Update docker and cri-o to include the sirupsen fix.

Signed-off-by: Lantao Liu <lantaol@google.com>

vendor/github.com/docker/docker/pkg/mount/flags_freebsd.go

@@ -45,4 +45,5 @@ const (
 	RELATIME    = 0
 	REMOUNT     = 0
 	STRICTATIME = 0
+	mntDetach   = 0
 )

vendor/github.com/docker/docker/pkg/mount/flags_linux.go

@@ -1,85 +1,87 @@
 package mount
 
 import (
-	"syscall"
+	"golang.org/x/sys/unix"
 )
 
 const (
 	// RDONLY will mount the file system read-only.
-	RDONLY = syscall.MS_RDONLY
+	RDONLY = unix.MS_RDONLY
 
 	// NOSUID will not allow set-user-identifier or set-group-identifier bits to
 	// take effect.
-	NOSUID = syscall.MS_NOSUID
+	NOSUID = unix.MS_NOSUID
 
 	// NODEV will not interpret character or block special devices on the file
 	// system.
-	NODEV = syscall.MS_NODEV
+	NODEV = unix.MS_NODEV
 
 	// NOEXEC will not allow execution of any binaries on the mounted file system.
-	NOEXEC = syscall.MS_NOEXEC
+	NOEXEC = unix.MS_NOEXEC
 
 	// SYNCHRONOUS will allow I/O to the file system to be done synchronously.
-	SYNCHRONOUS = syscall.MS_SYNCHRONOUS
+	SYNCHRONOUS = unix.MS_SYNCHRONOUS
 
 	// DIRSYNC will force all directory updates within the file system to be done
 	// synchronously. This affects the following system calls: create, link,
 	// unlink, symlink, mkdir, rmdir, mknod and rename.
-	DIRSYNC = syscall.MS_DIRSYNC
+	DIRSYNC = unix.MS_DIRSYNC
 
 	// REMOUNT will attempt to remount an already-mounted file system. This is
 	// commonly used to change the mount flags for a file system, especially to
 	// make a readonly file system writeable. It does not change device or mount
 	// point.
-	REMOUNT = syscall.MS_REMOUNT
+	REMOUNT = unix.MS_REMOUNT
 
 	// MANDLOCK will force mandatory locks on a filesystem.
-	MANDLOCK = syscall.MS_MANDLOCK
+	MANDLOCK = unix.MS_MANDLOCK
 
 	// NOATIME will not update the file access time when reading from a file.
-	NOATIME = syscall.MS_NOATIME
+	NOATIME = unix.MS_NOATIME
 
 	// NODIRATIME will not update the directory access time.
-	NODIRATIME = syscall.MS_NODIRATIME
+	NODIRATIME = unix.MS_NODIRATIME
 
 	// BIND remounts a subtree somewhere else.
-	BIND = syscall.MS_BIND
+	BIND = unix.MS_BIND
 
 	// RBIND remounts a subtree and all possible submounts somewhere else.
-	RBIND = syscall.MS_BIND | syscall.MS_REC
+	RBIND = unix.MS_BIND | unix.MS_REC
 
 	// UNBINDABLE creates a mount which cannot be cloned through a bind operation.
-	UNBINDABLE = syscall.MS_UNBINDABLE
+	UNBINDABLE = unix.MS_UNBINDABLE
 
 	// RUNBINDABLE marks the entire mount tree as UNBINDABLE.
-	RUNBINDABLE = syscall.MS_UNBINDABLE | syscall.MS_REC
+	RUNBINDABLE = unix.MS_UNBINDABLE | unix.MS_REC
 
 	// PRIVATE creates a mount which carries no propagation abilities.
-	PRIVATE = syscall.MS_PRIVATE
+	PRIVATE = unix.MS_PRIVATE
 
 	// RPRIVATE marks the entire mount tree as PRIVATE.
-	RPRIVATE = syscall.MS_PRIVATE | syscall.MS_REC
+	RPRIVATE = unix.MS_PRIVATE | unix.MS_REC
 
 	// SLAVE creates a mount which receives propagation from its master, but not
 	// vice versa.
-	SLAVE = syscall.MS_SLAVE
+	SLAVE = unix.MS_SLAVE
 
 	// RSLAVE marks the entire mount tree as SLAVE.
-	RSLAVE = syscall.MS_SLAVE | syscall.MS_REC
+	RSLAVE = unix.MS_SLAVE | unix.MS_REC
 
