This is to ensure that our CI is not rotting away even if there are no
new PRs or merges. This is especially useful for release branches
which tend to cease working over time due to some external reasons.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
When we run CI not on a pull request, the commit job is skipped; as a
result, all-done is also skipped.
To allow all-done to succeed, modify the commit job to succeed for
non-PRs.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Commit 874207492 neglects to update the exclusion rules when bumping Go
releases, and so we no longer exclude running on actuated with an older Go
release, or running with criu-dev with an older Go release.
Fixes: 874207492 ("CI: add Go 1.24, drop go1.22")
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Instead of providing systemd CPU quota value (CPUQuotaPerSec),
calculate it based on how opencontainers/cgroups/systemd handles
it (see addCPUQuota).
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
To not accidentally break `go install`, let's add CI to check it. If in
the future we need those directives, we can remove the CI check.
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
We already have the indirect require for 1.17.3, that comes from
opencontainers/cgroups [1]. That module requires that version as a minimum, so
go can't use older versions. We can just remove the excludes.
There might be cases where people can use runc as a dependency and use
replace to override it (not sure, but probably). We were clear on what
our dependencies are, so we can sleep fine. In the unlikely case that
some project uses runc as a dependency and:
* Uses a replace for cilium v0.17.x but not the latest patch release (0.17.3 is fixed)
* they run with 32 bits
* and hit this (that didn't always happen on CI)
* Ignore the changelog for 0.17.3 that mentions the buffer overflow on
32-bit platforms [2].
In that case, if we have a bug report, we can point them to the right
place. But 0.17.3 was released for some months now (most people probably
update) and 0.18.0 was released recently. I wouldn't worry about someone
hitting this in real life.
Also, the excludes directives prevent go install from working, so let's
just remove them.
[1]: 9657f5a18b/go.mod (L6)
[2]: https://github.com/cilium/ebpf/releases/tag/v0.17.3
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
For some reason, launchpad.net is frequently giving us Gateway Timeout.
Let's retry adding the ppa once to mitigate that.
(The alternative is not to install criu and thus run criu-related unit
tests on i386 -- this might actually be better).
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This ensures that if runc is built without the provided Makefile, the
version is still properly set.
No change in the output.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Instead of setting cli.App.Version in main, let's set up
cli.VersionPrinter. This way, we only get various versions
when needed.
Note it does not change the output of runc --version.
It changes the output of runc --help though, and I think it's for the
better.
Before this patch:
> $ runc help
> ...
> USAGE:
> runc [global options] command [command options] [arguments...]
>
> VERSION:
> 1.3.0-rc.1+dev
> commit: v1.3.0-rc.1-93-g932e8342
> spec: 1.2.1
> go: go1.24.2
> libseccomp: 2.5.5
>
> COMMANDS:
> checkpoint checkpoint a running container
> ...
After:
> $ runc help
> ...
> USAGE:
> runc [global options] command [command options] [arguments...]
>
> VERSION:
> 1.3.0-rc.1+dev
>
> COMMANDS:
> checkpoint checkpoint a running container
> ...
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
While debugging an issue involving failing mounts, I discovered that
just returning the plain mount error message when we are in the fallback
code for handling locked mounts leads to unnecessary confusion.
It also doesn't help that podman currently forcefully sets "rw" on
mounts, which means that rootless containers are likely to hit the
locked mounts issue fairly often.
So we should improve our error messages to explain why the mount is
failing in the locked flags case.
Fixes: 7c71a22705 ("rootfs: remove --no-mount-fallback and finally fix MS_REMOUNT")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
When reading mount errors, it is quite hard to make sense of mount flags
in their hex form. As this is the error path, the minor performance
impact of constructing a string is probably not worth hyper-optimising.
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
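As an added illustration of the two commits above (the locked-mount error path, and rendering mount flags as names instead of hex), written for this page and not runc's own code: a small Go helper that prints mount flags by name and, when a remount inside a user namespace would clear one of the flags the kernel locks on inherited mounts (MNT_LOCK_READONLY/NOSUID/NODEV/NOEXEC, which is kernel knowledge beyond what the commit message states), says so in the error. The flag values are defined locally, and the /run/host path and the podman-style "rw" remount case are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// mount(2) flag values from <linux/mount.h>, defined locally so this builds on any platform.
const (
	MS_RDONLY, MS_NOSUID, MS_NODEV, MS_NOEXEC = 0x1, 0x2, 0x4, 0x8
	MS_REMOUNT, MS_NOATIME, MS_BIND, MS_REC   = 0x20, 0x400, 0x1000, 0x4000
	// Flags a user namespace may not clear from an inherited mount (kernel MNT_LOCK_READONLY/NOSUID/NODEV/NOEXEC).
	lockedMask = MS_RDONLY | MS_NOSUID | MS_NODEV | MS_NOEXEC
)

// Known flag names in ascending bit order, so the rendered string is stable.
var flagNames = []struct {
	bit  uintptr
	name string
}{
	{MS_RDONLY, "MS_RDONLY"}, {MS_NOSUID, "MS_NOSUID"}, {MS_NODEV, "MS_NODEV"}, {MS_NOEXEC, "MS_NOEXEC"},
	{MS_REMOUNT, "MS_REMOUNT"}, {MS_NOATIME, "MS_NOATIME"}, {MS_BIND, "MS_BIND"}, {MS_REC, "MS_REC"},
}

// FlagString renders a bitmask as e.g. "MS_RDONLY|MS_BIND|0x80000000": known flags by name, leftover bits as hex.
func FlagString(flags uintptr) string {
	var parts []string
	for _, f := range flagNames {
		if flags&f.bit != 0 {
			parts = append(parts, f.name)
			flags &^= f.bit
		}
	}
	if flags != 0 || len(parts) == 0 {
		parts = append(parts, fmt.Sprintf("0x%x", flags))
	}
	return strings.Join(parts, "|")
}

// ClearedLockedFlags returns the locked flags set on the source mount that a remount
// to want would drop; a non-zero result means the kernel refuses the remount with EPERM.
func ClearedLockedFlags(source, want uintptr) uintptr {
	return (source &^ want) & lockedMask
}

// RemountError wraps the bare mount error with readable flags and, in the locked-mount
// case, names the flags that could not be cleared and why.
func RemountError(dest string, source, want uintptr, err error) error {
	if c := ClearedLockedFlags(source, want); c != 0 {
		return fmt.Errorf("remount %s (%s): %w: mount is locked, cannot clear %s inherited from the parent mount namespace", dest, FlagString(want), err, FlagString(c))
	}
	return fmt.Errorf("remount %s (%s): %w", dest, FlagString(want), err)
}
```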
For some reason, ssh-keygen is unable to write to /root even as root on
AlmaLinux 8:
# id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0
# id -Z
ls -ld /root
# ssh-keygen -t ecdsa -N "" -f /root/rootless.key || cat /var/log/audit/audit.log
Saving key "/root/rootless.key" failed: Permission denied
The audit.log shows:
> type=AVC msg=audit(1744834995.352:546): avc: denied { dac_override } for pid=13471 comm="ssh-keygen" capability=1 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:system_r:ssh_keygen_t:s0 tclass=capability permissive=0
> type=SYSCALL msg=audit(1744834995.352:546): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5641c7587520 a2=241 a3=180 items=0 ppid=4978 pid=13471 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)␝ARCH=x86_64 SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
A workaround is to use /root/.ssh directory instead of just /root.
While at it, let's unify rootless user and key setup into a single place.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
We are seeing a ton of flakes on the almalinux-8 CI job, all caused by criu's
inability to freeze a cgroup. This was worked around in criu [1], but
obviously we can't rely on a distro vendor to update the package.
Let's use a copr (thanks to Adrian Reber!)
[1]: https://github.com/checkpoint-restore/criu/pull/2545
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
The colon after "Error:" caused actionlint to report an error on a map in a
context where a map is not allowed.
Signed-off-by: Antti Kervinen <antti.kervinen@intel.com>