From 1a7bbd1f71ccef5941437a4ee31e2c3da64d732f Mon Sep 17 00:00:00 2001
From: Akihiro Suda
Date: Mon, 20 Jul 2020 13:14:11 +0900
Subject: [PATCH] vendor: update containerd/cri

Changes: https://github.com/containerd/cri/compare/8fb244a65baad2457e6c8658db18ed28b1f77cfe...fcda0cf4a7e70f0317238b09556329239321353b
Signed-off-by: Akihiro Suda
---
 vendor.conf | 2 +-
 .../containerd/cri/pkg/config/config.go | 4 +++
 .../containerd/cri/pkg/config/config_unix.go | 5 +++-
 .../cri/pkg/config/config_windows.go | 2 +-
 .../cri/pkg/containerd/opts/spec_unix.go | 28 ++++++++++---------
 .../cri/pkg/server/container_create_unix.go | 2 +-
 .../server/container_update_resources_unix.go | 6 ++--
 7 files changed, 29 insertions(+), 20 deletions(-)

diff --git a/vendor.conf b/vendor.conf
index ebcab4705..062b30b2f 100644
--- a/vendor.conf
+++ b/vendor.conf
@@ -57,7 +57,7 @@ gotest.tools/v3 v3.0.2
 github.com/cilium/ebpf 1c8d4c9ef7759622653a1d319284a44652333b28

 # cri dependencies
-github.com/containerd/cri 8fb244a65baad2457e6c8658db18ed28b1f77cfe # master
+github.com/containerd/cri fcda0cf4a7e70f0317238b09556329239321353b # master
 github.com/davecgh/go-spew v1.1.1
 github.com/docker/docker 4634ce647cf2ce2c6031129ccd109e557244986f
 github.com/docker/spdystream 449fdfce4d962303d702fec724ef0ad181c92528
diff --git a/vendor/github.com/containerd/cri/pkg/config/config.go b/vendor/github.com/containerd/cri/pkg/config/config.go
index 3ca236e92..579d72480 100644
--- a/vendor/github.com/containerd/cri/pkg/config/config.go
+++ b/vendor/github.com/containerd/cri/pkg/config/config.go
@@ -236,6 +236,10 @@ type PluginConfig struct {
 // container requests with huge page limits if the cgroup controller for hugepages is not present.
 // This helps with supporting Kubernetes <=1.18 out of the box. (default is `true`)
 TolerateMissingHugetlbController bool `toml:"tolerate_missing_hugetlb_controller" json:"tolerateMissingHugetlbController"`
+ // DisableHugetlbController indicates to silently disable the hugetlb controller, even when it is
+ // present in /sys/fs/cgroup/cgroup.controllers.
+ // This helps with running rootless mode + cgroup v2 + systemd but without hugetlb delegation.
+ DisableHugetlbController bool `toml:"disable_hugetlb_controller" json:"disableHugetlbController"`
 // IgnoreImageDefinedVolumes ignores volumes defined by the image. Useful for better resource
 // isolation, security and early detection of issues in the mount configuration when using
 // ReadOnlyRootFilesystem since containers won't silently mount a temporary volume.
diff --git a/vendor/github.com/containerd/cri/pkg/config/config_unix.go b/vendor/github.com/containerd/cri/pkg/config/config_unix.go
index 2b42a7a89..906301726 100644
--- a/vendor/github.com/containerd/cri/pkg/config/config_unix.go
+++ b/vendor/github.com/containerd/cri/pkg/config/config_unix.go
@@ -19,6 +19,7 @@
 package config

 import (
+ "github.com/BurntSushi/toml"
 "github.com/containerd/containerd"
 "github.com/containerd/cri/pkg/streaming"
 )
@@ -38,7 +39,8 @@ func DefaultConfig() PluginConfig {
 NoPivot: false,
 Runtimes: map[string]Runtime{
 "runc": {
- Type: "io.containerd.runc.v2",
+ Type: "io.containerd.runc.v2",
+ Options: new(toml.Primitive),
 },
 },
 },
@@ -66,6 +68,7 @@ func DefaultConfig() PluginConfig {
 MaxConcurrentDownloads: 3,
 DisableProcMount: false,
 TolerateMissingHugetlbController: true,
+ DisableHugetlbController: true,
 IgnoreImageDefinedVolumes: false,
 }
 }
diff --git a/vendor/github.com/containerd/cri/pkg/config/config_windows.go b/vendor/github.com/containerd/cri/pkg/config/config_windows.go
index 9f8378678..d559b4160 100644
--- a/vendor/github.com/containerd/cri/pkg/config/config_windows.go
+++ b/vendor/github.com/containerd/cri/pkg/config/config_windows.go
@@ -54,7 +54,7 @@ func DefaultConfig() PluginConfig {
 TLSKeyFile: "",
 TLSCertFile: "",
 },
- SandboxImage: "mcr.microsoft.com/k8s/core/pause:1.2.0",
+ SandboxImage: "mcr.microsoft.com/oss/kubernetes/pause:1.4.0",
 StatsCollectPeriod: 10,
 MaxContainerLogLineSize: 16 * 1024,
 Registry: Registry{
diff --git a/vendor/github.com/containerd/cri/pkg/containerd/opts/spec_unix.go b/vendor/github.com/containerd/cri/pkg/containerd/opts/spec_unix.go
index 97c819446..d644962d5 100644
--- a/vendor/github.com/containerd/cri/pkg/containerd/opts/spec_unix.go
+++ b/vendor/github.com/containerd/cri/pkg/containerd/opts/spec_unix.go
@@ -408,7 +408,7 @@ func WithSelinuxLabels(process, mount string) oci.SpecOpts {
 }

