3PdrbqF95ey3WhEA4FAmZrFGYACgkQF95ey3Wh # EA7DPwf9HVwO0EO3s7OuJPBCmZBp92L6AMDBmkpnE14Pi1c4DVcWtlrBna2CNnUJ # 4Hu8rgEtT80Y8L3GBf96Wo3C1DHR6lG6dyu6FjHozWu97WfrTtw92I/254dQZnsr # i7m+5C6Tluewr9pH6ageRI0rRYt4QPpyRihMkiZQHl44Z5ogRGJvCCkjk9nIDlxi # ok2U5aPIw4NWPwnMg3wC6CmcviaM81kyuWh2Twc1OPwRilCPQXWblcUgqujg5tOr # C3Z6AwiIedpMt6Nr0jdWZh9Rh0ffuOXBEiUO/K8vYqE/eDvqJd42c8ALi1HOONoU # ZwrNWNU3o2pIQ4qz0Fs4vauK4wSs1A== # =IFN9 # -----END PGP SIGNATURE----- # gpg: Signature made Thu Jun 13 08:46:46 2024 PDT # gpg: using RSA key C2428CD75720FACDCF76B6EA17DE5ECB75A1100E # gpg: Can't check signature: No public key # Conflicts: # CHANGELOG.md # VERSION # go.mod # go.sum # vendor/golang.org/x/sys/unix/mmap_nomremap.go # vendor/golang.org/x/sys/windows/syscall_windows.go # vendor/modules.txt
aepifanov · Jul 11, 2024 · a92c699 · a92c699
2 parents 2e2d421 + 58aa920
commit a92c699
Show file tree

Hide file tree

Showing 41 changed files with 597 additions and 207 deletions.
diff --git a/.cirrus.yml b/.cirrus.yml
@@ -77,13 +77,12 @@ task:
   env:
     HOME: /root
     CIRRUS_WORKING_DIR: /home/runc
-    GO_VERSION: "1.20"
+    GO_VERSION: "1.21"
     BATS_VERSION: "v1.9.0"
     RPMS: gcc git iptables jq glibc-static libseccomp-devel make criu fuse-sshfs
     # yamllint disable rule:key-duplicates
     matrix:
       DISTRO: centos-7
-      DISTRO: centos-stream-8
       DISTRO: centos-stream-9
 
   name: ci / $DISTRO
@@ -105,9 +104,6 @@ task:
       echo "user.max_user_namespaces=15076" > /etc/sysctl.d/userns.conf
       sysctl --system
       ;;
-    centos-stream-8)
-      yum config-manager --set-enabled powertools # for glibc-static
-      ;;
     centos-stream-9)
       dnf config-manager --set-enabled crb # for glibc-static
       dnf -y install epel-release epel-next-release # for fuse-sshfs
@@ -181,7 +177,7 @@ task:
     ssh -tt localhost "make -C /home/runc localintegration"
   integration_systemd_rootless_script: |
     case $DISTRO in
-    centos-7|centos-stream-8)
+    centos-7)
       echo "SKIP: integration_systemd_rootless_script requires cgroup v2"
       ;;
     *)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -21,7 +21,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        go-version: [1.17.x, 1.20.x, 1.21.x]
+        go-version: [1.17.x, 1.21.x, 1.22.x]
         rootless: ["rootless", ""]
         race: ["-race", ""]
         criu: [""]
@@ -35,7 +35,7 @@ jobs:
     steps:
 
     - name: checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
     - name: install deps
       if: matrix.criu == ''
@@ -46,23 +46,24 @@ jobs:
         curl -fSsLl $REPO/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/devel_tools_criu.gpg > /dev/null
         echo "deb $REPO/ /" | sudo tee /etc/apt/sources.list.d/criu.list
         sudo apt update
-        sudo apt install libseccomp-dev criu sshfs
+        sudo apt -y install libseccomp-dev criu sshfs
 
     - name: install deps (criu ${{ matrix.criu }})
       if: matrix.criu != ''
       run: |
         sudo apt -q update
-        sudo apt -q install libseccomp-dev sshfs \
+        sudo apt -qy install libseccomp-dev sshfs \
           libcap-dev libnet1-dev libnl-3-dev \
           libprotobuf-c-dev libprotobuf-dev protobuf-c-compiler protobuf-compiler
         git clone https://github.com/checkpoint-restore/criu.git ~/criu
         (cd ~/criu && git checkout ${{ matrix.criu }} && sudo make install-criu)
         rm -rf ~/criu
 
     - name: install go ${{ matrix.go-version }}
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@v5
       with:
         go-version: ${{ matrix.go-version }}
+        check-latest: true
 
     - name: build
       run: sudo -E PATH="$PATH" make EXTRA_FLAGS="${{ matrix.race }}" all
@@ -99,12 +100,12 @@ jobs:
   # However, we do not have 32-bit ARM CI, so we use i386 for testing 32bit stuff.
   # We are not interested in providing official support for i386.
   cross-i386:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
 
     steps:
 
     - name: checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
     - name: install deps
       run: |
@@ -113,15 +114,13 @@ jobs:
         sudo add-apt-repository -y ppa:criu/ppa
         # apt-add-repository runs apt update so we don't have to.
 
