Import Debian changes 1.1.12+ds1-ok1

runc (1.1.12+ds1-ok1) nile; urgency=medium

  * Build for openKylin.

debian/.gitlab-ci.yml

@@ -0,0 +1,37 @@
+---
+# https://docs.gitlab.com/ce/ci/yaml/#include
+include:
+  - remote: https://salsa.debian.org/onlyjob/ci/raw/master/onlyjob-ci.yml
+
+## "amd64-unstable" always runs by default followed by lintian.
+
+## Only for arch:all packages - remove if not required:
+binary-indep:
+  extends: .build-indep
+
+## Job to check Build-Depends versioning:
+amd64-testing_unstable:
+  extends: .build
+  variables:
+    arch: amd64
+    dist: testing_unstable
+
+i386-unstable:
+  extends: .build
+  variables:
+    arch: i386
+    dist: unstable
+
+amd64-experimental:
+  extends: .build
+  variables:
+    arch: amd64
+    dist: experimental
+
+amd64-stable:
+  extends: .build
+  when: manual
+  allow_failure: true
+  variables:
+    arch: amd64
+    dist: stable

debian/changelog

@@ -0,0 +1,5 @@
+runc (1.1.12+ds1-ok1) nile; urgency=medium
+
+  * Build for openKylin.
+
+ -- Luoyaoming <Luoyaoming@kylinos.cn>  Tue, 30 Apr 2024 18:13:03 +0800

debian/control

@@ -0,0 +1,82 @@
+Source: runc
+Section: admin
+Priority: optional
+Standards-Version: 4.6.2
+Maintainer: openKylin Developers <packaging@lists.openkylin.top>
+XSBC-Original-Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
+Uploaders: Alexandre Viau <aviau@debian.org>,
+           Dmitry Smirnov <onlyjob@debian.org>,
+           Tim Potter <tpot@hpe.com>,
+Build-Depends: debhelper-compat (= 13),
+               dh-golang,
+               go-md2man,
+               golang-any,
+               golang-dbus-dev,
+               golang-github-checkpoint-restore-go-criu-dev (>= 6),
+               golang-github-cilium-ebpf-dev (>= 0.6.2~),
+               golang-github-containerd-console-dev,
+               golang-github-coreos-go-systemd-dev (>= 22.3.2~),
+               golang-github-cyphar-filepath-securejoin-dev,
+               golang-github-docker-go-units-dev (>= 0.4.0~),
+               golang-github-moby-sys-dev (>= 0.0~git20201113.5a29239~),
+               golang-github-mrunalp-fileutils-dev (>= 0.5.1~),
+               golang-github-opencontainers-selinux-dev (>= 1.8.0~),
+               golang-github-opencontainers-specs-dev (>= 1.0.2.66~),
+               golang-github-seccomp-libseccomp-golang-dev (>= 0.10.0~),
+               golang-github-sirupsen-logrus-dev,
+               golang-github-urfave-cli-dev (>= 1.22.9~),
+               golang-github-vishvananda-netlink-dev,
+               golang-gocapability-dev (>= 0.0+git20200815~),
+               golang-golang-x-net-dev,
+               golang-google-protobuf-dev,
+               pkgconf,
+Homepage: https://github.com/opencontainers/runc
+Vcs-Git: https://salsa.debian.org/go-team/packages/runc.git
+Vcs-Browser: https://salsa.debian.org/go-team/packages/runc
+XS-Go-Import-Path: github.com/opencontainers/runc
+Rules-Requires-Root: no
+Testsuite: autopkgtest-pkg-go
+
+Package: runc
+Build-Profiles: <pkg.runc.with-bin>
+Architecture: any
+Depends: ${misc:Depends},
+         ${shlibs:Depends},
+Built-Using: ${misc:Built-Using},
+Recommends: criu,
+            ${misc:Recommends},
+Description: Open Container Project - runtime
+ "runc" is a command line client for running applications packaged according
+ to the Open Container Format (OCF) and is a compliant implementation of
+ the Open Container Project specification.
+
+Package: golang-github-opencontainers-runc-dev
+Architecture: all
+Section: golang
+Depends: golang-dbus-dev,
+         golang-github-checkpoint-restore-go-criu-dev (>= 6),
+         golang-github-cilium-ebpf-dev (>= 0.6.2~),
+         golang-github-containerd-console-dev,
+         golang-github-coreos-go-systemd-dev (>= 22.3.2~),
+         golang-github-cyphar-filepath-securejoin-dev,
+         golang-github-docker-go-units-dev (>= 0.4.0~),
+         golang-github-moby-sys-dev (>= 0.0~git20201113.5a29239~),
+         golang-github-mrunalp-fileutils-dev (>= 0.5.1~),
+         golang-github-opencontainers-selinux-dev (>= 1.8.0~),
+         golang-github-opencontainers-specs-dev (>= 1.0.2.66~),
+         golang-github-seccomp-libseccomp-golang-dev (>= 0.10.0~),
+         golang-github-sirupsen-logrus-dev,
+         golang-github-urfave-cli-dev (>= 1.22.9~),
+         golang-github-vishvananda-netlink-dev,
+         golang-gocapability-dev (>= 0.0+git20200815~),
+         golang-golang-x-net-dev,
+         golang-google-protobuf-dev,
+         ${misc:Depends},
+Breaks: podman (<< 2.0.4+dfsg2-5~),
+Description: Open Container Project - development files
+ "runc" is a command line client for running applications packaged according
+ to the Open Container Format (OCF) and is a compliant implementation of
+ the Open Container Project specification.
+ .
+ This package provides development files formerly known as
+ "github.com/docker/libcontainer".

