Remove obsolete OpenVZ and VServer support

[BenBE]

This PR fully removes all of the OpenVZ and Linux VServer legacy that has been dormant and unused for the past few years.

The code has been disabled by default for several releases now and has not been in use for quite some time.

Assisted-By: Claude Haiku 4.5

[coderabbitai]

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: d669da07-8ad4-42e0-9038-1000bc40285f

📥 Commits

Reviewing files that changed from the base of the PR and between af32242 and 90369a4.

📒 Files selected for processing (11)

• .github/workflows/ci.yml
• .github/workflows/codeql-analysis.yml
• Makefile.am
• README.md
• configure.ac
• htop.1.in
• linux/LinuxProcess.c
• linux/LinuxProcess.h
• linux/LinuxProcessTable.c
• linux/ProcessField.h
• pcp/ProcessField.h

💤 Files with no reviewable changes (2)

• pcp/ProcessField.h
• README.md

---

📝 Walkthrough

Walkthrough

This PR removes OpenVZ, VServer, and ancient-VServer support from htop. Configure options and their AC_DEFINE macro emissions are deleted from configure.ac. CI jobs (.github/workflows/ci.yml and codeql-analysis.yml) no longer pass those flags to ./configure. Process field enums CTID, VPID, VXID are removed from linux/ProcessField.h and pcp/ProcessField.h. LinuxProcess struct drops the conditional ctid, vpid, vxid members; PROCESS_FLAG_LINUX_OPENVZ and PROCESS_FLAG_LINUX_VSERVER flags are removed and PROCESS_FLAG_LINUX_CGROUP is introduced. LinuxProcessTable parsing no longer initializes or reads VServer/OpenVZ-specific fields from /proc status files; the readOpenVZData() helper is deleted. LinuxProcess rendering and comparison code drops switch cases for CTID/VPID/VXID. README and the man page remove references; cppcheck no longer defines HAVE_OPENVZ.

Poem

OpenVZ leaves the branches bare,
VServer traces fade from air,
Structs shrink, cgroups take their place,
Docs and CI reflect the space,
TGID stands in, the view is clear.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[foxpy]

FYI: Archlinux builds htop with openvz enabled: https://gitlab.archlinux.org/archlinux/packaging/packages/htop/-/blob/main/PKGBUILD?ref_type=heads#L62

[BenBE]

AFAIT that's basically Arch's packaging default.

Maybe a quick breakdown:

• OpenVZ 6 requires a patched 2.6.32 kernel.
• OpenVZ 7 requires Virtuozzo’s custom kernel.

Given that Arch only ships mainline kernels as far as I'm aware, this means that having these features active on Arch is mostly a no-op.

All the code removed in this PR requires ancient kernel-patch based virtualization stuff, that will simply not work with any recent kernel.

[natoscott]

Looks good - there's a spurious left-over CTID definition in pcp/ProcessField.h (never used) - could you remove that as well before merging? Thanks!

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/ci.yml (1)

57-76: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Set explicit minimal GitHub token permissions

These jobs run with implicit default token permissions. Please set explicit least-privilege permissions (for these build-only jobs, contents: read is typically enough) to avoid over-scoped GITHUB_TOKEN access.

Suggested change

 name: CI

 on: [ push, pull_request ]
+permissions:
+  contents: read

Also applies to: 78-100, 102-121

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: b496e1a7-e8d7-4b1e-b23b-96002eefa38f

📥 Commits

Reviewing files that changed from the base of the PR and between f95db09 and 5fe9e47.

📒 Files selected for processing (10)

• .github/workflows/ci.yml
• Makefile.am
• README.md
• configure.ac
• htop.1.in
• linux/LinuxProcess.c
• linux/LinuxProcess.h
• linux/LinuxProcessTable.c
• linux/ProcessField.h
• pcp/ProcessField.h

💤 Files with no reviewable changes (8)

• htop.1.in
• linux/ProcessField.h
• linux/LinuxProcess.h
• pcp/ProcessField.h
• configure.ac
• linux/LinuxProcess.c
• linux/LinuxProcessTable.c
• README.md

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/ci.yml (1)

57-76: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add explicit minimal GitHub token permissions for this workflow.

