opencontainers/runc
1
0
Fork 0
mirror of https://github.com/opencontainers/runc.git synced 2026-02-05 09:46:08 +01:00
Code Issues Wiki Activity
Files
main
runc/Makefile

252 lines
7.0 KiB
Makefile
Raw Permalink Normal View History

runc-dmz: reduce memfd binary cloning cost with small C binary The idea is to remove the need for cloning the entire runc binary by replacing the final execve() call of the container process with an execve() call to a clone of a small C binary which just does an execve() of its arguments. This provides similar protection against CVE-2019-5736 but without requiring a >10MB binary copy for each "runc init". When compiled with musl, runc-dmz is 13kB (though unfortunately with glibc, it is 1.1MB which is still quite large). It should be noted that there is still a window where the container processes could get access to the host runc binary, but because we set ourselves as non-dumpable the container would need CAP_SYS_PTRACE (which is not enabled by default in Docker) in order to get around the proc_fd_access_allowed() checks. In addition, since Linux 4.10[1] the kernel blocks access entirely for user namespaced containers in this scenario. For those cases we cannot use runc-dmz, but most containers won't have this issue. This new runc-dmz binary can be opted out of at compile time by setting the "runc_nodmz" buildtag, and at runtime by setting the RUNC_DMZ=legacy environment variable. In both cases, runc will fall back to the classic /proc/self/exe-based cloning trick. If /proc/self/exe is already a sealed memfd (namely if the user is using contrib/cmd/memfd-bind to create a persistent sealed memfd for runc), neither runc-dmz nor /proc/self/exe cloning will be used because they are not necessary. [1]: https://github.com/torvalds/linux/commit/bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 Co-authored-by: lifubang <lifubang@acmcoder.com> Signed-off-by: lifubang <lifubang@acmcoder.com> [cyphar: address various review nits] [cyphar: fix runc-dmz cross-compilation] [cyphar: embed runc-dmz into runc binary and clone in Go code] [cyphar: make runc-dmz optional, with fallback to /proc/self/exe cloning] [cyphar: do not use runc-dmz when the container has certain privs] Co-authored-by: Aleksa Sarai <cyphar@cyphar.com> Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-08-15 17:00:22 +08:00
SHELL = /bin/bash
Makefile: allow overriding `docker` command e.g. `make CONTAINER_ENGINE="sudo podman" unittest` (for ease of cgroup2 testing) Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-10-28 13:08:39 +09:00
CONTAINER_ENGINE := docker
Makefile: allow overriding go command by environment This is required for environments/build systems where a specific go version / command needs to be used. Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2021-05-04 11:59:02 +02:00
GO ?= go
makefile: drop usage of --install The "go build -i" invocation may slightly help with incremental recompilation, but it will cause builds to fail if $GOROOT is not writeable by the current user. While this does appear to work sometimes, it's a concern for external build systems where "-i" causes build errors for no real gain. Given the size of the runc project, --install is not really giving us much anyway. Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-08-14 00:10:28 +10:00
Makefile: fix DESTDIR handling DESTDIR should only be used while installing. To test: make DESTDIR=$(pwd)/inst PREFIX=/usr install install-man install-bash Before this commit, this would result in installing to /usr rather than $(pwd)/usr. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-09-08 16:47:19 -07:00
PREFIX ?= /usr/local
Revert back to using /sbin This was changed in https://github.com/opencontainers/runc/commit/d2f49696#diff-b67911656ef5d18c4ae36cb6741b7965R7 and is causing install problems for people building runc and having it installed in /bin and /sbin. Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2017-04-14 10:15:33 -07:00
BINDIR := $(PREFIX)/sbin
Makefile: fix/clean install-man Target `install-man` was not dependent on `man`, meaning no man pages were installed unless one called `make man` beforehand. Fix this. Remove many man-related variables, only leaving MANDIR, which is an installation directory for man pages. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-04-27 13:49:39 -07:00
MANDIR := $(PREFIX)/share/man
Use git branch name as tag when building images Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
2016-06-28 15:39:38 -07:00
GIT_BRANCH := $(shell git rev-parse --abbrev-ref HEAD 2>/dev/null)
GIT_BRANCH_CLEAN := $(shell echo $(GIT_BRANCH) | sed -e "s/[^[:alnum:]]/-/g")
RUNC_IMAGE := runc_dev$(if $(GIT_BRANCH_CLEAN),:$(GIT_BRANCH_CLEAN))
Add target man in Makefile Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-04-22 14:37:42 +08:00
PROJECT := github.com/opencontainers/runc
Makefile: Don't read COMMIT, BUILDTAG, EXTRA_BUILDTAGS from env vars We recently switched VERSION to be read from env vars (#4270). This broke several projects, as they were building runc and using a `VERSION` env var for, e.g. the containerd version. When fixing that in #4370, we discussed to consider doing the same for these variables too (https://github.com/opencontainers/runc/pull/4370#pullrequestreview-2240030944). Let's stop reading them from env vars, as it is very easy to do it by mistake (e.g. compile runc and define a COMMIT env var, not to override the commit shown in `runc --version`) and users that want can still override them if they want to. For example, with: make EXTRA_BUILDTAGS=runc_nodmz Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2024-08-15 11:37:59 +02:00
EXTRA_BUILDTAGS :=
BUILDTAGS := seccomp urfave_cli_no_docs
runc-dmz: reduce memfd binary cloning cost with small C binary The idea is to remove the need for cloning the entire runc binary by replacing the final execve() call of the container process with an execve() call to a clone of a small C binary which just does an execve() of its arguments. This provides similar protection against CVE-2019-5736 but without requiring a >10MB binary copy for each "runc init". When compiled with musl, runc-dmz is 13kB (though unfortunately with glibc, it is 1.1MB which is still quite large). It should be noted that there is still a window where the container processes could get access to the host runc binary, but because we set ourselves as non-dumpable the container would need CAP_SYS_PTRACE (which is not enabled by default in Docker) in order to get around the proc_fd_access_allowed() checks. In addition, since Linux 4.10[1] the kernel blocks access entirely for user namespaced containers in this scenario. For those cases we cannot use runc-dmz, but most containers won't have this issue. This new runc-dmz binary can be opted out of at compile time by setting the "runc_nodmz" buildtag, and at runtime by setting the RUNC_DMZ=legacy environment variable. In both cases, runc will fall back to the classic /proc/self/exe-based cloning trick. If /proc/self/exe is already a sealed memfd (namely if the user is using contrib/cmd/memfd-bind to create a persistent sealed memfd for runc), neither runc-dmz nor /proc/self/exe cloning will be used because they are not necessary. [1]: https://github.com/torvalds/linux/commit/bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 Co-authored-by: lifubang <lifubang@acmcoder.com> Signed-off-by: lifubang <lifubang@acmcoder.com> [cyphar: address various review nits] [cyphar: fix runc-dmz cross-compilation] [cyphar: embed runc-dmz into runc binary and clone in Go code] [cyphar: make runc-dmz optional, with fallback to /proc/self/exe cloning] [cyphar: do not use runc-dmz when the container has certain privs] Co-authored-by: Aleksa Sarai <cyphar@cyphar.com> Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-08-15 17:00:22 +08:00
BUILDTAGS += $(EXTRA_BUILDTAGS)
Makefile: add LDFLAGS_COMMON and LDFLAGS_STATIC LDFLAGS_COMMON are used from two places, so it makes sense to dedup. LDFLAGS_STATIC is a preparation for the next commit. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-31 15:56:14 -07:00
Makefile: Don't read COMMIT, BUILDTAG, EXTRA_BUILDTAGS from env vars We recently switched VERSION to be read from env vars (#4270). This broke several projects, as they were building runc and using a `VERSION` env var for, e.g. the containerd version. When fixing that in #4370, we discussed to consider doing the same for these variables too (https://github.com/opencontainers/runc/pull/4370#pullrequestreview-2240030944). Let's stop reading them from env vars, as it is very easy to do it by mistake (e.g. compile runc and define a COMMIT env var, not to override the commit shown in `runc --version`) and users that want can still override them if they want to. For example, with: make EXTRA_BUILDTAGS=runc_nodmz Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2024-08-15 11:37:59 +02:00
COMMIT := $(shell git describe --dirty --long --always)
Makefile: Add EXTRA_VERSION Add this new make variable so users can specify build information without modifying the runc version nor the source code. Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2024-08-14 12:46:54 +02:00
EXTRA_VERSION :=
runc: embed version from VERSION file This ensures that if runc is built without the provided Makefile, the version is still properly set. No change in the output. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-08 19:00:59 -07:00
LDFLAGS_COMMON := -X main.gitCommit=$(COMMIT) \
$(if $(strip $(EXTRA_VERSION)),-X main.extraVersion=$(EXTRA_VERSION),)
Makefile: abstract go build flags There are way to many arguments to go build, and they are repeatedly used across the makefile. Separate them out to GO_BUILD and GO_BUILD_STATIC variables. While at it, let's be consistem about the style and use $(FOO) everywhere (there is no difference from ${FOO}). Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-04-20 12:33:58 -07:00
Makefile: add support for static PIE Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-31 18:27:40 -07:00
GOARCH := $(shell $(GO) env GOARCH)
