[pull] main from containerd:main

.github/workflows/ci.yml

@@ -238,6 +238,7 @@ jobs:
           echo "${{ github.workspace }}/bin" >> $GITHUB_PATH
           echo "${{ github.workspace }}/src/github.com/containerd/containerd/bin" >> $GITHUB_PATH
           echo "${{ github.workspace }}/src/github.com/kubernetes-sigs/cri-tools/build/bin/windows/amd64" >> $GITHUB_PATH
+          echo "CRITOOLS_VERSION=$(cat script/setup/critools-version)" >> $GITHUB_ENV
 
       - run: script/setup/install-dev-tools
 
@@ -248,9 +249,8 @@ jobs:
         run: |
           set -o xtrace
           mingw32-make.exe binaries
-          CRITEST_VERSION=$(cat script/setup/critools-version)
           cd ../../kubernetes-sigs/cri-tools
-          git checkout "${CRITEST_VERSION}"
+          git checkout "${CRITOOLS_VERSION}"
           make critest
 
       - run: script/setup/install-cni-windows
@@ -275,7 +275,7 @@ jobs:
         shell: powershell
         run: |
           # Get critctl tool. Used for cri-integration tests
-          $CRICTL_DOWNLOAD_URL="https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.26.0/crictl-v1.26.0-windows-amd64.tar.gz"
+          $CRICTL_DOWNLOAD_URL="https://github.com/kubernetes-sigs/cri-tools/releases/download/$env:CRITOOLS_VERSION/crictl-$env:CRITOOLS_VERSION-windows-amd64.tar.gz"
           curl.exe -L $CRICTL_DOWNLOAD_URL -o c:\crictl.tar.gz
           tar -xvf c:\crictl.tar.gz
           mv crictl.exe "${{ github.workspace }}/bin/crictl.exe" # Move crictl somewhere in path

core/mount/mount_linux.go

@@ -231,7 +231,7 @@ func getUnprivilegedMountFlags(path string) (int, error) {
 	}
 
 	var flags int
-	for flag := range unprivilegedFlags {
+	for _, flag := range unprivilegedFlags {
 		if int(statfs.Flags)&flag == flag {
 			flags |= flag
 		}

core/mount/mount_linux_test.go

@@ -404,6 +404,50 @@ func TestDoPrepareIDMappedOverlay(t *testing.T) {
 	}
 }
 
+func TestGetUnprivilegedMountFlags(t *testing.T) {
+	testutil.RequiresRoot(t)
+
+	td := t.TempDir()
+	target := filepath.Join(td, "mnt")
+	require.NoError(t, os.Mkdir(target, 0755))
+
+	// Mount a tmpfs with noexec,noatime,nodiratime -- these are the flags
+	// that were previously missed due to iterating over slice indices
+	// instead of values.
+	require.NoError(t, unix.Mount("tmpfs", target, "tmpfs", unix.MS_NOEXEC|unix.MS_NOATIME|unix.MS_NODIRATIME, ""))
+	defer unix.Unmount(target, unix.MNT_DETACH)
+
+	flags, err := getUnprivilegedMountFlags(target)
+	require.NoError(t, err)
+
+	for _, tc := range []struct {
+		flag int
+		name string
+	}{
+		{unix.MS_NOEXEC, "MS_NOEXEC"},
+		{unix.MS_NOATIME, "MS_NOATIME"},
+		{unix.MS_NODIRATIME, "MS_NODIRATIME"},
+	} {
+		if flags&tc.flag != tc.flag {
+			t.Errorf("expected %s (0x%x) to be set in flags 0x%x", tc.name, tc.flag, flags)
+		}
+	}
+
+	// MS_NOSUID and MS_NODEV should NOT be set since we didn't mount with them.
+	for _, tc := range []struct {
+		flag int
+		name string
+	}{
+		{unix.MS_NOSUID, "MS_NOSUID"},
+		{unix.MS_NODEV, "MS_NODEV"},
+		{unix.MS_RDONLY, "MS_RDONLY"},
+	} {
+		if flags&tc.flag != 0 {
+			t.Errorf("expected %s (0x%x) to NOT be set in flags 0x%x", tc.name, tc.flag, flags)
+		}
+	}
+}
+
 func setupMounts(t *testing.T) (target string, mounts []Mount) {
 	dir1 := t.TempDir()
 	dir2 := t.TempDir()