Adds a Go compiler matrix to CI for testing the latest Go versions.
Updates GitHub Actions packages and pins them to major versions.
Signed-off-by: Austin Vazquez <macedonv@amazon.com>

The former wording was inconsistent with runc, crun, youki, etc.
Several `mount(8)` options such as `X-mount.mode` are unimplemented in those OCI runtimes,
and vice versa (`tmpcopyup`, `rro`, etc.).
The option table added in this commit conforms to runc 1.1, but `acl`
and `noacl` are excluded as the runc implementation seems wrong (runc issue 3738).
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

The time namespace is a new kernel feature available in 5.6+ to
isolate the system monotonic and boot-time clocks.
Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>

runC originally implemented prestart hooks contrary to the spec. And it
still implements them the same way today, as it would break a lot of
projects which have come to rely on the existing behaviour. Any OCI
runtime implementations which want to be compatible with projects that
have come to rely on the existing runC behaviour must also implement
them contrary to the spec. Furthermore, the Lifecycle section of the
spec requires the existing runC behaviour for the prestart hook,
_directly contradicting the section of the spec which defines the
prestart hook in config.md!_ Given that existing implementations cannot
be changed, the spec contradicts existing implementations, and the spec
contradicts _itself_, amending the spec to align with the existing runC
behaviour is the only viable way to resolve the contradiction.
Signed-off-by: Cory Snider <csnider@mirantis.com>

Linux 5.19 introduced a new seccomp flag:
SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV
It is useful for seccomp notify when handling notifications from Golang
programs, which are often preempted by the runtime with SIGURG.
Signed-off-by: Alban Crequy <albancrequy@microsoft.com>

The burstable CFS controller was introduced in Linux 5.14. This helps with
parallel workloads that might be bursty. They can get throttled even
when their average utilization is under quota, and they may be latency
sensitive at the same time, so throttling them is undesired.
This feature borrows time now against a future underrun, at the cost
of increased interference with the other system users, by introducing
`cfs_burst_us` into CFS bandwidth control to cap the accumulation of unused
bandwidth, which is then additionally available for bursts.
The patch adds the support/control for CFS bandwidth burst.
Fixes https://github.com/opencontainers/runtime-spec/issues/1119
Signed-off-by: Kailun Qin <kailun.qin@intel.com>

This setting can be used to mimic cgroup v1 behavior on cgroup v2
when setting a new memory limit during an update operation.
In cgroup v1, a limit which is lower than the current usage is rejected.
In cgroup v2, such a low limit causes an OOM kill.
Ref: https://github.com/opencontainers/runc/issues/3509
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

Clarify that device nodes need not be under `/dev`, but that the runtimes need
to be informed of all the device nodes that are used by the container.
Virtual-machine based runtimes such as Kata Containers need to be able to
perform adjustments on device nodes, and cannot be required to deep-scan
file-systems to do so.
The proposed wording was chosen to avoid any regression for any workload
mounting nodes elsewhere, while at the same time clarifying that correct
behaviour cannot be guaranteed if a device node is created on the host and used
by the container without being passed in the devices list.
This fixes issue #1147.
Signed-off-by: Christophe de Dinechin <christophe@dinechin.org>

Add the domainname entity so that container runtimes can add special handling similar to hostname. The current workaround of adding a sysctl for kernel.domainname only works with rootful execution in most cases. This will allow for rootless execution.
Container runtimes will be able to add special handling as they do for hostname, using setdomainname to add the entry to /proc/sys/kernel/domainname.
Signed-off-by: Charlie Doern <cdoern@redhat.com>
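The commits above each add one field to the OCI runtime configuration (the runc-style mount option table, the `time` namespace, the `SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV` seccomp flag, CFS bandwidth burst, the cgroup v1-style memory limit check, and `domainname`). The following `config.json` fragment is an added example, not part of any commit on this page: it shows all of those fields together in one bundle so a runtime author or an operator reviewing a container bundle can see where each one lives. The field names (`timeOffsets`, `resources.cpu.burst`, `resources.memory.checkBeforeUpdate`, `seccomp.flags`) follow the runtime-spec v1.1 schema as I understand it, and every value, including the listener socket path, is constructed for illustration.

```json
{
  "ociVersion": "1.1.0",
  "hostname": "example",
  "domainname": "example.internal",
  "mounts": [
    {
      "destination": "/etc/app",
      "type": "bind",
      "source": "/srv/app-config",
      "options": ["rbind", "rro"]
    },
    {
      "destination": "/var/cache/app",
      "type": "tmpfs",
      "source": "tmpfs",
      "options": ["nosuid", "nodev", "tmpcopyup"]
    }
  ],
  "linux": {
    "namespaces": [
      { "type": "pid" },
      { "type": "mount" },
      { "type": "uts" },
      { "type": "time" }
    ],
    "timeOffsets": {
      "monotonic": { "secs": 172800, "nanosecs": 0 },
      "boottime": { "secs": 172800, "nanosecs": 0 }
    },
    "resources": {
      "cpu": {
        "quota": 50000,
        "period": 100000,
        "burst": 25000
      },
      "memory": {
        "limit": 268435456,
        "checkBeforeUpdate": true
      }
    },
    "seccomp": {
      "defaultAction": "SCMP_ACT_ALLOW",
      "flags": ["SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV"],
      "listenerPath": "/run/example/seccomp-agent.sock",
      "syscalls": [
        { "names": ["mount"], "action": "SCMP_ACT_NOTIFY" }
      ]
    }
  }
}
```

A few points worth checking when reviewing such a bundle. `burst` is expressed in microseconds like `quota`, and the kernel rejects a burst larger than the quota, so `burst` must stay at or below `quota`; here it allows a quarter period of accumulated slack. `rro` makes the bind mount read-only recursively, so submounts under `/srv/app-config` cannot be written either, which is the property a plain `ro` does not give; on runc it needs a kernel with `mount_setattr(2)` (5.12+). `checkBeforeUpdate` has no effect at container creation and only changes what `update` does when the new limit is below current usage: the update is refused instead of triggering an OOM kill. The time namespace offsets shift the container's monotonic and boot-time clocks by two days without touching the wall clock, so time-dependent checks inside the container (token expiry, TLS validity) still see host time. Each of these features has a minimum kernel version (time namespace 5.6, CFS burst 5.14, the seccomp flag 5.19), and a runtime should fail the create rather than silently drop a field the kernel cannot honour.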