debian/copyright

@@ -0,0 +1,52 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: runc
+Source: https://github.com/opencontainers/runc
+Files-Excluded: vendor
+
+Files: *
+Copyright:
+    2012-2015 Docker, Inc.
+    2019      Aleksa Sarai <cyphar@cyphar.com>
+    2019      SUSE LLC
+License: Apache-2.0
+
+Files: debian/*
+Copyright:
+    2015      Alexandre Viau <alexandre@alexandreviau.net>
+    2015-2019 Dmitry Smirnov <onlyjob@debian.org>
+License: GPL-3+
+
+Files: debian/patches/*
+Copyright: 2015 Dmitry Smirnov <onlyjob@debian.org>
+License: GPL-3+ or Apache-2.0
+Comment: patches can be licensed under the same terms as upstream.
+
+License: Apache-2.0
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+ .
+ http://www.apache.org/licenses/LICENSE-2.0
+ .
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ .
+ The complete text of the Apache version 2.0 license
+ can be found in "/usr/share/common-licenses/Apache-2.0".
+
+License: GPL-3+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+ ․
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU General Public License for more details.
+ ․
+ The complete text of the GNU General Public License version 3
+ can be found in "/usr/share/common-licenses/GPL-3".

debian/gbp.conf

@@ -0,0 +1,2 @@
+[DEFAULT]
+pristine-tar = True

debian/gitlab-ci.yml

@@ -0,0 +1,6 @@
+# auto-generated, DO NOT MODIFY.
+# The authoritative copy of this file lives at:
+# https://salsa.debian.org/go-team/infra/pkg-go-tools/blob/master/config/gitlabciyml.go
+---
+include:
+  - https://salsa.debian.org/go-team/infra/pkg-go-tools/-/raw/master/pipeline/test-archive.yml

