@@ -4,7 +4,7 @@

 # containerd is also pinned in vendor.conf. When updating the binary

 # version you may also need to update the vendor version to pick up bug

 # fixes or new APIs.

-CONTAINERD_COMMIT=d50db0a42053864a270f648048f9a8b4f24eced3 # v1.2.9

+CONTAINERD_COMMIT=b34a5c8af56e510852c35414db4c1f4fa6172339 # v1.2.10

 install_containerd() {

 	echo "Install containerd version $CONTAINERD_COMMIT"

@@ -4,7 +4,7 @@

 # The version of runc should match the version that is used by the containerd

 # version that is used. If you need to update runc, open a pull request in

 # the containerd project first, and update both after that is merged.

-RUNC_COMMIT=425e105d5a03fabd737a126ad93d62a9eeede87f # v1.0.0-rc8

+RUNC_COMMIT=3e425f80a8c931f88e6d94a8c831b9d5aa481657 # v1.0.0-rc8-92-g84373aaa

 install_runc() {

 	# If using RHEL7 kernels (3.10.0 el7), disable kmem accounting/limiting

@@ -21,6 +21,7 @@ github.com/docker/go-connections                    7395e3f8aa162843a74ed6d48e79

 golang.org/x/text                                   f21a4dfb5e38f5895301dc265a8def02365cc3d0 # v0.3.0

 gotest.tools                                        1083505acf35a0bd8a696b26837e1fb3187a7a83 # v2.3.0

 github.com/google/go-cmp                            3af367b6b30c263d47e8895973edcca9a49cf029 # v0.2.0

+github.com/syndtr/gocapability                      d98352740cb2c55f81556b63d4a1ec64c5a319c2

 github.com/RackSec/srslog                           a4725f04ec91af1a91b380da679d6e0c2f061e59

 github.com/imdario/mergo                            7c29201646fa3de8506f701213473dd407f19646 # v0.3.7

@@ -81,16 +82,14 @@ google.golang.org/grpc                              6eaf6f47437a6b4e2153a190160e

 # the containerd project first, and update both after that is merged.

 # This commit does not need to match RUNC_COMMIT as it is used for helper

 # packages but should be newer or equal.

-github.com/opencontainers/runc                      425e105d5a03fabd737a126ad93d62a9eeede87f # v1.0.0-rc8

+github.com/opencontainers/runc                      3e425f80a8c931f88e6d94a8c831b9d5aa481657 # v1.0.0-rc8-92-g84373aaa

 github.com/opencontainers/runtime-spec              29686dbc5559d93fb1ef402eeda3e35c38d75af4 # v1.0.1-59-g29686db

 github.com/opencontainers/image-spec                d60099175f88c47cd379c4738d158884749ed235 # v1.0.1

 github.com/seccomp/libseccomp-golang                32f571b70023028bd57d9288c20efbcb237f3ce0

-# libcontainer deps (see src/github.com/opencontainers/runc/Godeps/Godeps.json)

+# systemd integration (journald, daemon/listeners, containerd/cgroups)

 github.com/coreos/go-systemd                        39ca1b05acc7ad1220e09f133283b8859a8b71ab # v17

 github.com/godbus/dbus                              5f6efc7ef2759c81b7ba876593971bfce311eab3 # v4.0.0

-github.com/syndtr/gocapability                      d98352740cb2c55f81556b63d4a1ec64c5a319c2

-github.com/golang/protobuf                          aa810b61a9c79d51363740d207bb46cf8e620ed5 # v1.2.0

 # gelf logging driver deps

 github.com/Graylog2/go-gelf                         4143646226541087117ff2f83334ea48b3201841

@@ -133,6 +132,7 @@ github.com/gogo/googleapis                          d31c731455cb061f42baff3bda55

 # cluster

 github.com/docker/swarmkit                          bbe341867eae1615faf8a702ec05bfe986e73e06 # bump_v19.03 branch

 github.com/gogo/protobuf                            ba06b47c162d49f2af050fb4c75bcbc86a159d5c # v1.2.1

