2025-12-02 15:26:48 -08:00
ARG GO_VERSION=1.25
2025-12-02 15:22:40 -08:00
ARG BATS_VERSION=v1.12.0
2025-12-02 15:25:42 -08:00
ARG LIBSECCOMP_VERSION=2.6.0
2020-02-22 18:43:54 +01:00

2024-05-30 11:23:03 -07:00
FROM golang:${GO_VERSION}-bookworm
2020-02-22 18:44:49 +01:00
ARG DEBIAN_FRONTEND=noninteractive
2024-05-30 11:23:03 -07:00
ARG CRIU_REPO=https://download.opensuse.org/repositories/devel:/tools:/criu/Debian_12
2016-08-30 09:46:47 +08:00

2021-09-23 12:07:36 -07:00
RUN KEYFILE=/usr/share/keyrings/criu-repo-keyring.gpg; \
    wget -nv $CRIU_REPO/Release.key -O- | gpg --dearmor > "$KEYFILE" \
2021-11-12 13:27:03 -08:00
    && echo "deb [signed-by=$KEYFILE] $CRIU_REPO/ /" > /etc/apt/sources.list.d/criu.list \
2023-08-19 12:18:08 +10:00
    && dpkg --add-architecture i386 \
2020-02-23 01:01:29 +01:00
    && apt-get update \
    && apt-get install -y --no-install-recommends \
        build-essential \
2020-11-27 13:52:15 -08:00
        criu \
2023-08-19 12:18:08 +10:00
        gcc \
        gcc-multilib \
2020-02-23 01:01:29 +01:00
        curl \
        gawk \
make release: add cross-build

This implements cross-build for "make release", moving the build into a
container. This way we can support arm, arm64, ppc, and whatnot.

* script/seccomp.sh: separate out of script/release.sh, amend to support
  cross-compile and save needed environment variables to a file.

* Dockerfile: add installing libseccomp from source, as this is needed
  for release builds.

* script/release.sh: amend to support more architectures in addition to
  the native build. Additional arches can be added by specifying
  "-a <arch>" argument (can be specified multiple times), or
  "make RELEASE_ARGS="-a arm64" release" if called via make.
  All supported architectures can be enabled via "make releaseall".

* Makefile: move "release" target to "localrelease", add "release" and
  "releaseall" targets to build via the Dockerfile. This is done because
  most distros (including Fedora and openSUSE) lack cross-glibc, which is
  needed to cross-compile libseccomp.

* Makefile: remove 'cross' and 'localcross' targets, as this is now done
  by the release script.

* .github/workflows/validate.yum: amend the release CI job to cross-build
  for supported architectures, remove cross job.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-06 11:31:11 -07:00
        gperf \
2020-02-23 01:01:29 +01:00
        iptables \
        jq \
        kmod \
        pkg-config \
2021-08-18 15:59:22 -07:00
        python3-minimal \
Fix failure with rw bind mount of a ro fuse

As reported in [1], in a case where read-only fuse (sshfs) mount
is used as a volume without specifying ro flag, the kernel fails
to remount it (when adding various flags such as nosuid and nodev),
returning EPERM.

Here's the relevant strace line:

> [pid 333966] mount("/tmp/bats-run-PRVfWc/runc.RbNv8g/bundle/mnt", "/proc/self/fd/7", 0xc0001e9164, MS_NOSUID|MS_NODEV|MS_REMOUNT|MS_BIND|MS_REC, NULL) = -1 EPERM (Operation not permitted)

I was not able to reproduce it with other read-only mounts as the source
(tried tmpfs, read-only bind mount, and an ext2 mount), so somehow this
might be specific to fuse.

The fix is to check whether the source has RDONLY flag, and retry the
remount with this flag added.

A test case (which was kind of hard to write) is added, and it fails
without the fix. Note that rootless user needs to be able to ssh to
rootless@localhost in order for sshfs to work -- amend setup scripts
to make it work, and skip the test if the setup is not working.

