feat: Override Runc Version (#1611)

Shubhranshu153 · web-flow · commit 95939feb3c17 · 2025-10-30T14:39:33.000-07:00
Signed-off-by: Shubhranshu Mahapatra &lt;shubhum@amazon.com&gt;
diff --git a/Makefile b/Makefile
@@ -104,6 +104,14 @@ CONTAINER_RUNTIME_ARCHIVE_AARCH64_DIGEST ?= "sha256:$(AARCH64_256_DIGEST)"
 CONTAINER_RUNTIME_ARCHIVE_X86_64_LOCATION ?= "$(ARTIFACT_BASE_URL)/$(X86_64_ARTIFACT)"
 CONTAINER_RUNTIME_ARCHIVE_X86_64_DIGEST ?= "sha256:$(X86_64_256_DIGEST)"
 
+# For Finch on macOS and Windows, the runc override locations and digests are set
+# based on the values set in deps/finch-core/deps/runc-override.conf
+-include $(FINCH_CORE_DIR)/deps/runc-override.conf
+RUNC_OVERRIDE_AARCH64_LOCATION ?= "$(RUNC_ARTIFACT_BASE_URL)/$(RUNC_AARCH64_ARTIFACT)"
+RUNC_OVERRIDE_AARCH64_DIGEST ?= "sha256:$(RUNC_AARCH64_256_DIGEST)"
+RUNC_OVERRIDE_X86_64_LOCATION ?= "$(RUNC_ARTIFACT_BASE_URL)/$(RUNC_X86_64_ARTIFACT)"
+RUNC_OVERRIDE_X86_64_DIGEST ?= "sha256:$(RUNC_X86_64_256_DIGEST)"
+
 .PHONY: finch.yaml
 finch.yaml: $(OS_OUTDIR)/finch.yaml
 
diff --git a/Makefile.darwin b/Makefile.darwin
@@ -46,6 +46,12 @@ $(OS_OUTDIR)/finch.yaml: $(OS_OUTDIR) finch.yaml.d/common.yaml finch.yaml.d/mac.
 	sed -i.bak -e "s|<finch_daemon_root>|$(FINCH_DAEMON_LOCATION_ROOT)|g" finch.yaml.temp
 	sed -i.bak -e "s|<finch_daemon_location>|$(FINCH_DAEMON_LOCATION)|g" finch.yaml.temp
 	sed -i.bak -e "s|<finch_daemon_credhelper_location>|$(FINCH_DAEMON_CREDHELPER_LOCATION)|g" finch.yaml.temp
+	sed -i.bak -e "s|<runc_override_aarch64_location>|$(RUNC_OVERRIDE_AARCH64_LOCATION)|g" finch.yaml.temp
+	sed -i.bak -e "s/<runc_override_aarch64_digest>/$(RUNC_OVERRIDE_AARCH64_DIGEST)/g" finch.yaml.temp
+	sed -i.bak -e "s|<runc_override_x86_64_location>|$(RUNC_OVERRIDE_X86_64_LOCATION)|g" finch.yaml.temp
+	sed -i.bak -e "s/<runc_override_x86_64_digest>/$(RUNC_OVERRIDE_X86_64_DIGEST)/g" finch.yaml.temp
+
+	cat finch.yaml.temp
 
 	# Replacement was successful, so cleanup .bak
 	@rm finch.yaml.temp.bak
diff --git a/Makefile.windows b/Makefile.windows
@@ -32,7 +32,11 @@ $(OS_OUTDIR)/finch.yaml: $(OS_OUTDIR) finch.yaml.d/common.yaml finch.yaml.d/wind
 	sed -i.bak -e "s/<container_runtime_archive_aarch64_digest>/$(CONTAINER_RUNTIME_ARCHIVE_AARCH64_DIGEST)/g" finch.yaml.temp
 	sed -i.bak -e "s|<container_runtime_archive_x86_64_location>|$(CONTAINER_RUNTIME_ARCHIVE_X86_64_LOCATION)|g" finch.yaml.temp
 	sed -i.bak -e "s/<container_runtime_archive_x86_64_digest>/$(CONTAINER_RUNTIME_ARCHIVE_X86_64_DIGEST)/g" finch.yaml.temp
-
+	sed -i.bak -e "s|<runc_override_aarch64_location>|$(RUNC_OVERRIDE_AARCH64_LOCATION)|g" finch.yaml.temp
+	sed -i.bak -e "s/<runc_override_aarch64_digest>/$(RUNC_OVERRIDE_AARCH64_DIGEST)/g" finch.yaml.temp
+	sed -i.bak -e "s|<runc_override_x86_64_location>|$(RUNC_OVERRIDE_X86_64_LOCATION)|g" finch.yaml.temp
+	sed -i.bak -e "s/<runc_override_x86_64_digest>/$(RUNC_OVERRIDE_X86_64_DIGEST)/g" finch.yaml.temp
+	
 	# Replacement was successful, so cleanup .bak
 	@rm finch.yaml.temp.bak
 
diff --git a/deps/finch-core b/deps/finch-core
@@ -1 +1 @@
-Subproject commit 30e5e1f2eb742e8bda9a536a171ae1e71a607219
+Subproject commit 83e39bd3c729ce4da9e7ff21841544c8e89ae235
diff --git a/e2e/vm/version_remote_test.go b/e2e/vm/version_remote_test.go
@@ -22,7 +22,7 @@ const (
 	nerdctlVersion    = "v2.1.3"
 	buildKitVersion   = "v0.23.2"
 	containerdVersion = "v2.1.3"
-	runcVersion       = "1.3.0"
+	runcVersion       = "1.3.2"
 )
 
 type Versions struct {
diff --git a/finch.yaml.d/common.yaml b/finch.yaml.d/common.yaml
@@ -29,6 +29,44 @@ provision:
   - mode: user
     script: |
       #!/bin/bash
+      
+      # Override runc with specified version after container runtime is installed
+      ARCH=$(uname -m)
+      if [ "$ARCH" = "x86_64" ]; then
+        RUNC_URL="<runc_override_x86_64_location>"
+        RUNC_DIGEST="<runc_override_x86_64_digest>"
+      elif [ "$ARCH" = "aarch64" ]; then
+        RUNC_URL="<runc_override_aarch64_location>"
+        RUNC_DIGEST="<runc_override_aarch64_digest>"
+      else
+        echo "Unsupported architecture: $ARCH"
+        exit 1
+      fi
+      
+      # Download and verify runc override
+      curl -L --fail "$RUNC_URL" -o /tmp/runc-override
+      echo "$RUNC_DIGEST /tmp/runc-override" | sha256sum -c -
+      
+      # Replace the existing runc binary
+      sudo chmod +x /tmp/runc-override
+      sudo cp /tmp/runc-override /usr/local/bin/runc
+      sudo cp /tmp/runc-override /usr/bin/runc
+      sudo rm /tmp/runc-override
+      
+      # Verify runc version is >= 1.3.2
+      INSTALLED_VERSION=$(runc --version | head -n1 | awk '{print $3}')
+      REQUIRED_VERSION="1.3.2"
+      if ! printf '%s\n%s\n' "$REQUIRED_VERSION" "$INSTALLED_VERSION" | sort -V -C; then
+        echo "ERROR: runc version $INSTALLED_VERSION is less than required $REQUIRED_VERSION"
+        exit 1
+      fi
+      echo "SUCCESS: runc version $INSTALLED_VERSION meets requirement >= $REQUIRED_VERSION"
+      
+      # Restart containerd
+      sudo systemctl restart containerd.service
+  - mode: user
+    script: |
+      #!/bin/bash
 
       # Enable SSHing into the VM as root (e.g., in `nerdctlConfigApplier.Apply`).
       sudo cp ~/.ssh/authorized_keys /root/.ssh/
@@ -92,6 +130,7 @@ provision:
       sudo systemctl daemon-reload
 
       sudo systemctl restart containerd.service
+  
 env:
   # Containerd namespace is used by the lima cidata script
   # 40-install-containerd.sh. Specifically this variable is defining the
diff --git a/go.mod b/go.mod
@@ -15,7 +15,7 @@ require (
 	github.com/onsi/gomega v1.38.2
 	github.com/pelletier/go-toml v1.9.5
 	github.com/pkg/sftp v1.13.9
-	github.com/runfinch/common-tests v0.9.4
+	github.com/runfinch/common-tests v0.10.1
 	github.com/shirou/gopsutil/v3 v3.24.5
 	github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af
 	github.com/spf13/afero v1.15.0
diff --git a/go.sum b/go.sum
@@ -290,8 +290,8 @@ github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR
 github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
 github.com/rootless-containers/rootlesskit/v2 v2.3.5 h1:WGY05oHE7xQpSkCGfYP9lMY5z19tCxA8PhWlvP1cKx8=
 github.com/rootless-containers/rootlesskit/v2 v2.3.5/go.mod h1:83EIYLeMX8UeNgLHkR1PefoSV76aKEC+OyI3vzrEfvw=
-github.com/runfinch/common-tests v0.9.4 h1:ctGR/jq4eP3KbdeSfL4ya7DNafwc9+sQgyRdkocfMh8=
-github.com/runfinch/common-tests v0.9.4/go.mod h1:25UdRwKrGWnIzKHvceDaMpV3rz+41aCXGB1AOX768po=
+github.com/runfinch/common-tests v0.10.1 h1:noZ9LbolXMLTZgXllAJtNkyO6JQrrnf1mpvN1zknU40=
+github.com/runfinch/common-tests v0.10.1/go.mod h1:PX9VBgtcOm+2Stjm4F6Y6KpovJ2emdSJ+y1X1URnAIU=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06 h1:OkMGxebDjyw0ULyrTYWeN0UNCCkmCWfjPnIA2W6oviI=

Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,7 @@ const (`
`22`	`22`	`nerdctlVersion = "v2.1.3"`
`23`	`23`	`buildKitVersion = "v0.23.2"`
`24`	`24`	`containerdVersion = "v2.1.3"`
`25`		`- runcVersion = "1.3.0"`
	`25`	`+ runcVersion = "1.3.2"`
`26`	`26`	`)`
`27`	`27`
`28`	`28`	`type Versions struct {`