make trimpath optional Signed-off-by: Avi Deitcher <avi@deitcher.net>
2023-06-20 16:41:15 +03:00
# -trimpath may be required on some platforms to create reproducible builds
# on the other hand, it does strip out build information, like -ldflags, which
# some tools use to infer the version, in the absence of go information,
# which happens when you use `go build`.
# This enables someone to override by doing `make runc TRIMPATH= ` etc.
TRIMPATH := -trimpath
Makefile: fix GO_BUILDMODE setting 1. Set to empty value by default. 2. Assume Linux (remove GOOS check, since we do not support other OSes). 3. Instead of using a "not-supported" list, use a "supported" list (as Go release notes usually say which platforms are supported). As of today, -buildmode=pie is supported for: * linux/386, linux/amd64, linux/arm, linux/arm64, and linux/ppc64le (since Go 1.6, see https://tip.golang.org/doc/go1.6#compiler) * linux/s390x (since Go 1.7, which adds the initial port) * linux/riscv64 (since Go 1.16, see https://tip.golang.org/doc/go1.16#riscv) NOTE this does not mean we support these architectures; it is merely a way to see if -buildmode=pie can be used. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-31 17:51:11 -07:00
GO_BUILDMODE :=
# Enable dynamic PIE executables on supported platforms.
Add loong64 support in seccomp and PIE Signed-off-by: zhaixiaojuan <zhaixiaojuan@loongson.cn>
2025-10-16 09:50:37 +08:00
ifneq (,$(filter $(GOARCH),386 amd64 arm arm64 loong64 ppc64le riscv64 s390x))
Makefile: fix GO_BUILDMODE setting 1. Set to empty value by default. 2. Assume Linux (remove GOOS check, since we do not support other OSes). 3. Instead of using a "not-supported" list, use a "supported" list (as Go release notes usually say which platforms are supported). As of today, -buildmode=pie is supported for: * linux/386, linux/amd64, linux/arm, linux/arm64, and linux/ppc64le (since Go 1.6, see https://tip.golang.org/doc/go1.6#compiler) * linux/s390x (since Go 1.7, which adds the initial port) * linux/riscv64 (since Go 1.16, see https://tip.golang.org/doc/go1.16#riscv) NOTE this does not mean we support these architectures; it is merely a way to see if -buildmode=pie can be used. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-31 17:51:11 -07:00
ifeq (,$(findstring -race,$(EXTRA_FLAGS)))
GO_BUILDMODE := "-buildmode=pie"
Remove "-buildmode=pie" from platforms that don't support it This sequence (and syntax) is inspired by containerd's implementation of the same: https://github.com/containerd/containerd/blob/4e08c2de67ec514b5602eea47804d41dfeabdc72/Makefile.linux#L21-L26 Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
2020-05-19 09:44:06 -07:00
endif
endif
make trimpath optional Signed-off-by: Avi Deitcher <avi@deitcher.net>
2023-06-20 16:41:15 +03:00
GO_BUILD := $(GO) build $(TRIMPATH) $(GO_BUILDMODE) \
Makefile: add support for static PIE Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-31 18:27:40 -07:00
$(EXTRA_FLAGS) -tags "$(BUILDTAGS)" \
Makefile: add LDFLAGS_COMMON and LDFLAGS_STATIC LDFLAGS_COMMON are used from two places, so it makes sense to dedup. LDFLAGS_STATIC is a preparation for the next commit. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-31 15:56:14 -07:00
-ldflags "$(LDFLAGS_COMMON) $(EXTRA_LDFLAGS)"
Makefile: add support for static PIE Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-31 18:27:40 -07:00
GO_BUILDMODE_STATIC :=
Makefile: add LDFLAGS_COMMON and LDFLAGS_STATIC LDFLAGS_COMMON are used from two places, so it makes sense to dedup. LDFLAGS_STATIC is a preparation for the next commit. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-31 15:56:14 -07:00
LDFLAGS_STATIC := -extldflags -static
Makefile: add support for static PIE Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-31 18:27:40 -07:00
# Enable static PIE executables on supported platforms.
# This (among the other things) requires libc support (rcrt1.o), which seems
# to be available only for arm64 and amd64 (Debian Bullseye).
ifneq (,$(filter $(GOARCH),arm64 amd64))
ifeq (,$(findstring -race,$(EXTRA_FLAGS)))
GO_BUILDMODE_STATIC := -buildmode=pie
Makefile: fix typo in LDFLAGS_STATIC Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-02-14 21:27:26 +01:00
LDFLAGS_STATIC := -linkmode external -extldflags -static-pie
Makefile: add support for static PIE Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-31 18:27:40 -07:00
endif
endif
# Enable static PIE binaries on supported platforms.
make trimpath optional Signed-off-by: Avi Deitcher <avi@deitcher.net>
2023-06-20 16:41:15 +03:00
GO_BUILD_STATIC := $(GO) build $(TRIMPATH) $(GO_BUILDMODE_STATIC) \
Makefile: add support for static PIE Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-31 18:27:40 -07:00
$(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo" \
Makefile: add LDFLAGS_COMMON and LDFLAGS_STATIC LDFLAGS_COMMON are used from two places, so it makes sense to dedup. LDFLAGS_STATIC is a preparation for the next commit. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-31 15:56:14 -07:00
-ldflags "$(LDFLAGS_COMMON) $(LDFLAGS_STATIC) $(EXTRA_LDFLAGS)"
Add target man in Makefile Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-04-22 14:37:42 +08:00
release: correctly handle binary signing for "make releaseall" My GPG keys are not available inside the container, so it makes little sense to try to sign the binaries inside the container's release.sh. The solution is to split things into separate build and sign stages, with signing ocurring after the in-Docker build. Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-12-07 18:07:30 +11:00
GPG_KEYID ?= asarai@suse.de
Makefile: set CGO_ENABLED=1 when needed It doesn't matter whether static or dynamic linking is used, runc always needs libcontainer/nsenter, which is written in C and thus requires cgo. Same is true for libcontainer/integration. In addition, contrib/pkg/seccompagent also needs cgo (if seccomp build tag is set), as it need to be linked against libseccomp C library. By default, cgo is disabled when cross-compiling, meaning that CGO_ENABLED=1 has to be set explicitly in such cases. In all other cases (e.g. other contrib binaries) we do not need cgo. Remove CGO_ENABLED=1 from GO_BUILD_STATIC (as it does not have anything to do with static linking), and add it to all targets that require it. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-31 18:32:36 -07:00
