vendor: update containerd/cri to current master

- Remove dependency on libcontainer/system - Get rid of socat for port forwarding - Roll docker/distribution back to latest (v2.7.1) release Now that 901bcb2231 was merged in containerd, we no longer depend on the ParseDockerRef utility from docker/distribution, so we can safely roll back to the latest release for this dependency. - vendor: kubernetes v1.18.2 Fix client watch reestablishment handling of client-side timeouts - Add config flag to default empty seccomp profile Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-05-10 12:57:06 +02:00 · 2020-05-10 12:57:06 +02:00 · 2c77dc63a4
commit 2c77dc63a4
parent a4f8be1d43
19 changed files with 97 additions and 490 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -311,8 +311,7 @@ jobs:
            libnl-3-dev \
            libnet-dev \
            libcap-dev \
-            python-future \
+            python-future
            socat
          wget https://github.com/checkpoint-restore/criu/archive/v3.13.tar.gz -O criu.tar.gz
          tar -zxf criu.tar.gz
          cd criu-3.13
--- a/.travis.yml
+++ b/.travis.yml
@ -46,7 +46,6 @@ addons:
      - libaio-dev
      - libprotobuf-c-dev
      - libprotobuf-dev
      - socat
 before_install:
  - uname -r
--- a/vendor.conf
+++ b/vendor.conf
@ -56,7 +56,7 @@ gotest.tools/v3                                     v3.0.2
 github.com/cilium/ebpf                              4032b1d8aae306b7bb94a2a11002932caf88c644
 # cri dependencies
-github.com/containerd/cri                           65830369b6b2b4edc454bf5cebbd9b76c1c1ac66 # master
+github.com/containerd/cri                           8252e54f936b85b58799600edcb98987a8665300 # master
 github.com/davecgh/go-spew                          v1.1.1
 github.com/docker/distribution                      v2.7.1
 github.com/docker/docker                            4634ce647cf2ce2c6031129ccd109e557244986f
--- a/vendor/github.com/containerd/cri/README.md
+++ b/vendor/github.com/containerd/cri/README.md
@ -77,11 +77,10 @@ specifications as appropriate.
 (Fedora, CentOS, RHEL). On releases of Ubuntu <=Trusty and Debian <=jessie a
 backport version of `libseccomp-dev` is required. See [travis.yml](.travis.yml) for an example on trusty.
 * **btrfs development library.** Required by containerd btrfs support. `btrfs-tools`(Ubuntu, Debian) / `btrfs-progs-devel`(Fedora, CentOS, RHEL)
-2. Install **`socat`** (required by portforward).
+2. Install **`pkg-config`** (required for linking with `libseccomp`).
-3. Install **`pkg-config`** (required for linking with `libseccomp`).
+3. Install and setup a Go 1.13.10 development environment.
-4. Install and setup a Go 1.13.10 development environment.
+4. Make a local clone of this repository.
-5. Make a local clone of this repository.
+5. Install binary dependencies by running the following command from your cloned `cri/` project directory:
 6. Install binary dependencies by running the following command from your cloned `cri/` project directory:
 ```bash
 # Note: install.deps installs the above mentioned runc, containerd, and CNI
 # binary dependencies. install.deps is only provided for general use and ease of
--- a/vendor/github.com/containerd/cri/pkg/config/config.go
+++ b/vendor/github.com/containerd/cri/pkg/config/config.go
@ -225,6 +225,9 @@ type PluginConfig struct {
 	// DisableProcMount disables Kubernetes ProcMount support. This MUST be set to `true`
 	// when using containerd with Kubernetes <=1.11.
 	DisableProcMount bool `toml:"disable_proc_mount" json:"disableProcMount"`
 	// UnsetSeccompProfile is the profile containerd/cri will use If the provided seccomp profile is
 	// unset (`""`) for a container (default is `unconfined`)
 	UnsetSeccompProfile string `toml:"unset_seccomp_profile" json:"unsetSeccompProfile"`
 }
 // X509KeyPairStreaming contains the x509 configuration for streaming
--- a/vendor/github.com/containerd/cri/pkg/server/container_create_unix.go
+++ b/vendor/github.com/containerd/cri/pkg/server/container_create_unix.go
@ -286,7 +286,7 @@ func (c *criService) containerSpecOpts(config *runtime.ContainerConfig, imageCon
 		specOpts = append(specOpts, apparmorSpecOpts)
 	}
-	seccompSpecOpts, err := generateSeccompSpecOpts(
+	seccompSpecOpts, err := c.generateSeccompSpecOpts(
 		securityContext.GetSeccompProfilePath(),
 		securityContext.GetPrivileged(),
 		c.seccompEnabled())
@ -300,11 +300,14 @@ func (c *criService) containerSpecOpts(config *runtime.ContainerConfig, imageCon
 }
 // generateSeccompSpecOpts generates containerd SpecOpts for seccomp.