debian/golang-github-opencontainers-runc-dev.docs

@@ -0,0 +1 @@
+NOTICE

debian/golang-github-opencontainers-runc-dev.install

@@ -0,0 +1 @@
+usr/share/gocode/src

debian/patches/0001-skip-test-hugetlb_test.go.patch

@@ -0,0 +1,49 @@
+From: Dmitry Smirnov <onlyjob@debian.org>
+Date: Sun, 15 Nov 2020 21:42:16 +0800
+Subject: skip test: hugetlb_test.go
+
+Random failures on ppc64el, s390x
+
+Last-Update: 2018-09-27
+Forwarded: not-needed
+Bug-Upstream: https://github.com/opencontainers/runc/issues/1822
+---
+ libcontainer/cgroups/fs/hugetlb_test.go | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/libcontainer/cgroups/fs/hugetlb_test.go b/libcontainer/cgroups/fs/hugetlb_test.go
+index 17b4945..8836dbe 100644
+--- a/libcontainer/cgroups/fs/hugetlb_test.go
++++ b/libcontainer/cgroups/fs/hugetlb_test.go
+@@ -115,6 +115,7 @@ func TestHugetlbRStatsRsvd(t *testing.T) {
+ }
+ 
+ func TestHugetlbStatsNoUsageFile(t *testing.T) {
++	t.Skip("Disabled unreliable test")
+ 	path := tempDir(t, "hugetlb")
+ 	writeFileContents(t, path, map[string]string{
+ 		maxUsage: hugetlbMaxUsageContents,
+@@ -129,6 +130,7 @@ func TestHugetlbStatsNoUsageFile(t *testing.T) {
+ }
+ 
+ func TestHugetlbStatsNoMaxUsageFile(t *testing.T) {
++	t.Skip("Disabled unreliable test")
+ 	path := tempDir(t, "hugetlb")
+ 	for _, pageSize := range cgroups.HugePageSizes() {
+ 		writeFileContents(t, path, map[string]string{
+@@ -145,6 +147,7 @@ func TestHugetlbStatsNoMaxUsageFile(t *testing.T) {
+ }
+ 
+ func TestHugetlbStatsBadUsageFile(t *testing.T) {
++	t.Skip("Disabled unreliable test")
+ 	path := tempDir(t, "hugetlb")
+ 	for _, pageSize := range cgroups.HugePageSizes() {
+ 		writeFileContents(t, path, map[string]string{
+@@ -162,6 +165,7 @@ func TestHugetlbStatsBadUsageFile(t *testing.T) {
+ }
+ 
+ func TestHugetlbStatsBadMaxUsageFile(t *testing.T) {
++	t.Skip("Disabled unreliable test")
+ 	path := tempDir(t, "hugetlb")
+ 	writeFileContents(t, path, map[string]string{
+ 		usage:    hugetlbUsageContents,

debian/patches/0002-skip-privileged-test-factory_linux_test.go.patch

@@ -0,0 +1,30 @@
+From: Dmitry Smirnov <onlyjob@debian.org>
+Date: Sun, 15 Nov 2020 21:42:17 +0800
+Subject: skip privileged test: factory_linux_test.go
+
+Last-Update: 2018-06-15
+Forwarded: not-needed
+---
+ libcontainer/factory_linux_test.go | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libcontainer/factory_linux_test.go b/libcontainer/factory_linux_test.go
+index 47f3069..2ced7f0 100644
+--- a/libcontainer/factory_linux_test.go
++++ b/libcontainer/factory_linux_test.go
+@@ -38,6 +38,7 @@ func TestFactoryNew(t *testing.T) {
+ }
+ 
+ func TestFactoryNewTmpfs(t *testing.T) {
++	t.Skip("DM - skipping privileged test")
+ 	root := t.TempDir()
+ 	factory, err := New(root, TmpfsRoot)
+ 	if err != nil {
+@@ -99,6 +100,7 @@ func TestFactoryLoadNotExists(t *testing.T) {
+ }
+ 
+ func TestFactoryLoadContainer(t *testing.T) {
++	t.Skip("DM - skipping privileged test")
+ 	root := t.TempDir()
+ 	// setup default container config and state for mocking
+ 	var (

debian/patches/0003-skip-privileged-test-nsenter_test.go.patch

@@ -0,0 +1,18 @@
+From: Shengjing Zhu <zhsj@debian.org>
+Date: Sat, 23 Jan 2021 22:25:59 +0800
+Subject: skip privileged test: nsenter_test.go
+
+---
+ libcontainer/nsenter/nsenter_test.go | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libcontainer/nsenter/nsenter_test.go b/libcontainer/nsenter/nsenter_test.go
+index 0cbf0aa..44556b3 100644
+--- a/libcontainer/nsenter/nsenter_test.go
++++ b/libcontainer/nsenter/nsenter_test.go
+@@ -1,3 +1,5 @@
++// +build ignore
++
+ package nsenter
+ 
+ import (

debian/patches/0004-skip-test-cgroups_test.go.patch

@@ -0,0 +1,21 @@
+From: Shengjing Zhu <zhsj@debian.org>
+Date: Sat, 23 Jan 2021 22:29:01 +0800
+Subject: skip test: cgroups_test.go
+
+Fail when cgroups is not mounted
+---
+ libcontainer/cgroups/cgroups_test.go | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libcontainer/cgroups/cgroups_test.go b/libcontainer/cgroups/cgroups_test.go
+index b31412f..90b69ee 100644
+--- a/libcontainer/cgroups/cgroups_test.go
++++ b/libcontainer/cgroups/cgroups_test.go
+@@ -5,6 +5,7 @@ import (
+ )
+ 
+ func TestParseCgroups(t *testing.T) {
++	t.Skip("need to mount cgroupfs")
+ 	cgroups, err := ParseCgroupFile("/proc/self/cgroup")
+ 	if err != nil {
+ 		t.Fatal(err)