# Some targets need cgo, which is disabled by default when cross compiling.
# Enable cgo explicitly for those.
# Both runc and libcontainer/integration need libcontainer/nsenter.
runc static localunittest: export CGO_ENABLED=1
# seccompagent needs libseccomp (when seccomp build tag is set).
ifneq (,$(filter $(BUILDTAGS),seccomp))
seccompagent: export CGO_ENABLED=1
endif
contrib: add recvtty proof-of-concept This is a proof-of-concept for the --console-socket API. It just acts as a dumb input-output copy process (nowhere near as good as the internal runC one since it doesn't handle console resizes or signals). It also provides a test-friendly mode that will be used in the bats integration tests. This patch is part of the console rewrite patchset. Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-09-05 22:29:03 +10:00
.DEFAULT: runc
Makefile: move .PHONY to before each target All the targets in the Makefile we have are phony (as we mostly rely on go to figure out dependencies and whether to rebuild something), and they have to be marked as such. We do that at the end of the file, and the list is pretty long. Instead, let's just add .PHONY before each target. That way it is easier to spot any omissions. Alternative solutions: - add ".PHONY: %"; it won't work as wildcards are not recongized in this context; - add "MAKEFLAGS += --always-make". Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-05 13:28:53 -07:00
.PHONY: runc
drop runc-dmz solution according to overlay solution Because we have the overlay solution, we can drop runc-dmz binary solution since it has too many limitations. Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-10-28 17:22:19 +08:00
runc: runc-bin
Makefile: avoid calling sub-make Instead, rewrite the rules so that the targets are executed in the needed order. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-05 13:00:49 -07:00
Makefile: move .PHONY to before each target All the targets in the Makefile we have are phony (as we mostly rely on go to figure out dependencies and whether to rebuild something), and they have to be marked as such. We do that at the end of the file, and the list is pretty long. Instead, let's just add .PHONY before each target. That way it is easier to spot any omissions. Alternative solutions: - add ".PHONY: %"; it won't work as wildcards are not recongized in this context; - add "MAKEFLAGS += --always-make". Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-05 13:28:53 -07:00
.PHONY: runc-bin
drop runc-dmz solution according to overlay solution Because we have the overlay solution, we can drop runc-dmz binary solution since it has too many limitations. Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-10-28 17:22:19 +08:00
runc-bin:
Makefile: abstract go build flags There are way to many arguments to go build, and they are repeatedly used across the makefile. Separate them out to GO_BUILD and GO_BUILD_STATIC variables. While at it, let's be consistem about the style and use $(FOO) everywhere (there is no difference from ${FOO}). Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-04-20 12:33:58 -07:00
$(GO_BUILD) -o runc .
Add makefile targets for basic lint and testing Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-06-26 13:06:17 -07:00
Makefile: move .PHONY to before each target All the targets in the Makefile we have are phony (as we mostly rely on go to figure out dependencies and whether to rebuild something), and they have to be marked as such. We do that at the end of the file, and the list is pretty long. Instead, let's just add .PHONY before each target. That way it is easier to spot any omissions. Alternative solutions: - add ".PHONY: %"; it won't work as wildcards are not recongized in this context; - add "MAKEFLAGS += --always-make". Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-05 13:28:53 -07:00
.PHONY: all
Move test helper binaries Instead of having every test helper binary in its own directory, let's use /tests/cmd/_bin as a destination directory. This allows for simpler setup/cleanup. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-08-21 18:57:38 -07:00
all: runc memfd-bind
contrib: add recvtty proof-of-concept This is a proof-of-concept for the --console-socket API. It just acts as a dumb input-output copy process (nowhere near as good as the internal runC one since it doesn't handle console resizes or signals). It also provides a test-friendly mode that will be used in the bats integration tests. This patch is part of the console rewrite patchset. Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-09-05 22:29:03 +10:00
mv contrib/cmd tests/cmd (except memfd-bind) The following commands are moved from `contrib/cmd` to `tests/cmd`: - fs-idmap - pidfd-kill - recvtty - remap-rootfs - sd-helper - seccompagent Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-08-16 00:55:48 +09:00
.PHONY: memfd-bind
memfd-bind:
tests/int: add a "update cpu period with pod limit set" test Add a test case for an issue fixed by the previous commit. Unfortunately, this is somewhat complicated as there's no easy way to create a transient unit, so a binary, sd-helper, had to be added. On top of that, an ability to create a parent/pod cgroup is added to helpers.bash, which might be useful for future integration tests. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-28 10:37:29 -07:00
$(GO_BUILD) -o contrib/cmd/$@/$@ ./contrib/cmd/$@
contrib: add recvtty proof-of-concept This is a proof-of-concept for the --console-socket API. It just acts as a dumb input-output copy process (nowhere near as good as the internal runC one since it doesn't handle console resizes or signals). It also provides a test-friendly mode that will be used in the bats integration tests. This patch is part of the console rewrite patchset. Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-09-05 22:29:03 +10:00
Move test helper binaries Instead of having every test helper binary in its own directory, let's use /tests/cmd/_bin as a destination directory. This allows for simpler setup/cleanup. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-08-21 18:57:38 -07:00
TESTBINDIR := tests/cmd/_bin
$(TESTBINDIR):
mkdir $(TESTBINDIR)
tests/int/selinux: test keyring security label This tests the functionality added by commit cd96170c1 ("Need to setup labeling of kernel keyrings."), for both runc run and runc exec, with and without user namespace. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-11 15:50:23 -07:00
TESTBINS := recvtty sd-helper seccompagent fs-idmap pidfd-kill remap-rootfs key_label
Move test helper binaries Instead of having every test helper binary in its own directory, let's use /tests/cmd/_bin as a destination directory. This allows for simpler setup/cleanup. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-08-21 18:57:38 -07:00
.PHONY: test-binaries $(TESTBINS)
test-binaries: $(TESTBINS)
$(TESTBINS): $(TESTBINDIR)
$(GO_BUILD) -o $(TESTBINDIR) ./tests/cmd/$@
mv contrib/cmd tests/cmd (except memfd-bind) The following commands are moved from `contrib/cmd` to `tests/cmd`: - fs-idmap - pidfd-kill - recvtty - remap-rootfs - sd-helper - seccompagent Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-08-16 00:55:48 +09:00
move the target 'clean' next to 'all' Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2023-12-13 14:26:42 +00:00
.PHONY: clean
clean:
drop runc-dmz solution according to overlay solution Because we have the overlay solution, we can drop runc-dmz binary solution since it has too many limitations. Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-10-28 17:22:19 +08:00
rm -f runc runc-*
move the target 'clean' next to 'all' Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2023-12-13 14:26:42 +00:00
rm -f contrib/cmd/memfd-bind/memfd-bind
Move test helper binaries Instead of having every test helper binary in its own directory, let's use /tests/cmd/_bin as a destination directory. This allows for simpler setup/cleanup. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-08-21 18:57:38 -07:00
rm -fr $(TESTBINDIR)
move the target 'clean' next to 'all' Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2023-12-13 14:26:42 +00:00
sudo rm -rf release
rm -rf man/man8
Makefile: move .PHONY to before each target All the targets in the Makefile we have are phony (as we mostly rely on go to figure out dependencies and whether to rebuild something), and they have to be marked as such. We do that at the end of the file, and the list is pretty long. Instead, let's just add .PHONY before each target. That way it is easier to spot any omissions. Alternative solutions: - add ".PHONY: %"; it won't work as wildcards are not recongized in this context; - add "MAKEFLAGS += --always-make". Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-05 13:28:53 -07:00
.PHONY: static
drop runc-dmz solution according to overlay solution Because we have the overlay solution, we can drop runc-dmz binary solution since it has too many limitations. Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-10-28 17:22:19 +08:00
static: static-bin
Makefile: avoid calling sub-make Instead, rewrite the rules so that the targets are executed in the needed order. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-05 13:00:49 -07:00
Makefile: move .PHONY to before each target All the targets in the Makefile we have are phony (as we mostly rely on go to figure out dependencies and whether to rebuild something), and they have to be marked as such. We do that at the end of the file, and the list is pretty long. Instead, let's just add .PHONY before each target. That way it is easier to spot any omissions. Alternative solutions: - add ".PHONY: %"; it won't work as wildcards are not recongized in this context; - add "MAKEFLAGS += --always-make". Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-05 13:28:53 -07:00
.PHONY: static-bin
drop runc-dmz solution according to overlay solution Because we have the overlay solution, we can drop runc-dmz binary solution since it has too many limitations. Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-10-28 17:22:19 +08:00
static-bin:
Makefile: abstract go build flags There are way to many arguments to go build, and they are repeatedly used across the makefile. Separate them out to GO_BUILD and GO_BUILD_STATIC variables. While at it, let's be consistem about the style and use $(FOO) everywhere (there is no difference from ${FOO}). Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-04-20 12:33:58 -07:00
$(GO_BUILD_STATIC) -o runc .
