From 2c77dc63a42f6536e51b5cbb934c0893a4d2c4da Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Sun, 10 May 2020 12:57:06 +0200 Subject: [PATCH] vendor: update containerd/cri to current master - Remove dependency on libcontainer/system - Get rid of socat for port forwarding - Roll docker/distribution back to latest (v2.7.1) release Now that 901bcb2231466229d27aee8d38a6e2fcdc95015e was merged in containerd, we no longer depend on the ParseDockerRef utility from docker/distribution, so we can safely roll back to the latest release for this dependency. - vendor: kubernetes v1.18.2 Fix client watch reestablishment handling of client-side timeouts - Add config flag to default empty seccomp profile Signed-off-by: Sebastiaan van Stijn --- .github/workflows/ci.yml | 3 +- .travis.yml | 1 - vendor.conf | 2 +- vendor/github.com/containerd/cri/README.md | 9 +- .../containerd/cri/pkg/config/config.go | 3 + .../cri/pkg/server/container_create_unix.go | 7 +- .../containerd/cri/pkg/server/image_pull.go | 10 +- .../pkg/server/sandbox_portforward_unix.go | 99 ++++++----- .../cri/pkg/server/sandbox_run_unix.go | 2 +- .../containerd/cri/pkg/server/service_unix.go | 4 +- vendor/github.com/containerd/cri/vendor.conf | 38 +++-- .../runc/libcontainer/system/linux.go | 155 ------------------ .../runc/libcontainer/system/proc.go | 113 ------------- .../libcontainer/system/syscall_linux_32.go | 26 --- .../libcontainer/system/syscall_linux_64.go | 26 --- .../runc/libcontainer/system/sysconfig.go | 12 -- .../libcontainer/system/sysconfig_notcgo.go | 15 -- .../runc/libcontainer/system/unsupported.go | 27 --- .../runc/libcontainer/system/xattrs_linux.go | 35 ---- 19 files changed, 97 insertions(+), 490 deletions(-) delete mode 100644 vendor/github.com/opencontainers/runc/libcontainer/system/linux.go delete mode 100644 vendor/github.com/opencontainers/runc/libcontainer/system/proc.go delete mode 100644 vendor/github.com/opencontainers/runc/libcontainer/system/syscall_linux_32.go delete mode 100644 vendor/github.com/opencontainers/runc/libcontainer/system/syscall_linux_64.go delete mode 100644 vendor/github.com/opencontainers/runc/libcontainer/system/sysconfig.go delete mode 100644 vendor/github.com/opencontainers/runc/libcontainer/system/sysconfig_notcgo.go delete mode 100644 vendor/github.com/opencontainers/runc/libcontainer/system/unsupported.go delete mode 100644 vendor/github.com/opencontainers/runc/libcontainer/system/xattrs_linux.go diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2b921dfa2..50ff2f20b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -311,8 +311,7 @@ jobs: libnl-3-dev \ libnet-dev \ libcap-dev \ - python-future \ - socat + python-future wget https://github.com/checkpoint-restore/criu/archive/v3.13.tar.gz -O criu.tar.gz tar -zxf criu.tar.gz cd criu-3.13 diff --git a/.travis.yml b/.travis.yml index c051c4720..97b66ec43 100644 --- a/.travis.yml +++ b/.travis.yml @@ -46,7 +46,6 @@ addons: - libaio-dev - libprotobuf-c-dev - libprotobuf-dev - - socat before_install: - uname -r diff --git a/vendor.conf b/vendor.conf index 3dee19387..cacda3d41 100644 --- a/vendor.conf +++ b/vendor.conf @@ -56,7 +56,7 @@ gotest.tools/v3 v3.0.2 github.com/cilium/ebpf 4032b1d8aae306b7bb94a2a11002932caf88c644 # cri dependencies -github.com/containerd/cri 65830369b6b2b4edc454bf5cebbd9b76c1c1ac66 # master +github.com/containerd/cri 8252e54f936b85b58799600edcb98987a8665300 # master github.com/davecgh/go-spew v1.1.1 github.com/docker/distribution v2.7.1 github.com/docker/docker 4634ce647cf2ce2c6031129ccd109e557244986f diff --git a/vendor/github.com/containerd/cri/README.md b/vendor/github.com/containerd/cri/README.md index 144c6833b..8e93b8d69 100644 --- a/vendor/github.com/containerd/cri/README.md +++ b/vendor/github.com/containerd/cri/README.md @@ -77,11 +77,10 @@ specifications as appropriate. (Fedora, CentOS, RHEL). On releases of Ubuntu <=Trusty and Debian <=jessie a backport version of `libseccomp-dev` is required. See [travis.yml](.travis.yml) for an example on trusty. * **btrfs development library.