deps: upgrade to runc v1.1.3

.changelog/13900.txt

+```release-note:improvement
+deps: Updated runc dependency to v1.1.3'
+```

client/lib/cgutil/cgutil_linux.go

@@ -78,9 +78,7 @@ func ConfigureBasicCgroups(config *lcc.Config) error {
 	if err = os.MkdirAll(path, 0755); err != nil {
 		return err
 	}
-	config.Cgroups.Paths = map[string]string{
-		subsystem: path,
-	}
+	config.Cgroups.Path = path
 	return nil
 }
 

client/lib/cgutil/cpuset_manager_v1.go

@@ -299,16 +299,18 @@ func (c *cpusetManagerV1) signalReconcile() {
 }
 
 func (c *cpusetManagerV1) getCpuset(group string) (cpuset.CPUSet, error) {
-	man := fs.NewManager(
+	man, err := fs.NewManager(
 		&configs.Cgroup{
 			Path: filepath.Join(c.cgroupParent, group),
 		},
 		map[string]string{"cpuset": filepath.Join(c.cgroupParentPath, group)},
-		false,
 	)
+	if err != nil {
+		return cpuset.Empty, err
+	}
 	stats, err := man.GetStats()
 	if err != nil {
-		return cpuset.CPUSet{}, err
+		return cpuset.Empty, err
 	}
 	return cpuset.New(stats.CPUSetStats.CPUs...), nil
 }
@@ -332,7 +334,10 @@ func getCPUsFromCgroupV1(group string) ([]uint16, error) {
 		return nil, err
 	}
 
-	man := fs.NewManager(&configs.Cgroup{Path: group}, map[string]string{"cpuset": cgroupPath}, false)
+	man, err := fs.NewManager(&configs.Cgroup{Path: group}, map[string]string{"cpuset": cgroupPath})
+	if err != nil {
+		return nil, err
+	}
 	stats, err := man.GetStats()
 	if err != nil {
 		return nil, err

client/lib/cgutil/cpuset_manager_v2.go

@@ -31,10 +31,6 @@ const (
 	// in case for e.g. Nomad tasks should be further constrained by an externally
 	// configured systemd cgroup.
 	DefaultCgroupParentV2 = "nomad.slice"
-
-	// rootless is (for now) always false; Nomad clients require root, so we
-	// assume to not need to do the extra plumbing for rootless cgroups.
-	rootless = false
 )
 
 // nothing is used for treating a map like a set with no values
@@ -145,7 +141,7 @@ func (c *cpusetManagerV2) CgroupPathFor(allocID, task string) CgroupPathGetter {
 
 		for {
 			path := c.pathOf(makeID(allocID, task))
-			mgr, err := fs2.NewManager(nil, path, rootless)
+			mgr, err := fs2.NewManager(nil, path)
 			if err != nil {
 				return "", err
 			}
@@ -239,7 +235,7 @@ func (c *cpusetManagerV2) pathOf(id identity) string {
 // We avoid removing a cgroup if it still contains a PID, as the cpuset manager
 // may be initially empty on a Nomad client restart.
 func (c *cpusetManagerV2) remove(path string) {
-	mgr, err := fs2.NewManager(nil, path, rootless)
+	mgr, err := fs2.NewManager(nil, path)
 	if err != nil {
 		c.logger.Warn("failed to create manager", "path", path, "err", err)
 		return
@@ -267,7 +263,7 @@ func (c *cpusetManagerV2) write(id identity, set cpuset.CPUSet) {
 	path := c.pathOf(id)
 
 	// make a manager for the cgroup
-	m, err := fs2.NewManager(nil, path, rootless)
+	m, err := fs2.NewManager(nil, path)
 	if err != nil {
 		c.logger.Error("failed to manage cgroup", "path", path, "err", err)
 	}
@@ -288,7 +284,7 @@ func (c *cpusetManagerV2) write(id identity, set cpuset.CPUSet) {
 // ensureParentCgroup will create parent cgroup for the manager if it does not
 // exist yet. No PIDs are added to any cgroup yet.
 func (c *cpusetManagerV2) ensureParent() error {
-	mgr, err := fs2.NewManager(nil, c.parentAbs, rootless)
+	mgr, err := fs2.NewManager(nil, c.parentAbs)
 	if err != nil {
 		return err
 	}

client/lib/cgutil/group_killer.go

@@ -60,7 +60,7 @@ func (d *killer) v1(cgroup *configs.Cgroup) error {
 	}
 
 	// the actual path to our tasks freezer cgroup
-	path := cgroup.Paths[freezer]
+	path := cgroup.Path
 
 	d.logger.Trace("killing processes", "cgroup_path", path, "cgroup_version", "v1", "executor_pid", d.pid)
 
