[do not merge] add swap to CI for 1.26

.golangci.yml

@@ -8,6 +8,5 @@ run:
   concurrency: 4
 linters:
   enable:
-    - revive
     - unconvert
     - unparam

CHANGELOG.md

@@ -2,6 +2,36 @@
 
 # Changelog
 
+## v1.26.10 (2025-12-09)
+
+    Bump minimum to golang 1.22.6
+    Bump CI environment to match release-1.39
+    Bump x/tools to v0.26.0
+    Proxy module access
+    util.SortMounts(): make the returned order more stable
+    Bump runc to v1.2.9
+    Handle Cobra v1.5 -> v1.8 behavior changes
+    vendor: switch to moby/sys/capability
+    Don't set ambient capabilities
+    Integration tests: run git daemon on a random-but-bind()able port
+    run: handle relabeling bind mounts ourselves
+    Add a dummy "runtime" that just dumps its config file
+    runUsingRuntime: use named constants for runtime states
+    buildah-build(1): clarify that --cgroup-parent affects RUN instructions
+    CI: switch to debian for testing there
+    Adjust tests for new CI environment
+    Update the selinux spc test
+    Temporarily hard-skip bud-multiple-platform-values test
+    Skip bud with --cpu-shares test on runc/cgroupsv2
+    Remove -cover flag from test-unit target
+    tests/tools: update ginkgo and golangci-lint
+    Stop checking spec file version
+    Fix linter errors
+    Stop setting "parent" in docker format
+    commit: set "parent" for docker format only when requested
+    Builder.SetWorkDir(): trim off a path separator suffix, if there is one
+    main: check for ExitErrors that use standard library wrapping
+
 ## v1.26.9 (2025-01-24)
 
     Add build-tag comments

Makefile

@@ -26,7 +26,8 @@ export GO_TEST=$(GO) test
 endif
 RACEFLAGS := $(shell $(GO_TEST) -race ./pkg/dummy > /dev/null 2>&1 && echo -race)
 
-GIT_COMMIT ?= $(if $(shell git rev-parse --short HEAD),$(shell git rev-parse --short HEAD),$(error "git failed"))
+COMMIT_NO ?= $(shell git rev-parse HEAD 2> /dev/null || true)
+GIT_COMMIT ?= $(if $(shell git status --porcelain --untracked-files=no),${COMMIT_NO}-dirty,${COMMIT_NO})
 SOURCE_DATE_EPOCH ?= $(if $(shell date +%s),$(shell date +%s),$(error "date failed"))
 STATIC_STORAGETAGS = "containers_image_openpgp exclude_graphdriver_devicemapper $(STORAGE_TAGS)"
 
@@ -49,7 +50,7 @@ endif
 #     Note: Uses the -N -l go compiler options to disable compiler optimizations
 #           and inlining. Using these build options allows you to subsequently
 #           use source debugging tools like delve.
-all: bin/buildah bin/imgtype bin/copy bin/tutorial docs
+all: bin/buildah bin/imgtype bin/copy bin/inet bin/tutorial bin/dumpspec docs
 
 # Update nix/nixpkgs.json its latest stable commit
 .PHONY: nixpkgs
@@ -95,6 +96,12 @@ bin/copy: $(SOURCES) tests/copy/copy.go
 bin/tutorial: $(SOURCES) tests/tutorial/tutorial.go
 	$(GO_BUILD) $(BUILDAH_LDFLAGS) -o $@ $(BUILDFLAGS) ./tests/tutorial/tutorial.go
 
+bin/inet: tests/inet/inet.go
+	$(GO_BUILD) $(BUILDAH_LDFLAGS) -o $@ $(BUILDFLAGS) ./tests/inet/inet.go
+
+bin/dumpspec: $(SOURCES)
+	$(GO_BUILD) $(BUILDAH_LDFLAGS) -o $@ $(BUILDFLAGS) ./tests/dumpspec
+
 .PHONY: clean
 clean:
 	$(RM) -r bin tests/testreport/testreport
@@ -169,21 +176,21 @@ test-conformance:
 
