Point NRI dependency to latest HEAD, commit b3cabdec0657. That
pulls in the necessary NRI fix for a recently discovered panic
and crash.
Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
While we need to support CRI v1alpha2, the implementation doesn't have
to be tied to gogo/protobuf.
Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
golang.org/x/net contains a fix for CVE-2022-41717, which was addressed
in stdlib in go1.19.4 and go1.18.9;
> net/http: limit canonical header cache by bytes, not entries
>
> An attacker can cause excessive memory growth in a Go server accepting
> HTTP/2 requests.
>
> HTTP/2 server connections contain a cache of HTTP header keys sent by
> the client. While the total number of entries in this cache is capped,
> an attacker sending very large keys can cause the server to allocate
> approximately 64 MiB per open connection.
>
> This issue is also fixed in golang.org/x/net/http2 v0.4.0,
> for users manually configuring HTTP/2.
full diff: https://github.com/golang/net/compare/c63010009c80...v0.4.0
other dependency updates (due to (circular) dependencies between them):
- golang.org/x/sys v0.3.0: https://github.com/golang/sys/compare/v0.2.0...v0.3.0
- golang.org/x/term v0.3.0: https://github.com/golang/term/compare/v0.1.0...v0.3.0
- golang.org/x/text v0.5.0: https://github.com/golang/text/compare/v0.4.0...v0.5.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Implement the adaptation interface required by the NRI
service plugin to handle CRI sandboxes and containers.
Hook the NRI service plugin into CRI request processing.
Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
Add a common NRI 'service' plugin. It takes care of relaying
requests and respones to and from NRI (external NRI plugins)
and the high-level containerd namespace-independent logic of
applying NRI container adjustments and updates to actual CRI
and other containers.
The namespace-dependent details of the necessary container
manipulation operations are to be implemented by namespace-
specific adaptations. This NRI plugin defines the API which
such adaptations need to implement.
Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
This was updated in 470d3ee057, but we
only needed the ebpf update. As nothing depends on this module anymore,
other than for the stats package (which didn't change in between), we
can (for now) roll it back to v1.0.4, and just force the newer ebpf
package.
Things rolled back (doesn't affect vendored code);
https://github.com/containerd/cgroups/compare/7083cd60b721..v1.0.4
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
ArgsEscaped has now been merged into upstream OCI image spec.
This change removes the workaround we were doing in containerd
to deserialize the extra json outside of the spec and instead
just uses the formal spec types.
Signed-off-by: Justin Terry <jlterry@amazon.com>
Some minor improvements, but biggest for here is ErrPipeListenerClosed
is no longer an errors.New where the string matches the text of the now
exported net.ErrClosed in the stdlib, but is just assigned to net.ErrClosed
directly. This should allow us to get rid of the string check for "use of closed
network connection" here now..
Signed-off-by: Daniel Canter <dcanter@microsoft.com>
github.com/AdaLogics/go-fuzz-headers and
github.com/AdamKorcz/go-118-fuzz-build have less dependencies in
the last versions.
Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
These functions were originally copied from the docker / moby repository in
4a7a8efc2d. Migrating these functions to use the
github.com/moby/sys/sequential module allows them being shared between moby,
docker/cli, and containerd, and to allow using them without importing all of sys
which also depends on hcsshim and more.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This contains quite a bit (also bumps google/uuid to 1.3.0). Some HostProcess
container improvements to get ready for whenever it goes to stable in
Kubernetes, Hyper-V (windows) container support for CRI, and a plethora of
other small additions and fixes.
Signed-off-by: Daniel Canter <dcanter@microsoft.com>
This tag contains some fixes for hostprocess containers, mainly around
fixing task stats which regressed from a change in v0.9.3.
https://github.com/microsoft/hcsshim/releases/tag/v0.9.4
Signed-off-by: Daniel Canter <dcanter@microsoft.com>
This tag brings in a new field to fix an HNS issue in ws2019 as well as
an optimization for collecting Windows stats (memory, cpu, iops).
