diff --git a/vendor.conf b/vendor.conf
index bb3825252..08de42a23 100644
--- a/vendor.conf
+++ b/vendor.conf
@@ -56,7 +56,7 @@ gotest.tools/v3 v3.0.2
 github.com/cilium/ebpf 4032b1d8aae306b7bb94a2a11002932caf88c644
 
 # cri dependencies
-github.com/containerd/cri 62c91260d2f43b57fff408a9263a800b7a06a647 # master
+github.com/containerd/cri 4f8a580795344b0f4c1146a3abce0409962f3890 # master
 github.com/davecgh/go-spew v1.1.1
 github.com/docker/docker 4634ce647cf2ce2c6031129ccd109e557244986f
 github.com/docker/spdystream 449fdfce4d962303d702fec724ef0ad181c92528
@@ -65,7 +65,7 @@ github.com/google/gofuzz v1.1.0
 github.com/json-iterator/go v1.1.8
 github.com/modern-go/concurrent 1.0.3
 github.com/modern-go/reflect2 v1.0.1
-github.com/opencontainers/selinux v1.5.2
+github.com/opencontainers/selinux bb88c45a3863dc4c38320d71b890bb30ef9feba4
 github.com/seccomp/libseccomp-golang v0.9.1
 github.com/stretchr/testify v1.4.0
 github.com/tchap/go-patricia v2.2.6
diff --git a/vendor/github.com/containerd/cri/pkg/config/config.go b/vendor/github.com/containerd/cri/pkg/config/config.go
index 8f4c24ee6..9c8d2e30e 100644
--- a/vendor/github.com/containerd/cri/pkg/config/config.go
+++ b/vendor/github.com/containerd/cri/pkg/config/config.go
@@ -149,6 +149,8 @@ type Registry struct {
 // be a valid url with host specified.
 // DEPRECATED: Use Configs instead. Remove in containerd 1.4.
 Auths map[string]AuthConfig `toml:"auths" json:"auths"`
+ // Headers adds additional HTTP headers that get sent to all registries
+ Headers map[string][]string `toml:"headers" json:"headers"`
 }
 
 // RegistryConfig contains configuration used to communicate with the registry.
@@ -234,6 +236,10 @@ type PluginConfig struct {
 // container requests with huge page limits if the cgroup controller for hugepages is not present.
 // This helps with supporting Kubernetes <=1.18 out of the box. (default is `true`)
 TolerateMissingHugePagesCgroupController bool `toml:"tolerate_missing_hugepages_controller" json:"tolerateMissingHugePagesCgroupController"`
+ // IgnoreImageDefinedVolumes ignores volumes defined by the image. Useful for better resource
+ // isolation, security and early detection of issues in the mount configuration when using
+ // ReadOnlyRootFilesystem since containers won't silently mount a temporary volume.
+ IgnoreImageDefinedVolumes bool `toml:"ignore_image_defined_volumes" json:"ignoreImageDefinedVolumes"`
 }
 
 // X509KeyPairStreaming contains the x509 configuration for streaming
diff --git a/vendor/github.com/containerd/cri/pkg/config/config_unix.go b/vendor/github.com/containerd/cri/pkg/config/config_unix.go
index 4d72dd2f2..ce441c612 100644
--- a/vendor/github.com/containerd/cri/pkg/config/config_unix.go
+++ b/vendor/github.com/containerd/cri/pkg/config/config_unix.go
@@ -66,5 +66,6 @@ func DefaultConfig() PluginConfig {
 MaxConcurrentDownloads: 3,
 DisableProcMount: false,
 TolerateMissingHugePagesCgroupController: true,
+ IgnoreImageDefinedVolumes: false,
 }
 }
diff --git a/vendor/github.com/containerd/cri/pkg/config/config_windows.go b/vendor/github.com/containerd/cri/pkg/config/config_windows.go
index 2a8e3e76f..a5a44a084 100644
--- a/vendor/github.com/containerd/cri/pkg/config/config_windows.go
+++ b/vendor/github.com/containerd/cri/pkg/config/config_windows.go
@@ -64,7 +64,8 @@ func DefaultConfig() PluginConfig {
 },
 },
 },
- MaxConcurrentDownloads: 3,
+ MaxConcurrentDownloads: 3,
+ IgnoreImageDefinedVolumes: false,
 // TODO(windows): Add platform specific config, so that most common defaults can be shared.
 }
 }
diff --git a/vendor/github.com/containerd/cri/pkg/containerd/opts/spec_windows.go b/vendor/github.com/containerd/cri/pkg/containerd/opts/spec_windows.go
index 80b874b08..b0850b8c7 100644
--- a/vendor/github.com/containerd/cri/pkg/containerd/opts/spec_windows.go
+++ b/vendor/github.com/containerd/cri/pkg/containerd/opts/spec_windows.go
@@ -188,3 +188,15 @@ func WithWindowsDefaultSandboxShares(ctx context.Context, client oci.Client, c *
 s.Windows.Resources.CPU.Shares = &i
 return nil
 }
+
+// WithWindowsCredentialSpec assigns `credentialSpec` to the
+// `runtime.Spec.Windows.CredentialSpec` field.
+func WithWindowsCredentialSpec(credentialSpec string) oci.SpecOpts {
+ return func(ctx context.Context, client oci.Client, c *containers.Container, s *runtimespec.Spec) error {
+ if s.Windows == nil {
+ s.Windows = &runtimespec.Windows{}
+ }
+ s.Windows.CredentialSpec = credentialSpec
+ return nil
+ }
+}
diff --git a/vendor/github.com/containerd/cri/pkg/server/container_create.go b/vendor/github.com/containerd/cri/pkg/server/container_create.go
index cbed9e236..12c068518 100644
--- a/vendor/github.com/containerd/cri/pkg/server/container_create.go
+++ b/vendor/github.com/containerd/cri/pkg/server/container_create.go
@@ -137,8 +137,13 @@ func (c *criService) CreateContainer(ctx context.Context, r *runtime.CreateConta
 }
 }()
 
