Merge pull request #1550 from thaJeztah/bump_containerd_v1.4.0-rc.0

Bump containerd v1.4.0 rc.0
2020-08-05 17:56:08 -05:00 · 2020-08-05 17:56:08 -05:00 · 5c6c6b2ac7
commit 5c6c6b2ac7
parent a8b6b6b065 117c169992
30 changed files with 149 additions and 68 deletions
--- a/vendor.conf
+++ b/vendor.conf
@ -10,8 +10,8 @@ github.com/BurntSushi/toml                          v0.3.1
 github.com/cespare/xxhash/v2                        v2.1.1
 github.com/containerd/cgroups                       318312a373405e5e91134d8063d04d59768a1bff
 github.com/containerd/console                       v1.0.0
-github.com/containerd/containerd                    d184a0a3430dc4a17a47cce37fb36126ac0c699a
-github.com/containerd/continuity                    d3ef23f19fbb106bb73ffde425d07a9187e30745
+github.com/containerd/containerd                    v1.4.0-rc.0
+github.com/containerd/continuity                    efbc4488d8fe1bdc16bde3b2d2990d9b3a899165
 github.com/containerd/fifo                          f15a3290365b9d2627d189e619ab4008e0069caf
 github.com/containerd/go-runc                       7016d3ce2328dd2cb1192b2076ebd565c4e8df0c
 github.com/containerd/ttrpc                         v1.0.1
@ -37,7 +37,7 @@ github.com/Microsoft/go-winio                       v0.4.14
 github.com/Microsoft/hcsshim                        v0.8.9
 github.com/opencontainers/go-digest                 v1.0.0
 github.com/opencontainers/image-spec                v1.0.1
-github.com/opencontainers/runc                      v1.0.0-rc91
+github.com/opencontainers/runc                      67169a9d43456ff0d5ae12b967acb8e366e2f181 # v1.0.0-rc91-48-g67169a9d
 github.com/opencontainers/runtime-spec              237cc4f519e2e8f9b235bacccfa8ef5a84df2875 # v1.0.2-14-g8e2f17c
 github.com/pkg/errors                               v0.9.1
 github.com/prometheus/client_golang                 v1.6.0
--- a/vendor/github.com/containerd/containerd/container.go
+++ b/vendor/github.com/containerd/containerd/container.go
@ -290,6 +290,7 @@ func (c *container) NewTask(ctx context.Context, ioCreate cio.Creator, opts ...N
 		client: c.client,
 		io:     i,
 		id:     c.id,
+		c:      c,
 	}
 	if info.Checkpoint != nil {
 		request.Checkpoint = info.Checkpoint
@ -407,6 +408,7 @@ func (c *container) loadTask(ctx context.Context, ioAttach cio.Attach) (Task, er
 		io:     i,
 		id:     response.Process.ID,
 		pid:    response.Process.Pid,
+		c:      c,
 	}
 	return t, nil
 }
--- a/vendor/github.com/containerd/containerd/oci/spec_opts_unix.go
+++ b/vendor/github.com/containerd/containerd/oci/spec_opts_unix.go
@ -118,3 +118,10 @@ func deviceFromPath(path, permissions string) (*specs.LinuxDevice, error) {
 		GID:      &stat.Gid,
 	}, nil
 }
+
+// WithCPUCFS sets the container's Completely fair scheduling (CFS) quota and period
+func WithCPUCFS(quota int64, period uint64) SpecOpts {
+	return func(ctx context.Context, _ Client, c *containers.Container, s *Spec) error {
+		return nil
+	}
+}
--- a/vendor/github.com/containerd/containerd/remotes/docker/authorizer.go
+++ b/vendor/github.com/containerd/containerd/remotes/docker/authorizer.go
@ -273,7 +273,7 @@ func (ah *authHandler) doBearerAuth(ctx context.Context) (string, error) {
 	// copy common tokenOptions
 	to := ah.common

-	to.scopes = getTokenScopes(ctx, to.scopes)
+	to.scopes = GetTokenScopes(ctx, to.scopes)

