This change is generated by `go1.23rc2 fix ./...`.
Had to use go1.23rc2, since all released go versions have a bug
preventing it from working with `go 1.22.0` in go.mod (opened
https://github.com/golang/go/issues/68825,
https://github.com/golang/go/issues/68824 for awareness).
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

Pay better attention to dev/nodev/exec/noexec/suid/nosuid/ro/rw flags on
bind, overlay, and tmpfs mounts when any of them are specified. Stop
quietly adding "nodev" when it isn't asked for.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

This adds no-op stubs for various things and adds an optional override
for creating the container chroot - on FreeBSD we use a jail to allow
setting the container hostname.
Signed-off-by: Doug Rabson <dfr@rabson.org>

We now use the golang error wrapping format specifier `%w` instead of
the deprecated github.com/pkg/errors package.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>

When we link our test helper statically using the external linker, the
hardwired default seccomp filter we get from the runtime-tools generator
triggers a hang in it at startup.
Rather than switch to the internal linker, which seems to work around
this, start using the same seccomp filter for unit tests that we
actually use in real life, leaving analysis of which difference between
the two is responsible for it for another day.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Add an IsolationChroot that trades flexibility and isolation for being
able to do what it does in a host environment that's already isolated to
the point where we're not allowed to set up some of that isolation,
producing a result that leans more toward chroot(1) than runc(1) does.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #836
Approved by: rhatdan