+github.com/golang/protobuf                          aa810b61a9c79d51363740d207bb46cf8e620ed5 # v1.2.0

 github.com/cloudflare/cfssl                         5d63dbd981b5c408effbb58c442d54761ff94fbd # 1.3.2

 github.com/fernet/fernet-go                         1b2437bc582b3cfbb341ee5a29f8ef5b42912ff2

 github.com/google/certificate-transparency-go       37a384cd035e722ea46e55029093e26687138edf # v1.0.20

@@ -261,6 +261,7 @@ process := &libcontainer.Process{

 	Stdin:  os.Stdin,

 	Stdout: os.Stdout,

 	Stderr: os.Stderr,

+	Init:   true,

 }

 err := container.Run(process)

@@ -11,6 +11,8 @@ import (

 	"path/filepath"

 	"strconv"

 	"strings"

+	"sync"

+	"syscall"

 	"time"

 	units "github.com/docker/go-units"

@@ -22,6 +24,30 @@ const (

 	CgroupProcesses  = "cgroup.procs"

 )

+var (

+	isUnifiedOnce sync.Once

+	isUnified     bool

+)

+

+// HugePageSizeUnitList is a list of the units used by the linux kernel when

+// naming the HugePage control files.

+// https://www.kernel.org/doc/Documentation/cgroup-v1/hugetlb.txt

+// TODO Since the kernel only use KB, MB and GB; TB and PB should be removed,

+// depends on https://github.com/docker/go-units/commit/a09cd47f892041a4fac473133d181f5aea6fa393

+var HugePageSizeUnitList = []string{"B", "KB", "MB", "GB", "TB", "PB"}

+

+// IsCgroup2UnifiedMode returns whether we are running in cgroup v2 unified mode.

+func IsCgroup2UnifiedMode() bool {

+	isUnifiedOnce.Do(func() {

+		var st syscall.Statfs_t

+		if err := syscall.Statfs("/sys/fs/cgroup", &st); err != nil {

+			panic("cannot statfs cgroup root")

+		}

+		isUnified = st.Type == unix.CGROUP2_SUPER_MAGIC

+	})

+	return isUnified

+}

+

 // https://www.kernel.org/doc/Documentation/cgroup-v1/cgroups.txt

 func FindCgroupMountpoint(cgroupPath, subsystem string) (string, error) {

 	mnt, _, err := FindCgroupMountpointAndRoot(cgroupPath, subsystem)

@@ -42,6 +68,10 @@ func FindCgroupMountpointAndRoot(cgroupPath, subsystem string) (string, string,

 	}

 	defer f.Close()

+	if IsCgroup2UnifiedMode() {

+		subsystem = ""

+	}

+

 	return findCgroupMountpointAndRootFromReader(f, cgroupPath, subsystem)

 }

@@ -50,12 +80,12 @@ func findCgroupMountpointAndRootFromReader(reader io.Reader, cgroupPath, subsyst

 	for scanner.Scan() {

 		txt := scanner.Text()

 		fields := strings.Fields(txt)

-		if len(fields) < 5 {

+		if len(fields) < 9 {

 			continue

 		}

 		if strings.HasPrefix(fields[4], cgroupPath) {

 			for _, opt := range strings.Split(fields[len(fields)-1], ",") {

-				if opt == subsystem {

+				if (subsystem == "" && fields[9] == "cgroup2") || opt == subsystem {

 					return fields[4], fields[3], nil

 				}

 			}

@@ -69,6 +99,19 @@ func findCgroupMountpointAndRootFromReader(reader io.Reader, cgroupPath, subsyst

 }

 func isSubsystemAvailable(subsystem string) bool {

+	if IsCgroup2UnifiedMode() {

+		controllers, err := GetAllSubsystems()

+		if err != nil {

+			return false

+		}

+		for _, c := range controllers {

+			if c == subsystem {

+				return true

+			}

+		}

+		return false

+	}

+

 	cgroups, err := ParseCgroupFile("/proc/self/cgroup")

 	if err != nil {

 		return false

@@ -113,7 +156,7 @@ func FindCgroupMountpointDir() (string, error) {

 			return "", fmt.Errorf("Found no fields post '-' in %q", text)

 		}

-		if postSeparatorFields[0] == "cgroup" {

+		if postSeparatorFields[0] == "cgroup" || postSeparatorFields[0] == "cgroup2" {

 			// Check that the mount is properly formatted.

 			if numPostFields < 3 {

 				return "", fmt.Errorf("Error found less than 3 fields post '-' in %q", text)

@@ -186,6 +229,19 @@ func getCgroupMountsHelper(ss map[string]bool, mi io.Reader, all bool) ([]Mount,

 // GetCgroupMounts returns the mounts for the cgroup subsystems.

