Merge pull request #1056 from tariq1890/bump-runc-dep

Bump github.com/opencontainers/runc from v1.2.6 to v1.3.0

cmd/nvidia-cdi-hook/update-ldcache/safe-exec_linux.go

@@ -22,7 +22,7 @@ import (
 	"strconv"
 	"syscall"
 
-	"github.com/opencontainers/runc/libcontainer/dmz"
+	"github.com/opencontainers/runc/libcontainer/exeseal"
 )
 
 // SafeExec attempts to clone the specified binary (as an memfd, for example) before executing it.
@@ -53,5 +53,5 @@ func cloneBinary(path string) (*os.File, error) {
 	}
 	size := stat.Size()
 
-	return dmz.CloneBinary(exe, size, path, os.TempDir())
+	return exeseal.CloneBinary(exe, size, path, os.TempDir())
 }

go.mod

@@ -6,7 +6,7 @@ require (
 	github.com/NVIDIA/go-nvlib v0.7.1
 	github.com/NVIDIA/go-nvml v0.12.4-1
 	github.com/moby/sys/symlink v0.3.0
-	github.com/opencontainers/runc v1.2.6
+	github.com/opencontainers/runc v1.3.0
 	github.com/opencontainers/runtime-spec v1.2.1
 	github.com/pelletier/go-toml v1.9.5
 	github.com/sirupsen/logrus v1.9.3

go.sum

@@ -35,16 +35,16 @@ github.com/mndrix/tap-go v0.0.0-20171203230836-629fa407e90b/go.mod h1:pzzDgJWZ34
 github.com/moby/sys/symlink v0.3.0 h1:GZX89mEZ9u53f97npBy4Rc3vJKj7JBDj/PN2I22GrNU=
 github.com/moby/sys/symlink v0.3.0/go.mod h1:3eNdhduHmYPcgsJtZXW1W4XUJdZGBIkttZ8xKqPUJq0=
 github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ=
-github.com/opencontainers/runc v1.2.6 h1:P7Hqg40bsMvQGCS4S7DJYhUZOISMLJOB2iGX5COWiPk=
-github.com/opencontainers/runc v1.2.6/go.mod h1:dOQeFo29xZKBNeRBI0B19mJtfHv68YgCTh1X+YphA+4=
+github.com/opencontainers/runc v1.3.0 h1:cvP7xbEvD0QQAs0nZKLzkVog2OPZhI/V2w3WmTmUSXI=
+github.com/opencontainers/runc v1.3.0/go.mod h1:9wbWt42gV+KRxKRVVugNP6D5+PQciRbenB4fLVsqGPs=
 github.com/opencontainers/runtime-spec v1.0.3-0.20220825212826-86290f6a00fb/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-spec v1.2.1 h1:S4k4ryNgEpxW1dzyqffOmhI1BHYcjzU8lpJfSlR0xww=
 github.com/opencontainers/runtime-spec v1.2.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-tools v0.9.1-0.20221107090550-2e043c6bd626 h1:DmNGcqH3WDbV5k8OJ+esPWbqUOX5rMLR2PMvziDMJi0=
 github.com/opencontainers/runtime-tools v0.9.1-0.20221107090550-2e043c6bd626/go.mod h1:BRHJJd0E+cx42OybVYSgUvZmU0B8P9gZuRXlZUP7TKI=
 github.com/opencontainers/selinux v1.9.1/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI=
-github.com/opencontainers/selinux v1.11.0 h1:+5Zbo97w3Lbmb3PeqQtpmTkMwsW5nRI3YaLpt7tQ7oU=
-github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
+github.com/opencontainers/selinux v1.11.1 h1:nHFvthhM0qY8/m+vfhJylliSshm8G1jJ2jDMcgULaH8=
+github.com/opencontainers/selinux v1.11.1/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
 github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8=
 github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=

vendor/github.com/opencontainers/runc/libcontainer/exeseal/cloned_binary_linux.go

@@ -1,4 +1,4 @@
-package dmz
+package exeseal
 
 import (
 	"errors"
@@ -228,7 +228,7 @@ func CloneSelfExe(tmpDir string) (*os.File, error) {
 	// around ~60% overhead during container startup.
 	overlayFile, err := sealedOverlayfs("/proc/self/exe", tmpDir)
 	if err == nil {
-		logrus.Debug("runc-dmz: using overlayfs for sealed /proc/self/exe") // used for tests
+		logrus.Debug("runc exeseal: using overlayfs for sealed /proc/self/exe") // used for tests
 		return overlayFile, nil
 	}
 	logrus.WithError(err).Debugf("could not use overlayfs for /proc/self/exe sealing -- falling back to making a temporary copy")

vendor/github.com/opencontainers/runc/libcontainer/exeseal/overlayfs_linux.go

@@ -1,4 +1,4 @@
-package dmz
+package exeseal
 
 import (
 	"fmt"