-func generateSeccompSpecOpts(seccompProf string, privileged, seccompEnabled bool) (oci.SpecOpts, error) {
+func (c *criService) generateSeccompSpecOpts(seccompProf string, privileged, seccompEnabled bool) (oci.SpecOpts, error) {
 	if privileged {
 		// Do not set seccomp profile when container is privileged
 		return nil, nil
 	}
 	if seccompProf == "" {
 		seccompProf = c.config.UnsetSeccompProfile
 	}
 	// Set seccomp profile
 	if seccompProf == runtimeDefault || seccompProf == dockerDefault {
 		// use correct default profile (Eg. if not configured otherwise, the default is docker/default)
--- a/vendor/github.com/containerd/cri/pkg/server/image_pull.go
+++ b/vendor/github.com/containerd/cri/pkg/server/image_pull.go
@ -324,10 +324,6 @@ func (c *criService) registryHosts(auth *runtime.AuthConfig) docker.RegistryHost
 				config    = c.config.Registry.Configs[u.Host]
 			)
 			if u.Scheme != "https" && config.TLS != nil {
 				return nil, errors.Errorf("tls provided for http endpoint %q", e)
 			}
 			if config.TLS != nil {
 				transport.TLSClientConfig, err = c.getTLSConfig(*config.TLS)
 				if err != nil {
@ -425,9 +421,9 @@ func newTransport() *http.Transport {
 	return &http.Transport{
 		Proxy: http.ProxyFromEnvironment,
 		DialContext: (&net.Dialer{
-			Timeout:   30 * time.Second,
+			Timeout:       30 * time.Second,
-			KeepAlive: 30 * time.Second,
+			KeepAlive:     30 * time.Second,
-			DualStack: true,
+			FallbackDelay: 300 * time.Millisecond,
 		}).DialContext,
 		MaxIdleConns:          10,
 		IdleConnTimeout:       30 * time.Second,
--- a/vendor/github.com/containerd/cri/pkg/server/sandbox_portforward_unix.go
+++ b/vendor/github.com/containerd/cri/pkg/server/sandbox_portforward_unix.go
@ -19,28 +19,27 @@
 package server
 import (
 	"bytes"
 	"fmt"
 	"io"
-	"os/exec"
+	"net"
-	"strings"
+	"time"
 	"github.com/containerd/containerd/log"
 	"github.com/containernetworking/plugins/pkg/ns"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/net/context"
 	runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
 )
-// portForward requires `socat` on the node. It uses netns to enter the sandbox namespace,
+// portForward uses netns to enter the sandbox namespace, and forwards a stream inside the
-// and run `socat` inside the namespace to forward stream for a specific port. The `socat`
+// the namespace to a specific port. It keeps forwarding until it exits or client disconnect.
-// command keeps running until it exits or client disconnect.
+func (c *criService) portForward(ctx context.Context, id string, port int32, stream io.ReadWriteCloser) error {
 func (c *criService) portForward(ctx context.Context, id string, port int32, stream io.ReadWriter) error {
 	s, err := c.sandboxStore.Get(id)
 	if err != nil {
 		return errors.Wrapf(err, "failed to find sandbox %q in store", id)
 	}
 	var netNSDo func(func(ns.NetNS) error) error
 	// netNSPath is the network namespace path for logging.
 	var netNSPath string
@ -62,48 +61,64 @@ func (c *criService) portForward(ctx context.Context, id string, port int32, str
 		netNSPath = "host"
 	}
-	socat, err := exec.LookPath("socat")
+	log.G(ctx).Infof("Executing port forwarding in network namespace %q", netNSPath)
 	if err != nil {
 		return errors.Wrap(err, "failed to find socat")
 	}
 	// Check https://linux.die.net/man/1/socat for meaning of the options.
 	args := []string{socat, "-", fmt.Sprintf("TCP4:localhost:%d", port)}
 	log.G(ctx).Infof("Executing port forwarding command %q in network namespace %q", strings.Join(args, " "), netNSPath)
 	err = netNSDo(func(_ ns.NetNS) error {
-		cmd := exec.Command(args[0], args[1:]...)
+		defer stream.Close()
-		cmd.Stdout = stream
+		// TODO: hardcoded to tcp4 because localhost resolves to ::1 by default if the system has IPv6 enabled.
-
+		// Theoretically happy eyeballs will try IPv6 first and fallback to IPv4
-		stderr := new(bytes.Buffer)
+		// but resolving localhost doesn't seem to return and IPv4 address, thus failing the connection.
-		cmd.Stderr = stderr
+		conn, err := net.Dial("tcp4", fmt.Sprintf("localhost:%d", port))
 		// If we use Stdin, command.Run() won't return until the goroutine that's copying
 		// from stream finishes. Unfortunately, if you have a client like telnet connected
 		// via port forwarding, as long as the user's telnet client is connected to the user's
 		// local listener that port forwarding sets up, the telnet session never exits. This
 		// means that even if socat has finished running, command.Run() won't ever return
 		// (because the client still has the connection and stream open).
