deps: bump to go-criu v8.3.0

go-criu v8.3.0 switches to protobuf-go-lite, which helps to remove
google.golang.org/protobuf dependency from here, reducing the runc
binary size from ~16M to ~14M.

The only missing piece is proto.String, proto.Bool, proto.Int32 etc.
helpers that return a pointer to a given variable. Those are replaced
by a generic mkPtr, which in turn is to be replaced by the new builtin
once Go < 1.26 is no longer supported.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

Author: kolyshkin

go.mod

@@ -3,7 +3,7 @@ module github.com/opencontainers/runc
 go 1.25.0
 
 require (
-	github.com/checkpoint-restore/go-criu/v8 v8.2.0
+	github.com/checkpoint-restore/go-criu/v8 v8.2.1-0.20260612135546-b8967dc8885e
 	github.com/containerd/console v1.0.5
 	github.com/coreos/go-systemd/v22 v22.7.0
 	github.com/cyphar/filepath-securejoin v0.6.1
@@ -25,10 +25,10 @@ require (
 	github.com/vishvananda/netns v0.0.5
 	golang.org/x/net v0.56.0
 	golang.org/x/sys v0.46.0
-	google.golang.org/protobuf v1.36.11
 )
 
 require (
 	cyphar.com/go-pathrs v0.2.4 // indirect
+	github.com/aperturerobotics/protobuf-go-lite v0.14.0 // indirect
 	github.com/cilium/ebpf v0.17.3 // indirect
 )

go.sum

@@ -1,7 +1,9 @@
 cyphar.com/go-pathrs v0.2.4 h1:iD/mge36swa1UFKdINkr1Frkpp6wZsy3YYEildj9cLY=
 cyphar.com/go-pathrs v0.2.4/go.mod h1:y8f1EMG7r+hCuFf/rXsKqMJrJAUoADZGNh5/vZPKcGc=
-github.com/checkpoint-restore/go-criu/v8 v8.2.0 h1:dsgMgj/eJtZNKn3qn/+Ri0b4bd0uo6o2zt1yd8Nj2NI=
-github.com/checkpoint-restore/go-criu/v8 v8.2.0/go.mod h1:HVKJ1dK+bowJcFI1MtdL2ECIuY+/AtRMHzD9Lqa4uA4=
+github.com/aperturerobotics/protobuf-go-lite v0.14.0 h1:6YhovtoUZtXgXLHZ2VV2GCYUzFfi8UN6172Vl2flNlE=
+github.com/aperturerobotics/protobuf-go-lite v0.14.0/go.mod h1:lGH3s5ArCTXKI4wJdlNpaybUtwSjfAG0vdWjxOfMcF8=
+github.com/checkpoint-restore/go-criu/v8 v8.2.1-0.20260612135546-b8967dc8885e h1:2CLmsg9n9Gph1crSmLUYKgE0Y+u72TcPKQwqcs4fsBA=
+github.com/checkpoint-restore/go-criu/v8 v8.2.1-0.20260612135546-b8967dc8885e/go.mod h1:33d6FwGJGwnzKVvaO0SxlN0tPSuArKU9X/inD/L7/qA=
 github.com/cilium/ebpf v0.17.3 h1:FnP4r16PWYSE4ux6zN+//jMcW4nMVRvuTLVTvCjyyjg=
 github.com/cilium/ebpf v0.17.3/go.mod h1:G5EDHij8yiLzaqn0WjyfJHvRa+3aDlReIaLVRMvOyJk=
 github.com/containerd/console v1.0.5 h1:R0ymNeydRqH2DmakFNdmjR2k0t7UPuiOV/N/27/qqsc=
@@ -75,7 +77,5 @@ golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.46.0 h1:noSf2Fq6F8DBgS+LysIkx7rIExoNHJsxOAtPp4rthXw=
 golang.org/x/sys v0.46.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
-google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
-google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

libcontainer/criu_linux.go

@@ -22,7 +22,6 @@ import (
 	securejoin "github.com/cyphar/filepath-securejoin"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
-	"google.golang.org/protobuf/proto"
 
 	"github.com/opencontainers/cgroups"
 	"github.com/opencontainers/runc/internal/cmsg"
@@ -110,14 +109,17 @@ func (c *Container) checkCriuVersion(minVersion int) error {
 
 const descriptorsFilename = "descriptors.json"
 