 // WithResources sets the provided resource restrictions
-func WithResources(resources *runtime.LinuxContainerResources, tolerateMissingHugetlbController bool) oci.SpecOpts {
+func WithResources(resources *runtime.LinuxContainerResources, tolerateMissingHugetlbController, disableHugetlbController bool) oci.SpecOpts {
 return func(ctx context.Context, client oci.Client, c *containers.Container, s *runtimespec.Spec) (err error) {
 if resources == nil {
 return nil
@@ -451,19 +451,21 @@ func WithResources(resources *runtime.LinuxContainerResources, tolerateMissingHu
 if limit != 0 {
 s.Linux.Resources.Memory.Limit = &limit
 }
- if isHugetlbControllerPresent() {
- for _, limit := range hugepages {
- s.Linux.Resources.HugepageLimits = append(s.Linux.Resources.HugepageLimits, runtimespec.LinuxHugepageLimit{
- Pagesize: limit.PageSize,
- Limit: limit.Limit,
- })
+ if !disableHugetlbController {
+ if isHugetlbControllerPresent() {
+ for _, limit := range hugepages {
+ s.Linux.Resources.HugepageLimits = append(s.Linux.Resources.HugepageLimits, runtimespec.LinuxHugepageLimit{
+ Pagesize: limit.PageSize,
+ Limit: limit.Limit,
+ })
+ }
+ } else {
+ if !tolerateMissingHugetlbController {
+ return errors.Errorf("huge pages limits are specified but hugetlb cgroup controller is missing. " +
+ "Please set tolerate_missing_hugetlb_controller to `true` to ignore this error")
+ }
+ logrus.Warn("hugetlb cgroup controller is absent. skipping huge pages limits")
 }
- } else {
- if !tolerateMissingHugetlbController {
- return errors.Errorf("huge pages limits are specified but hugetlb cgroup controller is missing. " +
- "Please set tolerate_missing_hugetlb_controller to `true` to ignore this error")
- }
- logrus.Warn("hugetlb cgroup controller is absent. skipping huge pages limits")
 }
 return nil
 }
diff --git a/vendor/github.com/containerd/cri/pkg/server/container_create_unix.go b/vendor/github.com/containerd/cri/pkg/server/container_create_unix.go
index b2b79287f..28863cb0c 100644
--- a/vendor/github.com/containerd/cri/pkg/server/container_create_unix.go
+++ b/vendor/github.com/containerd/cri/pkg/server/container_create_unix.go
@@ -225,7 +225,7 @@ func (c *criService) containerSpec(id string, sandboxID string, sandboxPid uint3
 if c.config.DisableCgroup {
 specOpts = append(specOpts, customopts.WithDisabledCgroups)
 } else {
- specOpts = append(specOpts, customopts.WithResources(config.GetLinux().GetResources(), c.config.TolerateMissingHugetlbController))
+ specOpts = append(specOpts, customopts.WithResources(config.GetLinux().GetResources(), c.config.TolerateMissingHugetlbController, c.config.DisableHugetlbController))
 if sandboxConfig.GetLinux().GetCgroupParent() != "" {
 cgroupsPath := getCgroupsPath(sandboxConfig.GetLinux().GetCgroupParent(), id)
 specOpts = append(specOpts, oci.WithCgroup(cgroupsPath))
diff --git a/vendor/github.com/containerd/cri/pkg/server/container_update_resources_unix.go b/vendor/github.com/containerd/cri/pkg/server/container_update_resources_unix.go
index b87f460f4..23e0d409b 100644
--- a/vendor/github.com/containerd/cri/pkg/server/container_update_resources_unix.go
+++ b/vendor/github.com/containerd/cri/pkg/server/container_update_resources_unix.go
@@ -73,7 +73,7 @@ func (c *criService) updateContainerResources(ctx context.Context,
 return errors.Wrap(err, "failed to get container spec")
 }
 newSpec, err := updateOCILinuxResource(ctx, oldSpec, resources,
- c.config.TolerateMissingHugetlbController)
+ c.config.TolerateMissingHugetlbController, c.config.DisableHugetlbController)
 if err != nil {
 return errors.Wrap(err, "failed to update resource in spec")
 }
@@ -134,7 +134,7 @@ func updateContainerSpec(ctx context.Context, cntr containerd.Container, spec *r

 // updateOCILinuxResource updates container resource limit.
 func updateOCILinuxResource(ctx context.Context, spec *runtimespec.Spec, new *runtime.LinuxContainerResources,
- tolerateMissingHugetlbController bool) (*runtimespec.Spec, error) {
+ tolerateMissingHugetlbController, disableHugetlbController bool) (*runtimespec.Spec, error) {
 // Copy to make sure old spec is not changed.
 var cloned runtimespec.Spec
 if err := util.DeepCopy(&cloned, spec); err != nil {
@@ -143,7 +143,7 @@ func updateOCILinuxResource(ctx context.Context, spec *runtimespec.Spec, new *ru
 if cloned.Linux == nil {
 cloned.Linux = &runtimespec.Linux{}
 }
- if err := opts.WithResources(new, tolerateMissingHugetlbController)(ctx, nil, nil, &cloned); err != nil {
+ if err := opts.WithResources(new, tolerateMissingHugetlbController, disableHugetlbController)(ctx, nil, nil, &cloned); err != nil {
 return nil, errors.Wrap(err, "unable to set linux container resources")
 }
 return &cloned, nil