From ba9e60f7a8a05198bf7cc12a1eeb53a1eec8e7d2 Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin
Date: Fri, 5 Dec 2025 14:14:04 -0800
Subject: [PATCH 1/2] Remove crypto/tls dependency

It appears that when we import github.com/coreos/go-systemd/activation, it brings in the whole crypto/tls package (which is not used by runc directly or indirectly), making the runc binary size larger and potentially creating issues with FIPS compliance.

Let's copy the code of function we use from go-systemd/activation to avoid that.

The space savings are:

$ size runc.before runc.after
text data bss dec hex filename
7101084 5049593 271560 12422237 bd8c5d runc.before
6508796 4623281 229128 11361205 ad5bb5 runc.after

Reported-by: Dimitri John Ledkov
Signed-off-by: Kir Kolyshkin
---
 .../systemd}/activation/files_unix.go | 6 +-
 utils_linux.go | 2 +-
 .../v22/activation/files_windows.go | 21 ----
 .../go-systemd/v22/activation/listeners.go | 103 ------------------
 .../go-systemd/v22/activation/packetconns.go | 38 -------
 vendor/modules.txt | 1 -
 6 files changed, 6 insertions(+), 165 deletions(-)
 rename {vendor/github.com/coreos/go-systemd/v22 => internal/third_party/systemd}/activation/files_unix.go (88%)
 delete mode 100644 vendor/github.com/coreos/go-systemd/v22/activation/files_windows.go
 delete mode 100644 vendor/github.com/coreos/go-systemd/v22/activation/listeners.go
 delete mode 100644 vendor/github.com/coreos/go-systemd/v22/activation/packetconns.go

diff --git a/vendor/github.com/coreos/go-systemd/v22/activation/files_unix.go b/internal/third_party/systemd/activation/files_unix.go
similarity index 88%
rename from vendor/github.com/coreos/go-systemd/v22/activation/files_unix.go
rename to internal/third_party/systemd/activation/files_unix.go
index 7031f281a07..44d5e539ea6 100644
--- a/vendor/github.com/coreos/go-systemd/v22/activation/files_unix.go
+++ b/internal/third_party/systemd/activation/files_unix.go
@@ -15,6 +15,10 @@
 //go:build !windows
 
 // Package activation implements primitives for systemd socket activation.
+//
+// It is a partial copy of https://github.com/coreos/go-systemd/v22/activation
+// (https://github.com/coreos/go-systemd/blob/ce60782c0aabb616faa8e60f91e639d91f631e99/activation/files_unix.go),
+// to avoid bringing in crypto/tls dependency.
 package activation
 
 import (
@@ -51,7 +55,7 @@ func Files(unsetEnv bool) []*os.File {
 	}
 
 	nfds, err := strconv.Atoi(os.Getenv("LISTEN_FDS"))
-	if err != nil || nfds == 0 {
+	if err != nil || nfds <= 0 {
 		return nil
 	}
 
diff --git a/utils_linux.go b/utils_linux.go
index 6195a589851..04785af702f 100644
--- a/utils_linux.go
+++ b/utils_linux.go
@@ -9,7 +9,6 @@ import (
 	"path/filepath"
 	"strconv"
 
-	"github.com/coreos/go-systemd/v22/activation"
 	"github.com/opencontainers/runtime-spec/specs-go"
 	selinux "github.com/opencontainers/selinux/go-selinux"
 	"github.com/sirupsen/logrus"
@@ -17,6 +16,7 @@ import (
 	"golang.org/x/sys/unix"
 
 	"github.com/opencontainers/runc/internal/pathrs"
+	"github.com/opencontainers/runc/internal/third_party/systemd/activation"
 	"github.com/opencontainers/runc/libcontainer"
 	"github.com/opencontainers/runc/libcontainer/configs"
 	"github.com/opencontainers/runc/libcontainer/specconv"
diff --git a/vendor/github.com/coreos/go-systemd/v22/activation/files_windows.go b/vendor/github.com/coreos/go-systemd/v22/activation/files_windows.go
deleted file mode 100644
index d391bf00c5e..00000000000
--- a/vendor/github.com/coreos/go-systemd/v22/activation/files_windows.go
+++ /dev/null
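Review bot: The new package comment (`+// It is a partial copy of …`) presents this file as a copy pinned to upstream revision ce60782c, but the hunk at `@@ -51,7 +55,7 @@` already diverges from that revision (`nfds <= 0` in place of `nfds == 0`), so a later resync against the pinned file would silently drop the fix. I would record local changes next to the pin, e.g. `// Local changes: Files rejects a negative LISTEN_FDS (nfds <= 0).` Separately, nfds still has no upper bound; the rest of Files is outside the hunk, but if it sizes a slice from nfds as the upstream code does, a pathological LISTEN_FDS value drives an arbitrarily large allocation. Since the value is only honoured when LISTEN_PID matches the current pid, the invoker is already trusted here, so treat that as a robustness nit rather than a vulnerability. Files begins before the second hunk and continues after it.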
@@ -1,21 +0,0 @@
-// Copyright 2015 CoreOS, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package activation
-
-import "os"
-
-func Files(unsetEnv bool) []*os.File {
-	return nil
-}
diff --git a/vendor/github.com/coreos/go-systemd/v22/activation/listeners.go b/vendor/github.com/coreos/go-systemd/v22/activation/listeners.go
deleted file mode 100644
index 3dbe2b08776..00000000000
--- a/vendor/github.com/coreos/go-systemd/v22/activation/listeners.go
+++ /dev/null
@@ -1,103 +0,0 @@
-// Copyright 2015 CoreOS, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package activation
-
-import (
-	"crypto/tls"
-	"net"
-)
-
-// Listeners returns a slice containing a net.Listener for each matching socket type
-// passed to this process.
-//
-// The order of the file descriptors is preserved in the returned slice.
-// Nil values are used to fill any gaps. For example if systemd were to return file descriptors
-// corresponding with "udp, tcp, tcp", then the slice would contain {nil, net.Listener, net.Listener}
-func Listeners() ([]net.Listener, error) {
-	files := Files(true)
-	listeners := make([]net.Listener, len(files))
-
-	for i, f := range files {
-		if pc, err := net.FileListener(f); err == nil {
-			listeners[i] = pc
-			f.Close()
-		}
-	}
-	return listeners, nil
-}
-
-// ListenersWithNames maps a listener name to a set of net.Listener instances.
-func ListenersWithNames() (map[string][]net.Listener, error) {
-	files := Files(true)
-	listeners := map[string][]net.Listener{}
-
-	for _, f := range files {
-		if pc, err := net.FileListener(f); err == nil {
-			current, ok := listeners[f.Name()]
-			if !ok {
-				listeners[f.Name()] = []net.Listener{pc}
-			} else {
-				listeners[f.Name()] = append(current, pc)
-			}
-			f.Close()
-		}
-	}
-	return listeners, nil
-}
-
-// TLSListeners returns a slice containing a net.listener for each matching TCP socket type
-// passed to this process.
-// It uses default Listeners func and forces TCP sockets handlers to use TLS based on tlsConfig.
-func TLSListeners(tlsConfig *tls.Config) ([]net.Listener, error) {
-	listeners, err := Listeners()
-
-	if listeners == nil || err != nil {
-		return nil, err
-	}
-
-	if tlsConfig != nil {
-		for i, l := range listeners {
-			// Activate TLS only for TCP sockets
-			if l.Addr().Network() == "tcp" {
-				listeners[i] = tls.NewListener(l, tlsConfig)
-			}
-		}
-	}
-
-	return listeners, err
-}
-
-// TLSListenersWithNames maps a listener name to a net.Listener with
-// the associated TLS configuration.
-func TLSListenersWithNames(tlsConfig *tls.Config) (map[string][]net.Listener, error) {
-	listeners, err := ListenersWithNames()
-
-	if listeners == nil || err != nil {
-		return nil, err
-	}
-
-	if tlsConfig != nil {
-		for _, ll := range listeners {
-			// Activate TLS only for TCP sockets
-			for i, l := range ll {
-				if l.Addr().Network() == "tcp" {
-					ll[i] = tls.NewListener(l, tlsConfig)
-				}
-			}
-		}
-	}
-
-	return listeners, err
-}
diff --git a/vendor/github.com/coreos/go-systemd/v22/activation/packetconns.go b/vendor/github.com/coreos/go-systemd/v22/activation/packetconns.go
deleted file mode 100644
index a97206785a4..00000000000
--- a/vendor/github.com/coreos/go-systemd/v22/activation/packetconns.go
+++ /dev/null
@@ -1,38 +0,0 @@
-// Copyright 2015 CoreOS, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package activation
-
-import (
-	"net"
-)
-
-// PacketConns returns a slice containing a net.PacketConn for each matching socket type
-// passed to this process.
-//
-// The order of the file descriptors is preserved in the returned slice.
-// Nil values are used to fill any gaps. For example if systemd were to return file descriptors
-// corresponding with "udp, tcp, udp", then the slice would contain {net.PacketConn, nil, net.PacketConn}
-func PacketConns() ([]net.PacketConn, error) {
-	files := Files(true)
-	conns := make([]net.PacketConn, len(files))
-
-	for i, f := range files {
-		if pc, err := net.FilePacketConn(f); err == nil {
-			conns[i] = pc
-			f.Close()
-		}
-	}
-	return conns, nil
-}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 66eae80f57c..1824f87bf52 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -28,7 +28,6 @@ github.com/cilium/ebpf/link
 github.com/containerd/console
 # github.com/coreos/go-systemd/v22 v22.6.0
 ## explicit; go 1.23
-github.com/coreos/go-systemd/v22/activation
 github.com/coreos/go-systemd/v22/dbus
 # github.com/cpuguy83/go-md2man/v2 v2.0.7
 ## explicit; go 1.12

From 6ede5917612365b37a2395f02dcb522868840f05 Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin
Date: Fri, 5 Dec 2025 14:22:14 -0800
Subject: [PATCH 2/2] internal/systemd: simplify

Remove unused code and argument from the ActivationFiles, and simplify its usage.

Signed-off-by: Kir Kolyshkin
---
 .../third_party/systemd/activation/files_unix.go | 15 ++------------
 utils_linux.go | 8 +------
 2 files changed, 3 insertions(+), 20 deletions(-)

diff --git a/internal/third_party/systemd/activation/files_unix.go b/internal/third_party/systemd/activation/files_unix.go
index 44d5e539ea6..a1d9ebddf29 100644
--- a/internal/third_party/systemd/activation/files_unix.go
+++ b/internal/third_party/systemd/activation/files_unix.go
@@ -33,22 +33,11 @@ const (
 	listenFdsStart = 3
 )
 
-// Files returns a slice containing a `os.File` object for each
+// Files returns a slice containing a os.File object for each
 // file descriptor passed to this process via systemd fd-passing protocol.
 //
 // The order of the file descriptors is preserved in the returned slice.
-// `unsetEnv` is typically set to `true` in order to avoid clashes in
-// fd usage and to avoid leaking environment flags to child processes.
-func Files(unsetEnv bool) []*os.File {
-	if unsetEnv {
-		defer func() {
-			// Unsetenv implementation for unix never returns an error.
-			_ = os.Unsetenv("LISTEN_PID")
-			_ = os.Unsetenv("LISTEN_FDS")
-			_ = os.Unsetenv("LISTEN_FDNAMES")
-		}()
-	}
-
+func Files() []*os.File {
 	pid, err := strconv.Atoi(os.Getenv("LISTEN_PID"))
 	if err != nil || pid != os.Getpid() {
 		return nil
diff --git a/utils_linux.go b/utils_linux.go
index 04785af702f..d7f51e20216 100644
--- a/utils_linux.go
+++ b/utils_linux.go
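Review bot: The doc comment on `Files` no longer says what happens to the LISTEN_* variables, yet that is precisely where this copy now diverges from the upstream function the package comment points readers to: the removed `unsetEnv` path was the only code that cleared LISTEN_PID, LISTEN_FDS and LISTEN_FDNAMES, so after this hunk they always stay in the environment and presumably remain visible to any child started with an inherited environment. I would state that explicitly in the doc comment: `// Unlike the upstream go-systemd function, Files never unsets LISTEN_PID, LISTEN_FDS or LISTEN_FDNAMES; the caller is responsible for not leaking them to children that should not see them.` The new wording `a os.File object` should also read `an os.File object`. The body of Files continues past the end of the hunk.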
@@ -399,17 +399,11 @@ func startContainer(context *cli.Context, action CtAct, criuOpts *libcontainer.C
 		}
 	}
 
-	// Support on-demand socket activation by passing file descriptors into the container init process.
-	listenFDs := []*os.File{}
-	if os.Getenv("LISTEN_FDS") != "" {
-		listenFDs = activation.Files(false)
-	}
-
 	r := &runner{
 		enableSubreaper: !context.Bool("no-subreaper"),
 		shouldDestroy: !context.Bool("keep"),
 		container: container,
-		listenFDs: listenFDs,
+		listenFDs: activation.Files(), // On-demand socket activation.
 		notifySocket: notifySocket,
 		consoleSocket: context.String("console-socket"),
 		pidfdSocket: context.String("pidfd-socket"),
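Review bot: `listenFDs` changes from a non-nil empty slice to nil whenever socket activation is not in use: the removed lines initialised `listenFDs := []*os.File{}` and only called `Files` when LISTEN_FDS was set, whereas `activation.Files()` returns nil on each of its early exits. That is harmless if runner only applies `len()`/`range` to the field, but anything that compares it to nil or serialises it would observe a difference, so it is worth confirming in the code that consumes `r.listenFDs`, which is outside this hunk. The explanatory comment was also cut down to `// On-demand socket activation.`; I would keep what the old one said about where the fds go, e.g. `// Socket-activation fds (LISTEN_FDS) passed on to the container init process.` startContainer begins before the hunk and continues after it.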