Signed-off-by: Daniel Canter <dcanter@microsoft.com>
This version contains the CRI changes for user namespaces support.
Future patches will use the new fields in the CRI.
Updating the module without using the new fields doesn't cause any
behaviour change.
Updates: #7063
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
The regression in v1.22.2 has been resolved, so we can drop the
replace rule and use the latest v1.22.x version.
full diff: https://github.com/urfave/cli/compare/v1.22.1...v1.22.9
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
PR #6366 implemented a tree-wide change to replace github.com/pkg/errors
to errors. The new sandbox API PR #6703 had few errors.Wrap*() leftovers
and pulled github.com/pkg/errors back. This commit replaces those
leftovers by following the pattern in #6366.
Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
This commit hides types.Any from the diff package's interface. Clients
(incl. imgcrypt) shouldn't aware about gogo/protobuf.
Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
This commit upgrades github.com/containerd/typeurl to use typeurl.Any.
The interface hides gogo/protobuf/types.Any from containerd's Go client.
Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
- Upgrade github.com/containerd/imgcrypt to prepare for typeurl upgrade
(see https://github.com/containerd/imgcrypt/pull/72)
- Upgrade github.com/opencontainers/image-spec since imgcrypto needs at
least 1.0.2.
Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
By taking advantage of smarter traversal of dependencies, a
`go mod tidy` using Go 1.18 remove some items from go.sum.
Signed-off-by: Tom Godkin <tomgodkin@pm.me>
full diff: 32db794688...3147a52a75
This version contains a fix for CVE-2022-27191 (not sure if it affects us).
From the golang mailing list:
Hello gophers,
Version v0.0.0-20220315160706-3147a52a75dd of golang.org/x/crypto/ssh implements
client authentication support for signature algorithms based on SHA-2 for use with
existing RSA keys.
Previously, a client would fail to authenticate with RSA keys to servers that
reject signature algorithms based on SHA-1. This includes OpenSSH 8.8 by default
and—starting today March 15, 2022 for recently uploaded keys.
We are providing this announcement as the error (“ssh: unable to authenticate”)
might otherwise be difficult to troubleshoot.
Version v0.0.0-20220314234659-1baeb1ce4c0b (included in the version above) also
fixes a potential security issue where an attacker could cause a crash in a
golang.org/x/crypto/ssh server under these conditions:
- The server has been configured by passing a Signer to ServerConfig.AddHostKey.
- The Signer passed to AddHostKey does not also implement AlgorithmSigner.
- The Signer passed to AddHostKey does return a key of type “ssh-rsa” from its PublicKey method.
Servers that only use Signer implementations provided by the ssh package are
unaffected. This is CVE-2022-27191.
Alla prossima,
Filippo for the Go Security team
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/emicklei/go-restful/compare/v2.9.5...v3.7.3
- Switch to using go modules
- Add check for wildcard to fix CORS filter
- Add check on writer to prevent compression of response twice
- Add OPTIONS shortcut WebService receiver
- Add Route metadata to request attributes or allow adding attributes to routes
- Add wroteHeader set
- Enable content encoding on Handle and ServeHTTP
- Feat: support google custom verb
- Feature: override list of method allowed without content-type
- Fix Allow header not set on '405: Method Not Allowed' responses
- Fix Go 1.15: conversion from int to string yields a string of one rune
- Fix WriteError return value
- Fix: use request/response resulting from filter chain
- handle path params with prefixes and suffixes
- HTTP response body was broken, if struct to be converted to JSON has boolean value
- List available representations in 406 body
- Support describing response headers
- Unwrap function in filter chain + remove unused dispatchWithFilters
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/fsnotify/fsnotify/compare/v1.4.9...v1.5.1
Relevant changes:
- Fix unsafe pointer conversion
- Drop support/testing for Go 1.11 and earlier
- Update x/sys to latest
- add //go:build lines
- add go 1.17 to test matrix
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This tag brings in some bug fixes related to waiting for containers to terminate and
trying to kill an already terminated process, as well as tty support (exec -it) for
Windows Host Process Containers.
