Until we merge cncf/cncf-fuzzing into this repository (see #7066),
we should keep this step optional.
Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
In addition to oss-fuzz's CIFuzz (see #7052), this commit adds a small
shell script that run all fuzzing tests with go test -fuzz.
While running for 30 seconds would be too short to acutally find issues,
we want to make sure that these fuzzing tests are not fundamentally
broken.
Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
After the switch to MinGW 11.2.0 in #6888, the containerd client
integration tests were crashing with an apparent memory allocation
error as described in golang/go#46099.
This patch reverts MinGW to 10.3.0 to bypass the issue.
Signed-off-by: Nashwan Azhari <nazhari@cloudbasesolutions.com>
All containers except the pause container, mount `/dev/shm" with flags
`nosuid,nodev,noexec`. So change mount options for pause container to
keep consistence.
This also helps to solve issues of failing to mount `/dev/shm` when
pod/container level user namespace is enabled.
Fixes: #6911
Signed-off-by: Jiang Liu <gerry@linux.alibaba.com>
Signed-off-by: Lei Wang <wllenyj@linux.alibaba.com>
This's an optimization to get rid of redundant `/dev/shm" mounts for pause container.
In `oci.defaultMounts`, there is a default `/dev/shm` mount which is redundant for
pause container.
Fixes: #6911
Signed-off-by: Jiang Liu <gerry@linux.alibaba.com>
Signed-off-by: Lei Wang <wllenyj@linux.alibaba.com>
Different tar(1) implementations default to different input and output
locations when none is specified. This can include tape devices like
/dev/st0 (on Linux) or /dev/sa0 (on FreeBSD), but may be overridden by
compilation options or environment variables. Using the f option with
the special value of - instructs tar(1) to read from stdin and write to
stdout instead of the default.
Signed-off-by: Samuel Karp <me@samuelkarp.com>
The TestPodAnnotationPassthroughContainerSpec test and the
TestContainerAnnotationPassthroughContainerSpec test both depend on a
platform-specific implementation of criService.containerSpec, which is
unimplemented on FreeBSD.
The TestSandboxContainerSpec depends on a platform-specific
implementation oc criService.sandboxContainerSpec, which is
unimplemented on FreeBSD.
Signed-off-by: Samuel Karp <me@samuelkarp.com>
Mount options are marked `json:omitempty`. An empty slice in the default
object caused TestWithSpecFromFile to fail.
Signed-off-by: Samuel Karp <me@samuelkarp.com>
Calling link(2) with a symlink as the target will cause FreeBSD to
attempt to create a new hard link pointing to the target of the symlink
rather than a hardlink to the symlink itself. By contrast, Linux creates
a hardlink to the symlink.
Use linkat(2) instead, which accepts a flag controlling this behavior.
If linkat(2) is called with AT_SYMLINK_FOLLOW, it will behave the same
as link(2). If linkat(2) is called without AT_SYMLINK_FOLLOW, it will
behave the same as Linux's link(2) instead.
See FreeBSD's implementation of ln(1), which uses linkat(2) and controls
this behavior by way of the -P and -L flags:
3003117253/bin/ln/ln.c (L342-L343)
Signed-off-by: Samuel Karp <me@samuelkarp.com>
full diff: https://github.com/opencontainers/runc/compare/v1.1.2...v1.1.3
This is the third release of the 1.1.z series of runc, and contains
various minor improvements and bugfixes.
- Our seccomp `-ENOSYS` stub now correctly handles multiplexed syscalls on
s390 and s390x. This solves the issue where syscalls the host kernel did not
support would return `-EPERM` despite the existence of the `-ENOSYS` stub
code (this was due to how s390x does syscall multiplexing).
- Retry on dbus disconnect logic in libcontainer/cgroups/systemd now works as
intended; this fix does not affect runc binary itself but is important for
libcontainer users such as Kubernetes.
- Inability to compile with recent clang due to an issue with duplicate
constants in libseccomp-golang.
- When using systemd cgroup driver, skip adding device paths that don't exist,
to stop systemd from emitting warnings about those paths.
- Socket activation was failing when more than 3 sockets were used.
- Various CI fixes.
- Allow to bind mount `/proc/sys/kernel/ns_last_pid` to inside container.
- runc static binaries are now linked against libseccomp v2.5.4.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