 // all indicates whether to return just the first instance or all the mounts.

 func GetCgroupMounts(all bool) ([]Mount, error) {

+	if IsCgroup2UnifiedMode() {

+		availableControllers, err := GetAllSubsystems()

+		if err != nil {

+			return nil, err

+		}

+		m := Mount{

+			Mountpoint: "/sys/fs/cgroup",

+			Root:       "/sys/fs/cgroup",

+			Subsystems: availableControllers,

+		}

+		return []Mount{m}, nil

+	}

+

 	f, err := os.Open("/proc/self/mountinfo")

 	if err != nil {

 		return nil, err

@@ -349,6 +405,9 @@ func parseCgroupFromReader(r io.Reader) (map[string]string, error) {

 }

 func getControllerPath(subsystem string, cgroups map[string]string) (string, error) {

+	if IsCgroup2UnifiedMode() {

+		return "/", nil

+	}

 	if p, ok := cgroups[subsystem]; ok {

 		return p, nil

@@ -409,19 +468,26 @@ func RemovePaths(paths map[string]string) (err error) {

 }

 func GetHugePageSize() ([]string, error) {

-	var pageSizes []string

-	sizeList := []string{"B", "kB", "MB", "GB", "TB", "PB"}

 	files, err := ioutil.ReadDir("/sys/kernel/mm/hugepages")

 	if err != nil {

-		return pageSizes, err

+		return []string{}, err

 	}

+	var fileNames []string

 	for _, st := range files {

-		nameArray := strings.Split(st.Name(), "-")

+		fileNames = append(fileNames, st.Name())

+	}

+	return getHugePageSizeFromFilenames(fileNames)

+}

+

+func getHugePageSizeFromFilenames(fileNames []string) ([]string, error) {

+	var pageSizes []string

+	for _, fileName := range fileNames {

+		nameArray := strings.Split(fileName, "-")

 		pageSize, err := units.RAMInBytes(nameArray[1])

 		if err != nil {

 			return []string{}, err

 		}

-		sizeString := units.CustomSize("%g%s", float64(pageSize), 1024.0, sizeList)

+		sizeString := units.CustomSize("%g%s", float64(pageSize), 1024.0, HugePageSizeUnitList)

 		pageSizes = append(pageSizes, sizeString)

 	}

@@ -59,3 +59,8 @@ func NewThrottleDevice(major, minor int64, rate uint64) *ThrottleDevice {

 func (td *ThrottleDevice) String() string {

 	return fmt.Sprintf("%d:%d %d", td.Major, td.Minor, td.Rate)

 }

+

+// StringName formats the struct to be writable to the cgroup specific file

+func (td *ThrottleDevice) StringName(name string) string {

+	return fmt.Sprintf("%d:%d %s=%d", td.Major, td.Minor, name, td.Rate)

+}

@@ -119,4 +119,12 @@ type Resources struct {

 	// Set class identifier for container's network packets

 	NetClsClassid uint32 `json:"net_cls_classid_u"`

+

+	// Used on cgroups v2:

+

+	// CpuWeight sets a proportional bandwidth limit.

+	CpuWeight uint64 `json:"cpu_weight"`

+

+	// CpuMax sets she maximum bandwidth limit (format: max period).

+	CpuMax string `json:"cpu_max"`

 }

new file mode 100644

@@ -0,0 +1,8 @@

+// +build !linux

+

+package configs

+

+// TODO Windows: This can ultimately be entirely factored out on Windows as

+// cgroups are a Unix-specific construct.

+type Cgroup struct {

+}

deleted file mode 100644

@@ -1,6 +0,0 @@

-package configs

-

-// TODO Windows: This can ultimately be entirely factored out on Windows as

-// cgroups are a Unix-specific construct.