@@ -109,7 +109,7 @@ func (d *killer) v2(cgroup *configs.Cgroup) error {
 
 	d.logger.Trace("killing processes", "cgroup_path", path, "cgroup_version", "v2", "executor_pid", d.pid, "existing_pids", existingPIDs)
 
-	mgr, err := fs2.NewManager(cgroup, "", rootless)
+	mgr, err := fs2.NewManager(cgroup, "")
 	if err != nil {
 		return fmt.Errorf("failed to create v2 cgroup manager: %w", err)
 	}
@@ -117,7 +117,7 @@ func (d *killer) v2(cgroup *configs.Cgroup) error {
 	// move executor PID into the root init.scope so we can kill the task pids
 	// without killing the executor (which is the process running this code, doing
 	// the killing)
-	init, err := fs2.NewManager(nil, filepath.Join(CgroupRoot, "init.scope"), rootless)
+	init, err := fs2.NewManager(nil, filepath.Join(CgroupRoot, "init.scope"))
 	if err != nil {
 		return fmt.Errorf("failed to create v2 init cgroup manager: %w", err)
 	}

client/lib/resources/containment_linux.go

@@ -15,6 +15,10 @@ import (
 	"github.com/opencontainers/runc/libcontainer/configs"
 )
 
+const (
+	freezerSubsystem = "freezer"
+)
+
 type containment struct {
 	lock   sync.RWMutex
 	cgroup *configs.Cgroup
@@ -36,7 +40,7 @@ func (c *containment) Apply(pid int) error {
 
 	// for v2 use manager to create and enter the cgroup
 	if cgutil.UseV2 {
-		mgr, err := fs2.NewManager(c.cgroup, "", false)
+		mgr, err := fs2.NewManager(c.cgroup, "")
 		if err != nil {
 			return fmt.Errorf("failed to create v2 cgroup manager for containment: %w", err)
 		}
@@ -55,7 +59,7 @@ func (c *containment) Apply(pid int) error {
 	}
 
 	// for v1 a random cgroup was created already; just enter it
-	if err := cgroups.EnterPid(c.cgroup.Paths, pid); err != nil {
+	if err := cgroups.EnterPid(map[string]string{freezerSubsystem: c.cgroup.Path}, pid); err != nil {
 		return fmt.Errorf("failed to add pid to v1 cgroup: %w", err)
 	}
 
@@ -89,7 +93,7 @@ func (c *containment) GetPIDs() PIDs {
 	if cgutil.UseV2 {
 		path = filepath.Join(cgutil.CgroupRoot, c.cgroup.Path)
 	} else {
-		path = c.cgroup.Paths["freezer"]
+		path = c.cgroup.Path
 	}
 
 	// find the pids in the cgroup under containment

drivers/shared/executor/executor_linux.go

@@ -98,7 +98,6 @@ func (l *LibcontainerExecutor) Launch(command *ExecCommand) (*ProcessState, erro
 	// create a new factory which will store the container state in the allocDir
 	factory, err := libcontainer.New(
 		path.Join(command.TaskDir, "../alloc/container"),
-		libcontainer.Cgroupfs,
 		// note that os.Args[0] refers to the executor shim typically
 		// and first args arguments is ignored now due
 		// until https://github.com/opencontainers/runc/pull/1888 is merged

drivers/shared/executor/executor_universal_linux.go

@@ -122,7 +122,7 @@ func (e *UniversalExecutor) configureResourceContainer(pid int) error {
 				"error", err)
 			return nil
 		}
-		path := cfg.Cgroups.Paths["freezer"]
+		path := cfg.Cgroups.Path
 		e.logger.Trace("cgroup created, now need to apply", "path", path)
 		e.containment = resources.Contain(e.logger, cfg.Cgroups)
 		return e.containment.Apply(pid)