 	// SHARED creates a mount which provides the ability to create mirrors of
 	// that mount such that mounts and unmounts within any of the mirrors
 	// propagate to the other mirrors.
-	SHARED = syscall.MS_SHARED
+	SHARED = unix.MS_SHARED
 
 	// RSHARED marks the entire mount tree as SHARED.
-	RSHARED = syscall.MS_SHARED | syscall.MS_REC
+	RSHARED = unix.MS_SHARED | unix.MS_REC
 
 	// RELATIME updates inode access times relative to modify or change time.
-	RELATIME = syscall.MS_RELATIME
+	RELATIME = unix.MS_RELATIME
 
 	// STRICTATIME allows to explicitly request full atime updates.  This makes
 	// it possible for the kernel to default to relatime or noatime but still
 	// allow userspace to override it.
-	STRICTATIME = syscall.MS_STRICTATIME
+	STRICTATIME = unix.MS_STRICTATIME
+
+	mntDetach = unix.MNT_DETACH
 )

vendor/github.com/docker/docker/pkg/mount/flags_unsupported.go

@@ -27,4 +27,5 @@ const (
 	STRICTATIME = 0
 	SYNCHRONOUS = 0
 	RDONLY      = 0
+	mntDetach   = 0
 )

vendor/github.com/docker/docker/pkg/mount/mount.go

@@ -1,7 +1,8 @@
 package mount
 
 import (
-	"time"
+	"sort"
+	"strings"
 )
 
 // GetMounts retrieves a list of mounts for the current running process.
@@ -46,29 +47,40 @@ func Mount(device, target, mType, options string) error {
 // flags.go for supported option flags.
 func ForceMount(device, target, mType, options string) error {
 	flag, data := parseOptions(options)
-	if err := mount(device, target, mType, uintptr(flag), data); err != nil {
-		return err
-	}
-	return nil
+	return mount(device, target, mType, uintptr(flag), data)
 }
 
-// Unmount will unmount the target filesystem, so long as it is mounted.
+// Unmount lazily unmounts a filesystem on supported platforms, otherwise
+// does a normal unmount.
 func Unmount(target string) error {
 	if mounted, err := Mounted(target); err != nil || !mounted {
 		return err
 	}
-	return ForceUnmount(target)
+	return unmount(target, mntDetach)
 }
 
-// ForceUnmount will force an unmount of the target filesystem, regardless if
-// it is mounted or not.
-func ForceUnmount(target string) (err error) {
-	// Simple retry logic for unmount
-	for i := 0; i < 10; i++ {
-		if err = unmount(target, 0); err == nil {
-			return nil
-		}
-		time.Sleep(100 * time.Millisecond)
+// RecursiveUnmount unmounts the target and all mounts underneath, starting with
+// the deepsest mount first.
+func RecursiveUnmount(target string) error {
+	mounts, err := GetMounts()
+	if err != nil {
+		return err
 	}
-	return
+
+	// Make the deepest mount be first
+	sort.Sort(sort.Reverse(byMountpoint(mounts)))
+
+	for i, m := range mounts {
+		if !strings.HasPrefix(m.Mountpoint, target) {
+			continue
+		}
+		if err := Unmount(m.Mountpoint); err != nil && i == len(mounts)-1 {
+			if mounted, err := Mounted(m.Mountpoint); err != nil || mounted {
+				return err
+			}
+			// Ignore errors for submounts and continue trying to unmount others
+			// The final unmount should fail if there ane any submounts remaining
+		}
+	}
+	return nil
 }

vendor/github.com/docker/docker/pkg/mount/mounter_freebsd.go

@@ -13,8 +13,9 @@ import "C"
 import (
 	"fmt"
 	"strings"
-	"syscall"
 	"unsafe"
+
+	"golang.org/x/sys/unix"
 )
 
 func allocateIOVecs(options []string) []C.struct_iovec {
@@ -55,5 +56,5 @@ func mount(device, target, mType string, flag uintptr, data string) error {
 }
 
 func unmount(target string, flag int) error {
-	return syscall.Unmount(target, flag)
+	return unix.Unmount(target, flag)
 }

vendor/github.com/docker/docker/pkg/mount/mounter_linux.go

@@ -1,21 +1,57 @@
 package mount
 
 import (
-	"syscall"
+	"golang.org/x/sys/unix"
 )
 