** Required by containerd btrfs support. `btrfs-tools`(Ubuntu, Debian) / `btrfs-progs-devel`(Fedora, CentOS, RHEL) -2. Install **`socat`** (required by portforward). -3. Install **`pkg-config`** (required for linking with `libseccomp`). -4. Install and setup a Go 1.13.10 development environment. -5. Make a local clone of this repository. -6. Install binary dependencies by running the following command from your cloned `cri/` project directory: +2. Install **`pkg-config`** (required for linking with `libseccomp`). +3. Install and setup a Go 1.13.10 development environment. +4. Make a local clone of this repository. +5. Install binary dependencies by running the following command from your cloned `cri/` project directory: ```bash # Note: install.deps installs the above mentioned runc, containerd, and CNI # binary dependencies. install.deps is only provided for general use and ease of diff --git a/vendor/github.com/containerd/cri/pkg/config/config.go b/vendor/github.com/containerd/cri/pkg/config/config.go index 1307dd1b7..d2e10f192 100644 --- a/vendor/github.com/containerd/cri/pkg/config/config.go +++ b/vendor/github.com/containerd/cri/pkg/config/config.go @@ -225,6 +225,9 @@ type PluginConfig struct { // DisableProcMount disables Kubernetes ProcMount support. This MUST be set to `true` // when using containerd with Kubernetes <=1.11. DisableProcMount bool `toml:"disable_proc_mount" json:"disableProcMount"` + // UnsetSeccompProfile is the profile containerd/cri will use If the provided seccomp profile is + // unset (`""`) for a container (default is `unconfined`) + UnsetSeccompProfile string `toml:"unset_seccomp_profile" json:"unsetSeccompProfile"` } // X509KeyPairStreaming contains the x509 configuration for streaming diff --git a/vendor/github.com/containerd/cri/pkg/server/container_create_unix.go b/vendor/github.com/containerd/cri/pkg/server/container_create_unix.go index ef6cce39b..0324bc206 100644 --- a/vendor/github.com/containerd/cri/pkg/server/container_create_unix.go +++ b/vendor/github.com/containerd/cri/pkg/server/container_create_unix.go @@ -286,7 +286,7 @@ func (c *criService) containerSpecOpts(config *runtime.ContainerConfig, imageCon specOpts = append(specOpts, apparmorSpecOpts) } - seccompSpecOpts, err := generateSeccompSpecOpts( + seccompSpecOpts, err := c.generateSeccompSpecOpts( securityContext.GetSeccompProfilePath(), securityContext.GetPrivileged(), c.seccompEnabled()) @@ -300,11 +300,14 @@ func (c *criService) containerSpecOpts(config *runtime.ContainerConfig, imageCon } // generateSeccompSpecOpts generates containerd SpecOpts for seccomp. -func generateSeccompSpecOpts(seccompProf string, privileged, seccompEnabled bool) (oci.SpecOpts, error) { +func (c *criService) generateSeccompSpecOpts(seccompProf string, privileged, seccompEnabled bool) (oci.SpecOpts, error) { if privileged { // Do not set seccomp profile when container is privileged return nil, nil } + if seccompProf == "" { + seccompProf = c.config.UnsetSeccompProfile + } // Set seccomp profile if seccompProf == runtimeDefault || seccompProf == dockerDefault { // use correct default profile (Eg. if not configured otherwise, the default is docker/default) diff --git a/vendor/github.com/containerd/cri/pkg/server/image_pull.go b/vendor/github.com/containerd/cri/pkg/server/image_pull.go index 5c6d6b880..931eaf71a 100644 --- a/vendor/github.com/containerd/cri/pkg/server/image_pull.go +++ b/vendor/github.com/containerd/cri/pkg/server/image_pull.go @@ -324,10 +324,6 @@ func (c *criService) registryHosts(auth *runtime.AuthConfig) docker.RegistryHost config = c.config.Registry.Configs[u.Host] ) - if u.Scheme != "https" && config.TLS != nil { - return nil, errors.Errorf("tls provided for http endpoint %q", e) - } - if config.TLS != nil { transport.TLSClientConfig, err = c.getTLSConfig(*config.TLS) if err != nil { @@ -425,9 +421,9 @@ func newTransport() *http.Transport { return &http.Transport{ Proxy: http.ProxyFromEnvironment, DialContext: (&net.Dialer{ - Timeout: 30 * time.Second, - KeepAlive: 30 * time.Second, - DualStack: true, + Timeout: 30 * time.Second, + KeepAlive: 30 * time.Second, + FallbackDelay: 300 * time.Millisecond, }).DialContext, MaxIdleConns: 10, IdleConnTimeout: 30 * time.Second, diff --git a/vendor/github.com/containerd/cri/pkg/server/sandbox_portforward_unix.go b/vendor/github.com/containerd/cri/pkg/server/sandbox_portforward_unix.go index 07fd1d669..c5fadad2c 100644 --- a/vendor/github.com/containerd/cri/pkg/server/sandbox_portforward_unix.go +++ b/vendor/github.com/containerd/cri/pkg/server/sandbox_portforward_unix.go @@ -19,28 +19,27 @@ package server import ( - "bytes" "fmt" "io" - "os/exec" - "strings" + "net" + "time" "github.com/containerd/containerd/log" "github.com/containernetworking/plugins/pkg/ns" "github.com/pkg/errors" - "github.com/sirupsen/logrus" "golang.org/x/net/context" + runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2" ) -// portForward requires `socat` on the node. It uses netns to enter the sandbox namespace, -// and run `socat` inside the namespace to forward stream for a specific port. The `socat` -// command keeps running until it exits or client disconnect. -func (c *criService) portForward(ctx context.Context, id string, port int32, stream io.ReadWriter) error { +// portForward uses netns to enter the sandbox namespace, and forwards a stream inside the +// the namespace to a specific port. It keeps forwarding until it exits or client disconnect. +func (c *criService) portForward(ctx context.Context, id string, port int32, stream io.ReadWriteCloser) error { s, err := c.sandboxStore.Get(id) if err != nil { return errors.Wrapf(err, "failed to find sandbox %q in store", id) } + var netNSDo func(func(ns.NetNS) error) error // netNSPath is the network namespace path for logging. var netNSPath string @@ -62,48 +61,64 @@ func (c *criService) portForward(ctx context.Context, id string, port int32, str netNSPath = "host" } - socat, err := exec.LookPath("socat") - if err != nil { - return errors.Wrap(err, "failed to find socat") - } - - // Check https://linux.die.net/man/1/socat for meaning of the options. - args := []string{socat, "-", fmt.Sprintf("TCP4:localhost:%d", port)} - - log.G(ctx).Infof("Executing port forwarding command %q in network namespace %q", strings.Join(args, " "), netNSPath) + log.G(ctx).Infof("Executing port forwarding in network namespace %q", netNSPath) err = netNSDo(func(_ ns.NetNS) error { - cmd := exec.Command(args[0], args[1:]...) - cmd.Stdout = stream - - stderr := new(bytes.Buffer) - cmd.Stderr = stderr - - // If we use Stdin, command.Run() won't return until the goroutine that's copying - // from stream finishes. Unfortunately, if you have a client like telnet connected - // via port forwarding, as long as the user's telnet client is connected to the user's - // local listener that port forwarding sets up, the telnet session never exits. This - // means that even if socat has finished running, command.Run() won't ever return - // (because the client still has the connection and stream open). - // - // The work around is to use StdinPipe(), as Wait() (called by Run()) closes the pipe - // when the command (socat) exits. - in, err := cmd.StdinPipe() + defer stream.Close() + // TODO: hardcoded to tcp4 because localhost resolves to ::1 by default if the system has IPv6 enabled. + // Theoretically happy eyeballs will try IPv6 first and fallback to IPv4 + // but resolving localhost doesn't seem to return and IPv4 address, thus failing the connection. + conn, err := net.Dial("tcp4", fmt.Sprintf("localhost:%d", port)) if err != nil { - return errors.Wrap(err, "failed to create stdin pipe") + return errors.Wrapf(err, "failed to dial %d", port) } + defer conn.Close() + + errCh := make(chan error, 2) + // Copy from the the namespace port connection to the client stream go func() { - if _, err := io.Copy(in, stream); err != nil { - logrus.WithError(err).Errorf("Failed to copy port forward input for %q port %d", id, port) - } - in.Close() - logrus.Debugf("Finish copying port forward input for %q port %d", id, port) + log.G(ctx).Debugf("PortForward copying data from namespace %q port %d to the client stream", id, port) + _, err := io.Copy(stream, conn) + errCh <- err }() - if err := cmd.Run(); err != nil { - return errors.Errorf("socat command returns error: %v, stderr: %q", err, stderr.String()) + // Copy from the client stream to the namespace port connection + go func() { + log.G(ctx).Debugf("PortForward copying data from client stream to namespace %q port %d", id, port) + _, err := io.Copy(conn, stream) + errCh <- err + }() + + // Wait until the first error is returned by one of the connections + // we use errFwd to store the result of the port forwarding operation + // if the context is cancelled close everything and return + var errFwd error + select { + case errFwd = <-errCh: + log.G(ctx).Debugf("PortForward stop forwarding in one direction in network namespace %q port %d: %v", id, port, errFwd) + case <-ctx.Done(): + log.G(ctx).Debugf("PortForward cancelled in network namespace %q port %d: %v", id, port, ctx.Err()) + return ctx.Err() } - return nil + // give a chance to terminate gracefully or timeout + // 0.5s is the default timeout used in socat + // https://linux.die.net/man/1/socat + timeout := time.Duration(500) * time.Millisecond + select { + case e := <-errCh: + if errFwd == nil { + errFwd = e + } + log.G(ctx).Debugf("PortForward stopped forwarding in both directions in network namespace %q port %d: %v", id, port, e) + case <-time.After(timeout): + log.G(ctx).Debugf("PortForward timed out waiting to close the connection in network namespace %q port %d", id, port) + case <-ctx.Done(): + log.G(ctx).Debugf("PortForward cancelled in network namespace %q port %d: %v", id, port, ctx.Err()) + errFwd = ctx.Err() + } + + return errFwd }) + if err != nil { return errors.Wrapf(err, "failed to execute portforward in network namespace %q", netNSPath) } diff --git a/vendor/github.com/containerd/cri/pkg/server/sandbox_run_unix.go b/vendor/github.com/containerd/cri/pkg/server/sandbox_run_unix.go index 2f4fd1a54..cf460722c 100644 --- a/vendor/github.com/containerd/cri/pkg/server/sandbox_run_unix.go +++ b/vendor/github.com/containerd/cri/pkg/server/sandbox_run_unix.go @@ -161,7 +161,7 @@ func (c *criService) sandboxContainerSpecOpts(config *runtime.PodSandboxConfig, securityContext = config.GetLinux().GetSecurityContext() specOpts []oci.SpecOpts ) - seccompSpecOpts, err := generateSeccompSpecOpts( + seccompSpecOpts, err := c.generateSeccompSpecOpts( securityContext.GetSeccompProfilePath(), securityContext.GetPrivileged(), c.seccompEnabled()) diff --git a/vendor/github.com/containerd/cri/pkg/server/service_unix.go b/vendor/github.com/containerd/cri/pkg/server/service_unix.go index 920fc00e5..44f43f8c4 100644 --- a/vendor/github.com/containerd/cri/pkg/server/service_unix.go +++ b/vendor/github.com/containerd/cri/pkg/server/service_unix.go @@ -19,8 +19,8 @@ package server import ( + "github.com/containerd/containerd/sys" cni "github.com/containerd/go-cni" - runcsystem "github.com/opencontainers/runc/libcontainer/system" "github.com/opencontainers/selinux/go-selinux" "github.com/pkg/errors" "github.com/sirupsen/logrus" @@ -34,7 +34,7 @@ const networkAttachCount = 2 func (c *criService) initPlatform() error { var err error - if runcsystem.RunningInUserNS() { + if sys.RunningInUserNS() { if !(c.config.DisableCgroup && !c.apparmorEnabled() && c.config.RestrictOOMScoreAdj) { logrus.Warn("Running containerd in a user namespace typically requires disable_cgroup, disable_apparmor, restrict_oom_score_adj set to be true") } diff --git a/vendor/github.com/containerd/cri/vendor.conf b/vendor/github.com/containerd/cri/vendor.conf index dec0844e3..4f035b747 100644 --- a/vendor/github.com/containerd/cri/vendor.conf +++ b/vendor/github.com/containerd/cri/vendor.conf @@ -1,5 +1,5 @@ # cri dependencies -github.com/docker/distribution 0d3efadf0154c2b8a4e7b6621fff9809655cc580 +github.com/docker/distribution 2461543d988979529609e8cb6fca9ca190dc48da # v2.7.1 github.com/docker/docker 4634ce647cf2ce2c6031129ccd109e557244986f github.com/opencontainers/selinux 0d49ba2a6aae052c614dfe5de62a158711a6c461 # v1.5.1 github.com/tchap/go-patricia 666120de432aea38ab06bd5c818f04f4129882c9 # v2.2.6 @@ -8,17 +8,17 @@ github.com/tchap/go-patricia 666120de432aea38ab06bd5c818f github.com/beorn7/perks 37c8de3658fcb183f997c4e13e8337516ab753e6 # v1.0.1 github.com/BurntSushi/toml 3012a1dbe2e4bd1391d42b32f0577cb7bbc7f005 # v0.3.1 github.com/cespare/xxhash/v2 d7df74196a9e781ede915320c11c378c1b2f3a1f # v2.1.1 -github.com/containerd/cgroups 7347743e5d1e8500d9f27c8e748e689ed991d92b +github.com/containerd/cgroups b4448137398923af7f4918b8b2ad8249172ca7a6 github.com/containerd/console 8375c3424e4d7b114e8a90a4a40c8e1b40d1d4e6 # v1.0.0 -github.com/containerd/containerd 01310155947cb6eec37dcae29742a165e56acb4a +github.com/containerd/containerd ed261720c86d1e700cd5d39175128322baac6dda github.com/containerd/continuity 0ec596719c75bfd42908850990acea594b7593ac github.com/containerd/fifo bda0ff6ed73c67bfb5e62bc9c697f146b7fd7f13 github.com/containerd/go-runc a5c2862aed5e6358b305b0e16bfce58e0549b1cd -github.com/containerd/ttrpc 92c8520ef9f86600c650dd540266a007bf03670f # v1.0.0 -github.com/containerd/typeurl a93fcdb778cd272c6e9b3028b2f42d813e785d40 # v1.0.0 +github.com/containerd/ttrpc 72bb1b21c5b0a4a107f59dd85f6ab58e564b68d6 # v1.0.1 +github.com/containerd/typeurl cd3ce7159eae562a4f60ceff37dada11a939d247 # v1.0.1 github.com/coreos/go-systemd/v22 