Commit Graph

117 Commits

Author SHA1 Message Date
Tianon Gravi be66519c26 Remove "-buildmode=pie" from platforms that don't support it
This sequence (and syntax) is inspired by containerd's implementation of the same:
4e08c2de67/Makefile.linux (L21-L26)

Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
2020-05-19 16:00:37 -07:00
Kir Kolyshkin 772d090930 Makefile: rm RELEASE_DIR and SHELL
RELEASE_DIR is only used once, so it doesn't make sense to have it.

SHELL was introduced in commit 54390f89a7 and was used
implicitly (since Makefile contained some bash-specific code),
but is no longer needed since commit ed68ee1e10.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-04-27 14:17:18 -07:00
Kir Kolyshkin 731947d5ec Makefile: fix/clean install-man
Target `install-man` was not dependent on `man`, meaning no man pages
were installed unless one called `make man` beforehand. Fix this.

Remove many man-related variables, only leaving MANDIR, which is
an installation directory for man pages.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-04-27 14:17:18 -07:00
Kir Kolyshkin df72e8989c Makefile: rm uninstall* targets
These targets are not very reliable and, depending on environment
variables, might result in data loss. For example:

 make DESTDIR=`pwd`/tmp install
 ...
 make uninstall

The first make command will install $CURDIR/tmp/usr/local/bin/runc,
while the last command will remove /usr/local/bin/runc.

One way to support uninstall would be to write a temp file during
installation, which would contain the files we have installed.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-04-27 14:17:18 -07:00
Kir Kolyshkin a036e890b9 Makefile: add -mod=vendor to go test
Otherwise, in case go < 1.14 is used, all the go deps are downloaded
instead of using vendor subdir.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-04-27 14:16:22 -07:00
Kir Kolyshkin 2fe9e31aa9 Makefile: don't use -mod=vendor if GO111MODULE=off
This fixes the following bug:

> $ GO111MODULE=off make
> go build "-mod=vendor" -buildmode=pie  -tags "seccomp selinux apparmor" -ldflags "-X main.gitCommit="19ba7688cb4e0922d53029e2f7c1f2af45d40938-dirty" -X main.version=1.0.0-rc10+dev " -o runc .
> build flag -mod=vendor only valid when using modules

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-04-27 13:17:20 -07:00
Kir Kolyshkin 19ba7688cb Makefile: test, localtest: no need to invoke make
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-04-27 13:04:32 -07:00
Kir Kolyshkin fc54f6d7db Makefile: rm $(SOURCES), mark targets as PHONY
Since go has its own way to track dependencies and rebuild if needed,
and it is efficient enough, let's drop using SOURCES variable, mark
all targets as PHONY and let golang do its job.

The primary motivation for this was concern about using find on every
make invocation to build the list of all sources.

Some unscientific performance analysis:

Before:
> $ time make
> make: 'runc' is up to date.
>
> real	0m0.202s
> user	0m0.177s
> sys	0m0.031s

After:
> $ time make
> go build -mod=vendor -buildmode=pie  -tags "seccomp selinux apparmor" -ldflags "-X main.gitCommit="5a8210a58bd0f07cc987e6201b4174e5b93fa115" -X main.version=1.0.0-rc10+dev " -o runc .
>
> real	0m0.149s
> user	0m0.315s
> sys	0m0.106s

So, it is slightly faster using the wall clock, uses more CPU, but
we can be sure the binary is always up to date.

This also fixes the Makefile to mark all targets as PHONY. The list
was generated by `grep -E '^[a-z-]+:' Makefile | sed 's/:.*//'`.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-04-27 12:53:44 -07:00
Kir Kolyshkin b7dadf0f7b Makefile: rm $(allpackages)
This was added by commit 993cbf9db but since some time ago (go 1.13
for sure, but may be earlier) is no longer needed since all the tools
are correctly skipping vendor subdir.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-04-27 12:24:39 -07:00
Kir Kolyshkin fbeed52283 Makefile: add -mod=vendor
Since we carry vendor/ subdir, let's actually use it. Should speed up CI
a bit, possibly also making it a tad more stable.