 .PHONY: test-integration
 test-integration: install.tools
-	./tests/tools/build/ginkgo $(BUILDFLAGS) -v tests/e2e/.
+	$(GO_TEST) $(BUILDFLAGS) -v ./tests/e2e/.
 	cd tests; ./test_runner.sh
 
 tests/testreport/testreport: tests/testreport/testreport.go
 	$(GO_BUILD) $(GO_LDFLAGS) "-linkmode external -extldflags -static" -tags "$(STORAGETAGS) $(SECURITYTAGS)" -o tests/testreport/testreport ./tests/testreport/testreport.go
 
 .PHONY: test-unit
 test-unit: tests/testreport/testreport
-	$(GO_TEST) -v -tags "$(STORAGETAGS) $(SECURITYTAGS)" -cover $(RACEFLAGS) $(shell $(GO) list ./... | grep -v vendor | grep -v tests | grep -v cmd) -timeout 45m
+	$(GO_TEST) -v -tags "$(STORAGETAGS) $(SECURITYTAGS)" $(RACEFLAGS) $(shell $(GO) list ./... | grep -v vendor | grep -v tests | grep -v cmd) -timeout 45m
 	tmp=$(shell mktemp -d) ; \
 	mkdir -p $$tmp/root $$tmp/runroot; \
-	$(GO_TEST) -v -tags "$(STORAGETAGS) $(SECURITYTAGS)" -cover $(RACEFLAGS) ./cmd/buildah -args --root $$tmp/root --runroot $$tmp/runroot --storage-driver vfs --signature-policy $(shell pwd)/tests/policy.json --registries-conf $(shell pwd)/tests/registries.conf
+	$(GO_TEST) -v -tags "$(STORAGETAGS) $(SECURITYTAGS)" $(RACEFLAGS) ./cmd/buildah -args --root $$tmp/root --runroot $$tmp/runroot --storage-driver vfs --signature-policy $(shell pwd)/tests/policy.json --registries-conf $(shell pwd)/tests/registries.conf
 
 vendor-in-container:
-	podman run --privileged --rm --env HOME=/root -v `pwd`:/src -w /src docker.io/library/golang:1.16 make vendor
+	podman run --privileged --rm --env HOME=/root -v `pwd`:/src -w /src docker.io/library/golang:1.22 make vendor
 
 .PHONY: vendor
 vendor:

add.go

@@ -4,7 +4,6 @@ import (
 	"archive/tar"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"net/http"
 	"net/url"
 	"os"
@@ -22,7 +21,7 @@ import (
 	"github.com/containers/storage/pkg/fileutils"
 	"github.com/containers/storage/pkg/idtools"
 	"github.com/hashicorp/go-multierror"
-	"github.com/opencontainers/runc/libcontainer/userns"
+	"github.com/moby/sys/userns"
 	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -115,7 +114,7 @@ func getURL(src string, chown *idtools.IDPair, mountpoint, renameTarget string,
 	if size < 0 {
 		// Create a temporary file and copy the content to it, so that
 		// we can figure out how much content there is.
-		f, err := ioutil.TempFile(mountpoint, "download")
+		f, err := os.CreateTemp(mountpoint, "download")
 		if err != nil {
 			return errors.Wrapf(err, "error creating temporary file to hold %q", src)
 		}
@@ -604,7 +603,7 @@ func (b *Builder) userForRun(mountPoint string, userspec string) (specs.User, st
 	if !strings.Contains(userspec, ":") {
 		groups, err2 := chrootuser.GetAdditionalGroupsForUser(mountPoint, uint64(u.UID))
 		if err2 != nil {
-			if errors.Cause(err2) != chrootuser.ErrNoSuchUser && err == nil {
+			if !errors.Is(errors.Cause(err2), chrootuser.ErrNoSuchUser) && err == nil {
 				err = err2
 			}
 		} else {