 	// Docs: https://docs.docker.com/registry/spec/auth/scope
 	scoped := strings.Join(to.scopes, " ")
--- a/vendor/github.com/containerd/containerd/remotes/docker/fetcher.go
+++ b/vendor/github.com/containerd/containerd/remotes/docker/fetcher.go
@ -98,6 +98,9 @@ func (r dockerFetcher) Fetch(ctx context.Context, desc ocispec.Descriptor) (io.R
 			var firstErr error
 			for _, host := range r.hosts {
 				req := r.request(host, http.MethodGet, "manifests", desc.Digest.String())
+				if err := req.addNamespace(r.refspec.Hostname()); err != nil {
+					return nil, err
+				}

 				rc, err := r.open(ctx, req, desc.MediaType, offset)
 				if err != nil {
@ -118,6 +121,9 @@ func (r dockerFetcher) Fetch(ctx context.Context, desc ocispec.Descriptor) (io.R
 		var firstErr error
 		for _, host := range r.hosts {
 			req := r.request(host, http.MethodGet, "blobs", desc.Digest.String())
+			if err := req.addNamespace(r.refspec.Hostname()); err != nil {
+				return nil, err
+			}

 			rc, err := r.open(ctx, req, desc.MediaType, offset)
 			if err != nil {
--- a/vendor/github.com/containerd/containerd/remotes/docker/registry.go
+++ b/vendor/github.com/containerd/containerd/remotes/docker/registry.go
@ -73,6 +73,15 @@ type RegistryHost struct {
 	Header       http.Header
 }

+func (h RegistryHost) isProxy(refhost string) bool {
+	if refhost != h.Host {
+		if refhost != "docker.io" || h.Host != "registry-1.docker.io" {
+			return true
+		}
+	}
+	return false
+}
+
 // RegistryHosts fetches the registry hosts for a given namespace,
 // provided by the host component of an distribution image reference.
 type RegistryHosts func(string) ([]RegistryHost, error)
--- a/vendor/github.com/containerd/containerd/remotes/docker/resolver.go
+++ b/vendor/github.com/containerd/containerd/remotes/docker/resolver.go
@ -22,6 +22,7 @@ import (
 	"io"
 	"io/ioutil"
 	"net/http"
+	"net/url"
 	"path"
 	"strings"

@ -276,6 +277,10 @@ func (r *dockerResolver) Resolve(ctx context.Context, ref string) (string, ocisp
 			ctx := log.WithLogger(ctx, log.G(ctx).WithField("host", host.Host))

 			req := base.request(host, http.MethodHead, u...)
+			if err := req.addNamespace(base.refspec.Hostname()); err != nil {
+				return "", ocispec.Descriptor{}, err
+			}
+
 			for key, value := range r.resolveHeader {
 				req.header[key] = append(req.header[key], value...)
 			}
@ -323,6 +328,10 @@ func (r *dockerResolver) Resolve(ctx context.Context, ref string) (string, ocisp
 				log.G(ctx).Debug("no Docker-Content-Digest header, fetching manifest instead")

 				req = base.request(host, http.MethodGet, u...)
+				if err := req.addNamespace(base.refspec.Hostname()); err != nil {
+					return "", ocispec.Descriptor{}, err
+				}
+
 				for key, value := range r.resolveHeader {
 					req.header[key] = append(req.header[key], value...)
 				}
@ -416,10 +425,10 @@ func (r *dockerResolver) Pusher(ctx context.Context, ref string) (remotes.Pusher
 }

 type dockerBase struct {
-	refspec   reference.Spec
-	namespace string
-	hosts     []RegistryHost
-	header    http.Header
+	refspec    reference.Spec
+	repository string
+	hosts      []RegistryHost
+	header     http.Header
 }

 func (r *dockerResolver) base(refspec reference.Spec) (*dockerBase, error) {
@ -429,10 +438,10 @@ func (r *dockerResolver) base(refspec reference.Spec) (*dockerBase, error) {
 		return nil, err
 	}
 	return &dockerBase{
-		refspec:   refspec,
-		namespace: strings.TrimPrefix(refspec.Locator, host+"/"),
-		hosts:     hosts,
-		header:    r.header,
+		refspec:    refspec,
+		repository: strings.TrimPrefix(refspec.Locator, host+"/"),
+		hosts:      hosts,
+		header:     r.header,
 	}, nil
 }

