fix: resolve FD leak and correct TimeNamespace validation

.github/contributors.yaml

@@ -83,3 +83,6 @@ users:
   jim-junior:
     name: Beingana Jim Junior
     email: jimjunior854@gmail.com
+  charma7:
+    name: Another test user
+    email: test@mail.com

.github/workflows/add-git-trailers.yml

@@ -1,71 +1,53 @@
 name: Add Git Trailers to PR commits
 
 on:
-  workflow_call:
-    secrets:
-      GIT_CLONE_PAT:
-        required: false
-      URUNC_BOT_PRIVATE_KEY:
-        required: true
+  pull_request_review:
+    types: [submitted]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
 
 permissions:
   contents: read
 
 jobs:
   git-trailers:
     name: Add Git Trailers
-    runs-on: ${{ matrix.runner }}
-    strategy:
-      matrix:
-        include:
-          - arch: amd64
-            runner: ubuntu-22.04
-    continue-on-error: true
-    permissions:
-      contents: write
-      pull-requests: write
+    if: >-
+      github.event.pull_request.base.ref == 'main' &&
+      github.event.review.state == 'approved' &&
+      (github.event.pull_request.rebaseable == null ||
+      github.event.pull_request.rebaseable == true)
+    runs-on: ubuntu-22.04
     steps:
       - name: Harden the runner (Audit all outbound calls)
         uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
         with:
           egress-policy: audit
 
-      - name: Exit if PR is not rebaseable
-        if: ${{ github.event.pull_request.rebaseable != null && github.event.pull_request.rebaseable == false }}
-        run: exit 1
-
-      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
-
-      - name: Append git trailers
-        uses: nubificus/git-trailers@8e08c91bb4c1fd9cb1ccbd9cc8029c31acf8da66 # feat_use_rebase
-        with:
-          user_info: .github/contributors.yaml
-
       - name: Generate urunc-bot token
         id: generate-token
         uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
         with:
           app-id: ${{ vars.URUNC_BOT_APP_ID }}
           private-key: ${{ secrets.URUNC_BOT_PRIVATE_KEY }}
 
-      - name: Set up Git
-        run: |
-          git config --global user.name "urunc-bot[bot]"
-          git config --global user.email "urunc-bot[bot]@users.noreply.github.com"
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          token: ${{ steps.generate-token.outputs.token }}
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}
 
       - name: Append git trailers
-        uses: nubificus/git-trailers@18fd322f3fbfd505b4de728974a4ac1f32f758a7 # feat_auto_merge
+        uses: nubificus/git-trailers@e3cefe03237a8a33f12ee41a8194bfb03a4d179b # fix_auto_merge
         with:
           user_info: .github/contributors.yaml
 
       - name: Merge PR
         env:
           GH_TOKEN: ${{ steps.generate-token.outputs.token }}
+          PR_URL: ${{ github.event.pull_request.html_url }}
         run: |
-          PR_URL=${{ github.event.pull_request.html_url }}
-
           gh pr merge "$PR_URL" --rebase --admin

.github/workflows/pr-merge.yml

@@ -4,6 +4,8 @@ on:
   pull_request_target:
     types:
       - closed
+    branches:
+      - 'main-pr*'
 
 permissions:
   contents: read
@@ -23,11 +25,6 @@ jobs:
         with:
           egress-policy: audit
 
-      - name: Set up Git
-        run: |
-          git config --global user.name "urunc-bot[bot]"
-          git config --global user.email "urunc-bot[bot]@users.noreply.github.com"
-
       - name: Check out repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -42,21 +39,33 @@ jobs:
           private-key: ${{ secrets.URUNC_BOT_PRIVATE_KEY }}
 
       - name: Append git trailers
-        uses: nubificus/git-trailers@18fd322f3fbfd505b4de728974a4ac1f32f758a7 # feat_auto_merge
+        uses: nubificus/git-trailers@e3cefe03237a8a33f12ee41a8194bfb03a4d179b # fix_auto_merge
         with:
           user_info: .github/contributors.yaml
 
       - name: Create a Pull Request from PR_BRANCH to main and merge it
         env:
           GH_TOKEN: ${{ steps.generate-token.outputs.token }}
+          PR_BRANCH: ${{ github.event.pull_request.base.ref }}
         run: |
-          PR_BRANCH=${{ github.event.pull_request.base.ref }}
-
+          PR_NUMBER=${PR_BRANCH#main-pr}
+
+          # Use GitHub's API to get issues referenced with closing keywords
+          CLOSING_ISSUES=$(gh pr view "$PR_NUMBER" --json closingIssuesReferences \
+            --jq '.closingIssuesReferences[].number' || true)
+
+          BODY="This PR was automatically created by GitHub Actions to merge changes from $PR_BRANCH into main."
+          if [ -n "$CLOSING_ISSUES" ]; then
+            while IFS= read -r issue; do
+              BODY="$BODY"$'\n'"Closes #$issue"
+            done <<< "$CLOSING_ISSUES"
+          fi
+
           # Create the pull request
           PR_URL=$(gh pr create \
             --head "$PR_BRANCH" \
             --base main \
             --title "Merge External PR: Merge $PR_BRANCH into main" \
-            --body "This PR was automatically created by GitHub Actions to merge changes from $PR_BRANCH into main.")
+            --body "$BODY")
 
           gh pr merge "$PR_URL" --rebase --admin --delete-branch

README.md

@@ -145,7 +145,7 @@ supported VM/Sandbox monitors and unikernels:
 | Unikraft  | QEMU, Firecracker          | x86         | Initrd, 9pfs                            |
 | MirageOS  | QEMU, Solo5-hvt, Solo5-spt | x86,aarch64 | Block/Devmapper                         |
 | Mewz      | QEMU                       | x86         | In-memory                               |
-| Linux     | QEMU, Firecracker          | x86         | Initrd, Block/Devmapper, 9pfs, Virtiofs |
+| Linux     | QEMU, Firecracker, clh     | x86         | Initrd, Block/Devmapper, 9pfs, Virtiofs |
 | Hermit    | QEMU                       | x86         | Initrd                                  |
 
 We plan to add support for more unikernel frameworks and other platforms too.

tests/e2e/test_functions.go

@@ -310,9 +310,9 @@ func namespaceTest(tool testTool) error {
 				return fmt.Errorf("cgroup: %w", err)
 			}
 		case specs.TimeNamespace:
-			err = compareNS(cntrNsMap["uts"], selfNsMap["uts"], ns.Path)
+			err = compareNS(cntrNsMap["time_for_children"], selfNsMap["time_for_children"], ns.Path)
 			if err != nil {
-				return fmt.Errorf("uts: %w", err)
+				return fmt.Errorf("time: %w", err)
 			}
 		default:
 			continue

tests/e2e/utils.go

@@ -191,6 +191,11 @@ func getProcNS(proc string) (map[string]string, error) {
 	if err != nil {
 		return nil, err
 	}
+	timePath := filepath.Join(procPath, "time_for_children")
+	ns["time_for_children"], err = os.Readlink(timePath)
+	if err != nil {
+		return nil, err
+	}
 
 	return ns, nil
 }
@@ -245,6 +250,7 @@ func findLineInFile(filePath string, pattern string) (string, error) {
 	if err != nil {
 		return "", fmt.Errorf("Failed to open %s: %v", filePath, err)
 	}
+	defer file.Close()
 
 	scanner := bufio.NewScanner(file)