 		//
 		// The work around is to use StdinPipe(), as Wait() (called by Run()) closes the pipe
 		// when the command (socat) exits.
 		in, err := cmd.StdinPipe()
 		if err != nil {
-			return errors.Wrap(err, "failed to create stdin pipe")
+			return errors.Wrapf(err, "failed to dial %d", port)
 		}
 		defer conn.Close()
 		errCh := make(chan error, 2)
 		// Copy from the the namespace port connection to the client stream
 		go func() {
-			if _, err := io.Copy(in, stream); err != nil {
+			log.G(ctx).Debugf("PortForward copying data from namespace %q port %d to the client stream", id, port)
-				logrus.WithError(err).Errorf("Failed to copy port forward input for %q port %d", id, port)
+			_, err := io.Copy(stream, conn)
-			}
+			errCh <- err
 			in.Close()
 			logrus.Debugf("Finish copying port forward input for %q port %d", id, port)
 		}()
-		if err := cmd.Run(); err != nil {
+		// Copy from the client stream to the namespace port connection
-			return errors.Errorf("socat command returns error: %v, stderr: %q", err, stderr.String())
+		go func() {
 			log.G(ctx).Debugf("PortForward copying data from client stream to namespace %q port %d", id, port)
 			_, err := io.Copy(conn, stream)
 			errCh <- err
 		}()
 		// Wait until the first error is returned by one of the connections
 		// we use errFwd to store the result of the port forwarding operation
 		// if the context is cancelled close everything and return
 		var errFwd error
 		select {
 		case errFwd = <-errCh:
 			log.G(ctx).Debugf("PortForward stop forwarding in one direction in network namespace %q port %d: %v", id, port, errFwd)
 		case <-ctx.Done():
 			log.G(ctx).Debugf("PortForward cancelled in network namespace %q port %d: %v", id, port, ctx.Err())
 			return ctx.Err()
 		}
-		return nil
+		// give a chance to terminate gracefully or timeout
 		// 0.5s is the default timeout used in socat
 		// https://linux.die.net/man/1/socat
 		timeout := time.Duration(500) * time.Millisecond
 		select {
 		case e := <-errCh:
 			if errFwd == nil {
 				errFwd = e
 			}
 			log.G(ctx).Debugf("PortForward stopped forwarding in both directions in network namespace %q port %d: %v", id, port, e)
 		case <-time.After(timeout):
 			log.G(ctx).Debugf("PortForward timed out waiting to close the connection in network namespace %q port %d", id, port)
 		case <-ctx.Done():
 			log.G(ctx).Debugf("PortForward cancelled in network namespace %q port %d: %v", id, port, ctx.Err())
 			errFwd = ctx.Err()
 		}
 		return errFwd
 	})
 	if err != nil {
 		return errors.Wrapf(err, "failed to execute portforward in network namespace %q", netNSPath)
 	}
--- a/vendor/github.com/containerd/cri/pkg/server/sandbox_run_unix.go
+++ b/vendor/github.com/containerd/cri/pkg/server/sandbox_run_unix.go
@ -161,7 +161,7 @@ func (c *criService) sandboxContainerSpecOpts(config *runtime.PodSandboxConfig,
 		securityContext = config.GetLinux().GetSecurityContext()
 		specOpts        []oci.SpecOpts
 	)
-	seccompSpecOpts, err := generateSeccompSpecOpts(
+	seccompSpecOpts, err := c.generateSeccompSpecOpts(
 		securityContext.GetSeccompProfilePath(),
 		securityContext.GetPrivileged(),
 		c.seccompEnabled())
--- a/vendor/github.com/containerd/cri/pkg/server/service_unix.go
+++ b/vendor/github.com/containerd/cri/pkg/server/service_unix.go
@ -19,8 +19,8 @@
 package server
 import (
 	"github.com/containerd/containerd/sys"
 	cni "github.com/containerd/go-cni"
 	runcsystem "github.com/opencontainers/runc/libcontainer/system"
 	"github.com/opencontainers/selinux/go-selinux"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@ -34,7 +34,7 @@ const networkAttachCount = 2
 func (c *criService) initPlatform() error {
 	var err error
-	if runcsystem.RunningInUserNS() {
+	if sys.RunningInUserNS() {
 		if !(c.config.DisableCgroup && !c.apparmorEnabled() && c.config.RestrictOOMScoreAdj) {
 			logrus.Warn("Running containerd in a user namespace typically requires disable_cgroup, disable_apparmor, restrict_oom_score_adj set to be true")