@ -453,7 +462,7 @@ func (r *dockerBase) request(host RegistryHost, method string, ps ...string) *re
 	for key, value := range host.Header {
 		header[key] = append(header[key], value...)
 	}
-	parts := append([]string{"/", host.Path, r.namespace}, ps...)
+	parts := append([]string{"/", host.Path, r.repository}, ps...)
 	p := path.Join(parts...)
 	// Join strips trailing slash, re-add ending "/" if included
 	if len(parts) > 0 && strings.HasSuffix(parts[len(parts)-1], "/") {
@ -478,6 +487,29 @@ func (r *request) authorize(ctx context.Context, req *http.Request) error {
 	return nil
 }

+func (r *request) addNamespace(ns string) (err error) {
+	if !r.host.isProxy(ns) {
+		return nil
+	}
+	var q url.Values
+	// Parse query
+	if i := strings.IndexByte(r.path, '?'); i > 0 {
+		r.path = r.path[:i+1]
+		q, err = url.ParseQuery(r.path[i+1:])
+		if err != nil {
+			return
+		}
+	} else {
+		r.path = r.path + "?"
+		q = url.Values{}
+	}
+	q.Add("ns", ns)
+
+	r.path = r.path + q.Encode()
+
+	return
+}
+
 type request struct {
 	method string
 	path   string
--- a/vendor/github.com/containerd/containerd/remotes/docker/scope.go
+++ b/vendor/github.com/containerd/containerd/remotes/docker/scope.go
@ -72,8 +72,8 @@ func contextWithAppendPullRepositoryScope(ctx context.Context, repo string) cont
 	return WithScope(ctx, fmt.Sprintf("repository:%s:pull", repo))
 }

-// getTokenScopes returns deduplicated and sorted scopes from ctx.Value(tokenScopesKey{}) and common scopes.
-func getTokenScopes(ctx context.Context, common []string) []string {
+// GetTokenScopes returns deduplicated and sorted scopes from ctx.Value(tokenScopesKey{}) and common scopes.
+func GetTokenScopes(ctx context.Context, common []string) []string {
 	var scopes []string
 	if x := ctx.Value(tokenScopesKey{}); x != nil {
 		scopes = append(scopes, x.([]string)...)
--- a/vendor/github.com/containerd/containerd/services/tasks/local.go
+++ b/vendor/github.com/containerd/containerd/services/tasks/local.go
@ -184,6 +184,11 @@ func (l *local) Create(ctx context.Context, r *api.CreateTaskRequest, _ ...grpc.
 			Options: m.Options,
 		})
 	}
+	if strings.HasPrefix(container.Runtime.Name, "io.containerd.runtime.v1.") {
+		log.G(ctx).Warn("runtime v1 is deprecated since containerd v1.4, consider using runtime v2")
+	} else if container.Runtime.Name == plugin.RuntimeRuncV1 {
+		log.G(ctx).Warnf("%q is deprecated since containerd v1.4, consider using %q", plugin.RuntimeRuncV1, plugin.RuntimeRuncV2)
+	}
 	rtime, err := l.getRuntime(container.Runtime.Name)
 	if err != nil {
 		return nil, err
--- a/vendor/github.com/containerd/containerd/task.go
+++ b/vendor/github.com/containerd/containerd/task.go
@ -35,6 +35,7 @@ import (
 	"github.com/containerd/containerd/errdefs"
 	"github.com/containerd/containerd/images"
 	"github.com/containerd/containerd/mount"
+	"github.com/containerd/containerd/oci"
 	"github.com/containerd/containerd/plugin"
 	"github.com/containerd/containerd/rootfs"
 	"github.com/containerd/containerd/runtime/linux/runctypes"
@ -175,18 +176,26 @@ type Task interface {
 	// For the built in Linux runtime, github.com/containerd/cgroups.Metrics
 	// are returned in protobuf format
 	Metrics(context.Context) (*types.Metric, error)
+	// Spec returns the current OCI specification for the task
+	Spec(context.Context) (*oci.Spec, error)
 }

