Update to runc main, removing pin to an older version

We were pinned to a specific commit to ensure that tests kept
passing. Hopefully they pass now, as we need to grab latest runc
for CVE fixes.

Also grab Buildah main to fix a build issue on FreeBSD. After a
botched manual vendor, I used Ed's treadmill script and squashed
it into this commit to make Git happy. Thanks bunches Ed.

Signed-off-by: Matt Heon <mheon@redhat.com>

vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpu.go

@@ -94,14 +94,6 @@ func (s *CpuGroup) Set(path string, r *configs.Resources) error {
 			}
 		}
 	}
-
-	if r.CPUIdle != nil {
-		idle := strconv.FormatInt(*r.CPUIdle, 10)
-		if err := cgroups.WriteFile(path, "cpu.idle", idle); err != nil {
-			return err
-		}
-	}
-
 	return s.SetRtSched(path, r)
 }
 

vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpuset.go

@@ -195,7 +195,7 @@ func cpusetEnsureParent(current string) error {
 	}
 	// Treat non-existing directory as cgroupfs as it will be created,
 	// and the root cpuset directory obviously exists.
-	if err != nil && err != unix.ENOENT {
+	if err != nil && err != unix.ENOENT { //nolint:errorlint // unix errors are bare
 		return &os.PathError{Op: "statfs", Path: parent, Err: err}
 	}
 

vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/devices.go

@@ -1,11 +1,20 @@
 package fs
 
 import (
+	"bytes"
+	"errors"
+	"reflect"
+
 	"github.com/opencontainers/runc/libcontainer/cgroups"
+	cgroupdevices "github.com/opencontainers/runc/libcontainer/cgroups/devices"
 	"github.com/opencontainers/runc/libcontainer/configs"
+	"github.com/opencontainers/runc/libcontainer/devices"
+	"github.com/opencontainers/runc/libcontainer/userns"
 )
 
-type DevicesGroup struct{}
+type DevicesGroup struct {
+	TestingSkipFinalCheck bool
+}
 
 func (s *DevicesGroup) Name() string {
 	return "devices"
@@ -24,14 +33,75 @@ func (s *DevicesGroup) Apply(path string, r *configs.Resources, pid int) error {
 	return apply(path, pid)
 }
 
-func (s *DevicesGroup) Set(path string, r *configs.Resources) error {
-	if cgroups.DevicesSetV1 == nil {
-		if len(r.Devices) == 0 {
-			return nil
-		}
-		return cgroups.ErrDevicesUnsupported
+func loadEmulator(path string) (*cgroupdevices.Emulator, error) {
+	list, err := cgroups.ReadFile(path, "devices.list")
+	if err != nil {
+		return nil, err
 	}
-	return cgroups.DevicesSetV1(path, r)
+	return cgroupdevices.EmulatorFromList(bytes.NewBufferString(list))
+}
+
+func buildEmulator(rules []*devices.Rule) (*cgroupdevices.Emulator, error) {
+	// This defaults to a white-list -- which is what we want!
+	emu := &cgroupdevices.Emulator{}
+	for _, rule := range rules {
+		if err := emu.Apply(*rule); err != nil {
+			return nil, err
+		}
+	}
+	return emu, nil
+}
+
+func (s *DevicesGroup) Set(path string, r *configs.Resources) error {
+	if userns.RunningInUserNS() || r.SkipDevices {
+		return nil
+	}
+
+	// Generate two emulators, one for the current state of the cgroup and one
+	// for the requested state by the user.
+	current, err := loadEmulator(path)
+	if err != nil {
+		return err
+	}
+	target, err := buildEmulator(r.Devices)
+	if err != nil {
+		return err
+	}
+
+	// Compute the minimal set of transition rules needed to achieve the
+	// requested state.
+	transitionRules, err := current.Transition(target)
+	if err != nil {
+		return err
+	}
+	for _, rule := range transitionRules {
+		file := "devices.deny"
+		if rule.Allow {
+			file = "devices.allow"
+		}
+		if err := cgroups.WriteFile(path, file, rule.CgroupString()); err != nil {
+			return err
+		}
+	}
+
+	// Final safety check -- ensure that the resulting state is what was
+	// requested. This is only really correct for white-lists, but for
+	// black-lists we can at least check that the cgroup is in the right mode.
+	//
+	// This safety-check is skipped for the unit tests because we cannot
+	// currently mock devices.list correctly.
+	if !s.TestingSkipFinalCheck {
+		currentAfter, err := loadEmulator(path)
+		if err != nil {
+			return err
+		}
+		if !target.IsBlacklist() && !reflect.DeepEqual(currentAfter, target) {
+			return errors.New("resulting devices cgroup doesn't precisely match target")
+		} else if target.IsBlacklist() != currentAfter.IsBlacklist() {
+			return errors.New("resulting devices cgroup doesn't match target mode")
+		}
+	}
+	return nil
 }
 
 func (s *DevicesGroup) GetStats(path string, stats *cgroups.Stats) error {

vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/fs.go

@@ -54,13 +54,13 @@ type subsystem interface {
 	Set(path string, r *configs.Resources) error
 }
 
