Merge pull request #3465 from flatcar/krnowak/beta-runc-containerd

Bump runc to 1.3.3 and containerd to 2.0.7 in 4459

changelog/security/2025-11-07-runc-containerd.md

@@ -0,0 +1,2 @@
+- containerd ([CVE-2024-25621](https://www.cve.org/CVERecord?id=CVE-2024-25621), [CVE-2025-64329](https://www.cve.org/CVERecord?id=CVE-2025-64329))
+- runc ([CVE-2025-31133](https://www.cve.org/CVERecord?id=CVE-2025-31133), [CVE-2025-52565](https://www.cve.org/CVERecord?id=CVE-2025-52565), [CVE-2025-52881](https://www.cve.org/CVERecord?id=CVE-2025-52881))

changelog/updates/2025-11-07-runc-containerd.md

@@ -0,0 +1,2 @@
+- runc ([1.3.3](https://github.com/opencontainers/runc/releases/tag/v1.3.3) (includes [1.3.2](https://github.com/opencontainers/runc/releases/tag/v1.3.2), [1.3.1](https://github.com/opencontainers/runc/releases/tag/v1.3.1), [1.3.0](https://github.com/opencontainers/runc/releases/tag/v1.3.0)))
+- containerd ([2.0.7](https://github.com/containerd/containerd/releases/tag/v2.0.7) (includes [2.0.6](https://github.com/containerd/containerd/releases/tag/v2.0.6)))

sdk_container/src/third_party/portage-stable/app-containers/containerd/Manifest

@@ -2,5 +2,7 @@ DIST containerd-2.0.2.tar.gz 10379986 BLAKE2B aee39f749f056965b899f6525bebe00d46
 DIST containerd-2.0.3.tar.gz 10450757 BLAKE2B 5dec56a40dc2874fb0b6fd4d72704f6417858eefd983c8ec5dfb2c9ef8be1e9e309cff83395e03c2d5fef30ed5c0561329ffbcd3dfba91e40d8017f7a605771b SHA512 9528a65d9d9f13d15d861f7ce71ab483958020bda83947d18868b477204e9e2e33eccc69280502c54b2be9ce577724e3e2b1772229c99636099b04bac1079ac1
 DIST containerd-2.0.4.tar.gz 10450939 BLAKE2B f82ed40eab0f1d186f4fb04217b8f75a9da8e33b1140c0b5866dcc61e17fe1040f31ef09bdb07ad98a52def5e9eb12cfeb635e96b2c5f64fdb4d8cfb6c84b885 SHA512 f84e0cc0b82313df010b95989faf56e81ebfbbc321585b968c8c706917b91a9f0d895692fa5046f24f1c370de7a74b50daf83da617fe0595e5a8ff69ed658727
 DIST containerd-2.0.5.tar.gz 10452563 BLAKE2B bf03316c9211eaa17a3b40b1fc9f9aca42fe3e621e086e612eb07c286c6b62bc7a0a2426ce7b6742dce2924d570ab599aefb43463c4fa6be277e562bad79668f SHA512 af89a5c9ad5f931c5fee33c75c13c296fc9ec966f2c64ec244897695eebb365bcb542f6b431e60d4ef7213f0ea11d3a8896d1b7f033ed445e6b521b7ddbffe6f
+DIST containerd-2.0.7.tar.gz 10465656 BLAKE2B 656787c91e913fee32af282bfe82dd78a2732b113ff06adb157787efd5ddca31d13e7acf26e5e59ef51d233ecdee8b89200a9a8048e8422b6d4bd272a047c1ac SHA512 393e6f6357806367b7e007da7f2a951fb4330750d4e16c8e612f49c9b5d62a9f6a2b866dc12317da11dc75f2f2cd7e2e9b5118a3f07e5a68d3475d0449844a4f
 DIST containerd-2.1.0.tar.gz 10610618 BLAKE2B 147c21b4650543af9b0e533e381a0505ba927d6e9270b9b03a09016eb3ccf29875db7fa274944fea2ff7b029b6a05a17d14c61e24b5f3426b31f320831eeb46a SHA512 e9bb128917bb6b2e21a8e05344af3fdcdda8620be20e54407bc2c73046278a88a77bcbed6ef7a59099c9ee3303283db46b90b71afdd45236d3c534749ba844e0
 DIST containerd-2.1.1.tar.gz 10610787 BLAKE2B acc2d769752c783643795d228c0d267b0802e09166dc783e84087da0029a822a64688f5e59c047c47b25f50ca2a1ccb7f5b6216ad6beeb4489df308e525e9716 SHA512 542f7cae61e1ef2e1b529b0bea66d7ad9016d4605de73de9c9c8a738e50ec6f470b939d1546482320515b77424bffe1cf24b721173ac0c0ecd0100c92817cfb1
+DIST containerd-2.1.4.tar.gz 10614131 BLAKE2B b8f4007b4bb368a1fa04c913d606f65d2ea4a17a6419ce12f2b6112eee2574d7a09fb8e2500d1c2f21bef8792dc047df4d63446211ae006662e616facda91f24 SHA512 a9f84784e917621ee5ea38ad20b8106e642fbf463a00d319b73a1a8e4d1fdd5be2fba0789b6a5d31107ef239d3713eced99ce979d4b2764714271a63c0936c15

