Merge branch 'extend-seccomp-program' of github.com:sat0ken/youki into extend-seccomp-program

Author: sat0ken

.devcontainer/Dockerfile

@@ -14,25 +14,41 @@ EOF
 
 RUN <<EOF
 apt-get update
+
+# For building
 apt-get install -y \
-  # For building
   build-essential \
   git \
   libclang-dev \
   libelf-dev \
   libseccomp-dev \
   libssl-dev \
   libsystemd-dev \
-  pkg-config \
-  # For debugging
-  bpftrace \
-  podman
+  pkg-config
+
+# For debugging
+apt-get install -y \
+  podman \
+  bpftrace
+
+# Since systemd is not running inside the Dev Container,
+# but the default events_logger for podman is set to journald, container startup fails.
+# Therefore, change it to file.
+sudo sed -i 's/^# events_logger = "journald"/events_logger = "file"/' /usr/share/containers/containers.conf
 
 curl --proto '=https' --tlsv1.2 -sSf https://just.systems/install.sh | bash -s -- --to /usr/bin
 
+curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
+chmod +x kubectl
+mv ./kubectl /usr/bin/kubectl
+
 # nightly build is required for `cargo fmt` as `rustfmt.toml` uses unstable features.
 curl https://sh.rustup.rs -sSf | sh -s -- -y
 rustup install nightly
 rustup component add rustfmt
 rustup component add clippy 
+
+# Install mdbook
+VERSION=$(curl -sSfL https://api.github.com/repos/rust-lang/mdBook/releases/latest | jq -r .tag_name)
+curl -sSfL https://github.com/rust-lang/mdBook/releases/download/$VERSION/mdbook-$VERSION-$(uname -m)-unknown-linux-musl.tar.gz | tar -xzvC /usr/bin/ mdbook
 EOF

.devcontainer/devcontainer-lock.json

@@ -0,0 +1,14 @@
+{
+  "features": {
+    "ghcr.io/devcontainers/features/common-utils:2": {
+      "version": "2.5.4",
+      "resolved": "ghcr.io/devcontainers/features/common-utils@sha256:00fd45550f578d9d515044d9e2226e908dbc3d7aa6fcb9dee4d8bdb60be114cf",
+      "integrity": "sha256:00fd45550f578d9d515044d9e2226e908dbc3d7aa6fcb9dee4d8bdb60be114cf"
+    },
+    "ghcr.io/devcontainers/features/docker-in-docker:2": {
+      "version": "2.12.2",
+      "resolved": "ghcr.io/devcontainers/features/docker-in-docker@sha256:842d2ed40827dc91b95ef727771e170b0e52272404f00dba063cee94eafac4bb",
+      "integrity": "sha256:842d2ed40827dc91b95ef727771e170b0e52272404f00dba063cee94eafac4bb"
+    }
+  }
+}

.devcontainer/devcontainer.json

@@ -1,36 +1,34 @@
 {
 	"name": "Youki",
-	"extensions": [
-		"rust-analyzer"
-	],
-    "features": {
-        "ghcr.io/devcontainers/features/docker-in-docker:2": {}
-    },
-    "customizations": {
+	"features": {
+		"ghcr.io/devcontainers/features/docker-in-docker:2": {}
+	},
+	"customizations": {
 		"vscode": {
-			"settings": { 
+			"settings": {
 				"lldb.executable": "/usr/bin/lldb",
 				"files.watcherExclude": {
 					"**/target/**": true
 				},
-				"rust-analyzer.checkOnSave.command": "clippy"
+				"rust-analyzer.check": {
+					"command": "clippy"
+				}
 			},
-			
 			"extensions": [
 				"vadimcn.vscode-lldb",
 				"mutantdino.resourcemonitor",
 				"rust-lang.rust-analyzer",
 				"tamasfe.even-better-toml",
-				"serayuzgur.crates"
+				"fill-labs.dependi"
 			]
 		}
 	},
 	"privileged": true,
-    "runArgs": [
-        "--name",
-        "youki-devcontainer"
-    ],
-    "build": {
+	"runArgs": [
+		"--name",
+		"youki-devcontainer"
+	],
+	"build": {
 		"dockerfile": "Dockerfile"
 	}
 }

.github/workflows/basic.yml

@@ -11,29 +11,72 @@ on:
 