runc-dmz: reduce memfd binary cloning cost with small C binary The idea is to remove the need for cloning the entire runc binary by replacing the final execve() call of the container process with an execve() call to a clone of a small C binary which just does an execve() of its arguments. This provides similar protection against CVE-2019-5736 but without requiring a >10MB binary copy for each "runc init". When compiled with musl, runc-dmz is 13kB (though unfortunately with glibc, it is 1.1MB which is still quite large). It should be noted that there is still a window where the container processes could get access to the host runc binary, but because we set ourselves as non-dumpable the container would need CAP_SYS_PTRACE (which is not enabled by default in Docker) in order to get around the proc_fd_access_allowed() checks. In addition, since Linux 4.10[1] the kernel blocks access entirely for user namespaced containers in this scenario. For those cases we cannot use runc-dmz, but most containers won't have this issue. This new runc-dmz binary can be opted out of at compile time by setting the "runc_nodmz" buildtag, and at runtime by setting the RUNC_DMZ=legacy environment variable. In both cases, runc will fall back to the classic /proc/self/exe-based cloning trick. If /proc/self/exe is already a sealed memfd (namely if the user is using contrib/cmd/memfd-bind to create a persistent sealed memfd for runc), neither runc-dmz nor /proc/self/exe cloning will be used because they are not necessary. [1]: https://github.com/torvalds/linux/commit/bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 Co-authored-by: lifubang <lifubang@acmcoder.com> Signed-off-by: lifubang <lifubang@acmcoder.com> [cyphar: address various review nits] [cyphar: fix runc-dmz cross-compilation] [cyphar: embed runc-dmz into runc binary and clone in Go code] [cyphar: make runc-dmz optional, with fallback to /proc/self/exe cloning] [cyphar: do not use runc-dmz when the container has certain privs] Co-authored-by: Aleksa Sarai <cyphar@cyphar.com> Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-08-15 17:00:22 +08:00
Makefile: move .PHONY to before each target All the targets in the Makefile we have are phony (as we mostly rely on go to figure out dependencies and whether to rebuild something), and they have to be marked as such. We do that at the end of the file, and the list is pretty long. Instead, let's just add .PHONY before each target. That way it is easier to spot any omissions. Alternative solutions: - add ".PHONY: %"; it won't work as wildcards are not recongized in this context; - add "MAKEFLAGS += --always-make". Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-05 13:28:53 -07:00
.PHONY: releaseall
scripts: add proper 386 and amd64 target triples and builds We need these to match the Makefile detection of the right gcc for runc-dmz, as well as making sure that everything builds properly for our cross-i386 tests. While we're at it, add x86 to the list of build targets for release builds (presumably nobody will use it, but since we do test builds of this anyway it probably won't hurt). In addition, clean up the handling of the native architecture build by treating it the same as any other build (ensuring that building runc from a different platform will work the same way regardless of the native architecture). In practice, the build works the same way as before. Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-08-19 12:18:08 +10:00
releaseall: RELEASE_ARGS := "-a 386 -a amd64 -a arm64 -a armel -a armhf -a ppc64le -a riscv64 -a s390x"
make release: add cross-build This implements cross-build for "make release", moving the build into a container. This way we can support arm, arm64, ppc, and whatnot. * script/seccomp.sh: separate out of script/release.sh, amend to support cross-compile and save needed environment variables to a file. * Dockerfile: add installing libseccomp from source, as this is needed for release builds. * script/release.sh: amend to support more architectures in addition to the native build. Additional arches can be added by specifying "-a <arch>" argument (can be specified multiple times), or "make RELEASE_ARGS="-a arm64" release" if called via make. All supported architectures can be enabled via "make releaseall". * Makefile: move "release" target to "localrelease", add "release" and "releaseall" targets to build via the Dockerfile. This is done because most distros (including Fedora and openSUSE) lack cross-glibc, which is needed to cross-compile libseccomp. * Makefile: remove 'cross' and 'localcross' targets, as this is now done by the release script. * .github/workflows/validate.yum: amend the release CI job to cross-build for supported architectures, remove cross job. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-06 11:31:11 -07:00
releaseall: release
Makefile: move .PHONY to before each target All the targets in the Makefile we have are phony (as we mostly rely on go to figure out dependencies and whether to rebuild something), and they have to be marked as such. We do that at the end of the file, and the list is pretty long. Instead, let's just add .PHONY before each target. That way it is easier to spot any omissions. Alternative solutions: - add ".PHONY: %"; it won't work as wildcards are not recongized in this context; - add "MAKEFLAGS += --always-make". Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-05 13:28:53 -07:00
.PHONY: release
make release: add cross-build This implements cross-build for "make release", moving the build into a container. This way we can support arm, arm64, ppc, and whatnot. * script/seccomp.sh: separate out of script/release.sh, amend to support cross-compile and save needed environment variables to a file. * Dockerfile: add installing libseccomp from source, as this is needed for release builds. * script/release.sh: amend to support more architectures in addition to the native build. Additional arches can be added by specifying "-a <arch>" argument (can be specified multiple times), or "make RELEASE_ARGS="-a arm64" release" if called via make. All supported architectures can be enabled via "make releaseall". * Makefile: move "release" target to "localrelease", add "release" and "releaseall" targets to build via the Dockerfile. This is done because most distros (including Fedora and openSUSE) lack cross-glibc, which is needed to cross-compile libseccomp. * Makefile: remove 'cross' and 'localcross' targets, as this is now done by the release script. * .github/workflows/validate.yum: amend the release CI job to cross-build for supported architectures, remove cross job. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-06 11:31:11 -07:00
release: runcimage
$(CONTAINER_ENGINE) run $(CONTAINER_ENGINE_RUN_FLAGS) \
--rm -v $(CURDIR):/go/src/$(PROJECT) \
-e RELEASE_ARGS=$(RELEASE_ARGS) \
$(RUNC_IMAGE) make localrelease
runc: embed version from VERSION file This ensures that if runc is built without the provided Makefile, the version is still properly set. No change in the output. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-08 19:00:59 -07:00
script/release_sign.sh -S $(GPG_KEYID)
make release: add cross-build This implements cross-build for "make release", moving the build into a container. This way we can support arm, arm64, ppc, and whatnot. * script/seccomp.sh: separate out of script/release.sh, amend to support cross-compile and save needed environment variables to a file. * Dockerfile: add installing libseccomp from source, as this is needed for release builds. * script/release.sh: amend to support more architectures in addition to the native build. Additional arches can be added by specifying "-a <arch>" argument (can be specified multiple times), or "make RELEASE_ARGS="-a arm64" release" if called via make. All supported architectures can be enabled via "make releaseall". * Makefile: move "release" target to "localrelease", add "release" and "releaseall" targets to build via the Dockerfile. This is done because most distros (including Fedora and openSUSE) lack cross-glibc, which is needed to cross-compile libseccomp. * Makefile: remove 'cross' and 'localcross' targets, as this is now done by the release script. * .github/workflows/validate.yum: amend the release CI job to cross-build for supported architectures, remove cross job. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-06 11:31:11 -07:00
Makefile: move .PHONY to before each target All the targets in the Makefile we have are phony (as we mostly rely on go to figure out dependencies and whether to rebuild something), and they have to be marked as such. We do that at the end of the file, and the list is pretty long. Instead, let's just add .PHONY before each target. That way it is easier to spot any omissions. Alternative solutions: - add ".PHONY: %"; it won't work as wildcards are not recongized in this context; - add "MAKEFLAGS += --always-make". Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-05 13:28:53 -07:00
.PHONY: localrelease
Makefile: add verify-changelog as release dependency ... as a way to maybe catch some CHANGELOG.md bugs at the last moment. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com> (cherry picked from commit 54cfb25d696964fdcca8b27a8c9242a001139d96) Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-03-29 14:49:12 -07:00
localrelease: verify-changelog
runc: embed version from VERSION file This ensures that if runc is built without the provided Makefile, the version is still properly set. No change in the output. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-08 19:00:59 -07:00
script/release_build.sh $(RELEASE_ARGS)
Introduce make release So we can make all types of release binary with combination of following flags: seccomp selinux apparmor static All binary files are put in release/ dir, like: [root@zlosvm1 runc]# ls -l release total 53556 -rwxr-xr-x 1 root root 9517965 Aug 24 16:59 runc -rwxr-xr-x 1 root root 9673533 Aug 24 17:00 runc.seccomp -rwxr-xr-x 1 root root 9705839 Aug 24 17:00 runc.seccomp.selinux -rwxr-xr-x 1 root root 9546175 Aug 24 16:59 runc.selinux -rwxr-xr-x 1 root root 8205015 Aug 24 16:59 runc.selinux.static -rwxr-xr-x 1 root root 8181789 Aug 24 16:59 runc.static ... Closes #899 Signed-off-by: Zhao Lei <zhaolei@cn.fujitsu.com>