Signed-off-by: Daniel Canter <dcanter@microsoft.com>
The OCI image spec did a v1.0.2 security release for CVE-2021-41190, however
commit 09c9270fee, depends on MediaTypes that
have not yet been released by the OCI image-spec, so using current "main" instead.
full diff: 5ad6f50d62...693428a734
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This tag contains some changes for the Windows shim for retrying
stdio named pipe connections if containerd restarts. It also is built with v1.1.0 of
ttrpc which has some fixes for a deadlock we'd observed on Windows.
Signed-off-by: Daniel Canter <dcanter@microsoft.com>
This tag contains a fix for a deadlock observed when there are multiple
simultaneous requests from the same client connection.
Signed-off-by: Daniel Canter <dcanter@microsoft.com>
* Bump k8s.io/cri-api to latest version - v0.23.0-alpha.4
* Vendor github.com/vishvananda/netlink for network stats
Signed-off-by: David Porter <porterdavid@google.com>
This update will allow us to forcefully delete a Windows sandbox if its
endpoint cannot be found anymore.
Fixes: #6135
Signed-off-by: Claudiu Belu <cbelu@cloudbasesolutions.com>
The mount package of darwin requires to retrive mountinfo to check if
the target of unmount if still mounted or not. Thus pull the upstreamed
version of moby/sys to support this operation.
Signed-off-by: Hajime Tazaki <thehajime@gmail.com>
In linux 5.14 and hopefully some backports, core scheduling allows processes to
be co scheduled within the same domain on SMT enabled systems.
The containerd impl sets the core sched domain when launching a shim. This
allows a clean way for each shim(container/pod) to be in its own domain and any
additional containers, (v2 pods) be be launched with the same domain as well as
any exec'd process added to the container.
kernel docs: https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html
Signed-off-by: Michael Crosby <michael@thepasture.io>
This fixes the issue with the usage of the deprecated attribute.Any
function that original caused build issues.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Currently uncompress converter only supports gzip. This commit fixes it to
support zstd as well.
Signed-off-by: Kohei Tokunaga <ktokunaga.mail@gmail.com>
This picks a fix to properly handle images containing symlinks
inside which point to an unexisting file.
Signed-off-by: Hajime Tazaki <thehajime@gmail.com>
This version brings in some bug fixes to layer handling. The actual fix isn't
present in the diff as it's not used here, but the Windows shim is built from
the tag present in go.mod, so the fix will be in the Windows shim on a new release
of Containerd if this tag is in.
Signed-off-by: Daniel Canter <dcanter@microsoft.com>
full diff: https://github.com/pelletier/go-toml/compare/v1.8.1...v1.9.3
- v1.9.3: Clarify license and comply with Apache 2.0
- v1.9.2: Add Encoder.CompactComments to omit extra new line
- v1.9.1: Fix empty trees line counting
v1.9.0
-------------------
The highlight of this version is that the whole toml.Tree structure has been made
public in a backward compatible way. This allows everyone using v1.x to fully
access the data and metadata in the tree to extend the library.
This is hopefully the last release in the v1.x track, as go-toml v2 is the main
focus of development.
What's new
- TOML 1.0.0-rc.3
- Improved default tag for durations
- Provide Tree and treeValue public aliases
- Expose MarshalOrder
- Value string representation public function
Fixed bugs
- Do not allow T-prefix on local dates
- toml.Unmarshaler supports leaf nodes
- Fix date lexer to only support 4-digit year
- Fix ToMap for tables in mixed-type arrays
- Fix ToMap for tables in nested mixed-type arrays
- Support literal multiline marshal
Performance
- Remove date regexp
- Remove underscore regexps
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This brings in some cri api changes for cgroups, Windows pod sandbox security
context changes and some new fields for the Windows version of a privileged
container.
