feat: 添加 runc 补丁

.github/workflows/build-binaries.yml

@@ -19,6 +19,10 @@ jobs:
         run: |
           PACKAGE_VERSION=v$(curl -sSL https://github.com/docker/containerd-packaging/raw/main/debian/changelog | head -n 1 | grep -oP '\(\K[^\)]+' | cut -d'-' -f1)
           BINARIES_VERSION=$(curl -s "https://api.github.com/repos/containerd/containerd/releases/latest" | jq -r .tag_name)
+          if [ -z "$PACKAGE_VERSION" ] || [ "$PACKAGE_VERSION" == "null" ] || [ -z "$BINARIES_VERSION" ] || [ "$BINARIES_VERSION" == "null" ]; then
+            echo "Failed to get version"
+            exit 1
+          fi
           sed -i "s@CONTAINERD_VERSION=.*@CONTAINERD_VERSION=${PACKAGE_VERSION}@g" build-containerd.sh
           sed -i "s@ARG CONTAINERD_VERSION=.*@ARG CONTAINERD_VERSION=${BINARIES_VERSION}@g" binaries/Dockerfile
           echo "CONTAINERD_VERSION=${BINARIES_VERSION}" >> $GITHUB_ENV

.github/workflows/build-packages.yml

@@ -18,6 +18,10 @@ jobs:
         id: get-version
         run: |
           PACKAGE_VERSION=v$(curl -sSL https://github.com/docker/containerd-packaging/raw/main/debian/changelog | head -n 1 | grep -oP '\(\K[^\)]+' | cut -d'-' -f1)
+          if [ -z "$PACKAGE_VERSION" ] || [ "$PACKAGE_VERSION" == "null" ]; then
+            echo "Failed to get version"
+            exit 1
+          fi
           sed -i "s@CONTAINERD_VERSION=.*@CONTAINERD_VERSION=${PACKAGE_VERSION}@g" build-containerd.sh
           sed -i "s@ARG CONTAINERD_VERSION=.*@ARG CONTAINERD_VERSION=${PACKAGE_VERSION}@g" binaries/Dockerfile
           echo "CONTAINERD_VERSION=${PACKAGE_VERSION}" >> $GITHUB_ENV

binaries/Dockerfile

@@ -5,12 +5,9 @@ FROM ghcr.io/loong64/golang:${GOLANG_VERSION}-trixie AS builder
 ARG DEPENDENCIES="\
     dpkg-dev \
     git \
-    git-lfs \
     make \
     pkg-config\
-    libbtrfs-dev \
     libseccomp-dev \
-    btrfs-progs \
     gcc"
 
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \

binaries/install-runc.patch

@@ -6,7 +6,7 @@ index 67743d7..74eec12 100755
  	git clone "${RUNC_REPO}" "${TMPROOT}"/runc
  	pushd "${TMPROOT}"/runc
  	git checkout "${RUNC_VERSION}"
-+	curl -sSL "https://git.altlinux.org/tasks/archive/done/_352/361175/gears/100/git?p=git;a=blob_plain;f=.gear/runc-alt-libcontainer-loongarch64-support.patch;hb=ff0eabdba6265ddb4aa20d39f4a0ade5e59790f4" | git apply
++	curl -sSL "https://github.com/loong64/containerd-packaging/raw/refs/heads/main/runc.patch" | git apply
 +	go get -u github.com/seccomp/[email protected]
 +	go mod vendor
 +	sed -i "s@--dirty @@g" Makefile

build-containerd.sh

@@ -1,5 +1,8 @@
 #!/bin/bash
 #
+
+set -e
+
 CONTAINERD_VERSION=v2.0.0
 
 ################################################################
@@ -19,7 +22,6 @@ pushd "${TMPDIR}" || exit 1
 # docker.io/docker/dockerfile not support linux/loong64
 #
 sed -i '/syntax=docker/d' dockerfiles/deb.dockerfile
-sed -i 's@ca-certificates@ca-certificates libbtrfs-dev@g' dockerfiles/deb.dockerfile
 sed -i 's@GOLANG_IMAGE=golang@GOLANG_IMAGE=ghcr.io/loong64/golang@g' common/common.mk
 sed -i 's@ARCH=$(shell uname -m)@ARCH=loong64@g' Makefile
 

