* Bump k8s.io/cri-api to latest version - v0.23.0-alpha.4
* Vendor github.com/vishvananda/netlink for network stats
Signed-off-by: David Porter <porterdavid@google.com>
This update will allow us to forcefully delete a Windows sandbox if its
endpoint cannot be found anymore.
Fixes: #6135
Signed-off-by: Claudiu Belu <cbelu@cloudbasesolutions.com>
The mount package of darwin requires to retrive mountinfo to check if
the target of unmount if still mounted or not. Thus pull the upstreamed
version of moby/sys to support this operation.
Signed-off-by: Hajime Tazaki <thehajime@gmail.com>
In linux 5.14 and hopefully some backports, core scheduling allows processes to
be co scheduled within the same domain on SMT enabled systems.
The containerd impl sets the core sched domain when launching a shim. This
allows a clean way for each shim(container/pod) to be in its own domain and any
additional containers, (v2 pods) be be launched with the same domain as well as
any exec'd process added to the container.
kernel docs: https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html
Signed-off-by: Michael Crosby <michael@thepasture.io>
This fixes the issue with the usage of the deprecated attribute.Any
function that original caused build issues.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Currently uncompress converter only supports gzip. This commit fixes it to
support zstd as well.
Signed-off-by: Kohei Tokunaga <ktokunaga.mail@gmail.com>
This picks a fix to properly handle images containing symlinks
inside which point to an unexisting file.
Signed-off-by: Hajime Tazaki <thehajime@gmail.com>
This version brings in some bug fixes to layer handling. The actual fix isn't
present in the diff as it's not used here, but the Windows shim is built from
the tag present in go.mod, so the fix will be in the Windows shim on a new release
of Containerd if this tag is in.
Signed-off-by: Daniel Canter <dcanter@microsoft.com>
Go 1.15.7 contained a security fix for CVE-2021-3115, which allowed arbitrary
code to be executed at build time when using cgo on Windows. This issue also
affects Unix users who have “.” listed explicitly in their PATH and are running
“go get” outside of a module or with module mode disabled.
This issue is not limited to the go command itself, and can also affect binaries
that use `os.Command`, `os.LookPath`, etc.
From the related blogpost (ttps://blog.golang.org/path-security):
> Are your own programs affected?
>
> If you use exec.LookPath or exec.Command in your own programs, you only need to
> be concerned if you (or your users) run your program in a directory with untrusted
> contents. If so, then a subprocess could be started using an executable from dot
> instead of from a system directory. (Again, using an executable from dot happens
> always on Windows and only with uncommon PATH settings on Unix.)
>
> If you are concerned, then we’ve published the more restricted variant of os/exec
> as golang.org/x/sys/execabs. You can use it in your program by simply replacing
This patch replaces all uses of `os/exec` with `golang.org/x/sys/execabs`. While
some uses of `os/exec` should not be problematic (e.g. part of tests), it is
probably good to be consistent, in case code gets moved around.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/pelletier/go-toml/compare/v1.8.1...v1.9.3
- v1.9.3: Clarify license and comply with Apache 2.0
- v1.9.2: Add Encoder.CompactComments to omit extra new line
- v1.9.1: Fix empty trees line counting
v1.9.0
-------------------
The highlight of this version is that the whole toml.Tree structure has been made
public in a backward compatible way. This allows everyone using v1.x to fully
access the data and metadata in the tree to extend the library.
This is hopefully the last release in the v1.x track, as go-toml v2 is the main
focus of development.
What's new
- TOML 1.0.0-rc.3
- Improved default tag for durations
- Provide Tree and treeValue public aliases
- Expose MarshalOrder
- Value string representation public function
Fixed bugs
- Do not allow T-prefix on local dates
- toml.Unmarshaler supports leaf nodes
- Fix date lexer to only support 4-digit year
- Fix ToMap for tables in mixed-type arrays
- Fix ToMap for tables in nested mixed-type arrays
- Support literal multiline marshal
Performance
- Remove date regexp
- Remove underscore regexps
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This brings in some cri api changes for cgroups, Windows pod sandbox security
context changes and some new fields for the Windows version of a privileged
container.
This also unfortunately bumps the prometheus client, grpc middleware, bolt
and klog :(
Signed-off-by: Daniel Canter <dcanter@microsoft.com>
Signed-off-by: Jayme Howard <g.prime@gmail.com>
Run `go mod tidy`
Signed-off-by: Jayme Howard <g.prime@gmail.com>
Follow correct procedure by running `make vendor`
Signed-off-by: Jayme Howard <g.prime@gmail.com>
In containerd 1.5.x, we introduced support for go modules by adding a
go.mod file in the root directory. This go.mod lists all the things
needed across the whole code base (with the exception of
integration/client which has its own go.mod). So when projects that
need to make calls to containerd API will pull in some code from
containerd/containerd, the `go mod` commands will add all the things
listed in the root go.mod to the projects go.mod file. This causes
some problems as the list of things needed to make a simple API call
is enormous. in effect, making a API call will pull everything that a
typical server needs as well as the root go.mod is all encompassing.
In general if we had smaller things folks could use, that will make it
easier by reducing the number of things that will end up in a consumers
go.mod file.
Now coming to a specific problem, the root containerd go.mod has various
k8s.io/* modules listed. Also kubernetes depends on containerd indirectly
via both moby/moby (working with docker maintainers seperately) and via
google/cadvisor. So when the kubernetes maintainers try to use latest
1.5.x containerd, they will see the kubernetes go.mod ending up depending
on the older version of kubernetes!