-func mount(device, target, mType string, flag uintptr, data string) error {
-	if err := syscall.Mount(device, target, mType, flag, data); err != nil {
-		return err
+const (
+	// ptypes is the set propagation types.
+	ptypes = unix.MS_SHARED | unix.MS_PRIVATE | unix.MS_SLAVE | unix.MS_UNBINDABLE
+
+	// pflags is the full set valid flags for a change propagation call.
+	pflags = ptypes | unix.MS_REC | unix.MS_SILENT
+
+	// broflags is the combination of bind and read only
+	broflags = unix.MS_BIND | unix.MS_RDONLY
+)
+
+// isremount returns true if either device name or flags identify a remount request, false otherwise.
+func isremount(device string, flags uintptr) bool {
+	switch {
+	// We treat device "" and "none" as a remount request to provide compatibility with
+	// requests that don't explicitly set MS_REMOUNT such as those manipulating bind mounts.
+	case flags&unix.MS_REMOUNT != 0, device == "", device == "none":
+		return true
+	default:
+		return false
+	}
+}
+
+func mount(device, target, mType string, flags uintptr, data string) error {
+	oflags := flags &^ ptypes
+	if !isremount(device, flags) || data != "" {
+		// Initial call applying all non-propagation flags for mount
+		// or remount with changed data
+		if err := unix.Mount(device, target, mType, oflags, data); err != nil {
+			return err
+		}
 	}
 
-	// If we have a bind mount or remount, remount...
-	if flag&syscall.MS_BIND == syscall.MS_BIND && flag&syscall.MS_RDONLY == syscall.MS_RDONLY {
-		return syscall.Mount(device, target, mType, flag|syscall.MS_REMOUNT, data)
+	if flags&ptypes != 0 {
+		// Change the propagation type.
+		if err := unix.Mount("", target, "", flags&pflags, ""); err != nil {
+			return err
+		}
 	}
+
+	if oflags&broflags == broflags {
+		// Remount the bind to apply read only.
+		return unix.Mount("", target, "", oflags|unix.MS_REMOUNT, "")
+	}
+
 	return nil
 }
 
 func unmount(target string, flag int) error {
-	return syscall.Unmount(target, flag)
+	return unix.Unmount(target, flag)
 }

vendor/github.com/docker/docker/pkg/mount/mountinfo.go

@@ -38,3 +38,17 @@ type Info struct {
 	// VfsOpts represents per super block options.
 	VfsOpts string
 }
+
+type byMountpoint []*Info
+
+func (by byMountpoint) Len() int {
+	return len(by)
+}
+
+func (by byMountpoint) Less(i, j int) bool {
+	return by[i].Mountpoint < by[j].Mountpoint
+}
+
+func (by byMountpoint) Swap(i, j int) {
+	by[i], by[j] = by[j], by[i]
+}

vendor/github.com/docker/docker/pkg/random/random.go

@@ -1,71 +0,0 @@
-package random
-
-import (
-	cryptorand "crypto/rand"
-	"io"
-	"math"
-	"math/big"
-	"math/rand"
-	"sync"
-	"time"
-)
-
-// Rand is a global *rand.Rand instance, which initialized with NewSource() source.
-var Rand = rand.New(NewSource())
-
-// Reader is a global, shared instance of a pseudorandom bytes generator.
-// It doesn't consume entropy.
-var Reader io.Reader = &reader{rnd: Rand}
-
-// copypaste from standard math/rand
-type lockedSource struct {
-	lk  sync.Mutex
-	src rand.Source
-}
-
-func (r *lockedSource) Int63() (n int64) {
-	r.lk.Lock()
-	n = r.src.Int63()
-	r.lk.Unlock()
-	return
-}
-
-func (r *lockedSource) Seed(seed int64) {
-	r.lk.Lock()
-	r.src.Seed(seed)
-	r.lk.Unlock()
-}
-
-// NewSource returns math/rand.Source safe for concurrent use and initialized
-// with current unix-nano timestamp
-func NewSource() rand.Source {
-	var seed int64
-	if cryptoseed, err := cryptorand.Int(cryptorand.Reader, big.NewInt(math.MaxInt64)); err != nil {
-		// This should not happen, but worst-case fallback to time-based seed.
-		seed = time.Now().UnixNano()
-	} else {
-		seed = cryptoseed.Int64()
-	}
-	return &lockedSource{
-		src: rand.NewSource(seed),
-	}
-}
-
-type reader struct {
-	rnd *rand.Rand
-}
-
-func (r *reader) Read(b []byte) (int, error) {
-	i := 0
-	for {
-		val := r.rnd.Int63()
-		for val > 0 {
-			b[i] = byte(val)
-			i++
-			if i == len(b) {
-				return i, nil
-			}
-			val >>= 8
-		}
-	}
-}