2016-06-14 18:03:35 +08:00
Makefile: move .PHONY to before each target All the targets in the Makefile we have are phony (as we mostly rely on go to figure out dependencies and whether to rebuild something), and they have to be marked as such. We do that at the end of the file, and the list is pretty long. Instead, let's just add .PHONY before each target. That way it is easier to spot any omissions. Alternative solutions: - add ".PHONY: %"; it won't work as wildcards are not recongized in this context; - add "MAKEFLAGS += --always-make". Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-05 13:28:53 -07:00
.PHONY: dbuild
Combine runctestimage and runcimage There is no need that keep them separate, it also fixes #1006. Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-08-30 09:46:47 +08:00
dbuild: runcimage
Makefile: split long lines It's hard to read otherwise (at least for me). While at it, replace ${FOO} with $(FOO) -- both are identical, but the second style looks to be used more. No functional change. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-04-20 12:42:58 -07:00
$(CONTAINER_ENGINE) run $(CONTAINER_ENGINE_RUN_FLAGS) \
--privileged --rm \
-v $(CURDIR):/go/src/$(PROJECT) \
Move test helper binaries Instead of having every test helper binary in its own directory, let's use /tests/cmd/_bin as a destination directory. This allows for simpler setup/cleanup. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-08-21 18:57:38 -07:00
$(RUNC_IMAGE) make clean runc test-binaries
*: enable full test suite on make test Enable the full test suite to run on `make test`. They also all run inside a Docker container for maximum reproducibility. Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-04-26 18:00:01 +10:00
Makefile: move .PHONY to before each target All the targets in the Makefile we have are phony (as we mostly rely on go to figure out dependencies and whether to rebuild something), and they have to be marked as such. We do that at the end of the file, and the list is pretty long. Instead, let's just add .PHONY before each target. That way it is easier to spot any omissions. Alternative solutions: - add ".PHONY: %"; it won't work as wildcards are not recongized in this context; - add "MAKEFLAGS += --always-make". Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-05 13:28:53 -07:00
.PHONY: lint
Fix the build by removing go get for vet golang.org/x/tools/cmd/vet has been removed as it is available in go cmd directly Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-04-07 09:36:08 -07:00
lint:
make lint: use golangci-lint Instead of running just a couple of linters, use the same set as we run on CI. NOTE that this is for developers, not scripts, and requires having golangci-lint installed (see https://golangci-lint.run/usage/install/#local-installation). Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-02-16 14:07:28 -08:00
golangci-lint run ./...
Add makefile targets for basic lint and testing Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-06-26 13:06:17 -07:00
Makefile: move .PHONY to before each target All the targets in the Makefile we have are phony (as we mostly rely on go to figure out dependencies and whether to rebuild something), and they have to be marked as such. We do that at the end of the file, and the list is pretty long. Instead, let's just add .PHONY before each target. That way it is easier to spot any omissions. Alternative solutions: - add ".PHONY: %"; it won't work as wildcards are not recongized in this context; - add "MAKEFLAGS += --always-make". Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-05 13:28:53 -07:00
.PHONY: man
Add target man in Makefile Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-04-22 14:37:42 +08:00
man:
man/md2man-all.sh
Makefile: move .PHONY to before each target All the targets in the Makefile we have are phony (as we mostly rely on go to figure out dependencies and whether to rebuild something), and they have to be marked as such. We do that at the end of the file, and the list is pretty long. Instead, let's just add .PHONY before each target. That way it is easier to spot any omissions. Alternative solutions: - add ".PHONY: %"; it won't work as wildcards are not recongized in this context; - add "MAKEFLAGS += --always-make". Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-05 13:28:53 -07:00
.PHONY: runcimage
Combine runctestimage and runcimage There is no need that keep them separate, it also fixes #1006. Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-08-30 09:46:47 +08:00
runcimage:
Makefile: split long lines It's hard to read otherwise (at least for me). While at it, replace ${FOO} with $(FOO) -- both are identical, but the second style looks to be used more. No functional change. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-04-20 12:42:58 -07:00
$(CONTAINER_ENGINE) build $(CONTAINER_ENGINE_BUILD_FLAGS) -t $(RUNC_IMAGE) .
Add makefile targets for basic lint and testing Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-06-26 13:06:17 -07:00
Makefile: move .PHONY to before each target All the targets in the Makefile we have are phony (as we mostly rely on go to figure out dependencies and whether to rebuild something), and they have to be marked as such. We do that at the end of the file, and the list is pretty long. Instead, let's just add .PHONY before each target. That way it is easier to spot any omissions. Alternative solutions: - add ".PHONY: %"; it won't work as wildcards are not recongized in this context; - add "MAKEFLAGS += --always-make". Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-05 13:28:53 -07:00
.PHONY: test
Makefile: test, localtest: no need to invoke make Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-04-27 12:55:24 -07:00
test: unittest integration rootlessintegration
Add makefile targets for basic lint and testing Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-06-26 13:06:17 -07:00
Makefile: move .PHONY to before each target All the targets in the Makefile we have are phony (as we mostly rely on go to figure out dependencies and whether to rebuild something), and they have to be marked as such. We do that at the end of the file, and the list is pretty long. Instead, let's just add .PHONY before each target. That way it is easier to spot any omissions. Alternative solutions: - add ".PHONY: %"; it won't work as wildcards are not recongized in this context; - add "MAKEFLAGS += --always-make". Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-05 13:28:53 -07:00
.PHONY: localtest
Makefile: test, localtest: no need to invoke make Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-04-27 12:55:24 -07:00
localtest: localunittest localintegration localrootlessintegration
Add seccomp build tag Add a seccomp build tag and also support in the Makefile to add or remove build tags. Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2015-08-21 15:25:26 -07:00
Makefile: move .PHONY to before each target All the targets in the Makefile we have are phony (as we mostly rely on go to figure out dependencies and whether to rebuild something), and they have to be marked as such. We do that at the end of the file, and the list is pretty long. Instead, let's just add .PHONY before each target. That way it is easier to spot any omissions. Alternative solutions: - add ".PHONY: %"; it won't work as wildcards are not recongized in this context; - add "MAKEFLAGS += --always-make". Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-05 13:28:53 -07:00
.PHONY: unittest
Combine runctestimage and runcimage There is no need that keep them separate, it also fixes #1006. Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-08-30 09:46:47 +08:00
unittest: runcimage
Makefile: split long lines It's hard to read otherwise (at least for me). While at it, replace ${FOO} with $(FOO) -- both are identical, but the second style looks to be used more. No functional change. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-04-20 12:42:58 -07:00
$(CONTAINER_ENGINE) run $(CONTAINER_ENGINE_RUN_FLAGS) \
-t --privileged --rm \
-v /lib/modules:/lib/modules:ro \
-v $(CURDIR):/go/src/$(PROJECT) \
makefile: quote TESTFLAGS when passing to containerised make Otherwise TESTFLAGS="-run FooBar" will result in TESTFLAGS=-run being executed in the container. Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-08-04 17:57:35 +10:00
$(RUNC_IMAGE) make localunittest TESTFLAGS="$(TESTFLAGS)"
*: enable full test suite on make test Enable the full test suite to run on `make test`. They also all run inside a Docker container for maximum reproducibility. Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-04-26 18:00:01 +10:00
Makefile: move .PHONY to before each target All the targets in the Makefile we have are phony (as we mostly rely on go to figure out dependencies and whether to rebuild something), and they have to be marked as such. We do that at the end of the file, and the list is pretty long. Instead, let's just add .PHONY before each target. That way it is easier to spot any omissions. Alternative solutions: - add ".PHONY: %"; it won't work as wildcards are not recongized in this context; - add "MAKEFLAGS += --always-make". Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-05 13:28:53 -07:00
.PHONY: localunittest
Move test helper binaries Instead of having every test helper binary in its own directory, let's use /tests/cmd/_bin as a destination directory. This allows for simpler setup/cleanup. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-08-21 18:57:38 -07:00
localunittest: test-binaries
Revert "Revert "Makefile: rm go 1.13 workaround"" This reverts commit 1a659bc68ec3a1c7ad2019de9cf82f4c23827cfb, essentially reinstating commit d0cbef576f8bb2ce55ec73599. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-19 15:05:55 -07:00
$(GO) test -timeout 3m -tags "$(BUILDTAGS)" $(TESTFLAGS) -v ./...
