Merge pull request containerd#10449 from rata/rata/userns-ci-fixes

CI fixes for upcoming runc 1.2.0

Author: dmcgowan

script/critest.sh

@@ -19,7 +19,26 @@ set -eu -o pipefail
 report_dir=$1
 
 mkdir -p $report_dir
+
+function traverse_path() {
+    local path=$1
+    cd "$path"
+    sudo chmod go+rx "$PWD"
+
+    while [ $PWD != "/" ]; do
+	sudo chmod go+x "$PWD/../"
+	cd ..
+    done
+}
+
 BDIR="$(mktemp -d -p $PWD)"
+# runc needs to traverse (+x) the directories in the path to the rootfs. This is important when we
+# create a user namespace, as the final stage of the runc initialization is not as root on the host.
+# While containerd creates the directories with the right permissions, the right group (so only the
+# hostGID has access, etc.), those directories live below $BDIR. So, to make sure runc can traverse
+# the directories, let's fix the dirs from $BDIR up, as the ones below are managed by containerd
+# that does the right thing.
+traverse_path "$BDIR"
 
 function cleanup() {
     pkill containerd || true

script/setup/config-containerd

@@ -30,6 +30,15 @@ mkdir -p /etc/containerd
 
 cat << EOF | sudo tee /etc/containerd/config.toml
 version = 2
+
+[plugins."io.containerd.snapshotter.v1.overlayfs"]
+# slow_chown is needed to avoid an error with kernel < 5.19:
+# > "snapshotter \"overlayfs\" doesn't support idmap mounts on this host,
+# > configure \`slow_chown\` to allow a slower and expensive fallback"
+# https://github.com/containerd/containerd/pull/9920#issuecomment-1978901454
+# This is safely ignored for kernel >= 5.19.
+slow_chown = true
+
 [plugins]
   [plugins."io.containerd.grpc.v1.cri"]
     enable_selinux = ${enable_selinux}

script/setup/critools-version

@@ -1 +1 @@
-v1.30.0
+v1.30.1