 		}
--- a/vendor/github.com/containerd/cri/vendor.conf
+++ b/vendor/github.com/containerd/cri/vendor.conf
@ -1,5 +1,5 @@
 # cri dependencies
-github.com/docker/distribution                      0d3efadf0154c2b8a4e7b6621fff9809655cc580
+github.com/docker/distribution                      2461543d988979529609e8cb6fca9ca190dc48da # v2.7.1
 github.com/docker/docker                            4634ce647cf2ce2c6031129ccd109e557244986f
 github.com/opencontainers/selinux                   0d49ba2a6aae052c614dfe5de62a158711a6c461 # v1.5.1
 github.com/tchap/go-patricia                        666120de432aea38ab06bd5c818f04f4129882c9 # v2.2.6
@ -8,17 +8,17 @@ github.com/tchap/go-patricia                        666120de432aea38ab06bd5c818f
 github.com/beorn7/perks                             37c8de3658fcb183f997c4e13e8337516ab753e6 # v1.0.1
 github.com/BurntSushi/toml                          3012a1dbe2e4bd1391d42b32f0577cb7bbc7f005 # v0.3.1
 github.com/cespare/xxhash/v2                        d7df74196a9e781ede915320c11c378c1b2f3a1f # v2.1.1
-github.com/containerd/cgroups                       7347743e5d1e8500d9f27c8e748e689ed991d92b
+github.com/containerd/cgroups                       b4448137398923af7f4918b8b2ad8249172ca7a6
 github.com/containerd/console                       8375c3424e4d7b114e8a90a4a40c8e1b40d1d4e6 # v1.0.0
-github.com/containerd/containerd                    01310155947cb6eec37dcae29742a165e56acb4a
+github.com/containerd/containerd                    ed261720c86d1e700cd5d39175128322baac6dda
 github.com/containerd/continuity                    0ec596719c75bfd42908850990acea594b7593ac
 github.com/containerd/fifo                          bda0ff6ed73c67bfb5e62bc9c697f146b7fd7f13
 github.com/containerd/go-runc                       a5c2862aed5e6358b305b0e16bfce58e0549b1cd
-github.com/containerd/ttrpc                         92c8520ef9f86600c650dd540266a007bf03670f # v1.0.0
+github.com/containerd/ttrpc                         72bb1b21c5b0a4a107f59dd85f6ab58e564b68d6 # v1.0.1
-github.com/containerd/typeurl                       a93fcdb778cd272c6e9b3028b2f42d813e785d40 # v1.0.0
+github.com/containerd/typeurl                       cd3ce7159eae562a4f60ceff37dada11a939d247 # v1.0.1
 github.com/coreos/go-systemd/v22                    2d78030078ef61b3cae27f42ad6d0e46db51b339 # v22.0.0
 github.com/cpuguy83/go-md2man                       7762f7e404f8416dfa1d9bb6a8c192aa9acb4d19 # v1.0.10
-github.com/docker/go-events                         9461782956ad83b30282bf90e31fa6a70c255ba9
+github.com/docker/go-events                         e31b211e4f1cd09aa76fe4ac244571fab96ae47f
 github.com/docker/go-metrics                        b619b3592b65de4f087d9f16863a7e6ff905973c # v0.0.1
 github.com/docker/go-units                          519db1ee28dcc9fd2474ae59fca29a810482bfb1 # v0.4.0
 github.com/godbus/dbus/v5                           37bf87eef99d69c4f1d3528bd66e3a87dc201472 # v5.0.3
@ -27,23 +27,25 @@ github.com/gogo/protobuf                            5628607bb4c51c3157aacc3a50f0
 github.com/golang/protobuf                          d23c5127dc24889085f8ccea5c9d560a57a879d8 # v1.3.3
 github.com/google/uuid                              0cd6bf5da1e1c83f8b45653022c74f71af0538a4 # v1.1.1
 github.com/grpc-ecosystem/go-grpc-prometheus        c225b8c3b01faf2899099b768856a9e916e5087b # v1.2.0
 github.com/hashicorp/errwrap                        8a6fb523712970c966eefc6b39ed2c5e74880354 # v1.0.0
 github.com/hashicorp/go-multierror                  886a7fbe3eb1c874d46f623bfa70af45f425b3d1 # v1.0.0
 github.com/hashicorp/golang-lru                     7f827b33c0f158ec5dfbba01bb0b14a4541fd81d # v0.5.3
 github.com/imdario/mergo                            7c29201646fa3de8506f701213473dd407f19646 # v0.3.7
-github.com/konsorten/go-windows-terminal-sequences  5c8c8bd35d3832f5d134ae1e1e375b69a4d25242 # v1.0.1
+github.com/konsorten/go-windows-terminal-sequences  edb144dfd453055e1e49a3d8b410a660b5a87613 # v1.0.3
