Merge pull request #450 from AkihiroSuda/dev

CI: update dependencies
rootless-containers · Jul 17, 2024 · 75f183f · 75f183f
2 parents df2f16d + c5a4fbf
commit 75f183f
Show file tree

Hide file tree

Showing 8 changed files with 63 additions and 46 deletions.
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -3,27 +3,38 @@ on: [push, pull_request]
 jobs:
   test-unit:
     name: "Unit test"
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
     - name: "Check out"
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: "Build unit test image"
       run: DOCKER_BUILDKIT=1 docker build -t rootlesskit:test-unit --target test-unit .
     - name: "Unit test"
       run: docker run --rm --privileged rootlesskit:test-unit
   test-cross:
     name: "Cross compilation test"
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: "Build binaries"
       run: DOCKER_BUILDKIT=1 docker build -o /tmp/artifact --target cross-artifact .
   test-integration:
     name: "Integration test"
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
+    - name: "Set up AppArmor"
+      run: |
+        cat <<EOT | sudo tee "/etc/apparmor.d/home.user.bin.rootlesskit"
+        abi <abi/4.0>,
+        include <tunables/global>
+
+        /home/user/bin/rootlesskit flags=(unconfined) {
+          userns,
+        }
+        EOT
+        sudo systemctl restart apparmor.service
     - name: "Check out"
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: "Build integration test image"
       run: DOCKER_BUILDKIT=1 docker build -t rootlesskit:test-integration --target test-integration .
     - name: "Integration test: exit-code"
@@ -174,10 +185,21 @@ jobs:
 
   test-integration-docker:
     name: "Integration test (Docker)"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
+    - name: "Set up AppArmor"
+      run: |
+        cat <<EOT | sudo tee "/etc/apparmor.d/home.user.bin.rootlesskit"
+        abi <abi/4.0>,
+        include <tunables/global>
+
+        /home/user/bin/rootlesskit flags=(unconfined) {
+          userns,
+        }
+        EOT
+        sudo systemctl restart apparmor.service
     - name: "Check out"
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: "Build integration test image"
       run: DOCKER_BUILDKIT=1 docker build -t rootlesskit:test-integration-docker --target test-integration-docker .
     - name: "Create a custom network to avoid IP confusion"

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -18,7 +18,7 @@ jobs:
   release:
     runs-on: ubuntu-22.04
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: "Build binaries"
       run: DOCKER_BUILDKIT=1 docker build -o /tmp/artifact --target cross-artifact .
     - name: "SHA256SUMS"

diff --git a/Dockerfile b/Dockerfile
@@ -1,10 +1,10 @@
 ARG GO_VERSION=1.22
-ARG UBUNTU_VERSION=22.04
-ARG SHADOW_VERSION=4.13
+ARG UBUNTU_VERSION=24.04
+ARG SHADOW_VERSION=4.16.0
 ARG SLIRP4NETNS_VERSION=v1.3.1
 ARG VPNKIT_VERSION=0.5.0
-ARG PASST_VERSION=2023_12_30.f091893
-ARG DOCKER_VERSION=25.0.2
+ARG PASST_VERSION=2024_06_24.1ee2eca
+ARG DOCKER_VERSION=27.0.3
 ARG DOCKER_CHANNEL=stable
 
