From 5d9bf7d1398f645882e5c2becc7815daa1770c26 Mon Sep 17 00:00:00 2001 From: Akihiro Suda Date: Sat, 12 Aug 2023 10:36:09 +0900 Subject: [PATCH 1/5] CI: temporarily disable ci_fuzz due to incompatibility with recent Go > github.com/containerd/containerd/contrib/apparmor > github.com/containerd/containerd/contrib/apparmor > Running go-fuzz -tags gofuzz -func FuzzLoadDefaultProfile -o fuzz_FuzzLoadDefaultProfile.a github.com/containerd/containerd/contrib/apparmor > /usr/bin/ld: /usr/bin/ld: DWARF error: invalid or unhandled FORM value: 0x25 > fuzz_FuzzLoadDefaultProfile.a(000021.o): in function `_cgo_9c8efe9babca_C2func_res_search': > cgo_unix_cgo_res.cgo2.c:(.text+0x32): undefined reference to `__res_search' > /usr/bin/ld: fuzz_FuzzLoadDefaultProfile.a(000021.o): in function `_cgo_9c8efe9babca_Cfunc_res_search': > cgo_unix_cgo_res.cgo2.c:(.text+0x81): undefined reference to `__res_search' > clang-15: error: linker command failed with exit code 1 (use -v to see invocation) > 2023-08-11 14:25:45,433 - root - ERROR - Building fuzzers failed. > 2023-08-11 14:25:45,433 - root - ERROR - Error building fuzzers for (commit: 432d86b87f75cc8ddf8f8101a5540eb206ffc894, pr_ref: refs/pull/8957/merge). Signed-off-by: Akihiro Suda --- .github/workflows/fuzz.yml | 70 +++++++++++++++++++++++--------------- 1 file changed, 43 insertions(+), 27 deletions(-) diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml index 7c84dd60d..01ad06cae 100644 --- a/.github/workflows/fuzz.yml +++ b/.github/workflows/fuzz.yml 
@@ -4,33 +4,49 @@ permissions: # added using https://github.com/step-security/secure-workflows contents: read jobs: - # Run all fuzzing tests. Some of them use Go 1.18's testing.F. - # Others use https://github.com/AdaLogics/go-fuzz-headers. - ci_fuzz: - name: CI Fuzz - if: github.repository == 'containerd/containerd' - runs-on: ubuntu-latest - timeout-minutes: 60 - steps: - - name: Build Fuzzers - id: build - uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master - with: - oss-fuzz-project-name: 'containerd' - language: go - - name: Run Fuzzers - uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master - with: - oss-fuzz-project-name: 'containerd' - fuzz-seconds: 300 - language: go - continue-on-error: true - - name: Upload Crash - uses: actions/upload-artifact@v1 - if: failure() && steps.build.outcome == 'success' - with: - name: artifacts - path: ./out/artifacts +# ci_fuzz is temporarily disabled as it is not compatible with recent Go: +# +##### +# >github.com/containerd/containerd/contrib/apparmor +# >github.com/containerd/containerd/contrib/apparmor +# >Running go-fuzz -tags gofuzz -func FuzzLoadDefaultProfile -o fuzz_FuzzLoadDefaultProfile.a github.com/containerd/containerd/contrib/apparmor +# >/usr/bin/ld: /usr/bin/ld: DWARF error: invalid or unhandled FORM value: 0x25 +# >fuzz_FuzzLoadDefaultProfile.a(000021.o): in function `_cgo_9c8efe9babca_C2func_res_search': +# >cgo_unix_cgo_res.cgo2.c:(.text+0x32): undefined reference to `__res_search' +# >/usr/bin/ld: fuzz_FuzzLoadDefaultProfile.a(000021.o): in function `_cgo_9c8efe9babca_Cfunc_res_search': +# >cgo_unix_cgo_res.cgo2.c:(.text+0x81): undefined reference to `__res_search' +# >clang-15: error: linker command failed with exit code 1 (use -v to see invocation) +# >2023-08-11 14:25:45,433 - root - ERROR - Building fuzzers failed. +# >2023-08-11 14:25:45,433 - root - ERROR - Error building fuzzers for (commit: 432d86b87f75cc8ddf8f8101a5540eb206ffc894, pr_ref: refs/pull/8957/merge). 
+##### +# +# # Run all fuzzing tests. Some of them use Go 1.18's testing.F. +# # Others use https://github.com/AdaLogics/go-fuzz-headers. +# ci_fuzz: +# name: CI Fuzz +# if: github.repository == 'containerd/containerd' +# runs-on: ubuntu-latest +# timeout-minutes: 60 +# steps: +# - name: Build Fuzzers +# id: build +# uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master +# with: +# oss-fuzz-project-name: 'containerd' +# language: go +# - name: Run Fuzzers +# uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master +# with: +# oss-fuzz-project-name: 'containerd' +# fuzz-seconds: 300 +# language: go +# continue-on-error: true +# - name: Upload Crash +# uses: actions/upload-artifact@v1 +# if: failure() && steps.build.outcome == 'success' +# with: +# name: artifacts +# path: ./out/artifacts # Make sure all fuzzing tests which use Go 1.18's testing.F are # runnable with go test -fuzz. From 0f043ae4347e0f987aaf46c29582baf4c28bd183 Mon Sep 17 00:00:00 2001 From: Akihiro Suda Date: Tue, 15 Aug 2023 04:31:45 +0900 Subject: [PATCH 2/5] seccomp, apparmor: add go:noinline Tests in pkg/cri/[sb]server/container_create_linux_test.go depends on go:noinline since Go 1.21. e.g., > ``` > === FAIL: pkg/cri/sbserver TestGenerateSeccompSecurityProfileSpecOpts/should_set_default_seccomp_when_seccomp_is_runtime/default (0.00s) > container_create_linux_test.go:1013: > Error Trace: /home/runner/work/containerd/containerd/pkg/cri/sbserver/container_create_linux_test.go:1013 > Error: Not equal: > expected: 0x263d880 > actual : 0x263cbc0 > Test: TestGenerateSeccompSecurityProfileSpecOpts/should_set_default_seccomp_when_seccomp_is_runtime/default > ``` See comments in PR 8957. Thanks to Wei Fu for analyzing this. Co-authored-by: Wei Fu Signed-off-by: Akihiro Suda --- contrib/apparmor/apparmor.go | 5 +++++ contrib/seccomp/seccomp.go | 10 ++++++++++ 2 files changed, 15 insertions(+) 
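Review bot: The comment block that replaces the `ci_fuzz` job in .github/workflows/fuzz.yml (PATCH 1/5) calls the job "temporarily disabled" but names no tracking issue or condition for turning it back on, so nothing prompts anyone to restore CIFuzz coverage on pull requests. I would replace the pasted linker log, which is already in the commit message, with one line such as `# TODO(<TRACKING_ISSUE_URL>): re-enable ci_fuzz once the go-fuzz build links with the current Go toolchain`. While the job is off, the fuzzers that rely on go-fuzz-headers rather than testing.F presumably get no run in PR CI, since the remaining job is described as covering only the testing.F ones. The preserved job text also references `build_fuzzers@master` and `run_fuzzers@master`. When it is re-enabled, pinning those to a commit SHA would keep a change on the upstream branch from silently altering what this workflow executes.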
diff --git a/contrib/apparmor/apparmor.go b/contrib/apparmor/apparmor.go index 56454ab93..12ff0c472 100644 --- a/contrib/apparmor/apparmor.go +++ b/contrib/apparmor/apparmor.go @@ -39,6 +39,11 @@ func WithProfile(profile string) oci.SpecOpts { // WithDefaultProfile will generate a default apparmor profile under the provided name // for the container. It is only generated if a profile under that name does not exist. +// +// FIXME: pkg/cri/[sb]server/container_create_linux_test.go depends on go:noinline +// since Go 1.21. +// +//go:noinline func WithDefaultProfile(name string) oci.SpecOpts { return func(_ context.Context, _ oci.Client, _ *containers.Container, s *specs.Spec) error { if err := LoadDefaultProfile(name); err != nil { diff --git a/contrib/seccomp/seccomp.go b/contrib/seccomp/seccomp.go index 5292cbcec..becf08988 100644 --- a/contrib/seccomp/seccomp.go +++ b/contrib/seccomp/seccomp.go @@ -30,6 +30,11 @@ import ( // WithProfile receives the name of a file stored on disk comprising a json // formatted seccomp profile, as specified by the opencontainers/runtime-spec. // The profile is read from the file, unmarshaled, and set to the spec. +// +// FIXME: pkg/cri/[sb]server/container_create_linux_test.go depends on go:noinline +// since Go 1.21. +// +//go:noinline func WithProfile(profile string) oci.SpecOpts { return func(_ context.Context, _ oci.Client, _ *containers.Container, s *specs.Spec) error { s.Linux.Seccomp = &specs.LinuxSeccomp{} @@ -46,6 +51,11 @@ func WithProfile(profile string) oci.SpecOpts { // WithDefaultProfile sets the default seccomp profile to the spec. // Note: must follow the setting of process capabilities +// +// FIXME: pkg/cri/[sb]server/container_create_linux_test.go depends on go:noinline +// since Go 1.21. +// +//go:noinline func WithDefaultProfile() oci.SpecOpts { return func(_ context.Context, _ oci.Client, _ *containers.Container, s *specs.Spec) error { s.Linux.Seccomp = DefaultProfile(s) 
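Review bot: The `//go:noinline` directives added to `WithDefaultProfile` in contrib/apparmor/apparmor.go, and to `WithProfile` and `WithDefaultProfile` in contrib/seccomp/seccomp.go, change how production code is compiled only to keep tests passing. Those tests appear to compare function addresses, judging by the `expected: 0x263d880` / `actual : 0x263cbc0` failure quoted in the commit message. Each FIXME names the dependency but not what would remove it; I would word it as `// FIXME: drop go:noinline once container_create_linux_test.go asserts on the generated spec instead of comparing SpecOpts function addresses.` An address comparison shows at most which constructor was selected, not that the seccomp or AppArmor profile ends up in the spec, so asserting on the resulting `specs.Spec` would be a stronger check for these options. The function bodies continue outside each hunk.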
From c883410c96d0318eddcb8c97ea35e484396758e7 Mon Sep 17 00:00:00 2001 From: Nashwan Azhari Date: Wed, 16 Aug 2023 13:55:57 +0300 Subject: [PATCH 3/5] CI: Explicitly upgrade MinGW on Windows 2019 GitHub runners. The default version of MinGW and GCC on the GitHub-hosted Windows 2019 runners compile fine but lead to linker errors during runtime. Signed-off-by: Nashwan Azhari --- .github/workflows/ci.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f98f0afed..86f356af8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -218,6 +218,12 @@ jobs: - uses: actions/checkout@v3 + # NOTE(aznashwan): starting with Golang 1.21, the windows-2019 GitHub runner's + # builtin MinGW version leads to DLL loading errors during runtime. + - name: Upgrade MinGW on Windows 2019 + if: matrix.os == 'windows-2019' + run: choco upgrade mingw + - name: Make run: | make build @@ -269,6 +275,12 @@ jobs: - run: script/setup/install-dev-tools + # NOTE(aznashwan): starting with Golang 1.21, the windows-2019 GitHub runner's + # builtin MinGW version leads to DLL loading errors during runtime. + - name: Upgrade MinGW on Windows 2019 + if: matrix.os == 'windows-2019' + run: choco upgrade mingw + - name: Binaries env: CGO_ENABLED: 1 From 5756cb00e7129f8beebfc8572600bcd61f2bddf2 Mon Sep 17 00:00:00 2001 From: Akihiro Suda Date: Thu, 17 Aug 2023 16:53:47 +0900 Subject: [PATCH 4/5] CI: increase timeout for Binaries Signed-off-by: Akihiro Suda --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 86f356af8..e4363fa64 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -203,7 +203,7 @@ jobs: binaries: name: Binaries runs-on: ${{ matrix.os }} - timeout-minutes: 10 + timeout-minutes: 20 needs: [project, linters, protos, man] strategy: 
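Review bot: `run: choco upgrade mingw` in both steps added to .github/workflows/ci.yml (the hunks at -218 and -269, PATCH 3/5) installs whatever MinGW version Chocolatey serves on the day of the run, so the toolchain for the Windows 2019 builds can change without any commit in this repository. script/setup/prepare_env_windows.ps1 already pins `mingw = "10.2.0"`. I would pin here too, e.g. `run: choco upgrade mingw --version <MINGW_VERSION> -y`, using a version confirmed to work with Go 1.21. The step is duplicated verbatim in two jobs, so a pin has to be kept in sync in both places unless it is moved to a shared `env` value.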
From eacd74c2b0c334108d875787ab5c6d6a74d043f0 Mon Sep 17 00:00:00 2001 From: Akihiro Suda Date: Fri, 11 Aug 2023 23:16:54 +0900 Subject: [PATCH 5/5] Go 1.21.0 https://go.dev/doc/go1.21 Signed-off-by: Akihiro Suda --- .devcontainer/devcontainer.json | 2 +- .github/workflows/build-test-images.yml | 2 +- .github/workflows/ci.yml | 4 ++-- .github/workflows/codeql.yml | 2 +- .github/workflows/fuzz.yml | 4 +--- .github/workflows/images.yml | 2 +- .github/workflows/nightly.yml | 2 +- .github/workflows/release.yml | 2 +- BUILDING.md | 2 +- Vagrantfile | 2 +- contrib/Dockerfile.test | 2 +- contrib/fuzz/oss_fuzz_build.sh | 4 ++-- go.mod | 2 +- script/setup/prepare_env_windows.ps1 | 2 +- 14 files changed, 16 insertions(+), 18 deletions(-) diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index cfda8a3fa..f9a494334 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -12,7 +12,7 @@ "features": { "ghcr.io/devcontainers/features/docker-in-docker:2": {}, "ghcr.io/devcontainers/features/go:1": { - "version": "1.20" + "version": "1.21" } }, diff --git a/.github/workflows/build-test-images.yml b/.github/workflows/build-test-images.yml index a89ec781c..99f940c8d 100644 --- a/.github/workflows/build-test-images.yml +++ b/.github/workflows/build-test-images.yml @@ -43,7 +43,7 @@ jobs: steps: - uses: actions/setup-go@v3 with: - go-version: "1.20.7" + go-version: "1.21.0" - uses: actions/checkout@v3 with: diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e4363fa64..b750f22a5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -9,7 +9,7 @@ on: env: # Go version we currently use to build containerd across all CI. # Note: don't forget to update `Binaries` step, as it contains the matrix of all supported Go versions. - GO_VERSION: "1.20.7" + GO_VERSION: "1.21.0" permissions: # added using https://github.com/step-security/secure-workflows contents: read 
@@ -209,7 +209,7 @@ jobs: strategy: matrix: os: [ubuntu-22.04, macos-12, windows-2019, windows-2022] - go-version: ["1.20.7", "1.19.12"] + go-version: ["1.20.7", "1.21.0"] steps: - uses: actions/setup-go@v4 with: diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index c481f2d5b..13e5392c0 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -34,7 +34,7 @@ jobs: - uses: actions/setup-go@v3 with: - go-version: 1.20.7 + go-version: 1.21.0 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml index 01ad06cae..a4405daca 100644 --- a/.github/workflows/fuzz.yml +++ b/.github/workflows/fuzz.yml @@ -58,8 +58,6 @@ jobs: steps: - uses: actions/setup-go@v3 with: - # FIXME: go-fuzz fails with Go 1.20: `cgo_unix_cgo_res.cgo2.c:(.text+0x32): undefined reference to `__res_search'` - # https://github.com/containerd/containerd/pull/8103#issuecomment-1429256152 - go-version: 1.18 + go-version: 1.21.x - uses: actions/checkout@v3 - run: script/go-test-fuzz.sh diff --git a/.github/workflows/images.yml b/.github/workflows/images.yml index c63f178c5..3d39392b2 100644 --- a/.github/workflows/images.yml +++ b/.github/workflows/images.yml @@ -28,7 +28,7 @@ jobs: steps: - uses: actions/setup-go@v3 with: - go-version: "1.20.7" + go-version: "1.21.0" - uses: actions/checkout@v3 with: diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index 5381c5933..d256a501f 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -7,7 +7,7 @@ on: - ".github/workflows/nightly.yml" env: - GO_VERSION: "1.20.7" + GO_VERSION: "1.21.0" permissions: # added using https://github.com/step-security/secure-workflows contents: read diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ceac65c8f..8e481ce19 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -13,7 +13,7 @@ on: name: Release env: - GO_VERSION: "1.20.7" + GO_VERSION: "1.21.0" permissions: # added using https://github.com/step-security/secure-workflows contents: read diff --git a/BUILDING.md b/BUILDING.md index 3a887742d..86f366013 100644 --- a/BUILDING.md +++ b/BUILDING.md @@ -25,7 +25,7 @@ A codespace will open in a web-based version of Visual Studio Code. The [dev con To build the `containerd` daemon, and the `ctr` simple test client, the following build system dependencies are required: -* Go 1.19.x or above +* Go 1.20.x or above * Protoc 3.x compiler and headers (download at the [Google protobuf releases page](https://github.com/protocolbuffers/protobuf/releases)) * Btrfs headers and libraries for your distribution. Note that building the btrfs driver can be disabled via the build tag `no_btrfs`, removing this dependency. diff --git a/Vagrantfile b/Vagrantfile index 42a96c2ca..23675a81f 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -104,7 +104,7 @@ EOF config.vm.provision "install-golang", type: "shell", run: "once" do |sh| sh.upload_path = "/tmp/vagrant-install-golang" sh.env = { - 'GO_VERSION': ENV['GO_VERSION'] || "1.20.7", + 'GO_VERSION': ENV['GO_VERSION'] || "1.21.0", } sh.inline = <<~SHELL #!/usr/bin/env bash diff --git a/contrib/Dockerfile.test b/contrib/Dockerfile.test index 834d705da..b04217573 100644 --- a/contrib/Dockerfile.test +++ b/contrib/Dockerfile.test @@ -29,7 +29,7 @@ # docker run --privileged containerd-test # ------------------------------------------------------------------------------ -ARG GOLANG_VERSION=1.20.7 +ARG GOLANG_VERSION=1.21.0 ARG GOLANG_IMAGE=golang FROM ${GOLANG_IMAGE}:${GOLANG_VERSION} AS golang diff --git a/contrib/fuzz/oss_fuzz_build.sh b/contrib/fuzz/oss_fuzz_build.sh index d8c03c858..ef1457a94 100755 --- a/contrib/fuzz/oss_fuzz_build.sh +++ b/contrib/fuzz/oss_fuzz_build.sh 
@@ -43,11 +43,11 @@ go run main.go $SRC/containerd/images apt-get update && apt-get install -y wget cd $SRC -wget --quiet https://go.dev/dl/go1.19.5.linux-amd64.tar.gz +wget --quiet https://go.dev/dl/go1.21.0.linux-amd64.tar.gz mkdir temp-go rm -rf /root/.go/* -tar -C temp-go/ -xzf go1.19.5.linux-amd64.tar.gz +tar -C temp-go/ -xzf go1.21.0.linux-amd64.tar.gz mv temp-go/go/* /root/.go/ cd $SRC/containerd diff --git a/go.mod b/go.mod index 363964124..e1c9912e0 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/containerd/containerd -go 1.19 +go 1.20 require ( dario.cat/mergo v1.0.0 diff --git a/script/setup/prepare_env_windows.ps1 b/script/setup/prepare_env_windows.ps1 index b0dbcd71a..0885c6e53 100644 --- a/script/setup/prepare_env_windows.ps1 +++ b/script/setup/prepare_env_windows.ps1 @@ -5,7 +5,7 @@ # lived test environment. Set-MpPreference -DisableRealtimeMonitoring:$true -$PACKAGES= @{ mingw = "10.2.0"; git = ""; golang = "1.20.7"; make = ""; nssm = "" } +$PACKAGES= @{ mingw = "10.2.0"; git = ""; golang = "1.21.0"; make = ""; nssm = "" } Write-Host "Downloading chocolatey package" curl.exe -L "https://packages.chocolatey.org/chocolatey.0.10.15.nupkg" -o 'c:\choco.zip'
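Review bot: The Go toolchain tarball in contrib/fuzz/oss_fuzz_build.sh is fetched with `wget --quiet` and unpacked into /root/.go with no integrity check, and this change only swaps the version in the URL and file name. Since that archive becomes the compiler for every fuzz target, I would verify it against the checksum published on go.dev before extracting, e.g. `echo "<GO1.21.0_LINUX_AMD64_SHA256>  go1.21.0.linux-amd64.tar.gz" | sha256sum -c -` between the `wget` and `tar` lines. `--quiet` also suppresses wget's own output, so unless the script aborts on a non-zero exit (not visible here) a failed or truncated download would likely surface only as a tar error. The script continues outside the hunk.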