- // Create container volumes mounts.
- volumeMounts := c.volumeMounts(containerRootDir, config.GetMounts(), &image.ImageSpec.Config)
+ var volumeMounts []*runtime.Mount
+ if !c.config.IgnoreImageDefinedVolumes {
+ // Create container image volumes mounts.
+ volumeMounts = c.volumeMounts(containerRootDir, config.GetMounts(), &image.ImageSpec.Config)
+ } else if len(image.ImageSpec.Config.Volumes) != 0 {
+ log.G(ctx).Debugf("Ignoring volumes defined in image %v because IgnoreImageDefinedVolumes is set", image.ID)
+ }
 
 // Generate container mounts.
 mounts := c.containerMounts(sandboxID, config)
diff --git a/vendor/github.com/containerd/cri/pkg/server/container_create_windows.go b/vendor/github.com/containerd/cri/pkg/server/container_create_windows.go
index e8c81808d..86a08d89e 100644
--- a/vendor/github.com/containerd/cri/pkg/server/container_create_windows.go
+++ b/vendor/github.com/containerd/cri/pkg/server/container_create_windows.go
@@ -68,13 +68,30 @@ func (c *criService) containerSpec(id string, sandboxID string, sandboxPid uint3
 specOpts = append(specOpts, customopts.WithWindowsMounts(c.os, config, extraMounts))
 
- specOpts = append(specOpts, customopts.WithWindowsResources(config.GetWindows().GetResources()))
+ // Start with the image config user and override below if RunAsUsername is not "".
+ username := imageConfig.User
 
- username := config.GetWindows().GetSecurityContext().GetRunAsUsername()
- if username != "" {
- specOpts = append(specOpts, oci.WithUser(username))
+ windowsConfig := config.GetWindows()
+ if windowsConfig != nil {
+ specOpts = append(specOpts, customopts.WithWindowsResources(windowsConfig.GetResources()))
+ securityCtx := windowsConfig.GetSecurityContext()
+ if securityCtx != nil {
+ runAsUser := securityCtx.GetRunAsUsername()
+ if runAsUser != "" {
+ username = runAsUser
+ }
+ cs := securityCtx.GetCredentialSpec()
+ if cs != "" {
+ specOpts = append(specOpts, customopts.WithWindowsCredentialSpec(cs))
+ }
+ }
 }
- // TODO(windows): Add CredentialSpec support.
+
+ // There really isn't a good Windows way to verify that the username is available in the
+ // image as early as here like there is for Linux. Later on in the stack hcsshim
+ // will handle the behavior of erroring out if the user isn't available in the image
+ // when trying to run the init process.
+ specOpts = append(specOpts, oci.WithUser(username))
 