So if we can expose just the minimum things needed to make a client API
call then projects like cadvisor can adopt that instead of pulling in
the entire go.mod from containerd. Looking at the existing code in
cadvisor the minimum things needed would be the api/ directory from
containerd. Please see proof of concept here:
github.com/google/cadvisor/pull/2908
To enable that, in this PR, we add a go.mod file in api/ directory. we
split the Protobuild.yaml into two, one for just the things in api/
directory and the rest in the root directory. We adjust various targets
to build things correctly using `protobuild` and also ensure that we
end up with the same generated code as before as well. To ensure we
better take care of the various go.mod/go.sum files, we update the
existing `make vendor` and also add a new `make verify-vendor` that one
can run locally as well in the CI.
Ideally, we would have a `containerd/client` either as a standalone repo
or within `containerd/containerd` as a separate go module. but we will
start here to experiment with a standalone api go module first.
Also there are various follow ups we can do, for example @thaJeztah has
identified two tasks we could do after this PR lands:
github.com/containerd/containerd/pull/5716#discussion_r668821396
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
systemd uses SIGRTMIN+n signals, but containerd didn't support the signals
since Go's sys/unix doesn't support them.
This change introduces SIGRTMIN+n handling by utilizing moby/sys/signal.
Fixes#5402.
https://www.freedesktop.org/software/systemd/man/systemd.html#Signals
Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
0.8.18 contains a fix for shim delete behavior, please see:
microsoft/hcsshim#1041
There's no new vendored files as nothing from hcsshim/cmd/containerd-shim-runhcs-v1
gets imported here but for containerd releases the runhcs shim binary is built from whatever
commit is vendored into containerd.
Signed-off-by: Daniel Canter <dcanter@microsoft.com>
Note that this is the code in containerd that uses runc (as almost
a library). Please see the other commit for the update to runc binary
itself.
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
This package as recently updated to add support for Linux on
32-bit PowerPC (ppc), implemented by gccgo.
Signed-off-by: Ben Hutchings <ben.hutchings@essensium.com>
This forces vendoring to only take dependencies of this repository to
be taken into account, effectively cutting the circular dependency (for
the vendored code), and to prevent depending on transitive dependencies
coming from older versions of containerd.
go mod does not allow using the main module as a local "replace" rule using
a path; see golang/go#45492 and golang/go#34417, so instead, an empty module
is used.
One change observed is that older versions containerd depended on an older
version of imgcrypt that had an "indirect" dependency on more current versions
of gopkg.in/yaml.v2 and prometheus/procfs.
For those, a temporary "indirect" dependency was added, until prometheus/client_golang
and kubernetes are updated.
from go mod graph (before):
github.com/containerd/imgcrypt@v1.0.4-0.20210301171431-0ae5c75f59ba gopkg.in/yaml.v2@v2.4.0
github.com/containerd/imgcrypt@v1.0.4-0.20210301171431-0ae5c75f59ba github.com/prometheus/procfs@v0.6.0
For some reason, some older versions of containerd are still taken into account,
causing satori/go.uuid to be added as "indirect" dependency, likely because some
modules have this dependency in their go.sum. This should likely disappear once
those plugins are updated to contain a current version of containerd.
git grep 'github.com/satori/go.uuid'
vendor/github.com/Microsoft/hcsshim/go.sum:github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
vendor/github.com/containerd/aufs/go.sum:github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
vendor/github.com/containerd/imgcrypt/go.sum:github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
vendor/github.com/containerd/nri/go.sum:github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
vendor/github.com/containerd/zfs/go.sum:github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The proto version was updated with cgroup in v1.0.0 but
the protos were not regenerated. The v1.0.1 tag fixes this.
Signed-off-by: Derek McGowan <derek@mcg.dev>
full diff: https://github.com/google/uuid/compare/v1.1.2...v1.2.0
I did not switch to us the `uuid.NewString()` function; we are not currently using
`uuid.New()`, probably because it can `panic` in case an invalid UUID is produced;
in stead we are using `uuid.NewRandom()`, which is equivalent, but returns an
error instead.
Changes:
- v1.2.0: Add NewString()
This release introduces the NewString() function which is the equivalent of
uuid.New().String().
- v1.1.5: Syntactic cleanup
There are no code changes. A missing period was add to a godoc comment and the
linter was told to not complain that the results of hash.Write() are ignored
(the function cannot fail)
- v1.1.4: Further error optimizations
Do not allocate memory for errors (it is only one word)
- v1.1.3: Optimize error reporting
Optimize length of time it takes to discover an input is bad by no longer using
fmt.Errorf, which is quite slow. It now uses a custom error type that formats
the string when the Error method is called rather than when generating the error.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/containernetworking/plugins/compare/v0.8.6...v0.9.1
changes in vendored code:
- (in containernetworking/plugins): Fix race condition in GetCurrentNS
- (in containernetworking/cni): tighten up plugin-finding logic
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Looks like we had our own copy of the "getDevices" code already, so use
that code (which also matches the code that's used to _generate_ the spec,
so a better match).
Moving the code to a separate file, I also noticed that the _unix and _linux
code was _exactly_ the same (baring some `//nolint:` comments), so also
removing the duplicated code.