vendor/github.com/opencontainers/runc/libcontainer/system/rlimit_linux_go122.go

@@ -1,27 +0,0 @@
-//go:build !go1.23
-
-// TODO: remove this file once go 1.22 is no longer supported.
-
-package system
-
-import (
-	"sync/atomic"
-	"syscall"
-	_ "unsafe" // Needed for go:linkname to work.
-)
-
-//go:linkname syscallOrigRlimitNofile syscall.origRlimitNofile
-var syscallOrigRlimitNofile atomic.Pointer[syscall.Rlimit]
-
-// ClearRlimitNofileCache clears go runtime's nofile rlimit cache.
-// The argument is process RLIMIT_NOFILE values.
-func ClearRlimitNofileCache(_ *syscall.Rlimit) {
-	// As reported in issue #4195, the new version of go runtime(since 1.19)
-	// will cache rlimit-nofile. Before executing execve, the rlimit-nofile
-	// of the process will be restored with the cache. In runc, this will
-	// cause the rlimit-nofile setting by the parent process for the container
-	// to become invalid. It can be solved by clearing this cache. But
-	// unfortunately, go stdlib doesn't provide such function, so we need to
-	// link to the private var `origRlimitNofile` in package syscall to hack.
-	syscallOrigRlimitNofile.Store(nil)
-}

vendor/github.com/opencontainers/runc/libcontainer/utils/utils.go

@@ -50,19 +50,19 @@ func CleanPath(path string) string {
 
 	// Ensure that all paths are cleaned (especially problematic ones like
 	// "/../../../../../" which can cause lots of issues).
-	path = filepath.Clean(path)
+
+	if filepath.IsAbs(path) {
+		return filepath.Clean(path)
+	}
 
 	// If the path isn't absolute, we need to do more processing to fix paths
 	// such as "../../../../<etc>/some/path". We also shouldn't convert absolute
 	// paths to relative ones.
-	if !filepath.IsAbs(path) {
-		path = filepath.Clean(string(os.PathSeparator) + path)
-		// This can't fail, as (by definition) all paths are relative to root.
-		path, _ = filepath.Rel(string(os.PathSeparator), path)
-	}
+	path = filepath.Clean(string(os.PathSeparator) + path)
+	// This can't fail, as (by definition) all paths are relative to root.
+	path, _ = filepath.Rel(string(os.PathSeparator), path)
 
-	// Clean the path again for good measure.
-	return filepath.Clean(path)
+	return path
 }
 
 // stripRoot returns the passed path, stripping the root path if it was
@@ -77,7 +77,7 @@ func stripRoot(root, path string) string {
 		path = "/"
 	case root == "/":
 		// do nothing
-	case strings.HasPrefix(path, root+"/"):
+	default:
 		path = strings.TrimPrefix(path, root+"/")
 	}
 	return CleanPath("/" + path)
@@ -88,8 +88,8 @@ func stripRoot(root, path string) string {
 func SearchLabels(labels []string, key string) (string, bool) {
 	key += "="
 	for _, s := range labels {
-		if strings.HasPrefix(s, key) {
-			return s[len(key):], true
+		if val, ok := strings.CutPrefix(s, key); ok {
+			return val, true
 		}
 	}
 	return "", false

vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go

@@ -102,8 +102,14 @@ func fdRangeFrom(minFd int, fn fdFunc) error {
 func CloseExecFrom(minFd int) error {
 	// Use close_range(CLOSE_RANGE_CLOEXEC) if possible.
 	if haveCloseRangeCloexec() {
-		err := unix.CloseRange(uint(minFd), math.MaxUint, unix.CLOSE_RANGE_CLOEXEC)
-		return os.NewSyscallError("close_range", err)
+		err := unix.CloseRange(uint(minFd), math.MaxInt32, unix.CLOSE_RANGE_CLOEXEC)
+		if err == nil {
+			return nil
+		}
+
+		logrus.Debugf("close_range failed, closing range one at a time (error: %v)", err)
+
+		// If close_range fails, we fall back to the standard loop.
 	}
 	// Otherwise, fall back to the standard loop.
 	return fdRangeFrom(minFd, unix.CloseOnExec)

vendor/modules.txt

@@ -34,9 +34,9 @@ github.com/google/uuid
 # github.com/moby/sys/symlink v0.3.0
 ## explicit; go 1.17
 github.com/moby/sys/symlink
-# github.com/opencontainers/runc v1.2.6
-## explicit; go 1.22
-github.com/opencontainers/runc/libcontainer/dmz
+# github.com/opencontainers/runc v1.3.0
+## explicit; go 1.23.0
+github.com/opencontainers/runc/libcontainer/exeseal
 github.com/opencontainers/runc/libcontainer/system
 github.com/opencontainers/runc/libcontainer/utils
 # github.com/opencontainers/runtime-spec v1.2.1