Initial commit of runc binary Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2015-06-21 19:31:12 -07:00
Makefile: move .PHONY to before each target All the targets in the Makefile we have are phony (as we mostly rely on go to figure out dependencies and whether to rebuild something), and they have to be marked as such. We do that at the end of the file, and the list is pretty long. Instead, let's just add .PHONY before each target. That way it is easier to spot any omissions. Alternative solutions: - add ".PHONY: %"; it won't work as wildcards are not recongized in this context; - add "MAKEFLAGS += --always-make". Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-05 13:28:53 -07:00
.PHONY: integration
Makefile: Fix wrong dependency of "integration" target Change dependency of integration to runcimage. Signed-off-by: Jiuyue Ma <majiuyue@huawei.com>
2016-09-05 18:06:03 +08:00
integration: runcimage
Makefile: split long lines It's hard to read otherwise (at least for me). While at it, replace ${FOO} with $(FOO) -- both are identical, but the second style looks to be used more. No functional change. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-04-20 12:42:58 -07:00
$(CONTAINER_ENGINE) run $(CONTAINER_ENGINE_RUN_FLAGS) \
-t --privileged --rm \
-v /lib/modules:/lib/modules:ro \
-v $(CURDIR):/go/src/$(PROJECT) \
makefile: quote TESTFLAGS when passing to containerised make Otherwise TESTFLAGS="-run FooBar" will result in TESTFLAGS=-run being executed in the container. Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-08-04 17:57:35 +10:00
$(RUNC_IMAGE) make localintegration TESTPATH="$(TESTPATH)"
adds integration tests Signed-off-by: Mike Brown <brownwm@us.ibm.com>
2016-03-14 14:55:05 -05:00
Makefile: move .PHONY to before each target All the targets in the Makefile we have are phony (as we mostly rely on go to figure out dependencies and whether to rebuild something), and they have to be marked as such. We do that at the end of the file, and the list is pretty long. Instead, let's just add .PHONY before each target. That way it is easier to spot any omissions. Alternative solutions: - add ".PHONY: %"; it won't work as wildcards are not recongized in this context; - add "MAKEFLAGS += --always-make". Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-05 13:28:53 -07:00
.PHONY: localintegration
Move test helper binaries Instead of having every test helper binary in its own directory, let's use /tests/cmd/_bin as a destination directory. This allows for simpler setup/cleanup. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-08-21 18:57:38 -07:00
localintegration: runc test-binaries
Makefile: use $(FOO) not ${FOO} The first style seems to be prevalent. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-04-20 12:48:12 -07:00
bats -t tests/integration$(TESTPATH)
*: enable full test suite on make test Enable the full test suite to run on `make test`. They also all run inside a Docker container for maximum reproducibility. Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-04-26 18:00:01 +10:00
Makefile: move .PHONY to before each target All the targets in the Makefile we have are phony (as we mostly rely on go to figure out dependencies and whether to rebuild something), and they have to be marked as such. We do that at the end of the file, and the list is pretty long. Instead, let's just add .PHONY before each target. That way it is easier to spot any omissions. Alternative solutions: - add ".PHONY: %"; it won't work as wildcards are not recongized in this context; - add "MAKEFLAGS += --always-make". Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-05 13:28:53 -07:00
.PHONY: rootlessintegration
tests: add rootless integration tests This adds targets for rootless integration tests, as well as all of the required setup in order to get the tests to run. This includes quite a few changes, because of a lot of assumptions about things running as root within the bats scripts (which is not true when setting up rootless containers). Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-05-11 17:45:00 +10:00
rootlessintegration: runcimage
Makefile: split long lines It's hard to read otherwise (at least for me). While at it, replace ${FOO} with $(FOO) -- both are identical, but the second style looks to be used more. No functional change. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-04-20 12:42:58 -07:00
$(CONTAINER_ENGINE) run $(CONTAINER_ENGINE_RUN_FLAGS) \
-t --privileged --rm \
-v $(CURDIR):/go/src/$(PROJECT) \
-e ROOTLESS_TESTPATH \
$(RUNC_IMAGE) make localrootlessintegration
tests: add rootless integration tests This adds targets for rootless integration tests, as well as all of the required setup in order to get the tests to run. This includes quite a few changes, because of a lot of assumptions about things running as root within the bats scripts (which is not true when setting up rootless containers). Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-05-11 17:45:00 +10:00
Makefile: move .PHONY to before each target All the targets in the Makefile we have are phony (as we mostly rely on go to figure out dependencies and whether to rebuild something), and they have to be marked as such. We do that at the end of the file, and the list is pretty long. Instead, let's just add .PHONY before each target. That way it is easier to spot any omissions. Alternative solutions: - add ".PHONY: %"; it won't work as wildcards are not recongized in this context; - add "MAKEFLAGS += --always-make". Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-05 13:28:53 -07:00
.PHONY: localrootlessintegration
Move test helper binaries Instead of having every test helper binary in its own directory, let's use /tests/cmd/_bin as a destination directory. This allows for simpler setup/cleanup. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-08-21 18:57:38 -07:00
localrootlessintegration: runc test-binaries
tests: generalise rootless runner This is necessary in order to add proper opportunistic tests, and is a placeholder until we add tests for new{uid,gid}map configurations. Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-09-07 07:07:43 +10:00
tests/rootless.sh
tests: add rootless integration tests This adds targets for rootless integration tests, as well as all of the required setup in order to get the tests to run. This includes quite a few changes, because of a lot of assumptions about things running as root within the bats scripts (which is not true when setting up rootless containers). Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-05-11 17:45:00 +10:00
Makefile: move .PHONY to before each target All the targets in the Makefile we have are phony (as we mostly rely on go to figure out dependencies and whether to rebuild something), and they have to be marked as such. We do that at the end of the file, and the list is pretty long. Instead, let's just add .PHONY before each target. That way it is easier to spot any omissions. Alternative solutions: - add ".PHONY: %"; it won't work as wildcards are not recongized in this context; - add "MAKEFLAGS += --always-make". Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-05 13:28:53 -07:00
.PHONY: shell
Fix make shell The "shell" rule in the Makefile uses docker to run a bash session, however it was depending on the "all" rule which assumes non-docker local development. This commit fixes it by making it depend on the "runcimage" rule. Signed-off-by: Tibor Vass <tibor@docker.com>
2018-02-28 05:23:01 +00:00
shell: runcimage
Makefile: split long lines It's hard to read otherwise (at least for me). While at it, replace ${FOO} with $(FOO) -- both are identical, but the second style looks to be used more. No functional change. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-04-20 12:42:58 -07:00
$(CONTAINER_ENGINE) run $(CONTAINER_ENGINE_RUN_FLAGS) \
-ti --privileged --rm \
-v $(CURDIR):/go/src/$(PROJECT) \
$(RUNC_IMAGE) bash
tests: fix all the things This fixes all of the tests that were broken as part of the console rewrite. This includes fixing the integration tests that used TTY handling inside libcontainer, as well as the bats integration tests that needed to be rewritten to use recvtty (as they rely on detached containers that are running). This patch is part of the console rewrite patchset. Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-09-06 22:40:01 +10:00
Makefile: move .PHONY to before each target All the targets in the Makefile we have are phony (as we mostly rely on go to figure out dependencies and whether to rebuild something), and they have to be marked as such. We do that at the end of the file, and the list is pretty long. Instead, let's just add .PHONY before each target. That way it is easier to spot any omissions. Alternative solutions: - add ".PHONY: %"; it won't work as wildcards are not recongized in this context; - add "MAKEFLAGS += --always-make". Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-05 13:28:53 -07:00