This also unfortunately bumps the prometheus client, grpc middleware, bolt
and klog :(
Signed-off-by: Daniel Canter <dcanter@microsoft.com>
Signed-off-by: Jayme Howard <g.prime@gmail.com>
Run `go mod tidy`
Signed-off-by: Jayme Howard <g.prime@gmail.com>
Follow correct procedure by running `make vendor`
Signed-off-by: Jayme Howard <g.prime@gmail.com>
In containerd 1.5.x, we introduced support for go modules by adding a
go.mod file in the root directory. This go.mod lists all the things
needed across the whole code base (with the exception of
integration/client which has its own go.mod). So when projects that
need to make calls to containerd API will pull in some code from
containerd/containerd, the `go mod` commands will add all the things
listed in the root go.mod to the projects go.mod file. This causes
some problems as the list of things needed to make a simple API call
is enormous. in effect, making a API call will pull everything that a
typical server needs as well as the root go.mod is all encompassing.
In general if we had smaller things folks could use, that will make it
easier by reducing the number of things that will end up in a consumers
go.mod file.
Now coming to a specific problem, the root containerd go.mod has various
k8s.io/* modules listed. Also kubernetes depends on containerd indirectly
via both moby/moby (working with docker maintainers seperately) and via
google/cadvisor. So when the kubernetes maintainers try to use latest
1.5.x containerd, they will see the kubernetes go.mod ending up depending
on the older version of kubernetes!
So if we can expose just the minimum things needed to make a client API
call then projects like cadvisor can adopt that instead of pulling in
the entire go.mod from containerd. Looking at the existing code in
cadvisor the minimum things needed would be the api/ directory from
containerd. Please see proof of concept here:
github.com/google/cadvisor/pull/2908
To enable that, in this PR, we add a go.mod file in api/ directory. we
split the Protobuild.yaml into two, one for just the things in api/
directory and the rest in the root directory. We adjust various targets
to build things correctly using `protobuild` and also ensure that we
end up with the same generated code as before as well. To ensure we
better take care of the various go.mod/go.sum files, we update the
existing `make vendor` and also add a new `make verify-vendor` that one
can run locally as well in the CI.
Ideally, we would have a `containerd/client` either as a standalone repo
or within `containerd/containerd` as a separate go module. but we will
start here to experiment with a standalone api go module first.
Also there are various follow ups we can do, for example @thaJeztah has
identified two tasks we could do after this PR lands:
github.com/containerd/containerd/pull/5716#discussion_r668821396
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
systemd uses SIGRTMIN+n signals, but containerd didn't support the signals
since Go's sys/unix doesn't support them.
This change introduces SIGRTMIN+n handling by utilizing moby/sys/signal.
Fixes#5402.
https://www.freedesktop.org/software/systemd/man/systemd.html#Signals
Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
0.8.18 contains a fix for shim delete behavior, please see:
microsoft/hcsshim#1041
There's no new vendored files as nothing from hcsshim/cmd/containerd-shim-runhcs-v1
gets imported here but for containerd releases the runhcs shim binary is built from whatever
commit is vendored into containerd.
Signed-off-by: Daniel Canter <dcanter@microsoft.com>
Note that this is the code in containerd that uses runc (as almost
a library). Please see the other commit for the update to runc binary
itself.
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
This package as recently updated to add support for Linux on
32-bit PowerPC (ppc), implemented by gccgo.
Signed-off-by: Ben Hutchings <ben.hutchings@essensium.com>
This forces vendoring to only take dependencies of this repository to
be taken into account, effectively cutting the circular dependency (for
the vendored code), and to prevent depending on transitive dependencies
coming from older versions of containerd.
go mod does not allow using the main module as a local "replace" rule using
a path; see golang/go#45492 and golang/go#34417, so instead, an empty module
is used.
One change observed is that older versions containerd depended on an older
version of imgcrypt that had an "indirect" dependency on more current versions
of gopkg.in/yaml.v2 and prometheus/procfs.
