diff --git a/hack/versions b/hack/versions index b51661f81..edc901bc8 100644 --- a/hack/versions +++ b/hack/versions @@ -1,5 +1,5 @@ RUNC_VERSION=74a17296470088de3805e138d3d87c62e613dfc4 CNI_VERSION=v0.6.0 -CONTAINERD_VERSION=70e0c8443ff15dcbd2ad8e0d07ed087fc2a83e05 +CONTAINERD_VERSION=9e04cff8e9e3a1bf13c088cb3db1c368e93b33ea CRITOOL_VERSION=4cd2b047a26a2ef01bbd02ee55f7d70d8825ebb5 KUBERNETES_VERSION=164317879bcd810b97e5ebf1c8df041770f2ff1b diff --git a/pkg/server/container_create.go b/pkg/server/container_create.go index 3e34c5eef..7458b45ce 100644 --- a/pkg/server/container_create.go +++ b/pkg/server/container_create.go @@ -30,6 +30,7 @@ import ( "github.com/containerd/containerd/linux/runctypes" "github.com/containerd/containerd/mount" "github.com/containerd/containerd/namespaces" + "github.com/containerd/containerd/oci" "github.com/containerd/typeurl" "github.com/davecgh/go-spew/spew" "github.com/golang/glog" @@ -188,16 +189,16 @@ func (c *criContainerdService) CreateContainer(ctx context.Context, r *runtime.C } }() - var specOpts []containerd.SpecOpts + var specOpts []oci.SpecOpts securityContext := config.GetLinux().GetSecurityContext() // Set container username. This could only be done by containerd, because it needs // access to the container rootfs. Pass user name to containerd, and let it overwrite // the spec for us. if uid := securityContext.GetRunAsUser(); uid != nil { - specOpts = append(specOpts, containerd.WithUserID(uint32(uid.GetValue()))) + specOpts = append(specOpts, oci.WithUserID(uint32(uid.GetValue()))) } if username := securityContext.GetRunAsUsername(); username != "" { - specOpts = append(specOpts, containerd.WithUsername(username)) + specOpts = append(specOpts, oci.WithUsername(username)) } apparmorSpecOpts, err := generateApparmorSpecOpts( 
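Review bot: In the `@@ -188,16 +189,16 @@` hunk of pkg/server/container_create.go, `oci.WithUserID(uint32(uid.GetValue()))` carries over an unchecked narrowing conversion. The CRI `RunAsUser` value is an int64, so a negative or larger-than-32-bit value wraps silently, and a value that is a multiple of 2^32 ends up as UID 0. Unless the range is validated somewhere outside this hunk, check it before the append, for example `if v := uid.GetValue(); v < 0 || v > math.MaxUint32 { /* return an error naming the invalid RunAsUser */ }`, which needs the `math` import. The same conversion appears in the `RunPodSandbox` hunk of pkg/server/sandbox_run.go. Both functions start and end outside their hunks, so the exact error return has to follow the surrounding code.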
@@ -724,7 +725,7 @@ func setOCINamespaces(g *generate.Generator, namespaces *runtime.NamespaceOption func defaultRuntimeSpec(id string) (*runtimespec.Spec, error) { // GenerateSpec needs namespace. ctx := namespaces.WithNamespace(context.Background(), k8sContainerdNamespace) - spec, err := containerd.GenerateSpec(ctx, nil, &containers.Container{ID: id}) + spec, err := oci.GenerateSpec(ctx, nil, &containers.Container{ID: id}) if err != nil { return nil, err } @@ -751,7 +752,7 @@ func defaultRuntimeSpec(id string) (*runtimespec.Spec, error) { } // generateSeccompSpecOpts generates containerd SpecOpts for seccomp. -func generateSeccompSpecOpts(seccompProf string, privileged, seccompEnabled bool) (containerd.SpecOpts, error) { +func generateSeccompSpecOpts(seccompProf string, privileged, seccompEnabled bool) (oci.SpecOpts, error) { if privileged { // Do not set seccomp profile when container is privileged return nil, nil @@ -784,7 +785,7 @@ func generateSeccompSpecOpts(seccompProf string, privileged, seccompEnabled bool } // generateApparmorSpecOpts generates containerd SpecOpts for apparmor. -func generateApparmorSpecOpts(apparmorProf string, privileged, apparmorEnabled bool) (containerd.SpecOpts, error) { +func generateApparmorSpecOpts(apparmorProf string, privileged, apparmorEnabled bool) (oci.SpecOpts, error) { if !apparmorEnabled { // Should fail loudly if user try to specify apparmor profile // but we don't support it. diff --git a/pkg/server/container_create_test.go b/pkg/server/container_create_test.go index e110a2f0d..62ab7f48f 100644 --- a/pkg/server/container_create_test.go +++ b/pkg/server/container_create_test.go 
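Review bot: The doc comment on `generateSeccompSpecOpts` still reads only "generates containerd SpecOpts for seccomp" and does not mention that the function can return a nil option together with a nil error, as the visible `if privileged { return nil, nil }` branch does. Since the signature line is being touched anyway, I would document that contract, e.g. `// generateSeccompSpecOpts returns the oci.SpecOpts that applies the seccomp profile, or (nil, nil) when the container is privileged and no profile is set; callers must skip a nil result.` This makes it explicit that privileged containers run without a seccomp profile and that a nil opt must not be appended to the spec options. `generateApparmorSpecOpts` probably needs a matching sentence, but its body continues outside the hunk, so confirm its nil-return cases first.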
@@ -21,10 +21,10 @@ import ( "reflect" "testing" - "github.com/containerd/containerd" "github.com/containerd/containerd/contrib/apparmor" "github.com/containerd/containerd/contrib/seccomp" "github.com/containerd/containerd/mount" + "github.com/containerd/containerd/oci" imagespec "github.com/opencontainers/image-spec/specs-go/v1" runtimespec "github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/runtime-tools/generate" @@ -722,7 +722,7 @@ func TestGenerateSeccompSpecOpts(t *testing.T) { profile string privileged bool disable bool - specOpts containerd.SpecOpts + specOpts oci.SpecOpts expectErr bool }{ "should return error if seccomp is specified when seccomp is not supported": { @@ -783,7 +783,7 @@ func TestGenerateApparmorSpecOpts(t *testing.T) { profile string privileged bool disable bool - specOpts containerd.SpecOpts + specOpts oci.SpecOpts expectErr bool }{ "should return error if apparmor is specified when apparmor is not supported": { diff --git a/pkg/server/sandbox_run.go b/pkg/server/sandbox_run.go index 70c6a06a3..c23447f61 100644 --- a/pkg/server/sandbox_run.go +++ b/pkg/server/sandbox_run.go @@ -24,6 +24,7 @@ import ( "github.com/containerd/containerd" containerdio "github.com/containerd/containerd/cio" "github.com/containerd/containerd/linux/runctypes" + "github.com/containerd/containerd/oci" "github.com/containerd/typeurl" "github.com/cri-o/ocicni/pkg/ocicni" "github.com/golang/glog" @@ -128,9 +129,9 @@ func (c *criContainerdService) RunPodSandbox(ctx context.Context, r *runtime.Run } glog.V(4).Infof("Sandbox container spec: %+v", spec) - var specOpts []containerd.SpecOpts + var specOpts []oci.SpecOpts if uid := securityContext.GetRunAsUser(); uid != nil { - specOpts = append(specOpts, containerd.WithUserID(uint32(uid.GetValue()))) + specOpts = append(specOpts, oci.WithUserID(uint32(uid.GetValue()))) } seccompSpecOpts, err := generateSeccompSpecOpts(