With this patch applied, we removed the dependency on the libcontainer/devices
package (leaving only libcontainer/user).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Contains "Implements zfs usage by returning the USED field from the zfs snapshot"
(https://github.com/containerd/zfs/pull/38)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
pkg/cap has the full list of the caps (for UT, originally),
so we can drop dependency on github.com/syndtr/gocapability
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
full diff: 0b889c03f1...8a68de567b
- utils: export RunningInUserNS()
- Support updates for net_cls (adds netclsController.Update())
- Only append Hugetlb in Subsystems list when available
- dependency updates (for compatibility with recent Go versions):
- go.mod: github.com/cilium/ebpf v0.2.0
- go.mod: github.com/coreos/go-systemd v22.1.0
- go.mod: sirupsen/logrus v1.7.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
bump version 1.3.2 for gogo/protobuf due to CVE-2021-3121 discovered
in gogo/protobuf version 1.3.1, CVE has been fixed in 1.3.2
Signed-off-by: Aditi Sharma <adi.sky17@gmail.com>
Trying to reduce duplicated effort in maintaining a mountinfo
parser, this patch replaces the local implementation with the
implementation in github.com/moby/sys, which is actively maintained
and contains various optimizations.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
* Update hcsshim to v0.8.14
* Update go-winio to v0.4.16
This brings in some vhd package changes from winio, and the compute storage api bindings for
the shim. This is to facilitate some coming functionality for the windows snapshotter
as well as possibly for future work down the line for the windows differ.
Signed-off-by: Daniel Canter <dcanter@microsoft.com>
The build tag was removed in go-selinux v1.8.0: opencontainers/selinux#132
Related: remove "apparmor" build tag: 0a9147f3aa
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
zstd is a compression algorithm that has a very fast decoder, while
providing also good compression ratios. The fast decoder makes it
suitable for container images, as decompressing the tarballs is a very
expensive operation.
https://github.com/opencontainers/image-spec/pull/788 added support
for zstd to the OCI image specs.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
applyFunc now takes an io.Reader instead of a tar.Reader because I'm
trying to mirror the API of the not-yet-exposed implementation of this
same behaviour in github.com/Microsoft/hcsshim/internal/ociwclayer,
with an eye to later moving to that implementation it is ever exposed.
Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
recent versions of libcontainer/apparmor simplified the AppArmor
check to only check if the host supports AppArmor, but no longer
checks if apparmor_parser is installed, or if we're running
docker-in-docker;
bfb4ea1b1b
> The `apparmor_parser` binary is not really required for a system to run
> AppArmor from a runc perspective. How to apply the profile is more in
> the responsibility of higher level runtimes like Podman and Docker,
> which may do the binary check on their own.
This patch copies the logic from libcontainer/apparmor, and
restores the additional checks.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/sirupsen/logrus/compare/v1.6.0...v1.7.0
removes dependency on github.com/konsorten/go-windows-terminal-sequences
Features:
* a new buffer pool management API has been added
* a set of `<LogLevel>Fn()` functions have been added
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Brings in a variety of changes, mostly to the containerd shim.
There is also a change to the Windows layer unpack code which fixes#4301.
Release link: https://github.com/microsoft/hcsshim/releases/tag/v0.8.10
Signed-off-by: Kevin Parsons <kevpar@microsoft.com>
full diff: https://github.com/containerd/consolve/compare/v1.0.0...v1.0.1
vendor golang.org/x/sys 2334cc1a136f0a5b4384f1a27e3634457be08553
full diff: ed371f2e16...2334cc1a13
- unix: add Darwin support for clonefile syscalls
- Adds openat2 for linux
openat2 is a new syscall added to Linux 5.6. It provides a superset of
openat(2) functionality, extending it with flags telling the kernel how
to resolve the paths.
For more info, see https://lwn.net/Articles/803237/
NOTE that this is a second attempt to add the call; the previous one
(https://golang.org/cl/227280) was reverted
(https://golang.org/cl/227846) due to the test case failure on ARM
(https://golang.org/issue/38357).
This CL has the test case reworked to be less assumptive to the testing
environment. In particular, it first tries if the most simplistic
openat2() call succeeds, and skips the test otherwise. It is done that
way because CI can be under under different kernels and in various
envrionments -- in particular, Docker+seccomp can result in EPERM from a
system call (which is not expected otherwise).
For previous discussions about the test case, see
https://golang.org/cl/227865.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The shim delete action needs bundle information to cleanup resources
created by shim. If the cleanup dead shim is called after delete bundle,
the part of resources maybe leaky.
The ttrpc client UserOnCloseWait() can make sure that resources are
cleanup before delete bundle, which synchronizes task deletion and
cleanup deadshim. It might slow down the task deletion, but it can make
sure that resources can be cleanup and avoid EBUSY umount case. For
example, the sandbox container like Kata/Firecracker might have mount
points over the rootfs. If containerd handles task deletion and cleanup
deadshim parallelly, the task deletion will meet EBUSY during umount and
fail to cleanup bundle, which makes case worse.
And also update cleanupAfterDeadshim, which makes sure that
cleanupAfterDeadshim must be called after shim disconnected. In some
case, shim fails to call runc-create for some reason, but the runc-create
already makes runc-init into ready state. If containerd doesn't call shim
deletion, the runc-init process will be leaky and hold the cgroup, which
makes pod terminating :(.
