Remove references to apparmor and selinux buildtags for runc

From the runc v1.0.0-rc93 release notes: > The "selinux" and "apparmor" buildtags have been removed, and now all runc > builds will have SELinux and AppArmor support enabled. Note that "seccomp" > is still optional (though we very highly recommend you enable it). Also adding a note about kmem support. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
containerd · Mar 10, 2021 · b89a63a · b89a63a
1 parent 17ab5dd
commit b89a63a
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 8 deletions.
diff --git a/BUILDING.md b/BUILDING.md
@@ -209,9 +209,12 @@ Next, let's build `runc`:
 
 ```sh
 cd /go/src/github.com/opencontainers/runc
-make BUILDTAGS='seccomp apparmor selinux' && make install
+make && make install
 ```
 
+For further details about building runc, refer to [RUNC.md](docs/RUNC.md) in the
+docs directory.
+
 When working with `ctr`, the simple test client we just built, don't forget to start the daemon!
 
 ```sh

diff --git a/docs/RUNC.md b/docs/RUNC.md
@@ -10,16 +10,26 @@ Note: before building you may need to install additional support, which will var
 
 From within your `opencontainers/runc` repository run:
 
-### apparmor
-
 ```bash
-make BUILDTAGS='seccomp apparmor' && sudo make install
+make && sudo make install
 ```
 
-### selinux
+Starting with runc 1.0.0-rc93, the "selinux" and "apparmor" buildtags have been
+removed, and runc builds have SELinux, AppArmor, and seccomp support enabled
+by default. Note that "seccomp" can be disabled by passing an empty `BUILDTAGS`
+make variable, but is highly recommended to keep enabled.
 
-```bash
-make BUILDTAGS='seccomp selinux' && sudo make install
+By default, runc is compiled with kernel-memory limiting support enabled. This
+functionality is deprecated in kernel 5.4 and up, and is known to be broken on
+RHEL7 and CentOS 7 3.10 kernels. For these kernels, we recommend disabling kmem
+support using the `nokmem` build-tag. When doing so, be sure to set the `seccomp`
+build-tag to enable seccomp support, for example:
+
+```sh
+make BUILDTAGS='nokmem seccomp' && make install
 ```
 
+For details about the `nokmem` build-tag, refer to [opencontainers/runc#2594](https://github.com/opencontainers/runc/pull/2594).
+For further details on building runc, refer to the [build instructions in the runc README](https://github.com/opencontainers/runc#building).
+
 After an official runc release we will start pinning containerd support to a specific version but various development and testing features may require a newer runc version than the latest release.  If you encounter any runtime errors, please make sure your runc is in sync with the commit/tag provided in this document.
diff --git a/script/setup/install-runc b/script/setup/install-runc
@@ -27,7 +27,7 @@ function install_runc() {
 	git clone https://github.com/opencontainers/runc.git "${TMPROOT}"/runc
 	pushd "${TMPROOT}"/runc
 	git checkout "${RUNC_COMMIT}"
-	make BUILDTAGS='apparmor seccomp selinux' runc
+	make runc
 	make install
 	popd
 	rm -fR "${TMPROOT}"