buildah.go

@@ -5,7 +5,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"sort"
@@ -402,7 +401,7 @@ func OpenBuilder(store storage.Store, container string) (*Builder, error) {
 	if err != nil {
 		return nil, err
 	}
-	buildstate, err := ioutil.ReadFile(filepath.Join(cdir, stateFile))
+	buildstate, err := os.ReadFile(filepath.Join(cdir, stateFile))
 	if err != nil {
 		return nil, err
 	}
@@ -444,7 +443,7 @@ func OpenBuilderByPath(store storage.Store, path string) (*Builder, error) {
 		if err != nil {
 			return nil, err
 		}
-		buildstate, err := ioutil.ReadFile(filepath.Join(cdir, stateFile))
+		buildstate, err := os.ReadFile(filepath.Join(cdir, stateFile))
 		if err != nil {
 			if os.IsNotExist(err) {
 				logrus.Debugf("error reading %q: %v, ignoring container %q", filepath.Join(cdir, stateFile), err, container.ID)
@@ -481,7 +480,7 @@ func OpenAllBuilders(store storage.Store) (builders []*Builder, err error) {
 		if err != nil {
 			return nil, err
 		}
-		buildstate, err := ioutil.ReadFile(filepath.Join(cdir, stateFile))
+		buildstate, err := os.ReadFile(filepath.Join(cdir, stateFile))
 		if err != nil {
 			if os.IsNotExist(err) {
 				logrus.Debugf("error reading %q: %v, ignoring container %q", filepath.Join(cdir, stateFile), err, container.ID)

changelog.txt

@@ -1,3 +1,32 @@
+- Changelog for v1.26.10 (2025-12-09)
+  * Bump minimum to golang 1.22.6
+  * Bump CI environment to match release-1.39
+  * Bump x/tools to v0.26.0
+  * Proxy module access
+  * util.SortMounts(): make the returned order more stable
+  * Bump runc to v1.2.9
+  * Handle Cobra v1.5 -> v1.8 behavior changes
+  * vendor: switch to moby/sys/capability
+  * Don't set ambient capabilities
+  * Integration tests: run git daemon on a random-but-bind()able port
+  * run: handle relabeling bind mounts ourselves
+  * Add a dummy "runtime" that just dumps its config file
+  * runUsingRuntime: use named constants for runtime states
+  * buildah-build(1): clarify that --cgroup-parent affects RUN instructions
+  * CI: switch to debian for testing there
+  * Adjust tests for new CI environment
+  * Update the selinux spc test
+  * Temporarily hard-skip bud-multiple-platform-values test
+  * Skip bud with --cpu-shares test on runc/cgroupsv2
+  * Remove -cover flag from test-unit target
+  * tests/tools: update ginkgo and golangci-lint
+  * Stop checking spec file version
+  * Fix linter errors
+  * Stop setting "parent" in docker format
+  * commit: set "parent" for docker format only when requested
+  * Builder.SetWorkDir(): trim off a path separator suffix, if there is one
+  * main: check for ExitErrors that use standard library wrapping
+
 - Changelog for v1.26.9 (2025-01-24)
   * Add build-tag comments
   * Fix cache locks with multiple mounts

chroot/run.go

@@ -7,7 +7,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"os"
 	"os/exec"
 	"os/signal"
@@ -18,20 +17,20 @@ import (
 	"sync"
 	"syscall"
 	"time"
-	"unsafe"
 