 var _ = (Task)(&task{})

 type task struct {
 	client *Client
+	c      Container

 	io  cio.IO
 	id  string
 	pid uint32
 }

+// Spec returns the current OCI specification for the task
+func (t *task) Spec(ctx context.Context) (*oci.Spec, error) {
+	return t.c.Spec(ctx)
+}
+
 // ID of the task
 func (t *task) ID() string {
 	return t.id
--- a/vendor/github.com/containerd/containerd/vendor.conf
+++ b/vendor/github.com/containerd/containerd/vendor.conf
@ -4,7 +4,7 @@ github.com/cespare/xxhash/v2                        v2.1.1
 github.com/containerd/btrfs                         153935315f4ab9be5bf03650a1341454b05efa5d
 github.com/containerd/cgroups                       318312a373405e5e91134d8063d04d59768a1bff
 github.com/containerd/console                       v1.0.0
-github.com/containerd/continuity                    d3ef23f19fbb106bb73ffde425d07a9187e30745
+github.com/containerd/continuity                    efbc4488d8fe1bdc16bde3b2d2990d9b3a899165
 github.com/containerd/fifo                          f15a3290365b9d2627d189e619ab4008e0069caf
 github.com/containerd/go-runc                       7016d3ce2328dd2cb1192b2076ebd565c4e8df0c
 github.com/containerd/ttrpc                         v1.0.1
@ -31,7 +31,7 @@ github.com/Microsoft/go-winio                       v0.4.14
 github.com/Microsoft/hcsshim                        v0.8.9
 github.com/opencontainers/go-digest                 v1.0.0
 github.com/opencontainers/image-spec                v1.0.1
-github.com/opencontainers/runc                      v1.0.0-rc91
+github.com/opencontainers/runc                      67169a9d43456ff0d5ae12b967acb8e366e2f181 # v1.0.0-rc91-48-g67169a9d
 github.com/opencontainers/runtime-spec              237cc4f519e2e8f9b235bacccfa8ef5a84df2875 # v1.0.3-0.20200520003142-237cc4f519e2
 github.com/pkg/errors                               v0.9.1
 github.com/prometheus/client_golang                 v1.6.0
@ -57,7 +57,7 @@ gotest.tools/v3                                     v3.0.2
 github.com/cilium/ebpf                              1c8d4c9ef7759622653a1d319284a44652333b28

 # cri dependencies
-github.com/containerd/cri                           8448b92d237e877bed1e4aa7a0baf0dee234dbcb # master
+github.com/containerd/cri                           8871d5cdf8102a7d5989c307f2a366946feb54ee # master
 github.com/davecgh/go-spew                          v1.1.1
 github.com/docker/docker                            4634ce647cf2ce2c6031129ccd109e557244986f
 github.com/docker/spdystream                        449fdfce4d962303d702fec724ef0ad181c92528
@ -68,7 +68,6 @@ github.com/json-iterator/go                         v1.1.9
 github.com/modern-go/concurrent                     1.0.3
 github.com/modern-go/reflect2                       v1.0.1
 github.com/opencontainers/selinux                   v1.6.0
-github.com/seccomp/libseccomp-golang                v0.9.1
 github.com/tchap/go-patricia                        v2.2.6
 github.com/willf/bitset                             d5bec3311243426a3c6d1b7a795f24b17c686dbb # 1.1.10+ used by selinux pkg
 golang.org/x/crypto                                 bac4c82f69751a6dd76e702d54b3ceb88adab236
--- a/vendor/github.com/containerd/containerd/version/version.go
+++ b/vendor/github.com/containerd/containerd/version/version.go
@ -23,7 +23,7 @@ var (
 	Package = "github.com/containerd/containerd"

 	// Version holds the complete version number. Filled in at linking time.
-	Version = "1.4.0-beta.2+unknown"
+	Version = "1.4.0-rc.0+unknown"