Signed-off-by: Wei Fu <fuweid89@gmail.com>
The changes needed by opencontainers/selinux are now in a tagged
release. This will make our dependency slightly ahead of what's
used by opencontainers/selinux until a v1.6.1 is tagged.
full diff: https://github.com/willf/bitset/compare/d5bec3311243...v1.1.11
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: f3200d17e0...ab34263943
Worth mentioning that there's a comment updated in golang.org/x/net/websocket:
This package currently lacks some features found in alternative
and more actively maintained WebSocket packages:
https://godoc.org/github.com/gorilla/websockethttps://godoc.org/nhooyr.io/websocket
It's used in k8s.io/apiserver/pkg/util/wsstream/stream.go, so perhaps that should
be reviewed if the alternatives are better for how it's used.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/json-iterator/go/compare/v1.1.9...v1.1.10
- Fix 459 map keys of custom types should serialize using MarshalText when available
- Fix potential panic in (*stringAny).ToInt64 and (*stringAny).ToUint64 (see 450)
- Fix 449 do NOT marshal the field whose name start with underscore
- Reuse stream buffer and remove flush in (*Stream).WriteMore(see 441 440)
- Fix 421 simplify the error string returned by the decoder when it meets error unmarshaling anonymous structs
- Fix 389 411 do NOT marshal the json.RawMessage type field whose real type is integer/float as "null" with ValidateJsonRawMessage option enabled
- Fix 326 do Not marshal private field after calling extra.SetNamingStrategy() to register naming strategy extension
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
8448b92d23...8871d5cdf8
The cgo dependency on libseccomp was removed in containerd/cri#1548.
The `seccomp` build tag is now ignored (and the seccomp support is
always built-in).
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
This will ensure that we can always get the current Windows OS build
version, without being put into Windows 8 compatibility mode.
Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
full diff: d3ef23f19f...efbc4488d8
Fix sameFile() to recognize empty files as the same
- fixes "Empty files can diff as "modified" even when they're not"
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This includes an update of the selinux package and the ability in the CRI
configuration to set the upper bounds for the selinux category labels that are
generated.
Signed-off-by: Michael Crosby <michael@thepasture.io>
full diff: 0dbf7f05ba...318312a373
relevant changes:
- cpuset: typo fix for function name
- Retry file writes on EINTR errors to work with Go 1.14 asynchronous preemption
- Various linting issues and cleanup
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
We had once updated bbolt from v1.3.3 to v1.3.4 in #4134,
but reverted to v1.3.3 in #4156 due to "fatal error: sweep increased
allocation count" (etcd-io/bbolt#214).
The issue was fixed in bbolt v1.3.5 (etcd-io/bbolt#220).
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
How to test (from https://github.com/opencontainers/runc/pull/2352#issuecomment-620834524):
(host)$ sudo swapoff -a
(host)$ sudo ctr run -t --rm --memory-limit $((1024*1024*32)) docker.io/library/alpine:latest foo
(container)$ sh -c 'VAR=$(seq 1 100000000)'
An event `/tasks/oom {"container_id":"foo"}` will be displayed in `ctr events`.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
full diff: 0ec596719c...d3ef23f19f
- fs: support for OpenBSD
- sysx/xattr: fix and improve
- remove Windows' Readlink fork
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- Remove dependency on libcontainer/system
- Get rid of socat for port forwarding
- Roll docker/distribution back to latest (v2.7.1) release
Now that 901bcb2231 was merged in containerd,
we no longer depend on the ParseDockerRef utility from docker/distribution,
so we can safely roll back to the latest release for this dependency.
- vendor: kubernetes v1.18.2
Fix client watch reestablishment handling of client-side timeouts
- Add config flag to default empty seccomp profile
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Now that 901bcb2231 was merged in containerd,
we no longer depend on the ParseDockerRef utility from docker/distribution,
so we can safely roll back to the latest release for this dependency.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Reverts change from tagged versions to sha.
Removes tag ambiguity on what version a sha points to when multiple tags available.
Makes comparing versions from previous releases more straight forward, without parsing potentially incorrect comment.
Fixes sync issue between tag in comment and sha, the selinux comment was incorrect here.
Updates reflect2 library to correctly tagged version, includes global variable fix.
Signed-off-by: Derek McGowan <derek@mcg.dev>
full diff: https://github.com/sirupsen/logrus/compare/v1.5.0...v1.6.0
- Add flag to disable quotes in TextFormatter
- Revert "fix race conditions on entry"
- fixes Deadlock during Entry.Infof after upgrade to v1.5.0
- fixes Deadlock when using WithField inside of hook
- fixes Overly-aggressive mutex locks
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/sirupsen/logrus/compare/v1.4.1...v1.5.0
- Ability to DisableHTMLEscape when using the JSON formatter
- Support/fixes for go 1.14
- Many many bugfixes
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 61b7af7564...dc7afe8fbe
This commit includes moving up to the latest critools(1.18.0).
Signed-off-by: Kohei Tokunaga <ktokunaga.mail@gmail.com>
full diff: 92cb4ed978..61b7af7564
This adds new dependency github.com/fsnotify/fsnotify since 4ce334aa49
Signed-off-by: Kohei Tokunaga <ktokunaga.mail@gmail.com>
- relates to moby/buildkit 1111
- relates to moby/buildkit 1079
- relates to docker/buildx 129
full diff: 9461782956...e31b211e4f
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/go-yaml/yaml/compare/v2.2.4...v2.2.8
includes:
- go-yaml/yaml@f90ceb4 Fix check for non-map alias merging in v2
- fix for "yaml.Unmarshal crashes on "assignment to entry in nil map""
- go-yaml/yaml 543 Port stale simple_keys fix to v2
- go-yaml/yaml@1f64d61 Fix issue in simple_keys improvements
- fixes "Invalid simple_keys now cause panics later in decode"
- go-yaml/yaml 555 Optimize cases with long potential simple_keys
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 60c769a6c5...69ecbb4d6d
Includes 69ecbb4d6d
(forward-port of 8b5121be2f),
to address CVE-2020-7919:
Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte
On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing
functions of golang.org/x/crypto/cryptobyte can lead to a panic.