+// TODO: replace with new(v) once Go < 1.26 is not supported.
+func mkPtr[T any](v T) *T { return &v }
+
 func (c *Container) addCriuDumpMount(req *criurpc.CriuReq, m *configs.Mount) {
 	mountDest := strings.TrimPrefix(m.Destination, c.config.Rootfs)
 	if dest, err := securejoin.SecureJoin(c.config.Rootfs, mountDest); err == nil {
 		mountDest = dest[len(c.config.Rootfs):]
 	}
 	extMnt := &criurpc.ExtMountMap{
-		Key: proto.String(mountDest),
-		Val: proto.String(mountDest),
+		Key: mkPtr(mountDest),
+		Val: mkPtr(mountDest),
 	}
 	req.Opts.ExtMnt = append(req.Opts.ExtMnt, extMnt)
 }
@@ -136,8 +138,8 @@ func (c *Container) addMaskPaths(req *criurpc.CriuReq) error {
 		}
 
 		extMnt := &criurpc.ExtMountMap{
-			Key: proto.String(path),
-			Val: proto.String("/dev/null"),
+			Key: mkPtr(path),
+			Val: mkPtr("/dev/null"),
 		}
 		req.Opts.ExtMnt = append(req.Opts.ExtMnt, extMnt)
 	}
@@ -157,15 +159,15 @@ func (c *Container) handleCriuConfigurationFile(rpcOpts *criurpc.CriuOpts) {
 		// configuration file. If the file does not exist, CRIU
 		// will just ignore it.
 		if configFile != "" {
-			rpcOpts.ConfigFile = proto.String(configFile)
+			rpcOpts.ConfigFile = mkPtr(configFile)
 		}
 		// If 'org.criu.config' exists and is set to an empty
 		// string, a runc specific CRIU configuration file will
 		// be not set at all.
 	} else {
 		// If the mentioned annotation has not been found, specify
 		// a default CRIU configuration file.
-		rpcOpts.ConfigFile = proto.String("/etc/criu/runc.conf")
+		rpcOpts.ConfigFile = mkPtr("/etc/criu/runc.conf")
 	}
 }
 
@@ -252,8 +254,8 @@ func (c *Container) handleRestoringNamespaces(rpcOpts *criurpc.CriuOpts, extraFi
 			// CRIU will issue a warning for NEWUSER:
 			// criu/namespaces.c: 'join-ns with user-namespace is not fully tested and dangerous'
 			rpcOpts.JoinNs = append(rpcOpts.JoinNs, &criurpc.JoinNamespace{
-				Ns:     proto.String(configs.NsName(ns.Type)),
-				NsFile: proto.String(nsPath),
+				Ns:     mkPtr(configs.NsName(ns.Type)),
+				NsFile: mkPtr(nsPath),
 			})
 		}
 	}
@@ -280,10 +282,10 @@ func (c *Container) handleRestoringExternalNamespaces(rpcOpts *criurpc.CriuOpts,
 		return fmt.Errorf("Requested network namespace %v does not exist", nsPath)
 	}
 	inheritFd := &criurpc.InheritFd{
-		Key: proto.String(criuNsToKey(t)),
+		Key: mkPtr(criuNsToKey(t)),
 		// The offset of four is necessary because 0, 1, 2 and 3 are
 		// already used by stdin, stdout, stderr, 'criu swrk' socket.
-		Fd: proto.Int32(int32(4 + len(*extraFiles))),
+		Fd: mkPtr(int32(4 + len(*extraFiles))),
 	}
 	rpcOpts.InheritFd = append(rpcOpts.InheritFd, inheritFd)
 	// All open FDs need to be transferred to CRIU via extraFiles
@@ -331,25 +333,25 @@ func (c *Container) Checkpoint(criuOpts *CriuOpts) error {
 	defer imageDir.Close()
 