 	// Revision is filled with the VCS (e.g. git) revision being used to build
 	// the program at linking time.
--- a/vendor/github.com/containerd/continuity/context.go
+++ b/vendor/github.com/containerd/continuity/context.go
@ -596,7 +596,7 @@ func (c *context) Walk(fn filepath.WalkFunc) error {
 			return err
 		}
 	}
-	return c.pathDriver.Walk(root, func(p string, fi os.FileInfo, err error) error {
+	return c.pathDriver.Walk(root, func(p string, fi os.FileInfo, _ error) error {
 		contained, err := c.containWithRoot(p, root)
 		return fn(contained, fi, err)
 	})
@ -613,12 +613,6 @@ func (c *context) fullpath(p string) (string, error) {
 	return p, nil
 }

-// contain cleans and santizes the filesystem path p to be an absolute path,
-// effectively relative to the context root.
-func (c *context) contain(p string) (string, error) {
-	return c.containWithRoot(p, c.root)
-}
-
 // containWithRoot cleans and santizes the filesystem path p to be an absolute path,
 // effectively relative to the passed root. Extra care should be used when calling this
 // instead of contain. This is needed for Walk, as if context root is a symlink,
--- a/vendor/github.com/containerd/continuity/devices/devices_unix.go
+++ b/vendor/github.com/containerd/continuity/devices/devices_unix.go
@ -32,6 +32,7 @@ func DeviceInfo(fi os.FileInfo) (uint64, uint64, error) {
 		return 0, 0, fmt.Errorf("cannot extract device from os.FileInfo")
 	}

+	//nolint:unconvert
 	dev := uint64(sys.Rdev)
 	return uint64(unix.Major(dev)), uint64(unix.Minor(dev)), nil
 }
--- a/vendor/github.com/containerd/continuity/digests.go
+++ b/vendor/github.com/containerd/continuity/digests.go
@ -88,13 +88,9 @@ func digestsMatch(as, bs []digest.Digest) bool {
 	}

 	disjoint := len(as) + len(bs)
-	if len(uniqified) == disjoint {
-		// if these two sets have the same cardinality, we know both sides
-		// didn't share any digests.
-		return false
-	}
-
-	return true
+	// if these two sets have the same cardinality, we know both sides
+	// didn't share any digests.
+	return len(uniqified) != disjoint
 }

 type digestSlice []digest.Digest
--- a/vendor/github.com/containerd/continuity/driver/driver_windows.go
+++ b/vendor/github.com/containerd/continuity/driver/driver_windows.go
@ -1,3 +1,5 @@
+// +build go1.13
+
 /*
   Copyright The containerd Authors.

@ -14,8 +16,6 @@
   limitations under the License.
 */

-// +build go1.13
-
 // Go 1.13 is the minimally supported version for Windows.
 // Earlier golang releases have bug in os.Readlink
 // (see https://github.com/golang/go/issues/30463).
--- a/vendor/github.com/containerd/continuity/fs/path.go
+++ b/vendor/github.com/containerd/continuity/fs/path.go
@ -117,15 +117,13 @@ func sameFile(f1, f2 *currentPath) (bool, error) {
 		// If the timestamp may have been truncated in both of the
 		// files, check content of file to determine difference
 		if t1.Nanosecond() == 0 && t2.Nanosecond() == 0 {
-			var eq bool
 			if (f1.f.Mode() & os.ModeSymlink) == os.ModeSymlink {
-				eq, err = compareSymlinkTarget(f1.fullPath, f2.fullPath)
-			} else if f1.f.Size() > 0 {
-				eq, err = compareFileContent(f1.fullPath, f2.fullPath)
+				return compareSymlinkTarget(f1.fullPath, f2.fullPath)
 			}
-			if err != nil || !eq {
-				return eq, err
+			if f1.f.Size() == 0 { // if file sizes are zero length, the files are the same by definition
+				return true, nil
 			}
+			return compareFileContent(f1.fullPath, f2.fullPath)
 		} else if t1.Nanosecond() != t2.Nanosecond() {
 			return false, nil
 		}
--- a/vendor/github.com/containerd/continuity/go.mod
+++ b/vendor/github.com/containerd/continuity/go.mod
@ -1,6 +1,6 @@
 module github.com/containerd/continuity