The malformed certificate can be delivered via a crypto/tls connection to a
client, or to a server that accepts client certificates. net/http clients can
be made to crash by an HTTPS server, while net/http servers that accept client
certificates will recover the panic and are unaffected.
Thanks to Project Wycheproof for providing the test cases that led to the
discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
List generated by running:
`git diff c9d45e652619589b4bf9 vendor.conf`
in the containerd/cri repositoru
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
full diff: f4fb1b73fb...v0.9.4
version v0.9.0 is the minimum tagged version to work with go-metrics v0.0.1,
as it depends on `prometheus.Observer`:
vendor/github.com/docker/go-metrics/timer.go:39:4: undefined: prometheus.Observer
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 4c0e84591b...v1.0.1
- beorn7/perks#3 Avoid iterating on maps
- Speed up InsertTargeted* functions by at least 2x by avoiding iterating on maps.
- beorn7/perks#4 Fixed format error
- Use 1000000 instead of 1e6 for int constant
- Add go module support
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
+ archive: don't convert syscall.Timespec to unix.Timespec
archive/tar_unix.go:179:76: error: invalid type conversion (cannot use type syscall.Timespec as type unix.Timespec)
179 | timespec := []unix.Timespec{unix.Timespec(fs.StatAtime(st)), unix.Timespec(fs.StatMtime(st))}
+ gccgo has no plugin support
https://github.com/golang/go/issues/36403
+ update github.com/containerd/continuity
to include same fix for Timespec
Signed-off-by: Shengjing Zhu <zhsj@debian.org>
* only shim v2 runc v2 ("io.containerd.runc.v2") is supported
* only PID metrics is implemented. Others should be implemented in separate PRs.
* lots of code duplication in v1 metrics and v2 metrics. Dedupe should be separate PR.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Update cri and docker to recent commits for mips enablement
Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
This prepares us to be able to update docker/docker vendoring to a
recent commit.
Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
Updates Microsoft/hcsshim vendor commit hash to a recent version that now:
1. Supports container stats via the Stats RuntimeV2 gRPC call.
2. Fixes a regression when issuing a resize of the pty after the container has
exited which previously in Docker was expected to be a non-error case.
3. Puts in a workaround when using a non-default sandbox size for Windows
containers due to a platform bug. This expansion now happens in the go library
itself.
Signed-off-by: Justin Terry (VM) <juterry@microsoft.com>
full diff: https://github.com/grpc/grpc-go/compare/v1.23.0...v1.23.1
- grpc/grpc-go#3018 server: set and advertise max frame size of 16KB
- grpc/grpc-go#3017 grpclb: fix deadlock in grpclb connection cache
- Before the fix, if the timer to remove a SubConn fires at the
same time NewSubConn cancels the timer, it caused a mutex leak
and deadlock.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This change includes a cri master bump and a cgroup bump for windows support
with cgroup stats and reusing the cgroup metric types.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
The switch to urfave/cli had a use of a /v2 API, which
go modules handles correctly but vndr ignores. Downgrade
urfave/cli for now until the switch to go modules. Add
missing dependencies, which vndr now sees.
Note that CI was not catching this issue, it seems that
some part of the build process was pulling in dependencies
even if they weren't in vendor, causing the build to work.
However the vendor check was not seeing it. The ARM build
didn't pull in other dependencies into the gopath, causing
those builds to break.
Signed-off-by: Derek McGowan <derek@mcgstyle.net>
The climan package has a command that can be registered with any urfav
cli app to generate man pages.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
1. Revendors github.com/Microsoft/hcsshim to the latest known good commit.
This includes numerous bug fixes and improvements.
2. Vendors indirect dependency on go.opencensus.io since hcsshim now uses trace
correlation.
Signed-off-by: Justin Terry (VM) <juterry@microsoft.com>
this brings the dependency back to a released version:
- go.etcd.io/bbolt 2eb7227ade...v1.3.3
- etcd-io/bbolt#153 fix rollback panic bug
- fixesetcd-io/bbolt#152 Panic (index out of range) on writeable tx rollback with db.NoFreelistSync
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
We are separating out the encryption code and have designed a few new
interfaces and APIs for processing content streams. This keep the core
clean of encryption code but enables not only encryption but support of
multiple content types ( custom media types ).
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
bump go-runc to 9007c2405372fe28918845901a3276c0915689a1
in order to support get actually error log if checkpint fail, this
version get two new diff
Add common project content/checks:
8e51df4212
Fix Method of judging command execution
failure:4e99c72acd
Signed-off-by: Ace-Tang <aceapril@126.com>
This also refactors the lcow and windows
snapshotters to use go-winio's utility functions for checking the
filesystem type.