 jobs:
   changes:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 15
     outputs:
       any_modified: ${{ steps.filter.outputs.any_modified }}
     steps:
       - uses: actions/checkout@v4
-      - uses: tj-actions/changed-files@v41
-        id: filter
         with:
-          files_ignore: |
-            docs
-            LICENSE
-            **.md
+          fetch-depth: 0  # Required to get full history
+      # Using Git commands instead of tj-actions/changed-files
+      - name: Get changed files
+        id: filter
+        run: |
+          # grep will exit with non-zero if no matching pattern
+          # but we are ok with that, so to prevent workflow failing
+          # we set allow errors
+          set +e 
+
+          # Change the base commit depending on event type
+          if [[ "${{ github.event_name }}" == "push" ]]; then
+            # For push events
+            if [[ -n "${{ github.event.before }}" ]]; then
+              BASE_COMMIT="${{ github.event.before }}"
+            else
+              # For workflow dispatch, etc.
+              git fetch origin main --depth=1
+              BASE_COMMIT="origin/main"
+            fi
+          elif [[ "${{ github.event_name }}" == "pull_request" ]]; then
+            # For pull request events
+            git fetch origin "${{ github.base_ref }}" --depth=1
+            BASE_COMMIT="origin/${{ github.base_ref }}"
+          else
+            # For workflow dispatch events
+            git fetch origin main --depth=1
+            BASE_COMMIT="HEAD~1"
+          fi
+          
+          echo "Using base commit: $BASE_COMMIT"
+          
+          # Get changed files and filter out the ones to ignore
+          ALL_CHANGED_FILES=$(git diff --name-only --diff-filter=ACMRT "$BASE_COMMIT" HEAD)
+          FILTERED_FILES=$(echo "$ALL_CHANGED_FILES" | grep -v -E '^docs/|^LICENSE$|\.md$')
+          
+          # Set the results
+          if [[ -n "$FILTERED_FILES" ]]; then
+            echo "any_modified=true" >> $GITHUB_OUTPUT
+            echo "all_modified_files<<EOF" >> $GITHUB_OUTPUT
+            echo "$FILTERED_FILES" >> $GITHUB_OUTPUT
+            echo "EOF" >> $GITHUB_OUTPUT
+          else
+            echo "any_modified=false" >> $GITHUB_OUTPUT
+            echo "all_modified_files=" >> $GITHUB_OUTPUT
+          fi
       - name: List all changed files
         run: |
-          for file in ${{ steps.filter.outputs.all_modified_files }}; do
-            echo "$file was changed"
-          done
+          if [[ "${{ steps.filter.outputs.any_modified }}" == "true" ]]; then
+            echo "Changed files detected:"
+            echo "${{ steps.filter.outputs.all_modified_files }}"
+          else
+            echo "No relevant changes detected"
+          fi
 
   check:
     needs: [changes]
     if: needs.changes.outputs.any_modified == 'true'
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 15
     strategy:
       matrix:
@@ -48,24 +91,28 @@ jobs:
       - name: Install nightly rustfmt
         run: rustup toolchain install nightly --component rustfmt --profile minimal --no-self-update
       - name: typos-action
-        uses: crate-ci/typos@v1.22.9
+        uses: crate-ci/typos@v1.32.0
       - name: Install just
         uses: taiki-e/install-action@just
       - name: Install cross-rs
-        run: cargo install cross --git https://github.com/cross-rs/cross
+        run: RUSTFLAGS="" cargo install cross --git https://github.com/cross-rs/cross
       - name: Setup target
         run: |
           echo "CARGO=cross" >> ${GITHUB_ENV}
           echo "TARGET=${{ matrix.arch }}-unknown-linux-${{ matrix.libc }}" >> ${GITHUB_ENV}
       - name: Check formatting and lints
         run: just lint
+      - name: Install cargo machete
+        uses: taiki-e/install-action@v2
+        with:
+          tool: cargo-machete@0.7.0
       - name: Check unused deps
-        uses: bnjbvr/cargo-machete@v0.7.0
+        run: cargo machete
 
   tests:
     needs: [changes]
     if: needs.changes.outputs.any_modified == 'true'
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 20
     strategy:
       matrix:
@@ -78,11 +125,17 @@ jobs:
       - name: Install just
         uses: taiki-e/install-action@just
       - name: Install cross-rs
-        run: cargo install cross --git https://github.com/cross-rs/cross
-      - name: Setup target
+        run: RUSTFLAGS="" cargo install cross --git https://github.com/cross-rs/cross
+      - name: Create test user
+        # Create user and home directory for tests that require them
+        run: sudo useradd -m -d /tmp/testuser testuser
+      - name: Setup environment variables
         run: |
           echo "CARGO=cross" >> ${GITHUB_ENV}
           echo "TARGET=${{ matrix.arch }}-unknown-linux-${{ matrix.libc }}" >> ${GITHUB_ENV}
+          echo "TEST_NON_ROOT_UID=$(id -u testuser)" >> ${GITHUB_ENV}
+      - name: Disable AppArmor restrictions
+        run: echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns
       - name: Run tests
         run: just test-basic
       - name: Run feature tests
@@ -94,7 +147,7 @@ jobs:
   # coverage:
   #   needs: [changes]
   #   if: needs.changes.outputs.any_modified == 'true'
-  #   runs-on: ubuntu-22.04
+  #   runs-on: ubuntu-24.04
   #   timeout-minutes: 20
   #   name: Run test coverage
   #   steps:

.github/workflows/benchmark_execution_time.yml

@@ -7,7 +7,7 @@ on:
 jobs:
   building-pr-branch:
     if: (github.event.issue.pull_request != null) && github.event.comment.body == '!github easy-benchmark'
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 15
 
     steps:
@@ -34,7 +34,7 @@ jobs:
 
   building-main-branch:
     if: (github.event.issue.pull_request != null) && github.event.comment.body == '!github easy-benchmark'
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 15
 
     steps:
@@ -65,7 +65,7 @@ jobs:
     needs:
       - building-pr-branch
       - building-main-branch
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 15
 
     steps:

.github/workflows/dependabot_auto.yaml

@@ -30,6 +30,9 @@ jobs:
           PR_URL: ${{ github.event.pull_request.html_url }}
           PR_TITLE: ${{ github.event.pull_request.title }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # This is needed otherwise the pr edit fails for some reason
+          # see https://github.com/cli/cli/issues/7558
+          GH_REPO: ${{ github.repository_owner }}/${{ github.event.repository.name }}
       - name: Automerge
         id: automerge
         uses: pascalgn/automerge-action@v0.15.6

.github/workflows/docs.yaml

@@ -7,7 +7,7 @@ on:
 
 jobs:
   changes:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 15
     outputs:
       dirs: ${{ steps.filter.outputs.changes }}
@@ -21,7 +21,7 @@ jobs:
   deploy:
     needs: [changes]
     if: ${{ !contains(needs.changes.outputs.dirs, '[]') }}
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 15
     concurrency:
       group: ${{ github.workflow }}-${{ github.ref }}