Update containerd to v1.1.0-rc.1

Signed-off-by: Lantao Liu <lantaol@google.com>

vendor.conf

@@ -4,7 +4,7 @@ github.com/boltdb/bolt e9cf4fae01b5a8ff89d0ec6b32f0d9c9f79aefdd
 github.com/BurntSushi/toml a368813c5e648fee92e5f6c30e3944ff9d5e8895
 github.com/containerd/cgroups fe281dd265766145e943a034aa41086474ea6130
 github.com/containerd/console cb7008ab3d8359b78c5f464cb7cf160107ad5925
-github.com/containerd/containerd d1b3ea406130fdb7284f14a8754b2272f2537c4c
+github.com/containerd/containerd v1.1.0-rc.1
 github.com/containerd/continuity 3e8f2ea4b190484acb976a5b378d373429639a1a
 github.com/containerd/fifo 3d5202aec260678c48179c56f40e6f38a095738c
 github.com/containerd/go-runc bcb223a061a3dd7de1a89c0b402a60f4dd9bd307

vendor/github.com/containerd/containerd/cmd/ctr/commands/run/run.go

@@ -68,6 +68,10 @@ var ContainerFlags = []cli.Flag{
 		Name:  "net-host",
 		Usage: "enable host networking for the container",
 	},
+	cli.BoolFlag{
+		Name:  "privileged",
+		Usage: "run privileged container",
+	},
 	cli.BoolFlag{
 		Name:  "read-only",
 		Usage: "set the containers filesystem as readonly",

vendor/github.com/containerd/containerd/cmd/ctr/commands/run/run_unix.go

@@ -103,6 +103,9 @@ func NewContainer(ctx gocontext.Context, client *containerd.Client, context *cli
 	if context.Bool("tty") {
 		opts = append(opts, oci.WithTTY)
 	}
+	if context.Bool("privileged") {
+		opts = append(opts, oci.WithPrivileged)
+	}
 	if context.Bool("net-host") {
 		opts = append(opts, oci.WithHostNamespace(specs.NetworkNamespace), oci.WithHostHostsFile, oci.WithHostResolvconf)
 	}

vendor/github.com/containerd/containerd/oci/spec_opts.go

@@ -27,6 +27,18 @@ import (
 // SpecOpts sets spec specific information to a newly generated OCI spec
 type SpecOpts func(context.Context, Client, *containers.Container, *specs.Spec) error
 
+// Compose converts a sequence of spec operations into a single operation
+func Compose(opts ...SpecOpts) SpecOpts {
+	return func(ctx context.Context, client Client, c *containers.Container, s *specs.Spec) error {
+		for _, o := range opts {
+			if err := o(ctx, client, c, s); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+}
+
 // setProcess sets Process to empty if unset
 func setProcess(s *specs.Spec) {
 	if s.Process == nil {

vendor/github.com/containerd/containerd/oci/spec_opts_unix.go

@@ -443,20 +443,23 @@ func WithUsername(username string) SpecOpts {
 	}
 }
 
-// WithAllCapabilities set all linux capabilities for the process
+// WithCapabilities sets Linux capabilities on the process
-func WithAllCapabilities(_ context.Context, _ Client, _ *containers.Container, s *specs.Spec) error {
+func WithCapabilities(caps []string) SpecOpts {
+	return func(_ context.Context, _ Client, _ *containers.Container, s *specs.Spec) error {
 		setCapabilities(s)
 
-	caps := getAllCapabilities()
-
 		s.Process.Capabilities.Bounding = caps
 		s.Process.Capabilities.Effective = caps
 		s.Process.Capabilities.Permitted = caps
 		s.Process.Capabilities.Inheritable = caps
 