.PHONY: install
Remove all for make install This is not how Makefiles work and install should not build everything again. Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2015-06-29 13:33:15 -07:00
install:
Makefile: fix DESTDIR handling DESTDIR should only be used while installing. To test: make DESTDIR=$(pwd)/inst PREFIX=/usr install install-man install-bash Before this commit, this would result in installing to /usr rather than $(pwd)/usr. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-09-08 16:47:19 -07:00
install -D -m0755 runc $(DESTDIR)$(BINDIR)/runc
Add bash completion support I have taken the docker command completions code and reworked it for runc support. Signed-off-by: Dan Walsh <dwalsh@redhat.com>
2016-05-11 09:48:59 -04:00
Makefile: move .PHONY to before each target All the targets in the Makefile we have are phony (as we mostly rely on go to figure out dependencies and whether to rebuild something), and they have to be marked as such. We do that at the end of the file, and the list is pretty long. Instead, let's just add .PHONY before each target. That way it is easier to spot any omissions. Alternative solutions: - add ".PHONY: %"; it won't work as wildcards are not recongized in this context; - add "MAKEFLAGS += --always-make". Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-05 13:28:53 -07:00
.PHONY: install-bash
Add bash completion support I have taken the docker command completions code and reworked it for runc support. Signed-off-by: Dan Walsh <dwalsh@redhat.com>
2016-05-11 09:48:59 -04:00
install-bash:
Makefile: fix DESTDIR handling DESTDIR should only be used while installing. To test: make DESTDIR=$(pwd)/inst PREFIX=/usr install install-man install-bash Before this commit, this would result in installing to /usr rather than $(pwd)/usr. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-09-08 16:47:19 -07:00
install -D -m0644 contrib/completions/bash/runc $(DESTDIR)$(PREFIX)/share/bash-completion/completions/runc
Initial commit of runc binary Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2015-06-21 19:31:12 -07:00
Makefile: move .PHONY to before each target All the targets in the Makefile we have are phony (as we mostly rely on go to figure out dependencies and whether to rebuild something), and they have to be marked as such. We do that at the end of the file, and the list is pretty long. Instead, let's just add .PHONY before each target. That way it is easier to spot any omissions. Alternative solutions: - add ".PHONY: %"; it won't work as wildcards are not recongized in this context; - add "MAKEFLAGS += --always-make". Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-05 13:28:53 -07:00
.PHONY: install-man
Makefile: fix/clean install-man Target `install-man` was not dependent on `man`, meaning no man pages were installed unless one called `make man` beforehand. Fix this. Remove many man-related variables, only leaving MANDIR, which is an installation directory for man pages. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-04-27 13:49:39 -07:00
install-man: man
Makefile: fix DESTDIR handling DESTDIR should only be used while installing. To test: make DESTDIR=$(pwd)/inst PREFIX=/usr install install-man install-bash Before this commit, this would result in installing to /usr rather than $(pwd)/usr. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-09-08 16:47:19 -07:00
install -d -m 755 $(DESTDIR)$(MANDIR)/man8
install -D -m 644 man/man8/*.8 $(DESTDIR)$(MANDIR)/man8
Add target man in Makefile Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-04-22 14:37:42 +08:00
Makefile: move .PHONY to before each target All the targets in the Makefile we have are phony (as we mostly rely on go to figure out dependencies and whether to rebuild something), and they have to be marked as such. We do that at the end of the file, and the list is pretty long. Instead, let's just add .PHONY before each target. That way it is easier to spot any omissions. Alternative solutions: - add ".PHONY: %"; it won't work as wildcards are not recongized in this context; - add "MAKEFLAGS += --always-make". Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-05 13:28:53 -07:00
.PHONY: cfmt
Fix checking C code formatting Apparently, scripts/validate-c is not working in CI (or maybe maintainers ignored the failures from it) -- current C code gets some changes if we run indent on it. This commit fixes this, simplifying things along the way. In particular: 1. Remove "validate" make target, add "cfmt" target that just runs indent on all *.c files in the repository (NOTE that *.h files are not included, as before). This may help a contributor to fix their code -- they just need to run "make cfmt" now instead of running "make validate" and copy-pasting the indent command and options from the hint. 2. Split GHA validate/misc into validate/release and validate/cfmt. The latter checks that the sources are not changed after "make cfmt". 3. Adds a few more options to indent. This was mostly motivated by trying to save the existing formatting, minimizing the amount of changes indent produces. The new options are: * -il0: sets the offset for goto labels to 0 (currently all labels but one are not indented -- let's keep it that way); * -ppi2: sets the indentation for nested preprocessor directives to 2 spaces (same as it is done in "SYS_memfd_create" defines); * -cp1: sets the indentation between #else / #endif and the following comment to 1 space. 4. Reformat the code using the new indent options. 5. Remove the now-unused script/{.validate,validate-c}. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-03-17 13:36:31 -07:00
cfmt: C_SRC=$(shell git ls-files '*.c' | grep -v '^vendor/')
cfmt:
cfmt: use the Linux { a, b } decl style Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-10-30 23:54:32 +11:00
indent -linux -l120 -il0 -ppi2 -cp1 -sar -T size_t -T jmp_buf $(C_SRC)
Makefile: move shellcheck out of validate This serves two purposes: 1. A developer can now run `make shellcheck` to show any issues with shell or bats files formatting (this requires a recent version of shfmt, which I think is out of scope for Makefile). 2. Exclude shellcheck from travis ci (will be re-added as a GH action by the next commit). Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-11-19 17:56:26 -08:00
Makefile: move .PHONY to before each target All the targets in the Makefile we have are phony (as we mostly rely on go to figure out dependencies and whether to rebuild something), and they have to be marked as such. We do that at the end of the file, and the list is pretty long. Instead, let's just add .PHONY before each target. That way it is easier to spot any omissions. Alternative solutions: - add ".PHONY: %"; it won't work as wildcards are not recongized in this context; - add "MAKEFLAGS += --always-make". Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-05 13:28:53 -07:00
.PHONY: shellcheck
Makefile: move shellcheck out of validate This serves two purposes: 1. A developer can now run `make shellcheck` to show any issues with shell or bats files formatting (this requires a recent version of shfmt, which I think is out of scope for Makefile). 2. Exclude shellcheck from travis ci (will be re-added as a GH action by the next commit). Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-11-19 17:56:26 -08:00
shellcheck:
make release: add cross-build This implements cross-build for "make release", moving the build into a container. This way we can support arm, arm64, ppc, and whatnot. * script/seccomp.sh: separate out of script/release.sh, amend to support cross-compile and save needed environment variables to a file. * Dockerfile: add installing libseccomp from source, as this is needed for release builds. * script/release.sh: amend to support more architectures in addition to the native build. Additional arches can be added by specifying "-a <arch>" argument (can be specified multiple times), or "make RELEASE_ARGS="-a arm64" release" if called via make. All supported architectures can be enabled via "make releaseall". * Makefile: move "release" target to "localrelease", add "release" and "releaseall" targets to build via the Dockerfile. This is done because most distros (including Fedora and openSUSE) lack cross-glibc, which is needed to cross-compile libseccomp. * Makefile: remove 'cross' and 'localcross' targets, as this is now done by the release script. * .github/workflows/validate.yum: amend the release CI job to cross-build for supported architectures, remove cross job. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-06 11:31:11 -07:00
shellcheck tests/integration/*.bats tests/integration/*.sh \
tests/integration/*.bash tests/*.sh \
man/*sh: fix shellcheck warnings, add to shellcheck Now the only remaining file that needs shellcheck warnings to be fixed is bash-completion. Note that in Makefile's TODO. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-02-16 13:52:46 -08:00
