From 62a05b94cd6cfded1243962925eed890ccef1b8e Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin <kolyshkin@gmail.com>
Date: Mon, 30 Mar 2026 11:40:49 -0700
Subject: [PATCH 1/3] tests/int: allow cpu quota cgroup v1 files fds

Since switching to Go 1.25 in go.mod, the "detect fd leaks" test fails
like this:

> not ok 57 runc create[detect fd leak as comprehensively as possible]
> # (in test file tests/integration/create.bats, line 76)
> #   `[ "$violation_found" -eq 0 ]' failed
> ...
> # Violation: FD 9 -> '/system.slice/runc-test_busybox.scope/cpu.cfs_quota_us'
> # Violation: FD 10 -> '/system.slice/runc-test_busybox.scope/cpu.cfs_period_us'
> ...

This happens because Go 1.25 adds a feature to dynamically set GOMAXPROC
based on current CPU quota values. This feature can be disabled by setting

	GODEBUG=containermaxprocs=0,updatemaxprocs=0

but it is harmless to keep it (except for the above test failure).

Add an exception to the test case.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit f9a9a36fa8973d826aac89fd2fb56aab32c009b7)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
---
 tests/integration/create.bats | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/tests/integration/create.bats b/tests/integration/create.bats
index f96c2e2aad7..8c9e7b00922 100644
--- a/tests/integration/create.bats
+++ b/tests/integration/create.bats
@@ -38,7 +38,9 @@ is_allowed_fdtarget() {
 			# overlayfs binary reference (CVE-2019-5736)
 			grep -Ex "/runc" <<<"$target" ||
 			# memfd cloned binary (CVE-2019-5736)
-			grep -Fx "/memfd:runc_cloned:/proc/self/exe (deleted)" <<<"$target"
+			grep -Fx "/memfd:runc_cloned:/proc/self/exe (deleted)" <<<"$target" ||
+			# Go 1.25+ runtime opens these cgroup v1 files (see https://go.dev/cl/670497).
+			grep -Ex ".*/cpu.cfs_(quota|period)_us" <<<"$target"
 	} >/dev/null
 	return "$?"
 }

From b66fa4c2186cb15c4e71c6370aaabfcb3fa695fb Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <cyphar@cyphar.com>
Date: Thu, 12 Mar 2026 19:53:27 +0900
Subject: [PATCH 2/3] go.mod: bump minimum to Go 1.25

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 99d054b93f410717218e71392135b97c0280e99c)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
---
 .github/workflows/test.yml | 6 +-----
 go.mod                     | 2 +-
 2 files changed, 2 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index dac927b98a9..1abd3df14db 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -26,7 +26,7 @@ jobs:
       fail-fast: false
       matrix:
         os: [ubuntu-24.04, ubuntu-24.04-arm]
-        go-version: [1.24.x, 1.25.x, 1.26.x]
+        go-version: [1.25.x, 1.26.x]
         libpathrs: ["libpathrs", ""]
         rootless: ["rootless", ""]
         race: ["-race", ""]
@@ -34,15 +34,11 @@ jobs:
         exclude:
           # Disable most of criu-dev jobs, as they are expensive
           # (need to compile criu) and don't add much value/coverage.
-          - criu: criu-dev
-            go-version: 1.24.x
           - criu: criu-dev
             go-version: 1.25.x
           - criu: criu-dev
             rootless: rootless
           # Do race detection only with latest stable Go version.
-          - race: -race
-            go-version: 1.24.x
           - race: -race
             go-version: 1.25.x
 
diff --git a/go.mod b/go.mod
index 0d221283b9c..d719bacd44b 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/opencontainers/runc
 
-go 1.24.0
+go 1.25.0
 
 require (
 	github.com/checkpoint-restore/go-criu/v7 v7.2.0

From a7dc07d5af8f9b6af290cffdbd2e35fd60b855bc Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <cyphar@cyphar.com>
Date: Thu, 12 Mar 2026 20:03:38 +0900
Subject: [PATCH 3/3] go fix: use (*sync.WaitGroup).Go

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 47fba7e4b16f60cfb8eb06d5c512573ec676f1a5)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
---
 events.go                    |  6 ++----
 tests/cmd/recvtty/recvtty.go | 12 ++++--------
 2 files changed, 6 insertions(+), 12 deletions(-)

diff --git a/events.go b/events.go
index 28d324984dc..f024448491f 100644
--- a/events.go
+++ b/events.go
@@ -53,16 +53,14 @@ information is displayed once every 5 seconds.`,
 			events = make(chan *types.Event, 1024)
 			group  = &sync.WaitGroup{}
 		)
-		group.Add(1)
-		go func() {
-			defer group.Done()
+		group.Go(func() {
 			enc := json.NewEncoder(os.Stdout)
 			for e := range events {
 				if err := enc.Encode(e); err != nil {
 					logrus.Error(err)
 				}
 			}
-		}()
+		})
 		if context.Bool("stats") {
 			s, err := container.Stats()
 			if err != nil {
diff --git a/tests/cmd/recvtty/recvtty.go b/tests/cmd/recvtty/recvtty.go
index 135ad2290c9..847baab111a 100644
--- a/tests/cmd/recvtty/recvtty.go
+++ b/tests/cmd/recvtty/recvtty.go
@@ -117,17 +117,13 @@ func handleSingle(path string, noStdin bool) error {
 		wg            sync.WaitGroup
 		inErr, outErr error
 	)
-	wg.Add(1)
-	go func() {
+	wg.Go(func() {
 		_, outErr = io.Copy(os.Stdout, c)
-		wg.Done()
-	}()
+	})
 	if !noStdin {
-		wg.Add(1)
-		go func() {
+		wg.Go(func() {
 			_, inErr = io.Copy(c, os.Stdin)
-			wg.Done()
-		}()
+		})
 	}
 
 	// Only close the master fd once we've stopped copying.