Set the process personality early to ensure it takes effect before
seccomp is initialized. If seccomp filters are applied first and they
block personality-related system calls (e.g., `personality(2)`),
subsequent attempts to set the personality will fail.
Signed-off-by: lifubang <lifubang@acmcoder.com>
The main benefit here is when we are using a systemd cgroup driver,
we actually ask systemd to add a PID, rather than doing it ourselves.
This way, we can add rootless exec PID to a cgroup.
This requires newer opencontainers/cgroups and coreos/go-systemd.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Remove cgroupPaths field from struct setnsProcess, because:
- we can get base cgroup paths from p.manager.GetPaths();
- we can get sub-cgroup paths from p.process.SubCgroupPaths.
But mostly because we are going to need separate cgroup paths when
adopting cgroups.AddPid.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This fixes the following warning (seen on Fedora 42 and Ubuntu 24.04):
+ sudo chown -R rootless.rootless /home/rootless
chown: warning: '.' should be ':': ‘rootless.rootless’
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
When a non–page-aligned value is written to memory.max, the kernel aligns it
down to the nearest page boundary. On systems with a page size greater
than 4K (e.g., 64K), this caused failures because the configured
memory.max value was not 64K aligned.
This patch fixes the issue by explicitly aligning the memory.max value
to 64K. Since 64K is also a multiple of 4K, the value is correctly
aligned on both 4K and 64K page size systems.
However, this approach will still fail on systems where the hardcoded
memory.max value is not aligned to the system page size.
Fixes: https://github.com/opencontainers/runc/issues/4841
Signed-off-by: Vishal Chourasia <vishalc@linux.ibm.com>
Signed-off-by: Donet Tom <donettom@linux.ibm.com>
Implement support for the linux.intelRdt.schemata field of the spec.
This allows management of the "schemata" file in the resctrl group in a
generic way.
Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
These sysctls are all per-userns (termed `ucounts` in the kernel code) are
settable with CAP_SYS_RESOURCE in the user namespace.
Signed-off-by: Tycho Andersen <tycho@tycho.pizza>
libcontainer/user was marked as deprecated in d9ea71bf96 ("deprecate
libcontainer/user") and users have had plenty of time to migrate to
github.com/moby/sys/user.
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Modernize tool [1] basically ensures that the new language features and
packages are used across the code.
The reason to run it in CI is to ensure that
- PR authors use modern code;
- our code is modern whether we bump Go version in go.mod.
Shove it into go-fix job which already does a similar thing
but for 'go-fix' and rename the whole job to modernize.
[1]: https://pkg.go.dev/golang.org/x/tools/gopls/internal/analysis/modernize
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
In these cases, omitempty doesn't really work so it is useless,
but omitzero actually works.
As a result, output of `runc events` may omit these fields if all they
contain are zeroes.
NOTE this might be a breaking change.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Now that Go 1.25 is out, let's switch to go 1.24.0 as a minimally
supported version, drop Go 1.23 and add Go 1.25 to CI matrix.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
1. In case runc binary file name is not runc, the test fails like
below. The fix is to get the binary name from $RUNC.
✗ runc command -h
(in test file tests/integration/help.bats, line 27)
`[[ ${lines[1]} =~ runc\ checkpoint+ ]]' failed
runc-go1.25.0-main checkpoint -h (status=0):
NAME:
runc-go1.25.0-main checkpoint - checkpoint a running container
2. Simplify the test by adding a loop for all commands. While at it, add
a loop for -h --help as well.
3. Add missing commands (create, ps, features).
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
The setup in selinux.bats assumes $RUNC binary name ends in runc, and
thus it fails when we run it like this:
sudo -E RUNC=$(pwd)/runc.patched bats tests/integration/selinux.bats
Fix is easy.
Fixes: b39781b06 ("tests/int: add selinux test case")
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