man/*.sh script/*
# TODO: add shellcheck for more sh files (contrib/completions/bash/runc).
Makefile: move shfmt out of validate, add -w This serves two purposes: 1. A developer can now run `make shfmt` to show and fix any issues with shell or bats files formatting (this requires a recent version of shfmt, which I think is out of scope for Makefile). 2. Exclude shfmt check from travis ci (will be re-added as a GH action by the next commit). Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-11-16 16:48:44 -08:00
Makefile: move .PHONY to before each target All the targets in the Makefile we have are phony (as we mostly rely on go to figure out dependencies and whether to rebuild something), and they have to be marked as such. We do that at the end of the file, and the list is pretty long. Instead, let's just add .PHONY before each target. That way it is easier to spot any omissions. Alternative solutions: - add ".PHONY: %"; it won't work as wildcards are not recongized in this context; - add "MAKEFLAGS += --always-make". Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-05 13:28:53 -07:00
.PHONY: shfmt
Makefile: move shfmt out of validate, add -w This serves two purposes: 1. A developer can now run `make shfmt` to show and fix any issues with shell or bats files formatting (this requires a recent version of shfmt, which I think is out of scope for Makefile). 2. Exclude shfmt check from travis ci (will be re-added as a GH action by the next commit). Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-11-16 16:48:44 -08:00
shfmt:
ci: bump shfmt to 3.5.1, simplify CI setup 1. Bump shfmt to v3.5.1. Release notes: https://github.com/mvdan/sh/releases 2. Since shfmt v3.5.0, specifying -l bash (or -l bats) is no longer necessary. Therefore, we can use shfmt to find all the files. Add .editorconfig to ignore vendor subdirectory. 3. Use shfmt docker image, so that we don't have to install anything explicitly. This greatly simplifies the shfmt CI job. Add localshfmt target so developers can still use a local shfmt binary when necessary. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-23 11:31:48 -07:00
$(CONTAINER_ENGINE) run $(CONTAINER_ENGINE_RUN_FLAGS) \
--rm -v $(CURDIR):/src -w /src \
Makefile: bump shfmt to v3.11.0 Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-10 11:58:23 -07:00
mvdan/shfmt:v3.11.0 -d -w .
ci: bump shfmt to 3.5.1, simplify CI setup 1. Bump shfmt to v3.5.1. Release notes: https://github.com/mvdan/sh/releases 2. Since shfmt v3.5.0, specifying -l bash (or -l bats) is no longer necessary. Therefore, we can use shfmt to find all the files. Add .editorconfig to ignore vendor subdirectory. 3. Use shfmt docker image, so that we don't have to install anything explicitly. This greatly simplifies the shfmt CI job. Add localshfmt target so developers can still use a local shfmt binary when necessary. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-23 11:31:48 -07:00
Makefile: move .PHONY to before each target All the targets in the Makefile we have are phony (as we mostly rely on go to figure out dependencies and whether to rebuild something), and they have to be marked as such. We do that at the end of the file, and the list is pretty long. Instead, let's just add .PHONY before each target. That way it is easier to spot any omissions. Alternative solutions: - add ".PHONY: %"; it won't work as wildcards are not recongized in this context; - add "MAKEFLAGS += --always-make". Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-05 13:28:53 -07:00
.PHONY: localshfmt
ci: bump shfmt to 3.5.1, simplify CI setup 1. Bump shfmt to v3.5.1. Release notes: https://github.com/mvdan/sh/releases 2. Since shfmt v3.5.0, specifying -l bash (or -l bats) is no longer necessary. Therefore, we can use shfmt to find all the files. Add .editorconfig to ignore vendor subdirectory. 3. Use shfmt docker image, so that we don't have to install anything explicitly. This greatly simplifies the shfmt CI job. Add localshfmt target so developers can still use a local shfmt binary when necessary. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-23 11:31:48 -07:00
localshfmt:
shfmt -d -w .
Add ci target Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-06-30 12:51:09 -07:00
Fixed spelling mistake in the Makefile at .PHONY vendor * Simple error correction of a spelling mistake which was introduced at commit b8f75f3 Signed-off-by: Sjoerd van Leent <sjoerd.van.leent@alliander.com>
2024-02-15 15:56:19 +01:00
.PHONY: vendor
Make CI script to verify that vendor is in sync Signed-off-by: Odin Ugedal <odin@ugedal.com>
2019-06-19 21:56:44 +02:00
vendor:
Makefile: fix vendor and verify-dependencies Commit a08ab87fe added these targets. Alas, the `go mod tidy` never worked, as it was written as part of `export` statement: export GO111MODULE=on \ $(GO) mod tidy && \ ... which is the same as export GO111MODULE=on $(GO) mod tidy && ... which exports a bunch of variables, such as `go`, `mod`, and `tidy`, but does not run it. The fix would be to add a semicolon after the `export` statement, but since GO111MODULE is not really needed here (maybe some older golang versions needed it?), let's just drop it. With this dropped, && does not make any sense, so drop it, too. NOTE that if someone tries GO111MODULE=off make vendor it will fail, but I guess it is expected. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-09-16 16:26:50 -07:00
$(GO) mod tidy
$(GO) mod vendor
Make CI script to verify that vendor is in sync Signed-off-by: Odin Ugedal <odin@ugedal.com>
2019-06-19 21:56:44 +02:00
$(GO) mod verify
Makefile: move .PHONY to before each target All the targets in the Makefile we have are phony (as we mostly rely on go to figure out dependencies and whether to rebuild something), and they have to be marked as such. We do that at the end of the file, and the list is pretty long. Instead, let's just add .PHONY before each target. That way it is easier to spot any omissions. Alternative solutions: - add ".PHONY: %"; it won't work as wildcards are not recongized in this context; - add "MAKEFLAGS += --always-make". Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-05 13:28:53 -07:00
.PHONY: verify-changelog
CHANGELOG.md: forward-port 1.1.x changes This is a forward-port of commit 91fa032da406 ("ci: add basic checks for CHANGELOG.md"), plus whatever changes were made in release-1.1 branch (up to v1.1.3). Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-07-01 15:49:57 -07:00
verify-changelog:
# No space at EOL.
! grep -n '\s$$' CHANGELOG.md
# Period before issue/PR references.
! grep -n '[0-9a-zA-Z][^.] (#[1-9][0-9, #]*)$$' CHANGELOG.md
Makefile: move .PHONY to before each target All the targets in the Makefile we have are phony (as we mostly rely on go to figure out dependencies and whether to rebuild something), and they have to be marked as such. We do that at the end of the file, and the list is pretty long. Instead, let's just add .PHONY before each target. That way it is easier to spot any omissions. Alternative solutions: - add ".PHONY: %"; it won't work as wildcards are not recongized in this context; - add "MAKEFLAGS += --always-make". Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-05 13:28:53 -07:00
.PHONY: verify-dependencies
Make CI script to verify that vendor is in sync Signed-off-by: Odin Ugedal <odin@ugedal.com>
2019-06-19 21:56:44 +02:00
verify-dependencies: vendor
@test -z "$$(git status --porcelain -- go.mod go.sum vendor/)" \
|| (echo -e "git status:\n $$(git status -- go.mod go.sum vendor/)\nerror: vendor/, go.mod and/or go.sum not up to date. Run \"make vendor\" to update"; exit 1) \
&& echo "all vendor files are up to date."
Makefile: make verify-dmz-arch less talkative Every `make` now produces something like this: make[1]: Entering directory '/home/kir/go/src/github.com/opencontainers/runc' readelf -h runc Machine: Advanced Micro Devices X86-64 Flags: 0x0 readelf -h libcontainer/dmz/runc-dmz Machine: Advanced Micro Devices X86-64 Flags: 0x0 runc-dmz architecture matches runc binary. make[1]: Leaving directory '/home/kir/go/src/github.com/opencontainers/runc' That is a bit too much. Let's make it less verbose. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-05 12:51:43 -07:00
Makefile: move .PHONY to before each target All the targets in the Makefile we have are phony (as we mostly rely on go to figure out dependencies and whether to rebuild something), and they have to be marked as such. We do that at the end of the file, and the list is pretty long. Instead, let's just add .PHONY before each target. That way it is easier to spot any omissions. Alternative solutions: - add ".PHONY: %"; it won't work as wildcards are not recongized in this context; - add "MAKEFLAGS += --always-make". Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-05 13:28:53 -07:00
.PHONY: validate-keyring
keyring: verify runc.keyring has legitimate maintainer keys These checks ensure that all of the keys in the runc.keyring list are actually the keys of the specified user and that the users themselves are actually maintainers. Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-04-19 12:29:21 +10:00
validate-keyring:
script/keyring_validate.sh
Copy Permalink