sdk_container/src/third_party/portage-stable/app-containers/containerd/containerd-2.0.7.ebuild

@@ -0,0 +1,90 @@
+# Copyright 2022-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+inherit go-module systemd
+GIT_REVISION=4ac6c20c7bbf8177f29e46bbdc658fec02ffb8ad
+
+DESCRIPTION="A daemon to control runC"
+HOMEPAGE="https://containerd.io/"
+SRC_URI="https://github.com/containerd/containerd/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="amd64 ~arm arm64 ppc64 ~riscv ~x86"
+IUSE="apparmor btrfs device-mapper +cri hardened +seccomp selinux test"
+
+COMMON_DEPEND="
+	btrfs? ( sys-fs/btrfs-progs )
+	seccomp? ( sys-libs/libseccomp )
+"
+
+DEPEND="
+${COMMON_DEPEND}
+"
+
+# recommended minimum version of runc is found in script/setup/runc-version
+RDEPEND="
+	${COMMON_DEPEND}
+	>=app-containers/runc-1.3.3[apparmor?,seccomp?]
+"
+
+BDEPEND="
+	dev-go/go-md2man
+	virtual/pkgconfig
+"
+
+# tests require root or docker
+RESTRICT+="test"
+
+src_prepare() {
+	default
+	sed -i \
+		-e "s/-s -w//" \
+		-e "s/-mod=readonly//" \
+		Makefile || die
+	sed -i \
+		-e "s:/usr/local:/usr:" \
+		containerd.service || die
+}
+
+src_compile() {
+	local options=(
+		$(usev apparmor)
+		$(usex btrfs "" "no_btrfs")
+		$(usex cri "" "no_cri")
+		$(usex device-mapper "" "no_devmapper")
+		$(usev seccomp)
+		$(usev selinux)
+	)
+
+	myemakeargs=(
+		BUILDTAGS="${options[*]}"
+		LDFLAGS="$(usex hardened '-extldflags -fno-PIC' '')"
+		REVISION="${GIT_REVISION}"
+		VERSION=v${PV}
+	)
+
+	# race condition in man target https://bugs.gentoo.org/765100
+	# we need to explicitly specify GOFLAGS for "go run" to use vendor source
+	emake "${myemakeargs[@]}" man -j1 #nowarn
+	emake "${myemakeargs[@]}" all
+
+}
+
+src_install() {
+	rm bin/gen-manpages || die
+	dobin bin/*
+	doman man/*
+	newconfd "${FILESDIR}"/${PN}.confd "${PN}"
+	newinitd "${FILESDIR}"/${PN}.initd "${PN}"
+	systemd_dounit containerd.service
+	keepdir /var/lib/containerd
+
+	# we already installed manpages, remove markdown source
+	# before installing docs directory
+	rm -r docs/man || die
+
+	local DOCS=( ADOPTERS.md README.md RELEASES.md ROADMAP.md SCOPE.md docs/. )
+	einstalldocs
+}

sdk_container/src/third_party/portage-stable/app-containers/containerd/containerd-2.1.4.ebuild

