Bump CRI for 1.4x release

includes selinux bump.

Signed-off-by: Michael Crosby <michael@thepasture.io>

vendor.conf

@@ -56,7 +56,7 @@ gotest.tools/v3                                     v3.0.2
 github.com/cilium/ebpf                              4032b1d8aae306b7bb94a2a11002932caf88c644
 
 # cri dependencies
-github.com/containerd/cri                           62c91260d2f43b57fff408a9263a800b7a06a647 # master
+github.com/containerd/cri                           4f8a580795344b0f4c1146a3abce0409962f3890 # master
 github.com/davecgh/go-spew                          v1.1.1
 github.com/docker/docker                            4634ce647cf2ce2c6031129ccd109e557244986f
 github.com/docker/spdystream                        449fdfce4d962303d702fec724ef0ad181c92528
@@ -65,7 +65,7 @@ github.com/google/gofuzz                            v1.1.0
 github.com/json-iterator/go                         v1.1.8
 github.com/modern-go/concurrent                     1.0.3
 github.com/modern-go/reflect2                       v1.0.1
-github.com/opencontainers/selinux                   v1.5.2
+github.com/opencontainers/selinux                   bb88c45a3863dc4c38320d71b890bb30ef9feba4
 github.com/seccomp/libseccomp-golang                v0.9.1
 github.com/stretchr/testify                         v1.4.0
 github.com/tchap/go-patricia                        v2.2.6

vendor/github.com/containerd/cri/pkg/config/config.go

@@ -149,6 +149,8 @@ type Registry struct {
 	// be a valid url with host specified.
 	// DEPRECATED: Use Configs instead. Remove in containerd 1.4.
 	Auths map[string]AuthConfig `toml:"auths" json:"auths"`
+	// Headers adds additional HTTP headers that get sent to all registries
+	Headers map[string][]string `toml:"headers" json:"headers"`
 }
 
 // RegistryConfig contains configuration used to communicate with the registry.
@@ -234,6 +236,10 @@ type PluginConfig struct {
 	// container requests with huge page limits if the cgroup controller for hugepages is not present.
 	// This helps with supporting Kubernetes <=1.18 out of the box. (default is `true`)
 	TolerateMissingHugePagesCgroupController bool `toml:"tolerate_missing_hugepages_controller" json:"tolerateMissingHugePagesCgroupController"`
+	// IgnoreImageDefinedVolumes ignores volumes defined by the image. Useful for better resource
+	// isolation, security and early detection of issues in the mount configuration when using
+	// ReadOnlyRootFilesystem since containers won't silently mount a temporary volume.
+	IgnoreImageDefinedVolumes bool `toml:"ignore_image_defined_volumes" json:"ignoreImageDefinedVolumes"`
 }
 
 // X509KeyPairStreaming contains the x509 configuration for streaming

vendor/github.com/containerd/cri/pkg/config/config_unix.go

@@ -66,5 +66,6 @@ func DefaultConfig() PluginConfig {
 		MaxConcurrentDownloads:                   3,
 		DisableProcMount:                         false,
 		TolerateMissingHugePagesCgroupController: true,
+		IgnoreImageDefinedVolumes:                false,
 	}
 }

vendor/github.com/containerd/cri/pkg/config/config_windows.go

@@ -64,7 +64,8 @@ func DefaultConfig() PluginConfig {
 				},
 			},
 		},
-		MaxConcurrentDownloads: 3,
+		MaxConcurrentDownloads:    3,
+		IgnoreImageDefinedVolumes: false,
 		// TODO(windows): Add platform specific config, so that most common defaults can be shared.
 	}
 }

vendor/github.com/containerd/cri/pkg/containerd/opts/spec_windows.go

@@ -188,3 +188,15 @@ func WithWindowsDefaultSandboxShares(ctx context.Context, client oci.Client, c *
 	s.Windows.Resources.CPU.Shares = &i
 	return nil
 }
+
+// WithWindowsCredentialSpec assigns `credentialSpec` to the
+// `runtime.Spec.Windows.CredentialSpec` field.
+func WithWindowsCredentialSpec(credentialSpec string) oci.SpecOpts {
+	return func(ctx context.Context, client oci.Client, c *containers.Container, s *runtimespec.Spec) error {
+		if s.Windows == nil {
+			s.Windows = &runtimespec.Windows{}
+		}
+		s.Windows.CredentialSpec = credentialSpec
+		return nil
+	}
+}

vendor/github.com/containerd/cri/pkg/server/container_create.go

@@ -137,8 +137,13 @@ func (c *criService) CreateContainer(ctx context.Context, r *runtime.CreateConta
 		}
 	}()
 
-	// Create container volumes mounts.
+	var volumeMounts []*runtime.Mount
-	volumeMounts := c.volumeMounts(containerRootDir, config.GetMounts(), &image.ImageSpec.Config)
+	if !c.config.IgnoreImageDefinedVolumes {
+		// Create container image volumes mounts.
+		volumeMounts = c.volumeMounts(containerRootDir, config.GetMounts(), &image.ImageSpec.Config)
+	} else if len(image.ImageSpec.Config.Volumes) != 0 {
+		log.G(ctx).Debugf("Ignoring volumes defined in image %v because IgnoreImageDefinedVolumes is set", image.ID)
+	}
 
 	// Generate container mounts.
 	mounts := c.containerMounts(sandboxID, config)

vendor/github.com/containerd/cri/pkg/server/container_create_windows.go

@@ -68,13 +68,30 @@ func (c *criService) containerSpec(id string, sandboxID string, sandboxPid uint3
 
 	specOpts = append(specOpts, customopts.WithWindowsMounts(c.os, config, extraMounts))
 