 	rpcOpts := criurpc.CriuOpts{
-		ImagesDirFd:       proto.Int32(int32(imageDir.Fd())),
-		LogLevel:          proto.Int32(4),
-		LogFile:           proto.String(logFile),
-		Root:              proto.String(c.config.Rootfs),
-		ManageCgroups:     proto.Bool(true), // Obsoleted by ManageCgroupsMode.
+		ImagesDirFd:       mkPtr(int32(imageDir.Fd())),
+		LogLevel:          mkPtr(int32(4)),
+		LogFile:           mkPtr(logFile),
+		Root:              mkPtr(c.config.Rootfs),
+		ManageCgroups:     mkPtr(true), // Obsoleted by ManageCgroupsMode.
 		ManageCgroupsMode: &cgMode,
-		NotifyScripts:     proto.Bool(true),
-		Pid:               proto.Int32(int32(c.initProcess.pid())),
-		ShellJob:          proto.Bool(criuOpts.ShellJob),
-		LeaveRunning:      proto.Bool(criuOpts.LeaveRunning),
-		TcpEstablished:    proto.Bool(criuOpts.TcpEstablished),
-		TcpSkipInFlight:   proto.Bool(criuOpts.TcpSkipInFlight),
-		LinkRemap:         proto.Bool(criuOpts.LinkRemap),
-		ExtUnixSk:         proto.Bool(criuOpts.ExternalUnixConnections),
-		FileLocks:         proto.Bool(criuOpts.FileLocks),
-		EmptyNs:           proto.Uint32(criuOpts.EmptyNs),
-		OrphanPtsMaster:   proto.Bool(true),
-		AutoDedup:         proto.Bool(criuOpts.AutoDedup),
-		LazyPages:         proto.Bool(criuOpts.LazyPages),
+		NotifyScripts:     mkPtr(true),
+		Pid:               mkPtr(int32(c.initProcess.pid())),
+		ShellJob:          mkPtr(criuOpts.ShellJob),
+		LeaveRunning:      mkPtr(criuOpts.LeaveRunning),
+		TcpEstablished:    mkPtr(criuOpts.TcpEstablished),
+		TcpSkipInFlight:   mkPtr(criuOpts.TcpSkipInFlight),
+		LinkRemap:         mkPtr(criuOpts.LinkRemap),
+		ExtUnixSk:         mkPtr(criuOpts.ExternalUnixConnections),
+		FileLocks:         mkPtr(criuOpts.FileLocks),
+		EmptyNs:           mkPtr(criuOpts.EmptyNs),
+		OrphanPtsMaster:   mkPtr(true),
+		AutoDedup:         mkPtr(criuOpts.AutoDedup),
+		LazyPages:         mkPtr(criuOpts.LazyPages),
 	}
 
 	// if criuOpts.WorkDirectory is not set, criu default is used.
@@ -362,7 +364,7 @@ func (c *Container) Checkpoint(criuOpts *CriuOpts) error {
 			return err
 		}
 		defer workDir.Close()
-		rpcOpts.WorkDirFd = proto.Int32(int32(workDir.Fd()))
+		rpcOpts.WorkDirFd = mkPtr(int32(workDir.Fd()))
 		logDir = criuOpts.WorkDirectory
 	}
 
@@ -388,28 +390,28 @@ func (c *Container) Checkpoint(criuOpts *CriuOpts) error {
 	// Note cgroup v2 freezer is only supported since CRIU release 3.14.
 	if !cgroups.IsCgroup2UnifiedMode() || c.checkCriuVersion(31400) == nil {
 		if fcg := c.cgroupManager.Path("freezer"); fcg != "" {
-			rpcOpts.FreezeCgroup = proto.String(fcg)
+			rpcOpts.FreezeCgroup = mkPtr(fcg)
 		}
 	}
 
 	// append optional criu opts, e.g., page-server and port
 	if criuOpts.PageServer.Address != "" && criuOpts.PageServer.Port != 0 {
 		rpcOpts.Ps = &criurpc.CriuPageServerInfo{
-			Address: proto.String(criuOpts.PageServer.Address),
-			Port:    proto.Int32(criuOpts.PageServer.Port),
+			Address: mkPtr(criuOpts.PageServer.Address),
+			Port:    mkPtr(criuOpts.PageServer.Port),
 		}
 	}
 
 	// pre-dump may need parentImage param to complete iterative migration
 	if criuOpts.ParentImage != "" {
-		rpcOpts.ParentImg = proto.String(criuOpts.ParentImage)
-		rpcOpts.TrackMem = proto.Bool(true)
+		rpcOpts.ParentImg = mkPtr(criuOpts.ParentImage)
+		rpcOpts.TrackMem = mkPtr(true)
 	}
 
 	var t criurpc.CriuReqType
 	if criuOpts.PreDump {
 		feat := criurpc.CriuFeatures{
-			MemTrack: proto.Bool(true),
+			MemTrack: mkPtr(true),
 		}
 