go.mod

@@ -100,7 +100,7 @@ require (
 	github.com/moby/sys/mount v0.3.0
 	github.com/moby/sys/mountinfo v0.6.0
 	github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6
-	github.com/opencontainers/runc v1.0.3
+	github.com/opencontainers/runc v1.1.3
 	github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
 	github.com/posener/complete v1.2.3
 	github.com/prometheus/client_golang v1.12.0
@@ -160,7 +160,6 @@ require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
 	github.com/bgentry/speakeasy v0.1.0 // indirect
-	github.com/bits-and-blooms/bitset v1.2.0 // indirect
 	github.com/bmatcuk/doublestar v1.1.5 // indirect
 	github.com/boltdb/bolt v1.3.1 // indirect
 	github.com/brianvoe/gofakeit/v6 v6.16.0
@@ -246,7 +245,7 @@ require (
 	github.com/prometheus/procfs v0.7.3 // indirect
 	github.com/renier/xmlrpc v0.0.0-20170708154548-ce4a1a486c03 // indirect
 	github.com/rogpeppe/go-internal v1.6.1 // indirect
-	github.com/seccomp/libseccomp-golang v0.9.2-0.20210429002308-3879420cc921 // indirect
+	github.com/seccomp/libseccomp-golang v0.9.2-0.20220502022130-f33da4d89646 // indirect
 	github.com/sirupsen/logrus v1.8.1 // indirect
 	github.com/softlayer/softlayer-go v0.0.0-20180806151055-260589d94c7d // indirect
 	github.com/stretchr/objx v0.4.0 // indirect