containerd.patch

@@ -12,7 +12,7 @@ index baa8f59..993540c 100755
 +				if ! grep -q "LOONGARCH64" "$SRC/libcontainer/seccomp/patchbpf/enosys_linux.go"; then
 +					CURRENT_DIR=$(pwd)
 +					cd "$SRC"
-+					curl -sSL "https://git.altlinux.org/tasks/archive/done/_352/361175/gears/100/git?p=git;a=blob_plain;f=.gear/runc-alt-libcontainer-loongarch64-support.patch;hb=ff0eabdba6265ddb4aa20d39f4a0ade5e59790f4" | git apply
++					curl -sSL "https://github.com/loong64/containerd-packaging/raw/refs/heads/main/runc.patch" | git apply
 +					go get -u github.com/seccomp/[email protected]
 +					go mod vendor
 +					sed -i "s@--dirty @@g" Makefile

runc.patch

@@ -0,0 +1,55 @@
+diff --git a/Makefile b/Makefile
+index 39c1ef91..c2ac33d8 100644
+--- a/Makefile
++++ b/Makefile
+@@ -31,7 +31,7 @@ TRIMPATH := -trimpath
+
+ GO_BUILDMODE :=
+ # Enable dynamic PIE executables on supported platforms.
+-ifneq (,$(filter $(GOARCH),386 amd64 arm arm64 ppc64le riscv64 s390x))
++ifneq (,$(filter $(GOARCH),386 amd64 arm arm64 loong64 ppc64le riscv64 s390x))
+ 	ifeq (,$(findstring -race,$(EXTRA_FLAGS)))
+ 		GO_BUILDMODE := "-buildmode=pie"
+ 	endif
+@@ -109,7 +109,7 @@ static-bin:
+ 	$(GO_BUILD_STATIC) -o runc .
+
+ .PHONY: releaseall
+-releaseall: RELEASE_ARGS := "-a 386 -a amd64 -a arm64 -a armel -a armhf -a ppc64le -a riscv64 -a s390x"
++releaseall: RELEASE_ARGS := "-a 386 -a amd64 -a arm64 -a armel -a armhf -a loong64 -a ppc64le -a riscv64 -a s390x"
+ releaseall: release
+
+ .PHONY: release
+diff --git a/libcontainer/seccomp/config.go b/libcontainer/seccomp/config.go
+index 3ca03ed8..f0e4c865 100644
+--- a/libcontainer/seccomp/config.go
++++ b/libcontainer/seccomp/config.go
+@@ -62,6 +62,7 @@ var archs = map[string]string{
+ 	"SCMP_ARCH_X32":         "x32",
+ 	"SCMP_ARCH_ARM":         "arm",
+ 	"SCMP_ARCH_AARCH64":     "arm64",
++	"SCMP_ARCH_LOONGARCH64": "loong64",
+ 	"SCMP_ARCH_MIPS":        "mips",
+ 	"SCMP_ARCH_MIPS64":      "mips64",
+ 	"SCMP_ARCH_MIPS64N32":   "mips64n32",
+diff --git a/libcontainer/seccomp/patchbpf/enosys_linux.go b/libcontainer/seccomp/patchbpf/enosys_linux.go
+index 86de3137..1df96b89 100644
+--- a/libcontainer/seccomp/patchbpf/enosys_linux.go
++++ b/libcontainer/seccomp/patchbpf/enosys_linux.go
+@@ -66,6 +66,7 @@ const uint32_t C_AUDIT_ARCH_I386         = AUDIT_ARCH_I386;
+ const uint32_t C_AUDIT_ARCH_X86_64       = AUDIT_ARCH_X86_64;
+ const uint32_t C_AUDIT_ARCH_ARM          = AUDIT_ARCH_ARM;
+ const uint32_t C_AUDIT_ARCH_AARCH64      = AUDIT_ARCH_AARCH64;
++const uint32_t C_AUDIT_ARCH_LOONGARCH64  = AUDIT_ARCH_LOONGARCH64;
+ const uint32_t C_AUDIT_ARCH_MIPS         = AUDIT_ARCH_MIPS;
+ const uint32_t C_AUDIT_ARCH_MIPS64       = AUDIT_ARCH_MIPS64;
+ const uint32_t C_AUDIT_ARCH_MIPS64N32    = AUDIT_ARCH_MIPS64N32;
+@@ -193,6 +194,8 @@ func scmpArchToAuditArch(arch libseccomp.ScmpArch) (linuxAuditArch, error) {
+ 		return linuxAuditArch(C.C_AUDIT_ARCH_ARM), nil
+ 	case libseccomp.ArchARM64:
+ 		return linuxAuditArch(C.C_AUDIT_ARCH_AARCH64), nil
++	case libseccomp.ArchLOONGARCH64:
++		return linuxAuditArch(C.C_AUDIT_ARCH_LOONGARCH64), nil
+ 	case libseccomp.ArchMIPS:
+ 		return linuxAuditArch(C.C_AUDIT_ARCH_MIPS), nil
+ 	case libseccomp.ArchMIPS64: