moby-containerd: fix test compatibility with golang 1.21 (#8031)

Author: hbeberman

SPECS/moby-containerd-cc/fix_cc_tests_for_golang1.21.patch

@@ -0,0 +1,47 @@
+Backported from upstream 5d9bf7d1398f645882e5c2becc7815daa1770c26
+
+Signed-off-by: Akihiro Suda <[email protected]>
+Signed-off-by: Henry Beberman <[email protected]>
+
+diff -Naur a/contrib/apparmor/apparmor.go b/contrib/apparmor/apparmor.go
+--- a/contrib/apparmor/apparmor.go	2024-02-09 13:19:03.000000000 +0000
++++ b/contrib/apparmor/apparmor.go	2024-02-22 00:22:43.993021818 +0000
+@@ -39,6 +39,11 @@
+ 
+ // WithDefaultProfile will generate a default apparmor profile under the provided name
+ // for the container.  It is only generated if a profile under that name does not exist.
++//
++// FIXME: pkg/cri/[sb]server/container_create_linux_test.go depends on go:noinline
++// since Go 1.21.
++//
++//go:noinline
+ func WithDefaultProfile(name string) oci.SpecOpts {
+ 	return func(_ context.Context, _ oci.Client, _ *containers.Container, s *specs.Spec) error {
+ 		if err := LoadDefaultProfile(name); err != nil {
+diff -Naur a/contrib/seccomp/seccomp.go b/contrib/seccomp/seccomp.go
+--- a/contrib/seccomp/seccomp.go	2024-02-09 13:19:03.000000000 +0000
++++ b/contrib/seccomp/seccomp.go	2024-02-22 00:49:25.471844786 +0000
+@@ -30,6 +30,11 @@
+ // WithProfile receives the name of a file stored on disk comprising a json
+ // formatted seccomp profile, as specified by the opencontainers/runtime-spec.
+ // The profile is read from the file, unmarshaled, and set to the spec.
++//
++// FIXME: pkg/cri/[sb]server/container_create_linux_test.go depends on go:noinline
++// since Go 1.21.
++//
++//go:noinline
+ func WithProfile(profile string) oci.SpecOpts {
+ 	return func(_ context.Context, _ oci.Client, _ *containers.Container, s *specs.Spec) error {
+ 		s.Linux.Seccomp = &specs.LinuxSeccomp{}
+@@ -46,6 +51,11 @@
+ 
+ // WithDefaultProfile sets the default seccomp profile to the spec.
+ // Note: must follow the setting of process capabilities
++//
++// FIXME: pkg/cri/[sb]server/container_create_linux_test.go depends on go:noinline
++// since Go 1.21.
++//
++//go:noinline
+ func WithDefaultProfile() oci.SpecOpts {
+ 	return func(_ context.Context, _ oci.Client, _ *containers.Container, s *specs.Spec) error {
+ 		s.Linux.Seccomp = DefaultProfile(s)

SPECS/moby-containerd-cc/moby-containerd-cc.spec

@@ -6,7 +6,7 @@
 Summary: Industry-standard container runtime for confidential containers
 Name: moby-%{upstream_name}
 Version: 1.7.7
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: ASL 2.0
 Group: Tools/Container
 URL: https://www.containerd.io
@@ -18,6 +18,7 @@ Source1: containerd.service
 Source2: containerd.toml
 Patch0: CVE-2023-47108.patch
 Patch1: CVE-2023-44487.patch
+Patch2: fix_cc_tests_for_golang1.21.patch
 
 %{?systemd_requires}
 
@@ -79,6 +80,9 @@ fi
 %config(noreplace) %{_sysconfdir}/containerd/config.toml
 
 %changelog
+* Wed Feb 21 2024 Henry Beberman <[email protected]> - 1.7.7-2
+- Backport upstream patch for no-inlining seccomp and apparmor functions to fix tests.
+
 * Tue Feb 20 2024 Mitch Zhu <[email protected]> - 1.7.7-1
 - Upgrade to upstream containerd v1.7.7.
 