 github.com/matttproud/golang_protobuf_extensions    c12348ce28de40eed0136aa2b644d0ee0650e56c # v1.0.1
 github.com/Microsoft/go-winio                       6c72808b55902eae4c5943626030429ff20f3b63 # v0.4.14
-github.com/Microsoft/hcsshim                        0b571ac85d7c5842b26d2571de4868634a4c39d7 # v0.8.7-24-g0b571ac8
+github.com/Microsoft/hcsshim                        5bc557dd210ff2caf615e6e22d398123de77fc11 # v0.8.9
 github.com/opencontainers/go-digest                 c9281466c8b2f606084ac71339773efd177436e7
 github.com/opencontainers/image-spec                d60099175f88c47cd379c4738d158884749ed235 # v1.0.1
 github.com/opencontainers/runc                      dc9208a3303feef5b3839f4323d9beb36df0a9dd # v1.0.0-rc10
-github.com/opencontainers/runtime-spec              29686dbc5559d93fb1ef402eeda3e35c38d75af4 # v1.0.1-59-g29686db
+github.com/opencontainers/runtime-spec              c4ee7d12c742ffe806cd9350b6af3b4b19faed6f # v1.0.2
-github.com/pkg/errors                               ba968bfe8b2f7e042a574c888954fccecfa385b4 # v0.8.1
+github.com/pkg/errors                               614d223910a179a466c1767a985424175c39b465 # v0.9.1
 github.com/prometheus/client_golang                 c42bebe5a5cddfc6b28cd639103369d8a75dfa89 # v1.3.0
 github.com/prometheus/client_model                  d1d2010b5beead3fa1c5f271a5cf626e40b3ad6e # v0.1.0
 github.com/prometheus/common                        287d3e634a1e550c9e463dd7e5a75a422c614505 # v0.7.0
 github.com/prometheus/procfs                        6d489fc7f1d9cd890a250f3ea3431b1744b9623f # v0.0.8
 github.com/russross/blackfriday                     05f3235734ad95d0016f6a23902f06461fcf567a # v1.5.2
-github.com/sirupsen/logrus                          8bdbc7bcc01dcbb8ec23dc8a28e332258d25251f # v1.4.1
+github.com/sirupsen/logrus                          60c74ad9be0d874af0ab0daef6ab07c5c5911f0d # v1.6.0
 github.com/syndtr/gocapability                      d98352740cb2c55f81556b63d4a1ec64c5a319c2
 github.com/urfave/cli                               bfe2e925cfb6d44b40ad3a779165ea7e8aff9212 # v1.22.0
 go.etcd.io/bbolt                                    a0458a2b35708eef59eb5f620ceb3cd1c01a824d # v1.3.3
@ -56,7 +58,7 @@ google.golang.org/genproto                          e50cd9704f63023d62cd06a1994b
 google.golang.org/grpc                              f495f5b15ae7ccda3b38c53a1bfcde4c1a58a2bc # v1.27.1
 # cgroups dependencies
-github.com/cilium/ebpf                              60c3aa43f488292fe2ee50fb8b833b383ca8ebbb
+github.com/cilium/ebpf                              4032b1d8aae306b7bb94a2a11002932caf88c644
 # kubernetes dependencies
 github.com/davecgh/go-spew                          8991bc29aa16c548c550c7ff78260e27b9ab7c73 # v1.1.1
@ -74,13 +76,13 @@ golang.org/x/oauth2                                 0f29369cfe4552d0e4bcddc57cc7
 golang.org/x/time                                   9d24e82272b4f38b78bc8cff74fa936d31ccd8ef
 gopkg.in/inf.v0                                     d2d2541c53f18d2a059457998ce2876cc8e67cbf # v0.9.1
 gopkg.in/yaml.v2                                    53403b58ad1b561927d19068c655246f2db79d48 # v2.2.8
-k8s.io/api                                          d2dce8e1788e4be2be3a62b6439b3eaa087df0df # v0.18.0
+k8s.io/api                                          a9db9afcc0e93a2a30a381bbd92c1d40ccc72b24 # v0.18.2
-k8s.io/apimachinery                                 105e0c6d63f10531ed07f3b5a2195771a0fa444b # v0.18.0
+k8s.io/apimachinery                                 ab1231685bfe66237a116092641da00923cc00ca # v0.18.2
-k8s.io/apiserver                                    5c8e895629a454efd75a453d1dea5b8142db0013 # v0.18.0
+k8s.io/apiserver                                    de7df530d0c1046048acda2312486694046bfc6c # v0.18.2
-k8s.io/client-go                                    0b19784585bd0a0ee5509855829ead81feaa2bdc # v0.18.0
+k8s.io/client-go                                    6b7c68377979c821b73d98d1bd4c5a466034f491 # v0.18.2