 		if err := c.checkCriuFeatures(criuOpts, &feat); err != nil {
@@ -424,7 +426,7 @@ func (c *Container) Checkpoint(criuOpts *CriuOpts) error {
 	if criuOpts.LazyPages {
 		// lazy migration requested; check if criu supports it
 		feat := criurpc.CriuFeatures{
-			LazyPages: proto.Bool(true),
+			LazyPages: mkPtr(true),
 		}
 		if err := c.checkCriuFeatures(criuOpts, &feat); err != nil {
 			return err
@@ -444,7 +446,7 @@ func (c *Container) Checkpoint(criuOpts *CriuOpts) error {
 			if c.checkCriuVersion(31500) != nil {
 				// For criu 3.15+, use notifications (see case "status-ready"
 				// in criuNotifications). Otherwise, rely on criu status fd.
-				rpcOpts.StatusFd = proto.Int32(int32(fd))
+				rpcOpts.StatusFd = mkPtr(int32(fd))
 			}
 		}
 	}
@@ -512,8 +514,8 @@ func (c *Container) addCriuRestoreMount(req *criurpc.CriuReq, m *configs.Mount)
 		mountDest = dest[len(c.config.Rootfs):]
 	}
 	extMnt := &criurpc.ExtMountMap{
-		Key: proto.String(mountDest),
-		Val: proto.String(m.Source),
+		Key: mkPtr(mountDest),
+		Val: mkPtr(m.Source),
 	}
 	req.Opts.ExtMnt = append(req.Opts.ExtMnt, extMnt)
 }
@@ -523,17 +525,17 @@ func (c *Container) restoreNetwork(req *criurpc.CriuReq, criuOpts *CriuOpts) {
 		switch iface.Type {
 		case "veth":
 			veth := new(criurpc.CriuVethPair)
-			veth.IfOut = proto.String(iface.HostInterfaceName)
-			veth.IfIn = proto.String(iface.Name)
+			veth.IfOut = mkPtr(iface.HostInterfaceName)
+			veth.IfIn = mkPtr(iface.Name)
 			req.Opts.Veths = append(req.Opts.Veths, veth)
 		case "loopback":
 			// Do nothing
 		}
 	}
 	for _, i := range criuOpts.VethPairs {
 		veth := new(criurpc.CriuVethPair)
-		veth.IfOut = proto.String(i.HostInterfaceName)
-		veth.IfIn = proto.String(i.ContainerInterfaceName)
+		veth.IfOut = mkPtr(i.HostInterfaceName)
+		veth.IfIn = mkPtr(i.ContainerInterfaceName)
 		req.Opts.Veths = append(req.Opts.Veths, veth)
 	}
 }
@@ -687,23 +689,23 @@ func (c *Container) Restore(process *Process, criuOpts *CriuOpts) error {
 	req := &criurpc.CriuReq{
 		Type: &t,
 		Opts: &criurpc.CriuOpts{
-			ImagesDirFd:       proto.Int32(int32(imageDir.Fd())),
-			EvasiveDevices:    proto.Bool(true),
-			LogLevel:          proto.Int32(4),
-			LogFile:           proto.String(logFile),
-			RstSibling:        proto.Bool(true),
-			Root:              proto.String(root),
-			ManageCgroups:     proto.Bool(true), // Obsoleted by ManageCgroupsMode.
+			ImagesDirFd:       mkPtr(int32(imageDir.Fd())),
+			EvasiveDevices:    mkPtr(true),
+			LogLevel:          mkPtr(int32(4)),
+			LogFile:           mkPtr(logFile),
+			RstSibling:        mkPtr(true),
+			Root:              mkPtr(root),
+			ManageCgroups:     mkPtr(true), // Obsoleted by ManageCgroupsMode.
 			ManageCgroupsMode: &cgMode,
-			NotifyScripts:     proto.Bool(true),
-			ShellJob:          proto.Bool(criuOpts.ShellJob),
-			ExtUnixSk:         proto.Bool(criuOpts.ExternalUnixConnections),
-			TcpEstablished:    proto.Bool(criuOpts.TcpEstablished),
-			FileLocks:         proto.Bool(criuOpts.FileLocks),
-			EmptyNs:           proto.Uint32(criuOpts.EmptyNs),
-			OrphanPtsMaster:   proto.Bool(true),
-			AutoDedup:         proto.Bool(criuOpts.AutoDedup),
-			LazyPages:         proto.Bool(criuOpts.LazyPages),
+			NotifyScripts:     mkPtr(true),
+			ShellJob:          mkPtr(criuOpts.ShellJob),
+			ExtUnixSk:         mkPtr(criuOpts.ExternalUnixConnections),
+			TcpEstablished:    mkPtr(criuOpts.TcpEstablished),
+			FileLocks:         mkPtr(criuOpts.FileLocks),
+			EmptyNs:           mkPtr(criuOpts.EmptyNs),
+			OrphanPtsMaster:   mkPtr(true),
+			AutoDedup:         mkPtr(criuOpts.AutoDedup),
+			LazyPages:         mkPtr(criuOpts.LazyPages),
 		},
 	}
 
