Aleksa Sarai
~~To clarify, these are the only failing tests, right?~~ EDIT: Ah I was looking at the errors from https://github.com/opencontainers/runc/issues/4384#issuecomment-2310296025 not the original issue. However, this comment is still relevant for...
Something like #4386 should fix the `procError` failures at least. IIRC 35aa63ea874f249d9c1b84250aa3f5aef960b3e7 tried to fix a similar issue (#4171), but since we close the file descriptor from underneath the `*os.File`...
~~Ah, I expected that to only help with some of the issues. What about the `procError` ones? I didn't expect those to be races with the log reading as well...~~...
> Yes, if execve returns an error, we should send procError to parent process, but if execve succeeds, we have no way to close the log pipe fd, we will...
@rata I misread the original issue description, I was looking at this error (but it was from a bisect, it was fixed in #4171):
```
=== FAIL: amd64.integration.capabilities TestNoNewPrivileges/CapabilityRequested=false (0.32s)...
```
It seems this was fixed, right?
Christian and I wrote this series: https://lore.kernel.org/all/[email protected]/ The plan is to block more stuff in a future patch, but this is the "obvious stuff" to block.
I understand the problem that the spec change was trying to fix, but the problem is that "ignore options specified by a user in `config.json`" is at odds with how...
The order you join namespaces is important. All namespaces have an associated user namespace that is considered its "owner" and all permission checks are done based on that namespace. runc...
I'll send the patch in a week or two.