Bump Runc to 1.0.0-rc5

[thaJeztah]

fixes #36446
fixes #36457
fixes #36467
fixes #36628
fixes docker/for-linux#238
fixes docker/for-linux#228

Bump Runc to 1.0.0-rc5 / 4fc53a81fb7c994640722ac585fa9ca548971871

Release notes: https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc5

Full diff: opencontainers/runc@6c55f98...4fc53a8

Possibly relevant changes included:

• chroot when no mount namespaces is provided opencontainers/runc#1702 chroot when no mount namespaces is provided
• fix systemd slice expansion so that it could be consumed by cAdvisor opencontainers/runc#1722 fix systemd slice expansion so that it could be consumed by cAdvisor
• libcontainer/capabilities_linux: Drop os.Getpid() call opencontainers/runc#1724 libcontainer/capabilities_linux: Drop os.Getpid() call
• Update console dependency to fix runc exec on BE opencontainers/runc#1727 Update console dependency to fix runc exec on BE (causing: container_linux.go:265: starting container process caused "open /dev/pts/4294967296: no such file or directory")
• libcontainer: setupUserNamespace is always called opencontainers/runc#1743 libcontainer: setupUserNamespace is always called (fixes: Devices are mounted with wrong uid/gid)

[vdemeester]

LGTM 🐯

[boaz0]

LGTM 🌮

[thaJeztah]

Failing on experimental:

22:05:30 FAIL: docker_cli_swarm_test.go:1682: DockerSwarmSuite.TestSwarmPublishDuplicatePorts
22:05:30 
22:05:30 [de66c61eb721b] waiting for daemon to start
22:05:30 [de66c61eb721b] daemon started
22:05:30 
22:05:30 docker_cli_swarm_test.go:1690:
22:05:30     // make sure task has been deployed.
22:05:30     waitAndAssert(c, defaultReconciliationTimeout, d.CheckActiveContainerCount, checker.Equals, 1)
22:05:30 docker_utils_test.go:465:
22:05:30     c.Assert(v, checker, args...)
22:05:30 ... obtained int = 0
22:05:30 ... expected int = 1
22:05:30 
22:05:30 [de66c61eb721b] exiting daemon

21:56:24 ----------------------------------------------------------------------
21:56:24 FAIL: docker_cli_service_update_test.go:14: DockerSwarmSuite.TestServiceUpdatePort
21:56:24 
21:56:24 [da40f43359dbc] waiting for daemon to start
21:56:24 [da40f43359dbc] daemon started
21:56:24 
21:56:24 docker_cli_service_update_test.go:23:
21:56:24     waitAndAssert(c, defaultReconciliationTimeout, d.CheckActiveContainerCount, checker.Equals, 1)
21:56:24 docker_utils_test.go:465:
21:56:24     c.Assert(v, checker, args...)
21:56:24 ... obtained int = 0
21:56:24 ... expected int = 1
21:56:24 
21:56:24 [da40f43359dbc] exiting daemon
21:56:26 

Failing on experimental and janky

21:57:31 ----------------------------------------------------------------------
21:57:31 FAIL: docker_api_swarm_service_test.go:32: DockerSwarmSuite.TestAPIServiceUpdatePort
21:57:31 
21:57:31 [da5c0c1778557] waiting for daemon to start
21:57:31 [da5c0c1778557] daemon started
21:57:31 
21:57:31 docker_api_swarm_service_test.go:38:
21:57:31     waitAndAssert(c, defaultReconciliationTimeout, d.CheckActiveContainerCount, checker.Equals, 1)
21:57:31 docker_utils_test.go:465:
21:57:31     c.Assert(v, checker, args...)
21:57:31 ... obtained int = 0
21:57:31 ... expected int = 1
21:57:31 
21:57:31 [da5c0c1778557] exiting daemon

Failing on Janky

22:00:02 ----------------------------------------------------------------------
22:00:02 FAIL: check_test.go:366: DockerSwarmSuite.TearDownTest
22:00:02 
22:00:02 unmount of /tmp/docker-execroot/dee88c12512db/netns failed: invalid argument
22:00:02 check_test.go:371:
22:00:02     d.Stop(c)
22:00:02 daemon/daemon.go:389:
22:00:02     t.Fatalf("Error while stopping the daemon %s : %v", d.id, err)
22:00:02 ... Error: Error while stopping the daemon d9ca0cda4d7ac : exit status 130
22:00:02 
22:00:02 
22:00:02 ----------------------------------------------------------------------
22:00:02 PANIC: docker_api_swarm_test.go:262: DockerSwarmSuite.TestAPISwarmLeaderProxy
22:00:02 
22:00:02 [dee88c12512db] waiting for daemon to start
22:00:02 [dee88c12512db] daemon started
22:00:02 
22:00:02 [d9ca0cda4d7ac] waiting for daemon to start
22:00:02 [d9ca0cda4d7ac] daemon started
22:00:02 
22:00:02 [db5530c886c40] waiting for daemon to start
22:00:02 [db5530c886c40] daemon started
22:00:02 
22:00:02 [dee88c12512db] exiting daemon
22:00:02 [d9ca0cda4d7ac] daemon started
22:00:02 Attempt #2: daemon is still running with pid 10619
22:00:02 Attempt #3: daemon is still running with pid 10619
22:00:02 Attempt #4: daemon is still running with pid 10619
22:00:02 [d9ca0cda4d7ac] exiting daemon
22:00:02 ... Panic: Fixture has panicked (see related PANIC)

[codecov]

Codecov Report

❗ No coverage uploaded for pull request base (master@75377ec). Click here to learn what that means.
The diff coverage is n/a.

@@            Coverage Diff            @@
##             master   #36449   +/-   ##
=========================================
  Coverage          ?   34.93%           
=========================================
  Files             ?      613           
  Lines             ?    45375           
  Branches          ?        0           
=========================================
  Hits              ?    15852           
  Misses            ?    27427           
  Partials          ?     2096

[vieux]

ping @crosbymichael

LGTM

[thaJeztah]

FWIW; discussing with @kolyshkin to have a test for #36457, but may not be possible with the test-suite in this repo

[yongtang]

LGTM

[thaJeztah]

Added #36467 to the list of "fixes"

@tophj-ibm do we need a test case for that?

[thaJeztah]

And docker/for-linux#238, which is also about big-endian / s390x

[tophj-ibm]

@thaJeztah possibly. I'll need to figure out why the current test didn't pick this up, as this seems like a normal exec use case.

[tianon]

Any chance this could be considered for a 17.12.2 release, given that there was at least one compatibility break (#36446) from .0 to .1 in the 17.12 stable series that this fixes? 🙏

(IMO that bug is pretty nasty -- it makes --device harder to use securely because now we require one of both --device and --volume, --group-add root assuming the device we need has permissions that allow group access, or to simply run as root inside the container. I think given the error, our users are most likely to go for running as root when presented with the problem, which is the worst of the three.)