This is actually implemented in go 1.14 already (i.e. it turns mod=vendor
automatically if it sees vendor/ dir), but we still use go 1.13.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-04-23 18:00:25 -07:00
Kir Kolyshkin 1fe709a0bf Makefile: use $(FOO) not ${FOO}
The first style seems to be prevalent.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-04-23 18:00:25 -07:00
Kir Kolyshkin d09a6ea95e Makefile: split long lines
It's hard to read otherwise (at least for me).

While at it, replace ${FOO} with $(FOO) -- both are
identical, but the second style looks to be used more.

No functional change.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-04-23 18:00:25 -07:00
Kir Kolyshkin 64ec355716 Makefile: abstract go build flags
There are way too many arguments to go build, and they are repeatedly
used across the makefile. Separate them out to GO_BUILD and
GO_BUILD_STATIC variables.

While at it, let's be consistent about the style and use $(FOO) everywhere
(there is no difference from ${FOO}).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-04-23 18:00:25 -07:00
Aleksa Sarai a15d2c3ca0
merge branch 'pr-2073'
Odin Ugedal (7):
  Run verify-dependencies only on go1.x
  Don't add git utils to go.mod in CI
  Remove references to vndr
  Make CI script to verify that vendor is in sync
  Fix file permissions for mounts.bats
  Update spec test to use go.mod
  Add support for GO Modules

LGTMs: @hqhq @AkihiroSuda @cyphar
Closes #2073
2020-03-16 12:38:40 +11:00
Kir Kolyshkin 89c108b1be Makefile: add selinux and apparmor build tags
Both selinux and apparmor subsystems can detect whether they are enabled,
and act accordingly. Compiling them in by default should help avoid
some frustration caused by missing build tags.

This should not change anything in case BUILDTAGS is already set.

README.md is amended to clarify what BUILDTAGS are enabled by
default.

[v2: add apparmor]
[v3: add it unconditionally, fix README]

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-03-15 10:29:35 -07:00
Odin Ugedal 777f97d8de
Run verify-dependencies only on go1.x
Signed-off-by: Odin Ugedal <odin@ugedal.com>
2020-03-07 10:46:34 +01:00
Odin Ugedal a08ab87fe9
Make CI script to verify that vendor is in sync
Signed-off-by: Odin Ugedal <odin@ugedal.com>
2020-03-07 09:29:33 +01:00
Kenta Tada af3a81e48e Add rootless testpath in Makefile
This commit modifies Makefile for rootless test to select testpath.

Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>
2020-03-06 17:02:33 +09:00
Akihiro Suda 48b055c40a Makefile: allow overriding `docker` command
e.g. `make CONTAINER_ENGINE="sudo podman" unittest` (for ease of cgroup2 testing)

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-12-03 23:59:14 +09:00
James Peach 13919f5dfd Remove the static_build build tag.
The `static_build` build tag was introduced in e9944d0f
to remove build warnings related to systemd cgroup driver
dependencies. Since then, those dependencies have changed and
building the systemd cgroup driver no longer imports dlopen.

After this change, runc builds will always include the systemd
cgroup driver.

This fixes #2008.

Signed-off-by: James Peach <jpeach@apache.org>
2019-10-26 08:28:45 +11:00
Julien Durillon 6770c8695a Allow to define `COMMIT` by env
Some package managers download the archive instead of cloning the git repo.
When they do that, the call to git fails.

This commit allows package managers to provide the COMMIT value via environment.

Signed-off-by: Julien Durillon <julien.durillon@clever-cloud.com>
2019-06-11 13:41:20 +02:00
Kir Kolyshkin 1e0d04c642 Makefile: rm cgo tag
There is no need to explicitly add `cgo` build tag, it is set
by go tools if cgo is enabled.

Fixes: ecd6463101

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2018-11-01 17:01:12 -07:00
Kir Kolyshkin 6a2c155968 libcontainer: ability to compile without kmem
Commit fe898e7862 (PR #1350) enables kernel memory accounting
for all cgroups created by libcontainer -- even if kmem limit is
not configured.

