Update runc to 1.2.0

[kolyshkin]

Let's use latest and greatest runc v1.2.0 (both the binary and the set of vendored libraries).

[cyphar]

@tonistiigi It only overrides CC if CC wasn't already set for the purposes of cross-compilation. It seems Docker uses xx-go --wrap to hide that it is cross-compiling when building dependencies, which leads to issues. I would expect CC=xx-clang (or CC=clang, because of xx-go --wrap) to fix the issue, though I haven't tested it (it's possible there are issues with the linker too).

Unfortunately, just removing cc_platform.mk will mean that "standard" cross-compilation (GOARCH=foo make) on regular systems won't work anymore (to be fair, the script probably only works on openSUSE and Debian).

[tonistiigi]

@cyphar xx-go does not set CC for the system (it doesn't require user to set it). It configures go env CC instead. And if you run xx-go --wrap it sets the go/cgo configuration in the go env GOENV where go reads it. GOARCH etc is also loaded through go env. I think the default for projects should still be to use the configured toolchain of the system. Maybe if you put something like ifeq ($(origin GOARCH), command line) in Makefile, then it is clear that the config was passed to the makefile specifically and has the extra behavior of modifying the toolchain.

[kolyshkin]

The issue seems to be that

1. xx-go --wrap writes ~/.config/go/env file which sets various variables for Go, including GOARCH, CC, GOGCCFLAGS etc. For example, for s390x those are:

• GOARCH='s390x'
• GCCGO='gccgo'
• AR='s390x-linux-gnu-ar'
• CC='s390x-linux-gnu-gcc'
• PKG_CONFIG='s390x-linux-gnu-pkg-config'
• GOGCCFLAGS='-fPIC -m64 -march=z196 -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build1204069782=/tmp/go-build -gno-record-gcc-switches'

3. runc's cc_platform.mk exports CC=gcc. Apparently a local environment has a preference over what's in GOENV file.

Now, gcc tries to use x86_64 gcc with s390x cflags.

[tonistiigi]

@kolyshkin I don't think xx writes GOGCCFLAGS https://github.com/tonistiigi/xx/blob/master/src/xx-go#L104-L128 . The rest of it seems correct .

[cyphar]

Ideally we would just do GOARCH=xxx go env CC to get the compiler to use, but that doesn't work at all outside of xx-go --wrap:

1. For proper target triples, Go doesn't autodetect anything and you need to specify a CC and so on anyway. This does get copied to go env CC but that's just passthrough and there's no change in behaviour.
2. For GOARCH=386 (and similar -m compilation targets) Go doesn't even provide the right CFLAGS for you. They are in GOGCCFLAGS but those contain other bits that we don't need.

So we need to parse GOARCH for at least case (2). The GOARCH=... make thing is nice but it's not really required given that GOARCH=... go build doesn't work out of the box AFAICS, so I would accept us breaking this if it meant we could remove.

I suspect Docker doesn't build for 386 but the issue still stands -- we don't want to build runc with an embedded runc-dmz that is the wrong architecture. It would be great if there was a supported way to get the compiler options Go wants to use for CGo... We could just use that then.

[kolyshkin]

Modified this to just set CC and CFLAGS STRIP explicitly from xx-info, this way runc's cc_platform.mk doesn't do any guessing, and no changes to runc are needed.

[kolyshkin]

Full(er) list of test failures:

• TestBuildUserNamespaceValidateCapabilitiesAreV2
• TestNetworkNat
• TestNetworkLocalhostTCPNat
• TestBuildSquashParent
• TestDiff
• TestUsernsCommit
• TestReadPluginNoRead/explicitly_enabled_caching

Most failures are related to not getting output from a container run. As I can't repro this locally I'm not sure how to bisect it.

[rata]

Same here, if I run things locally (changing the setting so the container uses the iptables uses the nft backend, as that is what my host is using) those tests work fine here too.

However, it is 100% reliable that runc 1.2.x fails here on CI and 1.1.x works just fine.

@thaJeztah do you have any pointers on how to further debug this issue we observe only on CI?

I can try to create a VM with ubuntu, but I hope there is a better way (I don't have any VM setup ready to go now).

[kolyshkin]

I can try to create a VM with ubuntu

That's exactly what I was doing (Ubuntu 20.04 in vagrant libvirt) and I still can't repro.

I suspect there are either some limits in CI that we hit, or maybe something like apparmor config.

[kolyshkin]

The common part between most (or all?) of the failures is not getting the container's output.

Also, I tried again and failed to repro this locally in a Ubuntu 20.04 VM.

[AkihiroSuda]

I suspect there are either some limits in CI that we hit, or maybe something like apparmor config.

dmesg may show some hints?
Unloading AppArmor may make some difference?

[rata]

@AkihiroSuda In my tests, apparmor didn't make the difference.
I booted the local host without apparmor=0 in the cmdline, the tests that fail in CI, locally pass just fine.
I've also tried CI with this commit to disable apparmor: rata@9ce9e44 and it failed in the same way (except docker-py, that seems to fail in python while connecting to some URL now).

I've also tried to create a VM in Azure (as github actions runs in Azure IIRC) just in case there was some special ubuntu setup in Azure, however those tests pass fine.

The only change I had to do in the Azure VM and locally for some test to not fail is to use the iptables nft backend: rata@f97ef77.

As I was saying in other issues, the failure in CI seems real, though. It seems 100% reliable that the updated runc fails the moby tests and the failures seem to be always the same. Using runc 1.1 the moby CI seems to pass reliably.

I'm thinking the secret might be either trying to check dmesg on CI (my commits for that didn't work, nothing is printed) or in the .github folder with how it is set-up.

@AkihiroSuda @thaJeztah @kolyshkin any other ideas to try?

[AkihiroSuda]

any other ideas to try?

Maybe bisect (manually? 😞 )?

[AkihiroSuda]

Possible reasons:

• ENOSPC
• ENOSPC, but for inodes
• OOM

[AkihiroSuda]

I'm trying to bisect the commits in #48366 but it is quite painful due to compilation failures of dmz and other irrelevant CI failures

[kolyshkin]

Just found out something I was doing back in 2018 (commit ad2f88d) and decided to try it here.

[kolyshkin]

A failure in test / test (graphdriver) / unit (firewalld):

=== Failed
=== FAIL: libnetwork/networkdb TestNetworkDBCRUDTableEntries (7.60s)
    networkdb_test.go:313: Entry existence verification test failed for node2(8ba4809e3fe4)

Looks like it's a known issue: #47553

[rata]

@kolyshkin thanks for moving this forward!

[rata]

I think these changes didn't help. I ended up doing this: rata@2b723e7

The bug linked there says these tests are flaky (not just the one currently skipped, IIRC) and I just added the skip like other tests on this file do. You can verify this, but my memory is that at least not all the retries in this file helped to make the tests green

[rata]

@kolyshkin sorry, with "these changes" I meant just the retry here in this file. The other changes are still needed, or at least I've seen them flaky with runc 1.2.0 final release in a quick test.

The only difference is that with runc 1.2.0-rcX the tests failed reliably. Now with the overlayfs it is faster and they are just flaky. But I think the rest of the changes to moby tests are needed