-k8s.io/cri-api                                      3d1680d8d202aa12c5dc5689170c3c03a488d35b # v0.18.0
+k8s.io/cri-api                                      3d1680d8d202aa12c5dc5689170c3c03a488d35b # v0.18.2
 k8s.io/klog                                         2ca9ad30301bf30a8a6e0fa2110db6b8df699a91 # v1.0.0
-k8s.io/kubernetes                                   9e991415386e4cf155a24b1da15becaa390438d8 # v1.18.0
+k8s.io/kubernetes                                   52c56ce7a8272c798dbc29846288d7cd9fbae032 # v1.18.2
 k8s.io/utils                                        a9aa75ae1b89e1b992c33383f48e942d97e52dae
 sigs.k8s.io/structured-merge-diff/v3                877aee05330847a873a1a8998b40e12a1e0fde25 # v3.0.0
 sigs.k8s.io/yaml                                    9fc95527decd95bb9d28cc2eab08179b2d0f6971 # v1.2.0
--- a/vendor/github.com/opencontainers/runc/libcontainer/system/linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/system/linux.go
@ -1,155 +0,0 @@
 // +build linux
 package system
 import (
 	"os"
 	"os/exec"
 	"syscall" // only for exec
 	"unsafe"
 	"github.com/opencontainers/runc/libcontainer/user"
 	"golang.org/x/sys/unix"
 )
 // If arg2 is nonzero, set the "child subreaper" attribute of the
 // calling process; if arg2 is zero, unset the attribute.  When a
 // process is marked as a child subreaper, all of the children
 // that it creates, and their descendants, will be marked as
 // having a subreaper.  In effect, a subreaper fulfills the role
 // of init(1) for its descendant processes.  Upon termination of
 // a process that is orphaned (i.e., its immediate parent has
 // already terminated) and marked as having a subreaper, the
 // nearest still living ancestor subreaper will receive a SIGCHLD
 // signal and be able to wait(2) on the process to discover its
 // termination status.
 const PR_SET_CHILD_SUBREAPER = 36
 type ParentDeathSignal int
 func (p ParentDeathSignal) Restore() error {
 	if p == 0 {
 		return nil
 	}
 	current, err := GetParentDeathSignal()
 	if err != nil {
 		return err
 	}
 	if p == current {
 		return nil
 	}
 	return p.Set()
 }
 func (p ParentDeathSignal) Set() error {
 	return SetParentDeathSignal(uintptr(p))
 }
 func Execv(cmd string, args []string, env []string) error {
 	name, err := exec.LookPath(cmd)
 	if err != nil {
 		return err
 	}
 	return syscall.Exec(name, args, env)
 }
 func Prlimit(pid, resource int, limit unix.Rlimit) error {
 	_, _, err := unix.RawSyscall6(unix.SYS_PRLIMIT64, uintptr(pid), uintptr(resource), uintptr(unsafe.Pointer(&limit)), uintptr(unsafe.Pointer(&limit)), 0, 0)
 	if err != 0 {
 		return err
 	}
 	return nil
 }
 func SetParentDeathSignal(sig uintptr) error {
 	if err := unix.Prctl(unix.PR_SET_PDEATHSIG, sig, 0, 0, 0); err != nil {
 		return err
 	}
 	return nil
 }
 func GetParentDeathSignal() (ParentDeathSignal, error) {
 	var sig int
 	if err := unix.Prctl(unix.PR_GET_PDEATHSIG, uintptr(unsafe.Pointer(&sig)), 0, 0, 0); err != nil {
 		return -1, err
 	}
 	return ParentDeathSignal(sig), nil
 }
 func SetKeepCaps() error {
 	if err := unix.Prctl(unix.PR_SET_KEEPCAPS, 1, 0, 0, 0); err != nil {
 		return err
 	}
 	return nil
 }
 func ClearKeepCaps() error {
 	if err := unix.Prctl(unix.PR_SET_KEEPCAPS, 0, 0, 0, 0); err != nil {
 		return err
 	}
 	return nil
 }
 func Setctty() error {
 	if err := unix.IoctlSetInt(0, unix.TIOCSCTTY, 0); err != nil {
 		return err
 	}
 	return nil
 }
 // RunningInUserNS detects whether we are currently running in a user namespace.
 // Originally copied from github.com/lxc/lxd/shared/util.go
 func RunningInUserNS() bool {
 	uidmap, err := user.CurrentProcessUIDMap()
 	if err != nil {
 		// This kernel-provided file only exists if user namespaces are supported
 		return false
 	}
 	return UIDMapInUserNS(uidmap)
 }
 func UIDMapInUserNS(uidmap []user.IDMap) bool {
 	/*
 	 * We assume we are in the initial user namespace if we have a full
 	 * range - 4294967295 uids starting at uid 0.