 		return nil
+	}
 }
 
+// WithAllCapabilities sets all linux capabilities for the process
+var WithAllCapabilities = WithCapabilities(getAllCapabilities())
+
 func getAllCapabilities() []string {
 	last := capability.CAP_LAST_CAP
 	// hack for RHEL6 which has no /proc/sys/kernel/cap_last_cap
@@ -512,3 +515,93 @@ func getGIDFromPath(root string, filter func(user.Group) bool) (gid uint32, err
 func isRootfsAbs(root string) bool {
 	return filepath.IsAbs(root)
 }
+
+// WithMaskedPaths sets the masked paths option
+func WithMaskedPaths(paths []string) SpecOpts {
+	return func(_ context.Context, _ Client, _ *containers.Container, s *specs.Spec) error {
+		setLinux(s)
+		s.Linux.MaskedPaths = paths
+		return nil
+	}
+}
+
+// WithReadonlyPaths sets the read only paths option
+func WithReadonlyPaths(paths []string) SpecOpts {
+	return func(_ context.Context, _ Client, _ *containers.Container, s *specs.Spec) error {
+		setLinux(s)
+		s.Linux.ReadonlyPaths = paths
+		return nil
+	}
+}
+
+// WithWriteableSysfs makes any sysfs mounts writeable
+func WithWriteableSysfs(_ context.Context, _ Client, _ *containers.Container, s *specs.Spec) error {
+	for i, m := range s.Mounts {
+		if m.Type == "sysfs" {
+			var options []string
+			for _, o := range m.Options {
+				if o == "ro" {
+					o = "rw"
+				}
+				options = append(options, o)
+			}
+			s.Mounts[i].Options = options
+		}
+	}
+	return nil
+}
+
+// WithWriteableCgroupfs makes any cgroup mounts writeable
+func WithWriteableCgroupfs(_ context.Context, _ Client, _ *containers.Container, s *specs.Spec) error {
+	for i, m := range s.Mounts {
+		if m.Type == "cgroup" {
+			var options []string
+			for _, o := range m.Options {
+				if o == "ro" {
+					o = "rw"
+				}
+				options = append(options, o)
+			}
+			s.Mounts[i].Options = options
+		}
+	}
+	return nil
+}
+
+// WithSelinuxLabel sets the process SELinux label
+func WithSelinuxLabel(label string) SpecOpts {
+	return func(_ context.Context, _ Client, _ *containers.Container, s *specs.Spec) error {
+		setProcess(s)
+		s.Process.SelinuxLabel = label
+		return nil
+	}
+}
+
+// WithApparmorProfile sets the Apparmor profile for the process
+func WithApparmorProfile(profile string) SpecOpts {
+	return func(_ context.Context, _ Client, _ *containers.Container, s *specs.Spec) error {
+		setProcess(s)
+		s.Process.ApparmorProfile = profile
+		return nil
+	}
+}
+
+// WithSeccompUnconfined clears the seccomp profile
+func WithSeccompUnconfined(_ context.Context, _ Client, _ *containers.Container, s *specs.Spec) error {
+	setLinux(s)
+	s.Linux.Seccomp = nil
+	return nil
+}
+
+// WithPrivileged sets up options for a privileged container
+// TODO(justincormack) device handling
+var WithPrivileged = Compose(
+	WithAllCapabilities,
+	WithMaskedPaths(nil),
+	WithReadonlyPaths(nil),
+	WithWriteableSysfs,
+	WithWriteableCgroupfs,
+	WithSelinuxLabel(""),
+	WithApparmorProfile(""),
+	WithSeccompUnconfined,
+)

vendor/github.com/containerd/containerd/vendor.conf

@@ -43,7 +43,7 @@ github.com/gotestyourself/gotestyourself 44dbf532bbf5767611f6f2a61bded572e337010
 github.com/google/go-cmp v0.1.0
 
 # cri dependencies
-github.com/containerd/cri v1.0.0-rc.0
+github.com/containerd/cri v1.0.0-rc.1
 github.com/containerd/go-cni f2d7272f12d045b16ed924f50e91f9f9cecc55a7
 github.com/blang/semver v3.1.0
 github.com/containernetworking/cni v0.6.0
@@ -68,11 +68,11 @@ golang.org/x/crypto 49796115aa4b964c318aad4f3084fdb41e9aa067
 golang.org/x/time f51c12702a4d776e4c1fa9b0fabab841babae631
 gopkg.in/inf.v0 3887ee99ecf07df5b447e9b00d9c0b2adaa9f3e4
 gopkg.in/yaml.v2 53feefa2559fb8dfa8d81baad31be332c97d6c77
-k8s.io/api 5584376ceeffeb13a2e98b5e9f0e9dab37de4bab
+k8s.io/api 7e796de92438aede7cb5d6bcf6c10f4fa65db560
 k8s.io/apimachinery fcb9a12f7875d01f8390b28faedc37dcf2e713b9
-k8s.io/apiserver 837069aa36757a586e4a8165f1ff5ca06170aa4a
+k8s.io/apiserver 4a8377c547bbff4576a35b5b5bf4026d9b5aa763
-k8s.io/client-go 484f27892430b961df38fe6715cc396409207d9f
+k8s.io/client-go b9a0cf870f239c4a4ecfd3feb075a50e7cbe1473
-k8s.io/kubernetes v1.10.0-rc.1
+k8s.io/kubernetes v1.10.0
 k8s.io/utils 258e2a2fa64568210fbd6267cf1d8fd87c3cb86e
 
 # zfs dependencies

vendor/github.com/containerd/containerd/version/version.go

@@ -21,7 +21,7 @@ var (
 	Package = "github.com/containerd/containerd"
 
 	// Version holds the complete version number. Filled in at linking time.
-	Version = "1.1.0-rc.0+unknown"
+	Version = "1.1.0-rc.1+unknown"
 
 	// Revision is filled with the VCS (e.g. git) revision being used to build
 	// the program at linking time.