@@ -713,13 +715,13 @@ func (c *Container) Restore(process *Process, criuOpts *CriuOpts) error {
 		if err := c.checkCriuVersion(31600); err != nil {
 			return errors.New("--lsm-profile requires at least CRIU 3.16")
 		}
-		req.Opts.LsmProfile = proto.String(criuOpts.LsmProfile)
+		req.Opts.LsmProfile = mkPtr(criuOpts.LsmProfile)
 	}
 	if criuOpts.LsmMountContext != "" {
 		if err := c.checkCriuVersion(31600); err != nil {
 			return errors.New("--lsm-mount-context requires at least CRIU 3.16")
 		}
-		req.Opts.LsmMountContext = proto.String(criuOpts.LsmMountContext)
+		req.Opts.LsmMountContext = mkPtr(criuOpts.LsmMountContext)
 	}
 
 	if criuOpts.WorkDirectory != "" {
@@ -733,7 +735,7 @@ func (c *Container) Restore(process *Process, criuOpts *CriuOpts) error {
 			return err
 		}
 		defer workDir.Close()
-		req.Opts.WorkDirFd = proto.Int32(int32(workDir.Fd()))
+		req.Opts.WorkDirFd = mkPtr(int32(workDir.Fd()))
 		logDir = criuOpts.WorkDirectory
 	}
 	c.handleCriuConfigurationFile(req.Opts)
@@ -796,8 +798,8 @@ func (c *Container) Restore(process *Process, criuOpts *CriuOpts) error {
 	for i := range fds {
 		if s := fds[i]; strings.Contains(s, "pipe:") {
 			inheritFd := new(criurpc.InheritFd)
-			inheritFd.Key = proto.String(s)
-			inheritFd.Fd = proto.Int32(int32(i))
+			inheritFd.Key = mkPtr(s)
+			inheritFd.Fd = mkPtr(int32(i))
 			req.Opts.InheritFd = append(req.Opts.InheritFd, inheritFd)
 		}
 	}
@@ -889,8 +891,8 @@ func (c *Container) criuApplyCgroups(pid int, req *criurpc.CriuReq) error {
 
 	for c, p := range cgroupsPaths {
 		cgroupRoot := &criurpc.CgroupRoot{
-			Ctrl: proto.String(c),
-			Path: proto.String(p),
+			Ctrl: mkPtr(c),
+			Path: mkPtr(p),
 		}
 		req.Opts.CgRoot = append(req.Opts.CgRoot, cgroupRoot)
 	}
@@ -984,7 +986,7 @@ func (c *Container) criuSwrk(process *Process, req *criurpc.CriuReq, opts *CriuO
 			}
 		}
 	}
-	data, err := proto.Marshal(req)
+	data, err := req.MarshalVT()
 	if err != nil {
 		return err
 	}
@@ -1017,7 +1019,7 @@ func (c *Container) criuSwrk(process *Process, req *criurpc.CriuReq, opts *CriuO
 		}
 
 		resp := new(criurpc.CriuResp)
-		err = proto.Unmarshal(buf[:n], resp)
+		err = resp.UnmarshalVT(buf[:n])
 		if err != nil {
 			return err
 		}
@@ -1036,9 +1038,9 @@ func (c *Container) criuSwrk(process *Process, req *criurpc.CriuReq, opts *CriuO
 			}
 			req = &criurpc.CriuReq{
 				Type:          &t,
-				NotifySuccess: proto.Bool(true),
+				NotifySuccess: mkPtr(true),
 			}
-			data, err = proto.Marshal(req)
+			data, err = req.MarshalVT()
 			if err != nil {
 				return err
 			}

update.go

@@ -18,6 +18,7 @@ import (
 	"github.com/urfave/cli/v3"
 )
 
+// TODO: replace with new(v) once Go < 1.26 is not supported.
 func mkPtr[T any](v T) *T { return &v }
 
 var updateCommand = &cli.Command{