 	 */
 	if len(uidmap) == 1 && uidmap[0].ID == 0 && uidmap[0].ParentID == 0 && uidmap[0].Count == 4294967295 {
 		return false
 	}
 	return true
 }
 // GetParentNSeuid returns the euid within the parent user namespace
 func GetParentNSeuid() int64 {
 	euid := int64(os.Geteuid())
 	uidmap, err := user.CurrentProcessUIDMap()
 	if err != nil {
 		// This kernel-provided file only exists if user namespaces are supported
 		return euid
 	}
 	for _, um := range uidmap {
 		if um.ID <= euid && euid <= um.ID+um.Count-1 {
 			return um.ParentID + euid - um.ID
 		}
 	}
 	return euid
 }
 // SetSubreaper sets the value i as the subreaper setting for the calling process
 func SetSubreaper(i int) error {
 	return unix.Prctl(PR_SET_CHILD_SUBREAPER, uintptr(i), 0, 0, 0)
 }
 // GetSubreaper returns the subreaper setting for the calling process
 func GetSubreaper() (int, error) {
 	var i uintptr
 	if err := unix.Prctl(unix.PR_GET_CHILD_SUBREAPER, uintptr(unsafe.Pointer(&i)), 0, 0, 0); err != nil {
 		return -1, err
 	}
 	return int(i), nil
 }
--- a/vendor/github.com/opencontainers/runc/libcontainer/system/proc.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/system/proc.go
@ -1,113 +0,0 @@
 package system
 import (
 	"fmt"
 	"io/ioutil"
 	"path/filepath"
 	"strconv"
 	"strings"
 )
 // State is the status of a process.
 type State rune
 const ( // Only values for Linux 3.14 and later are listed here
 	Dead        State = 'X'
 	DiskSleep   State = 'D'
 	Running     State = 'R'
 	Sleeping    State = 'S'
 	Stopped     State = 'T'
 	TracingStop State = 't'
 	Zombie      State = 'Z'
 )
 // String forms of the state from proc(5)'s documentation for
 // /proc/[pid]/status' "State" field.
 func (s State) String() string {
 	switch s {
 	case Dead:
 		return "dead"
 	case DiskSleep:
 		return "disk sleep"
 	case Running:
 		return "running"
 	case Sleeping:
 		return "sleeping"
 	case Stopped:
 		return "stopped"
 	case TracingStop:
 		return "tracing stop"
 	case Zombie:
 		return "zombie"
 	default:
 		return fmt.Sprintf("unknown (%c)", s)
 	}
 }
 // Stat_t represents the information from /proc/[pid]/stat, as
 // described in proc(5) with names based on the /proc/[pid]/status
 // fields.
 type Stat_t struct {
 	// PID is the process ID.
 	PID uint
 	// Name is the command run by the process.
 	Name string
 	// State is the state of the process.
 	State State
 	// StartTime is the number of clock ticks after system boot (since
 	// Linux 2.6).
 	StartTime uint64
 }
 // Stat returns a Stat_t instance for the specified process.
 func Stat(pid int) (stat Stat_t, err error) {
 	bytes, err := ioutil.ReadFile(filepath.Join("/proc", strconv.Itoa(pid), "stat"))
 	if err != nil {
 		return stat, err
 	}
 	return parseStat(string(bytes))
 }
 // GetProcessStartTime is deprecated.  Use Stat(pid) and
 // Stat_t.StartTime instead.
 func GetProcessStartTime(pid int) (string, error) {
 	stat, err := Stat(pid)
 	if err != nil {
 		return "", err
 	}
 	return fmt.Sprintf("%d", stat.StartTime), nil
 }
 func parseStat(data string) (stat Stat_t, err error) {
 	// From proc(5), field 2 could contain space and is inside `(` and `)`.
 	// The following is an example:
 	// 89653 (gunicorn: maste) S 89630 89653 89653 0 -1 4194560 29689 28896 0 3 146 32 76 19 20 0 1 0 2971844 52965376 3920 18446744073709551615 1 1 0 0 0 0 0 16781312 137447943 0 0 0 17 1 0 0 0 0 0 0 0 0 0 0 0 0 0
 	i := strings.LastIndex(data, ")")
 	if i <= 2 || i >= len(data)-1 {
 		return stat, fmt.Errorf("invalid stat data: %q", data)
 	}
 	parts := strings.SplitN(data[:i], "(", 2)
 	if len(parts) != 2 {
 		return stat, fmt.Errorf("invalid stat data: %q", data)
 	}
 	stat.Name = parts[1]
 	_, err = fmt.Sscanf(parts[0], "%d", &stat.PID)
 	if err != nil {
 		return stat, err
 	}
 	// parts indexes should be offset by 3 from the field number given
 	// proc(5), because parts is zero-indexed and we've removed fields
 	// one (PID) and two (Name) in the paren-split.
 	parts = strings.Split(data[i+2:], " ")
 	var state int
 	fmt.Sscanf(parts[3-3], "%c", &state)
 	stat.State = State(state)
 	fmt.Sscanf(parts[22-3], "%d", &stat.StartTime)
 	return stat, nil
 }
--- a/vendor/github.com/opencontainers/runc/libcontainer/system/syscall_linux_32.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/system/syscall_linux_32.go
@ -1,26 +0,0 @@
 // +build linux
 // +build 386 arm
 package system
 import (
 	"golang.org/x/sys/unix"
 )
 // Setuid sets the uid of the calling thread to the specified uid.