Signed-off-by: Eric Hotinger <ehotinger@gmail.com>
full diff: 32f571b700...689e3c1541
Release notes:
* Version 0.9.1 - May 21, 2019
- Minimum supported version of libseccomp bumped to v2.2.0 (fc0298087f)
- PowerPC and S390(x) architectures are unavailable below library version v2.3.0 and will return errors if used with incompatible libraries
- Use Libseccomp's `seccomp_version` API to retrieve library version
- Unconditionally set TSync attribute for filters, due to Go's heavily threaded nature
- Fix [CVE-2017-18367](https://nvd.nist.gov/vuln/detail/CVE-2017-18367) - Multiple syscall arguments were incorrectly combined with logical-OR, instead of logical-AND (06e7a29f36)
- Fix a failure to build on Debian-based distributions due to CGo code
- Fix unit test failures on 32-bit architectures
- Improve several errors to be more verbose about their causes
- Add support for SCMP_ACT_LOG (with libseccomp versions 2.4.x and higher), permitting syscalls but logging their execution
- Add support for SCMP_FLTATR_CTL_LOG (with libseccomp versions 2.4.x and higher), logging not-allowed actions when they are denied
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Full diff: https://github.com/sirupsen/logrus/compare/v1.3.0...v1.4.1
Fixes:
- Remove dependency on golang.org/x/crypto
- Fix wrong method calls Logger.Print and Logger.Warningln
- Update Entry.Logf to not do string formatting unless the log level is enabled
- Fix infinite recursion on unknown Level.String()
- Fix race condition in getCaller
- Fix Entry.WithContext method to return a copy of the initial entry
New:
- Add DeferExitHandler, similar to RegisterExitHandler but prepending the handler to the list of handlers (semantically like defer)
- Add CallerPrettyfier to JSONFormatter and `TextFormatter`
- Add Entry.WithContext() and Entry.Context, to set a context on entries to be used e.g. in hooks
- Enhance TextFormatter to not print caller information when they are empty
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Docker registries return errors in a know format so this change now checks for these
errors and returns the message field. If the error is not in the expected format fall
back to the original behaviour.
https://github.com/containerd/containerd/issues/3076
Signed-off-by: Jack Baines <jack.baines@uk.ibm.com>
This includes an improved fix for CVE-2019-5736 to reduce the
increased memory-consumption introduced by the original patch,
RHEL 7.6 getting into a loop due to a kernel bug in those kernels,
and improve compatibility with older kernels.
changes included:
- opencontainers/runc#1973 Vendor opencontainers/runtime-spec 29686dbc
- opencontainers/runc#1978 Remove detection for scope properties, which have always been broken
- opencontainers/runc#1963 Vendor in go-criu and use it for CRIU's RPC definition
- opencontainers/runc#1995 exec: expose --preserve-fds
- opencontainers/runc#2000 fix preserve-fds flag may cause runc hang
- opencontainers/runc#1968 Create bind mount mountpoints during restore
- opencontainers/runc#1984 nsenter: cloned_binary: "memfd" cleanups
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Relevant changes:
- ectd-io/bbolt#139 update the freelist readIDs
- etcd-io/bbolt#140 add getFreePageIDs
- etcd-io/bbolt#141 use segregated hashmap to boost the freelist allocate and release performance
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Includes 6635b4f0c6,
which fixes a vulnerability in runc that allows a container escape (CVE-2019-5736)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
```
1152b960fcee041f50df15cdc67c29dbccf801ef (HEAD -> master, origin/master)
Merge pull request #73 from gliptak/gofmt1
afd5981a16647b45b6dba3a50a88418b576cc17d Gofmt cgroup_test
65ce98b3dfeb0a9a8fecd7e4ebffb24ad0bfe28f Merge pull request #69 from
cclerget/master-weight-pointer
0f372c6d4a65a49c72b0afbd1aee6214637958bf Merge pull request #71 from
JoeWrightss/patch-1
f48bd85c9cbc306fada0cebc3a646a1f1fe99afe Fixs return error message
10cd53efd916e22b9bdea67223d287684f57f1f4 Merge pull request #70 from
gliptak/patch-1
64bade4cea6c438ee51a7a12528225946b42c6ca Take value instead of pointer
value
b49c4713f3824e81bfa67faddcdde1414171b54e Correct ineffassign warning
3bc6dde829bc2dc8d4097ce8ad5acc275de3df06 Merge pull request #68 from
cclerget/master-net_prio-typo
6b552a86e60e31903d3f8f3f494eda71f562cc54 Fix net_prio typo
c0437c3dd5958f74d7f54e9f5def749850b9d6a1 Merge pull request #67 from
gpanouts/get-all-cgroup-tasks
a31a0ff985237eddf30d9fe30a3643c7da4ae912 Add functionality for
retrieving all tasks of a cgroup
82cb49fc1779971dfef4ad696f1453f6f44987b1 Merge pull request #63 from
ChrsMark/lenient-subsystems-checking
7d825b29aecc02bb1e9bede427f8ed62bbc3030d Add test for cgroups load when
missing hierarchy in one subsystem
f6cbfb45aec6a2590c7e7f4b84a080602b3e642d Change Load function in order
to be more lenient on subsystems' checking
965bb1da4db7c8ce2690108c5a081562ce7493cb Merge pull request #66 from
crosbymichael/systemdci
ab9ec0e4abde2c2cb999719ff43af2d3b5830f75 (fork/systemdci, systemdci) Add
go-systemd dep for CI testing
0e94a83b6eb6cf4bc05d7f91ec1eaad57a77d3b6 Merge pull request #59 from
gliptak/patch-1
4479d118c89b5500a08cce7a78bbe822229c1e65 Merge pull request #62 from
estesp/fix-gofmt
9beb998c23f510b1e6670ad7791807eb9aff6741 Merge pull request #61 from
gliptak/patch-3
9a09e5899acc95fabcc620d6489fec674e6dddfa Fix gofmt of systemd.go
84e6e6ed2afdf661cd9dbf47c6f3412b546bc67f Merge pull request #60 from
gliptak/patch-2
e13f6cc3b9637c36e6a8af393b561127498f4be5 Add GoReportCard badge to
README
d124595ee85c245e7c1443fe402adf7ce4f7f6a4 Add Go 1.11 to Travis
d961ab930c38eb8bedcded479f1708b2ef4984c5 Correct typo
d2400726cfa7904fb79e3b896ec0e6ae500a76bd Merge pull request #57 from
estesp/project-update
e4cf832b95deb7ce898ece716307abc35cbd0a09 Add project references and use
common project travis
8baeff6b9d069acde48ef1bedec7e0f8ba684f05 Merge pull request #56 from
grantseltzer/patch-1
9de57ffeb46f6179333d7939436d92dcb5631e5f Add godoc badge to README.md