Kernel memory accounting is known to be broken in some kernels,
specifically the ones from RHEL7 (including RHEL 7.5). Those
kernels do not support kernel memory reclaim, and are prone to
oopses. Unconditionally enabling kmem acct on such kernels leads
to bugs, such as

* https://github.com/opencontainers/runc/issues/1725
* https://github.com/kubernetes/kubernetes/issues/61937
* https://github.com/moby/moby/issues/29638

This commit gives a way to compile runc without kernel memory setting
support. To do so, use something like

	make BUILDTAGS="seccomp nokmem"

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2018-10-31 20:35:51 -07:00
Kenta Tada b399167f2c Add docker proxy settings for make test in a proxy environment
This commit modifies Makefile to execute `make test` in a proxy environment.

Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>
2018-08-22 18:19:48 +09:00
Kenta Tada b681b58e8a Fix the problem TESTFLAGS is not to be used in Makefile correctly
This commit modifies Makefile to handle test targets correctly.

Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>
2018-07-11 17:50:47 +09:00
Kir Kolyshkin 7fb79f318d Add osusergo flag to static build
This should fix the following (very legitimate) warnings on static
build:

> /tmp/go-link-818454663/000019.o: In function `mygetgrouplist':
> /usr/lib/go-1.10/src/os/user/getgrouplist_unix.go:15: warning: Using
> 'getgrouplist' in statically linked applications requires at runtime the
> shared libraries from the glibc version used for linking
>
> /tmp/go-link-818454663/000018.o: In function `mygetgrgid_r':
> /usr/lib/go-1.10/src/os/user/cgo_lookup_unix.go:38: warning: Using
> 'getgrgid_r' in statically linked applications requires at runtime the
> shared libraries from the glibc version used for linking
>
> ...

as well as segfaults in the resulting binary.

For more details, check https://github.com/golang/go/issues/23265

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2018-07-02 13:43:21 -07:00
Akihiro Suda 39f679c450 travis: test cross compilation
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-06-16 09:32:39 +09:00
Andrei Vagin 74e961e2e2 tests: allow to load kernel modules from a test container
CRIU needs to load a few modules to checkpoint/resume containers.

https://github.com/opencontainers/runc/issues/1745
Signed-off-by: Andrei Vagin <avagin@virtuozzo.com>
2018-03-13 01:20:12 +03:00
Daniel, Dao Quang Minh aada2af1b2
Merge pull request #1748 from cyphar/makefile-release
makefile: make "release" PHONY
2018-02-28 15:43:01 +00:00
Aleksa Sarai 8d7b5731e5
makefile: make "release" PHONY
This just makes it nicer to do "make release" if you have to do builds
for more than one release.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2018-02-28 16:40:30 +11:00
Tibor Vass 10a4cde4b9 Fix make shell
The "shell" rule in the Makefile uses docker to run a bash session,
however it was depending on the "all" rule which assumes non-docker local
development. This commit fixes it by making it depend on the "runcimage" rule.

Signed-off-by: Tibor Vass <tibor@docker.com>
2018-02-28 05:23:03 +00:00
Akihiro Suda dd5eb3b9e3 make: validate C format
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-01-24 10:49:50 +09:00
Yong Tang ec42eaa427 Add `-installsuffix netgo` in static build
This fix adds `-installsuffix netgo` in static build in combination
with `-tags netgo`. See following for the reason:
https://github.com/golang/go/issues/9369#issuecomment-69864440

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2017-09-11 18:20:19 +00:00
Yong Tang 337c3fb88c Use `netgo` for static build
This fix adds `netgo` to tags for static build so that
the following warning could be addressed:
```
/tmp/go-link-355596637/000000.o: In function `_cgo_b0c710f30cfd_C2func_getaddrinfo':
/tmp/go-build/net/_obj/cgo-gcc-prolog:46: warning: Using 'getaddrinfo' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
```