-	specOpts = append(specOpts, customopts.WithWindowsResources(config.GetWindows().GetResources()))
+	// Start with the image config user and override below if RunAsUsername is not "".
+	username := imageConfig.User
 
-	username := config.GetWindows().GetSecurityContext().GetRunAsUsername()
+	windowsConfig := config.GetWindows()
-	if username != "" {
+	if windowsConfig != nil {
-		specOpts = append(specOpts, oci.WithUser(username))
+		specOpts = append(specOpts, customopts.WithWindowsResources(windowsConfig.GetResources()))
+		securityCtx := windowsConfig.GetSecurityContext()
+		if securityCtx != nil {
+			runAsUser := securityCtx.GetRunAsUsername()
+			if runAsUser != "" {
+				username = runAsUser
+			}
+			cs := securityCtx.GetCredentialSpec()
+			if cs != "" {
+				specOpts = append(specOpts, customopts.WithWindowsCredentialSpec(cs))
+			}
+		}
 	}
-	// TODO(windows): Add CredentialSpec support.
+
+	// There really isn't a good Windows way to verify that the username is available in the
+	// image as early as here like there is for Linux. Later on in the stack hcsshim
+	// will handle the behavior of erroring out if the user isn't available in the image
+	// when trying to run the init process.
+	specOpts = append(specOpts, oci.WithUser(username))
 
 	for pKey, pValue := range getPassthroughAnnotations(sandboxConfig.Annotations,
 		ociRuntime.PodAnnotations) {

vendor/github.com/containerd/cri/pkg/server/image_pull.go

@@ -98,7 +98,8 @@ func (c *criService) PullImage(ctx context.Context, r *runtime.PullImageRequest)
 	}
 	var (
 		resolver = docker.NewResolver(docker.ResolverOptions{
-			Hosts: c.registryHosts(r.GetAuth()),
+			Headers: c.config.Registry.Headers,
+			Hosts:   c.registryHosts(r.GetAuth()),
 		})
 		isSchema1    bool
 		imageHandler containerdimages.HandlerFunc = func(_ context.Context,

vendor/github.com/containerd/cri/pkg/server/sandbox_run.go

@@ -414,9 +414,6 @@ func toCNIPortMappings(criPortMappings []*runtime.PortMapping) []cni.PortMapping
 		if mapping.HostPort <= 0 {
 			continue
 		}
-		if mapping.Protocol != runtime.Protocol_TCP && mapping.Protocol != runtime.Protocol_UDP {
-			continue
-		}
 		portMappings = append(portMappings, cni.PortMapping{
 			HostPort:      mapping.HostPort,
 			ContainerPort: mapping.ContainerPort,

vendor/github.com/containerd/cri/vendor.conf

@@ -1,6 +1,6 @@
 # cri dependencies
 github.com/docker/docker                            4634ce647cf2ce2c6031129ccd109e557244986f
-github.com/opencontainers/selinux                   v1.5.2
+github.com/opencontainers/selinux                   bb88c45a3863dc4c38320d71b890bb30ef9feba4
 github.com/tchap/go-patricia                        v2.2.6
 
 # containerd dependencies

vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go

@@ -73,9 +73,9 @@ func InitLabels(options []string) (plabel string, mlabel string, Err error) {
 				selinux.ReleaseLabel(processLabel)
 			}
 			processLabel = pcon.Get()
-			mountLabel = mcon.Get()
 			selinux.ReserveLabel(processLabel)
 		}
+		mountLabel = mcon.Get()
 	}
 	return processLabel, mountLabel, nil
 }

vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go

@@ -31,6 +31,9 @@ const (
 	// Disabled constant to indicate SELinux is disabled
 	Disabled = -1
 
+	// DefaultCategoryRange is the upper bound on the category range
+	DefaultCategoryRange = uint32(1024)
+
 	contextFile      = "/usr/share/containers/selinux/contexts"
 	selinuxDir       = "/etc/selinux/"
 	selinuxConfig    = selinuxDir + "config"
@@ -57,6 +60,9 @@ var (
 	// InvalidLabel is returned when an invalid label is specified.
 	InvalidLabel = errors.New("Invalid Label")
 
+	// CategoryRange allows the upper bound on the category range to be adjusted
+	CategoryRange = DefaultCategoryRange
+
 	assignRegex = regexp.MustCompile(`^([^=]+)=(.*)$`)
 	roFileLabel string
 	state       = selinuxState{
@@ -790,7 +796,7 @@ func ContainerLabels() (processLabel string, fileLabel string) {
 func addMcs(processLabel, fileLabel string) (string, string) {
 	scon, _ := NewContext(processLabel)
 	if scon["level"] != "" {
-		mcs := uniqMcs(1024)
+		mcs := uniqMcs(CategoryRange)
 		scon["level"] = mcs
 		processLabel = scon.Get()
 		scon, _ = NewContext(fileLabel)

vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go

@@ -13,6 +13,8 @@ const (
 	Permissive = 0
 	// Disabled constant to indicate SELinux is disabled
 	Disabled = -1
+	// DefaultCategoryRange is the upper bound on the category range
+	DefaultCategoryRange = uint32(1024)
 )
 
 var (
@@ -20,6 +22,8 @@ var (
 	ErrMCSAlreadyExists = errors.New("MCS label already exists")
 	// ErrEmptyPath is returned when an empty path has been specified.
 	ErrEmptyPath = errors.New("empty path")
+	// CategoryRange allows the upper bound on the category range to be adjusted
+	CategoryRange = DefaultCategoryRange
 )
 
 // Context is a representation of the SELinux label broken into 4 parts