debian/patches/0005-skip-integration-when-no-dev-kmsg.patch

@@ -0,0 +1,24 @@
+From: Shengjing Zhu <zhsj@debian.org>
+Date: Thu, 4 Feb 2021 17:35:38 +0800
+Subject: skip integration when no /dev/kmsg
+
+By default, privileged lxc container doesn't have /dev/kmsg
+---
+ tests/integration/dev.bats | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/tests/integration/dev.bats b/tests/integration/dev.bats
+index 2433157..e7c91c7 100644
+--- a/tests/integration/dev.bats
++++ b/tests/integration/dev.bats
+@@ -73,6 +73,10 @@ function teardown() {
+ @test "runc run [device cgroup allow rw char device]" {
+ 	requires root
+ 
++	if [[ ! -c /dev/kmsg ]]; then
++		skip "no /dev/kmsg"
++	fi
++
+ 	update_config ' .linux.resources.devices = [{"allow": false, "access": "rwm"},{"allow": true, "type": "c", "major": 1, "minor": 11, "access": "rw"}]
+ 			| .linux.devices = [{"path": "/dev/kmsg", "type": "c", "major": 1, "minor": 11}]
+ 			| .process.args |= ["sh"]

debian/patches/0006-skip-test-paths_test.go.patch

@@ -0,0 +1,29 @@
+From: Shengjing Zhu <zhsj@debian.org>
+Date: Wed, 15 Dec 2021 01:14:52 +0800
+Subject: skip test: paths_test.go
+
+Fail when cgroups is not mounted
+---
+ libcontainer/cgroups/fs/paths_test.go | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libcontainer/cgroups/fs/paths_test.go b/libcontainer/cgroups/fs/paths_test.go
+index 3a4d45f..2a77f6d 100644
+--- a/libcontainer/cgroups/fs/paths_test.go
++++ b/libcontainer/cgroups/fs/paths_test.go
+@@ -10,6 +10,7 @@ import (
+ )
+ 
+ func TestInvalidCgroupPath(t *testing.T) {
++	t.Skip("need to mount cgroupfs")
+ 	if cgroups.IsCgroup2UnifiedMode() {
+ 		t.Skip("cgroup v2 is not supported")
+ 	}
+@@ -91,6 +92,7 @@ func TestInvalidCgroupPath(t *testing.T) {
+ }
+ 
+ func TestTryDefaultCgroupRoot(t *testing.T) {
++	t.Skip("need to mount cgroupfs")
+ 	res := tryDefaultCgroupRoot()
+ 	exp := defaultCgroupRoot
+ 	if cgroups.IsCgroup2UnifiedMode() {

debian/patches/0007-skip-test-manager_test.go.patch

@@ -0,0 +1,21 @@
+From: Shengjing Zhu <zhsj@debian.org>
+Date: Wed, 15 Dec 2021 01:16:00 +0800
+Subject: skip test: manager_test.go
+
+Fail when cgroups is not mounted
+---
+ libcontainer/cgroups/manager/manager_test.go | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libcontainer/cgroups/manager/manager_test.go b/libcontainer/cgroups/manager/manager_test.go
+index 6f0c070..fe07a47 100644
+--- a/libcontainer/cgroups/manager/manager_test.go
++++ b/libcontainer/cgroups/manager/manager_test.go
+@@ -14,6 +14,7 @@ import (
+ // This tests either v1 or v2 fs cgroup manager, depending on which
+ // cgroup version is available.
+ func TestNilResources(t *testing.T) {
++	t.Skip("need to mount cgroupfs")
+ 	testNilResources(t, false)
+ }
+ 