These jobs still inherit default token permissions because no permissions: block is set. Please declare least-privilege permissions at workflow level (and override per job only when needed).

Proposed hardening patch

 name: CI
 
 on: [ push, pull_request ]
 
+permissions:
+  contents: read
+
 env:
   # Enable format attributes in ncurses headers
   # Enable fortified memory/string handling
   CPPFLAGS: -DGCC_PRINTF -DGCC_SCANF -D_FORTIFY_SOURCE=2

Also applies to: 78-100, 102-121

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 0b6a92e6-0021-4a2a-abb5-c7ef1f3b6b56

📥 Commits

Reviewing files that changed from the base of the PR and between 5fe9e47 and 8ee3b0c.

📒 Files selected for processing (10)

• .github/workflows/ci.yml
• Makefile.am
• README.md
• configure.ac
• htop.1.in
• linux/LinuxProcess.c
• linux/LinuxProcess.h
• linux/LinuxProcessTable.c
• linux/ProcessField.h
• pcp/ProcessField.h

💤 Files with no reviewable changes (8)

• README.md
• pcp/ProcessField.h
• htop.1.in
• linux/LinuxProcessTable.c
• linux/LinuxProcess.c
• linux/ProcessField.h
• configure.ac
• linux/LinuxProcess.h

[coderabbitai]

Actionable comments posted: 2

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: d669da07-8ad4-42e0-9038-1000bc40285f

📥 Commits

Reviewing files that changed from the base of the PR and between af32242 and 90369a4.

📒 Files selected for processing (11)

• .github/workflows/ci.yml
• .github/workflows/codeql-analysis.yml
• Makefile.am
• README.md
• configure.ac
• htop.1.in
• linux/LinuxProcess.c
• linux/LinuxProcess.h
• linux/LinuxProcessTable.c
• linux/ProcessField.h
• pcp/ProcessField.h

💤 Files with no reviewable changes (2)

• pcp/ProcessField.h
• README.md

[coderabbitai]

Caution

Inline review comments failed to post. This is likely due to GitHub's internal server error or limits when posting large numbers of comments. If you are seeing this consistently it is likely a permissions issue. Please check "Moderation" -> "Code review limits" under your organization settings.

Actionable comments posted: 2

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: d669da07-8ad4-42e0-9038-1000bc40285f

📥 Commits

Reviewing files that changed from the base of the PR and between af32242 and 90369a4.

📒 Files selected for processing (11)

• .github/workflows/ci.yml
• .github/workflows/codeql-analysis.yml
• Makefile.am
• README.md
• configure.ac
• htop.1.in
• linux/LinuxProcess.c
• linux/LinuxProcess.h
• linux/LinuxProcessTable.c
• linux/ProcessField.h
• pcp/ProcessField.h

💤 Files with no reviewable changes (2)

• pcp/ProcessField.h
• README.md

🛑 Comments failed to post (2)

.github/workflows/ci.yml (1)

17-17: 🔒 Security & Privacy | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify all workflow checkout steps are commit-pinned and set persist-credentials:false
set -euo pipefail

echo "== Unpinned checkout uses =="
rg -n --glob '.github/workflows/*.yml' 'uses:\s*actions/checkout@v[0-9]+' || true

echo
echo "== Checkout steps missing persist-credentials:false (context view) =="
rg -n -C2 --glob '.github/workflows/*.yml' 'uses:\s*actions/checkout@' || true

Repository: htop-dev/htop

Length of output: 180

---

🏁 Script executed:

# First, check if the workflow file exists and get its size
ls -lh .github/workflows/ci.yml 2>/dev/null || echo "File not found"

# Read around line 17 to see the actual checkout step
echo "=== Lines 10-25 (around line 17) ==="
sed -n '10,25p' .github/workflows/ci.yml

# Search for all checkout references more directly
echo ""
echo "=== All checkout references ==="
grep -n "checkout" .github/workflows/ci.yml || echo "No checkout found"