@@ -0,0 +1,94 @@
+# Copyright 2022-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+inherit go-env go-module systemd toolchain-funcs
+GIT_REVISION=75cb2b7193e4e490e9fbdc236c0e811ccaba3376
+
+DESCRIPTION="A daemon to control runC"
+HOMEPAGE="https://containerd.io/"
+SRC_URI="https://github.com/containerd/containerd/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
+IUSE="apparmor btrfs device-mapper +cri hardened +seccomp selinux test"
+
+COMMON_DEPEND="
+	btrfs? ( sys-fs/btrfs-progs )
+	seccomp? ( sys-libs/libseccomp )
+"
+
+DEPEND="
+${COMMON_DEPEND}
+"
+
+# recommended minimum version of runc is found in script/setup/runc-version
+RDEPEND="
+	${COMMON_DEPEND}
+	>=app-containers/runc-1.3.0[apparmor?,seccomp?]
+"
+
+BDEPEND="
+	dev-go/go-md2man
+	virtual/pkgconfig
+"
+
+# tests require root or docker
+RESTRICT+="test"
+
+src_prepare() {
+	default
+	sed -i \
+		-e "s/-s -w//" \
+		Makefile || die
+	sed -i \
+		-e "s:/usr/local:/usr:" \
+		containerd.service || die
+}
+
+src_compile() {
+	local options=(
+		$(usev apparmor)
+		$(usex btrfs "" "no_btrfs")
+		$(usex cri "" "no_cri")
+		$(usex device-mapper "" "no_devmapper")
+		$(usev seccomp)
+		$(usev selinux)
+	)
+
+	myemakeargs=(
+		BUILDTAGS="${options[*]}"
+		LDFLAGS="$(usex hardened '-extldflags -fno-PIC' '')"
+		REVISION="${GIT_REVISION}"
+		VERSION=v${PV}
+	)
+
+	# The Go env is already set, but reset it for CBUILD in a subshell to allow
+	# building the man pages when cross-compiling.
+	(
+		CHOST="${CBUILD}" go-env_set_compile_environment
+		# race condition in man target https://bugs.gentoo.org/765100
+		tc-env_build emake "${myemakeargs[@]}" man -j1 #nowarn
+	)
+
+	emake "${myemakeargs[@]}" all
+
+}
+
+src_install() {
+	rm bin/gen-manpages || die
+	dobin bin/*
+	doman man/*
+	newconfd "${FILESDIR}"/${PN}.confd "${PN}"
+	newinitd "${FILESDIR}"/${PN}.initd "${PN}"
+	systemd_dounit containerd.service
+	keepdir /var/lib/containerd
+
+	# we already installed manpages, remove markdown source
+	# before installing docs directory
+	rm -r docs/man || die
+
+	local DOCS=( ADOPTERS.md README.md RELEASES.md ROADMAP.md SCOPE.md docs/. )
+	einstalldocs
+}

sdk_container/src/third_party/portage-stable/app-containers/runc/Manifest

@@ -1,4 +1,7 @@
 DIST runc-1.2.4.tar.gz 2759394 BLAKE2B 02b282c9fbe7f82ad1d4297b9d2576ee99db7f4db193aa6b08b595d1a18f4a0cb41c5fddb8184ca389e77726c71f4b64b686b2ee1b8e8df97179669362c17ff7 SHA512 2a14bfe7759e0cefcf88fac9d756eb2cbed8a9ebf7b6eacb96855467ea151c278ae0d58735d2a5a2d3335fc54eae4625dfcdb641065df58ba10fd1faafbd3119
 DIST runc-1.2.5.tar.gz 2763738 BLAKE2B 446dd633d94f41957ba205b944320734ddf505e1bdc8f6f9d1002de8ecdd46368af19d788b8812cee87aaab1f8583d01e0c4d6fd0a56590a819588814bfb1841 SHA512 67dd870a24cfe896ead01f156eda6076b14bf287781734c2c4ab0e313d66f49bbf8d51705c5f0c24a604df311439c769a95cbfda12c7fa87ab2e6a31801a6984
 DIST runc-1.2.6.tar.gz 2763135 BLAKE2B d5e40e95f8c0069073d0010d120aca1828e585b103ecd671fca072138ef3528a316414cfac5ca725f45cb84f23ab4216d9e6f466beb118fb2813ab4be3a18e92 SHA512 9a89295e001914726dfc1040729301f62ad6b630943c65f7ade6ed460ef4a2f5f35cf40662730a9e8a6c6d0301a3c9959a85973097ceb8db05c043f9c1a86248
+DIST runc-1.2.8.tar.gz 2834651 BLAKE2B 5f76e40ee8bda4668758dce318625af1dbb13c0d33a17c9c872bc68aefd6311cac570ed934a69b92b4a327c6084ff6d6d55f8914b105513f9484bbc903107a4d SHA512 8d29a2ca179320f9a01c37383506f10aea1764e18b3321c507787556e3a531e23221f8369696d8caaf30124a523a68d0ad3609bae5ab06aa6c519e644d54d4ef
 DIST runc-1.3.0.tar.gz 2858199 BLAKE2B c9402a074b816b9452763267a7ffdc69af6c0cd4cf54fbdfdc91ccbd8bbc5daa783259176775e90f6266fa6a02bf0bad7fbb8eb879b5764309f7f9cd2f246086 SHA512 63422501f6189d0d47f6b2f59565de572bc68b138a65c7dbcc8b5ad42dbc37245ee66e2683ab61971a84c076a15f54f484c37fde4a30815ee19edc9a0d97e9f4
+DIST runc-1.3.1.tar.gz 2860795 BLAKE2B 5711881488dc3d52182377dc09690436aff142552d35728b10c221874a1dafc3b1fe78972891ebfc53e232465aec97eacc78318a453b030c052ca2218c61438d SHA512 0a3007d046fe9711541e29ca07fd72515f19b220c8c79b9df9164f7b88a6b9077ba7a11607593b641823b9e99c0f2e96500a57e2a16e11501bbb7c4690870183
+DIST runc-1.3.3.tar.gz 2929410 BLAKE2B 1feddc154836eff606a685a0c0d606c1bbcd5a1a1ec8a288233581a88e0b3b6a95f446125688a8dca5efd5a275bf22931553cb9ab894f6aa0826d5a1274b6f91 SHA512 9ce0af1b79163c44913979c0483322247b154109871a113726163f64c6354141e7cefb5fb6e1225eaa4bb48a1e33ba9a6049cb45cb2af8793134647dad18c8dc