For those, a temporary "indirect" dependency was added, until prometheus/client_golang
and kubernetes are updated.
from go mod graph (before):
github.com/containerd/imgcrypt@v1.0.4-0.20210301171431-0ae5c75f59ba gopkg.in/yaml.v2@v2.4.0
github.com/containerd/imgcrypt@v1.0.4-0.20210301171431-0ae5c75f59ba github.com/prometheus/procfs@v0.6.0
For some reason, some older versions of containerd are still taken into account,
causing satori/go.uuid to be added as "indirect" dependency, likely because some
modules have this dependency in their go.sum. This should likely disappear once
those plugins are updated to contain a current version of containerd.
git grep 'github.com/satori/go.uuid'
vendor/github.com/Microsoft/hcsshim/go.sum:github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
vendor/github.com/containerd/aufs/go.sum:github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
vendor/github.com/containerd/imgcrypt/go.sum:github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
vendor/github.com/containerd/nri/go.sum:github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
vendor/github.com/containerd/zfs/go.sum:github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The proto version was updated with cgroup in v1.0.0 but
the protos were not regenerated. The v1.0.1 tag fixes this.
Signed-off-by: Derek McGowan <derek@mcg.dev>
full diff: https://github.com/google/uuid/compare/v1.1.2...v1.2.0
I did not switch to us the `uuid.NewString()` function; we are not currently using
`uuid.New()`, probably because it can `panic` in case an invalid UUID is produced;
in stead we are using `uuid.NewRandom()`, which is equivalent, but returns an
error instead.
Changes:
- v1.2.0: Add NewString()
This release introduces the NewString() function which is the equivalent of
uuid.New().String().
- v1.1.5: Syntactic cleanup
There are no code changes. A missing period was add to a godoc comment and the
linter was told to not complain that the results of hash.Write() are ignored
(the function cannot fail)
- v1.1.4: Further error optimizations
Do not allocate memory for errors (it is only one word)
- v1.1.3: Optimize error reporting
Optimize length of time it takes to discover an input is bad by no longer using
fmt.Errorf, which is quite slow. It now uses a custom error type that formats
the string when the Error method is called rather than when generating the error.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/containernetworking/plugins/compare/v0.8.6...v0.9.1
changes in vendored code:
- (in containernetworking/plugins): Fix race condition in GetCurrentNS
- (in containernetworking/cni): tighten up plugin-finding logic
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Contains "Implements zfs usage by returning the USED field from the zfs snapshot"
(https://github.com/containerd/zfs/pull/38)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
pkg/cap has the full list of the caps (for UT, originally),
so we can drop dependency on github.com/syndtr/gocapability
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
full diff: 0b889c03f1...8a68de567b
- utils: export RunningInUserNS()
- Support updates for net_cls (adds netclsController.Update())
- Only append Hugetlb in Subsystems list when available
- dependency updates (for compatibility with recent Go versions):
- go.mod: github.com/cilium/ebpf v0.2.0
- go.mod: github.com/coreos/go-systemd v22.1.0
- go.mod: sirupsen/logrus v1.7.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
bump version 1.3.2 for gogo/protobuf due to CVE-2021-3121 discovered
in gogo/protobuf version 1.3.1, CVE has been fixed in 1.3.2
Signed-off-by: Aditi Sharma <adi.sky17@gmail.com>
Trying to reduce duplicated effort in maintaining a mountinfo
parser, this patch replaces the local implementation with the
implementation in github.com/moby/sys, which is actively maintained
and contains various optimizations.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
* Update hcsshim to v0.8.14
* Update go-winio to v0.4.16
This brings in some vhd package changes from winio, and the compute storage api bindings for
the shim. This is to facilitate some coming functionality for the windows snapshotter
as well as possibly for future work down the line for the windows differ.
Signed-off-by: Daniel Canter <dcanter@microsoft.com>
The build tag was removed in go-selinux v1.8.0: opencontainers/selinux#132
Related: remove "apparmor" build tag: 0a9147f3aa
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
zstd is a compression algorithm that has a very fast decoder, while
providing also good compression ratios. The fast decoder makes it
suitable for container images, as decompressing the tarballs is a very
expensive operation.
https://github.com/opencontainers/image-spec/pull/788 added support
for zstd to the OCI image specs.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