 func Setuid(uid int) (err error) {
 	_, _, e1 := unix.RawSyscall(unix.SYS_SETUID32, uintptr(uid), 0, 0)
 	if e1 != 0 {
 		err = e1
 	}
 	return
 }
 // Setgid sets the gid of the calling thread to the specified gid.
 func Setgid(gid int) (err error) {
 	_, _, e1 := unix.RawSyscall(unix.SYS_SETGID32, uintptr(gid), 0, 0)
 	if e1 != 0 {
 		err = e1
 	}
 	return
 }
--- a/vendor/github.com/opencontainers/runc/libcontainer/system/syscall_linux_64.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/system/syscall_linux_64.go
@ -1,26 +0,0 @@
 // +build linux
 // +build arm64 amd64 mips mipsle mips64 mips64le ppc ppc64 ppc64le riscv64 s390x
 package system
 import (
 	"golang.org/x/sys/unix"
 )
 // Setuid sets the uid of the calling thread to the specified uid.
 func Setuid(uid int) (err error) {
 	_, _, e1 := unix.RawSyscall(unix.SYS_SETUID, uintptr(uid), 0, 0)
 	if e1 != 0 {
 		err = e1
 	}
 	return
 }
 // Setgid sets the gid of the calling thread to the specified gid.
 func Setgid(gid int) (err error) {
 	_, _, e1 := unix.RawSyscall(unix.SYS_SETGID, uintptr(gid), 0, 0)
 	if e1 != 0 {
 		err = e1
 	}
 	return
 }
--- a/vendor/github.com/opencontainers/runc/libcontainer/system/sysconfig.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/system/sysconfig.go
@ -1,12 +0,0 @@
 // +build cgo,linux
 package system
 /*
 #include <unistd.h>
 */
 import "C"
 func GetClockTicks() int {
 	return int(C.sysconf(C._SC_CLK_TCK))
 }
--- a/vendor/github.com/opencontainers/runc/libcontainer/system/sysconfig_notcgo.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/system/sysconfig_notcgo.go
@ -1,15 +0,0 @@
 // +build !cgo windows
 package system
 func GetClockTicks() int {
 	// TODO figure out a better alternative for platforms where we're missing cgo
 	//
 	// TODO Windows. This could be implemented using Win32 QueryPerformanceFrequency().
 	// https://msdn.microsoft.com/en-us/library/windows/desktop/ms644905(v=vs.85).aspx
 	//
 	// An example of its usage can be found here.
 	// https://msdn.microsoft.com/en-us/library/windows/desktop/dn553408(v=vs.85).aspx
 	return 100
 }
--- a/vendor/github.com/opencontainers/runc/libcontainer/system/unsupported.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/system/unsupported.go
@ -1,27 +0,0 @@
 // +build !linux
 package system
 import (
 	"os"
 	"github.com/opencontainers/runc/libcontainer/user"
 )
 // RunningInUserNS is a stub for non-Linux systems
 // Always returns false
 func RunningInUserNS() bool {
 	return false
 }
 // UIDMapInUserNS is a stub for non-Linux systems
 // Always returns false
 func UIDMapInUserNS(uidmap []user.IDMap) bool {
 	return false
 }
 // GetParentNSeuid returns the euid within the parent user namespace
 // Always returns os.Geteuid on non-linux
 func GetParentNSeuid() int {
 	return os.Geteuid()
 }
--- a/vendor/github.com/opencontainers/runc/libcontainer/system/xattrs_linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/system/xattrs_linux.go
@ -1,35 +0,0 @@
 package system
 import "golang.org/x/sys/unix"
 // Returns a []byte slice if the xattr is set and nil otherwise
 // Requires path and its attribute as arguments
 func Lgetxattr(path string, attr string) ([]byte, error) {
 	var sz int
 	// Start with a 128 length byte array
 	dest := make([]byte, 128)
 	sz, errno := unix.Lgetxattr(path, attr, dest)
 	switch {
 	case errno == unix.ENODATA:
 		return nil, errno
 	case errno == unix.ENOTSUP:
 		return nil, errno
 	case errno == unix.ERANGE:
 		// 128 byte array might just not be good enough,
 		// A dummy buffer is used to get the real size
 		// of the xattrs on disk
 		sz, errno = unix.Lgetxattr(path, attr, []byte{})
 		if errno != nil {
 			return nil, errno
 		}
 		dest = make([]byte, sz)
 		sz, errno = unix.Lgetxattr(path, attr, dest)
 		if errno != nil {
 			return nil, errno
 		}
 	case errno != nil:
 		return nil, errno
 	}
 	return dest[:sz], nil
 }