5017d4e9a9cf2d4381db99eacd9baf84b95bfb14 Merge pull request #54 from
WeiZhang555/bugfix
13aaafdc37e772059d3234ec762303537f440c5b Bugfix: can't write to cpuset
cgroup
58556f5ad8448d99a6f7bea69ea4bdb7747cfeb0 Merge pull request #53 from
baude/systemdslicedelegate
15ed73c1c075e6590ecf56170acedcba0da8167e systemd-239+ no longer allows
delegate slice
3024bc7cc0c88af4b32d38a14444f38e65ab169f Merge pull request #52 from
Sykomaniac/bugfix/slice-name
2596f332e449ea374f0f24a977437116714ce7ef Remove call to unitName
2e2922e146ed53ccf4481c245187b6afe244fded Merge pull request #51 from
containerd/type
0f3de2f77d3b76b3871242fbab2a6116179229af (type) Fix empty device type
```
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Signed-off-by: John Howard <jhoward@microsoft.com>
Allows containerd.exe to run as a Windows service. eg
Register: `.\containerd.exe --register-service`
Start: `net start containerd`
...
Stop: `net stop containerd`
Unregister: `.\containerd.exe --unregister-service`
When running as a service, logs will go to the Windows application
event log.
logrus v1.0.3 was the first release that include the change in
terminal_windows.go that stops exec'ing "cmd ver" to obtain the version
information and rather uses the x/sys/crypto/terminal.IsTerminal on the
console fd. On Windows this is a significant performance difference to
avoid the additional process activation of the "cmd ver" for each
invocation of the shim/runhcs executables.
Signed-off-by: Justin Terry (VM) <juterry@microsoft.com>
This includes fixes for user namespaces as well as a long standing bug
for running docker and containerd inside an lxc container.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
This change no longer requires the use of a UtlityVM on Windows to convert the
layer tar to an ext4 vhd for LCOW. This has a significant performance boost
that makes linux/amd64 layer extraction comparable to native Linux performance.
Signed-off-by: Justin Terry (VM) <juterry@microsoft.com>
Revendors to Microsoft/hcsshim v0.7.5 that added support for logging all
runhcs.exe commands via Windows named pipes. This now launches all runhcs.exe
commands and forwards debug logging to the containerd-shim-runhcs log when
with --debug.
Signed-off-by: Justin Terry (VM) <juterry@microsoft.com>
Signed-off-by: John Howard <jhoward@microsoft.com>
This is the maintained version of boltdb, which includes the Windows-specific fix
detailed in https://github.com/etcd-io/bbolt/pull/122
This has releases, and the vendored version is very old predating
the change from LGPL to Apache licensing.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
This makes sure that runc does not get any valid IO for the pipe. Some
builds and other containers will be stuck if they inspect stdin
expecially and its a pipe but not connected to any user input.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Some images like `criu` will have extra libs that it requires. This
adds lib support via LD_LIBRARY_PATH and InstallOpts
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
github.com/gotestyourself/gotestyourself moved to gotest.tools with
version 2.0.0. Moving to that one, bumping it to v2.1.0.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
This change allows implementations to resolve the location of the actual data
using OCI descriptor fields such as MediaType.
No OCI descriptor field is written to the store.
No change on gRPC API.
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
This seems to pickup a bunch of *.c files and some other changes which follow
from having included some new packages because of that.
Signed-off-by: Ian Campbell <ian.campbell@docker.com>
This renames the license file (so automated tooling can find it, which I care
about) and also pulls in some documentation and comment changes, plus some
functional changes:
PR#33 -- future-proof the algorithm field.
PR#34 -- disallow upper case in hex portion.
No changes appear to be required to containerd code.
Signed-off-by: Ian Campbell <ian.campbell@docker.com>
This version includes "x/net/context" which is fully compatible with
the standard Go "context" package, so the two can be mixed together.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
We move from having our own generated version of the googleapis files to
an upstream version that is present in gogo. As part of this, we update
the protobuf package to 1.0 and make some corrections for slight
differences in the generated code.
The impact of this change is very low.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
Allows the client to choose the context to finish the lease.
This allows the client to switch contexts when the main context
used to the create the lease may have been cancelled.
Signed-off-by: Derek McGowan <derek@mcgstyle.net>
I noticed this file showed up when revendoring dependencies
with vndr.
Also removed `github.com/Microsoft/opengcs` from vendor.conf
as it was not used;
2017/12/05 22:41:58 WARNING: package github.com/Microsoft/opengcs is unused, consider removing it from vendor.conf
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Because of a side-effect import, we have the possibility of pulling in
several unnecessary packages that are used by the plugin and not at
runtime to implement protobuf structures. Setting these imports to
`weak` prevents this from happening, reducing the total import set,
reducing memory usage and binary size.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
This bumps the runc version to 74a17296470088de3805e138d3d87c62e613dfc4
that includes various fixes.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
This change removes the ClearONLCR from the console package providing
a console with the default settings from the console package.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Depends on https://github.com/containerd/go-runc/pull/24
The is currently a race with the reaper where you could miss some exit
events from processes.