-go 1.11
+go 1.13

 require (
 	bazil.org/fuse v0.0.0-20160811212531-371fbbdaa898
--- a/vendor/github.com/containerd/continuity/groups_unix.go
+++ b/vendor/github.com/containerd/continuity/groups_unix.go
@ -14,6 +14,7 @@
   limitations under the License.
 */

+//nolint:unused,deadcode
 package continuity

 import (
--- a/vendor/github.com/containerd/continuity/hardlinks.go
+++ b/vendor/github.com/containerd/continuity/hardlinks.go
@ -53,7 +53,7 @@ func (hlm *hardlinkManager) Add(fi os.FileInfo, resource Resource) error {
 }

 // Merge processes the current state of the hardlink manager and merges any
-// shared nodes into hardlinked resources.
+// shared nodes into hard linked resources.
 func (hlm *hardlinkManager) Merge() ([]Resource, error) {
 	var resources []Resource
 	for key, linked := range hlm.hardlinks {
--- a/vendor/github.com/containerd/continuity/hardlinks_unix.go
+++ b/vendor/github.com/containerd/continuity/hardlinks_unix.go
@ -48,5 +48,6 @@ func newHardlinkKey(fi os.FileInfo) (hardlinkKey, error) {
 		return hardlinkKey{}, errNotAHardLink
 	}

+	//nolint:unconvert
 	return hardlinkKey{dev: uint64(sys.Dev), inode: uint64(sys.Ino)}, nil
 }
--- a/vendor/github.com/containerd/continuity/manifest.go
+++ b/vendor/github.com/containerd/continuity/manifest.go
@ -114,11 +114,13 @@ func BuildManifest(ctx Context) (*Manifest, error) {
 	}

 	// merge and post-process the hardlinks.
+	// nolint:misspell
 	hardlinked, err := hardlinks.Merge()
 	if err != nil {
 		return nil, err
 	}

+	// nolint:misspell
 	for _, resource := range hardlinked {
 		resourcesByPath[resource.Path()] = resource
 	}
--- a/vendor/github.com/containerd/continuity/sysx/xattr_unsupported.go
+++ b/vendor/github.com/containerd/continuity/sysx/xattr_unsupported.go
@ -23,7 +23,7 @@ import (
 	"runtime"
 )

-var unsupported = errors.New("extended attributes unsupported on " + runtime.GOOS)
+var errUnsupported = errors.New("extended attributes unsupported on " + runtime.GOOS)

 // Listxattr calls syscall listxattr and reads all content
 // and returns a string array
@ -33,17 +33,17 @@ func Listxattr(path string) ([]string, error) {

 // Removexattr calls syscall removexattr
 func Removexattr(path string, attr string) (err error) {
-	return unsupported
+	return errUnsupported
 }

 // Setxattr calls syscall setxattr
 func Setxattr(path string, attr string, data []byte, flags int) (err error) {
-	return unsupported
+	return errUnsupported
 }

 // Getxattr calls syscall getxattr
 func Getxattr(path, attr string) ([]byte, error) {
-	return []byte{}, unsupported
+	return []byte{}, errUnsupported
 }

 // LListxattr lists xattrs, not following symlinks
@ -53,12 +53,12 @@ func LListxattr(path string) ([]string, error) {

 // LRemovexattr removes an xattr, not following symlinks
 func LRemovexattr(path string, attr string) (err error) {
-	return unsupported
+	return errUnsupported
 }

 // LSetxattr sets an xattr, not following symlinks
 func LSetxattr(path string, attr string, data []byte, flags int) (err error) {
-	return unsupported
+	return errUnsupported
 }