The above warning appears when building `make static` with
go 1.9.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2017-09-11 18:20:19 +00:00
Aleksa Sarai d0aec23c7e
tests: generalise rootless runner
This is necessary in order to add proper opportunistic tests, and is a
placeholder until we add tests for new{uid,gid}map configurations.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-09-09 12:45:33 +10:00
Aleksa Sarai c24f602407
ci: smoke-test the release script
To make sure that `make release` doesn't suddenly break after we've cut
a release, smoke-test the release scripts. The script won't fail if GPG
keys aren't found, so running in CI shouldn't be a huge issue.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-08-16 14:44:45 +10:00
Aleksa Sarai ed68ee1e10
release: import umoci's release.sh script
This script is far easier to use than the previous `make release`
target, not to mention that it also automatically signs all of the
artefacts and makes everything really easy to do for maintainers.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-08-16 14:35:52 +10:00
Aleksa Sarai b45e243f8b
*: enable -buildmode=pie
Go has supported PIC builds for a while now, and given the security
benefits of using PIC binaries we should really enable them. There also
appears to be some indication that non-PIC builds have been interacting
oddly on ppc64le (the linker cannot load some shared libraries), and
using PIC builds appears to solve this problem.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-08-15 00:12:27 +10:00
Aleksa Sarai 6581d0f488
makefile: drop usage of --install
The "go build -i" invocation may slightly help with incremental
recompilation, but it will cause builds to fail if $GOROOT is not
writeable by the current user. While this does appear to work sometimes,
it's a concern for external build systems where "-i" causes build errors
for no real gain.

Given the size of the runc project, --install is not really giving us
much anyway.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-08-14 00:10:32 +10:00
Michael Crosby 5930d5b427 Remove shfmt
We don't have that many scripts and for the amount of errors this is
causing on a weekly basis for contributors it's not worth the overhead.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2017-07-06 11:08:44 -07:00
Justin Cormack 7e3934a339 Allow specification of general Go build flags and ldflags
This is needed if you need to customise the build config for a given platform.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-05-19 11:24:03 +01:00
Michael Crosby 4c3584145f Revert back to using /sbin
This was changed in
https://github.com/opencontainers/runc/commit/d2f49696#diff-b67911656ef5d18c4ae36cb6741b7965R7
and is causing install problems for people building runc and having it
installed in /bin and /sbin.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2017-04-14 10:15:33 -07:00
Aleksa Sarai ba38383a39
tests: add rootless integration tests
This adds targets for rootless integration tests, as well as all of the
required setup in order to get the tests to run. This includes quite a
few changes, because of a lot of assumptions about things running as
root within the bats scripts (which is not true when setting up rootless
containers).

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-03-23 20:46:22 +11:00
Aleksa Sarai d2f49696b0
runc: add support for rootless containers
This enables the support for the rootless container mode. There are many
restrictions on what rootless containers can do, so many different runC
commands have been disabled:

* runc checkpoint
* runc events
* runc pause
* runc ps
* runc restore
* runc resume
* runc update

The following commands work:

* runc create
* runc delete
* runc exec
* runc kill
* runc list
* runc run
* runc spec
* runc state

In addition, any specification options that imply joining cgroups have
also been disabled. This is due to support for unprivileged subtree
management not being available from Linux upstream.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-03-23 20:45:24 +11:00
Mrunal Patel 4f903a21c4 Remove ambient build tag
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-03-15 11:38:43 -07:00
Alexander Morozov 993cbf9db0
move from Godeps to vndr
This uses the standard go vendor location instead of old Godeps
location.

Also remove usage of symlink GOPATH. Since our README mentions that you
should build it inside GOPATH, I think it's reasonable to assume that
you don't need to create a tmp GOPATH.

Signed-off-by: Daniel Dao <dqminh89@gmail.com>
2017-02-24 11:25:21 +00:00
Michael Crosby 54a4439700 Merge pull request #1252 from FengtuWang/remove-i
remove `-i` option to avoid failure of jenkins in non-interactive mode.
2017-01-09 10:51:13 -08:00
Fengtu Wang b5d4da872c remove `-i` option to avoid failure of jenkins in non-interactive mode.
Signed-off-by: Fengtu Wang <wangfengtu@huawei.com>
2017-01-04 16:33:05 +08:00
Ma Shimiao 9befe82cde Makefile: add manpage cleanup
I think generated manpages should also need cleanup

Signed-off-by: Ma Shimiao <mashimiao.fnst@cn.fujitsu.com>
2016-12-16 14:33:05 +08:00
Mrunal Patel 34f23cb99c Merge pull request #1018 from cyphar/console-rewrite
Consoles, consoles, consoles.
2016-12-07 14:37:19 -08:00