SPECS/moby-containerd/fix_tests_for_golang1.21.patch

@@ -0,0 +1,47 @@
+Backported from upstream 5d9bf7d1398f645882e5c2becc7815daa1770c26
+
+Signed-off-by: Akihiro Suda <[email protected]>
+Signed-off-by: Henry Beberman <[email protected]>
+
+diff -Naur a/contrib/apparmor/apparmor.go b/contrib/apparmor/apparmor.go
+--- a/contrib/apparmor/apparmor.go	2023-12-08 23:30:22.000000000 +0000
++++ b/contrib/apparmor/apparmor.go	2024-02-21 23:33:58.302514996 +0000
+@@ -40,6 +40,11 @@
+ 
+ // WithDefaultProfile will generate a default apparmor profile under the provided name
+ // for the container.  It is only generated if a profile under that name does not exist.
++//
++// FIXME: pkg/cri/[sb]server/container_create_linux_test.go depends on go:noinline
++// since Go 1.21.
++//
++//go:noinline
+ func WithDefaultProfile(name string) oci.SpecOpts {
+ 	return func(_ context.Context, _ oci.Client, _ *containers.Container, s *specs.Spec) error {
+ 		if err := LoadDefaultProfile(name); err != nil {
+diff -Naur a/contrib/seccomp/seccomp.go b/contrib/seccomp/seccomp.go
+--- a/contrib/seccomp/seccomp.go	2023-12-08 23:30:22.000000000 +0000
++++ b/contrib/seccomp/seccomp.go	2024-02-21 23:34:20.362648277 +0000
+@@ -30,6 +30,11 @@
+ // WithProfile receives the name of a file stored on disk comprising a json
+ // formatted seccomp profile, as specified by the opencontainers/runtime-spec.
+ // The profile is read from the file, unmarshaled, and set to the spec.
++//
++// FIXME: pkg/cri/[sb]server/container_create_linux_test.go depends on go:noinline
++// since Go 1.21.
++//
++//go:noinline
+ func WithProfile(profile string) oci.SpecOpts {
+ 	return func(_ context.Context, _ oci.Client, _ *containers.Container, s *specs.Spec) error {
+ 		s.Linux.Seccomp = &specs.LinuxSeccomp{}
+@@ -46,6 +51,11 @@
+ 
+ // WithDefaultProfile sets the default seccomp profile to the spec.
+ // Note: must follow the setting of process capabilities
++//
++// FIXME: pkg/cri/[sb]server/container_create_linux_test.go depends on go:noinline
++// since Go 1.21.
++//
++//go:noinline
+ func WithDefaultProfile() oci.SpecOpts {
+ 	return func(_ context.Context, _ oci.Client, _ *containers.Container, s *specs.Spec) error {
+ 		s.Linux.Seccomp = DefaultProfile(s)

SPECS/moby-containerd/moby-containerd.spec

@@ -5,7 +5,7 @@
 Summary: Industry-standard container runtime
 Name: moby-%{upstream_name}
 Version: 1.6.26
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: ASL 2.0
 Group: Tools/Container
 URL: https://www.containerd.io
@@ -17,6 +17,7 @@ Source1: containerd.service
 Source2: containerd.toml
 Patch0:  Makefile.patch
 Patch1:  add_ptrace_readby_tracedby_to_apparmor.patch
+Patch2:  fix_tests_for_golang1.21.patch
 
 %{?systemd_requires}
 
@@ -90,6 +91,9 @@ fi
 %dir /opt/containerd/lib
 
 %changelog
+* Wed Feb 21 2024 Henry Beberman <[email protected]> - 1.6.26-4
+- Backport upstream patch for no-inlining seccomp and apparmor functions to fix tests.
+
 * Fri Feb 02 2024 CBL-Mariner Servicing Account <[email protected]> - 1.6.26-3
 - Bump release to rebuild with go 1.21.6