-        # Due to a bug in apt, we have to update it first
-        # (see https://bugs.launchpad.net/ubuntu-cdimage/+bug/1871268)
-        sudo apt -q install apt
-        sudo apt -q install libseccomp-dev libseccomp-dev:i386 gcc-multilib criu
+        sudo apt -qy install libseccomp-dev libseccomp-dev:i386 gcc-multilib criu
 
     - name: install go
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@v5
       with:
         go-version: 1.x # Latest stable
+        check-latest: true
 
     - name: unit test
       run: sudo -E PATH="$PATH" -- make GOARCH=386 localunittest
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
@@ -8,74 +8,73 @@ on:
       - release-*
   pull_request:
 env:
-  GO_VERSION: 1.20.x
+  GO_VERSION: 1.22.x
 
 jobs:
   keyring:
     runs-on: ubuntu-22.04
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: check runc.keyring
       run: make validate-keyring
 
   lint:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 2
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@v5
         with:
           go-version: "${{ env.GO_VERSION }}"
-          cache: false # golangci-lint-action does its own caching
       - name: install deps
         run: |
           sudo apt -q update
-          sudo apt -q install libseccomp-dev
-      - uses: golangci/golangci-lint-action@v3
+          sudo apt -qy install libseccomp-dev
+      - uses: golangci/golangci-lint-action@v6
         with:
-          version: v1.53
+          version: v1.57
       # Extra linters, only checking new code from a pull request.
       - name: lint-extra
         if: github.event_name == 'pull_request'
         run: |
-          golangci-lint run --config .golangci-extra.yml --new-from-rev=HEAD~1 --out-format=github-actions
+          golangci-lint run --config .golangci-extra.yml --new-from-rev=HEAD~1
 
   compile-buildtags:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     env:
       # Don't ignore C warnings. Note that the output of "go env CGO_CFLAGS" by default is "-g -O2", so we keep them.
       CGO_CFLAGS: -g -O2 -Werror
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: install go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
           go-version: "${{ env.GO_VERSION }}"
       - name: compile with no build tags
         run: make BUILDTAGS=""
 
   codespell:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: install deps
       # Version of codespell bundled with Ubuntu is way old, so use pip.
-      run: pip install codespell
+      run: pip install codespell==v2.3.0
     - name: run codespell
       run: codespell
 
   shfmt:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: shfmt
       run: make shfmt
 
   shellcheck:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: vars
         run: |
           echo 'VERSION=v0.8.0' >> $GITHUB_ENV
@@ -98,19 +97,20 @@ jobs:
         run : ./script/check-config.sh
 
   deps:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: install go
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@v5
       with:
         go-version: "${{ env.GO_VERSION }}"
+        check-latest: true
     - name: verify deps
       run: make verify-dependencies
 
 
   commit:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     # Only check commits on pull requests.
     if: github.event_name == 'pull_request'
     steps:
@@ -121,34 +121,34 @@ jobs:
           token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: check subject line length
-        uses: tim-actions/[email protected].1
+        uses: tim-actions/[email protected].2
         with:
           commits: ${{ steps.get-pr-commits.outputs.commits }}
           pattern: '^.{0,72}(\n.*)*$'
           error: 'Subject too long (max 72)'
 
   cfmt:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
     - name: checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
       with:
         fetch-depth: 0
     - name: install deps
       run: |
         sudo apt -qq update
-        sudo apt -qq install indent
+        sudo apt -qqy install indent
     - name: cfmt
       run: |
         make cfmt
         git diff --exit-code
 
 
   release:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
     - name: checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
       with:
         fetch-depth: 0
 
@@ -169,7 +169,7 @@ jobs:
     - name: make releaseall
       run: make releaseall
     - name: upload artifacts
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
         name: release-${{ github.run_id }}
         path: release/*
diff --git a/Dockerfile b/Dockerfile
@@ -1,10 +1,10 @@
-ARG GO_VERSION=1.20
+ARG GO_VERSION=1.21
 ARG BATS_VERSION=v1.9.0
-ARG LIBSECCOMP_VERSION=2.5.4
+ARG LIBSECCOMP_VERSION=2.5.5
 
