runc

runc copied to clipboard

Refactor mountFd code

7

This is a followup to #3510, doing some refactoring of the code introduced by #2576. This does the following: 1. Simplify `mount` call by removing the procfd argument, and use...

kolyshkin

Support fetching PSI stats for cgroupv2 containers

12

This supports fetching PSI stats for cgroupv2 containers. We read the PSI metrics if they are available from: - cpu.pressure - memory.pressure - io.pressure See more about PSI at https://www.kernel.org/doc/html/latest/accounting/psi.html

dqminh

ci: bump shfmt to 3.5.1, simplify CI setup

16

1. Bump shfmt to v3.5.1. Release notes: https://github.com/mvdan/sh/releases 2. Since shfmt v3.5.0, specifying `-l bash` (or `-l bats`) is no longer necessary. Therefore, we can use shfmt to find all...

kolyshkin

TestCheckpoint and TestUsernsCheckpoint are failing on centos-stream-9 (Segmentation fault)

5

https://cirrus-ci.com/task/4890404691640320?logs=unit_tests#L1358 ``` checkpoint_test.go:163: (00.023368) pie: 1: restoring lsm profile (current) unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 checkpoint_test.go:163: (00.023421) Error (criu/cr-restore.c:1510): 65440 stopped by signal 11: Segmentation fault checkpoint_test.go:163: (00.023704) mnt: Switching to new ns to...

AkihiroSuda

Posting as tracking issue, following https://github.com/opencontainers/runc/pull/3485#discussion_r886570177 Hmm, there's one consideration that I don't know if we should care about here. If resctrlfs is mounted with `-o cdp` we will have...

thaJeztah

Umask behavior doesn't match spec

3

In the [config section](https://github.com/opencontainers/runtime-spec/blob/main/config.md#user) of `runtime-spec`, it states: > `umask`: [...] If unspecified, the umask should not be changed from the calling process' umask. However runc does not seem to...

132ikl

Look into using gvisor.dev/gvisor/pkg/seccomp

12

Apparently, https://pkg.go.dev/gvisor.dev/gvisor/pkg/seccomp can potentially be used (instead of libseccomp / libseccomp-golang) to implement seccomp in runc. Need to look into it.

kolyshkin

move most packages into `internal`

11

At the moment all of our internal packages are importable from anywhere. There are several historical reasons for this: * Docker originally used LXC, but then created a Go container...

cyphar

cgroup v1/v2 compatibility issue when setting memory below the current usage

8

With cgroup v1, when we set the memory limit to below the current usage (`runc update` on a running container), the kernel returns EBUSY and runc fails with a nice...

kolyshkin

libcontainer logging

7

As pointed out by @mrunalp in https://github.com/opencontainers/runc/pull/3433#issuecomment-1079806993, libcontainer packages should not do any logging, since this is a library used by other users. Unfortunately, libcontainer is also a part of...

kolyshkin