Repository: htop-dev/htop

Length of output: 1511

---

🏁 Script executed:

# Check if any of the checkout steps have persist-credentials configured
echo "=== Checkout steps with persist-credentials context ==="
grep -B2 -A3 "persist-credentials" .github/workflows/ci.yml || echo "No persist-credentials found"

# Get the full content around a few checkout steps to see if there's a 'with:' clause
echo ""
echo "=== Detailed view of first checkout (lines 17-22) ==="
sed -n '17,22p' .github/workflows/ci.yml

echo ""
echo "=== Detailed view of another checkout example (lines 41-46) ==="
sed -n '41,46p' .github/workflows/ci.yml

Repository: htop-dev/htop

Length of output: 954

---

Pin checkout actions to commit SHA and disable credential persistence.

All 18 checkout steps use actions/checkout@v7 (tag-pinned), which is vulnerable to tag mutation attacks, and none configure persist-credentials: false. Both issues weaken workflow supply-chain security.

Recommended hardening pattern

-    - uses: actions/checkout@v7
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+      with:
+        persist-credentials: false

Apply to all 18 occurrences: lines 17, 41, 67, 86, 112, 130, 146, 163, 191, 223, 242, 261, 284, 305, 330, 365, 385, 392.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
      with:
        persist-credentials: false

🧰 Tools

🪛 zizmor (1.26.1)

[warning] 17-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

---

[error] 17-17: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

Source: Linters/SAST tools

.github/workflows/codeql-analysis.yml (1)

29-29: 🔒 Security & Privacy | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
rg -n --glob '.github/workflows/codeql-analysis.yml' 'uses:\s*actions/checkout@'

Repository: htop-dev/htop

Length of output: 151

---

🏁 Script executed:

#!/bin/bash
# Check if the workflow file exists and list GitHub workflow files
find . -path "./.git" -prune -o -type f -name "*.yml" -o -name "*.yaml" | grep -i workflow | head -20

Repository: htop-dev/htop

Length of output: 289

---

🏁 Script executed:

#!/bin/bash
# Also check if .github directory exists and list its contents
if [ -d .github ]; then
  echo "=== .github directory structure ==="
  find .github -type f | sort
else
  echo ".github directory not found"
fi

Repository: htop-dev/htop

Length of output: 385

---

🏁 Script executed:

#!/bin/bash
# Try reading the specific file if it exists
if [ -f ".github/workflows/codeql-analysis.yml" ]; then
  echo "=== File exists, showing content around line 29 ==="
  cat -n ".github/workflows/codeql-analysis.yml" | sed -n '20,40p'
else
  echo "File .github/workflows/codeql-analysis.yml not found"
fi

Repository: htop-dev/htop

Length of output: 956

---

Pin checkout action to commit SHA and disable credential persistence.

At line 29, replace actions/checkout@v7 with a full commit SHA and add persist-credentials: false to reduce token exposure in CI artifacts:

- name: Checkout Repository
  uses: actions/checkout@<full-commit-sha>
  with:
    persist-credentials: false

🧰 Tools

🪛 zizmor (1.26.1)

[warning] 28-29: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

---

[error] 29-29: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

Source: Linters/SAST tools

[BenBE]

@coderabbitai These CI issues are unrelated to the original OpenVZ/OpenVServer changes of this PR. Should be addressed in a separate PR.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

@BenBE Understood — the CI issues are out of scope for this PR. Would you like me to open a separate GitHub issue to track them?

[BenBE]

Tip

For best results, initiate chat on the files or code changes.

@BenBE Understood — the CI issues are out of scope for this PR. Would you like me to open a separate GitHub issue to track them?

@coderabbitai Sure, but note that fetching by SHA is not the advertised usage pattern of the upstream https://github.com/actions/checkout repo. Also when suggesting security hardening, elaborate the benefits and mitigated risks for better assessment.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
cat -n .github/workflows/ci.yml

Length of output: 18978

---

🏁 Script executed:

#!/bin/bash
gh issue create \
  --repo htop-dev/htop \
  --title "CI: Replace deprecated apt-key and fix shell style in workflow jobs" \
  --body "## Summary

This issue tracks CI maintenance items identified in \`.github/workflows/ci.yml\` that are unrelated to any specific feature change. Flagged during review of `#2010`.