-type Manager struct {
+type manager struct {
 	mu      sync.Mutex
 	cgroups *configs.Cgroup
 	paths   map[string]string
 }
 
-func NewManager(cg *configs.Cgroup, paths map[string]string) (*Manager, error) {
+func NewManager(cg *configs.Cgroup, paths map[string]string) (cgroups.Manager, error) {
 	// Some v1 controllers (cpu, cpuset, and devices) expect
 	// cgroups.Resources to not be nil in Apply.
 	if cg.Resources == nil {
@@ -78,7 +78,7 @@ func NewManager(cg *configs.Cgroup, paths map[string]string) (*Manager, error) {
 		}
 	}
 
-	return &Manager{
+	return &manager{
 		cgroups: cg,
 		paths:   paths,
 	}, nil
@@ -105,7 +105,7 @@ func isIgnorableError(rootless bool, err error) bool {
 	return false
 }
 
-func (m *Manager) Apply(pid int) (err error) {
+func (m *manager) Apply(pid int) (err error) {
 	m.mu.Lock()
 	defer m.mu.Unlock()
 
@@ -139,19 +139,19 @@ func (m *Manager) Apply(pid int) (err error) {
 	return nil
 }
 
-func (m *Manager) Destroy() error {
+func (m *manager) Destroy() error {
 	m.mu.Lock()
 	defer m.mu.Unlock()
 	return cgroups.RemovePaths(m.paths)
 }
 
-func (m *Manager) Path(subsys string) string {
+func (m *manager) Path(subsys string) string {
 	m.mu.Lock()
 	defer m.mu.Unlock()
 	return m.paths[subsys]
 }
 
-func (m *Manager) GetStats() (*cgroups.Stats, error) {
+func (m *manager) GetStats() (*cgroups.Stats, error) {
 	m.mu.Lock()
 	defer m.mu.Unlock()
 	stats := cgroups.NewStats()
@@ -167,7 +167,7 @@ func (m *Manager) GetStats() (*cgroups.Stats, error) {
 	return stats, nil
 }
 
-func (m *Manager) Set(r *configs.Resources) error {
+func (m *manager) Set(r *configs.Resources) error {
 	if r == nil {
 		return nil
 	}
@@ -183,7 +183,7 @@ func (m *Manager) Set(r *configs.Resources) error {
 		if err := sys.Set(path, r); err != nil {
 			// When rootless is true, errors from the device subsystem
 			// are ignored, as it is really not expected to work.
-			if m.cgroups.Rootless && sys.Name() == "devices" && !errors.Is(err, cgroups.ErrDevicesUnsupported) {
+			if m.cgroups.Rootless && sys.Name() == "devices" {
 				continue
 			}
 			// However, errors from other subsystems are not ignored.
@@ -202,7 +202,7 @@ func (m *Manager) Set(r *configs.Resources) error {
 
 // Freeze toggles the container's freezer cgroup depending on the state
 // provided
-func (m *Manager) Freeze(state configs.FreezerState) error {
+func (m *manager) Freeze(state configs.FreezerState) error {
 	path := m.Path("freezer")
 	if path == "" {
 		return errors.New("cannot toggle freezer: cgroups not configured for container")
@@ -218,25 +218,25 @@ func (m *Manager) Freeze(state configs.FreezerState) error {
 	return nil
 }
 
-func (m *Manager) GetPids() ([]int, error) {
+func (m *manager) GetPids() ([]int, error) {
 	return cgroups.GetPids(m.Path("devices"))
 }
 
-func (m *Manager) GetAllPids() ([]int, error) {
+func (m *manager) GetAllPids() ([]int, error) {
 	return cgroups.GetAllPids(m.Path("devices"))
 }
 
-func (m *Manager) GetPaths() map[string]string {
+func (m *manager) GetPaths() map[string]string {
 	m.mu.Lock()
 	defer m.mu.Unlock()
 	return m.paths
 }
 
-func (m *Manager) GetCgroups() (*configs.Cgroup, error) {
+func (m *manager) GetCgroups() (*configs.Cgroup, error) {
 	return m.cgroups, nil
 }
 
-func (m *Manager) GetFreezerState() (configs.FreezerState, error) {
+func (m *manager) GetFreezerState() (configs.FreezerState, error) {
 	dir := m.Path("freezer")
 	// If the container doesn't have the freezer cgroup, say it's undefined.
 	if dir == "" {
@@ -246,7 +246,7 @@ func (m *Manager) GetFreezerState() (configs.FreezerState, error) {
 	return freezer.GetState(dir)
 }
 
-func (m *Manager) Exists() bool {
+func (m *manager) Exists() bool {
 	return cgroups.PathExists(m.Path("devices"))
 }
 
@@ -254,7 +254,7 @@ func OOMKillCount(path string) (uint64, error) {
 	return fscommon.GetValueByKey(path, "memory.oom_control", "oom_kill")
 }
 
