This sequence (and syntax) is inspired by containerd's implementation of the same:
4e08c2de67/Makefile.linux (L21-L26)
Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
RELEASE_DIR is only used once, so it doesn't make sense to have it.
SHELL was introduced in commit 54390f89a7 and was used
implicitly (since Makefile contained some bash-specific code),
but is no longer needed since commit ed68ee1e10.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Target `install-man` was not dependent on `man`, meaning no man pages
were installed unless one called `make man` beforehand. Fix this.
Remove many man-related variables, only leaving MANDIR, which is
an installation directory for man pages.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
These targets are not very reliable and, depending on environment
variables, might result in data loss. For example:
make DESTDIR=`pwd`/tmp install
...
make uninstall
The first make command will install $CURDIR/tmp/usr/local/bin/runc,
while the last command will remove /usr/local/bin/runc.
One way to support uninstall would be to write a temp file during
installation, which would contain the files we have installed.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
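The manifest approach that the message above sketches, written out as an added shell example (this is not runc's Makefile or any code from the commit). It records every path an install writes into a manifest file and makes uninstall remove exactly those paths, and it contrasts that with the path a DESTDIR-unaware uninstall rule would delete. The function names, the staging directory and the manifest location are all constructed for the example.

```shell
#!/bin/sh
# Added example; not runc's Makefile. Install records each installed path in
# a manifest, and uninstall removes only the paths found there. A naive
# "rm $(BINDIR)/runc" uninstall ignores whatever DESTDIR the install used,
# which is the data-loss hazard described in the commit message.
set -eu

# naive_uninstall_target PREFIX
# The path a DESTDIR-unaware uninstall rule would delete.
naive_uninstall_target() {
    printf '%s/bin/runc\n' "$1"
}

# install_with_manifest SRC DESTDIR PREFIX MANIFEST
# Copies SRC to $DESTDIR$PREFIX/bin, appends that path to MANIFEST and
# prints the installed path.
install_with_manifest() {
    src=$1 destdir=$2 prefix=$3 manifest=$4
    bindir="$destdir$prefix/bin"
    target="$bindir/$(basename "$src")"
    mkdir -p "$bindir" "$(dirname "$manifest")"
    cp "$src" "$target"
    printf '%s\n' "$target" >> "$manifest"
    printf '%s\n' "$target"
}

# uninstall_from_manifest MANIFEST
# Removes exactly the files listed in MANIFEST, then the manifest itself.
# Returns 1 instead of guessing a path when no manifest exists.
uninstall_from_manifest() {
    manifest=$1
    if [ ! -f "$manifest" ]; then
        echo "uninstall: no manifest at $manifest; nothing removed" >&2
        return 1
    fi
    while IFS= read -r f; do
        rm -f -- "$f"
    done < "$manifest"
    rm -f -- "$manifest"
}

# Demo on a constructed staging tree (all paths here are made up).
demo() {
    tmp=$(mktemp -d)
    printf 'fake runc binary\n' > "$tmp/runc"
    installed=$(install_with_manifest "$tmp/runc" "$tmp/stage" /usr/local "$tmp/manifest.txt")
    echo "installed:                    $installed"
    echo "naive uninstall would remove: $(naive_uninstall_target /usr/local)"
    uninstall_from_manifest "$tmp/manifest.txt"
    echo "after uninstall, file exists: $([ -e "$installed" ] && echo yes || echo no)"
    rm -rf "$tmp"
}
demo
```

Running it shows the mismatch the message describes: the file lands under the staging tree, while the naive rule would target /usr/local/bin/runc on the live system. Keeping the manifest outside DESTDIR (as the demo does) is what lets a later uninstall find the right files.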
Otherwise, in case go < 1.14 is used, all the go deps are downloaded
instead of using vendor subdir.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This fixes the following bug:
> $ GO111MODULE=off make
> go build "-mod=vendor" -buildmode=pie -tags "seccomp selinux apparmor" -ldflags "-X main.gitCommit="19ba7688cb4e0922d53029e2f7c1f2af45d40938-dirty" -X main.version=1.0.0-rc10+dev " -o runc .
> build flag -mod=vendor only valid when using modules
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Since go has its own way to track dependencies and rebuild if needed,
and it is efficient enough, let's drop using SOURCES variable, mark
all targets as PHONY and let golang do its job.
The primary motivation for this was concern about using find on every
make invocation to build the list of all sources.
Some unscientific performance analysis:
Before:
> $ time make
> make: 'runc' is up to date.
>
> real 0m0.202s
> user 0m0.177s
> sys 0m0.031s
After:
> $ time make
> go build -mod=vendor -buildmode=pie -tags "seccomp selinux apparmor" -ldflags "-X main.gitCommit="5a8210a58bd0f07cc987e6201b4174e5b93fa115" -X main.version=1.0.0-rc10+dev " -o runc .
>
> real 0m0.149s
> user 0m0.315s
> sys 0m0.106s
So, it is slightly faster using the wall clock, uses more CPU, but
we can be sure the binary is always up to date.
This also fixes the Makefile to mark all targets as PHONY. The list
was generated by `grep -E '^[a-z-]+:' Makefile | sed 's/:.*//'`.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
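The target-list pipeline quoted in the message above, run over a constructed Makefile, as an added shell example (not from runc or the commit). It also shows a stricter variant: `^[a-z-]+:` matches a lowercase variable assignment such as `foo:=bar` and lists a target twice if it has two rule lines, so the second function excludes `:=` and de-duplicates. The sample Makefile contents and function names are made up for the example.

```shell
#!/bin/sh
# Added example, not runc's Makefile: the grep/sed pipeline from the commit
# message applied to a constructed Makefile, plus a stricter variant.
set -eu

# Constructed sample input. Recipe lines are tab-indented via printf so the
# text looks like a real Makefile; variable names and rules are made up.
SAMPLE_MAKEFILE=$(printf '%s\n' \
    'GO_BUILD := go build -mod=vendor' \
    'foo:=oops' \
    'all: runc' \
    'runc:' \
    '	$(GO_BUILD) -o runc .' \
    'static:' \
    '	$(GO_BUILD) -tags netgo -o runc .' \
    'man:' \
    '	man/md2man-all.sh' \
    'install-man: man' \
    '	install -d $(MANDIR)/man8' \
    'runc: generate' \
    'clean:' \
    '	rm -f runc')

# The commit's one-liner, reading the Makefile from stdin.
phony_list_naive() {
    grep -E '^[a-z-]+:' | sed 's/:.*//'
}

# Stricter version: the colon must not be followed by "=" (excludes foo:=oops),
# names may contain digits, uppercase and underscores, and a target with two
# rule lines (runc above) is listed once. LC_ALL=C keeps the order stable.
phony_list() {
    grep -E '^[A-Za-z0-9_-]+:([^=]|$)' | sed 's/:.*//' | LC_ALL=C sort -u
}

# Emits the .PHONY declaration for the Makefile read from stdin.
phony_line() {
    printf '.PHONY: %s\n' "$(phony_list | tr '\n' ' ' | sed 's/ $//')"
}

printf 'naive : %s\n'  "$(printf '%s\n' "$SAMPLE_MAKEFILE" | phony_list_naive | tr '\n' ' ')"
printf 'strict: %s\n'  "$(printf '%s\n' "$SAMPLE_MAKEFILE" | phony_list | tr '\n' ' ')"
printf '%s\n' "$SAMPLE_MAKEFILE" | phony_line
```

The naive list contains `foo` (a variable, not a target) and `runc` twice; the strict list is what belongs on a `.PHONY:` line. Either variant still needs a human look, since a target that produces a real file (like `runc` itself) is only safe to mark PHONY when, as the message argues, the tool behind it does its own up-to-date tracking.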
This was added by commit 993cbf9db but since some time ago (go 1.13
for sure, but may be earlier) is no longer needed since all the tools
are correctly skipping vendor subdir.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Since we carry vendor/ subdir, let's actually use it. Should speed up CI
a bit, possibly also making it a tad more stable.
This is actually implemented in go 1.14 already (i.e. it turns mod=vendor
automatically if it sees vendor/ dir), but we still use go 1.13.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
It's hard to read otherwise (at least for me).
While at it, replace ${FOO} with $(FOO) -- both are
identical, but the second style looks to be used more.
No functional change.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
There are way too many arguments to go build, and they are repeatedly
used across the makefile. Separate them out to GO_BUILD and
GO_BUILD_STATIC variables.
While at it, let's be consistent about the style and use $(FOO) everywhere
(there is no difference from ${FOO}).
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Odin Ugedal (7):
Run verify-dependencies only on go1.x
Don't add git utils to go.mod in CI
Remove references to vndr
Make CI script to verify that vendor is in sync
Fix file permissions for mounts.bats
Update spec test to use go.mod
Add support for GO Modules
LGTMs: @hqhq @AkihiroSuda @cyphar
Closes #2073
Both selinux and apparmor subsystem can detect whether it is enabled,
and act accordingly. Compiling it in by default should help avoid
some frustration caused by missing build tags.
This should not change anything in case BUILDTAGS is already set.
README.md is amended to clarify what BUILDTAGS are enabled by
default.
[v2: add apparmor]
[v3: add it unconditionally, fix README]
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
The `static_build` build tag was introduced in e9944d0f
to remove build warnings related to systemd cgroup driver
dependencies. Since then, those dependencies have changed and
building the systemd cgroup driver no longer imports dlopen.
After this change, runc builds will always include the systemd
cgroup driver.
This fixes #2008.
Signed-off-by: James Peach <jpeach@apache.org>
Some package managers download the archive instead of cloning the git repo.
When they do that, the call to git fails.
This commit allows package managers to provide the COMMIT value via environment.
Signed-off-by: Julien Durillon <julien.durillon@clever-cloud.com>
There is no need to explicitly add `cgo` build tag, it is set by
go tools if cgo is enabled.
Fixes: ecd6463101
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Commit fe898e7862 (PR #1350) enables kernel memory accounting
for all cgroups created by libcontainer -- even if kmem limit is
not configured.
Kernel memory accounting is known to be broken in some kernels,
specifically the ones from RHEL7 (including RHEL 7.5). Those
kernels do not support kernel memory reclaim, and are prone to
oopses. Unconditionally enabling kmem acct on such kernels leads
to bugs, such as
* https://github.com/opencontainers/runc/issues/1725
* https://github.com/kubernetes/kubernetes/issues/61937
* https://github.com/moby/moby/issues/29638
This commit gives a way to compile runc without kernel memory setting
support. To do so, use something like
make BUILDTAGS="seccomp nokmem"
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This should fix the following (very legitimate) warnings on static
build:
> /tmp/go-link-818454663/000019.o: In function `mygetgrouplist':
> /usr/lib/go-1.10/src/os/user/getgrouplist_unix.go:15: warning: Using
> 'getgrouplist' in statically linked applications requires at runtime the
> shared libraries from the glibc version used for linking
>
> /tmp/go-link-818454663/000018.o: In function `mygetgrgid_r':
> /usr/lib/go-1.10/src/os/user/cgo_lookup_unix.go:38: warning: Using
> 'getgrgid_r' in statically linked applications requires at runtime the
> shared libraries from the glibc version used for linking
>
> ...
as well as segfaults in the resulting binary.
For more details, check https://github.com/golang/go/issues/23265
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
The "shell" rule in the Makefile uses docker to run a bash session,
however it was depending on the "all" rule which assumes non-docker local
development. This commit fixes it by making it depend on the "runcimage" rule.
Signed-off-by: Tibor Vass <tibor@docker.com>
This fix adds `netgo` to tags for static build so that
the following warning could be addressed:
```
/tmp/go-link-355596637/000000.o: In function `_cgo_b0c710f30cfd_C2func_getaddrinfo':
/tmp/go-build/net/_obj/cgo-gcc-prolog:46: warning: Using 'getaddrinfo' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
```
The above warning appears when building `make static` with
go 1.9.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This is necessary in order to add proper opportunistic tests, and is a
placeholder until we add tests for new{uid,gid}map configurations.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
To make sure that `make release` doesn't suddenly break after we've cut
a release, smoke-test the release scripts. The script won't fail if GPG
keys aren't found, so running in CI shouldn't be a huge issue.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
This script is far easier to use than the previous `make release`
target, not to mention that it also automatically signs all of the
artefacts and makes everything really easy to do for maintainers.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
Go has supported PIC builds for a while now, and given the security
benefits of using PIC binaries we should really enable them. There also
appears to be some indication that non-PIC builds have been interacting
oddly on ppc64le (the linker cannot load some shared libraries), and
using PIC builds appears to solve this problem.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
The "go build -i" invocation may slightly help with incremental
recompilation, but it will cause builds to fail if $GOROOT is not
writeable by the current user. While this does appear to work sometimes,
it's a concern for external build systems where "-i" causes build errors
for no real gain.
Given the size of the runc project, --install is not really giving us
much anyway.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
We don't have that many scripts and for the amount of errors this is
causing on a weekly basis for contributors it's not worth the overhead.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
This adds targets for rootless integration tests, as well as all of the
required setup in order to get the tests to run. This includes quite a
few changes, because of a lot of assumptions about things running as
root within the bats scripts (which is not true when setting up rootless
containers).
Signed-off-by: Aleksa Sarai <asarai@suse.de>
This enables the support for the rootless container mode. There are many
restrictions on what rootless containers can do, so many different runC
commands have been disabled:
* runc checkpoint
* runc events
* runc pause
* runc ps
* runc restore
* runc resume
* runc update
The following commands work:
* runc create
* runc delete
* runc exec
* runc kill
* runc list
* runc run
* runc spec
* runc state
In addition, any specification options that imply joining cgroups have
also been disabled. This is due to support for unprivileged subtree
management not being available from Linux upstream.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
This uses the standard go vendor location instead of old Godeps
location.
Also remove usage of symlink GOPATH. Since our README mentions that you
should build it inside GOPATH, I think it's reasonable to assume that
you don't need to create a tmp GOPATH.
Signed-off-by: Daniel Dao <dqminh89@gmail.com>