2d78030078ef61b3cae27f42ad6d0e46db51b339 # v22.0.0 github.com/cpuguy83/go-md2man 7762f7e404f8416dfa1d9bb6a8c192aa9acb4d19 # v1.0.10 -github.com/docker/go-events 9461782956ad83b30282bf90e31fa6a70c255ba9 +github.com/docker/go-events e31b211e4f1cd09aa76fe4ac244571fab96ae47f github.com/docker/go-metrics b619b3592b65de4f087d9f16863a7e6ff905973c # v0.0.1 github.com/docker/go-units 519db1ee28dcc9fd2474ae59fca29a810482bfb1 # v0.4.0 github.com/godbus/dbus/v5 37bf87eef99d69c4f1d3528bd66e3a87dc201472 # v5.0.3 @@ -27,23 +27,25 @@ github.com/gogo/protobuf 5628607bb4c51c3157aacc3a50f0 github.com/golang/protobuf d23c5127dc24889085f8ccea5c9d560a57a879d8 # v1.3.3 github.com/google/uuid 0cd6bf5da1e1c83f8b45653022c74f71af0538a4 # v1.1.1 github.com/grpc-ecosystem/go-grpc-prometheus c225b8c3b01faf2899099b768856a9e916e5087b # v1.2.0 +github.com/hashicorp/errwrap 8a6fb523712970c966eefc6b39ed2c5e74880354 # v1.0.0 +github.com/hashicorp/go-multierror 886a7fbe3eb1c874d46f623bfa70af45f425b3d1 # v1.0.0 github.com/hashicorp/golang-lru 7f827b33c0f158ec5dfbba01bb0b14a4541fd81d # v0.5.3 github.com/imdario/mergo 7c29201646fa3de8506f701213473dd407f19646 # v0.3.7 -github.com/konsorten/go-windows-terminal-sequences 5c8c8bd35d3832f5d134ae1e1e375b69a4d25242 # v1.0.1 +github.com/konsorten/go-windows-terminal-sequences edb144dfd453055e1e49a3d8b410a660b5a87613 # v1.0.3 github.com/matttproud/golang_protobuf_extensions c12348ce28de40eed0136aa2b644d0ee0650e56c # v1.0.1 github.com/Microsoft/go-winio 6c72808b55902eae4c5943626030429ff20f3b63 # v0.4.14 -github.com/Microsoft/hcsshim 0b571ac85d7c5842b26d2571de4868634a4c39d7 # v0.8.7-24-g0b571ac8 +github.com/Microsoft/hcsshim 5bc557dd210ff2caf615e6e22d398123de77fc11 # v0.8.9 github.com/opencontainers/go-digest c9281466c8b2f606084ac71339773efd177436e7 github.com/opencontainers/image-spec d60099175f88c47cd379c4738d158884749ed235 # v1.0.1 github.com/opencontainers/runc dc9208a3303feef5b3839f4323d9beb36df0a9dd # v1.0.0-rc10 -github.com/opencontainers/runtime-spec 29686dbc5559d93fb1ef402eeda3e35c38d75af4 # v1.0.1-59-g29686db -github.com/pkg/errors ba968bfe8b2f7e042a574c888954fccecfa385b4 # v0.8.1 +github.com/opencontainers/runtime-spec c4ee7d12c742ffe806cd9350b6af3b4b19faed6f # v1.0.2 +github.com/pkg/errors 614d223910a179a466c1767a985424175c39b465 # v0.9.1 github.com/prometheus/client_golang c42bebe5a5cddfc6b28cd639103369d8a75dfa89 # v1.3.0 github.com/prometheus/client_model d1d2010b5beead3fa1c5f271a5cf626e40b3ad6e # v0.1.0 github.com/prometheus/common 287d3e634a1e550c9e463dd7e5a75a422c614505 # v0.7.0 github.com/prometheus/procfs 6d489fc7f1d9cd890a250f3ea3431b1744b9623f # v0.0.8 github.com/russross/blackfriday 05f3235734ad95d0016f6a23902f06461fcf567a # v1.5.2 -github.com/sirupsen/logrus 8bdbc7bcc01dcbb8ec23dc8a28e332258d25251f # v1.4.1 +github.com/sirupsen/logrus 60c74ad9be0d874af0ab0daef6ab07c5c5911f0d # v1.6.0 github.com/syndtr/gocapability d98352740cb2c55f81556b63d4a1ec64c5a319c2 github.com/urfave/cli bfe2e925cfb6d44b40ad3a779165ea7e8aff9212 # v1.22.0 go.etcd.io/bbolt a0458a2b35708eef59eb5f620ceb3cd1c01a824d # v1.3.3 @@ -56,7 +58,7 @@ google.golang.org/genproto e50cd9704f63023d62cd06a1994b google.golang.org/grpc f495f5b15ae7ccda3b38c53a1bfcde4c1a58a2bc # v1.27.1 # cgroups dependencies -github.com/cilium/ebpf 60c3aa43f488292fe2ee50fb8b833b383ca8ebbb +github.com/cilium/ebpf 4032b1d8aae306b7bb94a2a11002932caf88c644 # kubernetes dependencies github.com/davecgh/go-spew 8991bc29aa16c548c550c7ff78260e27b9ab7c73 # v1.1.1 @@ -74,13 +76,13 @@ golang.org/x/oauth2 0f29369cfe4552d0e4bcddc57cc7 golang.org/x/time 9d24e82272b4f38b78bc8cff74fa936d31ccd8ef gopkg.in/inf.v0 d2d2541c53f18d2a059457998ce2876cc8e67cbf # v0.9.1 gopkg.in/yaml.v2 53403b58ad1b561927d19068c655246f2db79d48 # v2.2.8 -k8s.io/api d2dce8e1788e4be2be3a62b6439b3eaa087df0df # v0.18.0 -k8s.io/apimachinery 105e0c6d63f10531ed07f3b5a2195771a0fa444b # v0.18.0 -k8s.io/apiserver 5c8e895629a454efd75a453d1dea5b8142db0013 # v0.18.0 -k8s.io/client-go 0b19784585bd0a0ee5509855829ead81feaa2bdc # v0.18.0 -k8s.io/cri-api 3d1680d8d202aa12c5dc5689170c3c03a488d35b # v0.18.0 +k8s.io/api a9db9afcc0e93a2a30a381bbd92c1d40ccc72b24 # v0.18.2 +k8s.io/apimachinery ab1231685bfe66237a116092641da00923cc00ca # v0.18.2 +k8s.io/apiserver de7df530d0c1046048acda2312486694046bfc6c # v0.18.2 +k8s.io/client-go 6b7c68377979c821b73d98d1bd4c5a466034f491 # v0.18.2 +k8s.io/cri-api 3d1680d8d202aa12c5dc5689170c3c03a488d35b # v0.18.2 k8s.io/klog 2ca9ad30301bf30a8a6e0fa2110db6b8df699a91 # v1.0.0 -k8s.io/kubernetes 9e991415386e4cf155a24b1da15becaa390438d8 # v1.18.0 +k8s.io/kubernetes 52c56ce7a8272c798dbc29846288d7cd9fbae032 # v1.18.2 k8s.io/utils a9aa75ae1b89e1b992c33383f48e942d97e52dae sigs.k8s.io/structured-merge-diff/v3 877aee05330847a873a1a8998b40e12a1e0fde25 # v3.0.0 sigs.k8s.io/yaml 9fc95527decd95bb9d28cc2eab08179b2d0f6971 # v1.2.0 diff --git a/vendor/github.com/opencontainers/runc/libcontainer/system/linux.go b/vendor/github.com/opencontainers/runc/libcontainer/system/linux.go deleted file mode 100644 index a4ae8901a..000000000 --- a/vendor/github.com/opencontainers/runc/libcontainer/system/linux.go +++ /dev/null @@ -1,155 +0,0 @@ -// +build linux - -package system - -import ( - "os" - "os/exec" - "syscall" // only for exec - "unsafe" - - "github.com/opencontainers/runc/libcontainer/user" - "golang.org/x/sys/unix" -) - -// If arg2 is nonzero, set the "child subreaper" attribute of the -// calling process; if arg2 is zero, unset the attribute. When a -// process is marked as a child subreaper, all of the children -// that it creates, and their descendants, will be marked as -// having a subreaper. In effect, a subreaper fulfills the role -// of init(1) for its descendant processes. Upon termination of -// a process that is orphaned (i.e., its immediate parent has -// already terminated) and marked as having a subreaper, the -// nearest still living ancestor subreaper will receive a SIGCHLD -// signal and be able to wait(2) on the process to discover its -// termination status. -const PR_SET_CHILD_SUBREAPER = 36 - -type ParentDeathSignal int - -func (p ParentDeathSignal) Restore() error { - if p == 0 { - return nil - } - current, err := GetParentDeathSignal() - if err != nil { - return err - } - if p == current { - return nil - } - return p.Set() -} - -func (p ParentDeathSignal) Set() error { - return SetParentDeathSignal(uintptr(p)) -} - -func Execv(cmd string, args []string, env []string) error { - name, err := exec.LookPath(cmd) - if err != nil { - return err - } - - return syscall.Exec(name, args, env) -} - -func Prlimit(pid, resource int, limit unix.Rlimit) error { - _, _, err := unix.RawSyscall6(unix.SYS_PRLIMIT64, uintptr(pid), uintptr(resource), uintptr(unsafe.Pointer(&limit)), uintptr(unsafe.Pointer(&limit)), 0, 0) - if err != 0 { - return err - } - return nil -} - -func SetParentDeathSignal(sig uintptr) error { - if err := unix.Prctl(unix.PR_SET_PDEATHSIG, sig, 0, 0, 0); err != nil { - return err - } - return nil -} - -func GetParentDeathSignal() (ParentDeathSignal, error) { - var sig int - if err := unix.Prctl(unix.PR_GET_PDEATHSIG, uintptr(unsafe.Pointer(&sig)), 0, 0, 0); err != nil { - return -1, err - } - return ParentDeathSignal(sig), nil -} - -func SetKeepCaps() error { - if err := unix.Prctl(unix.PR_SET_KEEPCAPS, 1, 0, 0, 0); err != nil { - return err - } - - return nil -} - -func ClearKeepCaps() error { - if err := unix.Prctl(unix.PR_SET_KEEPCAPS, 0, 0, 0, 0); err != nil { - return err - } - - return nil -} - -func Setctty() error { - if err := unix.IoctlSetInt(0, unix.TIOCSCTTY, 0); err != nil { - return err - } - return nil -} - -// RunningInUserNS detects whether we are currently running in a user namespace. -// Originally copied from github.com/lxc/lxd/shared/util.go -func RunningInUserNS() bool { - uidmap, err := user.CurrentProcessUIDMap() - if err != nil { - // This kernel-provided file only exists if user namespaces are supported - return false - } - return UIDMapInUserNS(uidmap) -} - -func UIDMapInUserNS(uidmap []user.IDMap) bool { - /* - * We assume we are in the initial user namespace if we have a full - * range - 4294967295 uids starting at uid 0. - */ - if len(uidmap) == 1 && uidmap[0].ID == 0 && uidmap[0].ParentID == 0 && uidmap[0].Count == 4294967295 { - return false - } - return true -} - -// GetParentNSeuid returns the euid within the parent user namespace -func GetParentNSeuid() int64 { - euid := int64(os.Geteuid()) - uidmap, err := user.CurrentProcessUIDMap() - if err != nil { - // This kernel-provided file only exists if user namespaces are supported - return euid - } - for _, um := range uidmap { - if um.ID <= euid && euid <= um.ID+um.Count-1 { - return um.ParentID + euid - um.ID - } - } - return euid -} - -// SetSubreaper sets the value i as the subreaper setting for the calling process -func SetSubreaper(i int) error { - return unix.Prctl(PR_SET_CHILD_SUBREAPER, uintptr(i), 0, 0, 0) -} - -// GetSubreaper returns the subreaper setting for the calling process -func GetSubreaper() (int, error) { - var i uintptr - - if err := unix.Prctl(unix.PR_GET_CHILD_SUBREAPER, uintptr(unsafe.Pointer(&i)), 0, 0, 0); err != nil { - return -1, err - } - - return int(i), nil -} diff --git a/vendor/github.com/opencontainers/runc/libcontainer/system/proc.go b/vendor/github.com/opencontainers/runc/libcontainer/system/proc.go deleted file mode 100644 index 79232a437..000000000 --- a/vendor/github.com/opencontainers/runc/libcontainer/system/proc.go +++ /dev/null @@ -1,113 +0,0 @@ -package system - -import ( - "fmt" - "io/ioutil" - "path/filepath" - "strconv" - "strings" -) - -// State is the status of a process. -type State rune - -const ( // Only values for Linux 3.14 and later are listed here - Dead State = 'X' - DiskSleep State = 'D' - Running State = 'R' - Sleeping State = 'S' - Stopped State = 'T' - TracingStop State = 't' - Zombie State = 'Z' -) - -// String forms of the state from proc(5)'s documentation for -// /proc/[pid]/status' "State" field. -func (s State) String() string { - switch s { - case Dead: - return "dead" - case DiskSleep: - return "disk sleep" - case Running: - return "running" - case Sleeping: - return "sleeping" - case Stopped: - return "stopped" - case TracingStop: - return "tracing stop" - case Zombie: - return "zombie" - default: - return fmt.Sprintf("unknown (%c)", s) - } -} - -// Stat_t represents the information from /proc/[pid]/stat, as -// described in proc(5) with names based on the /proc/[pid]/status -// fields. -type Stat_t struct { - // PID is the process ID. - PID uint - - // Name is the command run by the process. - Name string - - // State is the state of the process. - State State - - // StartTime is the number of clock ticks after system boot (since - // Linux 2.6). - StartTime uint64 -} - -// Stat returns a Stat_t instance for the specified process. -func Stat(pid int) (stat Stat_t, err error) { - bytes, err := ioutil.ReadFile(filepath.Join("/proc", strconv.Itoa(pid), "stat")) - if err != nil { - return stat, err - } - return parseStat(string(bytes)) -} - -// GetProcessStartTime is deprecated. Use Stat(pid) and -// Stat_t.StartTime instead. -func GetProcessStartTime(pid int) (string, error) { - stat, err := Stat(pid) - if err != nil { - return "", err - } - return fmt.Sprintf("%d", stat.StartTime), nil -} - -func parseStat(data string) (stat Stat_t, err error) { - // From proc(5), field 2 could contain space and is inside `(` and `)`. - // The following is an example: - // 89653 (gunicorn: maste) S 89630 89653 89653 0 -1 4194560 29689 28896 0 3 146 32 76 19 20 0 1 0 2971844 52965376 3920 18446744073709551615 1 1 0 0 0 0 0 16781312 137447943 0 0 0 17 1 0 0 0 0 0 0 0 0 0 0 0 0 0 - i := strings.LastIndex(data, ")") - if i <= 2 || i >= len(data)-1 { - return stat, fmt.Errorf("invalid stat data: %q", data) - } - - parts := strings.SplitN(data[:i], "(", 2) - if len(parts) != 2 { - return stat, fmt.Errorf("invalid stat data: %q", data) - } - - stat.Name = parts[1] - _, err = fmt.Sscanf(parts[0], "%d", &stat.PID) - if err != nil { - return stat, err - } - - // parts indexes should be offset by 3 from the field number given - // proc(5), because parts is zero-indexed and we've removed fields - // one (PID) and two (Name) in the paren-split. - parts = strings.Split(data[i+2:], " ") - var state int - fmt.Sscanf(parts[3-3], "%c", &state) - stat.State = State(state) - fmt.Sscanf(parts[22-3], "%d", &stat.StartTime) - return stat, nil -} diff --git a/vendor/github.com/opencontainers/runc/libcontainer/system/syscall_linux_32.go b/vendor/github.com/opencontainers/runc/libcontainer/system/syscall_linux_32.go deleted file mode 100644 index c5ca5d862..000000000 --- a/vendor/github.com/opencontainers/runc/libcontainer/system/syscall_linux_32.go +++ /dev/null @@ -1,26 +0,0 @@ -// +build linux -// +build 386 arm - -package system - -import ( - "golang.org/x/sys/unix" -) - -// Setuid sets the uid of the calling thread to the specified uid. -func Setuid(uid int) (err error) { - _, _, e1 := unix.RawSyscall(unix.SYS_SETUID32, uintptr(uid), 0, 0) - if e1 != 0 { - err = e1 - } - return -} - -// Setgid sets the gid of the calling thread to the specified gid. -func Setgid(gid int) (err error) { - _, _, e1 := unix.RawSyscall(unix.SYS_SETGID32, uintptr(gid), 0, 0) - if e1 != 0 { - err = e1 - } - return -} diff --git a/vendor/github.com/opencontainers/runc/libcontainer/system/syscall_linux_64.go b/vendor/github.com/opencontainers/runc/libcontainer/system/syscall_linux_64.go deleted file mode 100644 index e05e30adc..000000000 --- a/vendor/github.com/opencontainers/runc/libcontainer/system/syscall_linux_64.go +++ /dev/null @@ -1,26 +0,0 @@ -// +build linux -// +build arm64 amd64 mips mipsle mips64 mips64le ppc ppc64 ppc64le riscv64 s390x - -package system - -import ( - "golang.org/x/sys/unix" -) - -// Setuid sets the uid of the calling thread to the specified uid. -func Setuid(uid int) (err error) { - _, _, e1 := unix.RawSyscall(unix.SYS_SETUID, uintptr(uid), 0, 0) - if e1 != 0 { - err = e1 - } - return -} - -// Setgid sets the gid of the calling thread to the specified gid. -func Setgid(gid int) (err error) { - _, _, e1 := unix.RawSyscall(unix.SYS_SETGID, uintptr(gid), 0, 0) - if e1 != 0 { - err = e1 - } - return -} diff --git a/vendor/github.com/opencontainers/runc/libcontainer/system/sysconfig.go b/vendor/github.com/opencontainers/runc/libcontainer/system/sysconfig.go deleted file mode 100644 index b8434f105..000000000 --- a/vendor/github.com/opencontainers/runc/libcontainer/system/sysconfig.go +++ /dev/null @@ -1,12 +0,0 @@ -// +build cgo,linux - -package system - -/* -#include -*/ -import "C" - -func GetClockTicks() int { - return int(C.sysconf(C._SC_CLK_TCK)) -} diff --git a/vendor/github.com/opencontainers/runc/libcontainer/system/sysconfig_notcgo.go b/vendor/github.com/opencontainers/runc/libcontainer/system/sysconfig_notcgo.go deleted file mode 100644 index d93b5d5fd..000000000 --- a/vendor/github.com/opencontainers/runc/libcontainer/system/sysconfig_notcgo.go +++ /dev/null @@ -1,15 +0,0 @@ -// +build !cgo windows - -package system - -func GetClockTicks() int { - // TODO figure out a better alternative for platforms where we're missing cgo - // - // TODO Windows. This could be implemented using Win32 QueryPerformanceFrequency(). - // https://msdn.microsoft.com/en-us/library/windows/desktop/ms644905(v=vs.85).aspx - // - // An example of its usage can be found here. - // https://msdn.microsoft.com/en-us/library/windows/desktop/dn553408(v=vs.85).aspx - - return 100 -} diff --git a/vendor/github.com/opencontainers/runc/libcontainer/system/unsupported.go b/vendor/github.com/opencontainers/runc/libcontainer/system/unsupported.go deleted file mode 100644 index b94be74a6..000000000 --- a/vendor/github.com/opencontainers/runc/libcontainer/system/unsupported.go +++ /dev/null @@ -1,27 +0,0 @@ -// +build !linux - -package system - -import ( - "os" - - "github.com/opencontainers/runc/libcontainer/user" -) - -// RunningInUserNS is a stub for non-Linux systems -// Always returns false -func RunningInUserNS() bool { - return false -} - -// UIDMapInUserNS is a stub for non-Linux systems -// Always returns false -func UIDMapInUserNS(uidmap []user.IDMap) bool { - return false -} - -// GetParentNSeuid returns the euid within the parent user namespace -// Always returns os.Geteuid on non-linux -func GetParentNSeuid() int { - return os.Geteuid() -} diff --git a/vendor/github.com/opencontainers/runc/libcontainer/system/xattrs_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/system/xattrs_linux.go deleted file mode 100644 index a6823fc99..000000000 --- a/vendor/github.com/opencontainers/runc/libcontainer/system/xattrs_linux.go +++ /dev/null @@ -1,35 +0,0 @@ -package system - -import "golang.org/x/sys/unix" - -// Returns a []byte slice if the xattr is set and nil otherwise -// Requires path and its attribute as arguments -func Lgetxattr(path string, attr string) ([]byte, error) { - var sz int - // Start with a 128 length byte array - dest := make([]byte, 128) - sz, errno := unix.Lgetxattr(path, attr, dest) - - switch { - case errno == unix.ENODATA: - return nil, errno - case errno == unix.ENOTSUP: - return nil, errno - case errno == unix.ERANGE: - // 128 byte array might just not be good enough, - // A dummy buffer is used to get the real size - // of the xattrs on disk - sz, errno = unix.Lgetxattr(path, attr, []byte{}) - if errno != nil { - return nil, errno - } - dest = make([]byte, sz) - sz, errno = unix.Lgetxattr(path, attr, dest) - if errno != nil { - return nil, errno - } - case errno != nil: - return nil, errno - } - return dest[:sz], nil -}