From cbd10e41a6093cc2eb596b199cca6a87c3d42bf4 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Thu, 27 Apr 2023 11:59:14 +0200 Subject: [PATCH 1/2] vendor: github.com/opencontainers/runc v1.1.6 release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.6 full diff: opencontainers/runc@v1.1.5...v1.1.6 This is the sixth patch release in the 1.1.z series of runc, which fixes a series of cgroup-related issues. Note that this release can no longer be built from sources using Go 1.16. Using a latest maintained Go 1.20.x or Go 1.19.x release is recommended. Go 1.17 can still be used. - systemd cgroup v1 and v2 drivers were deliberately ignoring UnitExist error from systemd while trying to create a systemd unit, which in some scenarios may result in a container not being added to the proper systemd unit and cgroup. - systemd cgroup v2 driver was incorrectly translating cpuset range from spec's resources.cpu.cpus to systemd unit property (AllowedCPUs) in case of more than 8 CPUs, resulting in the wrong AllowedCPUs setting. - systemd cgroup v1 driver was prefixing container's cgroup path with the path of PID 1 cgroup, resulting in inability to place PID 1 in a non-root cgroup. - runc run/start may return "permission denied" error when starting a rootless container when the file to be executed does not have executable bit set for the user, not taking the CAP_DAC_OVERRIDE capability into account. This is a regression in runc 1.1.4, as well as in Go 1.20 and 1.20.1 - cgroup v1 drivers are now aware of misc controller. Signed-off-by: Sebastiaan van Stijn --- go.mod | 2 +- go.sum | 5 ++--- integration/client/go.mod | 2 +- integration/client/go.sum | 4 ++-- .../opencontainers/runc/libcontainer/user/user.go | 14 +++++++------- vendor/modules.txt | 4 ++-- 6 files changed, 15 insertions(+), 16 deletions(-) diff --git a/go.mod b/go.mod index 859aaccd9..f9fe213a7 100644 --- a/go.mod +++ b/go.mod @@ -45,7 +45,7 @@ require ( github.com/moby/sys/symlink v0.2.0 github.com/opencontainers/go-digest v1.0.0 github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b - github.com/opencontainers/runc v1.1.5 + github.com/opencontainers/runc v1.1.6 github.com/opencontainers/runtime-spec v1.1.0-rc.1 github.com/opencontainers/runtime-tools v0.9.1-0.20221107090550-2e043c6bd626 github.com/opencontainers/selinux v1.11.0 diff --git a/go.sum b/go.sum index 186b3f6d3..8473437fb 100644 --- a/go.sum +++ b/go.sum @@ -783,8 +783,8 @@ github.com/opencontainers/runc v1.0.0-rc93/go.mod h1:3NOsor4w32B2tC0Zbl8Knk4Wg84 github.com/opencontainers/runc v1.0.2/go.mod h1:aTaHFFwQXuA71CiyxOdFFIorAoemI04suvGRQFzWTD0= github.com/opencontainers/runc v1.1.0/go.mod h1:Tj1hFw6eFWp/o33uxGf5yF2BX5yz2Z6iptFpuvbbKqc= github.com/opencontainers/runc v1.1.2/go.mod h1:Tj1hFw6eFWp/o33uxGf5yF2BX5yz2Z6iptFpuvbbKqc= -github.com/opencontainers/runc v1.1.5 h1:L44KXEpKmfWDcS02aeGm8QNTFXTo2D+8MYGDIJ/GDEs= -github.com/opencontainers/runc v1.1.5/go.mod h1:1J5XiS+vdZ3wCyZybsuxXZWGrgSr8fFJHLXuG2PsnNg= +github.com/opencontainers/runc v1.1.6 h1:XbhB8IfG/EsnhNvZtNdLB0GBw92GYEFvKlhaJk9jUgA= +github.com/opencontainers/runc v1.1.6/go.mod h1:CbUumNnWCuTGFukNXahoo/RFBZvDAgRh/smNYNOhA50= github.com/opencontainers/runtime-spec v0.1.2-0.20190507144316-5b71a03e2700/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-spec v1.0.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-spec v1.0.2-0.20190207185410-29686dbc5559/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= @@ -882,7 +882,6 @@ github.com/sclevine/spec v1.2.0/go.mod h1:W4J29eT/Kzv7/b9IWLB055Z+qvVC9vt0Arko24 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= github.com/seccomp/libseccomp-golang v0.9.1/go.mod h1:GbW5+tmTXfcxTToHLXlScSlAvWlF4P2Ca7zGrPiEpWo= github.com/seccomp/libseccomp-golang v0.9.2-0.20210429002308-3879420cc921/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg= -github.com/seccomp/libseccomp-golang v0.9.2-0.20220502022130-f33da4d89646/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg= github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= github.com/sirupsen/logrus v1.0.4-0.20170822132746-89742aefa4b2/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc= github.com/sirupsen/logrus v1.0.6/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc= diff --git