opencontainers / runc

CLI tool for spawning and running containers according to the OCI specification
https://www.opencontainers.org/
Apache License 2.0

ci/gha: switch to ubuntu 24.04 #4286

Closed kolyshkin closed 4 weeks ago

kolyshkin commented 1 month ago

Let's replace ubuntu-22.04 with ubuntu-24.04 where we can, and keep ubuntu-20.04 to test cgroup v1 stuff.

Leave ubuntu-22.04 for these jobs only:

These issues can be addressed separately later.

The only kludge we have to add is to enable userns for the runc binary being tested (as userns is disabled by apparmor system-wide by default now, see [1]).

[1] https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions-15

kolyshkin commented 1 month ago

root integration tests have 2 failures, reproduced locally:

scheduler.bats
 ✓ scheduler is applied
 ✗ scheduler vs cpus
   (in test file tests/integration/scheduler.bats, line 33)
     `[ "$status" -eq 1 ]' failed
   runc spec (status=0):

   runc run -d --console-socket /tmp/bats-run-X1CKVR/runc.ewU637/tty/sock test_scheduler (status=0):

and

no_pivot.bats
 ✗ runc run --no-pivot must not expose bare /proc
   (in test file tests/integration/no_pivot.bats, line 22)
     `[[ "$output" == *"mount: permission denied"* ]]' failed
   runc spec (status=0):

   runc run --no-pivot test_no_pivot (status=1):
   unshare: can't open '/proc/self/setgroups': Permission denied

kolyshkin commented 1 month ago

root integration tests have 2 failures, reproduced locally:

scheduler.bats
 ✓ scheduler is applied
 ✗ scheduler vs cpus
   (in test file tests/integration/scheduler.bats, line 33)
     `[ "$status" -eq 1 ]' failed
   runc spec (status=0):

   runc run -d --console-socket /tmp/bats-run-X1CKVR/runc.ewU637/tty/sock test_scheduler (status=0):

This was a mistake, it only failed locally and only because I ran a UP (not SMP) VM. Should be fixed by #4298.

no_pivot.bats
 ✗ runc run --no-pivot must not expose bare /proc
   (in test file tests/integration/no_pivot.bats, line 22)
     `[[ "$output" == *"mount: permission denied"* ]]' failed
   runc spec (status=0):

   runc run --no-pivot test_no_pivot (status=1):
   unshare: can't open '/proc/self/setgroups': Permission denied

This is caused by the Ubuntu 24.04 default apparmor profile restricting user namespaces (https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890). The fix is to add a profile for the binary being tested (can copy that from /etc/apparmor.d/runc, changing the path to the binary (s|/usr/sbin/runc|$PWD/runc|) and loading the new profile).
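
The profile-copying fix described in the comment above, written out as a small script. This is an added example, not code from the runc PR or repository; it assumes the Ubuntu 24.04 profile at /etc/apparmor.d/runc has the shape shown in the constructed sample, and it additionally renames the copy to runc-test so that loading it does not replace the distro's own profile.

```shell
#!/usr/bin/env bash
# Added example, not code from the runc PR: build an AppArmor profile that grants
# unprivileged user namespaces to a runc binary under test, following the
# approach described above (copy /etc/apparmor.d/runc, rewrite the binary path).
set -eu
# Rewrite a distro profile so it attaches to the binary under test.
#   $1 source profile   $2 absolute path of the binary under test   $3 output file
# The profile is also renamed runc -> runc-test (an added precaution, not part of
# the comment above) so loading it does not replace the distro's own runc profile.
make_test_profile() {
    local src="$1" bin="$2" out="$3"
    case "$bin" in
        /*) ;;
        *) echo "binary path must be absolute: $bin" >&2; return 1 ;;
    esac
    sed -e "s|/usr/sbin/runc|$bin|g" \
        -e 's|^profile runc |profile runc-test |' \
        -e 's|<local/runc>|<local/runc-test>|' "$src" > "$out"
    # The rewritten profile must still carry the userns rule, or loading it
    # would not lift the restriction at all.
    grep -q '^[[:space:]]*userns,' "$out"
}
# Install the profile and load it into the kernel (needs root and apparmor_parser).
load_test_profile() {
    sudo install -m 0644 "$1" /etc/apparmor.d/runc-test
    sudo apparmor_parser -r /etc/apparmor.d/runc-test
}
# Dry run on a constructed profile shaped like Ubuntu 24.04's /etc/apparmor.d/runc
# (shape assumed); prints the result without touching the system.
demo() {
    local tmp; tmp=$(mktemp -d)
    cat > "$tmp/runc" <<'EOF'
abi <abi/4.0>,
include <tunables/global>
profile runc /usr/sbin/runc flags=(unconfined) {
  userns,
  include if exists <local/runc>
}
EOF
    make_test_profile "$tmp/runc" /opt/ci/runc "$tmp/runc-test"
    cat "$tmp/runc-test"
}
demo
# Real run against the system profile: RUNC_BIN=$PWD/runc ./make-runc-profile.sh
if [ -n "${RUNC_BIN:-}" ]; then
    make_test_profile /etc/apparmor.d/runc "$RUNC_BIN" /tmp/runc-test.profile
    load_test_profile /tmp/runc-test.profile
fi
```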

kolyshkin commented 4 weeks ago

No longer a draft; PTAL @opencontainers/runc-maintainers

Never mind

kolyshkin commented 4 weeks ago

we'll have to adjust the list of required checks; perhaps to transition we should temporarily not mark 22.04 as "required" (otherwise existing PRs would never finish 🤔)

Yes, I always take care of it once a PR (such as this one) is merged.