-FROM golang:${GO_VERSION}-bullseye
+FROM golang:${GO_VERSION}-bookworm
 ARG DEBIAN_FRONTEND=noninteractive
-ARG CRIU_REPO=https://download.opensuse.org/repositories/devel:/tools:/criu/Debian_11
+ARG CRIU_REPO=https://download.opensuse.org/repositories/devel:/tools:/criu/Debian_12
 
 RUN KEYFILE=/usr/share/keyrings/criu-repo-keyring.gpg; \
     wget -nv $CRIU_REPO/Release.key -O- | gpg --dearmor > "$KEYFILE" \
@@ -31,6 +31,7 @@ RUN KEYFILE=/usr/share/keyrings/criu-repo-keyring.gpg; \
         sshfs \
         sudo \
         uidmap \
+        iproute2 \
     && apt-get clean \
     && rm -rf /var/cache/apt /var/lib/apt/lists/* /etc/apt/sources.list.d/*.list
 

diff --git a/Makefile b/Makefile
@@ -12,7 +12,7 @@ PROJECT := github.com/opencontainers/runc
 BUILDTAGS ?= seccomp
 
 COMMIT ?= $(shell git describe --dirty --long --always)
-VERSION := $(shell cat ./VERSION)
+VERSION ?= $(shell cat ./VERSION)
 LDFLAGS_COMMON := -X main.gitCommit=$(COMMIT) -X main.version=$(VERSION)
 
 GOARCH := $(shell $(GO) env GOARCH)

diff --git a/README.md b/README.md
@@ -28,6 +28,10 @@ A third party security audit was performed by Cure53, you can see the full repor
 
 `runc` only supports Linux. It must be built with Go version 1.17 or higher.
 
+NOTE: if building with Go 1.22.x, make sure to use 1.22.4 or a later version
+(see [issue #4233](https://github.com/opencontainers/runc/issues/4233) for
+more details).
+
 In order to enable seccomp support you will need to install `libseccomp` on your platform.
 > e.g. `libseccomp-devel` for CentOS, or `libseccomp-dev` for Ubuntu
 

diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-1.1.12-m3
+1.1.13-m1
diff --git a/Vagrantfile.fedora b/Vagrantfile.fedora
@@ -3,7 +3,7 @@
 
 Vagrant.configure("2") do |config|
 # Fedora box is used for testing cgroup v2 support
-  config.vm.box = "fedora/38-cloud-base"
+  config.vm.box = "fedora/39-cloud-base"
   config.vm.provider :virtualbox do |v|
     v.memory = 2048
     v.cpus = 2

diff --git a/features.go b/features.go
@@ -27,7 +27,7 @@ var featuresCommand = cli.Command{
 			return err
 		}
 
-		tru := true
+		t := true
 
 		feat := features.Features{
 			OCIVersionMin: "1.0.0",
@@ -43,23 +43,23 @@ var featuresCommand = cli.Command{
 				Namespaces:   specconv.KnownNamespaces(),
 				Capabilities: capabilities.KnownCapabilities(),
 				Cgroup: &features.Cgroup{
-					V1:          &tru,
-					V2:          &tru,
-					Systemd:     &tru,
-					SystemdUser: &tru,
+					V1:          &t,
+					V2:          &t,
+					Systemd:     &t,
+					SystemdUser: &t,
 				},
 				Apparmor: &features.Apparmor{
-					Enabled: &tru,
+					Enabled: &t,
 				},
 				Selinux: &features.Selinux{
-					Enabled: &tru,
+					Enabled: &t,
 				},
 			},
 		}
 
 		if seccomp.Enabled {
 			feat.Linux.Seccomp = &features.Seccomp{
-				Enabled:   &tru,
+				Enabled:   &t,
 				Actions:   seccomp.KnownActions(),
 				Operators: seccomp.KnownOperators(),
 				Archs:     seccomp.KnownArchs(),

diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/opencontainers/runc
 
-go 1.17
+go 1.18
 
 require (
 	github.com/checkpoint-restore/go-criu/v5 v5.3.0
@@ -20,8 +20,8 @@ require (
 	// NOTE: urfave/cli must be <= v1.22.1 due to a regression: https://github.com/urfave/cli/issues/1092
 	github.com/urfave/cli v1.22.1
 	github.com/vishvananda/netlink v1.1.0
-	golang.org/x/net v0.23.0
-	golang.org/x/sys v0.18.0
+	golang.org/x/net v0.24.0
+	golang.org/x/sys v0.19.0
 	google.golang.org/protobuf v1.33.0
 )