debian/patches/0008-tests-enable-seccomp-default-action-tests-on-arm.patch

@@ -0,0 +1,59 @@
+From: Shengjing Zhu <zhsj@debian.org>
+Date: Mon, 20 Jun 2022 13:14:25 +0800
+Subject: tests: enable seccomp default action tests on arm
+
+Signed-off-by: Shengjing Zhu <zhsj@debian.org>
+
+Forwarded: https://github.com/opencontainers/runc/pull/3525
+---
+ tests/integration/seccomp.bats | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/tests/integration/seccomp.bats b/tests/integration/seccomp.bats
+index e81beca..c24eeb2 100644
+--- a/tests/integration/seccomp.bats
++++ b/tests/integration/seccomp.bats
+@@ -43,8 +43,8 @@ function teardown() {
+ 			| .process.noNewPrivileges = false
+ 			| .linux.seccomp = {
+ 				"defaultAction":"SCMP_ACT_ALLOW",
+-				"architectures":["SCMP_ARCH_X86","SCMP_ARCH_X32"],
+-				"syscalls":[{"names":["mkdir"], "action":"SCMP_ACT_ERRNO"}]
++				"architectures":["SCMP_ARCH_X86","SCMP_ARCH_X32","SCMP_ARCH_X86_64","SCMP_ARCH_AARCH64","SCMP_ARCH_ARM"],
++				"syscalls":[{"names":["mkdir","mkdirat"], "action":"SCMP_ACT_ERRNO"}]
+ 			}'
+ 
+ 	runc run test_busybox
+@@ -57,8 +57,8 @@ function teardown() {
+ 			| .process.noNewPrivileges = false
+ 			| .linux.seccomp = {
+ 				"defaultAction":"SCMP_ACT_ALLOW",
+-				"architectures":["SCMP_ARCH_X86","SCMP_ARCH_X32"],
+-				"syscalls":[{"names":["mkdir"], "action":"SCMP_ACT_ERRNO", "errnoRet": 100}]
++				"architectures":["SCMP_ARCH_X86","SCMP_ARCH_X32","SCMP_ARCH_X86_64","SCMP_ARCH_AARCH64","SCMP_ARCH_ARM"],
++				"syscalls":[{"names":["mkdir","mkdirat"], "action":"SCMP_ACT_ERRNO", "errnoRet": 100}]
+ 			}'
+ 
+ 	runc run test_busybox
+@@ -71,8 +71,8 @@ function teardown() {
+ 			| .process.noNewPrivileges = false
+ 			| .linux.seccomp = {
+ 				"defaultAction":"SCMP_ACT_ALLOW",
+-				"architectures":["SCMP_ARCH_X86","SCMP_ARCH_X32"],
+-				"syscalls":[{"names":["mkdir"], "action":"SCMP_ACT_KILL"}]
++				"architectures":["SCMP_ARCH_X86","SCMP_ARCH_X32","SCMP_ARCH_X86_64","SCMP_ARCH_AARCH64","SCMP_ARCH_ARM"],
++				"syscalls":[{"names":["mkdir","mkdirat"], "action":"SCMP_ACT_KILL"}]
+ 			}'
+ 
+ 	runc run test_busybox
+@@ -84,8 +84,8 @@ function teardown() {
+ 	update_config '   .process.args = ["/bin/true"]
+ 			| .linux.seccomp = {
+ 				"defaultAction":"SCMP_ACT_ALLOW",
+-				"architectures":["SCMP_ARCH_X86","SCMP_ARCH_X32"],
+-				"syscalls":[{"names":["mkdir"], "action":"SCMP_ACT_KILL"}]
++				"architectures":["SCMP_ARCH_X86","SCMP_ARCH_X32","SCMP_ARCH_X86_64","SCMP_ARCH_AARCH64","SCMP_ARCH_ARM"],
++				"syscalls":[{"names":["mkdir","mkdirat"], "action":"SCMP_ACT_KILL"}]
+ 			}
+ 			| .hooks = {
+ 				"startContainer": [ {

debian/patches/0009-skip-test-file_test.go.patch

@@ -0,0 +1,22 @@
+From: Shengjing Zhu <zhsj@debian.org>
+Date: Wed, 29 Mar 2023 17:30:22 +0800
+Subject: skip test: file_test.go
+
+Fail when cgroups is not mounted
+---
+ libcontainer/cgroups/file_test.go | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libcontainer/cgroups/file_test.go b/libcontainer/cgroups/file_test.go
+index 94f1a99..98cae47 100644
+--- a/libcontainer/cgroups/file_test.go
++++ b/libcontainer/cgroups/file_test.go
+@@ -41,6 +41,8 @@ func TestWriteCgroupFileHandlesInterrupt(t *testing.T) {
+ }
+ 
+ func TestOpenat2(t *testing.T) {
++	t.Skip("need to mount cgroupfs")
++
+ 	if !IsCgroup2UnifiedMode() {
+ 		// The reason is many test cases below test opening files from
+ 		// the top-level directory, where cgroup v1 has no files.

