further reduce uses of libcontainer and update runc v1.0.0-rc93

[thaJeztah]

depends on:

• pkg/cri/server: remove dependency on libcontainer/apparmor, libcontainer/utils #4715 pkg/cri/server: remove dependency on libcontainer/apparmor, libcontainer/utils
• libcontainer: isolate libcontainer/devices opencontainers/runc#2679 libcontainer: isolate libcontainer/devices

After this, we only vendor:

• libcontainer/user
  • used in oci/spec_opts.go (perhaps this is something to move to runtime-spec?)
• libcontainer/devices
  • devices.HostDevices() (used in a single test in pkg/cri/server/container_create_linux_test.go)
  • devices.DeviceFromPath(() (used in a single location; pkg/cri/opts/spec_linux.go)
• libcontainer/nsenter ("fake" dependency; pulled in because it contains C code)

The updated version of runc and gocapability add support for new capabilities
added in kernel 5.9 (syndtr/gocapability@d983527...42c35b4)

• CAP_PERFMON
• CAP_BPF
• CAP_CHECKPOINT_RESTORE

[k8s-ci-robot]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[theopenlab-ci]

Build succeeded.

• containerd-build-arm64 : FAILURE in 5m 46s (non-voting)

[thaJeztah]

Hmm.. something failing; perhaps it doesn't deal well with the fork?

fatal: reference is not a tree: c7f874992f5322b2783580edef6ba6ae3e4aaa6e
Error: Process completed with exit code 128.

[thaJeztah]

We need to check these scripts; I've been bit by similar approaches in docker/docker (given, those didn't use vendoring)

go get -d will use go modules to get the dependency, and therefore first get go modules from master, before switching to the selected commit, which sometimes may cause unexpected results (see moby/moby#41560)

[theopenlab-ci]

Build succeeded.

• containerd-build-arm64 : FAILURE in 7m 29s (non-voting)

[theopenlab-ci]

Build succeeded.

• containerd-build-arm64 : FAILURE in 5m 53s (non-voting)

[thaJeztah]

Interesting; are machined on GH Actions not cleaned up between builds?

Bringing machine 'default' up with 'virtualbox' provider...
==> default: Checking if box 'fedora/32-cloud-base' version '32.20200422.0' is up to date...
==> default: Running provisioner: install-runc (shell)...
    default: Running: inline script
    default: + /root/go/src/github.com/containerd/containerd/script/setup/install-runc
    default: fatal: destination path '/root/go/src/github.com/opencontainers/runc' already exists and is not an empty directory.
The SSH command responded with a non-zero exit status. Vagrant
assumes that this means the command failed. The output for this command
should be in the log above. Please read the output to determine what
went wrong.
Error: Process completed with exit code 1.

[theopenlab-ci]

Build succeeded.

• containerd-build-arm64 : SUCCESS in 6m 13s (non-voting)

[theopenlab-ci]

Build succeeded.

• containerd-build-arm64 : FAILURE in 6m 02s (non-voting)

[theopenlab-ci]

Build succeeded.

• containerd-build-arm64 : SUCCESS in 6m 19s (non-voting)

[thaJeztah]

Interesting; https://github.com/containerd/containerd/pull/4717/checks?check_run_id=1423934789

 /usr/bin/install -c -m 644 libseccomp.pc '/usr/local/lib/pkgconfig'
+ ldconfig
+ rm -rf /tmp/tmp.QeIT0Nsktc
Cloning into '/home/runner/work/containerd/containerd/src/github.com/opencontainers/runc'...
fatal: protocol 'temporarily
https' is not supported
Error: Process completed with exit code 128.

"protocol 'temporarily https' is not supported" 🤔

edit: well, of course, I know 😂

It's attempting to parse vendor.conf, and uses this line to vendor a dependency:

# FIXME temporarily vendoring from my fork (https://github.com/opencontainers/runc/pull/2679)
github.com/opencontainers/runc                      isolate_device https://github.com/thaJeztah/runc.git

[theopenlab-ci]

Build succeeded.

• containerd-build-arm64 : SUCCESS in 5m 50s (non-voting)

[thaJeztah]

Hmmm... looks like something doesn't cleanup between runs

Bringing machine 'default' up with 'virtualbox' provider...
==> default: Checking if box 'fedora/32-cloud-base' version '32.20200422.0' is up to date...
==> default: Running provisioner: install-runc (shell)...
    default: Running: inline script
    default: + /root/go/src/github.com/containerd/containerd/script/setup/install-runc
    default: fatal: destination path '/root/go/src/github.com/opencontainers/runc' already exists and is not an empty directory.
The SSH command responded with a non-zero exit status. Vagrant
assumes that this means the command failed. The output for this command
should be in the log above. Please read the output to determine what
went wrong.
Error: Process completed with exit code 1.

[AkihiroSuda]

opencontainers/runc#2679 is now merged

[theopenlab-ci]

Build succeeded.

• containerd-build-arm64 : FAILURE in 3m 28s (non-voting)

[theopenlab-ci]

Build succeeded.

• containerd-build-arm64 : SUCCESS in 5m 55s (non-voting)

[theopenlab-ci]

Build succeeded.

• containerd-build-arm64 : SUCCESS in 5m 51s (non-voting)

[AkihiroSuda]

Is this still draft?

[thaJeztah]

After this; dependency on runc vendoring is reduced to;

$ tree vendor/github.com/opencontainers/runc/

vendor/github.com/opencontainers/runc/
├── LICENSE
├── NOTICE
└── libcontainer
    ├── devices
    │   ├── device.go
    │   ├── device_unix.go
    │   ├── device_windows.go
    │   └── devices.go
    └── user
        ├── MAINTAINERS
        ├── lookup.go
        ├── lookup_unix.go
        ├── lookup_windows.go
        └── user.go

3 directories, 11 files

[theopenlab-ci]

Build succeeded.

• containerd-build-arm64 : NODE_FAILURE in 0s (non-voting)

[estesp]

LGTM

[estesp]

almost passed :( test timeout as it just didn't finish by 10m inside the Fedora-in-vagrant-on-macOS 🤓

[thaJeztah]

Does it need a longer timeout? Don't think we can restart only a single job, correct?

[thaJeztah]

/retest

[dims]

LGTM

the failed CI job seems be because of a bad download

2021-02-04T17:00:59.5843050Z     default: Downloading: https://vagrantcloud.com/fedora/boxes/33-cloud-base/versions/33.20201019.0/providers/virtualbox.box
2021-02-04T17:00:59.6362490Z 
2021-02-04T17:00:59.7170450Z �[KProgress: 0% (Rate: 0*/s, Estimated time remaining: --:--:--)
2021-02-04T17:00:59.7172020Z �[KDownload redirected to host: download.fedoraproject.org
2021-02-04T17:00:59.7708170Z 
2021-02-04T17:00:59.9694180Z �[KProgress: 100% (Rate: 1766/s, Estimated time remaining: --:--:--)
2021-02-04T17:01:00.0522640Z �[KProgress: 0% (Rate: 0/s, Estimated time remaining: --:--:--)
2021-02-04T17:01:00.0713810Z An error occurred while downloading the remote file. The error
2021-02-04T17:01:00.0714940Z message, if any, is reproduced below. Please fix this error and try
2021-02-04T17:01:00.0715840Z again.
2021-02-04T17:01:00.0716320Z 
2021-02-04T17:01:00.0716840Z The requested URL returned error: 404 Not Found

[thaJeztah]

ah, yes, the runc maintainers also ran into intermittent 404's for fedora; opencontainers/runc#2787

[thaJeztah]

opened #4999 to add the same hack