vendor/github.com/docker/docker/pkg/signal/signal_linux.go

@@ -2,6 +2,8 @@ package signal
 
 import (
 	"syscall"
+
+	"golang.org/x/sys/unix"
 )
 
 const (
@@ -11,41 +13,41 @@ const (
 
 // SignalMap is a map of Linux signals.
 var SignalMap = map[string]syscall.Signal{
-	"ABRT":     syscall.SIGABRT,
-	"ALRM":     syscall.SIGALRM,
-	"BUS":      syscall.SIGBUS,
-	"CHLD":     syscall.SIGCHLD,
-	"CLD":      syscall.SIGCLD,
-	"CONT":     syscall.SIGCONT,
-	"FPE":      syscall.SIGFPE,
-	"HUP":      syscall.SIGHUP,
-	"ILL":      syscall.SIGILL,
-	"INT":      syscall.SIGINT,
-	"IO":       syscall.SIGIO,
-	"IOT":      syscall.SIGIOT,
-	"KILL":     syscall.SIGKILL,
-	"PIPE":     syscall.SIGPIPE,
-	"POLL":     syscall.SIGPOLL,
-	"PROF":     syscall.SIGPROF,
-	"PWR":      syscall.SIGPWR,
-	"QUIT":     syscall.SIGQUIT,
-	"SEGV":     syscall.SIGSEGV,
-	"STKFLT":   syscall.SIGSTKFLT,
-	"STOP":     syscall.SIGSTOP,
-	"SYS":      syscall.SIGSYS,
-	"TERM":     syscall.SIGTERM,
-	"TRAP":     syscall.SIGTRAP,
-	"TSTP":     syscall.SIGTSTP,
-	"TTIN":     syscall.SIGTTIN,
-	"TTOU":     syscall.SIGTTOU,
-	"UNUSED":   syscall.SIGUNUSED,
-	"URG":      syscall.SIGURG,
-	"USR1":     syscall.SIGUSR1,
-	"USR2":     syscall.SIGUSR2,
-	"VTALRM":   syscall.SIGVTALRM,
-	"WINCH":    syscall.SIGWINCH,
-	"XCPU":     syscall.SIGXCPU,
-	"XFSZ":     syscall.SIGXFSZ,
+	"ABRT":     unix.SIGABRT,
+	"ALRM":     unix.SIGALRM,
+	"BUS":      unix.SIGBUS,
+	"CHLD":     unix.SIGCHLD,
+	"CLD":      unix.SIGCLD,
+	"CONT":     unix.SIGCONT,
+	"FPE":      unix.SIGFPE,
+	"HUP":      unix.SIGHUP,
+	"ILL":      unix.SIGILL,
+	"INT":      unix.SIGINT,
+	"IO":       unix.SIGIO,
+	"IOT":      unix.SIGIOT,
+	"KILL":     unix.SIGKILL,
+	"PIPE":     unix.SIGPIPE,
+	"POLL":     unix.SIGPOLL,
+	"PROF":     unix.SIGPROF,
+	"PWR":      unix.SIGPWR,
+	"QUIT":     unix.SIGQUIT,
+	"SEGV":     unix.SIGSEGV,
+	"STKFLT":   unix.SIGSTKFLT,
+	"STOP":     unix.SIGSTOP,
+	"SYS":      unix.SIGSYS,
+	"TERM":     unix.SIGTERM,
+	"TRAP":     unix.SIGTRAP,
+	"TSTP":     unix.SIGTSTP,
+	"TTIN":     unix.SIGTTIN,
+	"TTOU":     unix.SIGTTOU,
+	"UNUSED":   unix.SIGUNUSED,
+	"URG":      unix.SIGURG,
+	"USR1":     unix.SIGUSR1,
+	"USR2":     unix.SIGUSR2,
+	"VTALRM":   unix.SIGVTALRM,
+	"WINCH":    unix.SIGWINCH,
+	"XCPU":     unix.SIGXCPU,
+	"XFSZ":     unix.SIGXFSZ,
 	"RTMIN":    sigrtmin,
 	"RTMIN+1":  sigrtmin + 1,
 	"RTMIN+2":  sigrtmin + 2,

vendor/github.com/docker/docker/pkg/signal/trap.go

@@ -11,7 +11,6 @@ import (
 	"syscall"
 	"time"
 