debian/patches/0010-export-blockIODevice.patch

@@ -0,0 +1,45 @@
+From: cdoern <cdoern@redhat.com>
+Date: Sat, 27 Aug 2022 18:23:47 +0800
+Subject: export blockIODevice
+
+the struct blockIODevice is used in an exported struct but it is not itself exported rendering that type inaccessible to
+outside projects
+
+Signed-off-by: cdoern <cdoern@redhat.com>
+---
+ libcontainer/configs/blkio_device.go | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/libcontainer/configs/blkio_device.go b/libcontainer/configs/blkio_device.go
+index fa195bf..865344f 100644
+--- a/libcontainer/configs/blkio_device.go
++++ b/libcontainer/configs/blkio_device.go
+@@ -2,8 +2,8 @@ package configs
+ 
+ import "fmt"
+ 
+-// blockIODevice holds major:minor format supported in blkio cgroup
+-type blockIODevice struct {
++// BlockIODevice holds major:minor format supported in blkio cgroup.
++type BlockIODevice struct {
+ 	// Major is the device's major number
+ 	Major int64 `json:"major"`
+ 	// Minor is the device's minor number
+@@ -12,7 +12,7 @@ type blockIODevice struct {
+ 
+ // WeightDevice struct holds a `major:minor weight`|`major:minor leaf_weight` pair
+ type WeightDevice struct {
+-	blockIODevice
++	BlockIODevice
+ 	// Weight is the bandwidth rate for the device, range is from 10 to 1000
+ 	Weight uint16 `json:"weight"`
+ 	// LeafWeight is the bandwidth rate for the device while competing with the cgroup's child cgroups, range is from 10 to 1000, cfq scheduler only
+@@ -41,7 +41,7 @@ func (wd *WeightDevice) LeafWeightString() string {
+ 
+ // ThrottleDevice struct holds a `major:minor rate_per_second` pair
+ type ThrottleDevice struct {
+-	blockIODevice
++	BlockIODevice
+ 	// Rate is the IO rate limit per cgroup per device
+ 	Rate uint64 `json:"rate"`
+ }

