diff --git a/vendor.conf b/vendor.conf index de2f5d0b7..25c7423a1 100644 --- a/vendor.conf +++ b/vendor.conf @@ -10,8 +10,8 @@ github.com/BurntSushi/toml v0.3.1 github.com/cespare/xxhash/v2 v2.1.1 github.com/containerd/cgroups 318312a373405e5e91134d8063d04d59768a1bff github.com/containerd/console v1.0.0 -github.com/containerd/containerd d184a0a3430dc4a17a47cce37fb36126ac0c699a -github.com/containerd/continuity d3ef23f19fbb106bb73ffde425d07a9187e30745 +github.com/containerd/containerd v1.4.0-rc.0 +github.com/containerd/continuity efbc4488d8fe1bdc16bde3b2d2990d9b3a899165 github.com/containerd/fifo f15a3290365b9d2627d189e619ab4008e0069caf github.com/containerd/go-runc 7016d3ce2328dd2cb1192b2076ebd565c4e8df0c github.com/containerd/ttrpc v1.0.1 @@ -37,7 +37,7 @@ github.com/Microsoft/go-winio v0.4.14 github.com/Microsoft/hcsshim v0.8.9 github.com/opencontainers/go-digest v1.0.0 github.com/opencontainers/image-spec v1.0.1 -github.com/opencontainers/runc v1.0.0-rc91 +github.com/opencontainers/runc 67169a9d43456ff0d5ae12b967acb8e366e2f181 # v1.0.0-rc91-48-g67169a9d github.com/opencontainers/runtime-spec 237cc4f519e2e8f9b235bacccfa8ef5a84df2875 # v1.0.2-14-g8e2f17c github.com/pkg/errors v0.9.1 github.com/prometheus/client_golang v1.6.0 diff --git a/vendor/github.com/containerd/containerd/container.go b/vendor/github.com/containerd/containerd/container.go index a893364c5..8384a481f 100644 --- a/vendor/github.com/containerd/containerd/container.go +++ b/vendor/github.com/containerd/containerd/container.go @@ -290,6 +290,7 @@ func (c *container) NewTask(ctx context.Context, ioCreate cio.Creator, opts ...N client: c.client, io: i, id: c.id, + c: c, } if info.Checkpoint != nil { request.Checkpoint = info.Checkpoint @@ -407,6 +408,7 @@ func (c *container) loadTask(ctx context.Context, ioAttach cio.Attach) (Task, er io: i, id: response.Process.ID, pid: response.Process.Pid, + c: c, } return t, nil } 
diff --git a/vendor/github.com/containerd/containerd/oci/spec_opts_unix.go b/vendor/github.com/containerd/containerd/oci/spec_opts_unix.go index bcabf0efb..972c11c8f 100644 --- a/vendor/github.com/containerd/containerd/oci/spec_opts_unix.go +++ b/vendor/github.com/containerd/containerd/oci/spec_opts_unix.go @@ -118,3 +118,10 @@ func deviceFromPath(path, permissions string) (*specs.LinuxDevice, error) { GID: &stat.Gid, }, nil } + +// WithCPUCFS sets the container's Completely fair scheduling (CFS) quota and period +func WithCPUCFS(quota int64, period uint64) SpecOpts { + return func(ctx context.Context, _ Client, c *containers.Container, s *Spec) error { + return nil + } +} diff --git a/vendor/github.com/containerd/containerd/remotes/docker/authorizer.go b/vendor/github.com/containerd/containerd/remotes/docker/authorizer.go index 59d989eff..001423a0d 100644 --- a/vendor/github.com/containerd/containerd/remotes/docker/authorizer.go +++ b/vendor/github.com/containerd/containerd/remotes/docker/authorizer.go @@ -273,7 +273,7 @@ func (ah *authHandler) doBearerAuth(ctx context.Context) (string, error) { // copy common tokenOptions to := ah.common - to.scopes = getTokenScopes(ctx, to.scopes) + to.scopes = GetTokenScopes(ctx, to.scopes) // Docs: https://docs.docker.com/registry/spec/auth/scope scoped := strings.Join(to.scopes, " ") diff --git a/vendor/github.com/containerd/containerd/remotes/docker/fetcher.go b/vendor/github.com/containerd/containerd/remotes/docker/fetcher.go index 55c01beaf..cd0168be5 100644 --- a/vendor/github.com/containerd/containerd/remotes/docker/fetcher.go +++ b/vendor/github.com/containerd/containerd/remotes/docker/fetcher.go 
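Review bot: `WithCPUCFS` as added in spec_opts_unix.go accepts `quota` and `period` but returns a SpecOpts that does nothing and reports success, so a caller relying on it for CPU limiting gets an unconstrained container with no signal. The file's build constraints are outside the hunk; if this is the variant for platforms without CFS support, the doc comment should say so, e.g. `// WithCPUCFS is a no-op on this platform; quota and period are ignored.`, or the option should return an error rather than nil. As the file is vendored, the change would need to go upstream.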
@@ -98,6 +98,9 @@ func (r dockerFetcher) Fetch(ctx context.Context, desc ocispec.Descriptor) (io.R var firstErr error for _, host := range r.hosts { req := r.request(host, http.MethodGet, "manifests", desc.Digest.String()) + if err := req.addNamespace(r.refspec.Hostname()); err != nil { + return nil, err + } rc, err := r.open(ctx, req, desc.MediaType, offset) if err != nil { @@ -118,6 +121,9 @@ func (r dockerFetcher) Fetch(ctx context.Context, desc ocispec.Descriptor) (io.R var firstErr error for _, host := range r.hosts { req := r.request(host, http.MethodGet, "blobs", desc.Digest.String()) + if err := req.addNamespace(r.refspec.Hostname()); err != nil { + return nil, err + } rc, err := r.open(ctx, req, desc.MediaType, offset) if err != nil { diff --git a/vendor/github.com/containerd/containerd/remotes/docker/registry.go b/vendor/github.com/containerd/containerd/remotes/docker/registry.go index ffc939b40..7c231d928 100644 --- a/vendor/github.com/containerd/containerd/remotes/docker/registry.go +++ b/vendor/github.com/containerd/containerd/remotes/docker/registry.go @@ -73,6 +73,15 @@ type RegistryHost struct { Header http.Header } +func (h RegistryHost) isProxy(refhost string) bool { + if refhost != h.Host { + if refhost != "docker.io" || h.Host != "registry-1.docker.io" { + return true + } + } + return false +} + // RegistryHosts fetches the registry hosts for a given namespace, // provided by the host component of an distribution image reference. type RegistryHosts func(string) ([]RegistryHost, error) diff --git a/vendor/github.com/containerd/containerd/remotes/docker/resolver.go b/vendor/github.com/containerd/containerd/remotes/docker/resolver.go index 32b6abd90..53e42ecc5 100644 --- a/vendor/github.com/containerd/containerd/remotes/docker/resolver.go +++ b/vendor/github.com/containerd/containerd/remotes/docker/resolver.go @@ -22,6 +22,7 @@ import ( "io" "io/ioutil" "net/http" + "net/url" "path" "strings" 
@@ -276,6 +277,10 @@ func (r *dockerResolver) Resolve(ctx context.Context, ref string) (string, ocisp ctx := log.WithLogger(ctx, log.G(ctx).WithField("host", host.Host)) req := base.request(host, http.MethodHead, u...) + if err := req.addNamespace(base.refspec.Hostname()); err != nil { + return "", ocispec.Descriptor{}, err + } + for key, value := range r.resolveHeader { req.header[key] = append(req.header[key], value...) } @@ -323,6 +328,10 @@ func (r *dockerResolver) Resolve(ctx context.Context, ref string) (string, ocisp log.G(ctx).Debug("no Docker-Content-Digest header, fetching manifest instead") req = base.request(host, http.MethodGet, u...) + if err := req.addNamespace(base.refspec.Hostname()); err != nil { + return "", ocispec.Descriptor{}, err + } + for key, value := range r.resolveHeader { req.header[key] = append(req.header[key], value...) } @@ -416,10 +425,10 @@ func (r *dockerResolver) Pusher(ctx context.Context, ref string) (remotes.Pusher } type dockerBase struct { - refspec reference.Spec - namespace string - hosts []RegistryHost - header http.Header + refspec reference.Spec + repository string + hosts []RegistryHost + header http.Header } func (r *dockerResolver) base(refspec reference.Spec) (*dockerBase, error) { @@ -429,10 +438,10 @@ func (r *dockerResolver) base(refspec reference.Spec) (*dockerBase, error) { return nil, err } return &dockerBase{ - refspec: refspec, - namespace: strings.TrimPrefix(refspec.Locator, host+"/"), - hosts: hosts, - header: r.header, + refspec: refspec, + repository: strings.TrimPrefix(refspec.Locator, host+"/"), + hosts: hosts, + header: r.header, }, nil } 
@@ -453,7 +462,7 @@ func (r *dockerBase) request(host RegistryHost, method string, ps ...string) *re for key, value := range host.Header { header[key] = append(header[key], value...) } - parts := append([]string{"/", host.Path, r.namespace}, ps...) + parts := append([]string{"/", host.Path, r.repository}, ps...) p := path.Join(parts...) // Join strips trailing slash, re-add ending "/" if included if len(parts) > 0 && strings.HasSuffix(parts[len(parts)-1], "/") { @@ -478,6 +487,29 @@ func (r *request) authorize(ctx context.Context, req *http.Request) error { return nil } +func (r *request) addNamespace(ns string) (err error) { + if !r.host.isProxy(ns) { + return nil + } + var q url.Values + // Parse query + if i := strings.IndexByte(r.path, '?'); i > 0 { + r.path = r.path[:i+1] + q, err = url.ParseQuery(r.path[i+1:]) + if err != nil { + return + } + } else { + r.path = r.path + "?" + q = url.Values{} + } + q.Add("ns", ns) + + r.path = r.path + q.Encode() + + return +} + type request struct { method string path string diff --git a/vendor/github.com/containerd/containerd/remotes/docker/scope.go b/vendor/github.com/containerd/containerd/remotes/docker/scope.go index fa8401433..c8541c455 100644 --- a/vendor/github.com/containerd/containerd/remotes/docker/scope.go +++ b/vendor/github.com/containerd/containerd/remotes/docker/scope.go @@ -72,8 +72,8 @@ func contextWithAppendPullRepositoryScope(ctx context.Context, repo string) cont return WithScope(ctx, fmt.Sprintf("repository:%s:pull", repo)) } -// getTokenScopes returns deduplicated and sorted scopes from ctx.Value(tokenScopesKey{}) and common scopes. -func getTokenScopes(ctx context.Context, common []string) []string { +// GetTokenScopes returns deduplicated and sorted scopes from ctx.Value(tokenScopesKey{}) and common scopes. +func GetTokenScopes(ctx context.Context, common []string) []string { var scopes []string if x := ctx.Value(tokenScopesKey{}); x != nil { scopes = append(scopes, x.([]string)...) 
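Review bot: In `addNamespace` the path is truncated with `r.path = r.path[:i+1]` before `url.ParseQuery(r.path[i+1:])` runs, so the slice being parsed is always empty and any query string already on the path is silently dropped when `ns` is appended. Parse first and truncate afterwards: `q, err = url.ParseQuery(r.path[i+1:])`, check the error, then `r.path = r.path[:i+1]`. The named result with a bare `return` also makes the error path harder to follow than an explicit `return err` / `return nil`. The method has no doc comment; one line stating that `ns` is only added for hosts where `isProxy` is true would help. As this is vendored code, the fix belongs upstream.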
diff --git a/vendor/github.com/containerd/containerd/services/tasks/local.go b/vendor/github.com/containerd/containerd/services/tasks/local.go index c93421d1f..e33c30d98 100644 --- a/vendor/github.com/containerd/containerd/services/tasks/local.go +++ b/vendor/github.com/containerd/containerd/services/tasks/local.go @@ -184,6 +184,11 @@ func (l *local) Create(ctx context.Context, r *api.CreateTaskRequest, _ ...grpc. Options: m.Options, }) } + if strings.HasPrefix(container.Runtime.Name, "io.containerd.runtime.v1.") { + log.G(ctx).Warn("runtime v1 is deprecated since containerd v1.4, consider using runtime v2") + } else if container.Runtime.Name == plugin.RuntimeRuncV1 { + log.G(ctx).Warnf("%q is deprecated since containerd v1.4, consider using %q", plugin.RuntimeRuncV1, plugin.RuntimeRuncV2) + } rtime, err := l.getRuntime(container.Runtime.Name) if err != nil { return nil, err diff --git a/vendor/github.com/containerd/containerd/task.go b/vendor/github.com/containerd/containerd/task.go index a0c1dcd5b..ae966ffc4 100644 --- a/vendor/github.com/containerd/containerd/task.go +++ b/vendor/github.com/containerd/containerd/task.go @@ -35,6 +35,7 @@ import ( "github.com/containerd/containerd/errdefs" "github.com/containerd/containerd/images" "github.com/containerd/containerd/mount" + "github.com/containerd/containerd/oci" "github.com/containerd/containerd/plugin" "github.com/containerd/containerd/rootfs" "github.com/containerd/containerd/runtime/linux/runctypes" 
@@ -175,18 +176,26 @@ type Task interface { // For the built in Linux runtime, github.com/containerd/cgroups.Metrics // are returned in protobuf format Metrics(context.Context) (*types.Metric, error) + // Spec returns the current OCI specification for the task + Spec(context.Context) (*oci.Spec, error) } var _ = (Task)(&task{}) type task struct { client *Client + c Container io cio.IO id string pid uint32 } +// Spec returns the current OCI specification for the task +func (t *task) Spec(ctx context.Context) (*oci.Spec, error) { + return t.c.Spec(ctx) +} + // ID of the task func (t *task) ID() string { return t.id diff --git a/vendor/github.com/containerd/containerd/vendor.conf b/vendor/github.com/containerd/containerd/vendor.conf index d9eea905f..b2f332820 100644 --- a/vendor/github.com/containerd/containerd/vendor.conf +++ b/vendor/github.com/containerd/containerd/vendor.conf @@ -4,7 +4,7 @@ github.com/cespare/xxhash/v2 v2.1.1 github.com/containerd/btrfs 153935315f4ab9be5bf03650a1341454b05efa5d github.com/containerd/cgroups 318312a373405e5e91134d8063d04d59768a1bff github.com/containerd/console v1.0.0 -github.com/containerd/continuity d3ef23f19fbb106bb73ffde425d07a9187e30745 +github.com/containerd/continuity efbc4488d8fe1bdc16bde3b2d2990d9b3a899165 github.com/containerd/fifo f15a3290365b9d2627d189e619ab4008e0069caf github.com/containerd/go-runc 7016d3ce2328dd2cb1192b2076ebd565c4e8df0c github.com/containerd/ttrpc v1.0.1 @@ -31,7 +31,7 @@ github.com/Microsoft/go-winio v0.4.14 github.com/Microsoft/hcsshim v0.8.9 github.com/opencontainers/go-digest v1.0.0 github.com/opencontainers/image-spec v1.0.1 -github.com/opencontainers/runc v1.0.0-rc91 +github.com/opencontainers/runc 67169a9d43456ff0d5ae12b967acb8e366e2f181 # v1.0.0-rc91-48-g67169a9d github.com/opencontainers/runtime-spec 237cc4f519e2e8f9b235bacccfa8ef5a84df2875 # v1.0.3-0.20200520003142-237cc4f519e2 github.com/pkg/errors v0.9.1 github.com/prometheus/client_golang v1.6.0 
@@ -57,7 +57,7 @@ gotest.tools/v3 v3.0.2 github.com/cilium/ebpf 1c8d4c9ef7759622653a1d319284a44652333b28 # cri dependencies -github.com/containerd/cri 8448b92d237e877bed1e4aa7a0baf0dee234dbcb # master +github.com/containerd/cri 8871d5cdf8102a7d5989c307f2a366946feb54ee # master github.com/davecgh/go-spew v1.1.1 github.com/docker/docker 4634ce647cf2ce2c6031129ccd109e557244986f github.com/docker/spdystream 449fdfce4d962303d702fec724ef0ad181c92528 @@ -68,7 +68,6 @@ github.com/json-iterator/go v1.1.9 github.com/modern-go/concurrent 1.0.3 github.com/modern-go/reflect2 v1.0.1 github.com/opencontainers/selinux v1.6.0 -github.com/seccomp/libseccomp-golang v0.9.1 github.com/tchap/go-patricia v2.2.6 github.com/willf/bitset d5bec3311243426a3c6d1b7a795f24b17c686dbb # 1.1.10+ used by selinux pkg golang.org/x/crypto bac4c82f69751a6dd76e702d54b3ceb88adab236 diff --git a/vendor/github.com/containerd/containerd/version/version.go b/vendor/github.com/containerd/containerd/version/version.go index 566ee1147..077ca2ffb 100644 --- a/vendor/github.com/containerd/containerd/version/version.go +++ b/vendor/github.com/containerd/containerd/version/version.go @@ -23,7 +23,7 @@ var ( Package = "github.com/containerd/containerd" // Version holds the complete version number. Filled in at linking time. - Version = "1.4.0-beta.2+unknown" + Version = "1.4.0-rc.0+unknown" // Revision is filled with the VCS (e.g. git) revision being used to build // the program at linking time. diff --git a/vendor/github.com/containerd/continuity/context.go b/vendor/github.com/containerd/continuity/context.go index 75c98594a..2166142c7 100644 --- a/vendor/github.com/containerd/continuity/context.go +++ b/vendor/github.com/containerd/continuity/context.go 
@@ -596,7 +596,7 @@ func (c *context) Walk(fn filepath.WalkFunc) error { return err } } - return c.pathDriver.Walk(root, func(p string, fi os.FileInfo, err error) error { + return c.pathDriver.Walk(root, func(p string, fi os.FileInfo, _ error) error { contained, err := c.containWithRoot(p, root) return fn(contained, fi, err) }) @@ -613,12 +613,6 @@ func (c *context) fullpath(p string) (string, error) { return p, nil } -// contain cleans and santizes the filesystem path p to be an absolute path, -// effectively relative to the context root. -func (c *context) contain(p string) (string, error) { - return c.containWithRoot(p, c.root) -} - // containWithRoot cleans and santizes the filesystem path p to be an absolute path, // effectively relative to the passed root. Extra care should be used when calling this // instead of contain. This is needed for Walk, as if context root is a symlink, diff --git a/vendor/github.com/containerd/continuity/devices/devices_unix.go b/vendor/github.com/containerd/continuity/devices/devices_unix.go index 520a5a6f3..950ebf1cd 100644 --- a/vendor/github.com/containerd/continuity/devices/devices_unix.go +++ b/vendor/github.com/containerd/continuity/devices/devices_unix.go @@ -32,6 +32,7 @@ func DeviceInfo(fi os.FileInfo) (uint64, uint64, error) { return 0, 0, fmt.Errorf("cannot extract device from os.FileInfo") } + //nolint:unconvert dev := uint64(sys.Rdev) return uint64(unix.Major(dev)), uint64(unix.Minor(dev)), nil } diff --git a/vendor/github.com/containerd/continuity/digests.go b/vendor/github.com/containerd/continuity/digests.go index bf92275db..c1b699fa7 100644 --- a/vendor/github.com/containerd/continuity/digests.go +++ b/vendor/github.com/containerd/continuity/digests.go 
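Review bot: The callback passed to `c.pathDriver.Walk` now names its third parameter `_`, which makes explicit that the error the walker reports for `p` is discarded and `fn` only ever sees the error from `containWithRoot`. If the driver follows the `filepath.WalkFunc` convention (not visible here), `fi` can be nil when that error is set, so `fn` would receive a nil `FileInfo` together with a nil error and unreadable entries would go unreported. Keeping the parameter and forwarding it first, `if err != nil { return fn(p, fi, err) }`, before the existing `containWithRoot` call would preserve the walk error. Walk's body begins outside the hunk.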
@@ -88,13 +88,9 @@ func digestsMatch(as, bs []digest.Digest) bool { } disjoint := len(as) + len(bs) - if len(uniqified) == disjoint { - // if these two sets have the same cardinality, we know both sides - // didn't share any digests. - return false - } - - return true + // if these two sets have the same cardinality, we know both sides + // didn't share any digests. + return len(uniqified) != disjoint } type digestSlice []digest.Digest diff --git a/vendor/github.com/containerd/continuity/driver/driver_windows.go b/vendor/github.com/containerd/continuity/driver/driver_windows.go index c2a9a3b81..9baea3ba6 100644 --- a/vendor/github.com/containerd/continuity/driver/driver_windows.go +++ b/vendor/github.com/containerd/continuity/driver/driver_windows.go @@ -1,3 +1,5 @@ +// +build go1.13 + /* Copyright The containerd Authors. @@ -14,8 +16,6 @@ limitations under the License. */ -// +build go1.13 - // Go 1.13 is the minimally supported version for Windows. // Earlier golang releases have bug in os.Readlink // (see https://github.com/golang/go/issues/30463). diff --git a/vendor/github.com/containerd/continuity/fs/path.go b/vendor/github.com/containerd/continuity/fs/path.go index 8863caa9d..c26be7989 100644 --- a/vendor/github.com/containerd/continuity/fs/path.go +++ b/vendor/github.com/containerd/continuity/fs/path.go 
@@ -117,15 +117,13 @@ func sameFile(f1, f2 *currentPath) (bool, error) { // If the timestamp may have been truncated in both of the // files, check content of file to determine difference if t1.Nanosecond() == 0 && t2.Nanosecond() == 0 { - var eq bool if (f1.f.Mode() & os.ModeSymlink) == os.ModeSymlink { - eq, err = compareSymlinkTarget(f1.fullPath, f2.fullPath) - } else if f1.f.Size() > 0 { - eq, err = compareFileContent(f1.fullPath, f2.fullPath) + return compareSymlinkTarget(f1.fullPath, f2.fullPath) } - if err != nil || !eq { - return eq, err + if f1.f.Size() == 0 { // if file sizes are zero length, the files are the same by definition + return true, nil } + return compareFileContent(f1.fullPath, f2.fullPath) } else if t1.Nanosecond() != t2.Nanosecond() { return false, nil } diff --git a/vendor/github.com/containerd/continuity/go.mod b/vendor/github.com/containerd/continuity/go.mod index 86a7f148c..75a061aaa 100644 --- a/vendor/github.com/containerd/continuity/go.mod +++ b/vendor/github.com/containerd/continuity/go.mod @@ -1,6 +1,6 @@ module github.com/containerd/continuity -go 1.11 +go 1.13 require ( bazil.org/fuse v0.0.0-20160811212531-371fbbdaa898 diff --git a/vendor/github.com/containerd/continuity/groups_unix.go b/vendor/github.com/containerd/continuity/groups_unix.go index 022d8ab78..7b8676749 100644 --- a/vendor/github.com/containerd/continuity/groups_unix.go +++ b/vendor/github.com/containerd/continuity/groups_unix.go @@ -14,6 +14,7 @@ limitations under the License. */ +//nolint:unused,deadcode package continuity import ( diff --git a/vendor/github.com/containerd/continuity/hardlinks.go b/vendor/github.com/containerd/continuity/hardlinks.go index d493dd777..e72c0e72c 100644 --- a/vendor/github.com/containerd/continuity/hardlinks.go +++ b/vendor/github.com/containerd/continuity/hardlinks.go 
@@ -53,7 +53,7 @@ func (hlm *hardlinkManager) Add(fi os.FileInfo, resource Resource) error { } // Merge processes the current state of the hardlink manager and merges any -// shared nodes into hardlinked resources. +// shared nodes into hard linked resources. func (hlm *hardlinkManager) Merge() ([]Resource, error) { var resources []Resource for key, linked := range hlm.hardlinks { diff --git a/vendor/github.com/containerd/continuity/hardlinks_unix.go b/vendor/github.com/containerd/continuity/hardlinks_unix.go index a15d1759e..7105a7cf5 100644 --- a/vendor/github.com/containerd/continuity/hardlinks_unix.go +++ b/vendor/github.com/containerd/continuity/hardlinks_unix.go @@ -48,5 +48,6 @@ func newHardlinkKey(fi os.FileInfo) (hardlinkKey, error) { return hardlinkKey{}, errNotAHardLink } + //nolint:unconvert return hardlinkKey{dev: uint64(sys.Dev), inode: uint64(sys.Ino)}, nil } diff --git a/vendor/github.com/containerd/continuity/manifest.go b/vendor/github.com/containerd/continuity/manifest.go index 8074bbfbb..299fbccee 100644 --- a/vendor/github.com/containerd/continuity/manifest.go +++ b/vendor/github.com/containerd/continuity/manifest.go @@ -114,11 +114,13 @@ func BuildManifest(ctx Context) (*Manifest, error) { } // merge and post-process the hardlinks. + // nolint:misspell hardlinked, err := hardlinks.Merge() if err != nil { return nil, err } + // nolint:misspell for _, resource := range hardlinked { resourcesByPath[resource.Path()] = resource } diff --git a/vendor/github.com/containerd/continuity/sysx/xattr_unsupported.go b/vendor/github.com/containerd/continuity/sysx/xattr_unsupported.go index c9ef3a1d2..f8fa8c63f 100644 --- a/vendor/github.com/containerd/continuity/sysx/xattr_unsupported.go +++ b/vendor/github.com/containerd/continuity/sysx/xattr_unsupported.go 
@@ -23,7 +23,7 @@ import ( "runtime" ) -var unsupported = errors.New("extended attributes unsupported on " + runtime.GOOS) +var errUnsupported = errors.New("extended attributes unsupported on " + runtime.GOOS) // Listxattr calls syscall listxattr and reads all content // and returns a string array @@ -33,17 +33,17 @@ func Listxattr(path string) ([]string, error) { // Removexattr calls syscall removexattr func Removexattr(path string, attr string) (err error) { - return unsupported + return errUnsupported } // Setxattr calls syscall setxattr func Setxattr(path string, attr string, data []byte, flags int) (err error) { - return unsupported + return errUnsupported } // Getxattr calls syscall getxattr func Getxattr(path, attr string) ([]byte, error) { - return []byte{}, unsupported + return []byte{}, errUnsupported } // LListxattr lists xattrs, not following symlinks @@ -53,12 +53,12 @@ func LListxattr(path string) ([]string, error) { // LRemovexattr removes an xattr, not following symlinks func LRemovexattr(path string, attr string) (err error) { - return unsupported + return errUnsupported } // LSetxattr sets an xattr, not following symlinks func LSetxattr(path string, attr string, data []byte, flags int) (err error) { - return unsupported + return errUnsupported } // LGetxattr gets an xattr, not following symlinks diff --git a/vendor/github.com/opencontainers/runc/go.mod b/vendor/github.com/opencontainers/runc/go.mod index 3c6f6d47e..44b8777c1 100644 --- a/vendor/github.com/opencontainers/runc/go.mod +++ b/vendor/github.com/opencontainers/runc/go.mod @@ -4,7 +4,7 @@ go 1.14 require ( github.com/checkpoint-restore/go-criu/v4 v4.0.2 - github.com/cilium/ebpf v0.0.0-20200507155900-a9f01edf17e3 + github.com/cilium/ebpf v0.0.0-20200702112145-1c8d4c9ef775 github.com/containerd/console v1.0.0 github.com/coreos/go-systemd/v22 v22.0.0 github.com/cyphar/filepath-securejoin v0.2.2 
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_linux.go index f1a5bd11f..6e90ae16b 100644 --- a/vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_linux.go +++ b/vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_linux.go @@ -126,4 +126,11 @@ type Resources struct { // CpuWeight sets a proportional bandwidth limit. CpuWeight uint64 `json:"cpu_weight"` + + // SkipDevices allows to skip configuring device permissions. + // Used by e.g. kubelet while creating a parent cgroup (kubepods) + // common for many containers. + // + // NOTE it is impossible to start a container which has this flag set. + SkipDevices bool `json:"skip_devices"` } diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/device.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/device.go index 24c5bbfa6..632bf6ac4 100644 --- a/vendor/github.com/opencontainers/runc/libcontainer/configs/device.go +++ b/vendor/github.com/opencontainers/runc/libcontainer/configs/device.go @@ -1,20 +1,15 @@ package configs import ( - "errors" "fmt" "os" "strconv" - - "golang.org/x/sys/unix" ) const ( Wildcard = -1 ) -// TODO Windows: This can be factored out in the future - type Device struct { DeviceRule @@ -173,10 +168,3 @@ func (d *DeviceRule) CgroupString() string { } return fmt.Sprintf("%c %s:%s %s", d.Type, major, minor, d.Permissions) } - -func (d *DeviceRule) Mkdev() (uint64, error) { - if d.Major == Wildcard || d.Minor == Wildcard { - return 0, errors.New("cannot mkdev() device with wildcards") - } - return unix.Mkdev(uint32(d.Major), uint32(d.Minor)), nil -} diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/device_unix.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/device_unix.go new file mode 100644 index 000000000..650c46848 --- /dev/null 
+++ b/vendor/github.com/opencontainers/runc/libcontainer/configs/device_unix.go @@ -0,0 +1,16 @@ +// +build !windows + +package configs + +import ( + "errors" + + "golang.org/x/sys/unix" +) + +func (d *DeviceRule) Mkdev() (uint64, error) { + if d.Major == Wildcard || d.Minor == Wildcard { + return 0, errors.New("cannot mkdev() device with wildcards") + } + return unix.Mkdev(uint32(d.Major), uint32(d.Minor)), nil +} diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/device_windows.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/device_windows.go new file mode 100644 index 000000000..729289393 --- /dev/null +++ b/vendor/github.com/opencontainers/runc/libcontainer/configs/device_windows.go @@ -0,0 +1,5 @@ +package configs + +func (d *DeviceRule) Mkdev() (uint64, error) { + return 0, nil +} diff --git a/vendor/github.com/opencontainers/runc/libcontainer/devices/devices.go b/vendor/github.com/opencontainers/runc/libcontainer/devices/devices.go index 702f913ec..79f89c2d7 100644 --- a/vendor/github.com/opencontainers/runc/libcontainer/devices/devices.go +++ b/vendor/github.com/opencontainers/runc/libcontainer/devices/devices.go @@ -37,12 +37,12 @@ func DeviceFromPath(path, permissions string) (*configs.Device, error) { major = unix.Major(devNumber) minor = unix.Minor(devNumber) ) - switch { - case mode&unix.S_IFBLK == unix.S_IFBLK: + switch mode & unix.S_IFMT { + case unix.S_IFBLK: devType = configs.BlockDevice - case mode&unix.S_IFCHR == unix.S_IFCHR: + case unix.S_IFCHR: devType = configs.CharDevice - case mode&unix.S_IFIFO == unix.S_IFIFO: + case unix.S_IFIFO: devType = configs.FifoDevice default: return nil, ErrNotADevice @@ -104,6 +104,9 @@ func GetDevices(path string) ([]*configs.Device, error) { } return nil, err } + if device.Type == configs.FifoDevice { + continue + } out = append(out, device) } return out, nil 
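Review bot: The Windows stub of `Mkdev` in device_windows.go returns `0, nil`, so a caller cannot distinguish an unsupported platform from a real device number of zero, and the wildcard rejection done by the Unix version is lost. Unless Windows callers depend on the nil error, returning one keeps the two variants consistent, e.g. `return 0, errors.New("mkdev is not supported on windows")` with `errors` imported. Neither variant carries a doc comment; `// Mkdev returns the device number for the rule's major and minor, or an error if either is a wildcard.` would fit the Unix one.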
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/user/user.go b/vendor/github.com/opencontainers/runc/libcontainer/user/user.go index de30982ba..4b89dad73 100644 --- a/vendor/github.com/opencontainers/runc/libcontainer/user/user.go +++ b/vendor/github.com/opencontainers/runc/libcontainer/user/user.go @@ -60,7 +60,7 @@ type Group struct { // groupFromOS converts an os/user.(*Group) to local Group // -// (This does not include Pass, Shell or Gecos) +// (This does not include Pass or List) func groupFromOS(g *user.Group) (Group, error) { newGroup := Group{ Name: g.Name,