-	"github.com/sirupsen/logrus"
 	"github.com/pkg/errors"
 )
 
@@ -27,7 +26,9 @@ import (
 //   the docker daemon is not restarted and also running under systemd.
 //   Fixes https://github.com/docker/docker/issues/19728
 //
-func Trap(cleanup func()) {
+func Trap(cleanup func(), logger interface {
+	Info(args ...interface{})
+}) {
 	c := make(chan os.Signal, 1)
 	// we will handle INT, TERM, QUIT, SIGPIPE here
 	signals := []os.Signal{os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT, syscall.SIGPIPE}
@@ -40,7 +41,7 @@ func Trap(cleanup func()) {
 			}
 
 			go func(sig os.Signal) {
-				logrus.Infof("Processing signal '%v'", sig)
+				logger.Info(fmt.Sprintf("Processing signal '%v'", sig))
 				switch sig {
 				case os.Interrupt, syscall.SIGTERM:
 					if atomic.LoadUint32(&interruptCount) < 3 {
@@ -54,11 +55,11 @@ func Trap(cleanup func()) {
 						}
 					} else {
 						// 3 SIGTERM/INT signals received; force exit without cleanup
-						logrus.Info("Forcing docker daemon shutdown without cleanup; 3 interrupts received")
+						logger.Info("Forcing docker daemon shutdown without cleanup; 3 interrupts received")
 					}
 				case syscall.SIGQUIT:
 					DumpStacks("")
-					logrus.Info("Forcing docker daemon shutdown without cleanup on SIGQUIT")
+					logger.Info("Forcing docker daemon shutdown without cleanup on SIGQUIT")
 				}
 				//for the SIGINT/TERM, and SIGQUIT non-clean shutdown case, exit with 128 + signal #
 				os.Exit(128 + int(sig.(syscall.Signal)))

vendor/github.com/docker/docker/pkg/stringid/stringid.go

@@ -2,19 +2,25 @@
 package stringid
 
 import (
-	"crypto/rand"
+	cryptorand "crypto/rand"
 	"encoding/hex"
+	"fmt"
 	"io"
+	"math"
+	"math/big"
+	"math/rand"
 	"regexp"
 	"strconv"
 	"strings"
-
-	"github.com/docker/docker/pkg/random"
+	"time"
 )
 
 const shortLen = 12
 
-var validShortID = regexp.MustCompile("^[a-z0-9]{12}$")
+var (
+	validShortID = regexp.MustCompile("^[a-f0-9]{12}$")
+	validHex     = regexp.MustCompile(`^[a-f0-9]{64}$`)
+)
 
 // IsShortID determines if an arbitrary string *looks like* a short ID.
 func IsShortID(id string) bool {
@@ -35,12 +41,8 @@ func TruncateID(id string) string {
 	return id
 }
 
-func generateID(crypto bool) string {
+func generateID(r io.Reader) string {
 	b := make([]byte, 32)
-	r := random.Reader
-	if crypto {
-		r = rand.Reader
-	}
 	for {
 		if _, err := io.ReadFull(r, b); err != nil {
 			panic(err) // This shouldn't happen
@@ -58,12 +60,40 @@ func generateID(crypto bool) string {
 
 // GenerateRandomID returns a unique id.
 func GenerateRandomID() string {
-	return generateID(true)
+	return generateID(cryptorand.Reader)
 }
 
 // GenerateNonCryptoID generates unique id without using cryptographically
 // secure sources of random.
 // It helps you to save entropy.
 func GenerateNonCryptoID() string {
-	return generateID(false)
+	return generateID(readerFunc(rand.Read))
+}
+
+// ValidateID checks whether an ID string is a valid image ID.
+func ValidateID(id string) error {
+	if ok := validHex.MatchString(id); !ok {
+		return fmt.Errorf("image ID %q is invalid", id)
+	}
+	return nil
+}
+
+func init() {
+	// safely set the seed globally so we generate random ids. Tries to use a
+	// crypto seed before falling back to time.
+	var seed int64
+	if cryptoseed, err := cryptorand.Int(cryptorand.Reader, big.NewInt(math.MaxInt64)); err != nil {
+		// This should not happen, but worst-case fallback to time-based seed.
+		seed = time.Now().UnixNano()
+	} else {
+		seed = cryptoseed.Int64()
+	}
+
+	rand.Seed(seed)
+}
+
+type readerFunc func(p []byte) (int, error)
+
+func (fn readerFunc) Read(p []byte) (int, error) {
+	return fn(p)
 }