debian/patches/0011-Bump-go-criu-to-v6.patch

@@ -0,0 +1,142 @@
+From: Shengjing Zhu <zhsj@debian.org>
+Date: Sun, 5 Nov 2023 15:32:57 +0800
+Subject: Bump go-criu to v6
+
+---
+ checkpoint.go                   |  2 +-
+ go.mod                          |  9 ++++-----
+ go.sum                          | 19 ++++++++++++-------
+ libcontainer/container_linux.go |  4 ++--
+ libcontainer/criu_opts_linux.go |  2 +-
+ 5 files changed, 20 insertions(+), 16 deletions(-)
+
+diff --git a/checkpoint.go b/checkpoint.go
+index 32a62a8..bcd2819 100644
+--- a/checkpoint.go
++++ b/checkpoint.go
+@@ -8,7 +8,7 @@ import (
+ 	"path/filepath"
+ 	"strconv"
+ 
+-	criu "github.com/checkpoint-restore/go-criu/v5/rpc"
++	criu "github.com/checkpoint-restore/go-criu/v6/rpc"
+ 	"github.com/opencontainers/runc/libcontainer"
+ 	"github.com/opencontainers/runc/libcontainer/userns"
+ 	"github.com/opencontainers/runtime-spec/specs-go"
+diff --git a/go.mod b/go.mod
+index f51b643..bf75be8 100644
+--- a/go.mod
++++ b/go.mod
+@@ -3,7 +3,7 @@ module github.com/opencontainers/runc
+ go 1.17
+ 
+ require (
+-	github.com/checkpoint-restore/go-criu/v5 v5.3.0
++	github.com/checkpoint-restore/go-criu/v6 v6.3.0
+ 	github.com/cilium/ebpf v0.7.0
+ 	github.com/containerd/console v1.0.3
+ 	github.com/coreos/go-systemd/v22 v22.3.2
+@@ -22,12 +22,11 @@ require (
+ 	github.com/vishvananda/netlink v1.1.0
+ 	golang.org/x/net v0.8.0
+ 	golang.org/x/sys v0.6.0
+-	google.golang.org/protobuf v1.27.1
++	google.golang.org/protobuf v1.28.1
+ )
+ 
+ require (
+-	github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d // indirect
+-	github.com/russross/blackfriday/v2 v2.0.1 // indirect
+-	github.com/shurcooL/sanitized_anchor_name v1.0.0 // indirect
++	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
++	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+ 	github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df // indirect
+ )
+diff --git a/go.sum b/go.sum
+index ecabd39..f47124c 100644
+--- a/go.sum
++++ b/go.sum
+@@ -1,14 +1,15 @@
+ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+-github.com/checkpoint-restore/go-criu/v5 v5.3.0 h1:wpFFOoomK3389ue2lAb0Boag6XPht5QYpipxmSNL4d8=
+-github.com/checkpoint-restore/go-criu/v5 v5.3.0/go.mod h1:E/eQpaFtUKGOOSEBZgmKAcn+zUUwWxqcaKZlF54wK8E=
++github.com/checkpoint-restore/go-criu/v6 v6.3.0 h1:mIdrSO2cPNWQY1truPg6uHLXyKHk3Z5Odx4wjKOASzA=
++github.com/checkpoint-restore/go-criu/v6 v6.3.0/go.mod h1:rrRTN/uSwY2X+BPRl/gkulo9gsKOSAeVp9/K2tv7xZI=
+ github.com/cilium/ebpf v0.7.0 h1:1k/q3ATgxSXRdrmPfH8d7YK0GfqVsEKZAX9dQZvs56k=
+ github.com/cilium/ebpf v0.7.0/go.mod h1:/oI2+1shJiTGAMgl6/RgJr36Eo1jzrRcAWbcXO2usCA=
+ github.com/containerd/console v1.0.3 h1:lIr7SlA5PxZyMV30bDW0MGbiOPXwc63yRuCP0ARubLw=
+ github.com/containerd/console v1.0.3/go.mod h1:7LqA/THxQ86k76b8c/EMSiaJ3h1eZkMkXar0TQ1gf3U=
+ github.com/coreos/go-systemd/v22 v22.3.2 h1:D9/bQk5vlXQFZ6Kwuu6zaiXJ9oTPe68++AzAJc1DzSI=
+ github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
+-github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d h1:U+s90UTSYgptZMwQh2aRr3LuazLJIa+Pg3Kc1ylSYVY=
+ github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
++github.com/cpuguy83/go-md2man/v2 v2.0.2 h1:p1EgwI/C7NhT0JmVkwCD2ZBK8j4aeHQX2pMHHBfMQ6w=
++github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+ github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
+ github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
+ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+@@ -24,6 +25,7 @@ github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaS
+ github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+ github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU=
+ github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
++github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
+ github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI=
+ github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+@@ -39,14 +41,16 @@ github.com/opencontainers/selinux v1.10.0 h1:rAiKF8hTcgLI3w0DHm6i0ylVVcOrlgR1kK9
+ github.com/opencontainers/selinux v1.10.0/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI=
+ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+-github.com/russross/blackfriday/v2 v2.0.1 h1:lPqVAte+HuHNfhJ/0LC98ESWRz8afy9tM/0RK8m9o+Q=
+ github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
++github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
++github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+ github.com/seccomp/libseccomp-golang v0.9.2-0.20220502022130-f33da4d89646 h1:RpforrEYXWkmGwJHIGnLZ3tTWStkjVVstwzNGqxX2Ds=
+ github.com/seccomp/libseccomp-golang v0.9.2-0.20220502022130-f33da4d89646/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg=
+-github.com/shurcooL/sanitized_anchor_name v1.0.0 h1:PdmoCO6wvbs+7yrJyMORt4/BmY5IYyJwS/kOiWx8mHo=
+ github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
+ github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE=
+ github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
++github.com/spf13/cobra v1.5.0/go.mod h1:dWXEIy2H428czQCjInthrTRUg7yKbok+2Qi/yBIJoUM=
++github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+ github.com/stretchr/testify v1.2.2 h1:bSDNvY7ZPG5RlJ8otE/7V6gMiyenm9RtJ7IUVIAoJ1w=
+ github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+ github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtseVEc4yCz2qF8ZrQvIDBJLl4S1c3GCXmoI=
+@@ -102,7 +106,8 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
+ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
+ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+ google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
+-google.golang.org/protobuf v1.27.1 h1:SnqbnDw1V7RiZcXPx5MEeqPv2s79L9i7BJUlG/+RurQ=
+-google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
++google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w=
++google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+ gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
++gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
+index 40b332f..616b3ad 100644
+--- a/libcontainer/container_linux.go
++++ b/libcontainer/container_linux.go
+@@ -17,8 +17,8 @@ import (
+ 	"sync"
+ 	"time"
+ 
+-	"github.com/checkpoint-restore/go-criu/v5"
+-	criurpc "github.com/checkpoint-restore/go-criu/v5/rpc"
++	"github.com/checkpoint-restore/go-criu/v6"
++	criurpc "github.com/checkpoint-restore/go-criu/v6/rpc"
+ 	securejoin "github.com/cyphar/filepath-securejoin"
+ 	"github.com/opencontainers/runtime-spec/specs-go"
+ 	"github.com/sirupsen/logrus"
+diff --git a/libcontainer/criu_opts_linux.go b/libcontainer/criu_opts_linux.go
+index b39476e..6b0cfb8 100644
+--- a/libcontainer/criu_opts_linux.go
++++ b/libcontainer/criu_opts_linux.go
+@@ -1,6 +1,6 @@
+ package libcontainer
+ 
+-import criu "github.com/checkpoint-restore/go-criu/v5/rpc"
++import criu "github.com/checkpoint-restore/go-criu/v6/rpc"
+ 
+ type CriuPageServerInfo struct {
+ 	Address string // IP address of CRIU page server