 FROM golang:${GO_VERSION}-alpine AS build
@@ -35,7 +35,7 @@ CMD ["go","test","-v","-race","github.com/rootless-containers/rootlesskit/..."]
 # idmap runnable without --privileged (but still requires seccomp=unconfined apparmor=unconfined)
 FROM ubuntu:${UBUNTU_VERSION} AS idmap
 ENV DEBIAN_FRONTEND=noninteractive
-RUN apt-get update && apt-get install -y automake autopoint bison gettext git gcc libcap-dev libtool make
+RUN apt-get update && apt-get install -y automake autopoint bison gettext git gcc libbsd-dev libcap-dev libtool make pkg-config
 RUN git clone https://github.com/shadow-maint/shadow.git /shadow
 WORKDIR /shadow
 ARG SHADOW_VERSION
@@ -64,13 +64,14 @@ FROM ubuntu:${UBUNTU_VERSION} AS test-integration
 # libcap2-bin and curl: used by the RUN instructions in this Dockerfile.
 # bind9-dnsutils: for `nslookup` command used by integration-net.sh
 # systemd and uuid-runtime: for systemd-socket-activate used by integration-systemd-socket.sh
-RUN apt-get update && apt-get install -y iproute2 liblxc-common lxc-utils iperf3 busybox sudo libcap2-bin curl bind9-dnsutils systemd uuid-runtime
+# iptables: for Docker
+RUN apt-get update && apt-get install -y iproute2 liblxc-common lxc-utils iperf3 busybox sudo libcap2-bin curl bind9-dnsutils systemd uuid-runtime iptables
 COPY --from=idmap /usr/bin/newuidmap /usr/bin/newuidmap
 COPY --from=idmap /usr/bin/newgidmap /usr/bin/newgidmap
 RUN /sbin/setcap cap_setuid+eip /usr/bin/newuidmap && \
   /sbin/setcap cap_setgid+eip /usr/bin/newgidmap && \
-  useradd --create-home --home-dir /home/user --uid 1000 user && \
-  mkdir -p /run/user/1000 /etc/lxc && \
+  useradd --create-home --home-dir /home/user --uid 2000 user && \
+  mkdir -p /run/user/2000 /etc/lxc && \
   echo "user veth lxcbr0 32" > /etc/lxc/lxc-usernet && \
   echo "user ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/user
 COPY --from=artifact /rootlesskit /home/user/bin/
@@ -81,11 +82,11 @@ RUN curl -sSL -o /home/user/bin/slirp4netns https://github.com/rootless-containe
 COPY --from=vpnkit /vpnkit /home/user/bin/vpnkit
 COPY --from=passt /usr/local /usr/local
 ADD ./hack /home/user/hack
-RUN chown -R user:user /run/user/1000 /home/user
+RUN chown -R user:user /run/user/2000 /home/user
 USER user
 ENV HOME /home/user
 ENV USER user
-ENV XDG_RUNTIME_DIR=/run/user/1000
+ENV XDG_RUNTIME_DIR=/run/user/2000
 ENV PATH /home/user/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 ENV LD_LIBRARY_PATH=/home/user/lib
 WORKDIR /home/user/hack
@@ -99,7 +100,7 @@ RUN curl -fsSL -o /home/user/bin/dockerd-rootless.sh https://raw.githubuserconte
   chmod +x /home/user/bin/dockerd-rootless.sh
 ENV DOCKERD_ROOTLESS_ROOTLESSKIT_NET=slirp4netns
 ENV DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=builtin
-ENV DOCKER_HOST=unix:///run/user/1000/docker.sock
+ENV DOCKER_HOST=unix:///run/user/2000/docker.sock
 RUN mkdir -p /home/user/.local
 VOLUME /home/user/.local
 CMD ["dockerd-rootless.sh"]
diff --git a/go.mod b/go.mod
@@ -8,7 +8,7 @@ require (
 	github.com/gofrs/flock v0.12.0
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/mux v1.8.1
-	github.com/insomniacslk/dhcp v0.0.0-20230516061539-49801966e6cb
+	github.com/insomniacslk/dhcp v0.0.0-20240710054256-ddd8a41251c9
 	github.com/moby/sys/mountinfo v0.7.1
 	github.com/moby/vpnkit v0.5.0
 	github.com/sirupsen/logrus v1.9.3
@@ -21,10 +21,9 @@ require (
 require (
 	github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
-	github.com/josharian/native v1.1.0 // indirect
-	github.com/pierrec/lz4/v4 v4.1.17 // indirect
+	github.com/pierrec/lz4/v4 v4.1.21 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/u-root/uio v0.0.0-20230305220412-3e8cd9d6bf63 // indirect
-	github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913 // indirect
-	golang.org/x/net v0.25.0 // indirect
+	github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 // indirect
+	github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect
+	golang.org/x/net v0.27.0 // indirect
 )
diff --git a/go.sum b/go.sum
@@ -23,11 +23,8 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
 github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
-github.com/insomniacslk/dhcp v0.0.0-20230516061539-49801966e6cb h1:6fDKEAXwe3rsfS4khW3EZ8kEqmSiV9szhMPcDrD+Y7Q=
-github.com/insomniacslk/dhcp v0.0.0-20230516061539-49801966e6cb/go.mod h1:7474bZ1YNCvarT6WFKie4kEET6J0KYRDC4XJqqXzQW4=
-github.com/josharian/native v1.0.1-0.20221213033349-c1e37c09b531/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
-github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA=
-github.com/josharian/native v1.1.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
+github.com/insomniacslk/dhcp v0.0.0-20240710054256-ddd8a41251c9 h1:LZJWucZz7ztCqY6Jsu7N9g124iJ2kt/O62j3+UchZFg=
+github.com/insomniacslk/dhcp v0.0.0-20240710054256-ddd8a41251c9/go.mod h1:KclMyHxX06VrVr0DJmeFSUb1ankt7xTfoOA35pCkoic=
 github.com/moby/sys/mountinfo v0.7.1 h1:/tTvQaSJRr2FshkhXiIpux6fQ2Zvc4j7tAhMTStAG2g=
 github.com/moby/sys/mountinfo v0.7.1/go.mod h1:IJb6JQeOklcdMU9F5xQ8ZALD+CUr5VlGpwtX+VE0rpI=
 github.com/moby/vpnkit v0.5.0 h1:VcDpS9y+PmT9itf+mH5Qdh9GME7ungLMt9yjf9o4REY=
@@ -36,9 +33,8 @@ github.com/onsi/ginkgo/v2 v2.19.0 h1:9Cnnf7UHo57Hy3k6/m5k3dRfGTMXGvxhHFvkDTCTpvA
 github.com/onsi/ginkgo/v2 v2.19.0/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To=
 github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk=
 github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0=
-github.com/pierrec/lz4/v4 v4.1.14/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
-github.com/pierrec/lz4/v4 v4.1.17 h1:kV4Ip+/hUBC+8T6+2EgburRtkE9ef4nbY3f4dFhGjMc=
-github.com/pierrec/lz4/v4 v4.1.17/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
+github.com/pierrec/lz4/v4 v4.1.21 h1:yOVMLb6qSIDP67pl/5F7RepeKYu/VmTyEXvuMI5d9mQ=
+github.com/pierrec/lz4/v4 v4.1.21/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
@@ -51,21 +47,20 @@ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/u-root/uio v0.0.0-20230305220412-3e8cd9d6bf63 h1:YcojQL98T/OO+rybuzn2+5KrD5dBwXIvYBvQ2cD3Avg=
-github.com/u-root/uio v0.0.0-20230305220412-3e8cd9d6bf63/go.mod h1:eLL9Nub3yfAho7qB0MzZizFhTU2QkLeoVsWdHtDW264=
+github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 h1:pyC9PaHYZFgEKFdlp3G8RaCKgVpHZnecvArXvPXcFkM=
+github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701/go.mod h1:P3a5rG4X7tI17Nn3aOIAYr5HbIMukwXG0urG0WuL8OA=
 github.com/urfave/cli/v2 v2.27.2 h1:6e0H+AkS+zDckwPCUrZkKX38mRaau4nL2uipkJpbkcI=
 github.com/urfave/cli/v2 v2.27.2/go.mod h1:g0+79LmHHATl7DAcHO99smiR/T7uGLw84w8Y42x+4eM=
-github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913 h1:+qGGcbkzsfDQNPPe9UDgpxAWQrhbbBXOYJFQDq/dtJw=
-github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913/go.mod h1:4aEEwZQutDLsQv2Deui4iYQ6DWTxR14g6m8Wv88+Xqk=
-golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac=
-golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
+github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 h1:gEOO8jv9F4OT7lGCjxCBTO/36wtF6j2nSip77qHd4x4=
+github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1/go.mod h1:Ohn+xnUBiLI6FVj/9LpzZWtj1/D6lUovWYBkxHVV3aM=
+golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys=
+golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220622161953-175b2fd9d664/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
 golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk=
-golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
+golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
 golang.org/x/tools v0.21.0 h1:qc0xYgIbsSDt9EyWz05J5wfa7LOVW0YTLOXrqdLAWIw=
 golang.org/x/tools v0.21.0/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