 	"github.com/containers/buildah/bind"
 	"github.com/containers/buildah/copier"
+	"github.com/containers/buildah/internal/pty"
 	"github.com/containers/buildah/util"
 	"github.com/containers/storage/pkg/ioutils"
 	"github.com/containers/storage/pkg/mount"
 	"github.com/containers/storage/pkg/reexec"
 	"github.com/containers/storage/pkg/unshare"
+	"github.com/moby/sys/capability"
 	"github.com/opencontainers/runc/libcontainer/apparmor"
 	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
-	"github.com/syndtr/gocapability/capability"
 	"golang.org/x/sys/unix"
 	"golang.org/x/term"
 )
@@ -246,39 +245,11 @@ func runUsingChrootMain() {
 	var stderr io.Writer
 	fdDesc := make(map[int]string)
 	if options.Spec.Process.Terminal {
-		// Create a pseudo-terminal -- open a copy of the master side.
-		ptyMasterFd, err := unix.Open("/dev/ptmx", os.O_RDWR, 0600)
+		ptyMasterFd, ptyFd, err := pty.GetPtyDescriptors()
 		if err != nil {
-			logrus.Errorf("error opening PTY master using /dev/ptmx: %v", err)
+			logrus.Errorf("error opening PTY descriptors: %v", err)
 			os.Exit(1)
 		}
-		// Set the kernel's lock to "unlocked".
-		locked := 0
-		if result, _, err := unix.Syscall(unix.SYS_IOCTL, uintptr(ptyMasterFd), unix.TIOCSPTLCK, uintptr(unsafe.Pointer(&locked))); int(result) == -1 {
-			logrus.Errorf("error unlocking PTY descriptor: %v", err)
-			os.Exit(1)
-		}
-		// Get a handle for the other end.
-		ptyFd, _, err := unix.Syscall(unix.SYS_IOCTL, uintptr(ptyMasterFd), unix.TIOCGPTPEER, unix.O_RDWR|unix.O_NOCTTY)
-		if int(ptyFd) == -1 {
-			if errno, isErrno := err.(syscall.Errno); !isErrno || (errno != syscall.EINVAL && errno != syscall.ENOTTY) {
-				logrus.Errorf("error getting PTY descriptor: %v", err)
-				os.Exit(1)
-			}
-			// EINVAL means the kernel's too old to understand TIOCGPTPEER.  Try TIOCGPTN.
-			ptyN, err := unix.IoctlGetInt(ptyMasterFd, unix.TIOCGPTN)
-			if err != nil {
-				logrus.Errorf("error getting PTY number: %v", err)
-				os.Exit(1)
-			}
-			ptyName := fmt.Sprintf("/dev/pts/%d", ptyN)
-			fd, err := unix.Open(ptyName, unix.O_RDWR|unix.O_NOCTTY, 0620)
-			if err != nil {
-				logrus.Errorf("error opening PTY %q: %v", ptyName, err)
-				os.Exit(1)
-			}
-			ptyFd = uintptr(fd)
-		}
 		// Make notes about what's going where.
 		relays[ptyMasterFd] = unix.Stdout
 		relays[unix.Stdin] = ptyMasterFd
@@ -303,19 +274,19 @@ func runUsingChrootMain() {
 			}
 		}
 		if winsize.Row != 0 && winsize.Col != 0 {
-			if err = unix.IoctlSetWinsize(int(ptyFd), unix.TIOCSWINSZ, winsize); err != nil {
+			if err = unix.IoctlSetWinsize(ptyFd, unix.TIOCSWINSZ, winsize); err != nil {
 				logrus.Warnf("error setting terminal size for pty")
 			}
 			// FIXME - if we're connected to a terminal, we should
 			// be passing the updated terminal size down when we
 			// receive a SIGWINCH.
 		}
 		// Open an *os.File object that we can pass to our child.
-		ctty = os.NewFile(ptyFd, "/dev/tty")
+		ctty = os.NewFile(uintptr(ptyFd), "/dev/tty")
 		// Set ownership for the PTY.
 		if err = ctty.Chown(rootUID, rootGID); err != nil {
 			var cttyInfo unix.Stat_t
-			err2 := unix.Fstat(int(ptyFd), &cttyInfo)
+			err2 := unix.Fstat(ptyFd, &cttyInfo)
 			from := ""
 			op := "setting"
 			if err2 == nil {
@@ -782,7 +753,7 @@ func runUsingChrootExecMain() {
 			os.Exit(1)
 		}
 	} else {
-		setgroups, _ := ioutil.ReadFile("/proc/self/setgroups")
+		setgroups, _ := os.ReadFile("/proc/self/setgroups")
 		if strings.Trim(string(setgroups), "\n") != "deny" {
 			logrus.Debugf("clearing supplemental groups")
 			if err = syscall.Setgroups([]int{}); err != nil {
@@ -944,9 +915,9 @@ func setCapabilities(spec *specs.Spec, keepCaps ...string) error {
 		capability.EFFECTIVE:   spec.Process.Capabilities.Effective,
 		capability.INHERITABLE: []string{},
 		capability.PERMITTED:   spec.Process.Capabilities.Permitted,
-		capability.AMBIENT:     spec.Process.Capabilities.Ambient,
+		capability.AMBIENT:     {},
 	}
-	knownCaps := capability.List()
+	knownCaps := capability.ListKnown()
 	noCap := capability.Cap(-1)
 	for capType, capList := range capMap {
 		for _, capToSet := range capList {
@@ -1153,9 +1124,9 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
 		if err := unix.Mount(m.Mountpoint, subSys, "bind", sysFlags, ""); err != nil {
 			msg := fmt.Sprintf("could not bind mount %q, skipping: %v", m.Mountpoint, err)
 			if strings.HasPrefix(m.Mountpoint, "/sys") {
-				logrus.Infof(msg)
+				logrus.Infof("%s", msg)
 			} else {
-				logrus.Warningf(msg)
+				logrus.Warningf("%s", msg)
 			}
 			continue
 		}