-func (m *Manager) OOMKillCount() (uint64, error) {
+func (m *manager) OOMKillCount() (uint64, error) {
 	c, err := OOMKillCount(m.Path("memory"))
 	// Ignore ENOENT when rootless as it couldn't create cgroup.
 	if err != nil && m.cgroups.Rootless && os.IsNotExist(err) {

vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/hugetlb.go

@@ -1,6 +1,8 @@
 package fs
 
 import (
+	"errors"
+	"os"
 	"strconv"
 
 	"github.com/opencontainers/runc/libcontainer/cgroups"
@@ -19,8 +21,23 @@ func (s *HugetlbGroup) Apply(path string, _ *configs.Resources, pid int) error {
 }
 
 func (s *HugetlbGroup) Set(path string, r *configs.Resources) error {
+	const suffix = ".limit_in_bytes"
+	skipRsvd := false
+
 	for _, hugetlb := range r.HugetlbLimit {
-		if err := cgroups.WriteFile(path, "hugetlb."+hugetlb.Pagesize+".limit_in_bytes", strconv.FormatUint(hugetlb.Limit, 10)); err != nil {
+		prefix := "hugetlb." + hugetlb.Pagesize
+		val := strconv.FormatUint(hugetlb.Limit, 10)
+		if err := cgroups.WriteFile(path, prefix+suffix, val); err != nil {
+			return err
+		}
+		if skipRsvd {
+			continue
+		}
+		if err := cgroups.WriteFile(path, prefix+".rsvd"+suffix, val); err != nil {
+			if errors.Is(err, os.ErrNotExist) {
+				skipRsvd = true
+				continue
+			}
 			return err
 		}
 	}
@@ -32,24 +49,29 @@ func (s *HugetlbGroup) GetStats(path string, stats *cgroups.Stats) error {
 	if !cgroups.PathExists(path) {
 		return nil
 	}
+	rsvd := ".rsvd"
 	hugetlbStats := cgroups.HugetlbStats{}
 	for _, pageSize := range cgroups.HugePageSizes() {
-		usage := "hugetlb." + pageSize + ".usage_in_bytes"
-		value, err := fscommon.GetCgroupParamUint(path, usage)
+	again:
+		prefix := "hugetlb." + pageSize + rsvd
+
+		value, err := fscommon.GetCgroupParamUint(path, prefix+".usage_in_bytes")
 		if err != nil {
+			if rsvd != "" && errors.Is(err, os.ErrNotExist) {
+				rsvd = ""
+				goto again
+			}
 			return err
 		}
 		hugetlbStats.Usage = value
 
-		maxUsage := "hugetlb." + pageSize + ".max_usage_in_bytes"
-		value, err = fscommon.GetCgroupParamUint(path, maxUsage)
+		value, err = fscommon.GetCgroupParamUint(path, prefix+".max_usage_in_bytes")
 		if err != nil {
 			return err
 		}
 		hugetlbStats.MaxUsage = value
 
-		failcnt := "hugetlb." + pageSize + ".failcnt"
-		value, err = fscommon.GetCgroupParamUint(path, failcnt)
+		value, err = fscommon.GetCgroupParamUint(path, prefix+".failcnt")
 		if err != nil {
 			return err
 		}

vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/memory.go

@@ -170,6 +170,10 @@ func (s *MemoryGroup) GetStats(path string, stats *cgroups.Stats) error {
 		return err
 	}
 	stats.MemoryStats.SwapUsage = swapUsage
+	stats.MemoryStats.SwapOnlyUsage = cgroups.MemoryData{
+		Usage:   swapUsage.Usage - memoryUsage.Usage,
+		Failcnt: swapUsage.Failcnt - memoryUsage.Failcnt,
+	}
 	kernelUsage, err := getMemoryData(path, "kmem")
 	if err != nil {
 		return err
@@ -234,6 +238,12 @@ func getMemoryData(path, name string) (cgroups.MemoryData, error) {
 	memoryData.Failcnt = value
 	value, err = fscommon.GetCgroupParamUint(path, limit)
 	if err != nil {
+		if name == "kmem" && os.IsNotExist(err) {
+			// Ignore ENOENT as kmem.limit_in_bytes has
+			// been removed in newer kernels.
+			return memoryData, nil
+		}
+
 		return cgroups.MemoryData{}, err
 	}
 	memoryData.Limit = value

vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/paths.go

@@ -165,8 +165,9 @@ func subsysPath(root, inner, subsystem string) (string, error) {
 		return filepath.Join(root, filepath.Base(mnt), inner), nil
 	}
 
-	// Use GetOwnCgroupPath for dind-like cases, when cgroupns is not
-	// available. This is ugly.
+	// Use GetOwnCgroupPath instead of GetInitCgroupPath, because the creating
+	// process could in container and shared pid namespace with host, and
+	// /proc/1/cgroup could point to whole other world of cgroups.
 	parentPath, err := cgroups.GetOwnCgroupPath(subsystem)
 	if err != nil {
 		return "", err