diff --git a/hack/benchmark-iperf3-net.sh b/hack/benchmark-iperf3-net.sh
@@ -42,7 +42,7 @@ function benchmark::iperf3::lxc-user-nic() {
 	dev=lxcbr0
 	set -x
 	# ignore "lxc-net is already running" error
-	sudo /usr/lib/$(uname -m)-linux-gnu/lxc/lxc-net start || true
+	sudo /usr/lib/$(uname -m)-linux-gnu/lxc/lxc-net start || sudo /etc/init.d/lxc-net start || true
 	ip=$(ip -4 -o addr show $dev | awk '{print $4}' | cut -d "/" -f 1)
 	$ROOTLESSKIT --state-dir=$statedir --net=lxc-user-nic $@ -- $IPERF3C $ip
 	set +x

diff --git a/hack/integration-net.sh b/hack/integration-net.sh
@@ -16,6 +16,6 @@ INFO "net=${net} flags=$@"
 set -x
 if [ "${net}" = "lxc-user-nic" ]; then
 	# ignore "lxc-net is already running" error
-	sudo /usr/lib/$(uname -m)-linux-gnu/lxc/lxc-net start || true
+	sudo /usr/lib/$(uname -m)-linux-gnu/lxc/lxc-net start || sudo /etc/init.d/lxc-net start || true
 fi
 $ROOTLESSKIT --net=${net} --copy-up=/etc --copy-up=/run --disable-host-loopback ${flags} -- nslookup example.com
diff --git a/pkg/version/version.go b/pkg/version/version.go
@@ -1,3 +1,3 @@
 package version
 
-const Version = "2.1.0+dev"
+const Version = "2.2.0+dev"