-type Cgroup struct {

-}

@@ -7,11 +7,11 @@ import (

 	"path/filepath"

 	"github.com/opencontainers/runc/libcontainer/configs"

-

 	"golang.org/x/sys/unix"

 )

 var (

+	// ErrNotADevice denotes that a file is not a valid linux device.

 	ErrNotADevice = errors.New("not a device node")

 )

@@ -21,7 +21,8 @@ var (

 	ioutilReadDir = ioutil.ReadDir

 )

-// Given the path to a device and its cgroup_permissions(which cannot be easily queried) look up the information about a linux device and return that information as a Device struct.

+// Given the path to a device and its cgroup_permissions(which cannot be easily queried) look up the

+// information about a linux device and return that information as a Device struct.

 func DeviceFromPath(path, permissions string) (*configs.Device, error) {

 	var stat unix.Stat_t

 	err := unixLstat(path, &stat)

@@ -60,25 +61,29 @@ func DeviceFromPath(path, permissions string) (*configs.Device, error) {

 	}, nil

 }

+// HostDevices returns all devices that can be found under /dev directory.

 func HostDevices() ([]*configs.Device, error) {

-	return getDevices("/dev")

+	return GetDevices("/dev")

 }

-func getDevices(path string) ([]*configs.Device, error) {

+// GetDevices recursively traverses a directory specified by path

+// and returns all devices found there.

+func GetDevices(path string) ([]*configs.Device, error) {

 	files, err := ioutilReadDir(path)

 	if err != nil {

 		return nil, err

 	}

-	out := []*configs.Device{}

+	var out []*configs.Device

 	for _, f := range files {

 		switch {

 		case f.IsDir():

 			switch f.Name() {

 			// ".lxc" & ".lxd-mounts" added to address https://github.com/lxc/lxd/issues/2825

-			case "pts", "shm", "fd", "mqueue", ".lxc", ".lxd-mounts":

+			// ".udev" added to address https://github.com/opencontainers/runc/issues/2093

+			case "pts", "shm", "fd", "mqueue", ".lxc", ".lxd-mounts", ".udev":

 				continue

 			default:

-				sub, err := getDevices(filepath.Join(path, f.Name()))

+				sub, err := GetDevices(filepath.Join(path, f.Name()))

 				if err != nil {

 					return nil, err

 				}

@@ -1,5 +1,3 @@

 // +build !linux !cgo

 package nsenter

-

-import "C"

@@ -37,9 +37,6 @@ enum sync_t {

 	SYNC_RECVPID_ACK = 0x43,	/* PID was correctly received by parent. */

 	SYNC_GRANDCHILD = 0x44,	/* The grandchild is ready to run. */

 	SYNC_CHILD_READY = 0x45,	/* The child or grandchild is ready to return. */

-

-	/* XXX: This doesn't help with segfaults and other such issues. */

-	SYNC_ERR = 0xFF,	/* Fatal error, no turning back. The error code follows. */

 };

 /*

@@ -53,9 +50,6 @@ enum sync_t {

 #define JUMP_CHILD  0xA0

 #define JUMP_INIT   0xA1

-/* JSON buffer. */

-#define JSON_MAX 4096

-

 /* Assume the stack grows down, so arguments should be above it. */

 struct clone_t {

 	/*

@@ -95,6 +89,15 @@ struct nlconfig_t {

 	size_t gidmappath_len;

 };

+#define PANIC   "panic"

+#define FATAL   "fatal"

+#define ERROR   "error"

+#define WARNING "warning"

+#define INFO    "info"

+#define DEBUG   "debug"

+

+static int logfd = -1;

+

 /*

  * List of netlink message types sent to us as part of bootstrapping the init.

  * These constants are defined in libcontainer/message_linux.go.

@@ -131,22 +134,34 @@ int setns(int fd, int nstype)

 }

 #endif

+static void write_log_with_info(const char *level, const char *function, int line, const char *format, ...)

