Remove crypto/tls dependency

It appears that when we import github.com/coreos/go-systemd/activation,
it brings in the whole crypto/tls package (which is not used by runc
directly or indirectly), making the runc binary size larger and
potentially creating issues with FIPS compliance.

Let's copy the code of function we use from go-systemd/activation
to avoid that.

The space savings are:

$ size runc.before runc.after
   text	   data	    bss	    dec	    hex	filename
7101084	5049593	 271560	12422237	 bd8c5d	runc.before
6508796	4623281	 229128	11361205	 ad5bb5	runc.after

Reported-by: Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

internal/third_party/systemd/activation/files_unix.go

@@ -15,6 +15,10 @@
 //go:build !windows
 
 // Package activation implements primitives for systemd socket activation.
+//
+// It is a partial copy of https://github.com/coreos/go-systemd/v22/activation
+// (https://github.com/coreos/go-systemd/blob/ce60782c0aabb616faa8e60f91e639d91f631e99/activation/files_unix.go),
+// to avoid bringing in crypto/tls dependency.
 package activation
 
 import (
@@ -51,7 +55,7 @@ func Files(unsetEnv bool) []*os.File {
 	}
 
 	nfds, err := strconv.Atoi(os.Getenv("LISTEN_FDS"))
-	if err != nil || nfds == 0 {
+	if err != nil || nfds <= 0 {
 		return nil
 	}
 

utils_linux.go

@@ -9,7 +9,6 @@ import (
 	"path/filepath"
 	"strconv"
 
-	"github.com/coreos/go-systemd/v22/activation"
 	"github.com/opencontainers/runtime-spec/specs-go"
 	selinux "github.com/opencontainers/selinux/go-selinux"
 	"github.com/sirupsen/logrus"
@@ -17,6 +16,7 @@ import (
 	"golang.org/x/sys/unix"
 
 	"github.com/opencontainers/runc/internal/pathrs"
+	"github.com/opencontainers/runc/internal/third_party/systemd/activation"
 	"github.com/opencontainers/runc/libcontainer"
 	"github.com/opencontainers/runc/libcontainer/configs"
 	"github.com/opencontainers/runc/libcontainer/specconv"

vendor/github.com/coreos/go-systemd/v22/activation/files_windows.go

@@ -1,21 +0,0 @@
-// Copyright 2015 CoreOS, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package activation
-
-import "os"
-
-func Files(unsetEnv bool) []*os.File {
-	return nil
-}

vendor/github.com/coreos/go-systemd/v22/activation/listeners.go

@@ -1,103 +0,0 @@
-// Copyright 2015 CoreOS, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package activation
-
-import (
-	"crypto/tls"
-	"net"
-)
-
-// Listeners returns a slice containing a net.Listener for each matching socket type
-// passed to this process.
-//
-// The order of the file descriptors is preserved in the returned slice.
-// Nil values are used to fill any gaps. For example if systemd were to return file descriptors
-// corresponding with "udp, tcp, tcp", then the slice would contain {nil, net.Listener, net.Listener}
-func Listeners() ([]net.Listener, error) {
-	files := Files(true)
-	listeners := make([]net.Listener, len(files))
-
-	for i, f := range files {
-		if pc, err := net.FileListener(f); err == nil {
-			listeners[i] = pc
-			f.Close()
-		}
-	}
-	return listeners, nil
-}
-
-// ListenersWithNames maps a listener name to a set of net.Listener instances.
-func ListenersWithNames() (map[string][]net.Listener, error) {
-	files := Files(true)
-	listeners := map[string][]net.Listener{}
-
-	for _, f := range files {
-		if pc, err := net.FileListener(f); err == nil {
-			current, ok := listeners[f.Name()]
-			if !ok {
-				listeners[f.Name()] = []net.Listener{pc}
-			} else {
-				listeners[f.Name()] = append(current, pc)
-			}
-			f.Close()
-		}
-	}
-	return listeners, nil
-}
-
-// TLSListeners returns a slice containing a net.listener for each matching TCP socket type
-// passed to this process.
-// It uses default Listeners func and forces TCP sockets handlers to use TLS based on tlsConfig.
-func TLSListeners(tlsConfig *tls.Config) ([]net.Listener, error) {
-	listeners, err := Listeners()
-
-	if listeners == nil || err != nil {
-		return nil, err
-	}
-
-	if tlsConfig != nil {
-		for i, l := range listeners {
-			// Activate TLS only for TCP sockets
-			if l.Addr().Network() == "tcp" {
-				listeners[i] = tls.NewListener(l, tlsConfig)
-			}
-		}
-	}
-
-	return listeners, err
-}
-
-// TLSListenersWithNames maps a listener name to a net.Listener with
-// the associated TLS configuration.
-func TLSListenersWithNames(tlsConfig *tls.Config) (map[string][]net.Listener, error) {
-	listeners, err := ListenersWithNames()
-
-	if listeners == nil || err != nil {
-		return nil, err
-	}
-
-	if tlsConfig != nil {
-		for _, ll := range listeners {
-			// Activate TLS only for TCP sockets
-			for i, l := range ll {
-				if l.Addr().Network() == "tcp" {
-					ll[i] = tls.NewListener(l, tlsConfig)
-				}
-			}
-		}
-	}
-
-	return listeners, err
-}

vendor/github.com/coreos/go-systemd/v22/activation/packetconns.go

@@ -1,38 +0,0 @@
-// Copyright 2015 CoreOS, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package activation
-
-import (
-	"net"
-)
-
-// PacketConns returns a slice containing a net.PacketConn for each matching socket type
-// passed to this process.
-//
-// The order of the file descriptors is preserved in the returned slice.
-// Nil values are used to fill any gaps. For example if systemd were to return file descriptors
-// corresponding with "udp, tcp, udp", then the slice would contain {net.PacketConn, nil, net.PacketConn}
-func PacketConns() ([]net.PacketConn, error) {
-	files := Files(true)
-	conns := make([]net.PacketConn, len(files))
-
-	for i, f := range files {
-		if pc, err := net.FilePacketConn(f); err == nil {
-			conns[i] = pc
-			f.Close()
-		}
-	}
-	return conns, nil
-}

vendor/modules.txt

@@ -28,7 +28,6 @@ github.com/cilium/ebpf/link
 github.com/containerd/console
 # github.com/coreos/go-systemd/v22 v22.6.0
 ## explicit; go 1.23
-github.com/coreos/go-systemd/v22/activation
 github.com/coreos/go-systemd/v22/dbus
 # github.com/cpuguy83/go-md2man/v2 v2.0.7
 ## explicit; go 1.12