From b5361505a4f07f2f52b7e90bc9868c933465e349 Mon Sep 17 00:00:00 2001 
From: Luoyaoming Date: Tue, 30 Apr 2024 18:13:03 +0800 Subject: [PATCH] Import Debian changes 1.1.12+ds1-ok1 runc (1.1.12+ds1-ok1) nile; urgency=medium * Build for openKylin. --- debian/.gitlab-ci.yml | 37 +++++ debian/changelog | 5 + debian/control | 82 ++++++++++ debian/copyright | 52 +++++++ debian/gbp.conf | 2 + debian/gitlab-ci.yml | 6 + ...golang-github-opencontainers-runc-dev.docs | 1 + ...ang-github-opencontainers-runc-dev.install | 1 + .../0001-skip-test-hugetlb_test.go.patch | 49 ++++++ ...rivileged-test-factory_linux_test.go.patch | 30 ++++ ...skip-privileged-test-nsenter_test.go.patch | 18 +++ .../0004-skip-test-cgroups_test.go.patch | 21 +++ ...05-skip-integration-when-no-dev-kmsg.patch | 24 +++ .../0006-skip-test-paths_test.go.patch | 29 ++++ .../0007-skip-test-manager_test.go.patch | 21 +++ ...-seccomp-default-action-tests-on-arm.patch | 59 ++++++++ .../patches/0009-skip-test-file_test.go.patch | 22 +++ .../patches/0010-export-blockIODevice.patch | 45 ++++++ debian/patches/0011-Bump-go-criu-to-v6.patch | 142 ++++++++++++++++++ debian/patches/series | 11 ++ debian/rules | 20 +++ debian/runc.clean | 1 + debian/runc.docs | 3 + debian/runc.install | 2 + debian/runc.links | 1 + debian/runc.lintian-overrides | 1 + debian/runc.manpages | 1 + debian/source/format | 1 + debian/tests/checkpoint | 8 + debian/tests/integration | 8 + debian/upstream/metadata | 4 + debian/watch | 7 + 32 files changed, 714 insertions(+) create mode 100644 debian/.gitlab-ci.yml create mode 100644 debian/changelog create mode 100644 debian/control create mode 100644 debian/copyright create mode 100644 debian/gbp.conf create mode 100644 debian/gitlab-ci.yml create mode 100644 debian/golang-github-opencontainers-runc-dev.docs create mode 100644 debian/golang-github-opencontainers-runc-dev.install create mode 100644 debian/patches/0001-skip-test-hugetlb_test.go.patch create mode 100644 debian/patches/0002-skip-privileged-test-factory_linux_test.go.patch create mode 100644 
debian/patches/0003-skip-privileged-test-nsenter_test.go.patch create mode 100644 debian/patches/0004-skip-test-cgroups_test.go.patch create mode 100644 debian/patches/0005-skip-integration-when-no-dev-kmsg.patch create mode 100644 debian/patches/0006-skip-test-paths_test.go.patch create mode 100644 debian/patches/0007-skip-test-manager_test.go.patch create mode 100644 debian/patches/0008-tests-enable-seccomp-default-action-tests-on-arm.patch create mode 100644 debian/patches/0009-skip-test-file_test.go.patch create mode 100644 debian/patches/0010-export-blockIODevice.patch create mode 100644 debian/patches/0011-Bump-go-criu-to-v6.patch create mode 100644 debian/patches/series create mode 100755 debian/rules create mode 100644 debian/runc.clean create mode 100644 debian/runc.docs create mode 100644 debian/runc.install create mode 100644 debian/runc.links create mode 100644 debian/runc.lintian-overrides create mode 100644 debian/runc.manpages create mode 100644 debian/source/format create mode 100755 debian/tests/checkpoint create mode 100755 debian/tests/integration create mode 100644 debian/upstream/metadata create mode 100644 debian/watch diff --git a/debian/.gitlab-ci.yml b/debian/.gitlab-ci.yml new file mode 100644 index 0000000..e5cc022 --- /dev/null +++ b/debian/.gitlab-ci.yml 
@@ -0,0 +1,37 @@
+---
+# https://docs.gitlab.com/ce/ci/yaml/#include
+include:
+ - remote: https://salsa.debian.org/onlyjob/ci/raw/master/onlyjob-ci.yml
+
+## "amd64-unstable" always runs by default followed by lintian.
+
+## Only for arch:all packages - remove if not required:
+binary-indep:
+ extends: .build-indep
+
+## Job to check Build-Depends versioning:
+amd64-testing_unstable:
+ extends: .build
+ variables:
+ arch: amd64
+ dist: testing_unstable
+
+i386-unstable:
+ extends: .build
+ variables:
+ arch: i386
+ dist: unstable
+
+amd64-experimental:
+ extends: .build
+ variables:
+ arch: amd64
+ dist: experimental
+
+amd64-stable:
+ extends: .build
+ when: manual
+ allow_failure: true
+ variables:
+ arch: amd64
+ dist: stable
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..55098b5
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,5 @@
+runc (1.1.12+ds1-ok1) nile; urgency=medium
+
+ * Build for openKylin.
+
+ -- Luoyaoming Tue, 30 Apr 2024 18:13:03 +0800
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..1c36246
--- /dev/null
+++ b/debian/control
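Review bot: The `remote:` include in debian/.gitlab-ci.yml tracks the `master` branch of a personal Salsa namespace (`onlyjob/ci`), so the jobs this repository runs can change without any commit here, and anyone able to push to that branch controls what executes with this project's CI variables and runners. Pin the URL to a reviewed commit, `- remote: https://salsa.debian.org/onlyjob/ci/raw/<COMMIT_SHA_PLACEHOLDER>/onlyjob-ci.yml`, or copy the template into the tree. The generated debian/gitlab-ci.yml later in this patch includes `pkg-go-tools/-/raw/master/pipeline/test-archive.yml` the same way; because it is marked auto-generated, that one would have to be fixed in its generator. If the openKylin build does not use Salsa CI at all (not visible from this diff), dropping both files removes the dependency.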
@@ -0,0 +1,82 @@
+Source: runc
+Section: admin
+Priority: optional
+Standards-Version: 4.6.2
+Maintainer: openKylin Developers
+XSBC-Original-Maintainer: Debian Go Packaging Team
+Uploaders: Alexandre Viau ,
+ Dmitry Smirnov ,
+ Tim Potter ,
+Build-Depends: debhelper-compat (= 13),
+ dh-golang,
+ go-md2man,
+ golang-any,
+ golang-dbus-dev,
+ golang-github-checkpoint-restore-go-criu-dev (>= 6),
+ golang-github-cilium-ebpf-dev (>= 0.6.2~),
+ golang-github-containerd-console-dev,
+ golang-github-coreos-go-systemd-dev (>= 22.3.2~),
+ golang-github-cyphar-filepath-securejoin-dev,
+ golang-github-docker-go-units-dev (>= 0.4.0~),
+ golang-github-moby-sys-dev (>= 0.0~git20201113.5a29239~),
+ golang-github-mrunalp-fileutils-dev (>= 0.5.1~),
+ golang-github-opencontainers-selinux-dev (>= 1.8.0~),
+ golang-github-opencontainers-specs-dev (>= 1.0.2.66~),
+ golang-github-seccomp-libseccomp-golang-dev (>= 0.10.0~),
+ golang-github-sirupsen-logrus-dev,
+ golang-github-urfave-cli-dev (>= 1.22.9~),
+ golang-github-vishvananda-netlink-dev,
+ golang-gocapability-dev (>= 0.0+git20200815~),
+ golang-golang-x-net-dev,
+ golang-google-protobuf-dev,
+ pkgconf,
+Homepage: https://github.com/opencontainers/runc
+Vcs-Git: https://salsa.debian.org/go-team/packages/runc.git
+Vcs-Browser: https://salsa.debian.org/go-team/packages/runc
+XS-Go-Import-Path: github.com/opencontainers/runc
+Rules-Requires-Root: no
+Testsuite: autopkgtest-pkg-go
+
+Package: runc
+Build-Profiles:
+Architecture: any
+Depends: ${misc:Depends},
+ ${shlibs:Depends},
+Built-Using: ${misc:Built-Using},
+Recommends: criu,
+ ${misc:Recommends},
+Description: Open Container Project - runtime
+ "runc" is a command line client for running applications packaged according
+ to the Open Container Format (OCF) and is a compliant implementation of
+ the Open Container Project specification.
+
+Package: golang-github-opencontainers-runc-dev
+Architecture: all
+Section: golang
+Depends: golang-dbus-dev,
+ golang-github-checkpoint-restore-go-criu-dev (>= 6),
+ golang-github-cilium-ebpf-dev (>= 0.6.2~),
+ golang-github-containerd-console-dev,
+ golang-github-coreos-go-systemd-dev (>= 22.3.2~),
+ golang-github-cyphar-filepath-securejoin-dev,
+ golang-github-docker-go-units-dev (>= 0.4.0~),
+ golang-github-moby-sys-dev (>= 0.0~git20201113.5a29239~),
+ golang-github-mrunalp-fileutils-dev (>= 0.5.1~),
+ golang-github-opencontainers-selinux-dev (>= 1.8.0~),
+ golang-github-opencontainers-specs-dev (>= 1.0.2.66~),
+ golang-github-seccomp-libseccomp-golang-dev (>= 0.10.0~),
+ golang-github-sirupsen-logrus-dev,
+ golang-github-urfave-cli-dev (>= 1.22.9~),
+ golang-github-vishvananda-netlink-dev,
+ golang-gocapability-dev (>= 0.0+git20200815~),
+ golang-golang-x-net-dev,
+ golang-google-protobuf-dev,
+ ${misc:Depends},
+Breaks: podman (<< 2.0.4+dfsg2-5~),
+Description: Open Container Project - development files
+ "runc" is a command line client for running applications packaged according
+ to the Open Container Format (OCF) and is a compliant implementation of
+ the Open Container Project specification.
+ .
+ This package provides development files formerly known as
+ "github.com/docker/libcontainer".
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..2fa4e73
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,52 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: runc
+Source: https://github.com/opencontainers/runc
+Files-Excluded: vendor
+
+Files: *
+Copyright:
+ 2012-2015 Docker, Inc.
+ 2019 Aleksa Sarai
+ 2019 SUSE LLC
+License: Apache-2.0
+
+Files: debian/*
+Copyright:
+ 2015 Alexandre Viau
+ 2015-2019 Dmitry Smirnov
+License: GPL-3+
+
+Files: debian/patches/*
+Copyright: 2015 Dmitry Smirnov
+License: GPL-3+ or Apache-2.0
+Comment: patches can be licensed under the same terms as upstream.
+
+License: Apache-2.0
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+ .
+ http://www.apache.org/licenses/LICENSE-2.0
+ .
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ .
+ The complete text of the Apache version 2.0 license
+ can be found in "/usr/share/common-licenses/Apache-2.0".
+
+License: GPL-3+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+ ․
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+ ․
+ The complete text of the GNU General Public License version 3
+ can be found in "/usr/share/common-licenses/GPL-3".
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..cec628c
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,2 @@ +[DEFAULT] +pristine-tar = True diff --git a/debian/gitlab-ci.yml b/debian/gitlab-ci.yml new file mode 100644 index 0000000..594e14e --- /dev/null +++ b/debian/gitlab-ci.yml @@ -0,0 +1,6 @@ +# auto-generated, DO NOT MODIFY. +# The authoritative copy of this file lives at: +# https://salsa.debian.org/go-team/infra/pkg-go-tools/blob/master/config/gitlabciyml.go +--- +include: + - https://salsa.debian.org/go-team/infra/pkg-go-tools/-/raw/master/pipeline/test-archive.yml diff --git a/debian/golang-github-opencontainers-runc-dev.docs b/debian/golang-github-opencontainers-runc-dev.docs new file mode 100644 index 0000000..6d5ee1d --- /dev/null +++ b/debian/golang-github-opencontainers-runc-dev.docs @@ -0,0 +1 @@ +NOTICE diff --git a/debian/golang-github-opencontainers-runc-dev.install b/debian/golang-github-opencontainers-runc-dev.install new file mode 100644 index 0000000..3e409b1 --- /dev/null +++ b/debian/golang-github-opencontainers-runc-dev.install @@ -0,0 +1 @@ +usr/share/gocode/src diff --git a/debian/patches/0001-skip-test-hugetlb_test.go.patch b/debian/patches/0001-skip-test-hugetlb_test.go.patch new file mode 100644 index 0000000..bdd42ca --- /dev/null +++ b/debian/patches/0001-skip-test-hugetlb_test.go.patch 
@@ -0,0 +1,49 @@ +From: Dmitry Smirnov +Date: Sun, 15 Nov 2020 21:42:16 +0800 +Subject: skip test: hugetlb_test.go + +Random failures on ppc64el, s390x + +Last-Update: 2018-09-27 +Forwarded: not-needed +Bug-Upstream: https://github.com/opencontainers/runc/issues/1822 +--- + libcontainer/cgroups/fs/hugetlb_test.go | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/libcontainer/cgroups/fs/hugetlb_test.go b/libcontainer/cgroups/fs/hugetlb_test.go +index 17b4945..8836dbe 100644 +--- a/libcontainer/cgroups/fs/hugetlb_test.go ++++ b/libcontainer/cgroups/fs/hugetlb_test.go +@@ -115,6 +115,7 @@ func TestHugetlbRStatsRsvd(t *testing.T) { + } + + func TestHugetlbStatsNoUsageFile(t *testing.T) { ++ t.Skip("Disabled unreliable test") + path := tempDir(t, "hugetlb") + writeFileContents(t, path, map[string]string{ + maxUsage: hugetlbMaxUsageContents, +@@ -129,6 +130,7 @@ func TestHugetlbStatsNoUsageFile(t *testing.T) { + } + + func TestHugetlbStatsNoMaxUsageFile(t *testing.T) { ++ t.Skip("Disabled unreliable test") + path := tempDir(t, "hugetlb") + for _, pageSize := range cgroups.HugePageSizes() { + writeFileContents(t, path, map[string]string{ +@@ -145,6 +147,7 @@ func TestHugetlbStatsNoMaxUsageFile(t *testing.T) { + } + + func TestHugetlbStatsBadUsageFile(t *testing.T) { ++ t.Skip("Disabled unreliable test") + path := tempDir(t, "hugetlb") + for _, pageSize := range cgroups.HugePageSizes() { + writeFileContents(t, path, map[string]string{ +@@ -162,6 +165,7 @@ func TestHugetlbStatsBadUsageFile(t *testing.T) { + } + + func TestHugetlbStatsBadMaxUsageFile(t *testing.T) { ++ t.Skip("Disabled unreliable test") + path := tempDir(t, "hugetlb") + writeFileContents(t, path, map[string]string{ + usage: hugetlbUsageContents, diff --git a/debian/patches/0002-skip-privileged-test-factory_linux_test.go.patch b/debian/patches/0002-skip-privileged-test-factory_linux_test.go.patch new file mode 100644 index 0000000..0161dda --- /dev/null 
+++ b/debian/patches/0002-skip-privileged-test-factory_linux_test.go.patch @@ -0,0 +1,30 @@ +From: Dmitry Smirnov +Date: Sun, 15 Nov 2020 21:42:17 +0800 +Subject: skip privileged test: factory_linux_test.go + +Last-Update: 2018-06-15 +Forwarded: not-needed +--- + libcontainer/factory_linux_test.go | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/libcontainer/factory_linux_test.go b/libcontainer/factory_linux_test.go +index 47f3069..2ced7f0 100644 +--- a/libcontainer/factory_linux_test.go ++++ b/libcontainer/factory_linux_test.go +@@ -38,6 +38,7 @@ func TestFactoryNew(t *testing.T) { + } + + func TestFactoryNewTmpfs(t *testing.T) { ++ t.Skip("DM - skipping privileged test") + root := t.TempDir() + factory, err := New(root, TmpfsRoot) + if err != nil { +@@ -99,6 +100,7 @@ func TestFactoryLoadNotExists(t *testing.T) { + } + + func TestFactoryLoadContainer(t *testing.T) { ++ t.Skip("DM - skipping privileged test") + root := t.TempDir() + // setup default container config and state for mocking + var ( diff --git a/debian/patches/0003-skip-privileged-test-nsenter_test.go.patch b/debian/patches/0003-skip-privileged-test-nsenter_test.go.patch new file mode 100644 index 0000000..0cda4b6 --- /dev/null +++ b/debian/patches/0003-skip-privileged-test-nsenter_test.go.patch @@ -0,0 +1,18 @@ +From: Shengjing Zhu +Date: Sat, 23 Jan 2021 22:25:59 +0800 +Subject: skip privileged test: nsenter_test.go + +--- + libcontainer/nsenter/nsenter_test.go | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/libcontainer/nsenter/nsenter_test.go b/libcontainer/nsenter/nsenter_test.go +index 0cbf0aa..44556b3 100644 +--- a/libcontainer/nsenter/nsenter_test.go ++++ b/libcontainer/nsenter/nsenter_test.go +@@ -1,3 +1,5 @@ ++// +build ignore ++ + package nsenter + + import ( diff --git a/debian/patches/0004-skip-test-cgroups_test.go.patch b/debian/patches/0004-skip-test-cgroups_test.go.patch new file mode 100644 index 0000000..4be4f29 --- /dev/null 
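Review bot: `// +build ignore` in patch 0003 excludes all of nsenter_test.go from every build, so the namespace-entry code is packaged with none of its unit tests running, whereas patch 0002 skips only the individual privileged tests. A per-test guard such as `if os.Geteuid() != 0 { t.Skip("requires root") }` would keep whatever can run unprivileged (assuming some of these tests can; the file body is outside this hunk). If the file-level exclusion stays, write the constraint as `//go:build ignore` above the `// +build ignore` line, since go.mod in this tree declares go 1.17. The patch should also carry a description and a `Forwarded:` field, as patches 0001 and 0002 do, so the reason is recorded.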
+++ b/debian/patches/0004-skip-test-cgroups_test.go.patch @@ -0,0 +1,21 @@ +From: Shengjing Zhu +Date: Sat, 23 Jan 2021 22:29:01 +0800 +Subject: skip test: cgroups_test.go + +Fail when cgroups is not mounted +--- + libcontainer/cgroups/cgroups_test.go | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/libcontainer/cgroups/cgroups_test.go b/libcontainer/cgroups/cgroups_test.go +index b31412f..90b69ee 100644 +--- a/libcontainer/cgroups/cgroups_test.go ++++ b/libcontainer/cgroups/cgroups_test.go +@@ -5,6 +5,7 @@ import ( + ) + + func TestParseCgroups(t *testing.T) { ++ t.Skip("need to mount cgroupfs") + cgroups, err := ParseCgroupFile("/proc/self/cgroup") + if err != nil { + t.Fatal(err) diff --git a/debian/patches/0005-skip-integration-when-no-dev-kmsg.patch b/debian/patches/0005-skip-integration-when-no-dev-kmsg.patch new file mode 100644 index 0000000..9041cd2 --- /dev/null +++ b/debian/patches/0005-skip-integration-when-no-dev-kmsg.patch @@ -0,0 +1,24 @@ +From: Shengjing Zhu +Date: Thu, 4 Feb 2021 17:35:38 +0800 +Subject: skip integration when no /dev/kmsg + +By default, privileged lxc container doesn't have /dev/kmsg +--- + tests/integration/dev.bats | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/tests/integration/dev.bats b/tests/integration/dev.bats +index 2433157..e7c91c7 100644 +--- a/tests/integration/dev.bats ++++ b/tests/integration/dev.bats +@@ -73,6 +73,10 @@ function teardown() { + @test "runc run [device cgroup allow rw char device]" { + requires root + ++ if [[ ! -c /dev/kmsg ]]; then ++ skip "no /dev/kmsg" ++ fi ++ + update_config ' .linux.resources.devices = [{"allow": false, "access": "rwm"},{"allow": true, "type": "c", "major": 1, "minor": 11, "access": "rw"}] + | .linux.devices = [{"path": "/dev/kmsg", "type": "c", "major": 1, "minor": 11}] + | .process.args |= ["sh"] diff --git a/debian/patches/0006-skip-test-paths_test.go.patch b/debian/patches/0006-skip-test-paths_test.go.patch new file mode 100644 index 0000000..362b676 
--- /dev/null +++ b/debian/patches/0006-skip-test-paths_test.go.patch @@ -0,0 +1,29 @@ +From: Shengjing Zhu +Date: Wed, 15 Dec 2021 01:14:52 +0800 +Subject: skip test: paths_test.go + +Fail when cgroups is not mounted +--- + libcontainer/cgroups/fs/paths_test.go | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/libcontainer/cgroups/fs/paths_test.go b/libcontainer/cgroups/fs/paths_test.go +index 3a4d45f..2a77f6d 100644 +--- a/libcontainer/cgroups/fs/paths_test.go ++++ b/libcontainer/cgroups/fs/paths_test.go +@@ -10,6 +10,7 @@ import ( + ) + + func TestInvalidCgroupPath(t *testing.T) { ++ t.Skip("need to mount cgroupfs") + if cgroups.IsCgroup2UnifiedMode() { + t.Skip("cgroup v2 is not supported") + } +@@ -91,6 +92,7 @@ func TestInvalidCgroupPath(t *testing.T) { + } + + func TestTryDefaultCgroupRoot(t *testing.T) { ++ t.Skip("need to mount cgroupfs") + res := tryDefaultCgroupRoot() + exp := defaultCgroupRoot + if cgroups.IsCgroup2UnifiedMode() { diff --git a/debian/patches/0007-skip-test-manager_test.go.patch b/debian/patches/0007-skip-test-manager_test.go.patch new file mode 100644 index 0000000..7b4984b --- /dev/null +++ b/debian/patches/0007-skip-test-manager_test.go.patch @@ -0,0 +1,21 @@ +From: Shengjing Zhu +Date: Wed, 15 Dec 2021 01:16:00 +0800 +Subject: skip test: manager_test.go + +Fail when cgroups is not mounted +--- + libcontainer/cgroups/manager/manager_test.go | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/libcontainer/cgroups/manager/manager_test.go b/libcontainer/cgroups/manager/manager_test.go +index 6f0c070..fe07a47 100644 +--- a/libcontainer/cgroups/manager/manager_test.go ++++ b/libcontainer/cgroups/manager/manager_test.go +@@ -14,6 +14,7 @@ import ( + // This tests either v1 or v2 fs cgroup manager, depending on which + // cgroup version is available. + func TestNilResources(t *testing.T) { ++ t.Skip("need to mount cgroupfs") + testNilResources(t, false) + } + 
diff --git a/debian/patches/0008-tests-enable-seccomp-default-action-tests-on-arm.patch b/debian/patches/0008-tests-enable-seccomp-default-action-tests-on-arm.patch new file mode 100644 index 0000000..8b839b9 --- /dev/null +++ b/debian/patches/0008-tests-enable-seccomp-default-action-tests-on-arm.patch 
@@ -0,0 +1,59 @@ +From: Shengjing Zhu +Date: Mon, 20 Jun 2022 13:14:25 +0800 +Subject: tests: enable seccomp default action tests on arm + +Signed-off-by: Shengjing Zhu + +Forwarded: https://github.com/opencontainers/runc/pull/3525 +--- + tests/integration/seccomp.bats | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/tests/integration/seccomp.bats b/tests/integration/seccomp.bats +index e81beca..c24eeb2 100644 +--- a/tests/integration/seccomp.bats ++++ b/tests/integration/seccomp.bats +@@ -43,8 +43,8 @@ function teardown() { + | .process.noNewPrivileges = false + | .linux.seccomp = { + "defaultAction":"SCMP_ACT_ALLOW", +- "architectures":["SCMP_ARCH_X86","SCMP_ARCH_X32"], +- "syscalls":[{"names":["mkdir"], "action":"SCMP_ACT_ERRNO"}] ++ "architectures":["SCMP_ARCH_X86","SCMP_ARCH_X32","SCMP_ARCH_X86_64","SCMP_ARCH_AARCH64","SCMP_ARCH_ARM"], ++ "syscalls":[{"names":["mkdir","mkdirat"], "action":"SCMP_ACT_ERRNO"}] + }' + + runc run test_busybox +@@ -57,8 +57,8 @@ function teardown() { + | .process.noNewPrivileges = false + | .linux.seccomp = { + "defaultAction":"SCMP_ACT_ALLOW", +- "architectures":["SCMP_ARCH_X86","SCMP_ARCH_X32"], +- "syscalls":[{"names":["mkdir"], "action":"SCMP_ACT_ERRNO", "errnoRet": 100}] ++ "architectures":["SCMP_ARCH_X86","SCMP_ARCH_X32","SCMP_ARCH_X86_64","SCMP_ARCH_AARCH64","SCMP_ARCH_ARM"], ++ "syscalls":[{"names":["mkdir","mkdirat"], "action":"SCMP_ACT_ERRNO", "errnoRet": 100}] + }' + + runc run test_busybox +@@ -71,8 +71,8 @@ function teardown() { + | .process.noNewPrivileges = false + | .linux.seccomp = { + "defaultAction":"SCMP_ACT_ALLOW", +- "architectures":["SCMP_ARCH_X86","SCMP_ARCH_X32"], +- "syscalls":[{"names":["mkdir"], "action":"SCMP_ACT_KILL"}] ++ "architectures":["SCMP_ARCH_X86","SCMP_ARCH_X32","SCMP_ARCH_X86_64","SCMP_ARCH_AARCH64","SCMP_ARCH_ARM"], ++ "syscalls":[{"names":["mkdir","mkdirat"], "action":"SCMP_ACT_KILL"}] + }' + + runc run test_busybox +@@ -84,8 +84,8 @@ function 
teardown() { + update_config ' .process.args = ["/bin/true"] + | .linux.seccomp = { + "defaultAction":"SCMP_ACT_ALLOW", +- "architectures":["SCMP_ARCH_X86","SCMP_ARCH_X32"], +- "syscalls":[{"names":["mkdir"], "action":"SCMP_ACT_KILL"}] ++ "architectures":["SCMP_ARCH_X86","SCMP_ARCH_X32","SCMP_ARCH_X86_64","SCMP_ARCH_AARCH64","SCMP_ARCH_ARM"], ++ "syscalls":[{"names":["mkdir","mkdirat"], "action":"SCMP_ACT_KILL"}] + } + | .hooks = { + "startContainer": [ { diff --git a/debian/patches/0009-skip-test-file_test.go.patch b/debian/patches/0009-skip-test-file_test.go.patch new file mode 100644 index 0000000..31bb5d8 --- /dev/null +++ b/debian/patches/0009-skip-test-file_test.go.patch @@ -0,0 +1,22 @@ +From: Shengjing Zhu +Date: Wed, 29 Mar 2023 17:30:22 +0800 +Subject: skip test: file_test.go + +Fail when cgroups is not mounted +--- + libcontainer/cgroups/file_test.go | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/libcontainer/cgroups/file_test.go b/libcontainer/cgroups/file_test.go +index 94f1a99..98cae47 100644 +--- a/libcontainer/cgroups/file_test.go ++++ b/libcontainer/cgroups/file_test.go +@@ -41,6 +41,8 @@ func TestWriteCgroupFileHandlesInterrupt(t *testing.T) { + } + + func TestOpenat2(t *testing.T) { ++ t.Skip("need to mount cgroupfs") ++ + if !IsCgroup2UnifiedMode() { + // The reason is many test cases below test opening files from + // the top-level directory, where cgroup v1 has no files. diff --git a/debian/patches/0010-export-blockIODevice.patch b/debian/patches/0010-export-blockIODevice.patch new file mode 100644 index 0000000..8157467 --- /dev/null +++ b/debian/patches/0010-export-blockIODevice.patch 
@@ -0,0 +1,45 @@ +From: cdoern +Date: Sat, 27 Aug 2022 18:23:47 +0800 +Subject: export blockIODevice + +the struct blockIODevice is used in an exported struct but it is not itself exported rendering that type inaccessible to +outside projects + +Signed-off-by: cdoern +--- + libcontainer/configs/blkio_device.go | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/libcontainer/configs/blkio_device.go b/libcontainer/configs/blkio_device.go +index fa195bf..865344f 100644 +--- a/libcontainer/configs/blkio_device.go ++++ b/libcontainer/configs/blkio_device.go +@@ -2,8 +2,8 @@ package configs + + import "fmt" + +-// blockIODevice holds major:minor format supported in blkio cgroup +-type blockIODevice struct { ++// BlockIODevice holds major:minor format supported in blkio cgroup. ++type BlockIODevice struct { + // Major is the device's major number + Major int64 `json:"major"` + // Minor is the device's minor number +@@ -12,7 +12,7 @@ type blockIODevice struct { + + // WeightDevice struct holds a `major:minor weight`|`major:minor leaf_weight` pair + type WeightDevice struct { +- blockIODevice ++ BlockIODevice + // Weight is the bandwidth rate for the device, range is from 10 to 1000 + Weight uint16 `json:"weight"` + // LeafWeight is the bandwidth rate for the device while competing with the cgroup's child cgroups, range is from 10 to 1000, cfq scheduler only +@@ -41,7 +41,7 @@ func (wd *WeightDevice) LeafWeightString() string { + + // ThrottleDevice struct holds a `major:minor rate_per_second` pair + type ThrottleDevice struct { +- blockIODevice ++ BlockIODevice + // Rate is the IO rate limit per cgroup per device + Rate uint64 `json:"rate"` + } diff --git a/debian/patches/0011-Bump-go-criu-to-v6.patch b/debian/patches/0011-Bump-go-criu-to-v6.patch new file mode 100644 index 0000000..ec1b37d --- /dev/null +++ b/debian/patches/0011-Bump-go-criu-to-v6.patch 
@@ -0,0 +1,142 @@ +From: Shengjing Zhu +Date: Sun, 5 Nov 2023 15:32:57 +0800 +Subject: Bump go-criu to v6 + +--- + checkpoint.go | 2 +- + go.mod | 9 ++++----- + go.sum | 19 ++++++++++++------- + libcontainer/container_linux.go | 4 ++-- + libcontainer/criu_opts_linux.go | 2 +- + 5 files changed, 20 insertions(+), 16 deletions(-) + +diff --git a/checkpoint.go b/checkpoint.go +index 32a62a8..bcd2819 100644 +--- a/checkpoint.go ++++ b/checkpoint.go +@@ -8,7 +8,7 @@ import ( + "path/filepath" + "strconv" + +- criu "github.com/checkpoint-restore/go-criu/v5/rpc" ++ criu "github.com/checkpoint-restore/go-criu/v6/rpc" + "github.com/opencontainers/runc/libcontainer" + "github.com/opencontainers/runc/libcontainer/userns" + "github.com/opencontainers/runtime-spec/specs-go" +diff --git a/go.mod b/go.mod +index f51b643..bf75be8 100644 +--- a/go.mod ++++ b/go.mod +@@ -3,7 +3,7 @@ module github.com/opencontainers/runc + go 1.17 + + require ( +- github.com/checkpoint-restore/go-criu/v5 v5.3.0 ++ github.com/checkpoint-restore/go-criu/v6 v6.3.0 + github.com/cilium/ebpf v0.7.0 + github.com/containerd/console v1.0.3 + github.com/coreos/go-systemd/v22 v22.3.2 +@@ -22,12 +22,11 @@ require ( + github.com/vishvananda/netlink v1.1.0 + golang.org/x/net v0.8.0 + golang.org/x/sys v0.6.0 +- google.golang.org/protobuf v1.27.1 ++ google.golang.org/protobuf v1.28.1 + ) + + require ( +- github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d // indirect +- github.com/russross/blackfriday/v2 v2.0.1 // indirect +- github.com/shurcooL/sanitized_anchor_name v1.0.0 // indirect ++ github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect ++ github.com/russross/blackfriday/v2 v2.1.0 // indirect + github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df // indirect + ) +diff --git a/go.sum b/go.sum +index ecabd39..f47124c 100644 +--- a/go.sum ++++ b/go.sum +@@ -1,14 +1,15 @@ + github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= 
+-github.com/checkpoint-restore/go-criu/v5 v5.3.0 h1:wpFFOoomK3389ue2lAb0Boag6XPht5QYpipxmSNL4d8= +-github.com/checkpoint-restore/go-criu/v5 v5.3.0/go.mod h1:E/eQpaFtUKGOOSEBZgmKAcn+zUUwWxqcaKZlF54wK8E= ++github.com/checkpoint-restore/go-criu/v6 v6.3.0 h1:mIdrSO2cPNWQY1truPg6uHLXyKHk3Z5Odx4wjKOASzA= ++github.com/checkpoint-restore/go-criu/v6 v6.3.0/go.mod h1:rrRTN/uSwY2X+BPRl/gkulo9gsKOSAeVp9/K2tv7xZI= + github.com/cilium/ebpf v0.7.0 h1:1k/q3ATgxSXRdrmPfH8d7YK0GfqVsEKZAX9dQZvs56k= + github.com/cilium/ebpf v0.7.0/go.mod h1:/oI2+1shJiTGAMgl6/RgJr36Eo1jzrRcAWbcXO2usCA= + github.com/containerd/console v1.0.3 h1:lIr7SlA5PxZyMV30bDW0MGbiOPXwc63yRuCP0ARubLw= + github.com/containerd/console v1.0.3/go.mod h1:7LqA/THxQ86k76b8c/EMSiaJ3h1eZkMkXar0TQ1gf3U= + github.com/coreos/go-systemd/v22 v22.3.2 h1:D9/bQk5vlXQFZ6Kwuu6zaiXJ9oTPe68++AzAJc1DzSI= + github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= +-github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d h1:U+s90UTSYgptZMwQh2aRr3LuazLJIa+Pg3Kc1ylSYVY= + github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= ++github.com/cpuguy83/go-md2man/v2 v2.0.2 h1:p1EgwI/C7NhT0JmVkwCD2ZBK8j4aeHQX2pMHHBfMQ6w= ++github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= + github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg= + github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= + github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +@@ -24,6 +25,7 @@ github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaS + github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= + github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU= + github.com/google/go-cmp v0.5.5/go.mod 
h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= ++github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= + github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI= + github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= + github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +@@ -39,14 +41,16 @@ github.com/opencontainers/selinux v1.10.0 h1:rAiKF8hTcgLI3w0DHm6i0ylVVcOrlgR1kK9 + github.com/opencontainers/selinux v1.10.0/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI= + github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= + github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +-github.com/russross/blackfriday/v2 v2.0.1 h1:lPqVAte+HuHNfhJ/0LC98ESWRz8afy9tM/0RK8m9o+Q= + github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= ++github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= ++github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= + github.com/seccomp/libseccomp-golang v0.9.2-0.20220502022130-f33da4d89646 h1:RpforrEYXWkmGwJHIGnLZ3tTWStkjVVstwzNGqxX2Ds= + github.com/seccomp/libseccomp-golang v0.9.2-0.20220502022130-f33da4d89646/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg= +-github.com/shurcooL/sanitized_anchor_name v1.0.0 h1:PdmoCO6wvbs+7yrJyMORt4/BmY5IYyJwS/kOiWx8mHo= + github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= + github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE= + github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= ++github.com/spf13/cobra v1.5.0/go.mod h1:dWXEIy2H428czQCjInthrTRUg7yKbok+2Qi/yBIJoUM= ++github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= + github.com/stretchr/testify 
v1.2.2 h1:bSDNvY7ZPG5RlJ8otE/7V6gMiyenm9RtJ7IUVIAoJ1w= + github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= + github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtseVEc4yCz2qF8ZrQvIDBJLl4S1c3GCXmoI= +@@ -102,7 +106,8 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T + golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4= + golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= + google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= +-google.golang.org/protobuf v1.27.1 h1:SnqbnDw1V7RiZcXPx5MEeqPv2s79L9i7BJUlG/+RurQ= +-google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= ++google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w= ++google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= + gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= + gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= ++gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= +diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go +index 40b332f..616b3ad 100644 +--- a/libcontainer/container_linux.go ++++ b/libcontainer/container_linux.go +@@ -17,8 +17,8 @@ import ( + "sync" + "time" + +- "github.com/checkpoint-restore/go-criu/v5" +- criurpc "github.com/checkpoint-restore/go-criu/v5/rpc" ++ "github.com/checkpoint-restore/go-criu/v6" ++ criurpc "github.com/checkpoint-restore/go-criu/v6/rpc" + securejoin "github.com/cyphar/filepath-securejoin" + "github.com/opencontainers/runtime-spec/specs-go" + "github.com/sirupsen/logrus" +diff --git a/libcontainer/criu_opts_linux.go b/libcontainer/criu_opts_linux.go +index b39476e..6b0cfb8 100644 
+--- a/libcontainer/criu_opts_linux.go
++++ b/libcontainer/criu_opts_linux.go
+@@ -1,6 +1,6 @@
+ package libcontainer
+
+-import criu "github.com/checkpoint-restore/go-criu/v5/rpc"
++import criu "github.com/checkpoint-restore/go-criu/v6/rpc"
+
+ type CriuPageServerInfo struct {
+ Address string // IP address of CRIU page server
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..5d724db
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,11 @@
+0001-skip-test-hugetlb_test.go.patch
+0002-skip-privileged-test-factory_linux_test.go.patch
+0003-skip-privileged-test-nsenter_test.go.patch
+0004-skip-test-cgroups_test.go.patch
+0005-skip-integration-when-no-dev-kmsg.patch
+0006-skip-test-paths_test.go.patch
+0007-skip-test-manager_test.go.patch
+0008-tests-enable-seccomp-default-action-tests-on-arm.patch
+0009-skip-test-file_test.go.patch
+0010-export-blockIODevice.patch
+0011-Bump-go-criu-to-v6.patch
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..8b720f3
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,20 @@
+#!/usr/bin/make -f
+
+include /usr/share/dpkg/pkg-info.mk
+
+export DH_GOLANG_EXCLUDES := libcontainer/integration contrib/cmd
+
+TAGS := seccomp urfave_cli_no_docs
+LDFLAGS := -X main.version=$(DEB_VERSION_UPSTREAM) -X main.gitCommit=$(DEB_VERSION)
+
+%:
+ dh $@ --buildsystem=golang --with=golang --builddirectory=_build
+
+execute_after_dh_auto_build:
+ cd man && ./md2man-all.sh
+
+override_dh_auto_build:
+ dh_auto_build -- -tags "$(TAGS)" -ldflags "$(LDFLAGS)"
+
+override_dh_auto_test:
+ dh_auto_test -- -tags "$(TAGS)"
diff --git a/debian/runc.clean b/debian/runc.clean
new file mode 100644
index 0000000..cf2f973
--- /dev/null
+++ b/debian/runc.clean
@@ -0,0 +1 @@
+man/*/*.8
diff --git a/debian/runc.docs b/debian/runc.docs
new file mode 100644
index 0000000..5a277f9
--- /dev/null
+++ b/debian/runc.docs
@@ -0,0 +1,3 @@
+NOTICE
+README.md
+docs/*.md
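Review bot: In debian/rules, `LDFLAGS` passes `-X main.gitCommit=$(DEB_VERSION)`, so the commit field stamped into the binary holds the package version string rather than an upstream commit id. Anyone trying to match an installed runc against upstream fixes by commit will not find one there, and nothing in the file says this is deliberate. I would add a comment above the assignment, for example `# gitCommit carries the Debian package version; the upstream commit id is not recorded in the binary`.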
diff --git a/debian/runc.install b/debian/runc.install
new file mode 100644
index 0000000..5acb798
--- /dev/null
+++ b/debian/runc.install
@@ -0,0 +1,2 @@
+contrib/completions/bash/runc /usr/share/bash-completion/completions/
+usr/bin/* /usr/sbin/
diff --git a/debian/runc.links b/debian/runc.links
new file mode 100644
index 0000000..a19d930
--- /dev/null
+++ b/debian/runc.links
@@ -0,0 +1 @@
+usr/sbin/runc usr/bin/runc
diff --git a/debian/runc.lintian-overrides b/debian/runc.lintian-overrides
new file mode 100644
index 0000000..eaa0b29
--- /dev/null
+++ b/debian/runc.lintian-overrides
@@ -0,0 +1 @@
+runc: spelling-error-in-binary
diff --git a/debian/runc.manpages b/debian/runc.manpages
new file mode 100644
index 0000000..99cddbc
--- /dev/null
+++ b/debian/runc.manpages
@@ -0,0 +1 @@
+man/man8/*.8
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..163aaf8
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/debian/tests/checkpoint b/debian/tests/checkpoint
new file mode 100755
index 0000000..1f23f8d
--- /dev/null
+++ b/debian/tests/checkpoint
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+ln -sf /usr/sbin/runc runc
+export GOPATH=/tmp/gopath
+export GOCACHE=/tmp/gocache
+go mod vendor
+make recvtty
+script -e -c 'bats -t tests/integration/checkpoint.bats'
diff --git a/debian/tests/integration b/debian/tests/integration
new file mode 100755
index 0000000..46d100b
--- /dev/null
+++ b/debian/tests/integration
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+ln -sf /usr/sbin/runc runc
+export GOPATH=/tmp/gopath
+export GOCACHE=/tmp/gocache
+go mod vendor
+make recvtty seccompagent
+script -e -c 'bats -t tests/integration'
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
new file mode 100644
index 0000000..eb371fa
--- /dev/null
+++ b/debian/upstream/metadata
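Review bot: debian/tests/checkpoint points `GOPATH` and `GOCACHE` at fixed names under `/tmp` and runs without `set -e`. On a testbed that is not single-user, another local account can create `/tmp/gopath` or `/tmp/gocache` first and so influence what `go mod vendor` and `make recvtty` build from. A failure of `ln`, `go mod vendor` or `make` is also ignored, because only the exit status of the final `script` command reaches autopkgtest. I would add `set -eu` after the shebang and use `export GOPATH="$AUTOPKGTEST_TMP/gopath"` and `export GOCACHE="$AUTOPKGTEST_TMP/gocache"`. debian/tests/integration has the same lines and needs the same change.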
@@ -0,0 +1,4 @@
+---
+Bug-Database: https://github.com/opencontainers/runc/issues
+Bug-Submit: https://github.com/opencontainers/runc/issues/new
+Repository-Browse: https://github.com/opencontainers/runc
diff --git a/debian/watch b/debian/watch
new file mode 100644
index 0000000..d57b109
--- /dev/null
+++ b/debian/watch
@@ -0,0 +1,7 @@
+version=4
+
+opts="uversionmangle=s/-rc/~rc/, \
+ dversionmangle=auto, \
+ repacksuffix=+ds1" \
+https://github.com/opencontainers/runc/tags \
+(?:.*?/)v?@ANY_VERSION@\.tar\.gz
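Review bot: debian/watch tracks the GitHub tag tarballs over HTTPS, but `opts` configures no signature check, so uscan accepts whatever archive the tags page serves. If upstream publishes detached signatures for its release tarballs, `opts` could gain a `pgpsigurlmangle=...` entry with the upstream key shipped as `debian/upstream/signing-key.asc`. The exact mangle rule depends on upstream's artifact naming, which is not visible here. If no signed artifact matches what this file downloads, a comment saying that the imported tarball is unverified would tell the next importer to check it by other means.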