Using array to build sub-tests is to avoid random pick. The shuffle
thing should be handled by go-test framework. And we should capture
range var before runing sub-test.
Signed-off-by: Wei Fu <fuweid89@gmail.com>
Using array to build sub-tests is to avoid random pick. The shuffle
thing should be handled by go-test framework. And we should capture
range var before runing sub-test.
Signed-off-by: Wei Fu <fuweid89@gmail.com>
Commit cab056226f removed the tryReadonlyMounts
utility, in favor of mounts.ReadOnlyMounts() that was added in commit
daa3a7665e.
That change made part of the comment redundant, because mounts.ReadOnlyMounts
handles both overlayfs read-only mounts (by skipping the workdir mounts), and
sets the "ro" option for other mount-types, but the reason why we're using a
read-only mount is still relevant, so restoring that part of the comment.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.6
full diff: https://github.com/opencontainers/runc/compare/v1.1.5...v1.1.6
This is the sixth patch release in the 1.1.z series of runc, which fixes
a series of cgroup-related issues.
Note that this release can no longer be built from sources using Go
1.16. Using a latest maintained Go 1.20.x or Go 1.19.x release is
recommended. Go 1.17 can still be used.
- systemd cgroup v1 and v2 drivers were deliberately ignoring UnitExist error
from systemd while trying to create a systemd unit, which in some scenarios
may result in a container not being added to the proper systemd unit and
cgroup.
- systemd cgroup v2 driver was incorrectly translating cpuset range from spec's
resources.cpu.cpus to systemd unit property (AllowedCPUs) in case of more
than 8 CPUs, resulting in the wrong AllowedCPUs setting.
- systemd cgroup v1 driver was prefixing container's cgroup path with the path
of PID 1 cgroup, resulting in inability to place PID 1 in a non-root cgroup.
- runc run/start may return "permission denied" error when starting a rootless
container when the file to be executed does not have executable bit set for
the user, not taking the CAP_DAC_OVERRIDE capability into account. This is
a regression in runc 1.1.4, as well as in Go 1.20 and 1.20.1
- cgroup v1 drivers are now aware of misc controller.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
add the new testgrid dashboard information into the release doc
and readme so that it can act as CI signal for a containerd release
Signed-off-by: Akhil Mohan <akhilerm@gmail.com>
We need support in containerd and the OCI runtime to use idmap mounts.
Let's just throw an error for now if the kubelet requests some mounts
with mappings.
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
We will use this in future commits to see if the kubelet requested idmap
mounts for volumes, that we don't yet support.
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
Currently if you're using the shim-mode sandbox server support, if your
shim that's hosting the Sandbox API dies for any reason that wasn't
intentional (segfault, oom etc.) PodSandboxStatus is kind of wedged.
We can use the fact that if we didn't go through the usual k8s flow
of Stop->Remove and we still have an entry in our sandbox store,
us not having a shim mapping anymore means this was likely unintentional.
Signed-off-by: Danny Canter <danny@dcantah.dev>
- Rename test name
- Add a tag to the container image used in the tests instead of the latest tag
- Add a 5 second delay between container start and stop to ensure that the
container is fully initialized
Signed-off-by: Kirtana Ashok <Kirtana.Ashok@microsoft.com>
The latest setup-go action caches the Go pkg cache and may have several
minute-per-run speed improvement on CI runs which have to fill the
pkg cache.
Signed-off-by: Phil Estes <estesp@amazon.com>
This makes it possible to check whether content didn't actually need to
be pushed to the remote registry and was cross-repo mounted or already
existed.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
RunWithPrivileges() will enable privileges will lock a thread, change
privileges, and run the function passed in, within that thread. This
allows us to limit the scope in which we enable privileges and avoids
accidentally enabling privileges in threads that should never have them.
Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
It seems that in certain situations, like having the containerd root
and state on a file system hosted on a mounted VHDX, we need
SeSecurityPrivilege when opening a file with winio.ACCESS_SYSTEM_SECURITY.
This happens in the base layer writer in hcsshim when adding a new file.
Enabling SeSecurityPrivilege allows the containerd root to be hosted on
a vhdx.
Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
Avoid using sleep as a way to measure whether gc has occurred.
Some systems may pause execution of the test and cause a failure if
the gc thread has not yet run after the sleep in the main thread.
Signed-off-by: Derek McGowan <derek@mcg.dev>