sdk_container/src/third_party/portage-stable/app-containers/runc/runc-1.2.8.ebuild

@@ -0,0 +1,71 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit go-module linux-info
+
+# update on bump, look for commit ID on release tag.
+# https://github.com/opencontainers/runc
+RUNC_COMMIT=eeb7e6024f9ee43876301b1d23c353384fa6dcdd
+
+CONFIG_CHECK="~USER_NS"
+
+DESCRIPTION="runc container cli tools"
+HOMEPAGE="https://github.com/opencontainers/runc/"
+MY_PV="${PV/_/-}"
+SRC_URI="https://github.com/opencontainers/${PN}/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
+S="${WORKDIR}/${PN}-${MY_PV}"
+
+LICENSE="Apache-2.0 BSD-2 BSD MIT"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
+IUSE="apparmor hardened +kmem +seccomp selinux test"
+
+COMMON_DEPEND="
+	apparmor? ( sys-libs/libapparmor )
+	seccomp? ( sys-libs/libseccomp )"
+DEPEND="${COMMON_DEPEND}"
+RDEPEND="${COMMON_DEPEND}
+	!app-emulation/docker-runc
+	selinux? ( sec-policy/selinux-container )"
+BDEPEND="
+	dev-go/go-md2man
+	test? ( "${RDEPEND}" )"
+
+# tests need busybox binary, and portage namespace
+# sandboxing disabled: mount-sandbox pid-sandbox ipc-sandbox
+# majority of tests pass
+RESTRICT+=" test"
+
+src_compile() {
+	# build up optional flags
+	local options=(
+		$(usev apparmor)
+		$(usev seccomp)
+		$(usex kmem '' 'nokmem')
+	)
+
+	myemakeargs=(
+		BUILDTAGS="${options[*]}"
+		COMMIT="${RUNC_COMMIT}"
+	)
+
+	emake "${myemakeargs[@]}" runc man
+}
+
+src_install() {
+	myemakeargs+=(
+		PREFIX="${ED}/usr"
+		BINDIR="${ED}/usr/bin"
+		MANDIR="${ED}/usr/share/man"
+	)
+	emake "${myemakeargs[@]}" install install-man install-bash
+
+	local DOCS=( README.md PRINCIPLES.md docs/. )
+	einstalldocs
+}
+
+src_test() {
+	emake "${myemakeargs[@]}" localunittest
+}

sdk_container/src/third_party/portage-stable/app-containers/runc/runc-1.3.1.ebuild

