
Sync with v1.1.13 #7

Merged: 59 commits from the sync-with-v1.1.13 branch into Mirantis:release-1.1-m, Jul 11, 2024

Conversation

aepifanov
Collaborator

No description provided.

kolyshkin and others added 30 commits April 2, 2024 14:12
Signed-off-by: lfbzhm <[email protected]>
(cherry picked from commit a596a05)
Signed-off-by: Kir Kolyshkin <[email protected]>
Signed-off-by: TTFISH <[email protected]>
(cherry picked from commit eb55472)
Signed-off-by: Kir Kolyshkin <[email protected]>
Apparently, sometimes a short-lived "runc run" produces a result with \r
and sometimes without. As a result, we have an occasional failure of
the "runc run with tmpfs perms" test.

The solution (to the flaky test) is to use the first line of the output
(like many other tests do).

Signed-off-by: Kir Kolyshkin <[email protected]>
(cherry picked from commit 6d27922)
Signed-off-by: Kir Kolyshkin <[email protected]>
This adds support for syscalls up to Linux 6.7-rc3.

Signed-off-by: Aleksa Sarai <[email protected]>
(cherry picked from commit cdccf6d)
Signed-off-by: Kir Kolyshkin <[email protected]>
[1.1] chore: silencing security false positives caused by golang.org/x/net
Signed-off-by: Kir Kolyshkin <[email protected]>
(cherry picked from commit 8732ead)
Signed-off-by: Kir Kolyshkin <[email protected]>
[1.1] Vagrantfile.fedora: bump Fedora to 39
The motivation behind this change is to provide a flexible mechanism for
containers within a Kubernetes cluster to opt out of FIPS mode when necessary.
This change enables apps to simulate FIPS mode being enabled or disabled for testing
purposes. Users can control whether apps believe FIPS mode is on or off by manipulating
`/proc/sys/crypto/fips_enabled`.

Signed-off-by: Sohan Kunkerkar <[email protected]>
[1.1] libcontainer: force apps to think fips is enabled/disabled for testing
this allows using a custom version string while building runc
without modifying the VERSION file

Signed-off-by: Akhil Mohan <[email protected]>
(cherry picked from commit 9d9273c)
Signed-off-by: Akhil Mohan <[email protected]>
[1.1] allow overriding VERSION value in Makefile
Instead of a huge if {} block, use continue.

Best reviewed with --ignore-all-space.

Signed-off-by: Kir Kolyshkin <[email protected]>
(cherry picked from commit 095929b)
Signed-off-by: Kir Kolyshkin <[email protected]>
Since commit 5516294 we can (and should) use Info() to get access to
file stat. Do this.

While going over directory entries, a parallel runc delete can remove
an entry, and with the current code it results in a fatal error (which
was not observed in practice, but looks quite possible). To fix,
add a special case to continue on ErrNotExist.

Signed-off-by: Kir Kolyshkin <[email protected]>
(cherry picked from commit 1a3ee49)
Signed-off-by: Kir Kolyshkin <[email protected]>
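An added illustration (not runc's own code) of the ErrNotExist handling described in the commit above: the entries from one ReadDir call are stat'ed through DirEntry.Info(), and an entry that a parallel delete removed in the meantime is skipped rather than treated as fatal. Function names and the temporary directory layout are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// liveContainerDirs processes the entries one os.ReadDir call returned, taking the
// stat from DirEntry.Info() as the commit describes. An entry that a concurrent
// "runc delete" removed after ReadDir makes Info() fail with ErrNotExist; that
// entry is skipped instead of turning the whole listing into a fatal error.
func liveContainerDirs(entries []os.DirEntry) ([]string, error) {
	var names []string
	for _, e := range entries {
		st, err := e.Info()
		if err != nil {
			if errors.Is(err, os.ErrNotExist) {
				continue // deleted in the meantime: not an error for "list"
			}
			return nil, err
		}
		if !st.IsDir() {
			continue // container state always lives in a directory
		}
		names = append(names, e.Name())
	}
	return names, nil
}

func main() {
	root, err := os.MkdirTemp("", "runc-list-demo") // constructed stand-in for the root dir
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	for _, n := range []string{"alive", "gone"} {
		if err := os.Mkdir(filepath.Join(root, n), 0o755); err != nil {
			panic(err)
		}
	}
	entries, _ := os.ReadDir(root)
	_ = os.Remove(filepath.Join(root, "gone")) // the "parallel runc delete"
	names, err := liveContainerDirs(entries)
	fmt.Println(names, err) // [alive] <nil>
}
```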
This is not used since commit dac4171.
It will be removed in v1.2.0

Signed-off-by: Kir Kolyshkin <[email protected]>
(cherry picked from commit dbd0c33)
Signed-off-by: lifubang <[email protected]>
Do not refer to the function which was removed.

Signed-off-by: Kir Kolyshkin <[email protected]>
(cherry picked from commit bac5064)
Signed-off-by: lifubang <[email protected]>
Issue: opencontainers#4195
Since https://go-review.googlesource.com/c/go/+/476097, there is
a get/set race between runc exec and syscall.rlimit.init, so we
need to call setupRlimits after syscall.rlimit.init() completed.

Signed-off-by: lifubang <[email protected]>
(cherry picked from commit a853a82)
Signed-off-by: lifubang <[email protected]>
The complete generic features are supported since go 1.18

Signed-off-by: lfbzhm <[email protected]>
As reported in issue opencontainers#4195, the new version (since 1.19) of go runtime
will cache rlimit-nofile. Before executing execve, the rlimit-nofile
of the process will be restored with the cache. In runc, this will
cause the rlimit-nofile set by the parent process for the container
to become invalid. It can be solved by clearing the cache.

Signed-off-by: ls-ggg <[email protected]>
(cherry picked from commit f9f8abf)
Signed-off-by: lifubang <[email protected]>
(cherry picked from commit da68c8e)
Signed-off-by: lifubang <[email protected]>
issues:
opencontainers#4195
opencontainers#4265 (comment)

Signed-off-by: lifubang <[email protected]>
(cherry picked from commit 4ea0bf8)
Signed-off-by: lfbzhm <[email protected]>
Signed-off-by: lifubang <[email protected]>
(cherry picked from commit a35f7d8)
Signed-off-by: lifubang <[email protected]>
[1.1] runc list: fix race with runc delete
…filerlimit

[1.1] Fix set nofile rlimit error
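As an added example (not runc's code) of the Go runtime behaviour the nofile rlimit commits above describe: a limit applied with a raw prlimit leaves the runtime's cached original RLIMIT_NOFILE in place, so the exec'd child gets the old limit back, while applying it through syscall.Setrlimit clears that cache and the child inherits the new value. Assumes Linux, Go 1.19 or later and /bin/sh; the function names and the target limit are constructed.

```go
package main

import (
	"fmt"
	"os/exec"
	"strconv"
	"strings"
	"syscall"
	"unsafe"
)

// setNofileBypassingGo applies RLIMIT_NOFILE with a raw prlimit64(2), as a wrapper
// outside package syscall does. Since Go 1.19 the runtime caches the original soft
// limit at startup (when soft != hard) and restores it in the child on exec; this
// call leaves that cache alone, so the new limit is silently undone in the child.
func setNofileBypassingGo(soft, hard uint64) syscall.Errno {
	lim := syscall.Rlimit{Cur: soft, Max: hard}
	_, _, errno := syscall.Syscall6(syscall.SYS_PRLIMIT64, 0,
		uintptr(syscall.RLIMIT_NOFILE), uintptr(unsafe.Pointer(&lim)), 0, 0, 0)
	return errno
}

// setNofileClearingCache applies the same limit through syscall.Setrlimit, which
// also drops the runtime's cached original, so the child inherits what was set.
func setNofileClearingCache(soft, hard uint64) error {
	return syscall.Setrlimit(syscall.RLIMIT_NOFILE, &syscall.Rlimit{Cur: soft, Max: hard})
}

// nofileSeenByChild execs /bin/sh and returns the soft limit the child reports.
func nofileSeenByChild() (uint64, error) {
	out, err := exec.Command("/bin/sh", "-c", "ulimit -n").Output()
	if err != nil {
		return 0, err
	}
	return strconv.ParseUint(strings.TrimSpace(string(out)), 10, 64)
}

func main() {
	var lim syscall.Rlimit
	if err := syscall.Getrlimit(syscall.RLIMIT_NOFILE, &lim); err != nil {
		panic(err)
	}
	soft := lim.Max - 1 // constructed target: differs from the runtime-raised soft limit
	_ = setNofileBypassingGo(soft, lim.Max)
	got, _ := nofileSeenByChild()
	fmt.Printf("raw prlimit:       set %d, child saw %d\n", soft, got)
	_ = setNofileClearingCache(soft, lim.Max)
	got, _ = nofileSeenByChild()
	fmt.Printf("syscall.Setrlimit: set %d, child saw %d\n", soft, got)
}
```

Whether the first child sees the old or the new limit depends on whether the runtime cached a lower original at startup; the second child always sees the value just set.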
The issue is the same as in commit 1b2adcf but for RT scheduler;
the fix is also the same.

Test case by ls-ggg.

Co-authored-by: ls-ggg <[email protected]>
Signed-off-by: Kir Kolyshkin <[email protected]>
(cherry picked from commit b60079e)
Signed-off-by: Kir Kolyshkin <[email protected]>
[1.1] libct/cg/fs: fix setting rt_period vs rt_runtime
./features.go:30: tru ==> through, true
...
./utils_linux.go:147: infront ==> in front

Signed-off-by: Kir Kolyshkin <[email protected]>
(cherry picked from commit 177c7d4)
Signed-off-by: lifubang <[email protected]>
CI should not fail and require attention every time a new codespell
version is released.

Signed-off-by: Kir Kolyshkin <[email protected]>
(cherry picked from commit b24fc9d)
Signed-off-by: lifubang <[email protected]>
dependabot bot and others added 22 commits June 7, 2024 11:18
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 3 to 4.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](golangci/golangci-lint-action@v3...v4)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
(cherry picked from commit 27cbabd)
Signed-off-by: Kir Kolyshkin <[email protected]>
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3 to 4.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@v3...v4)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
(cherry picked from commit 7b65578)
Signed-off-by: Kir Kolyshkin <[email protected]>
Bumps [tim-actions/commit-message-checker-with-regex](https://github.com/tim-actions/commit-message-checker-with-regex) from 0.3.1 to 0.3.2.
- [Release notes](https://github.com/tim-actions/commit-message-checker-with-regex/releases)
- [Commits](tim-actions/commit-message-checker-with-regex@v0.3.1...v0.3.2)

---
updated-dependencies:
- dependency-name: tim-actions/commit-message-checker-with-regex
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
(cherry picked from commit fe6f33b)
Signed-off-by: Kir Kolyshkin <[email protected]>
Same as commit 2d0cd0b in main branch.

Signed-off-by: Kir Kolyshkin <[email protected]>
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4 to 5.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@v4...v5)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
(cherry picked from commit e66ba70)
Signed-off-by: Kir Kolyshkin <[email protected]>
This is a partial backport of commits 953e1cc and b32655d
from the main branch.

Signed-off-by: Kir Kolyshkin <[email protected]>
Signed-off-by: Akihiro Suda <[email protected]>
(cherry picked from commit 30dc98f)
Signed-off-by: Kir Kolyshkin <[email protected]>
Since v5 removes caching [1], re-enable setup-go cache.

[1] golangci/golangci-lint-action#1024

Signed-off-by: Kir Kolyshkin <[email protected]>
(cherry picked from commit 6bcc736)
Signed-off-by: Kir Kolyshkin <[email protected]>
Note that github-actions output format is deprecated and no longer supported,
and it is also no longer needed since setup-go problem matcher already
handles default golangci-lint output format ("colored-line-number").

Signed-off-by: Kir Kolyshkin <[email protected]>
(cherry picked from commit f452f66)
Signed-off-by: Kir Kolyshkin <[email protected]>
Signed-off-by: Kir Kolyshkin <[email protected]>
Currently, it is at v1.54.2.

Signed-off-by: Kir Kolyshkin <[email protected]>
(cherry picked from commit 17e7e23)
Signed-off-by: Kir Kolyshkin <[email protected]>
Signed-off-by: Kir Kolyshkin <[email protected]>
(cherry picked from commit d63018c)
Signed-off-by: Kir Kolyshkin <[email protected]>
Signed-off-by: lifubang <[email protected]>
(cherry picked from commit 75e0219)
Signed-off-by: Kir Kolyshkin <[email protected]>
Go 1.23 includes a fix (https://go.dev/cl/587919) so go1.23.x can be
used. This fix is also backported to 1.22.4, so go1.22.x can also be
used (when x >= 4). Finally, for glibc >= 2.32 it doesn't really matter.

Add a note about Go 1.22.x > 1.22.4 to README as well.

Signed-off-by: Kir Kolyshkin <[email protected]>
(cherry picked from commit e660ef6)
Signed-off-by: Kir Kolyshkin <[email protected]>
Now when Go 1.22.4 is out it should no longer be a problem.

Leave Go 1.21 for CentOS testing (CentOS 7 and 8 have older glibc)
and Dockerfile (Debian 11 has older glibc).

Signed-off-by: Kir Kolyshkin <[email protected]>
(cherry picked from commit a3302f2)
Signed-off-by: Kir Kolyshkin <[email protected]>
Signed-off-by: Kir Kolyshkin <[email protected]>
(cherry picked from commit b74b33c)
Signed-off-by: Kir Kolyshkin <[email protected]>
Signed-off-by: lfbzhm <[email protected]>
(cherry picked from commit 24c2d28)
Signed-off-by: lifubang <[email protected]>
I used script/keyring_validate.sh, which gave me this error:

> [*] User cyphar in runc.keyring is not a maintainer!

Apparently, when gnupg 2.4.1+ sees a fresh install (i.e. no ~/.gnupg
directory), it configures itself to use keyboxd instead of keyring
files, and then just silently ignores options like --keyring and
--no-default-keyring, working with keyboxd all the time.

The only way I found to make it not use keyboxd is to set --homedir.
Let's do that when we explicitly want a separate keyring.

A similar change is made to script/release_key.sh.

Also, change "--import --import-options=show-only" to "--show-keys"
which is a shortcut. When using this, there is no need to protect
the default keyring since this command does not read or modify it.

Signed-off-by: Kir Kolyshkin <[email protected]>
(cherry picked from commit 760105a)
Signed-off-by: lifubang <[email protected]>
[1.1] fix a debug msg for user ns in nsexec
[1.1] script/*: fix gpg usage wrt keyboxd
Signed-off-by: lifubang <[email protected]>
@aepifanov aepifanov requested a review from corhere July 11, 2024 19:06
@aepifanov aepifanov force-pushed the sync-with-v1.1.13 branch from a92c699 to 3ddef87 July 11, 2024 19:07
v1.1.13 -- "There is no certainty in the world. This is the only certainty I have."

This is the thirteenth patch release in the 1.1.z release branch of runc. It
brings in Go 1.12.x compatibility and fixes a few issues, including an
occasional wrong nofile rlimit in runc exec, and a race between runc list and
runc delete.

NOTE that if using Go 1.22.x to build runc, make sure to use 1.22.4 or a later version.
For more details, see issue opencontainers#4233.

 * Support go 1.22.4+. (opencontainers#4313)
 * runc list: fix race with runc delete. (opencontainers#4231)
 * Fix set nofile rlimit error. (opencontainers#4277, opencontainers#4299)
 * libct/cg/fs: fix setting rt_period vs rt_runtime. (opencontainers#4284)
 * Fix a debug msg for user ns in nsexec. (opencontainers#4315)
 * script/*: fix gpg usage wrt keyboxd. (opencontainers#4316)
 * CI fixes and misc backports. (opencontainers#4241)
 * Fix codespell warnings. (opencontainers#4300)
 * Silence security false positives from golang/net. (opencontainers#4244)
 * libcontainer: allow containers to make apps think fips is enabled/disabled for testing. (opencontainers#4257)
 * allow overriding VERSION value in Makefile. (opencontainers#4270)
 * Vagrantfile.fedora: bump Fedora to 39. (opencontainers#4261)
 * ci/cirrus: rm centos stream 8. (opencontainers#4305, opencontainers#4308)

Thanks to all of the contributors who made this release possible:

 * Akhil Mohan <[email protected]>
 * Akihiro Suda <[email protected]>
 * Aleksa Sarai <[email protected]>
 * Kir Kolyshkin <[email protected]>
 * Sohan Kunkerkar <[email protected]>
 * TTFISH <[email protected]>
 * kychen <[email protected]>
 * lifubang <[email protected]>
 * ls-ggg <[email protected]>

Signed-off-by: Kir Kolyshkin <[email protected]>

# gpg: Signature made Thu Jun 13 08:46:46 2024 PDT
# gpg:                using RSA key C2428CD75720FACDCF76B6EA17DE5ECB75A1100E
# gpg: Can't check signature: No public key
@aepifanov aepifanov force-pushed the sync-with-v1.1.13 branch from 3ddef87 to 3abdcda July 11, 2024 19:09
@aepifanov aepifanov requested a review from dperny July 11, 2024 19:21
@aepifanov aepifanov merged commit f4d99b8 into Mirantis:release-1.1-m Jul 11, 2024
24 checks passed
@aepifanov aepifanov deleted the sync-with-v1.1.13 branch July 11, 2024 19:53