From f7a415f480e9ebe68101d7f05f777ace936207c7 Mon Sep 17 00:00:00 2001
From: Tariq Ibrahim
Date: Tue, 29 Apr 2025 19:01:38 -0700
Subject: [PATCH] bump runc go dep to v1.3.0
Signed-off-by: Tariq Ibrahim
---
 .../update-ldcache/safe-exec_linux.go | 4 +--
 go.mod | 2 +-
 go.sum | 8 +++---
 .../{dmz => exeseal}/cloned_binary_linux.go | 4 +--
 .../{dmz => exeseal}/overlayfs_linux.go | 2 +-
 .../libcontainer/system/rlimit_linux_go122.go | 27 -------------------
 .../runc/libcontainer/utils/utils.go | 22 +++++++--------
 .../runc/libcontainer/utils/utils_unix.go | 10 +++++--
 vendor/modules.txt | 6 ++---
 9 files changed, 32 insertions(+), 53 deletions(-)
 rename vendor/github.com/opencontainers/runc/libcontainer/{dmz => exeseal}/cloned_binary_linux.go (98%)
 rename vendor/github.com/opencontainers/runc/libcontainer/{dmz => exeseal}/overlayfs_linux.go (99%)
 delete mode 100644 vendor/github.com/opencontainers/runc/libcontainer/system/rlimit_linux_go122.go
diff --git a/cmd/nvidia-cdi-hook/update-ldcache/safe-exec_linux.go b/cmd/nvidia-cdi-hook/update-ldcache/safe-exec_linux.go
index c1c655b4..2e496e37 100644
--- a/cmd/nvidia-cdi-hook/update-ldcache/safe-exec_linux.go
+++ b/cmd/nvidia-cdi-hook/update-ldcache/safe-exec_linux.go
@@ -22,7 +22,7 @@ import (
 "strconv"
 "syscall"
- "github.com/opencontainers/runc/libcontainer/dmz"
+ "github.com/opencontainers/runc/libcontainer/exeseal"
 )
 // SafeExec attempts to clone the specified binary (as an memfd, for example) before executing it.
@@ -53,5 +53,5 @@ func cloneBinary(path string) (*os.File, error) {
 }
 size := stat.Size()
- return dmz.CloneBinary(exe, size, path, os.TempDir())
+ return exeseal.CloneBinary(exe, size, path, os.TempDir())
 }
diff --git a/go.mod b/go.mod
index 90e8d90f..5e0c845a 100644
--- a/go.mod
+++ b/go.mod
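Review bot: The import in the first hunk of safe-exec_linux.go, and the `exeseal.CloneBinary(...)` call in the second, tie this hook to a libcontainer package whose import path changed between runc v1.2.6 and v1.3.0 (dmz to exeseal in this very patch), so the binary-sealing step depends on an API that can move under a routine dependency bump. The visible call is confined to `cloneBinary`, which is the right shape; I would record that at the import, e.g. `// exeseal is runc-internal API (named dmz before v1.3.0); keep all use inside cloneBinary.` The call also deserves a comment on its fourth argument, since `os.TempDir()` follows `TMPDIR` from the hook's environment: `// tmpDir: presumably only used when an in-memory clone is unavailable; confirm against exeseal.CloneBinary`. cloneBinary's body starts outside the hunk, so how `exe` is opened and closed cannot be judged from here.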
@@ -6,7 +6,7 @@ require (
 github.com/NVIDIA/go-nvlib v0.7.1
 github.com/NVIDIA/go-nvml v0.12.4-1
 github.com/moby/sys/symlink v0.3.0
- github.com/opencontainers/runc v1.2.6
+ github.com/opencontainers/runc v1.3.0
 github.com/opencontainers/runtime-spec v1.2.1
 github.com/pelletier/go-toml v1.9.5
 github.com/sirupsen/logrus v1.9.3
diff --git a/go.sum b/go.sum
index 99bf5dc4..9dfa2176 100644
--- a/go.sum
+++ b/go.sum
@@ -35,16 +35,16 @@ github.com/mndrix/tap-go v0.0.0-20171203230836-629fa407e90b/go.mod h1:pzzDgJWZ34
 github.com/moby/sys/symlink v0.3.0 h1:GZX89mEZ9u53f97npBy4Rc3vJKj7JBDj/PN2I22GrNU=
 github.com/moby/sys/symlink v0.3.0/go.mod h1:3eNdhduHmYPcgsJtZXW1W4XUJdZGBIkttZ8xKqPUJq0=
 github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ=
-github.com/opencontainers/runc v1.2.6 h1:P7Hqg40bsMvQGCS4S7DJYhUZOISMLJOB2iGX5COWiPk=
-github.com/opencontainers/runc v1.2.6/go.mod h1:dOQeFo29xZKBNeRBI0B19mJtfHv68YgCTh1X+YphA+4=
+github.com/opencontainers/runc v1.3.0 h1:cvP7xbEvD0QQAs0nZKLzkVog2OPZhI/V2w3WmTmUSXI=
+github.com/opencontainers/runc v1.3.0/go.mod h1:9wbWt42gV+KRxKRVVugNP6D5+PQciRbenB4fLVsqGPs=
 github.com/opencontainers/runtime-spec v1.0.3-0.20220825212826-86290f6a00fb/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-spec v1.2.1 h1:S4k4ryNgEpxW1dzyqffOmhI1BHYcjzU8lpJfSlR0xww=
 github.com/opencontainers/runtime-spec v1.2.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-tools v0.9.1-0.20221107090550-2e043c6bd626 h1:DmNGcqH3WDbV5k8OJ+esPWbqUOX5rMLR2PMvziDMJi0=
 github.com/opencontainers/runtime-tools v0.9.1-0.20221107090550-2e043c6bd626/go.mod h1:BRHJJd0E+cx42OybVYSgUvZmU0B8P9gZuRXlZUP7TKI=
 github.com/opencontainers/selinux v1.9.1/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI=
-github.com/opencontainers/selinux v1.11.0 h1:+5Zbo97w3Lbmb3PeqQtpmTkMwsW5nRI3YaLpt7tQ7oU=
-github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
+github.com/opencontainers/selinux v1.11.1 h1:nHFvthhM0qY8/m+vfhJylliSshm8G1jJ2jDMcgULaH8=
+github.com/opencontainers/selinux v1.11.1/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
 github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8=
 github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/dmz/cloned_binary_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/exeseal/cloned_binary_linux.go
similarity index 98%
rename from vendor/github.com/opencontainers/runc/libcontainer/dmz/cloned_binary_linux.go
rename to vendor/github.com/opencontainers/runc/libcontainer/exeseal/cloned_binary_linux.go
index 02916e50..3bafc96a 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/dmz/cloned_binary_linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/exeseal/cloned_binary_linux.go
@@ -1,4 +1,4 @@
-package dmz
+package exeseal
 import (
 "errors"
@@ -228,7 +228,7 @@ func CloneSelfExe(tmpDir string) (*os.File, error) {
 // around ~60% overhead during container startup.
 overlayFile, err := sealedOverlayfs("/proc/self/exe", tmpDir)
 if err == nil {
- logrus.Debug("runc-dmz: using overlayfs for sealed /proc/self/exe") // used for tests
+ logrus.Debug("runc exeseal: using overlayfs for sealed /proc/self/exe") // used for tests
 return overlayFile, nil
 }
 logrus.WithError(err).Debugf("could not use overlayfs for /proc/self/exe sealing -- falling back to making a temporary copy")
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/dmz/overlayfs_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/exeseal/overlayfs_linux.go
similarity index 99%
rename from vendor/github.com/opencontainers/runc/libcontainer/dmz/overlayfs_linux.go
rename to vendor/github.com/opencontainers/runc/libcontainer/exeseal/overlayfs_linux.go
index b81b7025..f585566b 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/dmz/overlayfs_linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/exeseal/overlayfs_linux.go
@@ -1,4 +1,4 @@
-package dmz
+package exeseal
 import (
 "fmt"
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/system/rlimit_linux_go122.go b/vendor/github.com/opencontainers/runc/libcontainer/system/rlimit_linux_go122.go
deleted file mode 100644
index 865d1802..00000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/system/rlimit_linux_go122.go
+++ /dev/null
@@ -1,27 +0,0 @@
-//go:build !go1.23
-
-// TODO: remove this file once go 1.22 is no longer supported.
-
-package system
-
-import (
- "sync/atomic"
- "syscall"
- _ "unsafe" // Needed for go:linkname to work.
-)
-
-//go:linkname syscallOrigRlimitNofile syscall.origRlimitNofile
-var syscallOrigRlimitNofile atomic.Pointer[syscall.Rlimit]
-
-// ClearRlimitNofileCache clears go runtime's nofile rlimit cache.
-// The argument is process RLIMIT_NOFILE values.
-func ClearRlimitNofileCache(_ *syscall.Rlimit) {
- // As reported in issue #4195, the new version of go runtime(since 1.19)
- // will cache rlimit-nofile. Before executing execve, the rlimit-nofile
- // of the process will be restored with the cache. In runc, this will
- // cause the rlimit-nofile setting by the parent process for the container
- // to become invalid. It can be solved by clearing this cache. But
- // unfortunately, go stdlib doesn't provide such function, so we need to
- // link to the private var `origRlimitNofile` in package syscall to hack.
- syscallOrigRlimitNofile.Store(nil)
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/utils/utils.go b/vendor/github.com/opencontainers/runc/libcontainer/utils/utils.go
index db420ea6..23003e17 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/utils/utils.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/utils/utils.go
@@ -50,19 +50,19 @@ func CleanPath(path string) string {
 // Ensure that all paths are cleaned (especially problematic ones like
 // "/../../../../../" which can cause lots of issues).
- path = filepath.Clean(path)
+
+ if filepath.IsAbs(path) {
+ return filepath.Clean(path)
+ }
 // If the path isn't absolute, we need to do more processing to fix paths
 // such as "../../../..//some/path". We also shouldn't convert absolute
 // paths to relative ones.
- if !filepath.IsAbs(path) {
- path = filepath.Clean(string(os.PathSeparator) + path)
- // This can't fail, as (by definition) all paths are relative to root.
- path, _ = filepath.Rel(string(os.PathSeparator), path)
- }
+ path = filepath.Clean(string(os.PathSeparator) + path)
+ // This can't fail, as (by definition) all paths are relative to root.
+ path, _ = filepath.Rel(string(os.PathSeparator), path)
- // Clean the path again for good measure.
- return filepath.Clean(path)
+ return path
 }
 // stripRoot returns the passed path, stripping the root path if it was
@@ -77,7 +77,7 @@ func stripRoot(root, path string) string {
 path = "/"
 case root == "/":
 // do nothing
- case strings.HasPrefix(path, root+"/"):
+ default:
 path = strings.TrimPrefix(path, root+"/")
 }
 return CleanPath("/" + path)
@@ -88,8 +88,8 @@ func stripRoot(root, path string) string {
 func SearchLabels(labels []string, key string) (string, bool) {
 key += "="
 for _, s := range labels {
- if strings.HasPrefix(s, key) {
- return s[len(key):], true
+ if val, ok := strings.CutPrefix(s, key); ok {
+ return val, true
 }
 }
 return "", false
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go b/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go
index 8f179b6a..f6b3fefb 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go
@@ -102,8 +102,14 @@ func fdRangeFrom(minFd int, fn fdFunc) error {
 func CloseExecFrom(minFd int) error {
 // Use close_range(CLOSE_RANGE_CLOEXEC) if possible.
 if haveCloseRangeCloexec() {
- err := unix.CloseRange(uint(minFd), math.MaxUint, unix.CLOSE_RANGE_CLOEXEC)
- return os.NewSyscallError("close_range", err)
+ err := unix.CloseRange(uint(minFd), math.MaxInt32, unix.CLOSE_RANGE_CLOEXEC)
+ if err == nil {
+ return nil
+ }
+
+ logrus.Debugf("close_range failed, closing range one at a time (error: %v)", err)
+
+ // If close_range fails, we fall back to the standard loop.
 }
 // Otherwise, fall back to the standard loop.
 return fdRangeFrom(minFd, unix.CloseOnExec)
diff --git a/vendor/modules.txt b/vendor/modules.txt
index a142c7a5..4c5ce77e 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -34,9 +34,9 @@ github.com/google/uuid
 # github.com/moby/sys/symlink v0.3.0
 ## explicit; go 1.17
 github.com/moby/sys/symlink
-# github.com/opencontainers/runc v1.2.6
-## explicit; go 1.22
-github.com/opencontainers/runc/libcontainer/dmz
+# github.com/opencontainers/runc v1.3.0
+## explicit; go 1.23.0
+github.com/opencontainers/runc/libcontainer/exeseal
 github.com/opencontainers/runc/libcontainer/system
 github.com/opencontainers/runc/libcontainer/utils
 # github.com/opencontainers/runtime-spec v1.2.1