@@ -0,0 +1,71 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit go-module linux-info
+
+# update on bump, look for commit ID on release tag.
+# https://github.com/opencontainers/runc
+RUNC_COMMIT=e6457afc48eff1ce22dece664932395026a7105e
+
+CONFIG_CHECK="~USER_NS"
+
+DESCRIPTION="runc container cli tools"
+HOMEPAGE="https://github.com/opencontainers/runc/"
+MY_PV="${PV/_/-}"
+SRC_URI="https://github.com/opencontainers/${PN}/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
+S="${WORKDIR}/${PN}-${MY_PV}"
+
+LICENSE="Apache-2.0 BSD-2 BSD MIT"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
+IUSE="apparmor hardened +kmem +seccomp selinux test"
+
+COMMON_DEPEND="
+	apparmor? ( sys-libs/libapparmor )
+	seccomp? ( sys-libs/libseccomp )"
+DEPEND="${COMMON_DEPEND}"
+RDEPEND="${COMMON_DEPEND}
+	!app-emulation/docker-runc
+	selinux? ( sec-policy/selinux-container )"
+BDEPEND="
+	dev-go/go-md2man
+	test? ( "${RDEPEND}" )"
+
+# tests need busybox binary, and portage namespace
+# sandboxing disabled: mount-sandbox pid-sandbox ipc-sandbox
+# majority of tests pass
+RESTRICT+=" test"
+
+src_compile() {
+	# build up optional flags
+	local options=(
+		$(usev apparmor)
+		$(usev seccomp)
+		$(usex kmem '' 'nokmem')
+	)
+
+	myemakeargs=(
+		BUILDTAGS="${options[*]}"
+		COMMIT="${RUNC_COMMIT}"
+	)
+
+	emake "${myemakeargs[@]}" runc man
+}
+
+src_install() {
+	myemakeargs+=(
+		PREFIX="${ED}/usr"
+		BINDIR="${ED}/usr/bin"
+		MANDIR="${ED}/usr/share/man"
+	)
+	emake "${myemakeargs[@]}" install install-man install-bash
+
+	local DOCS=( README.md PRINCIPLES.md docs/. )
+	einstalldocs
+}
+
+src_test() {
+	emake "${myemakeargs[@]}" localunittest
+}

sdk_container/src/third_party/portage-stable/app-containers/runc/runc-1.3.3.ebuild

@@ -0,0 +1,71 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit go-module linux-info
+
+# update on bump, look for commit ID on release tag.
+# https://github.com/opencontainers/runc
+RUNC_COMMIT=d842d7719497cc3b774fd71620278ac9e17710e0
+
+CONFIG_CHECK="~USER_NS"
+
+DESCRIPTION="runc container cli tools"
+HOMEPAGE="https://github.com/opencontainers/runc/"
+MY_PV="${PV/_/-}"
+SRC_URI="https://github.com/opencontainers/${PN}/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
+S="${WORKDIR}/${PN}-${MY_PV}"
+
+LICENSE="Apache-2.0 BSD-2 BSD MIT"
+SLOT="0"
+KEYWORDS="amd64 ~arm arm64 ~ppc64 ~riscv ~x86"
+IUSE="apparmor hardened +kmem +seccomp selinux test"
+
+COMMON_DEPEND="
+	apparmor? ( sys-libs/libapparmor )
+	seccomp? ( sys-libs/libseccomp )"
+DEPEND="${COMMON_DEPEND}"
+RDEPEND="${COMMON_DEPEND}
+	!app-emulation/docker-runc
+	selinux? ( sec-policy/selinux-container )"
+BDEPEND="
+	dev-go/go-md2man
+	test? ( "${RDEPEND}" )"
+
+# tests need busybox binary, and portage namespace
+# sandboxing disabled: mount-sandbox pid-sandbox ipc-sandbox
+# majority of tests pass
+RESTRICT+=" test"
+
+src_compile() {
+	# build up optional flags
+	local options=(
+		$(usev apparmor)
+		$(usev seccomp)
+		$(usex kmem '' 'nokmem')
+	)
+
+	myemakeargs=(
+		BUILDTAGS="${options[*]}"
+		COMMIT="${RUNC_COMMIT}"
+	)
+
+	emake "${myemakeargs[@]}" runc man
+}
+
+src_install() {
+	myemakeargs+=(
+		PREFIX="${ED}/usr"
+		BINDIR="${ED}/usr/bin"
+		MANDIR="${ED}/usr/share/man"
+	)
+	emake "${myemakeargs[@]}" install install-man install-bash
+
+	local DOCS=( README.md PRINCIPLES.md docs/. )
+	einstalldocs
+}
+
+src_test() {
+	emake "${myemakeargs[@]}" localunittest
+}