a/integration/client/go.mod b/integration/client/go.mod index d2fa7c02c..453865f46 100644 --- a/integration/client/go.mod +++ b/integration/client/go.mod @@ -47,7 +47,7 @@ require ( github.com/moby/sys/mountinfo v0.6.2 // indirect github.com/moby/sys/sequential v0.5.0 // indirect github.com/moby/sys/signal v0.7.0 // indirect - github.com/opencontainers/runc v1.1.5 // indirect + github.com/opencontainers/runc v1.1.6 // indirect github.com/opencontainers/selinux v1.11.0 // indirect github.com/pelletier/go-toml v1.9.5 // indirect github.com/pkg/errors v0.9.1 // indirect diff --git a/integration/client/go.sum b/integration/client/go.sum index 972392a2e..2b76b928a 100644 --- a/integration/client/go.sum +++ b/integration/client/go.sum @@ -1179,8 +1179,8 @@ github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b h1 github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b/go.mod h1:3OVijpioIKYWTqjiG0zfF6wvoJ4fAXGbjdZuI2NgsRQ= github.com/opencontainers/runc v1.0.2/go.mod h1:aTaHFFwQXuA71CiyxOdFFIorAoemI04suvGRQFzWTD0= github.com/opencontainers/runc v1.1.2/go.mod h1:Tj1hFw6eFWp/o33uxGf5yF2BX5yz2Z6iptFpuvbbKqc= -github.com/opencontainers/runc v1.1.5 h1:L44KXEpKmfWDcS02aeGm8QNTFXTo2D+8MYGDIJ/GDEs= -github.com/opencontainers/runc v1.1.5/go.mod h1:1J5XiS+vdZ3wCyZybsuxXZWGrgSr8fFJHLXuG2PsnNg= +github.com/opencontainers/runc v1.1.6 h1:XbhB8IfG/EsnhNvZtNdLB0GBw92GYEFvKlhaJk9jUgA= +github.com/opencontainers/runc v1.1.6/go.mod h1:CbUumNnWCuTGFukNXahoo/RFBZvDAgRh/smNYNOhA50= github.com/opencontainers/runtime-spec v1.0.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-spec v1.0.2/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-spec v1.0.3-0.20200929063507-e6143ca7d51d/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= diff --git a/vendor/github.com/opencontainers/runc/libcontainer/user/user.go b/vendor/github.com/opencontainers/runc/libcontainer/user/user.go index 2473c5ead..a1e216683 100644 --- a/vendor/github.com/opencontainers/runc/libcontainer/user/user.go +++ b/vendor/github.com/opencontainers/runc/libcontainer/user/user.go @@ -280,13 +280,13 @@ func GetExecUserPath(userSpec string, defaults *ExecUser, passwdPath, groupPath // found in any entry in passwd and group respectively. // // Examples of valid user specifications are: -// * "" -// * "user" -// * "uid" -// * "user:group" -// * "uid:gid -// * "user:gid" -// * "uid:group" +// - "" +// - "user" +// - "uid" +// - "user:group" +// - "uid:gid +// - "user:gid" +// - "uid:group" // // It should be noted that if you specify a numeric user or group id, they will // not be evaluated as usernames (only the metadata will be filled). So attempting diff --git a/vendor/modules.txt b/vendor/modules.txt index f61b0925b..1cf8c4c90 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -339,8 +339,8 @@ github.com/opencontainers/go-digest/digestset github.com/opencontainers/image-spec/identity github.com/opencontainers/image-spec/specs-go github.com/opencontainers/image-spec/specs-go/v1 -# github.com/opencontainers/runc v1.1.5 -## explicit; go 1.16 +# github.com/opencontainers/runc v1.1.6 +## explicit; go 1.17 github.com/opencontainers/runc/libcontainer/devices github.com/opencontainers/runc/libcontainer/user # github.com/opencontainers/runtime-spec v1.1.0-rc.1 From 0ba0664742c79da8d8884101626598e7ac2b3618 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Thu, 27 Apr 2023 12:00:23 +0200 Subject: [PATCH 2/2] vendor: github.com/opencontainers/runc v1.1.7 release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.7 full diff: https://github.com/opencontainers/runc/compare/v1.1.6...v1.1.7 This is the seventh patch release in the 1.1.z release of runc, and is the last planned release of the 1.1.z series. It contains a fix for cgroup device rules with systemd when handling device rules for devices that don't exist (though for devices whose drivers don't correctly register themselves in the kernel -- such as the NVIDIA devices -- the full fix only works with systemd v240+). - When used with systemd v240+, systemd cgroup drivers no longer skip DeviceAllow rules if the device does not exist (a regression introduced in runc 1.1.3). This fix also reverts the workaround added in runc 1.1.5, removing an extra warning emitted by runc