 for pKey, pValue := range getPassthroughAnnotations(sandboxConfig.Annotations, ociRuntime.PodAnnotations) {
diff --git a/vendor/github.com/containerd/cri/pkg/server/image_pull.go b/vendor/github.com/containerd/cri/pkg/server/image_pull.go
index 931eaf71a..864b2d0a4 100644
--- a/vendor/github.com/containerd/cri/pkg/server/image_pull.go
+++ b/vendor/github.com/containerd/cri/pkg/server/image_pull.go
@@ -98,7 +98,8 @@ func (c *criService) PullImage(ctx context.Context, r *runtime.PullImageRequest)
 }
 var (
 resolver = docker.NewResolver(docker.ResolverOptions{
- Hosts: c.registryHosts(r.GetAuth()),
+ Headers: c.config.Registry.Headers,
+ Hosts: c.registryHosts(r.GetAuth()),
 })
 isSchema1 bool
 imageHandler containerdimages.HandlerFunc = func(_ context.Context,
diff --git a/vendor/github.com/containerd/cri/pkg/server/sandbox_run.go b/vendor/github.com/containerd/cri/pkg/server/sandbox_run.go
index dd4c51e36..942388369 100644
--- a/vendor/github.com/containerd/cri/pkg/server/sandbox_run.go
+++ b/vendor/github.com/containerd/cri/pkg/server/sandbox_run.go
@@ -414,9 +414,6 @@ func toCNIPortMappings(criPortMappings []*runtime.PortMapping) []cni.PortMapping
 if mapping.HostPort <= 0 {
 continue
 }
- if mapping.Protocol != runtime.Protocol_TCP && mapping.Protocol != runtime.Protocol_UDP {
- continue
- }
 portMappings = append(portMappings, cni.PortMapping{
 HostPort: mapping.HostPort,
 ContainerPort: mapping.ContainerPort,
diff --git a/vendor/github.com/containerd/cri/vendor.conf b/vendor/github.com/containerd/cri/vendor.conf
index 16cdb53b3..564e13e7c 100644
--- a/vendor/github.com/containerd/cri/vendor.conf
+++ b/vendor/github.com/containerd/cri/vendor.conf
@@ -1,6 +1,6 @@
 # cri dependencies
 github.com/docker/docker 4634ce647cf2ce2c6031129ccd109e557244986f
-github.com/opencontainers/selinux v1.5.2
+github.com/opencontainers/selinux bb88c45a3863dc4c38320d71b890bb30ef9feba4
 github.com/tchap/go-patricia v2.2.6
 
 # containerd dependencies
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
index 779e2e3a8..10ac15a85 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
@@ -73,9 +73,9 @@ func InitLabels(options []string) (plabel string, mlabel string, Err error) {
 selinux.ReleaseLabel(processLabel)
 }
 processLabel = pcon.Get()
- mountLabel = mcon.Get()
 selinux.ReserveLabel(processLabel)
 }
+ mountLabel = mcon.Get()
 }
 return processLabel, mountLabel, nil
 }
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
index 9c979e5e2..f22c04b6c 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
@@ -31,6 +31,9 @@ const (
 // Disabled constant to indicate SELinux is disabled
 Disabled = -1
 
+ // DefaultCategoryRange is the upper bound on the category range
+ DefaultCategoryRange = uint32(1024)
+
 contextFile = "/usr/share/containers/selinux/contexts"
 selinuxDir = "/etc/selinux/"
 selinuxConfig = selinuxDir + "config"
@@ -57,6 +60,9 @@ var (
 // InvalidLabel is returned when an invalid label is specified.
 InvalidLabel = errors.New("Invalid Label")
 
+ // CategoryRange allows the upper bound on the category range to be adjusted
+ CategoryRange = DefaultCategoryRange
+
 assignRegex = regexp.MustCompile(`^([^=]+)=(.*)$`)
 roFileLabel string
 state = selinuxState{
@@ -790,7 +796,7 @@ func ContainerLabels() (processLabel string, fileLabel string) {
 func addMcs(processLabel, fileLabel string) (string, string) {
 scon, _ := NewContext(processLabel)
 if scon["level"] != "" {
- mcs := uniqMcs(1024)
+ mcs := uniqMcs(CategoryRange)
 scon["level"] = mcs
 processLabel = scon.Get()
 scon, _ = NewContext(fileLabel)
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
index f9f5e2061..c5fbba2fa 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
@@ -13,6 +13,8 @@ const (
 Permissive = 0
 // Disabled constant to indicate SELinux is disabled
 Disabled = -1
+ // DefaultCategoryRange is the upper bound on the category range
+ DefaultCategoryRange = uint32(1024)
 )
 
 var (
@@ -20,6 +22,8 @@ var (
 ErrMCSAlreadyExists = errors.New("MCS label already exists")
 // ErrEmptyPath is returned when an empty path has been specified.
 ErrEmptyPath = errors.New("empty path")
+ // CategoryRange allows the upper bound on the category range to be adjusted
+ CategoryRange = DefaultCategoryRange
 )
 
 // Context is a representation of the SELinux label broken into 4 parts