+{

+	char message[1024] = {};

+

+	va_list args;

+

+	if (logfd < 0 || level == NULL)

+		return;

+

+	va_start(args, format);

+	if (vsnprintf(message, sizeof(message), format, args) < 0)

+		goto done;

+

+	dprintf(logfd, "{\"level\":\"%s\", \"msg\": \"%s:%d %s\"}\n", level, function, line, message);

+done:

+	va_end(args);

+}

+

+#define write_log(level, fmt, ...) \

+	write_log_with_info((level), __FUNCTION__, __LINE__, (fmt), ##__VA_ARGS__)

+

 /* XXX: This is ugly. */

 static int syncfd = -1;

-/* TODO(cyphar): Fix this so it correctly deals with syncT. */

-#define bail(fmt, ...)								\

-	do {									\

-		int ret = __COUNTER__ + 1;					\

-		fprintf(stderr, "nsenter: " fmt ": %m\n", ##__VA_ARGS__);	\

-		if (syncfd >= 0) {						\

-			enum sync_t s = SYNC_ERR;				\

-			if (write(syncfd, &s, sizeof(s)) != sizeof(s))		\

-				fprintf(stderr, "nsenter: failed: write(s)");	\

-			if (write(syncfd, &ret, sizeof(ret)) != sizeof(ret))	\

-				fprintf(stderr, "nsenter: failed: write(ret)");	\

-		}								\

-		exit(ret);							\

+#define bail(fmt, ...)                                       \

+	do {                                                       \

+		write_log(FATAL, "nsenter: " fmt ": %m", ##__VA_ARGS__); \

+		exit(1);                                                 \

 	} while(0)

 static int write_file(char *data, size_t data_len, char *pathfmt, ...)

@@ -352,6 +367,23 @@ static int initpipe(void)

 	return pipenum;

 }

+static void setup_logpipe(void)

+{

+	char *logpipe, *endptr;

+

+	logpipe = getenv("_LIBCONTAINER_LOGPIPE");

+	if (logpipe == NULL || *logpipe == '\0') {

+		return;

+	}

+

+	logfd = strtol(logpipe, &endptr, 10);

+	if (logpipe == endptr || *endptr != '\0') {

+		fprintf(stderr, "unable to parse _LIBCONTAINER_LOGPIPE, value: %s\n", logpipe);

+		/* It is too early to use bail */

+		exit(1);

+	}

+}

+

 /* Returns the clone(2) flag for a namespace, given the name of a namespace. */

 static int nsflag(char *name)

 {

@@ -545,6 +577,12 @@ void nsexec(void)

 	struct nlconfig_t config = { 0 };

 	/*

+	 * Setup a pipe to send logs to the parent. This should happen

+	 * first, because bail will use that pipe.

+	 */

+	setup_logpipe();

+

+	/*

 	 * If we don't have an init pipe, just return to the go routine.

 	 * We'll only get an init pipe for start or exec.

 	 */

@@ -560,6 +598,8 @@ void nsexec(void)

 	if (ensure_cloned_binary() < 0)

 		bail("could not ensure we are a cloned binary");

+	write_log(DEBUG, "nsexec started");

+

 	/* Parse all of the netlink configuration. */

 	nl_parse(pipenum, &config);

@@ -676,7 +716,6 @@ void nsexec(void)

 			 */

 			while (!ready) {

 				enum sync_t s;

-				int ret;

 				syncfd = sync_child_pipe[1];

 				close(sync_child_pipe[0]);

@@ -685,12 +724,6 @@ void nsexec(void)

 					bail("failed to sync with child: next state");

 				switch (s) {

-				case SYNC_ERR:

-					/* We have to mirror the error code of the child. */

-					if (read(syncfd, &ret, sizeof(ret)) != sizeof(ret))

-						bail("failed to sync with child: read(error code)");

-

-					exit(ret);

 				case SYNC_USERMAP_PLS:

 					/*

 					 * Enable setgroups(2) if we've been asked to. But we also

@@ -759,7 +792,6 @@ void nsexec(void)

 			ready = false;

 			while (!ready) {

 				enum sync_t s;

-				int ret;

 				syncfd = sync_grandchild_pipe[1];

 				close(sync_grandchild_pipe[0]);

@@ -774,12 +806,6 @@ void nsexec(void)

 					bail("failed to sync with child: next state");

 				switch (s) {

-				case SYNC_ERR:

-					/* We have to mirror the error code of the child. */

-					if (read(syncfd, &ret, sizeof(ret)) != sizeof(ret))

-						bail("failed to sync with child: read(error code)");

-

-					exit(ret);

 				case SYNC_CHILD_READY:

 					ready = true;

 					break;