debian/patches/series

@@ -0,0 +1,11 @@
+0001-skip-test-hugetlb_test.go.patch
+0002-skip-privileged-test-factory_linux_test.go.patch
+0003-skip-privileged-test-nsenter_test.go.patch
+0004-skip-test-cgroups_test.go.patch
+0005-skip-integration-when-no-dev-kmsg.patch
+0006-skip-test-paths_test.go.patch
+0007-skip-test-manager_test.go.patch
+0008-tests-enable-seccomp-default-action-tests-on-arm.patch
+0009-skip-test-file_test.go.patch
+0010-export-blockIODevice.patch
+0011-Bump-go-criu-to-v6.patch

debian/rules

@@ -0,0 +1,20 @@
+#!/usr/bin/make -f
+
+include /usr/share/dpkg/pkg-info.mk
+
+export DH_GOLANG_EXCLUDES      := libcontainer/integration contrib/cmd
+
+TAGS    := seccomp urfave_cli_no_docs
+LDFLAGS := -X main.version=$(DEB_VERSION_UPSTREAM) -X main.gitCommit=$(DEB_VERSION)
+
+%:
+	dh $@ --buildsystem=golang --with=golang --builddirectory=_build
+
+execute_after_dh_auto_build:
+	cd man && ./md2man-all.sh
+
+override_dh_auto_build:
+	dh_auto_build -- -tags "$(TAGS)" -ldflags "$(LDFLAGS)"
+
+override_dh_auto_test:
+	dh_auto_test -- -tags "$(TAGS)"

debian/runc.clean

@@ -0,0 +1 @@
+man/*/*.8

debian/runc.docs

@@ -0,0 +1,3 @@
+NOTICE
+README.md
+docs/*.md

debian/runc.install

@@ -0,0 +1,2 @@
+contrib/completions/bash/runc /usr/share/bash-completion/completions/
+usr/bin/*    /usr/sbin/

debian/runc.links

@@ -0,0 +1 @@
+usr/sbin/runc usr/bin/runc

debian/runc.lintian-overrides

@@ -0,0 +1 @@
+runc: spelling-error-in-binary

debian/runc.manpages

@@ -0,0 +1 @@
+man/man8/*.8

debian/source/format

@@ -0,0 +1 @@
+3.0 (quilt)

debian/tests/checkpoint

@@ -0,0 +1,8 @@
+#!/bin/sh
+
+ln -sf /usr/sbin/runc runc
+export GOPATH=/tmp/gopath
+export GOCACHE=/tmp/gocache
+go mod vendor
+make recvtty
+script -e -c 'bats -t tests/integration/checkpoint.bats'

debian/tests/integration

@@ -0,0 +1,8 @@
+#!/bin/sh
+
+ln -sf /usr/sbin/runc runc
+export GOPATH=/tmp/gopath
+export GOCACHE=/tmp/gocache
+go mod vendor
+make recvtty seccompagent
+script -e -c 'bats -t tests/integration'

debian/upstream/metadata

@@ -0,0 +1,4 @@
+---
+Bug-Database: https://github.com/opencontainers/runc/issues
+Bug-Submit: https://github.com/opencontainers/runc/issues/new
+Repository-Browse: https://github.com/opencontainers/runc

debian/watch

@@ -0,0 +1,7 @@
+version=4
+
+opts="uversionmangle=s/-rc/~rc/, \
+  dversionmangle=auto, \
+  repacksuffix=+ds1" \
+https://github.com/opencontainers/runc/tags \
+(?:.*?/)v?@ANY_VERSION@\.tar\.gz