go.sum

@@ -181,7 +181,6 @@ github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d/go.mod h1:6QX/PXZ
 github.com/bgentry/speakeasy v0.1.0 h1:ByYyxL9InA1OWqxJqqp2A5pYHUrCiAL6K3J+LKSsQkY=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
 github.com/bitly/go-simplejson v0.5.0/go.mod h1:cXHtHw4XUPsvGaxgjIAn8PhEWG9NfngEKAMDJEczWVA=
-github.com/bits-and-blooms/bitset v1.2.0 h1:Kn4yilvwNtMACtf1eYDlG8H77R07mZSPbMjLyS07ChA=
 github.com/bits-and-blooms/bitset v1.2.0/go.mod h1:gIdJ4wp64HaoK2YrL1Q5/N7Y16edYb8uY+O0FJTyyDA=
 github.com/blang/semver v3.1.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
 github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
@@ -224,6 +223,7 @@ github.com/cilium/ebpf v0.0.0-20200702112145-1c8d4c9ef775/go.mod h1:7cR51M8ViRLI
 github.com/cilium/ebpf v0.2.0/go.mod h1:To2CFviqOWL/M0gIMsvSMlqe7em/l1ALkX1PyjrX2Qs=
 github.com/cilium/ebpf v0.4.0/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
 github.com/cilium/ebpf v0.6.2/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
+github.com/cilium/ebpf v0.7.0/go.mod h1:/oI2+1shJiTGAMgl6/RgJr36Eo1jzrRcAWbcXO2usCA=
 github.com/cilium/ebpf v0.8.1 h1:bLSSEbBLqGPXxls55pGr5qWZaTqcmfDJHhou7t254ao=
 github.com/cilium/ebpf v0.8.1/go.mod h1:f5zLIM0FSNuAkSyLAN7X+Hy6yznlF1mNiWUMfxMtrgk=
 github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible h1:C29Ae4G5GtYyYMm1aztcyj/J5ckgJm2zwdDajFbx1NY=
@@ -514,6 +514,7 @@ github.com/godbus/dbus v0.0.0-20180201030542-885f9cc04c9c/go.mod h1:/YcGZj5zSblf
 github.com/godbus/dbus v0.0.0-20190422162347-ade71ed3457e/go.mod h1:bBOAhwG1umN6/6ZUMtDFBMQR8jRg9O75tm9K00oMsK4=
 github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/godbus/dbus/v5 v5.0.6/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
 github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gogo/googleapis v1.2.0/go.mod h1:Njal3psf3qN6dwBtQfUmBZh2ybovJ0tlu3o/AC7HYjU=
@@ -1060,8 +1061,8 @@ github.com/opencontainers/runc v1.0.0-rc8.0.20190926000215-3e425f80a8c9/go.mod h
 github.com/opencontainers/runc v1.0.0-rc9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
 github.com/opencontainers/runc v1.0.0-rc93/go.mod h1:3NOsor4w32B2tC0Zbl8Knk4Wg84SM2ImC1fxBuqJ/H0=
 github.com/opencontainers/runc v1.0.2/go.mod h1:aTaHFFwQXuA71CiyxOdFFIorAoemI04suvGRQFzWTD0=
-github.com/opencontainers/runc v1.0.3 h1:1hbqejyQWCJBvtKAfdO0b1FmaEf2z/bxnjqbARass5k=
-github.com/opencontainers/runc v1.0.3/go.mod h1:aTaHFFwQXuA71CiyxOdFFIorAoemI04suvGRQFzWTD0=
+github.com/opencontainers/runc v1.1.3 h1:vIXrkId+0/J2Ymu2m7VjGvbSlAId9XNRPhn2p4b+d8w=
+github.com/opencontainers/runc v1.1.3/go.mod h1:1J5XiS+vdZ3wCyZybsuxXZWGrgSr8fFJHLXuG2PsnNg=
 github.com/opencontainers/runtime-spec v0.1.2-0.20190507144316-5b71a03e2700/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-spec v1.0.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-spec v1.0.2-0.20190207185410-29686dbc5559/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
@@ -1170,8 +1171,8 @@ github.com/sclevine/agouti v3.0.0+incompatible/go.mod h1:b4WX9W9L1sfQKXeJf1mUTLZ
 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529 h1:nn5Wsu0esKSJiIVhscUtVbo7ada43DJhG55ua/hjS5I=
 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
 github.com/seccomp/libseccomp-golang v0.9.1/go.mod h1:GbW5+tmTXfcxTToHLXlScSlAvWlF4P2Ca7zGrPiEpWo=
-github.com/seccomp/libseccomp-golang v0.9.2-0.20210429002308-3879420cc921 h1:58EBmR2dMNL2n/FnbQewK3D14nXr0V9CObDSvMJLq+Y=
-github.com/seccomp/libseccomp-golang v0.9.2-0.20210429002308-3879420cc921/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg=
+github.com/seccomp/libseccomp-golang v0.9.2-0.20220502022130-f33da4d89646 h1:RpforrEYXWkmGwJHIGnLZ3tTWStkjVVstwzNGqxX2Ds=
+github.com/seccomp/libseccomp-golang v0.9.2-0.20220502022130-f33da4d89646/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg=
 github.com/sergi/go-diff v1.0.0 h1:Kpca3qRNrduNnOQeazBd0ysaKrUJiIuISHxogkT9RPQ=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
 github.com/shirou/gopsutil v0.0.0-20181107111621-48177ef5f880/go.mod h1:5b4v6he4MtMOwMlS0TUMTu2PcXUg8+E1lC7eC3UO/RA=
@@ -1588,6 +1589,7 @@ golang.org/x/sys v0.0.0-20210917161153-d61c044b1678/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211013075003-97ac67df715c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220517195934-5e4e11fc645e h1:w36l2Uw3dRan1K3TyXriXvY+6T56GNmlKGcqiQUJDfM=
 golang.org/x/sys v0.0.0-20220517195934-5e4e11fc645e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

lib/cpuset/cpuset.go

@@ -9,6 +9,12 @@ import (
 	"strings"
 )
 
+// Empty represents an empty CPUSet.
+// Always use .Equals to compare with this value.
+//
+// Do not modify this value.
+var Empty = New()
+
 // CPUSet is a set like object that provides methods helpful when working with cpus with systems
 // such as the Linux cpuset cgroup subsystem. A CPUSet is immutable and can be safely accessed concurrently.
 type CPUSet struct {