@@ -1,5 +1,5 @@

 // +build linux

-// +build arm64 amd64 mips mipsle mips64 mips64le ppc ppc64 ppc64le s390x

+// +build arm64 amd64 mips mipsle mips64 mips64le ppc ppc64 ppc64le riscv64 s390x

 package system

@@ -1,26 +1,28 @@

 # OCI runtime-spec. When updating this, make sure you use a version tag rather

 # than a commit ID so it's much more obvious what version of the spec we are

 # using.

-github.com/opencontainers/runtime-spec 29686dbc5559d93fb1ef402eeda3e35c38d75af4

+github.com/opencontainers/runtime-spec  29686dbc5559d93fb1ef402eeda3e35c38d75af4 # v1.0.1-59-g29686db

+

 # Core libcontainer functionality.

-github.com/checkpoint-restore/go-criu v3.11

-github.com/mrunalp/fileutils ed869b029674c0e9ce4c0dfa781405c2d9946d08

-github.com/opencontainers/selinux v1.2.2

-github.com/seccomp/libseccomp-golang 84e90a91acea0f4e51e62bc1a75de18b1fc0790f

-github.com/sirupsen/logrus a3f95b5c423586578a4e099b11a46c2479628cac

-github.com/syndtr/gocapability db04d3cc01c8b54962a58ec7e491717d06cfcc16

-github.com/vishvananda/netlink 1e2e08e8a2dcdacaae3f14ac44c5cfa31361f270

+github.com/checkpoint-restore/go-criu   17b0214f6c48980c45dc47ecb0cfd6d9e02df723 # v3.11

+github.com/mrunalp/fileutils            7d4729fb36185a7c1719923406c9d40e54fb93c7

+github.com/opencontainers/selinux       3a1f366feb7aecbf7a0e71ac4cea88b31597de9e # v1.2.2

+github.com/seccomp/libseccomp-golang    689e3c1541a84461afc49c1c87352a6cedf72e9c # v0.9.1

+github.com/sirupsen/logrus              8bdbc7bcc01dcbb8ec23dc8a28e332258d25251f # v1.4.1

+github.com/syndtr/gocapability          d98352740cb2c55f81556b63d4a1ec64c5a319c2

+github.com/vishvananda/netlink          1e2e08e8a2dcdacaae3f14ac44c5cfa31361f270

+

 # systemd integration.

-github.com/coreos/go-systemd v14

-github.com/coreos/pkg v3

-github.com/godbus/dbus v3

-github.com/golang/protobuf 18c9bb3261723cd5401db4d0c9fbc5c3b6c70fe8

+github.com/coreos/go-systemd            95778dfbb74eb7e4dbaf43bf7d71809650ef8076 # v19

+github.com/godbus/dbus                  2ff6f7ffd60f0f2410b3105864bdd12c7894f844 # v5.0.1

+github.com/golang/protobuf              925541529c1fa6821df4e44ce2723319eb2be768 # v1.0.0

+

 # Command-line interface.

-github.com/cyphar/filepath-securejoin v0.2.1

-github.com/docker/go-units v0.2.0

-github.com/urfave/cli d53eb991652b1d438abdd34ce4bfa3ef1539108e

-golang.org/x/sys 41f3e6584952bb034a481797859f6ab34b6803bd https://github.com/golang/sys

+github.com/cyphar/filepath-securejoin   a261ee33d7a517f054effbf451841abaafe3e0fd # v0.2.2

+github.com/docker/go-units              47565b4f722fb6ceae66b95f853feed578a4a51c # v0.3.3

+github.com/urfave/cli                   cfb38830724cc34fedffe9a2a29fb54fa9169cd1 # v1.20.0

+golang.org/x/sys                        9eafafc0a87e0fd0aeeba439a4573537970c44c7 https://github.com/golang/sys

 # console dependencies

-github.com/containerd/console 2748ece16665b45a47f884001d5831ec79703880

-github.com/pkg/errors v0.8.0

+github.com/containerd/console           0650fd9eeb50bab4fc99dceb9f2e14cf58f36e7f

+github.com/pkg/errors                   ba968bfe8b2f7e042a574c888954fccecfa385b4 # v0.8.1