From bb2401eeefd240b3ae334c00468b1f97ab9f9f09 Mon Sep 17 00:00:00 2001 From: Kir Kolyshkin Date: Tue, 8 Aug 2023 18:31:23 -0700 Subject: [PATCH 01/11] [1.1] ci/cirrus: use Go 1.20 Signed-off-by: Kir Kolyshkin --- .cirrus.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.cirrus.yml b/.cirrus.yml index 6c67763dc54..48252761ba7 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -77,7 +77,7 @@ task: env: HOME: /root CIRRUS_WORKING_DIR: /home/runc - GO_VERSION: "1.19.8" + GO_VERSION: "1.20" BATS_VERSION: "v1.9.0" RPMS: gcc git iptables jq glibc-static libseccomp-devel make criu fuse-sshfs # yamllint disable rule:key-duplicates From ecccc4329cff94555fa6bbf500f23163d057caa0 Mon Sep 17 00:00:00 2001 From: Kir Kolyshkin Date: Wed, 5 Apr 2023 10:03:58 -0700 Subject: [PATCH 02/11] [1.1] ci/cirrus: use Go 1.19.x not 1.19 [XXX 1.1 note: the above subject and the rest of the commit message is the original description from the cherry-picked commit which talks about 1.19 -- while in fact it is now 1.20.] This variable is used in curl to download a go release, so we are using the initial Go 1.19 release in Cirrus CI, not the latest Go 1.19.x release. From the CI perspective, it makes more sense to use the latest release. Add some jq magic to extract the latest minor release information from the download page, and use it. This brings Cirrus CI jobs logic in line with all the others (GHA, Dockerfile), where by 1.20 we actually mean "latest 1.20.x". Signed-off-by: Kir Kolyshkin (cherry picked from commit 873d7bb3a3a135398228f6ad48f527cba69393d9) Signed-off-by: Kir Kolyshkin --- .cirrus.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.cirrus.yml b/.cirrus.yml index 48252761ba7..8100ece1319 100644 --- a/.cirrus.yml +++ b/.cirrus.yml 
@@ -130,7 +130,10 @@ task: # Use --whatprovides since some packages are renamed. rpm -q --whatprovides $RPMS # install Go - curl -fsSL "https://dl.google.com/go/go${GO_VERSION}.linux-amd64.tar.gz" | tar Cxz /usr/local + PREFIX="https://go.dev/dl/" + # Find out the latest minor release URL. + eval $(curl -fsSL "${PREFIX}?mode=json" | jq -r --arg Ver "$GO_VERSION" '.[] | select(.version | startswith("go\($Ver)")) | .files[] | select(.os == "linux" and .arch == "amd64" and .kind == "archive") | "filename=\"" + .filename + "\""') + curl -fsSL "$PREFIX$filename" | tar Cxz /usr/local # install bats cd /tmp git clone https://github.com/bats-core/bats-core From ac310917d530e823dcfe7c1d0523f77fcadbce24 Mon Sep 17 00:00:00 2001 From: Kir Kolyshkin Date: Wed, 5 Apr 2023 15:56:30 -0700 Subject: [PATCH 03/11] ci/cirrus: improve host_info 1. Do not use echo, as this results in lines like this: ... echo "-----" ----- ... 2. Move "cat /proc/cpuinfo" to be the last one, as the output is usually very long. 3. Add "go version" to CentOS jobs. Signed-off-by: Kir Kolyshkin (cherry picked from commit fd1a79ffc8c6c0a5c682df2c54184d9f2636fe45) Signed-off-by: Kir Kolyshkin --- .cirrus.yml | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/.cirrus.yml b/.cirrus.yml index 8100ece1319..cfd238f154e 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -31,12 +31,12 @@ task: host_info_script: | uname -a - echo "-----" + # ----- cat /etc/os-release - echo "-----" - cat /proc/cpuinfo - echo "-----" + # ----- df -T + # ----- + cat /proc/cpuinfo install_libvirt_vagrant_script: | curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list 
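Review bot: The `eval $(curl … | jq …)` line in the "install Go" step runs text assembled from a remotely fetched JSON field as shell code, and the archive it names is then piped straight into `tar` with no integrity check. A plain read of the `jq -r` output removes the `eval`, and the same JSON carries a `sha256` value per file that `sha256sum -c` can verify before extraction. That check catches a corrupted or truncated download but not a compromised origin, since hash and archive come from the same host. If no release matches `$GO_VERSION`, `filename` stays empty and the second `curl` requests the index URL itself, so the sketch below selects one entry explicitly and lets `jq -e` fail when there is none. The surrounding script block starts and ends outside the hunk.

```yaml
# install Go
PREFIX="https://go.dev/dl/"
cd /tmp
# First matching release, written as a "SHA256  FILENAME" line for sha256sum -c.
curl -fsSL "${PREFIX}?mode=json" | jq -er --arg Ver "$GO_VERSION" 'first(.[] | select(.version | startswith("go\($Ver)")) | .files[] | select(.os == "linux" and .arch == "amd64" and .kind == "archive")) | "\(.sha256)  \(.filename)"' > go.sha256
filename=$(awk '{print $2}' go.sha256)
curl -fsSL -o "$filename" "$PREFIX$filename"
# Extract only after the digest matches.
sha256sum -c go.sha256 && tar -C /usr/local -xzf "$filename"
# … unchanged: install bats …
```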
@@ -161,14 +161,16 @@ task: systemctl restart sshd host_info_script: | uname -a - echo "-----" + # ----- + /usr/local/go/bin/go version + # ----- + systemctl --version + # ----- cat /etc/os-release - echo "-----" - cat /proc/cpuinfo - echo "-----" + # ----- df -T - echo "-----" - systemctl --version + # ----- + cat /proc/cpuinfo check_config_script: | /home/runc/script/check-config.sh unit_tests_script: | From 1c524242285a047781dd4114d342bf8d97c5d7f4 Mon Sep 17 00:00:00 2001 From: Kir Kolyshkin Date: Tue, 8 Aug 2023 18:44:33 -0700 Subject: [PATCH 04/11] [1.1] ci/gha: rm unsup Go 1.19.x, add 1.21.x Signed-off-by: Kir Kolyshkin --- .github/workflows/test.yml | 2 +- .github/workflows/validate.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index c93167e94a1..909c66f26e5 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -21,7 +21,7 @@ jobs: strategy: fail-fast: false matrix: - go-version: [1.17.x, 1.19.x, 1.20.x] + go-version: [1.17.x, 1.20.x, 1.21.x] rootless: ["rootless", ""] race: ["-race", ""] criu: [""] diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index c1ee2692d18..ad896973fa6 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -8,7 +8,7 @@ on: - release-* pull_request: env: - GO_VERSION: 1.19.x + GO_VERSION: 1.20.x jobs: keyring: From 37405ca009837fe573be45616ba6e1b698ef8b87 Mon Sep 17 00:00:00 2001 From: Kir Kolyshkin Date: Wed, 2 Aug 2023 18:54:43 -0700 Subject: [PATCH 05/11] Fix running tests under Docker/Podman and cgroup v2 For "make integration", the tests are run inside a Docker/Podman container. Problem is, if cgroup v2 is used, the in-container /sys/fs/cgroup/cgroup.subtree_control is empty. The added script, used as Docker entrypoint, moves the current process into a sub-cgroup, and then adds all controllers in top-level cgroup.subtree_control. 
Signed-off-by: Kir Kolyshkin (cherry picked from commit cfc801b7ed89555b5622bfc9a88ee731d0670e90) Signed-off-by: Kir Kolyshkin --- Dockerfile | 4 ++++ script/prepare-cgroup-v2.sh | 17 +++++++++++++++++ 2 files changed, 21 insertions(+) create mode 100755 script/prepare-cgroup-v2.sh diff --git a/Dockerfile b/Dockerfile index 8c4138b6dae..d24756bc1fc 100644 --- a/Dockerfile +++ b/Dockerfile @@ -62,3 +62,7 @@ ENV PKG_CONFIG_PATH=/opt/libseccomp/lib/pkgconfig RUN git config --global --add safe.directory /go/src/github.com/opencontainers/runc WORKDIR /go/src/github.com/opencontainers/runc + +# Fixup for cgroup v2. +COPY script/prepare-cgroup-v2.sh / +ENTRYPOINT [ "/prepare-cgroup-v2.sh" ] diff --git a/script/prepare-cgroup-v2.sh b/script/prepare-cgroup-v2.sh new file mode 100755 index 00000000000..886c550ec46 --- /dev/null +++ b/script/prepare-cgroup-v2.sh @@ -0,0 +1,17 @@ +#!/bin/bash +# +# This script is used from ../Dockerfile as the ENTRYPOINT. It sets up cgroup +# delegation for cgroup v2 to make sure runc tests can be properly run inside +# a container. + +# Only do this for cgroup v2. +if [ -f /sys/fs/cgroup/cgroup.controllers ]; then + set -x + # Move the current process to a sub-cgroup. + mkdir /sys/fs/cgroup/init + echo 0 >/sys/fs/cgroup/init/cgroup.procs + # Enable all controllers. + sed 's/\b\w/+\0/g' <"/sys/fs/cgroup/cgroup.controllers" >"/sys/fs/cgroup/cgroup.subtree_control" +fi + +exec "$@" From cff41a893ce72208a25b47ea6c376d4e08259e85 Mon Sep 17 00:00:00 2001 From: Kir Kolyshkin Date: Wed, 2 Aug 2023 20:13:03 -0700 Subject: [PATCH 06/11] ci: fix TestNilResources when systemd not available Split the test into two -- for fs and systemd cgroup managers, and only run the second one if systemd is available. Prevents the following failure during `make unittest`: > === RUN TestNilResources > manager_test.go:27: systemd not running on this host, cannot use systemd cgroups manager > --- FAIL: TestNilResources (0.22s) 
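Review bot: Nothing in prepare-cgroup-v2.sh stops on failure, so if `mkdir /sys/fs/cgroup/init` or either write fails, `exec "$@"` still starts the tests with delegation only partly set up. `mkdir` also fails when the directory already exists, for example if the entrypoint runs a second time in the same cgroup; `mkdir -p /sys/fs/cgroup/init` avoids that. If the setup is meant to be mandatory, `set -ex` in place of `set -x` makes the failure visible at the entrypoint; if best-effort is intended, a comment saying so would help. The `sed` expression relies on GNU extensions (`\b`, `\w`, `\0`), which deserves a one-line comment such as `# GNU sed: prefix every controller name with "+"`.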
Signed-off-by: Kir Kolyshkin (cherry picked from commit 962019d64e578be4fbd3a2b2ce5c9f19be7346c0) Signed-off-by: Kir Kolyshkin --- libcontainer/cgroups/manager/manager_test.go | 65 ++++++++++++-------- 1 file changed, 38 insertions(+), 27 deletions(-) diff --git a/libcontainer/cgroups/manager/manager_test.go b/libcontainer/cgroups/manager/manager_test.go index b53e6f1761e..6f0c0703a60 100644 --- a/libcontainer/cgroups/manager/manager_test.go +++ b/libcontainer/cgroups/manager/manager_test.go @@ -3,6 +3,7 @@ package manager import ( "testing" + "github.com/opencontainers/runc/libcontainer/cgroups/systemd" "github.com/opencontainers/runc/libcontainer/configs" ) 
@@ -10,35 +11,45 @@ import ( // config.Resources is nil. While it does not make sense to use a // manager with no resources, it should not result in a panic. // -// This tests either v1 or v2 managers (both fs and systemd), -// depending on what cgroup version is available on the host. +// This tests either v1 or v2 fs cgroup manager, depending on which +// cgroup version is available. func TestNilResources(t *testing.T) { - for _, sd := range []bool{false, true} { - cg := &configs.Cgroup{} // .Resources is nil - cg.Systemd = sd - mgr, err := New(cg) + testNilResources(t, false) +} + +// TestNilResourcesSystemd is the same as TestNilResources, +// only checking the systemd cgroup manager. +func TestNilResourcesSystemd(t *testing.T) { + if !systemd.IsRunningSystemd() { + t.Skip("requires systemd") + } + testNilResources(t, true) +} + +func testNilResources(t *testing.T, systemd bool) { + cg := &configs.Cgroup{} // .Resources is nil + cg.Systemd = systemd + mgr, err := New(cg) + if err != nil { + // Some managers require non-nil Resources during + // instantiation -- provide and retry. In such case + // we're mostly testing Set(nil) below. + cg.Resources = &configs.Resources{} + mgr, err = New(cg) if err != nil { - // Some managers require non-nil Resources during - // instantiation -- provide and retry. In such case - // we're mostly testing Set(nil) below. 
- cg.Resources = &configs.Resources{} - mgr, err = New(cg) - if err != nil { - t.Error(err) - continue - } + t.Fatal(err) } - _ = mgr.Apply(-1) - _ = mgr.Set(nil) - _ = mgr.Freeze(configs.Thawed) - _ = mgr.Exists() - _, _ = mgr.GetAllPids() - _, _ = mgr.GetCgroups() - _, _ = mgr.GetFreezerState() - _ = mgr.Path("") - _ = mgr.GetPaths() - _, _ = mgr.GetStats() - _, _ = mgr.OOMKillCount() - _ = mgr.Destroy() } + _ = mgr.Apply(-1) + _ = mgr.Set(nil) + _ = mgr.Freeze(configs.Thawed) + _ = mgr.Exists() + _, _ = mgr.GetAllPids() + _, _ = mgr.GetCgroups() + _, _ = mgr.GetFreezerState() + _ = mgr.Path("") + _ = mgr.GetPaths() + _, _ = mgr.GetStats() + _, _ = mgr.OOMKillCount() + _ = mgr.Destroy() } From 44a53f088c879a357c054408315ad10e6d859b11 Mon Sep 17 00:00:00 2001 From: Kir Kolyshkin Date: Wed, 2 Aug 2023 20:21:24 -0700 Subject: [PATCH 07/11] ci: fix TestOpenat2 when no systemd is used A few cases relied on the fact that systemd is used, and thus /sys/fs/cgroup/user.slice is available. Guess what, in case of "make unittest" it might not be. Signed-off-by: Kir Kolyshkin (cherry picked from commit 5c6b334c88f761dca933ca58cd221cf32327e943) Signed-off-by: Kir Kolyshkin --- libcontainer/cgroups/file_test.go | 2 -- 1 file changed, 2 deletions(-) diff --git a/libcontainer/cgroups/file_test.go b/libcontainer/cgroups/file_test.go index dc2b0630cde..94f1a99bff0 100644 --- a/libcontainer/cgroups/file_test.go +++ b/libcontainer/cgroups/file_test.go @@ -58,8 +58,6 @@ func TestOpenat2(t *testing.T) { {"/sys/fs/cgroup", "/cgroup.controllers"}, {"/sys/fs/cgroup/", "cgroup.controllers"}, {"/sys/fs/cgroup/", "/cgroup.controllers"}, - {"/sys/fs/cgroup/user.slice", "cgroup.controllers"}, - {"/sys/fs/cgroup/user.slice/", "/cgroup.controllers"}, {"/", "/sys/fs/cgroup/cgroup.controllers"}, {"/", "sys/fs/cgroup/cgroup.controllers"}, {"/sys/fs/cgroup/cgroup.controllers", ""}, From a47c15b4525252cd83467f16d8e156caa3ad06a9 Mon Sep 17 00:00:00 2001 
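Review bot: The `systemd bool` parameter of `testNilResources` in manager_test.go shadows the `systemd` package that this commit imports in the same file. It compiles because the helper never calls into the package, but any `systemd.` call added inside the helper later would resolve to the bool instead. Renaming avoids that: `func testNilResources(t *testing.T, useSystemd bool) {` with `cg.Systemd = useSystemd`. Since the helper calls `t.Fatal`, a `t.Helper()` as its first statement would attribute failures to the calling test.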
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 16 Mar 2023 05:11:04 +0000 Subject: [PATCH 08/11] build(deps): bump actions/setup-go from 3 to 4 Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3 to 4. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/v3...v4) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] (cherry picked from commit e3cf217cf1fa9248d153f1ebfbc456fe853bb180) Signed-off-by: Kir Kolyshkin --- .github/workflows/test.yml | 4 ++-- .github/workflows/validate.yml | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 909c66f26e5..dc12234b3f9 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -60,7 +60,7 @@ jobs: rm -rf ~/criu - name: install go ${{ matrix.go-version }} - uses: actions/setup-go@v3 + uses: actions/setup-go@v4 with: go-version: ${{ matrix.go-version }} @@ -119,7 +119,7 @@ jobs: sudo apt -q install libseccomp-dev libseccomp-dev:i386 gcc-multilib criu - name: install go - uses: actions/setup-go@v3 + uses: actions/setup-go@v4 with: go-version: 1.x # Latest stable diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index ad896973fa6..aaeb5cc113c 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -24,7 +24,7 @@ jobs: - uses: actions/checkout@v3 with: fetch-depth: 2 - - uses: actions/setup-go@v3 + - uses: actions/setup-go@v4 with: go-version: "${{ env.GO_VERSION }}" - name: install deps @@ -48,7 +48,7 @@ jobs: steps: - uses: actions/checkout@v3 - name: install go - uses: actions/setup-go@v3 + uses: actions/setup-go@v4 with: go-version: "${{ env.GO_VERSION }}" - name: compile with no build tags 
@@ -101,7 +101,7 @@ jobs: steps: - uses: actions/checkout@v3 - name: install go - uses: actions/setup-go@v3 + uses: actions/setup-go@v4 with: go-version: "${{ env.GO_VERSION }}" - name: cache go mod and $GOCACHE From 5888c55d75f5f15b1d8dcd322db1bf93315f4b45 Mon Sep 17 00:00:00 2001 From: Kir Kolyshkin Date: Mon, 10 Apr 2023 10:33:44 -0700 Subject: [PATCH 09/11] ci/gha: rm actions/cache from validate/deps job Since commit e3cf217cf1fa9248d153 actions/setup-go@v4 uses caching implicitly, so it is no longer required. Signed-off-by: Kir Kolyshkin (cherry picked from commit 083e9789b84ebd88ea15fc2a66b6eae2730f47c4) Signed-off-by: Kir Kolyshkin --- .github/workflows/validate.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index aaeb5cc113c..2c716fb755c 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -104,14 +104,6 @@ jobs: uses: actions/setup-go@v4 with: go-version: "${{ env.GO_VERSION }}" - - name: cache go mod and $GOCACHE - uses: actions/cache@v3 - with: - path: | - ~/go/pkg/mod - ~/.cache/go-build - key: ${{ runner.os }}-go.sum-${{ hashFiles('**/go.sum') }} - restore-keys: ${{ runner.os }}-go.sum- - name: verify deps run: make verify-dependencies From d398ad2a311040538ad810af441051727edd45d2 Mon Sep 17 00:00:00 2001 From: Kir Kolyshkin Date: Mon, 10 Apr 2023 12:26:42 -0700 Subject: [PATCH 10/11] gha: disable setup-go cache for golangci job Since commit e3cf217cf1fa9248d153 actions/setup-go@v4 uses caching implicitly, and olangci/golangci-lint-action also uses caching. These two caches clash, resulting in multiple warnings in CI logs. The official golangci-lint-action solution is to disable caching for setup-go job (see [1]). Do the same. [1] https://github.com/golangci/golangci-lint-action/pull/704 Signed-off-by: Kir Kolyshkin (cherry picked from commit 62cc13ea1abaa939e24c291d545059a1e8f12e3b) 
Signed-off-by: Kir Kolyshkin --- .github/workflows/validate.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 2c716fb755c..196d042b38b 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -27,6 +27,7 @@ jobs: - uses: actions/setup-go@v4 with: go-version: "${{ env.GO_VERSION }}" + cache: false # golangci-lint-action does its own caching - name: install deps run: | sudo apt -q update From bdbfe0425f8174fc8032998eb3dee4b411019841 Mon Sep 17 00:00:00 2001 From: Kir Kolyshkin Date: Wed, 28 Jun 2023 13:20:09 -0700 Subject: [PATCH 11/11] ci: bump golangci-lint, remove fixed exception The exception was fixed by https://github.com/polyfloyd/go-errorlint/pull/12 which eventually made its way into golangci-lint. Signed-off-by: Kir Kolyshkin (cherry picked from commit 98317c16ed1edb9405232662589fe704fff50641) Signed-off-by: Kir Kolyshkin --- .github/workflows/validate.yml | 2 +- libcontainer/user/user.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 196d042b38b..d97b1afe366 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -34,7 +34,7 @@ jobs: sudo apt -q install libseccomp-dev - uses: golangci/golangci-lint-action@v3 with: - version: v1.48 + version: v1.53 # Extra linters, only checking new code from a pull request. - name: lint-extra if: github.event_name == 'pull_request' diff --git a/libcontainer/user/user.go b/libcontainer/user/user.go index a1e216683d9..984466d1ab5 100644 --- a/libcontainer/user/user.go +++ b/libcontainer/user/user.go 
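Review bot: The `actions/setup-go@v4` step configured by the `cache: false` hunk is referenced by a mutable tag, so the code that runs in CI can change without any change in this repository. Pinning to a full commit SHA with the tag kept as a comment, `uses: actions/setup-go@<full-commit-sha> # v4`, fixes what is executed, and Dependabot can still propose updates. The same applies to `actions/checkout@v3` and `golangci/golangci-lint-action@v3`, visible in the neighbouring hunks of validate.yml. The `steps:` list starts and ends outside the hunk.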
@@ -201,7 +201,7 @@ func ParseGroupFilter(r io.Reader, filter func(Group) bool) ([]Group, error) { if err != nil { // We should return no error if EOF is reached // without a match. - if err == io.EOF { //nolint:errorlint // comparison with io.EOF is legit, https://github.com/polyfloyd/go-errorlint/pull/12 + if err == io.EOF { err = nil } return out, err