Merge branch 'main' into criu-nits

kolyshkin · web-flow · commit ec597cde01c1 · 2025-05-20T16:56:28.000-07:00
diff --git a/.github/workflows/scheduled.yml b/.github/workflows/scheduled.yml
@@ -0,0 +1,35 @@
+# This enables periodical execution of CI jobs in branches we maintain.
+#
+# CI jobs are triggered through here (instead of adding "schedule:" to the
+# appropriate files) because scheduled jobs are only run on the main branch.
+# In other words, it's a way to run periodical CI for other branches.
+
+name: scheduled
+on:
+  schedule:
+    # Runs at 00:00 UTC every Sunday, Tuesday, Thursday.
+    - cron: '0 0 * * 0,2,4'
+  workflow_dispatch:
+permissions:
+  contents: read
+  actions: write
+
+jobs:
+  trigger-workflow:
+    strategy:
+      matrix:
+        branch: ["main", "release-1.3"]
+        wf_id: ["validate.yml", "test.yml"]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Trigger ${{ matrix.wf_id }} workflow on ${{ matrix.branch}} branch
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            await github.rest.actions.createWorkflowDispatch({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              workflow_id: '${{ matrix.wf_id }}',
+              ref: '${{ matrix.branch }}'
+            });
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -10,6 +10,7 @@ on:
       - main
       - release-*
   pull_request:
+  workflow_dispatch:
 permissions:
   contents: read
 
@@ -32,12 +33,12 @@ jobs:
           # Disable most of criu-dev jobs, as they are expensive
           # (need to compile criu) and don't add much value/coverage.
           - criu: criu-dev
-            go-version: 1.22.x
+            go-version: 1.23.x
           - criu: criu-dev
             rootless: rootless
           - criu: criu-dev
             race: -race
-          - go-version: 1.22.x
+          - go-version: 1.23.x
             os: actuated-arm64-6cpu-8gb
           - race: "-race"
             os: actuated-arm64-6cpu-8gb
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
@@ -7,6 +7,7 @@ on:
       - main
       - release-*
   pull_request:
+  workflow_dispatch:
 env:
   GO_VERSION: 1.24
 permissions:
@@ -157,22 +158,26 @@ jobs:
       contents: read
       pull-requests: read
     runs-on: ubuntu-24.04
-    # Only check commits on pull requests.
-    if: github.event_name == 'pull_request'
     steps:
       - name: get pr commits
+        if: github.event_name == 'pull_request' # Only check commits on pull requests.
         id: 'get-pr-commits'
         uses: tim-actions/get-pr-commits@v1.3.1
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: check subject line length
+        if: github.event_name == 'pull_request' # Only check commits on pull requests.
         uses: tim-actions/commit-message-checker-with-regex@v0.3.2
         with:
           commits: ${{ steps.get-pr-commits.outputs.commits }}
           pattern: '^.{0,72}(\n.*)*$'
           error: 'Subject too long (max 72)'
 
+      - name: succeed (not a PR) # Allow all-done to succeed for non-PRs.
+        if: github.event_name != 'pull_request'
+        run: echo "Nothing to check here."
+
   cfmt:
     runs-on: ubuntu-24.04
     steps:
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
@@ -215,6 +215,18 @@ func prepareRootfs(pipe *syncSocket, iConfig *initConfig) (err error) {
 		return fmt.Errorf("error jailing process inside rootfs: %w", err)
 	}
 
+	// Apply root mount propagation flags.
+	// This must be done after pivot_root/chroot because the mount propagation flag is applied
+	// to the current root ("/"), and not to the old rootfs before it becomes "/". Applying the
+	// flag in prepareRoot would affect the host mount namespace if the container's
+	// root mount is shared.
+	// MS_PRIVATE is skipped as rootfsParentMountPrivate() is already called.
+	if config.RootPropagation != 0 && config.RootPropagation&unix.MS_PRIVATE == 0 {
+		if err := mount("", "/", "", uintptr(config.RootPropagation), ""); err != nil {
+			return fmt.Errorf("unable to apply root propagation flags: %w", err)
+		}
+	}
+
 	if setupDev {
 		if err := reOpenDevNull(); err != nil {
 			return fmt.Errorf("error reopening /dev/null inside container: %w", err)
diff --git a/tests/integration/mounts_propagation.bats b/tests/integration/mounts_propagation.bats
@@ -0,0 +1,22 @@
+#!/usr/bin/env bats
+
+load helpers
+
+function setup() {
+	requires root
+	setup_debian
+}
+
+function teardown() {
+	teardown_bundle
+}
+
+@test "runc run [rootfsPropagation shared]" {
+	update_config ' .linux.rootfsPropagation = "shared" '
+
+	update_config ' .process.args = ["findmnt", "--noheadings", "-o", "PROPAGATION", "/"] '
+
+	runc run test_shared_rootfs
+	[ "$status" -eq 0 ]
+	[ "$output" = "shared" ]
+}
