From e660ef61a5f8677e22fb50e51cd4368d8f24d319 Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin
Date: Fri, 7 Jun 2024 09:04:16 -0700
Subject: [PATCH 1/7] libct/nsenter: stop blacklisting go 1.22+

Go 1.23 includes a fix (https://go.dev/cl/587919) so go1.23.x can be used. This fix is also backported to 1.22.4, so go1.22.x can also be used (when x >= 4). Finally, for glibc >= 2.32 it doesn't really matter. Add a note about Go 1.22.x > 1.22.4 to README as well.

Signed-off-by: Kir Kolyshkin
---
 README.md | 4 ++++
 libcontainer/nsenter/nsenter_go122.go | 15 ---------------
 2 files changed, 4 insertions(+), 15 deletions(-)
 delete mode 100644 libcontainer/nsenter/nsenter_go122.go

diff --git a/README.md b/README.md
index 6d8ac4d47ca..2cb8ed9f91e 100644
--- a/README.md
+++ b/README.md
@@ -29,6 +29,10 @@ A third party security audit was performed by Cure53, you can see the full repor
 `runc` only supports Linux. It must be built with Go version 1.19 or higher.
+NOTE: if building with Go 1.22.x, make sure to use 1.22.4 or a later version
+(see [issue #4233](https://github.com/opencontainers/runc/issues/4233) for
+more details).
+
 In order to enable seccomp support you will need to install `libseccomp` on your platform.
 > e.g. `libseccomp-devel` for CentOS, or `libseccomp-dev` for Ubuntu
diff --git a/libcontainer/nsenter/nsenter_go122.go b/libcontainer/nsenter/nsenter_go122.go
deleted file mode 100644
index 2b9ece0ad29..00000000000
--- a/libcontainer/nsenter/nsenter_go122.go
+++ /dev/null
@@ -1,15 +0,0 @@
-//go:build go1.22
-
-package nsenter
-
-/*
-// We know for sure that glibc has issues with pthread_self() when called from
-// Go after nsenter has run. This is likely a more general problem with how we
-// ignore the rules in signal-safety(7), and so it's possible musl will also
-// have issues, but as this is just a hotfix let's only block glibc builds.
-#include 
-#ifdef __GLIBC__
-# error "runc does not currently work properly with Go >=1.22. See ."
-#endif
-*/
-import "C"
From a3302f20548c6f7b3443985c8dccccf2f4889bd9 Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin
Date: Fri, 24 May 2024 16:55:03 -0700
Subject: [PATCH 2/7] ci: switch to go 1.22 as main version

Now when Go 1.22.4 is out it should no longer be a problem. Leave Go 1.21 for CentOS testing (CentOS 7 and 8 have older glibc) and Dockerfile (Debian 11 have older glibc).

Signed-off-by: Kir Kolyshkin
---
 .github/workflows/test.yml | 12 +++++++-----
 .github/workflows/validate.yml | 3 ++-
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index ea93554c02c..73cbf652d92 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -24,7 +24,7 @@ jobs:
 fail-fast: false
 matrix:
 os: [ubuntu-20.04, ubuntu-24.04, actuated-arm64-6cpu-8gb]
- go-version: [1.20.x, 1.21.x]
+ go-version: [1.21.x, 1.22.x]
 rootless: ["rootless", ""]
 race: ["-race", ""]
 criu: ["", "criu-dev"]
@@ -33,7 +33,7 @@ jobs:
 # Disable most of criu-dev jobs, as they are expensive
 # (need to compile criu) and don't add much value/coverage.
 - criu: criu-dev
- go-version: 1.20.x
+ go-version: 1.21.x
 - criu: criu-dev
 rootless: rootless
 - criu: criu-dev
@@ -45,12 +45,12 @@ jobs:
 - dmz: runc_nodmz
 os: ubuntu-20.04
 - dmz: runc_nodmz
- go-version: 1.20.x
+ go-version: 1.21.x
 - dmz: runc_nodmz
 rootless: rootless
 - dmz: runc_nodmz
 race: -race
- - go-version: 1.20.x
+ - go-version: 1.21.x
 os: actuated-arm64-6cpu-8gb
 - race: "-race"
 os: actuated-arm64-6cpu-8gb
@@ -147,6 +147,7 @@ jobs:
 uses: actions/setup-go@v5
 with:
 go-version: ${{ matrix.go-version }}
+ check-latest: true
 - name: build
 env:
@@ -225,7 +226,8 @@ jobs:
 - name: install go
 uses: actions/setup-go@v5
 with:
- go-version: 1.21.x # TODO: switch to 1.x (latest stable) once Go 1.22 vs glibc issue is fixed.
+ go-version: 1.x # Latest stable
+ check-latest: true
 - name: unit test
 env:
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index e5108c32dcb..ad4929b2326 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -8,7 +8,7 @@ on:
 - release-*
 pull_request:
 env:
- GO_VERSION: 1.20.x
+ GO_VERSION: 1.22.x
 permissions:
 contents: read
@@ -117,6 +117,7 @@ jobs:
 uses: actions/setup-go@v5
 with:
 go-version: "${{ env.GO_VERSION }}"
+ check-latest: true
 - name: verify deps
 run: make verify-dependencies

From 17380da2772e932e8febe091cfe13ec26e05099c Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin
Date: Thu, 30 May 2024 11:16:41 -0700
Subject: [PATCH 3/7] Dockerfile: switch to Go 1.22 and Debian 12

Signed-off-by: Kir Kolyshkin
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 79e0aafbf1a..d04a958892d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-ARG GO_VERSION=1.21
+ARG GO_VERSION=1.22
 ARG BATS_VERSION=v1.9.0
 ARG LIBSECCOMP_VERSION=2.5.5

From 6b2eb52fb08de4c33473ea54bb50d892b2003f5d Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin
Date: Fri, 24 May 2024 17:03:06 -0700
Subject: [PATCH 4/7] go.mod,README: require Go 1.21

Go 1.20 was released in February 2023 and is no longer supported since February 2024. Time to move on.

Signed-off-by: Kir Kolyshkin
---
 README.md | 2 +-
 go.mod | 2 +-
 go.sum | 5 +++++
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 2cb8ed9f91e..2d532f984fe 100644
--- a/README.md
+++ b/README.md
@@ -27,7 +27,7 @@ A third party security audit was performed by Cure53, you can see the full repor
 ## Building
-`runc` only supports Linux. It must be built with Go version 1.19 or higher.
+`runc` only supports Linux. It must be built with Go version 1.21 or higher.
 NOTE: if building with Go 1.22.x, make sure to use 1.22.4 or a later version
 (see [issue #4233](https://github.com/opencontainers/runc/issues/4233) for
diff --git a/go.mod b/go.mod
index 9c15a6bffd1..98b23ab872d 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/opencontainers/runc
-go 1.20
+go 1.21
 require (
 github.com/checkpoint-restore/go-criu/v6 v6.3.0
diff --git a/go.sum b/go.sum
index 59f2fc9fb26..13b88a4850c 100644
--- a/go.sum
+++ b/go.sum
@@ -17,15 +17,19 @@ github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/frankban/quicktest v1.14.5 h1:dfYrrRyLtiqT9GyKXgdh+k4inNeTvmGbuSgZ3lx3GhA=
+github.com/frankban/quicktest v1.14.5/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
 github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/moby/sys/mountinfo v0.7.1 h1:/tTvQaSJRr2FshkhXiIpux6fQ2Zvc4j7tAhMTStAG2g=
 github.com/moby/sys/mountinfo v0.7.1/go.mod h1:IJb6JQeOklcdMU9F5xQ8ZALD+CUr5VlGpwtX+VE0rpI=
 github.com/moby/sys/user v0.1.0 h1:WmZ93f5Ux6het5iituh9x2zAG7NFY9Aqi49jjE1PaQg=
@@ -39,6 +43,7 @@ github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M5
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
+github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/seccomp/libseccomp-golang v0.10.0 h1:aA4bp+/Zzi0BnWZ2F1wgNBs5gTpm+na2rWM6M9YjLpY=

From a1e87f8d76456a46b487f13e2e805d64723a0a1d Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin
Date: Fri, 24 May 2024 16:56:40 -0700
Subject: [PATCH 5/7] libct: rm eaccess

It is not needed since Go 1.20 (which was released in February 2023 and is no longer supported since February 2024).

Signed-off-by: Kir Kolyshkin
---
 libcontainer/eaccess_go119.go | 17 -----------------
 libcontainer/eaccess_stub.go | 10 ----------
 libcontainer/setns_init_linux.go | 7 -------
 libcontainer/standard_init_linux.go | 7 -------
 4 files changed, 41 deletions(-)
 delete mode 100644 libcontainer/eaccess_go119.go
 delete mode 100644 libcontainer/eaccess_stub.go

diff --git a/libcontainer/eaccess_go119.go b/libcontainer/eaccess_go119.go
deleted file mode 100644
index cc1e2079a79..00000000000
--- a/libcontainer/eaccess_go119.go
+++ /dev/null
@@ -1,17 +0,0 @@
-//go:build !go1.20
-// +build !go1.20
-
-package libcontainer
-
-import "golang.org/x/sys/unix"
-
-func eaccess(path string) error {
- // This check is similar to access(2) with X_OK except for
- // setuid/setgid binaries where it checks against the effective
- // (rather than real) uid and gid. It is not needed in go 1.20
- // and beyond and will be removed later.
-
- // Relies on code added in https://go-review.googlesource.com/c/sys/+/468877
- // and older CLs linked from there.
- return unix.Faccessat(unix.AT_FDCWD, path, unix.X_OK, unix.AT_EACCESS)
-}
diff --git a/libcontainer/eaccess_stub.go b/libcontainer/eaccess_stub.go
deleted file mode 100644
index 7c049fd7aa0..00000000000
--- a/libcontainer/eaccess_stub.go
+++ /dev/null
@@ -1,10 +0,0 @@
-//go:build go1.20
-
-package libcontainer
-
-func eaccess(path string) error {
- // Not needed in Go 1.20+ as the functionality is already in there
- // (added by https://go.dev/cl/416115, https://go.dev/cl/414824,
- // and fixed in Go 1.20.2 by https://go.dev/cl/469956).
- return nil
-}
diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go
index de3a15f6e2f..d14198772aa 100644
--- a/libcontainer/setns_init_linux.go
+++ b/libcontainer/setns_init_linux.go
@@ -117,13 +117,6 @@ func (l *linuxSetnsInit) Init() error {
 if err != nil {
 return err
 }
- // exec.LookPath in Go < 1.20 might return no error for an executable
- // residing on a file system mounted with noexec flag, so perform this
- // extra check now while we can still return a proper error.
- // TODO: remove this once go < 1.20 is not supported.
- if err := eaccess(name); err != nil {
- return &os.PathError{Op: "eaccess", Path: name, Err: err}
- }
 // Set seccomp as close to execve as possible, so as few syscalls take
 // place afterward (reducing the amount of syscalls that users need to
 // enable in their seccomp profiles).
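Review bot: With the eaccess() call removed, the noexec-mount and setuid/setgid cases that the deleted comment describes now rest entirely on exec.LookPath (presumably the call whose error is tested by the `if err != nil` lines at the top of this hunk), and nothing at the call site records why that is sufficient any more. The deleted eaccess_stub.go carried that rationale and the removal is consistent with go.mod now requiring Go 1.21, so I would move the rationale rather than lose it, e.g. `// exec.LookPath performs an eaccess(2)-style check itself since Go 1.20 (https://go.dev/cl/414824, fixed in 1.20.2 by https://go.dev/cl/469956), so no extra noexec/setuid check is needed before seccomp is applied.` The same applies to the identical hunk in libcontainer/standard_init_linux.go below. Init() begins and ends outside this hunk.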
diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
index 4b7aa677509..ec2e814370a 100644
--- a/libcontainer/standard_init_linux.go
+++ b/libcontainer/standard_init_linux.go
@@ -211,13 +211,6 @@ func (l *linuxStandardInit) Init() error {
 if err != nil {
 return err
 }
- // exec.LookPath in Go < 1.20 might return no error for an executable
- // residing on a file system mounted with noexec flag, so perform this
- // extra check now while we can still return a proper error.
- // TODO: remove this once go < 1.20 is not supported.
- if err := eaccess(name); err != nil {
- return &os.PathError{Op: "eaccess", Path: name, Err: err}
- }
 // Set seccomp as close to execve as possible, so as few syscalls take
 // place afterward (reducing the amount of syscalls that users need to

From b7fdd524cb3758b373d873831dea02bd1499e8b3 Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin
Date: Fri, 24 May 2024 17:00:38 -0700
Subject: [PATCH 6/7] libct: use slices package

As we're no longer supporting Go < 1.21.

Signed-off-by: Kir Kolyshkin
---
 libcontainer/container_linux.go | 17 ++++-------------
 1 file changed, 4 insertions(+), 13 deletions(-)

diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
index 13be71ccb89..ad49244a889 100644
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -10,6 +10,7 @@ import (
 "path"
 "path/filepath"
 "reflect"
+ "slices"
 "strconv"
 "strings"
 "sync"
@@ -452,16 +453,6 @@ func (c *Container) includeExecFifo(cmd *exec.Cmd) error {
 return nil
 }
-// No longer needed in Go 1.21.
-func slicesContains[S ~[]E, E comparable](slice S, needle E) bool {
- for _, val := range slice {
- if val == needle {
- return true
- }
- }
- return false
-}
-
 func isDmzBinarySafe(c *configs.Config) bool {
 // Because we set the dumpable flag in nsexec, the only time when it is
 // unsafe to use runc-dmz is when the container process would be able to
@@ -472,9 +463,9 @@ func isDmzBinarySafe(c *configs.Config) bool {
 // inheritable, or ambient sets). Luckily, most containers do not have this
 // capability.
 if c.Capabilities == nil ||
- (!slicesContains(c.Capabilities.Bounding, "CAP_SYS_PTRACE") &&
- !slicesContains(c.Capabilities.Inheritable, "CAP_SYS_PTRACE") &&
- !slicesContains(c.Capabilities.Ambient, "CAP_SYS_PTRACE")) {
+ (!slices.Contains(c.Capabilities.Bounding, "CAP_SYS_PTRACE") &&
+ !slices.Contains(c.Capabilities.Inheritable, "CAP_SYS_PTRACE") &&
+ !slices.Contains(c.Capabilities.Ambient, "CAP_SYS_PTRACE")) {
 return true
 }

From 3019e842de904de2d6259aca906d11fc36453b07 Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin
Date: Fri, 24 May 2024 17:02:39 -0700
Subject: [PATCH 7/7] libct/cg: use clear built-in

As we no longer support Go < 1.21.

Signed-off-by: Kir Kolyshkin
---
 libcontainer/cgroups/utils.go | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/libcontainer/cgroups/utils.go b/libcontainer/cgroups/utils.go
index 186cbc6413f..8bec8c36f16 100644
--- a/libcontainer/cgroups/utils.go
+++ b/libcontainer/cgroups/utils.go
@@ -275,9 +275,7 @@ func RemovePaths(paths map[string]string) (err error) {
 }
 }
 if len(paths) == 0 {
- //nolint:ineffassign,staticcheck // done to help garbage collecting: opencontainers/runc#2506
- // TODO: switch to clear once Go < 1.21 is not supported.
- paths = make(map[string]string)
+ clear(paths)
 return nil
 }
 return fmt.Errorf("Failed to remove paths: %v", paths)
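Review bot: `clear(paths)` in the utils.go hunk is only reached inside `if len(paths) == 0`, so as far as the hunk shows it never removes an entry; the `paths = make(...)` it replaces was equally ineffective (it rebound the local parameter, hence the `//nolint:ineffassign`), so behaviour is unchanged, but the new line reads as though it does real work and the opencontainers/runc#2506 reference that explained the intent is gone. I would either drop the statement and leave `if len(paths) == 0 { return nil }`, or keep it with a one-line why-comment naming #2506 and what clearing an already-empty map is expected to achieve, so the next reader does not have to rediscover this. Note that, unlike the old assignment, `clear` does act on the caller's map, which is harmless here only because the map is empty on this path. RemovePaths starts at the hunk header and its closing brace lies outside the hunk.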