[1] https://github.com/containers/podman/issues/12205

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-16 13:50:09 -08:00
        sshfs \
2020-02-23 01:01:29 +01:00
        sudo \
        uidmap \
2023-06-25 17:32:23 +08:00
        iproute2 \
2023-08-19 12:18:08 +10:00
    && apt-get install -y --no-install-recommends \
        libc-dev:i386 libgcc-s1:i386 \
        gcc-aarch64-linux-gnu libc-dev-arm64-cross \
        gcc-arm-linux-gnueabi libc-dev-armel-cross \
        gcc-arm-linux-gnueabihf libc-dev-armhf-cross \
        gcc-powerpc64le-linux-gnu libc-dev-ppc64el-cross \
        gcc-s390x-linux-gnu libc-dev-s390x-cross \
        gcc-riscv64-linux-gnu libc-dev-riscv64-cross \
2020-02-23 01:01:29 +01:00
    && apt-get clean \
2020-11-27 13:52:15 -08:00
    && rm -rf /var/cache/apt /var/lib/apt/lists/* /etc/apt/sources.list.d/*.list
2016-08-30 09:46:47 +08:00

2016-05-11 17:45:00 +10:00
# Add a dummy user for the rootless integration tests. While runC does
# not require an entry in /etc/passwd to operate, one of the tests uses
# `git clone` -- and `git clone` does not allow you to clone a
# repository if the current uid does not have an entry in /etc/passwd.
RUN useradd -u1000 -m -d/home/rootless -s/bin/bash rootless

2016-08-30 09:46:47 +08:00
# install bats
2020-02-22 18:43:54 +01:00
ARG BATS_VERSION
2016-08-30 09:46:47 +08:00
RUN cd /tmp \
2020-04-10 11:00:51 -07:00
    && git clone https://github.com/bats-core/bats-core.git \
    && cd bats-core \
2020-02-22 18:43:54 +01:00
    && git reset --hard "${BATS_VERSION}" \
2016-10-09 09:43:22 +08:00
    && ./install.sh /usr/local \
2020-04-10 11:00:51 -07:00
    && rm -rf /tmp/bats-core
2016-08-30 09:46:47 +08:00

2021-09-06 11:31:11 -07:00
# install libseccomp
ARG LIBSECCOMP_VERSION
2022-03-31 17:30:35 -07:00
COPY script/seccomp.sh script/lib.sh /tmp/script/
Dockerfile: fix for seccomp

Commit f30244ee1b22223cf broke the scenario of using Dockerfile for
anything but making a release. This happened because it installed
native libseccomp build to a temporary directory, and so linking against
libseccomp required setting a few environment variables.

Let's fix this, and simplify libseccomp installation. Instead of using
temporary directories, let's install native libseccomp to a specified
directory, all the cross-builds to its subdirectories, and set
PKG_CONFIG_PATH and LD_LIBRARY_PATH in Dockerfile so that the built
library will be found by pkg-config and the dynamic linker (without setting
LD_LIBRARY_PATH, ld picks up distro-provided libseccomp.so).

While at it, fix some bugs introduced by the abovementioned commit.

This fixes building runc in make targets like shell, dbuild,
integration, unittest -- i.e. those that depend on runcimage.

Fixes: f30244ee1b22223cf38b505b42
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-29 12:47:57 -07:00
RUN mkdir -p /opt/libseccomp \
2023-08-19 12:18:08 +10:00
    && /tmp/script/seccomp.sh "$LIBSECCOMP_VERSION" /opt/libseccomp 386 amd64 arm64 armel armhf ppc64le riscv64 s390x
2021-09-29 12:47:57 -07:00
ENV LIBSECCOMP_VERSION=$LIBSECCOMP_VERSION
ENV LD_LIBRARY_PATH=/opt/libseccomp/lib
ENV PKG_CONFIG_PATH=/opt/libseccomp/lib/pkgconfig
2021-09-06 11:31:11 -07:00

2023-02-08 19:38:49 -08:00
# Prevent the "fatal: detected dubious ownership in repository" git complaint during build.
RUN git config --global --add safe.directory /go/src/github.com/opencontainers/runc

2016-08-30 09:46:47 +08:00
WORKDIR /go/src/github.com/opencontainers/runc
2023-08-02 18:54:43 -07:00

# Fixup for cgroup v2.
COPY script/prepare-cgroup-v2.sh /
ENTRYPOINT [ "/prepare-cgroup-v2.sh" ]