diff --git a/vendor.conf b/vendor.conf index d4cef1692..69a28e113 100644 --- a/vendor.conf +++ b/vendor.conf @@ -56,7 +56,7 @@ gotest.tools/v3 v3.0.2 github.com/cilium/ebpf 4032b1d8aae306b7bb94a2a11002932caf88c644 # cri dependencies -github.com/containerd/cri 64aa9da76fc0ab333119f455f3b292244c1fae8c # master +github.com/containerd/cri c744b66a3b655f140426f846cf64ef50ea8419c8 # master github.com/davecgh/go-spew v1.1.1 github.com/docker/docker 4634ce647cf2ce2c6031129ccd109e557244986f github.com/docker/spdystream 449fdfce4d962303d702fec724ef0ad181c92528 @@ -65,7 +65,7 @@ github.com/google/gofuzz v1.1.0 github.com/json-iterator/go v1.1.8 github.com/modern-go/concurrent 1.0.3 github.com/modern-go/reflect2 v1.0.1 -github.com/opencontainers/selinux v1.5.1 +github.com/opencontainers/selinux v1.5.2 github.com/seccomp/libseccomp-golang v0.9.1 github.com/stretchr/testify v1.4.0 github.com/tchap/go-patricia v2.2.6 @@ -86,7 +86,7 @@ sigs.k8s.io/structured-merge-diff/v3 v3.0.0 sigs.k8s.io/yaml v1.2.0 # cni dependencies -github.com/containerd/go-cni 0d360c50b10b350b6bb23863fd4dfb1c232b01c9 +github.com/containerd/go-cni v1.0.0 github.com/containernetworking/cni v0.7.1 github.com/containernetworking/plugins v0.7.6 github.com/fsnotify/fsnotify v1.4.8 diff --git a/vendor/github.com/containerd/cri/README.md b/vendor/github.com/containerd/cri/README.md index 8e93b8d69..5ae3f6c04 100644 --- a/vendor/github.com/containerd/cri/README.md +++ b/vendor/github.com/containerd/cri/README.md 
@@ -25,9 +25,9 @@ With it, you could run Kubernetes using containerd as the container runtime. `cri` is in GA: * It is feature complete. * It (the GA version) works with Kubernetes 1.10 and above. -* It has passed all [CRI validation tests](https://github.com/kubernetes/community/blob/master/contributors/devel/cri-validation.md). -* It has passed all [node e2e tests](https://github.com/kubernetes/community/blob/master/contributors/devel/e2e-node-tests.md). -* It has passed all [e2e tests](https://github.com/kubernetes/community/blob/master/contributors/devel/e2e-tests.md). +* It has passed all [CRI validation tests](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-node/cri-validation.md). +* It has passed all [node e2e tests](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-node/e2e-node-tests.md). +* It has passed all [e2e tests](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-testing/e2e-tests.md). See [test dashboard](https://k8s-testgrid.appspot.com/sig-node-containerd) ## Support Metrics @@ -78,7 +78,7 @@ specifications as appropriate. backport version of `libseccomp-dev` is required. See [travis.yml](.travis.yml) for an example on trusty. * **btrfs development library.** Required by containerd btrfs support. `btrfs-tools`(Ubuntu, Debian) / `btrfs-progs-devel`(Fedora, CentOS, RHEL) 2. Install **`pkg-config`** (required for linking with `libseccomp`). -3. Install and setup a Go 1.13.10 development environment. +3. Install and setup a Go 1.13.11 development environment. 4. Make a local clone of this repository. 5. Install binary dependencies by running the following command from your cloned `cri/` project directory: ```bash diff --git a/vendor/github.com/containerd/cri/pkg/containerd/opts/spec_unix.go b/vendor/github.com/containerd/cri/pkg/containerd/opts/spec_unix.go index a9e78067e..e84cb9d47 100644 --- a/vendor/github.com/containerd/cri/pkg/containerd/opts/spec_unix.go 
+++ b/vendor/github.com/containerd/cri/pkg/containerd/opts/spec_unix.go
@@ -226,7 +226,7 @@ func WithMounts(osi osinterface.OS, config *runtime.ContainerConfig, extra []*ru
 }
 if mount.GetSelinuxRelabel() {
- if err := label.Relabel(src, mountLabel, true); err != nil && err != unix.ENOTSUP {
+ if err := label.Relabel(src, mountLabel, false); err != nil && err != unix.ENOTSUP {
 return errors.Wrapf(err, "relabel %q with %q failed", src, mountLabel)
 }
 }
diff --git a/vendor/github.com/containerd/cri/pkg/server/container_create.go b/vendor/github.com/containerd/cri/pkg/server/container_create.go
index d239eba09..833501de0 100644
--- a/vendor/github.com/containerd/cri/pkg/server/container_create.go
+++ b/vendor/github.com/containerd/cri/pkg/server/container_create.go
@@ -28,6 +28,7 @@ import (
 "github.com/davecgh/go-spew/spew"
 imagespec "github.com/opencontainers/image-spec/specs-go/v1"
 runtimespec "github.com/opencontainers/runtime-spec/specs-go"
+ selinux "github.com/opencontainers/selinux/go-selinux"
 "github.com/pkg/errors"
 "golang.org/x/net/context"
 runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
@@ -154,6 +155,18 @@ func (c *criService) CreateContainer(ctx context.Context, r *runtime.CreateConta
 return nil, errors.Wrapf(err, "failed to generate container %q spec", id)
 }
+ meta.ProcessLabel = spec.Process.SelinuxLabel
+ if config.GetLinux().GetSecurityContext().GetPrivileged() {
+ // If privileged don't set the SELinux label but still record it on the container so
+ // the unused MCS label can be release later
+ spec.Process.SelinuxLabel = ""
+ }
+ defer func() {
+ if retErr != nil {
+ selinux.ReleaseLabel(spec.Process.SelinuxLabel)
+ }
+ }()
+
 log.G(ctx).Debugf("Container %q spec: %#+v", id, spew.NewFormatter(spec))
 // Set snapshotter before any other options.
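Review bot: Passing `shared=false` to `label.Relabel` makes each relabelled mount carry the container's own MCS level rather than the shared `s0` level, so a host path that more than one pod bind-mounts with `SelinuxRelabel` set would be relabelled to the level of whichever pod was created last and the earlier pods lose access to it; nothing in the hunk records that stricter behaviour. A comment above the call such as `// Relabel with the container's private MCS level (not the shared s0 level); host paths shared across pods must not request SelinuxRelabel.` would make the intent explicit. The `err != unix.ENOTSUP` test matches only a bare errno; if `Relabel` ever wraps the error, `errors.Cause(err) != unix.ENOTSUP` (pkg/errors is already imported here) keeps the exemption working. WithMounts begins and ends outside the hunk.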
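Review bot: The deferred cleanup releases `spec.Process.SelinuxLabel`, but for a privileged container that field was cleared to `""` a few lines earlier, so when CreateContainer fails later the MCS level reserved for the container is never returned to go-selinux and stays reserved until restart; release `meta.ProcessLabel` instead, which keeps the label regardless of privilege: `selinux.ReleaseLabel(meta.ProcessLabel)`. The sandbox_run.go hunk in this same change avoids the problem by registering the defer before clearing the field. The comment also needs `can be release later` → `can be released later`. `retErr` has to be a named result of CreateContainer, whose signature lies outside the hunk.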
@@ -275,10 +288,9 @@ func (c *criService) volumeMounts(containerRootDir string, criMounts []*runtime. src := filepath.Join(containerRootDir, "volumes", volumeID) // addOCIBindMounts will create these volumes. mounts = append(mounts, &runtime.Mount{ - ContainerPath: dst, - HostPath: src, - // Use default mount propagation. - // TODO(random-liu): What about selinux relabel? + ContainerPath: dst, + HostPath: src, + SelinuxRelabel: true, }) } return mounts diff --git a/vendor/github.com/containerd/cri/pkg/server/container_create_unix.go b/vendor/github.com/containerd/cri/pkg/server/container_create_unix.go index 0324bc206..d5f0bc955 100644 --- a/vendor/github.com/containerd/cri/pkg/server/container_create_unix.go +++ b/vendor/github.com/containerd/cri/pkg/server/container_create_unix.go @@ -31,6 +31,8 @@ import ( "github.com/containerd/containerd/oci" imagespec "github.com/opencontainers/image-spec/specs-go/v1" runtimespec "github.com/opencontainers/runtime-spec/specs-go" + selinux "github.com/opencontainers/selinux/go-selinux" + "github.com/opencontainers/selinux/go-selinux/label" "github.com/pkg/errors" runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2" @@ -109,7 +111,7 @@ func (c *criService) containerMounts(sandboxID string, config *runtime.Container func (c *criService) containerSpec(id string, sandboxID string, sandboxPid uint32, netNSPath string, containerName string, config *runtime.ContainerConfig, sandboxConfig *runtime.PodSandboxConfig, imageConfig *imagespec.ImageConfig, - extraMounts []*runtime.Mount, ociRuntime config.Runtime) (*runtimespec.Spec, error) { + extraMounts []*runtime.Mount, ociRuntime config.Runtime) (_ *runtimespec.Spec, retErr error) { specOpts := []oci.SpecOpts{ customopts.WithoutRunMount, 
@@ -151,11 +153,30 @@ func (c *criService) containerSpec(id string, sandboxID string, sandboxPid uint3
 specOpts = append(specOpts, oci.WithEnv(env))
 securityContext := config.GetLinux().GetSecurityContext()
- selinuxOpt := securityContext.GetSelinuxOptions()
- processLabel, mountLabel, err := initSelinuxOpts(selinuxOpt)
+ labelOptions, err := toLabel(securityContext.GetSelinuxOptions())
+ if err != nil {
+ return nil, err
+ }
+ if len(labelOptions) == 0 {
+ // Use pod level SELinux config
+ if sandbox, err := c.sandboxStore.Get(sandboxID); err == nil {
+ labelOptions, err = selinux.DupSecOpt(sandbox.ProcessLabel)
+ if err != nil {
+ return nil, err
+ }
+ }
+ }
+
+ processLabel, mountLabel, err := label.InitLabels(labelOptions)
 if err != nil {
 return nil, errors.Wrapf(err, "failed to init selinux options %+v", securityContext.GetSelinuxOptions())
 }
+ defer func() {
+ if retErr != nil {
+ _ = label.ReleaseLabel(processLabel)
+ }
+ }()
+
 specOpts = append(specOpts, customopts.WithMounts(c.os, config, extraMounts, mountLabel))
 if !c.config.DisableProcMount {
diff --git a/vendor/github.com/containerd/cri/pkg/server/helpers_unix.go b/vendor/github.com/containerd/cri/pkg/server/helpers_unix.go
index bb7440fc9..674552a04 100644
--- a/vendor/github.com/containerd/cri/pkg/server/helpers_unix.go
+++ b/vendor/github.com/containerd/cri/pkg/server/helpers_unix.go
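Review bot: When `c.sandboxStore.Get(sandboxID)` fails, the `err == nil` guard silently falls through and `label.InitLabels` generates a fresh MCS level, so a container whose sandbox lookup failed would run with a different label from its pod, which is the situation the pod-level fallback exists to prevent; unless a missing sandbox is expected here, surface it: `sandbox, err := c.sandboxStore.Get(sandboxID)` / `if err != nil { return nil, errors.Wrapf(err, "failed to find sandbox %q", sandboxID) }` / `labelOptions, err = selinux.DupSecOpt(sandbox.ProcessLabel)`. The `err` declared in the `if` header also shadows the outer `err`, which makes the block easy to misread. A comment on the defer would help too, e.g. `// Release the MCS level InitLabels reserved if spec generation fails; on success the caller owns it.` containerSpec begins and ends outside the hunk.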
@@ -93,47 +93,52 @@ func (c *criService) getSandboxDevShm(id string) string {
 return filepath.Join(c.getVolatileSandboxRootDir(id), "shm")
 }
-func initSelinuxOpts(selinuxOpt *runtime.SELinuxOption) (string, string, error) {
- if selinuxOpt == nil {
- return "", "", nil
+func toLabel(selinuxOptions *runtime.SELinuxOption) ([]string, error) {
+ var labels []string
+
+ if selinuxOptions == nil {
+ return nil, nil
+ }
+ if err := checkSelinuxLevel(selinuxOptions.Level); err != nil {
+ return nil, err
+ }
+ if selinuxOptions.User != "" {
+ labels = append(labels, "user:"+selinuxOptions.User)
+ }
+ if selinuxOptions.Role != "" {
+ labels = append(labels, "role:"+selinuxOptions.Role)
+ }
+ if selinuxOptions.Type != "" {
+ labels = append(labels, "type:"+selinuxOptions.Type)
+ }
+ if selinuxOptions.Level != "" {
+ labels = append(labels, "level:"+selinuxOptions.Level)
 }
- // Should ignored selinuxOpts if they are incomplete.
- if selinuxOpt.GetUser() == "" ||
- selinuxOpt.GetRole() == "" ||
- selinuxOpt.GetType() == "" {
- return "", "", nil
- }
+ return labels, nil
+}
- // make sure the format of "level" is correct.
- ok, err := checkSelinuxLevel(selinuxOpt.GetLevel())
- if err != nil || !ok {
- return "", "", err
- }
-
- labelOpts := fmt.Sprintf("%s:%s:%s:%s",
- selinuxOpt.GetUser(),
- selinuxOpt.GetRole(),
- selinuxOpt.GetType(),
- selinuxOpt.GetLevel())
-
- options, err := label.DupSecOpt(labelOpts)
+func initLabelsFromOpt(selinuxOpts *runtime.SELinuxOption) (string, string, error) {
+ labels, err := toLabel(selinuxOpts)
 if err != nil {
 return "", "", err
 }
- return label.InitLabels(options)
+ return label.InitLabels(labels)
 }
-func checkSelinuxLevel(level string) (bool, error) {
+func checkSelinuxLevel(level string) error {
 if len(level) == 0 {
- return true, nil
+ return nil
 }
- matched, err := regexp.MatchString(`^s\d(-s\d)??(:c\d{1,4}((.c\d{1,4})?,c\d{1,4})*(.c\d{1,4})?(,c\d{1,4}(.c\d{1,4})?)*)?$`, level)
- if err != nil || !matched {
- return false, errors.Wrapf(err, "the format of 'level' %q is not correct", level)
+ matched, err := regexp.MatchString(`^s\d(-s\d)??(:c\d{1,4}(\.c\d{1,4})?(,c\d{1,4}(\.c\d{1,4})?)*)?$`, level)
+ if err != nil {
+ return errors.Wrapf(err, "the format of 'level' %q is not correct", level)
 }
- return true, nil
+ if !matched {
+ return fmt.Errorf("the format of 'level' %q is not correct", level)
+ }
+ return nil
 }
 func (c *criService) apparmorEnabled() bool {
diff --git a/vendor/github.com/containerd/cri/pkg/server/sandbox_run.go b/vendor/github.com/containerd/cri/pkg/server/sandbox_run.go
index becbf9e1b..dd4c51e36 100644
--- a/vendor/github.com/containerd/cri/pkg/server/sandbox_run.go
+++ b/vendor/github.com/containerd/cri/pkg/server/sandbox_run.go
@@ -42,6 +42,7 @@ import (
 "github.com/containerd/cri/pkg/netns"
 sandboxstore "github.com/containerd/cri/pkg/store/sandbox"
 "github.com/containerd/cri/pkg/util"
+ selinux "github.com/opencontainers/selinux/go-selinux"
 )
 func init() {
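Review bot: `checkSelinuxLevel` recompiles the pattern on every call through `regexp.MatchString`, and since the pattern is a constant the `err != nil` branch can never fire; hoist it to `var selinuxLevelRe = regexp.MustCompile(...)` at package level and reduce the body to `if len(level) == 0 || selinuxLevelRe.MatchString(level) { return nil }` followed by the existing `fmt.Errorf`. `toLabel` validates only `Level`: `User`, `Role` and `Type` appear to come straight from the pod's SecurityContext and are joined into `user:`/`role:`/`type:` options without rejecting an embedded `:`, so a malformed value becomes a malformed context string and a confusing failure later rather than a validation error at the CRI boundary; a per-field `strings.Contains(v, ":")` check keeps the failure local. This also changes behaviour from `initSelinuxOpts`, which ignored incomplete options, to overriding individual components of the generated label, which deserves a doc comment such as `// toLabel converts CRI SELinuxOption fields into go-selinux label options (user:, role:, type:, level:); empty fields are omitted and override nothing.`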
@@ -157,6 +158,18 @@ func (c *criService) RunPodSandbox(ctx context.Context, r *runtime.RunPodSandbox
 return nil, errors.Wrap(err, "failed to generate sandbox container spec")
 }
 log.G(ctx).Debugf("Sandbox container %q spec: %#+v", id, spew.NewFormatter(spec))
+ sandbox.ProcessLabel = spec.Process.SelinuxLabel
+ defer func() {
+ if retErr != nil {
+ selinux.ReleaseLabel(sandb
ox.ProcessLabel)
+ }
+ }()
+
+ if config.GetLinux().GetSecurityContext().GetPrivileged() {
+ // If privileged don't set selinux label, but we still record the MCS label so that
+ // the unused label can be freed later.
+ spec.Process.SelinuxLabel = ""
+ }
 // Generate spec options that will be applied to the spec later.
 specOpts, err := c.sandboxContainerSpecOpts(config, &image.ImageSpec.Config)
diff --git a/vendor/github.com/containerd/cri/pkg/server/sandbox_run_unix.go b/vendor/github.com/containerd/cri/pkg/server/sandbox_run_unix.go
index cf460722c..8391872c4 100644
--- a/vendor/github.com/containerd/cri/pkg/server/sandbox_run_unix.go
+++ b/vendor/github.com/containerd/cri/pkg/server/sandbox_run_unix.go
@@ -28,6 +28,7 @@ import (
 "github.com/containerd/containerd/plugin"
 imagespec "github.com/opencontainers/image-spec/specs-go/v1"
 runtimespec "github.com/opencontainers/runtime-spec/specs-go"
+ selinux "github.com/opencontainers/selinux/go-selinux"
 "github.com/pkg/errors"
 "golang.org/x/sys/unix"
 runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
@@ -38,7 +39,7 @@ import (
 )
 func (c *criService) sandboxContainerSpec(id string, config *runtime.PodSandboxConfig,
- imageConfig *imagespec.ImageConfig, nsPath string, runtimePodAnnotations []string) (*runtimespec.Spec, error) {
+ imageConfig *imagespec.ImageConfig, nsPath string, runtimePodAnnotations []string) (_ *runtimespec.Spec, retErr error) {
 // Creates a spec Generator with the default spec.
 // TODO(random-liu): [P1] Compare the default settings with docker and containerd default.
 specOpts := []oci.SpecOpts{
@@ -117,11 +118,15 @@ func (c *criService) sandboxContainerSpec(id string, config *runtime.PodSandboxC
 },
 }))
- selinuxOpt := securityContext.GetSelinuxOptions()
- processLabel, mountLabel, err := initSelinuxOpts(selinuxOpt)
+ processLabel, mountLabel, err := initLabelsFromOpt(securityContext.GetSelinuxOptions())
 if err != nil {
 return nil, errors.Wrapf(err, "failed to init selinux options %+v", securityContext.GetSelinuxOptions())
 }
+ defer func() {
+ if retErr != nil {
+ selinux.ReleaseLabel(processLabel)
+ }
+ }()
 supplementalGroups := securityContext.GetSupplementalGroups()
 specOpts = append(specOpts,
diff --git a/vendor/github.com/containerd/cri/pkg/server/service.go b/vendor/github.com/containerd/cri/pkg/server/service.go
index fba3d5a42..d4a0d2817 100644
--- a/vendor/github.com/containerd/cri/pkg/server/service.go
+++ b/vendor/github.com/containerd/cri/pkg/server/service.go
@@ -25,6 +25,7 @@ import (
 "github.com/containerd/containerd"
 "github.com/containerd/containerd/plugin"
+ "github.com/containerd/cri/pkg/store/label"
 cni "github.com/containerd/go-cni"
 "github.com/pkg/errors"
 "github.com/sirupsen/logrus"
@@ -99,12 +100,13 @@ type criService struct {
 // NewCRIService returns a new instance of CRIService
 func NewCRIService(config criconfig.Config, client *containerd.Client) (CRIService, error) {
 var err error
+ labels := label.NewStore()
 c := &criService{
 config: config,
 client: client,
 os: osinterface.RealOS{},
- sandboxStore: sandboxstore.NewStore(),
- containerStore: containerstore.NewStore(),
+ sandboxStore: sandboxstore.NewStore(labels),
+ containerStore: containerstore.NewStore(labels),
 imageStore: imagestore.NewStore(client),
 snapshotStore: snapshotstore.NewStore(),
 sandboxNameIndex: registrar.NewRegistrar(),
diff --git a/vendor/github.com/containerd/cri/pkg/store/container/container.go b/vendor/github.com/containerd/cri/pkg/store/container/container.go
index 998a39c4f..53c0745a5 100644
--- a/vendor/github.com/containerd/cri/pkg/store/container/container.go
+++ b/vendor/github.com/containerd/cri/pkg/store/container/container.go
@@ -20,6 +20,7 @@ import (
 "sync"
 "github.com/containerd/containerd"
+ "github.com/containerd/cri/pkg/store/label"
 "github.com/docker/docker/pkg/truncindex"
 runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
@@ -101,13 +102,15 @@ type Store struct {
 lock sync.RWMutex
 containers map[string]Container
 idIndex *truncindex.TruncIndex
+ labels *label.Store
 }
 // NewStore creates a container store.
-func NewStore() *Store {
+func NewStore(labels *label.Store) *Store {
 return &Store{
 containers: make(map[string]Container),
 idIndex: truncindex.NewTruncIndex([]string{}),
+ labels: labels,
 }
 }
@@ -119,6 +122,9 @@ func (s *Store) Add(c Container) error {
 if _, ok := s.containers[c.ID]; ok {
 return store.ErrAlreadyExist
 }
+ if err := s.labels.Reserve(c.ProcessLabel); err != nil {
+ return err
+ }
 if err := s.idIndex.Add(c.ID); err != nil {
 return err
 }
@@ -165,6 +171,7 @@ func (s *Store) Delete(id string) {
 // So we need to return if there are error.
 return
 }
+ s.labels.Release(s.containers[id].ProcessLabel)
 s.idIndex.Delete(id) // nolint: errcheck
 delete(s.containers, id)
 }
diff --git a/vendor/github.com/containerd/cri/pkg/store/container/metadata.go b/vendor/github.com/containerd/cri/pkg/store/container/metadata.go
index 23e35dbee..ff9b5f2a3 100644
--- a/vendor/github.com/containerd/cri/pkg/store/container/metadata.go
+++ b/vendor/github.com/containerd/cri/pkg/store/container/metadata.go
@@ -61,6 +61,8 @@ type Metadata struct {
 // StopSignal is the system call signal that will be sent to the container to exit.
 // TODO(random-liu): Add integration test for stop signal.
 StopSignal string
+ // ProcessLabel is the SELinux process label for the container
+ ProcessLabel string
 }
 // MarshalJSON encodes Metadata into bytes in json format.
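Review bot: In `Add`, `s.labels.Reserve(c.ProcessLabel)` runs before `s.idIndex.Add(c.ID)`, and when the index insert fails the reservation is not undone, so the label store keeps a count for a container that was never added and that MCS level can never drop back to zero; move the reserve after the index insert succeeds, or add `s.labels.Release(c.ProcessLabel)` on the index-error path. The sandbox.go `Add` hunk in this change has the same ordering. The release in `Delete` is correct but worth tying to its counterpart, e.g. `// Drop this container's hold on its MCS level; the store frees the level once no sandbox or container uses it.`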
diff --git a/vendor/github.com/containerd/cri/pkg/store/label/label.go b/vendor/github.com/containerd/cri/pkg/store/label/label.go
new file mode 100644
index 000000000..c8c5ff924
--- /dev/null
+++ b/vendor/github.com/containerd/cri/pkg/store/label/label.go
@@ -0,0 +1,90 @@
+/*
+ Copyright The containerd Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+*/
+
+package label
+
+import (
+ "sync"
+
+ "github.com/opencontainers/selinux/go-selinux"
+)
+
+type Store struct {
+ sync.Mutex
+ levels map[string]int
+ Releaser func(string)
+ Reserver func(string)
+}
+
+func NewStore() *Store {
+ return &Store{
+ levels: map[string]int{},
+ Releaser: selinux.ReleaseLabel,
+ Reserver: selinux.ReserveLabel,
+ }
+}
+
+func (s *Store) Reserve(label string) error {
+ s.Lock()
+ defer s.Unlock()
+
+ context, err := selinux.NewContext(label)
+ if err != nil {
+ return err
+ }
+
+ level := context["level"]
+ // no reason to count empty
+ if level == "" {
+ return nil
+ }
+
+ if _, ok := s.levels[level]; !ok {
+ s.Reserver(label)
+ }
+
+ s.levels[level]++
+ return nil
+}
+
+func (s *Store) Release(label string) {
+ s.Lock()
+ defer s.Unlock()
+
+ context, err := selinux.NewContext(label)
+ if err != nil {
+ return
+ }
+
+ level := context["level"]
+ if level == "" {
+ return
+ }
+
+ count, ok := s.levels[level]
+ if !ok {
+ return
+ }
+ switch {
+ case count == 1:
+ s.Releaser(label)
+ delete(s.levels, level)
+ case count < 1:
+ delete(s.levels, level)
+ case count > 1:
+ s.levels[level] = count - 1
+ }
+}
diff --git a/vendor/github.com/containerd/cri/pkg/store/sandbox/metadata.go b/vendor/github.com/containerd/cri/pkg/store/sandbox/metadata.go
index 399cf2457..eb3aa8e83 100644
--- a/vendor/github.com/containerd/cri/pkg/store/sandbox/metadata.go
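Review bot: `Store`, `NewStore`, `Reserve` and `Release` are exported without doc comments, and the reference-counting contract is exactly what a reader needs: a level is handed to `Reserver` on its first `Reserve` and to `Releaser` only when a `Release` finds the count at one, so a sandbox and its containers, which share one level, cannot free it from under each other; suggested `// Store reference-counts SELinux MCS levels across sandboxes and containers so that a level shared within a pod is released only after its last user is deleted.` Embedding `sync.Mutex` exports `Lock` and `Unlock` on `Store`; an unexported `mu sync.Mutex` field keeps the lock internal. `Release` returns silently when `selinux.NewContext` rejects the label, which hides a malformed one; a one-line comment stating that invalid labels are ignored on purpose will stop the next reader from adding error handling. The `count < 1` case is unreachable through this API and merits a `// defensive` comment.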
+++ b/vendor/github.com/containerd/cri/pkg/store/sandbox/metadata.go
@@ -61,6 +61,8 @@ type Metadata struct {
 RuntimeHandler string
 // CNIresult resulting configuration for attached network namespace interfaces
 CNIResult *cni.CNIResult
+ // ProcessLabel is the SELinux process label for the container
+ ProcessLabel string
 }
 // MarshalJSON encodes Metadata into bytes in json format.
diff --git a/vendor/github.com/containerd/cri/pkg/store/sandbox/sandbox.go b/vendor/github.com/containerd/cri/pkg/store/sandbox/sandbox.go
index 2e809cad2..223e88369 100644
--- a/vendor/github.com/containerd/cri/pkg/store/sandbox/sandbox.go
+++ b/vendor/github.com/containerd/cri/pkg/store/sandbox/sandbox.go
@@ -20,6 +20,7 @@ import (
 "sync"
 "github.com/containerd/containerd"
+ "github.com/containerd/cri/pkg/store/label"
 "github.com/docker/docker/pkg/truncindex"
 "github.com/containerd/cri/pkg/netns"
@@ -62,13 +63,15 @@ type Store struct {
 lock sync.RWMutex
 sandboxes map[string]Sandbox
 idIndex *truncindex.TruncIndex
+ labels *label.Store
 }
 // NewStore creates a sandbox store.
-func NewStore() *Store {
+func NewStore(labels *label.Store) *Store {
 return &Store{
 sandboxes: make(map[string]Sandbox),
 idIndex: truncindex.NewTruncIndex([]string{}),
+ labels: labels,
 }
 }
@@ -79,6 +82,9 @@ func (s *Store) Add(sb Sandbox) error {
 if _, ok := s.sandboxes[sb.ID]; ok {
 return store.ErrAlreadyExist
 }
+ if err := s.labels.Reserve(sb.ProcessLabel); err != nil {
+ return err
+ }
 if err := s.idIndex.Add(sb.ID); err != nil {
 return err
 }
@@ -125,6 +131,7 @@ func (s *Store) Delete(id string) {
 // So we need to return if there are error.
 return
 }
+ s.labels.Release(s.sandboxes[id].ProcessLabel)
 s.idIndex.Delete(id) // nolint: errcheck
 delete(s.sandboxes, id)
 }
diff --git a/vendor/github.com/containerd/cri/vendor.conf b/vendor/github.com/containerd/cri/vendor.conf
index bb9668599..16cdb53b3 100644
--- a/vendor/github.com/containerd/cri/vendor.conf
+++ b/vendor/github.com/containerd/cri/vendor.conf
@@ -1,99 +1,99 @@ # cri dependencies github.com/docker/docker 4634ce647cf2ce2c6031129ccd109e557244986f -github.com/opencontainers/selinux 0d49ba2a6aae052c614dfe5de62a158711a6c461 # v1.5.1 -github.com/tchap/go-patricia 666120de432aea38ab06bd5c818f04f4129882c9 # v2.2.6 +github.com/opencontainers/selinux v1.5.2 +github.com/tchap/go-patricia v2.2.6 # containerd dependencies -github.com/beorn7/perks 37c8de3658fcb183f997c4e13e8337516ab753e6 # v1.0.1 -github.com/BurntSushi/toml 3012a1dbe2e4bd1391d42b32f0577cb7bbc7f005 # v0.3.1 -github.com/cespare/xxhash/v2 d7df74196a9e781ede915320c11c378c1b2f3a1f # v2.1.1 +github.com/beorn7/perks v1.0.1 +github.com/BurntSushi/toml v0.3.1 +github.com/cespare/xxhash/v2 v2.1.1 github.com/containerd/cgroups b4448137398923af7f4918b8b2ad8249172ca7a6 -github.com/containerd/console 8375c3424e4d7b114e8a90a4a40c8e1b40d1d4e6 # v1.0.0 -github.com/containerd/containerd ed261720c86d1e700cd5d39175128322baac6dda -github.com/containerd/continuity 0ec596719c75bfd42908850990acea594b7593ac -github.com/containerd/fifo bda0ff6ed73c67bfb5e62bc9c697f146b7fd7f13 -github.com/containerd/go-runc a5c2862aed5e6358b305b0e16bfce58e0549b1cd -github.com/containerd/ttrpc 72bb1b21c5b0a4a107f59dd85f6ab58e564b68d6 # v1.0.1 -github.com/containerd/typeurl cd3ce7159eae562a4f60ceff37dada11a939d247 # v1.0.1 -github.com/coreos/go-systemd/v22 2d78030078ef61b3cae27f42ad6d0e46db51b339 # v22.0.0 -github.com/cpuguy83/go-md2man 7762f7e404f8416dfa1d9bb6a8c192aa9acb4d19 # v1.0.10 +github.com/containerd/console v1.0.0 +github.com/containerd/containerd v1.4.0-beta.0 +github.com/containerd/continuity d3ef23f19fbb106bb73ffde425d07a9187e30745 +github.com/containerd/fifo f15a3290365b9d2627d189e619ab4008e0069caf +github.com/containerd/go-runc 7016d3ce2328dd2cb1192b2076ebd565c4e8df0c +github.com/containerd/ttrpc v1.0.1 +github.com/containerd/typeurl v1.0.1 +github.com/coreos/go-systemd/v22 v22.0.0 +github.com/cpuguy83/go-md2man v1.0.10 github.com/docker/go-events 
e31b211e4f1cd09aa76fe4ac244571fab96ae47f -github.com/docker/go-metrics b619b3592b65de4f087d9f16863a7e6ff905973c # v0.0.1 -github.com/docker/go-units 519db1ee28dcc9fd2474ae59fca29a810482bfb1 # v0.4.0 -github.com/godbus/dbus/v5 37bf87eef99d69c4f1d3528bd66e3a87dc201472 # v5.0.3 -github.com/gogo/googleapis 01e0f9cca9b92166042241267ee2a5cdf5cff46c # v1.3.2 -github.com/gogo/protobuf 5628607bb4c51c3157aacc3a50f0ab707582b805 # v1.3.1 -github.com/golang/protobuf d23c5127dc24889085f8ccea5c9d560a57a879d8 # v1.3.3 -github.com/google/uuid 0cd6bf5da1e1c83f8b45653022c74f71af0538a4 # v1.1.1 -github.com/grpc-ecosystem/go-grpc-prometheus c225b8c3b01faf2899099b768856a9e916e5087b # v1.2.0 -github.com/hashicorp/errwrap 8a6fb523712970c966eefc6b39ed2c5e74880354 # v1.0.0 -github.com/hashicorp/go-multierror 886a7fbe3eb1c874d46f623bfa70af45f425b3d1 # v1.0.0 -github.com/hashicorp/golang-lru 7f827b33c0f158ec5dfbba01bb0b14a4541fd81d # v0.5.3 -github.com/imdario/mergo 7c29201646fa3de8506f701213473dd407f19646 # v0.3.7 -github.com/konsorten/go-windows-terminal-sequences edb144dfd453055e1e49a3d8b410a660b5a87613 # v1.0.3 -github.com/matttproud/golang_protobuf_extensions c12348ce28de40eed0136aa2b644d0ee0650e56c # v1.0.1 -github.com/Microsoft/go-winio 6c72808b55902eae4c5943626030429ff20f3b63 # v0.4.14 -github.com/Microsoft/hcsshim 5bc557dd210ff2caf615e6e22d398123de77fc11 # v0.8.9 -github.com/opencontainers/go-digest 28d3ccc31a47933556673856d9807b4ca436108e -github.com/opencontainers/image-spec d60099175f88c47cd379c4738d158884749ed235 # v1.0.1 -github.com/opencontainers/runc dc9208a3303feef5b3839f4323d9beb36df0a9dd # v1.0.0-rc10 -github.com/opencontainers/runtime-spec c4ee7d12c742ffe806cd9350b6af3b4b19faed6f # v1.0.2 -github.com/pkg/errors 614d223910a179a466c1767a985424175c39b465 # v0.9.1 -github.com/prometheus/client_golang c42bebe5a5cddfc6b28cd639103369d8a75dfa89 # v1.3.0 -github.com/prometheus/client_model d1d2010b5beead3fa1c5f271a5cf626e40b3ad6e # v0.1.0 -github.com/prometheus/common 
287d3e634a1e550c9e463dd7e5a75a422c614505 # v0.7.0 -github.com/prometheus/procfs 6d489fc7f1d9cd890a250f3ea3431b1744b9623f # v0.0.8 -github.com/russross/blackfriday 05f3235734ad95d0016f6a23902f06461fcf567a # v1.5.2 -github.com/sirupsen/logrus 60c74ad9be0d874af0ab0daef6ab07c5c5911f0d # v1.6.0 +github.com/docker/go-metrics v0.0.1 +github.com/docker/go-units v0.4.0 +github.com/godbus/dbus/v5 v5.0.3 +github.com/gogo/googleapis v1.3.2 +github.com/gogo/protobuf v1.3.1 +github.com/golang/protobuf v1.3.3 +github.com/google/uuid v1.1.1 +github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 +github.com/hashicorp/errwrap v1.0.0 +github.com/hashicorp/go-multierror v1.0.0 +github.com/hashicorp/golang-lru v0.5.3 +github.com/imdario/mergo v0.3.7 +github.com/konsorten/go-windows-terminal-sequences v1.0.3 +github.com/matttproud/golang_protobuf_extensions v1.0.1 +github.com/Microsoft/go-winio v0.4.14 +github.com/Microsoft/hcsshim v0.8.9 +github.com/opencontainers/go-digest v1.0.0 +github.com/opencontainers/image-spec v1.0.1 +github.com/opencontainers/runc v1.0.0-rc10 +github.com/opencontainers/runtime-spec v1.0.2 +github.com/pkg/errors v0.9.1 +github.com/prometheus/client_golang v1.3.0 +github.com/prometheus/client_model v0.1.0 +github.com/prometheus/common v0.7.0 +github.com/prometheus/procfs v0.0.8 +github.com/russross/blackfriday v1.5.2 +github.com/sirupsen/logrus v1.6.0 github.com/syndtr/gocapability d98352740cb2c55f81556b63d4a1ec64c5a319c2 -github.com/urfave/cli bfe2e925cfb6d44b40ad3a779165ea7e8aff9212 # v1.22.0 -go.etcd.io/bbolt a0458a2b35708eef59eb5f620ceb3cd1c01a824d # v1.3.3 -go.opencensus.io 9c377598961b706d1542bd2d84d538b5094d596e # v0.22.0 +github.com/urfave/cli v1.22.0 +go.etcd.io/bbolt v1.3.3 +go.opencensus.io v0.22.0 golang.org/x/net f3200d17e092c607f615320ecaad13d87ad9a2b3 golang.org/x/sync 42b317875d0fa942474b76e1b46a6060d720ae6e golang.org/x/sys 5c8b2ff67527cb88b770f693cebf3799036d8bc0 golang.org/x/text 19e51611da83d6be54ddafce4a4af510cb3e9ea4 
google.golang.org/genproto e50cd9704f63023d62cd06a1994b98227fc4d21a -google.golang.org/grpc f495f5b15ae7ccda3b38c53a1bfcde4c1a58a2bc # v1.27.1 +google.golang.org/grpc v1.27.1 # cgroups dependencies github.com/cilium/ebpf 4032b1d8aae306b7bb94a2a11002932caf88c644 # kubernetes dependencies -github.com/davecgh/go-spew 8991bc29aa16c548c550c7ff78260e27b9ab7c73 # v1.1.1 +github.com/davecgh/go-spew v1.1.1 github.com/docker/spdystream 449fdfce4d962303d702fec724ef0ad181c92528 -github.com/emicklei/go-restful b993709ae1a4f6dd19cfa475232614441b11c9d5 # v2.9.5 -github.com/google/gofuzz db92cf7ae75e4a7a28abc005addab2b394362888 # v1.1.0 -github.com/json-iterator/go 03217c3e97663914aec3faafde50d081f197a0a2 # v1.1.8 -github.com/modern-go/concurrent bacd9c7ef1dd9b15be4a9909b8ac7a4e313eec94 # 1.0.3 -github.com/modern-go/reflect2 4b7aa43c6742a2c18fdef89dd197aaae7dac7ccd # 1.0.1 -github.com/pmezard/go-difflib 792786c7400a136282c1664665ae0a8db921c6c2 # v1.0.0 -github.com/seccomp/libseccomp-golang 689e3c1541a84461afc49c1c87352a6cedf72e9c # v0.9.1 -github.com/stretchr/testify 221dbe5ed46703ee255b1da0dec05086f5035f62 # v1.4.0 +github.com/emicklei/go-restful v2.9.5 +github.com/google/gofuzz v1.1.0 +github.com/json-iterator/go v1.1.8 +github.com/modern-go/concurrent 1.0.3 +github.com/modern-go/reflect2 v1.0.1 +github.com/pmezard/go-difflib v1.0.0 +github.com/seccomp/libseccomp-golang v0.9.1 +github.com/stretchr/testify v1.4.0 golang.org/x/crypto bac4c82f69751a6dd76e702d54b3ceb88adab236 golang.org/x/oauth2 0f29369cfe4552d0e4bcddc57cc75f4d7e672a33 golang.org/x/time 9d24e82272b4f38b78bc8cff74fa936d31ccd8ef -gopkg.in/inf.v0 d2d2541c53f18d2a059457998ce2876cc8e67cbf # v0.9.1 -gopkg.in/yaml.v2 53403b58ad1b561927d19068c655246f2db79d48 # v2.2.8 -k8s.io/api a9db9afcc0e93a2a30a381bbd92c1d40ccc72b24 # v0.18.2 -k8s.io/apimachinery ab1231685bfe66237a116092641da00923cc00ca # v0.18.2 -k8s.io/apiserver de7df530d0c1046048acda2312486694046bfc6c # v0.18.2 -k8s.io/client-go 
6b7c68377979c821b73d98d1bd4c5a466034f491 # v0.18.2 -k8s.io/cri-api 3d1680d8d202aa12c5dc5689170c3c03a488d35b # v0.18.2 -k8s.io/klog 2ca9ad30301bf30a8a6e0fa2110db6b8df699a91 # v1.0.0 -k8s.io/kubernetes 52c56ce7a8272c798dbc29846288d7cd9fbae032 # v1.18.2 +gopkg.in/inf.v0 v0.9.1 +gopkg.in/yaml.v2 v2.2.8 +k8s.io/api v0.18.2 +k8s.io/apimachinery v0.18.2 +k8s.io/apiserver v0.18.2 +k8s.io/client-go v0.18.2 +k8s.io/cri-api v0.18.2 +k8s.io/klog v1.0.0 +k8s.io/kubernetes v1.18.2 k8s.io/utils a9aa75ae1b89e1b992c33383f48e942d97e52dae -sigs.k8s.io/structured-merge-diff/v3 877aee05330847a873a1a8998b40e12a1e0fde25 # v3.0.0 -sigs.k8s.io/yaml 9fc95527decd95bb9d28cc2eab08179b2d0f6971 # v1.2.0 +sigs.k8s.io/structured-merge-diff/v3 v3.0.0 +sigs.k8s.io/yaml v1.2.0 # cni dependencies -github.com/containerd/go-cni 0d360c50b10b350b6bb23863fd4dfb1c232b01c9 -github.com/containernetworking/cni 4cfb7b568922a3c79a23e438dc52fe537fc9687e # v0.7.1 -github.com/containernetworking/plugins 9f96827c7cabb03f21d86326000c00f61e181f6a # v0.7.6 -github.com/fsnotify/fsnotify 4bf2d1fec78374803a39307bfb8d340688f4f28e # v1.4.8 +github.com/containerd/go-cni v1.0.0 +github.com/containernetworking/cni v0.7.1 +github.com/containernetworking/plugins v0.7.6 +github.com/fsnotify/fsnotify v1.4.8 # image decrypt depedencies -github.com/containerd/imgcrypt 9e761ccd6069fb707ec9493435f31475b5524b38 # v1.0.1 -github.com/containers/ocicrypt 0343cc6053fd65069df55bce6838096e09b4033a # v1.0.1 from containerd/imgcrypt -github.com/fullsailor/pkcs7 8306686428a5fe132eac8cb7c4848af725098bd4 # from containers/ocicrypt -gopkg.in/square/go-jose.v2 730df5f748271903322feb182be83b43ebbbe27d # v2.3.1 from containers/ocicrypt +github.com/containerd/imgcrypt v1.0.1 +github.com/containers/ocicrypt v1.0.1 +github.com/fullsailor/pkcs7 8306686428a5fe132eac8cb7c4848af725098bd4 +gopkg.in/square/go-jose.v2 v2.3.1 
diff --git a/vendor/github.com/containerd/go-cni/README.md b/vendor/github.com/containerd/go-cni/README.md index 1bd2f0013..3b1a4aa75 100644 --- a/vendor/github.com/containerd/go-cni/README.md +++ b/vendor/github.com/containerd/go-cni/README.md @@ -1,4 +1,4 @@ -[![Build Status](https://travis-ci.org/containerd/go-cni.svg?branch=master)](https://travis-ci.org/containerd/go-cni) +[![Build Status](https://travis-ci.org/containerd/go-cni.svg?branch=master)](https://travis-ci.org/containerd/go-cni) [![GoDoc](https://godoc.org/github.com/containerd/go-cni?status.svg)](https://godoc.org/github.com/containerd/go-cni) # go-cni diff --git a/vendor/github.com/containerd/go-cni/errors.go b/vendor/github.com/containerd/go-cni/errors.go index 28761711e..3fbdf777a 100644 --- a/vendor/github.com/containerd/go-cni/errors.go +++ b/vendor/github.com/containerd/go-cni/errors.go @@ -31,25 +31,25 @@ var ( // IsCNINotInitialized returns true if the error is due to cni config not being initialized func IsCNINotInitialized(err error) bool { - return errors.Cause(err) == ErrCNINotInitialized + return errors.Is(err, ErrCNINotInitialized) } // IsInvalidConfig returns true if the error is invalid cni config func IsInvalidConfig(err error) bool { - return errors.Cause(err) == ErrInvalidConfig + return errors.Is(err, ErrInvalidConfig) } // IsNotFound returns true if the error is due to a missing config or result func IsNotFound(err error) bool { - return errors.Cause(err) == ErrNotFound + return errors.Is(err, ErrNotFound) } // IsReadFailure return true if the error is a config read failure func IsReadFailure(err error) bool { - return errors.Cause(err) == ErrRead + return errors.Is(err, ErrRead) } // IsInvalidResult return true if the error is due to invalid cni result func IsInvalidResult(err error) bool { - return errors.Cause(err) == ErrInvalidResult + return errors.Is(err, ErrInvalidResult) } 
diff --git a/vendor/github.com/containerd/go-cni/go.mod b/vendor/github.com/containerd/go-cni/go.mod new file mode 100644 index 000000000..0040b34b7 --- /dev/null +++ b/vendor/github.com/containerd/go-cni/go.mod @@ -0,0 +1,14 @@ +module github.com/containerd/go-cni + +require ( + github.com/containernetworking/cni v0.7.1 + github.com/davecgh/go-spew v1.1.1 // indirect + github.com/onsi/ginkgo v1.10.3 // indirect + github.com/onsi/gomega v1.7.1 // indirect + github.com/pkg/errors v0.9.1 + github.com/pmezard/go-difflib v1.0.0 // indirect + github.com/stretchr/objx v0.0.0-20180129172003-8a3f7159479f // indirect + github.com/stretchr/testify v0.0.0-20180303142811-b89eecf5ca5d +) + +go 1.13 diff --git a/vendor/github.com/containerd/go-cni/opts.go b/vendor/github.com/containerd/go-cni/opts.go index 5222df1e9..1dd7869a2 100644 --- a/vendor/github.com/containerd/go-cni/opts.go +++ b/vendor/github.com/containerd/go-cni/opts.go @@ -142,6 +142,24 @@ func WithConfFile(fileName string) CNIOpt { } } +// WithConfListBytes can be used to load network config list directly +// from byte +func WithConfListBytes(bytes []byte) CNIOpt { + return func(c *libcni) error { + confList, err := cnilibrary.ConfListFromBytes(bytes) + if err != nil { + return err + } + i := len(c.networks) + c.networks = append(c.networks, &Network{ + cni: c.cniConfig, + config: confList, + ifName: getIfName(c.prefix, i), + }) + return nil + } +} + // WithConfListFile can be used to load network config // from an .conflist file. Supported with absolute fileName // with path only. diff --git a/vendor/github.com/containerd/go-cni/vendor.conf b/vendor/github.com/containerd/go-cni/vendor.conf deleted file mode 100644 index 31d06e0fc..000000000 --- a/vendor/github.com/containerd/go-cni/vendor.conf +++ /dev/null 
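Review bot: `WithConfListBytes` names its parameter `bytes`, which shadows the standard `bytes` package for the whole closure; `data` or `confListBytes` avoids the shadowing and reads better next to `cnilibrary.ConfListFromBytes`. The doc comment reads `// from byte` and should say `// from bytes`, mirroring the style of the `WithConfListFile` comment below it.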
@@ -1,6 +0,0 @@
-github.com/stretchr/testify b89eecf5ca5db6d3ba60b237ffe3df7bafb7662f
-github.com/davecgh/go-spew 8991bc29aa16c548c550c7ff78260e27b9ab7c73
-github.com/pmezard/go-difflib 792786c7400a136282c1664665ae0a8db921c6c2
-github.com/stretchr/objx 8a3f7159479fbc75b30357fbc48f380b7320f08e
-github.com/containernetworking/cni v0.7.1
-github.com/pkg/errors v0.8.0
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go
index 6e38d3d32..fea096c18 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go
@@ -1,6 +1,8 @@
 package label
 import (
+ "fmt"
+
 "github.com/opencontainers/selinux/go-selinux"
 )
@@ -46,7 +48,7 @@ var PidLabel = selinux.PidLabel
 // Init initialises the labeling system
 func Init() {
- selinux.GetEnabled()
+ _ = selinux.GetEnabled()
 }
 // ClearLabels will clear all reserved labels
@@ -75,3 +77,21 @@ func ReleaseLabel(label string) error {
 // can be used to set duplicate labels on future container processes
 // Deprecated: use selinux.DupSecOpt
 var DupSecOpt = selinux.DupSecOpt
+
+// FormatMountLabel returns a string to be used by the mount command.
+// The format of this string will be used to alter the labeling of the mountpoint.
+// The string returned is suitable to be used as the options field of the mount command.
+// If you need to have additional mount point options, you can pass them in as
+// the first parameter. Second parameter is the label that you wish to apply
+// to all content in the mount point.
+func FormatMountLabel(src, mountLabel string) string {
+ if mountLabel != "" {
+ switch src {
+ case "":
+ src = fmt.Sprintf("context=%q", mountLabel)
+ default:
+ src = fmt.Sprintf("%s,context=%q", src, mountLabel)
+ }
+ }
+ return src
+}
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
index 903829958..779e2e3a8 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
@@ -3,7 +3,6 @@ package label
 import (
- "fmt"
 "os"
 "os/user"
 "strings"
@@ -43,7 +42,7 @@ func InitLabels(options []string) (plabel string, mlabel string, Err error) {
 if err != nil {
 return "", "", err
 }
-
+ mcsLevel := pcon["level"]
 mcon, err := selinux.NewContext(mountLabel)
 if err != nil {
 return "", "", err
@@ -62,16 +61,21 @@ func InitLabels(options []string) (plabel string, mlabel string, Err error) {
 }
 if con[0] == "filetype" {
 mcon["type"] = con[1]
+ continue
 }
 pcon[con[0]] = con[1]
 if con[0] == "level" || con[0] == "user" {
 mcon[con[0]] = con[1]
 }
 }
- selinux.ReleaseLabel(processLabel)
- processLabel = pcon.Get()
- mountLabel = mcon.Get()
- selinux.ReserveLabel(processLabel)
+ if pcon.Get() != processLabel {
+ if pcon["level"] != mcsLevel {
+ selinux.ReleaseLabel(processLabel)
+ }
+ processLabel = pcon.Get()
+ mountLabel = mcon.Get()
+ selinux.ReserveLabel(processLabel)
+ }
 }
 return processLabel, mountLabel, nil
 }
@@ -82,24 +86,6 @@ func GenLabels(options string) (string, string, error) {
 return InitLabels(strings.Fields(options))
 }
-// FormatMountLabel returns a string to be used by the mount command.
-// The format of this string will be used to alter the labeling of the mountpoint.
-// The string returned is suitable to be used as the options field of the mount command.
-// If you need to have additional mount point options, you can pass them in as
-// the first parameter. Second parameter is the label that you wish to apply
-// to all content in the mount point.
-func FormatMountLabel(src, mountLabel string) string {
- if mountLabel != "" {
- switch src {
- case "":
- src = fmt.Sprintf("context=%q", mountLabel)
- default:
- src = fmt.Sprintf("%s,context=%q", src, mountLabel)
- }
- }
- return src
-}
-
 // SetFileLabel modifies the "path" label to the specified file label
 func SetFileLabel(path string, fileLabel string) error {
 if !selinux.GetEnabled() || fileLabel == "" {
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_stub.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_stub.go
index cda59d671..c2bdd35d7 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_stub.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_stub.go
@@ -15,10 +15,6 @@ func GenLabels(options string) (string, string, error) {
 return "", "", nil
 }
-func FormatMountLabel(src string, mountLabel string) string {
- return src
-}
-
 func SetFileLabel(path string, fileLabel string) error {
 return nil
 }