 // LGetxattr gets an xattr, not following symlinks
--- a/vendor/github.com/opencontainers/runc/go.mod
+++ b/vendor/github.com/opencontainers/runc/go.mod
@ -4,7 +4,7 @@ go 1.14

 require (
 	github.com/checkpoint-restore/go-criu/v4 v4.0.2
-	github.com/cilium/ebpf v0.0.0-20200507155900-a9f01edf17e3
+	github.com/cilium/ebpf v0.0.0-20200702112145-1c8d4c9ef775
 	github.com/containerd/console v1.0.0
 	github.com/coreos/go-systemd/v22 v22.0.0
 	github.com/cyphar/filepath-securejoin v0.2.2
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_linux.go
@ -126,4 +126,11 @@ type Resources struct {

 	// CpuWeight sets a proportional bandwidth limit.
 	CpuWeight uint64 `json:"cpu_weight"`
+
+	// SkipDevices allows to skip configuring device permissions.
+	// Used by e.g. kubelet while creating a parent cgroup (kubepods)
+	// common for many containers.
+	//
+	// NOTE it is impossible to start a container which has this flag set.
+	SkipDevices bool `json:"skip_devices"`
 }
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/device.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/configs/device.go
@ -1,20 +1,15 @@
 package configs

 import (
-	"errors"
 	"fmt"
 	"os"
 	"strconv"
-
-	"golang.org/x/sys/unix"
 )

 const (
 	Wildcard = -1
 )

-// TODO Windows: This can be factored out in the future
-
 type Device struct {
 	DeviceRule

@ -173,10 +168,3 @@ func (d *DeviceRule) CgroupString() string {
 	}
 	return fmt.Sprintf("%c %s:%s %s", d.Type, major, minor, d.Permissions)
 }
-
-func (d *DeviceRule) Mkdev() (uint64, error) {
-	if d.Major == Wildcard || d.Minor == Wildcard {
-		return 0, errors.New("cannot mkdev() device with wildcards")
-	}
-	return unix.Mkdev(uint32(d.Major), uint32(d.Minor)), nil
-}
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/device_unix.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/configs/device_unix.go
@ -0,0 +1,16 @@
+// +build !windows
+
+package configs
+
+import (
+	"errors"
+
+	"golang.org/x/sys/unix"
+)
+
+func (d *DeviceRule) Mkdev() (uint64, error) {
+	if d.Major == Wildcard || d.Minor == Wildcard {
+		return 0, errors.New("cannot mkdev() device with wildcards")
+	}
+	return unix.Mkdev(uint32(d.Major), uint32(d.Minor)), nil
+}
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/device_windows.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/configs/device_windows.go
@ -0,0 +1,5 @@
+package configs
+
+func (d *DeviceRule) Mkdev() (uint64, error) {
+	return 0, nil
+}
--- a/vendor/github.com/opencontainers/runc/libcontainer/devices/devices.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/devices/devices.go
@ -37,12 +37,12 @@ func DeviceFromPath(path, permissions string) (*configs.Device, error) {
 		major     = unix.Major(devNumber)
 		minor     = unix.Minor(devNumber)
 	)
-	switch {
-	case mode&unix.S_IFBLK == unix.S_IFBLK:
+	switch mode & unix.S_IFMT {
+	case unix.S_IFBLK:
 		devType = configs.BlockDevice
-	case mode&unix.S_IFCHR == unix.S_IFCHR:
+	case unix.S_IFCHR:
 		devType = configs.CharDevice
-	case mode&unix.S_IFIFO == unix.S_IFIFO:
+	case unix.S_IFIFO:
 		devType = configs.FifoDevice
 	default:
 		return nil, ErrNotADevice
@ -104,6 +104,9 @@ func GetDevices(path string) ([]*configs.Device, error) {
 			}
 			return nil, err
 		}
+		if device.Type == configs.FifoDevice {
+			continue
+		}
 		out = append(out, device)
 	}
 	return out, nil
--- a/vendor/github.com/opencontainers/runc/libcontainer/user/user.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/user/user.go
@ -60,7 +60,7 @@ type Group struct {

 // groupFromOS converts an os/user.(*Group) to local Group
 //
-// (This does not include Pass, Shell or Gecos)
+// (This does not include Pass or List)
 func groupFromOS(g *user.Group) (Group, error) {
 	newGroup := Group{
 		Name: g.Name,