run/start. - The source code now has a new file, runc.keyring, which contains the keys used to sign runc releases. Signed-off-by: Sebastiaan van Stijn --- go.mod | 2 +- go.sum | 4 ++-- integration/client/go.mod | 2 +- integration/client/go.sum | 4 ++-- vendor/modules.txt | 2 +- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/go.mod b/go.mod index f9fe213a7..7ec5e092d 100644 --- a/go.mod +++ b/go.mod @@ -45,7 +45,7 @@ require ( github.com/moby/sys/symlink v0.2.0 github.com/opencontainers/go-digest v1.0.0 github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b - github.com/opencontainers/runc v1.1.6 + github.com/opencontainers/runc v1.1.7 github.com/opencontainers/runtime-spec v1.1.0-rc.1 github.com/opencontainers/runtime-tools v0.9.1-0.20221107090550-2e043c6bd626 github.com/opencontainers/selinux v1.11.0 diff --git a/go.sum b/go.sum index 8473437fb..04a8665bc 100644 --- a/go.sum +++ b/go.sum @@ -783,8 +783,8 @@ github.com/opencontainers/runc v1.0.0-rc93/go.mod h1:3NOsor4w32B2tC0Zbl8Knk4Wg84 github.com/opencontainers/runc v1.0.2/go.mod h1:aTaHFFwQXuA71CiyxOdFFIorAoemI04suvGRQFzWTD0= github.com/opencontainers/runc v1.1.0/go.mod h1:Tj1hFw6eFWp/o33uxGf5yF2BX5yz2Z6iptFpuvbbKqc= github.com/opencontainers/runc v1.1.2/go.mod h1:Tj1hFw6eFWp/o33uxGf5yF2BX5yz2Z6iptFpuvbbKqc= -github.com/opencontainers/runc v1.1.6 h1:XbhB8IfG/EsnhNvZtNdLB0GBw92GYEFvKlhaJk9jUgA= -github.com/opencontainers/runc v1.1.6/go.mod h1:CbUumNnWCuTGFukNXahoo/RFBZvDAgRh/smNYNOhA50= +github.com/opencontainers/runc v1.1.7 h1:y2EZDS8sNng4Ksf0GUYNhKbTShZJPJg1FiXJNH/uoCk= +github.com/opencontainers/runc v1.1.7/go.mod h1:CbUumNnWCuTGFukNXahoo/RFBZvDAgRh/smNYNOhA50= github.com/opencontainers/runtime-spec v0.1.2-0.20190507144316-5b71a03e2700/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-spec v1.0.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-spec v1.0.2-0.20190207185410-29686dbc5559/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= diff --git a/integration/client/go.mod b/integration/client/go.mod index 453865f46..0eeaee03a 100644 --- a/integration/client/go.mod +++ b/integration/client/go.mod @@ -47,7 +47,7 @@ require ( github.com/moby/sys/mountinfo v0.6.2 // indirect github.com/moby/sys/sequential v0.5.0 // indirect github.com/moby/sys/signal v0.7.0 // indirect - github.com/opencontainers/runc v1.1.6 // indirect + github.com/opencontainers/runc v1.1.7 // indirect github.com/opencontainers/selinux v1.11.0 // indirect github.com/pelletier/go-toml v1.9.5 // indirect github.com/pkg/errors v0.9.1 // indirect diff --git a/integration/client/go.sum b/integration/client/go.sum index 2b76b928a..8a30cab1c 100644 --- a/integration/client/go.sum +++ b/integration/client/go.sum @@ -1179,8 +1179,8 @@ github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b h1 github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b/go.mod h1:3OVijpioIKYWTqjiG0zfF6wvoJ4fAXGbjdZuI2NgsRQ= github.com/opencontainers/runc v1.0.2/go.mod h1:aTaHFFwQXuA71CiyxOdFFIorAoemI04suvGRQFzWTD0= github.com/opencontainers/runc v1.1.2/go.mod h1:Tj1hFw6eFWp/o33uxGf5yF2BX5yz2Z6iptFpuvbbKqc= -github.com/opencontainers/runc v1.1.6 h1:XbhB8IfG/EsnhNvZtNdLB0GBw92GYEFvKlhaJk9jUgA= -github.com/opencontainers/runc v1.1.6/go.mod h1:CbUumNnWCuTGFukNXahoo/RFBZvDAgRh/smNYNOhA50= +github.com/opencontainers/runc v1.1.7 h1:y2EZDS8sNng4Ksf0GUYNhKbTShZJPJg1FiXJNH/uoCk= +github.com/opencontainers/runc v1.1.7/go.mod h1:CbUumNnWCuTGFukNXahoo/RFBZvDAgRh/smNYNOhA50= github.com/opencontainers/runtime-spec v1.0.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-spec v1.0.2/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-spec v1.0.3-0.20200929063507-e6143ca7d51d/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= diff --git a/vendor/modules.txt b/vendor/modules.txt index 1cf8c4c90..2ad621313 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -339,7 +339,7 @@ github.com/opencontainers/go-digest/digestset github.com/opencontainers/image-spec/identity github.com/opencontainers/image-spec/specs-go github.com/opencontainers/image-spec/specs-go/v1 -# github.com/opencontainers/runc v1.1.6 +# github.com/opencontainers/runc v1.1.7 ## explicit; go 1.17 github.com/opencontainers/runc/libcontainer/devices github.com/opencontainers/runc/libcontainer/user