---

## 1. Deprecated \`apt-key add\` for LLVM APT repository

**Affected jobs:** \`build-ubuntu-latest-minimal-clang\`, \`build-ubuntu-latest-full-featured-clang\`, \`build-ubuntu-latest-clang-analyzer\`, \`build-ubuntu-latest-clang-sanitizer\`

**Current pattern (all four jobs, e.g. line 45):**
\`\`\`sh
wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key 2>/dev/null | sudo apt-key add -
sudo add-apt-repository \"deb http://apt.llvm.org/\${ubuntu_codename}/ llvm-toolchain-\${ubuntu_codename}-22 main\" -y
\`\`\`

**Problem:**
- \`apt-key\` has been deprecated since Debian Bullseye / Ubuntu 22.04. Running it produces deprecation warnings and may break silently on future runner images.
- More importantly, keys added via \`apt-key\` are trusted globally for *all* repositories, not scoped to the specific source. A compromised or malicious key could therefore be leveraged to sign packages from unrelated repositories and have them accepted silently by \`apt\`.

**Recommended replacement:** Use a signed-by keyrings approach:
\`\`\`sh
wget -qO - https://apt.llvm.org/llvm-snapshot.gpg.key \
  | gpg --dearmor \
  | sudo tee /etc/apt/keyrings/llvm.gpg > /dev/null
echo \"deb [signed-by=/etc/apt/keyrings/llvm.gpg] http://apt.llvm.org/\${ubuntu_codename}/ llvm-toolchain-\${ubuntu_codename}-22 main\" \
  | sudo tee /etc/apt/sources.list.d/llvm.list
\`\`\`

**Security benefit:** The \`signed-by\` field scopes trust to the declared repository only. Even if the LLVM key were ever reused or compromised, it cannot be exploited to verify packages from other apt sources. This follows the current Debian/Ubuntu best practice and eliminates the deprecation warnings.

---

## 2. Backtick command substitution

**Affected jobs:** \`build-ubuntu-latest-minimal-clang\`, \`build-ubuntu-latest-full-featured-clang\`, \`build-ubuntu-latest-clang-analyzer\`, \`build-ubuntu-latest-clang-sanitizer\`

**Current pattern (e.g. line 44):**
\`\`\`sh
ubuntu_codename=\`LC_ALL=C sed '...' /etc/os-release\`
\`\`\`

**Problem:** Backtick syntax is a legacy POSIX-ish form that does not nest cleanly and is harder to read. The POSIX and bash-recommended form is \`\$()\`.

**Recommended replacement:**
\`\`\`sh
ubuntu_codename=\$(LC_ALL=C sed '...' /etc/os-release)
\`\`\`

---

## Acceptance criteria

- [ ] All four Clang CI jobs use the \`signed-by\`-scoped keyrings approach for the LLVM APT key.
- [ ] All backtick command substitutions in the workflow are replaced with \`\$()\`.
- [ ] CI jobs pass after the changes.

---

*Reported by `@coderabbitai` during review of `#2010` (requested by `@BenBE`).*
*Reference comment: https://github.com/htop-dev/htop/pull/2010#issuecomment-2905777696*"

Length of output: 3190

---

---

@BenBE: Done. Issue filed at #2032.

---

✏️ Learnings added

Learnt from: BenBE
URL: https://github.com/htop-dev/htop/pull/2010

Timestamp: 2026-06-23T20:48:03.584Z
Learning: For the htop-dev/htop repository: when suggesting GitHub Actions security hardening, do not recommend SHA-pinning of actions/checkout — it is not the advertised usage pattern per the upstream repo. Always elaborate the concrete benefits and mitigated risks when proposing security hardening changes, so maintainers can make an informed assessment.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.