chroot/run_test.go

@@ -7,7 +7,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"strconv"
@@ -42,9 +41,9 @@ func testMinimal(t *testing.T, modify func(g *generate.Generator, rootDir, bundl
 		t.Fatalf("setupSeccomp(%q): %v", "", err)
 	}
 
-	tempDir, err := ioutil.TempDir("", "chroot-test")
+	tempDir, err := os.MkdirTemp("", "chroot-test")
 	if err != nil {
-		t.Fatalf("ioutil.TempDir(%q, %q): %v", "", "chrootTest", err)
+		t.Fatalf("os.MkdirTemp(%q, %q): %v", "", "chrootTest", err)
 	}
 	defer os.RemoveAll(tempDir)
 	info, err := os.Stat(tempDir)

chroot/seccomp.go

@@ -3,7 +3,7 @@
 package chroot
 
 import (
-	"io/ioutil"
+	"os"
 
 	"github.com/containers/common/pkg/seccomp"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
@@ -186,7 +186,7 @@ func setupSeccomp(spec *specs.Spec, seccompProfilePath string) error {
 		}
 		spec.Linux.Seccomp = seccompConfig
 	default:
-		seccompProfile, err := ioutil.ReadFile(seccompProfilePath)
+		seccompProfile, err := os.ReadFile(seccompProfilePath)
 		if err != nil {
 			return errors.Wrapf(err, "opening seccomp profile (%s) failed", seccompProfilePath)
 		}

chroot/selinux.go

@@ -3,19 +3,19 @@
 package chroot
 
 import (
+	"fmt"
+
 	"github.com/opencontainers/runtime-spec/specs-go"
 	selinux "github.com/opencontainers/selinux/go-selinux"
-	"github.com/opencontainers/selinux/go-selinux/label"
-	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 )
 
 // setSelinuxLabel sets the process label for child processes that we'll start.
 func setSelinuxLabel(spec *specs.Spec) error {
 	logrus.Debugf("setting selinux label")
 	if spec.Process.SelinuxLabel != "" && selinux.GetEnabled() {
-		if err := label.SetProcessLabel(spec.Process.SelinuxLabel); err != nil {
-			return errors.Wrapf(err, "error setting process label to %q", spec.Process.SelinuxLabel)
+		if err := selinux.SetExecLabel(spec.Process.SelinuxLabel); err != nil {
+			return fmt.Errorf("setting process label to %q: %w", spec.Process.SelinuxLabel, err)
 		}
 	}
 	return nil