Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

Kir Kolyshkin (2):
  VERSION: back to development
  VERSION: release 1.1.9

LGTMs: mrunalp AkihiroSuda lifubang cyphar
Closes #3981

kmem.limit_in_bytes has been removed in upstream linux and this patch
is queued to be backported to linux 6.1 stable:

- https://lore.kernel.org/linux-mm/20230705134434.GA156754@cmpxchg.org/T/
- https://www.spinics.net/lists/stable-commits/msg316619.html

Without this change to libcontainerd, GetStats() will return an error
on the latest kernel(s). A downstream effect is that Kubernetes's
kubelet does not start up. This fix was tested by ensuring that it
unblocks kubelet startup when running on the latest kernel.

Signed-off-by: Jordan Rife <jrife0@gmail.com>
(cherry picked from commit 99469eb)
Signed-off-by: Jordan Rife <jrife0@gmail.com>

[1.1 backport] Handle kmem.limit_in_bytes removal

Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit 109dcad)
Signed-off-by: lifubang <lifubang@acmcoder.com>

Signed-off-by: lifubang <lifubang@acmcoder.com>

[1.1 backport] fix typos

Bump fileutils to v0.5.1, which fixes permissions of newly created directories
to not depend on the value of umask.

Add a test case which fails like this before the fix:

	mounts.bats
	 ✗ runc run [tmpcopyup]
	   (in test file tests/integration/mounts.bats, line 28)
	     `[[ "${lines[0]}" == *'drwxrwxrwx'* ]]' failed
	   runc spec (status=0):

	   runc run test_busybox (status=0):
	   drwxr-xr-x    2 root     root            40 Oct  4 22:35 /dir1/dir2

Fixes 3991.

(cherry picked from commit 730bc84)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

[1.1] Fix directory perms vs umask for tmpcopyup

Since today, the URL from download.opensuse.org started returning a
HTTP 302 redirect, so -L option for curl is needed to follow it.

While at it, remove apt-key as per its man page recommendation:

> Note: Instead of using this command a keyring should be placed
> directly in the /etc/apt/trusted.gpg.d/ directory with a descriptive
> name and either "gpg" or "asc" as file extension.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit f944d7b)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

Kir Kolyshkin (1):
  ci/gha: fix downloading Release.key

LGTMs: lifubang cyphar

Separate it out of get_cgroup_value. Needed for the next commit.

This function was initially introduced in main branch commit d4582ae.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

This adds support for hugetlb.<pagesize>.rsvd limiting and accounting.

The previous non-rsvd max/limit_in_bytes does not account for reserved
huge page memory, making it possible for a processes to reserve all the
huge page memory, without being able to allocate it (due to cgroup
restrictions).

In practice this makes it possible to successfully mmap more huge page
memory than allowed via the cgroup settings, but when using the memory
the process will get a SIGBUS and crash. This is bad for applications
trying to mmap at startup (and it succeeds), but the program crashes
when starting to use the memory. eg. postgres is doing this by default.

This also keeps writing to the old max/limit_in_bytes, for backward
compatibility.

More info can be found here: https://lkml.org/lkml/2020/2/3/1153

(commit message mostly written by Odin Ugedal)

[1.1 backport: check for CGROUP_UNIFIED in integration test]

Co-authored-by: Odin Ugedal <odin@ugedal.com>
(cherry picked from commit 4a7d3ae)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

[1.1] libct/cg: support hugetlb rsvd

This prevents potential exploit of using "../" in cgroups.OpenFile
(as well as other methods that use OpenFile) to read or write to
other cgroups.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 2c9598c)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

[1.1] libct/cgroups.OpenFile: clean "file" argument

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>