The problem before and why the reaper was so complex was because
processes could fork, getting a pid, and then fail on an execve before
we would have time to register the process with the reaper. This could
cause pids to fill up in a map as a way to reduce the race.
This changes makes the reaper handle multiple subscribers so that the
caller can handle locking, for when they want to wait for a specific
pid, without affecting other callers using the reaper code.
Exit events are broadcast to multiple subscribers, in the case, the runc
commands and container pids that we get from a pid-file. Locking while
the entire container stats no longs affects runc commands where you want
to call `runc create` and wait until that has been completed.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
This resolves logrus issues with containerd not being in sync with the
version runc is using.
This also updates the OCI runtime spec to v1.0.0
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
The race usually happens when `closeHandle()` and `prepareIo()` are called
concurrently; the former tries to set `closing` to `true` the latter tries
to read its value.
In order to avoid this issue, we added a lock around the variable.
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
events: update events package to include emitter and use envelope proto
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
events: add events service
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
events: enable events service and update ctr events to use events service
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
event listeners
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
events: helper func for emitting in services
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
events: improved cli for containers and tasks
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
create event envelope with poster
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
events: introspect event data to use for type url
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
events: use pb encoding; add event types
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
events: instrument content and snapshot services with events
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
events: instrument image service with events
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
events: instrument namespace service with events
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
events: add namespace support
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
events: only send events from namespace requested from client
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
events: switch to go-events for broadcasting
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
Updates content service to handle lock errors and return
them to the client. The client remote handler has been
updated to retry when a resource is locked until the
resource is unlocked or the expected resource exists.
Signed-off-by: Derek McGowan <derek@mcgstyle.net>
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Update go-runc to 49b2a02ec1ed3e4ae52d30b54a291b75
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Add shim to restore creation
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Keep checkpoint path in service
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Add C/R to non-shim build
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Checkpoint rw and image
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Pause container on bind checkpoints
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Return dump.log in error on checkpoint failure
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Pause container for checkpoint
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Update runc to 639454475cb9c8b861cc599f8bcd5c8c790ae402
For checkpoint into to work you need runc version
639454475cb9c8b861cc599f8bcd5c8c790ae402 + and criu 3.0 as this is what
I have been testing with.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Move restore behind create calls
This remove the restore RPCs in favor of providing the checkpoint
information to the `Create` calls of a container. If provided, the
container will be created/restored from the checkpoint instead of an
existing container.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Regen protos after rebase
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
For runtime and image spec from OCI, reference the actual versions
instead of a git hash for clarity on versions in use.
Actual impact was zero; runtime spec was the exact hash of the released
rc5 already, image spec was one commit behind the tagged release, but
made no code changes other than version string.
Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
Update go-runc to master with portability fixes.
Subreaper only exists on Linux, and only Linux runs the shim in a
mount namespace.
With these changes the shim compiles on Darwin, which means the
whole build compiles without errors now.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
This updates containerd to use the latest versions of cgroups, fifo,
console, and go-runc from the containerd org.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
This mainly fixes Linux vs generic Unix differences, with some
differences between Darwin and Freebsd (which are close bit not
identical). Should make fixing for other Unix platforms easier.
Note there are not yet `runc` equivalents for these platforms;
my current use case is image manipulation for the `moby` tool.
However there is interest in OCI runtime ports for both platforms.
Current status is that MacOS can build and run `ctr`, `dist`
and `containerd` and some operations are supported. FreeBSD 11
still needs some more fixes to continuity for extended attributes.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Adjust paths that were not canonical.
Add nested vendors that are required.
Now no errors with latest `vndr`.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
This fixes the ugly build errors on Alpine Linux which the old version gave
from C type mismatches, and now gives a nice neat line of whales on build...
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Also remove the comment fields in the vndr script, they are too hard to
keep up to date and add little value when we have the git commit
timestamps
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
That is, e55af28bae.
Since f77ece9cb5
the license files regex is case insensitive which picks up one more file.
Signed-off-by: Ian Campbell <ian.campbell@docker.com>
Updates to the gogo/protobuf dependency are required to correctly
generate time types. We also remove an unused windows dependency.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
This adds a config file for containerd configuration. It is hard to
have structure data on cli flags and the config file should be used for
the majority of fields when configuring containerd.
There are still a few flags on the daemon that override config file
values but flags should take a back seat going forward and should be
kept at a minimum.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
We now include btrfs in the snapshot driver test suite. This includes
the addition of parent links and name hashing into the btrfs driver.
We'll probably endup replacing this with a common metadata store, as
these relationships are generally identical between implementations.
A small bug was discovered in the delete implementation in the course
testing, so the btrfs package has been updated with a fix.
The overlay driver was modified accordingly with the btrfs driver to use
`Driver` as the exported type of each driver packge.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
With this changeset we introduce several new things. The first is the
top-level dist command. This is a toolkit that implements various
distribution primitives, such as fetching, unpacking and ingesting.
The first component to this is a simple `fetch` command. It is a
low-level command that takes a "remote", identified by a `locator`, and
an object identifier. Keyed by the locator, this tool can identify a
remote implementation to fetch the content and write it back to standard
out. By allowing this to be the unit of pluggability in fetching
content, we can have quite a bit of flexibility in how we retrieve
images.
The current `fetch` implementation provides anonymous access to docker
hub images, through the namespace `docker.io`. As an example, one can
fetch the manifest for `redis` with the following command:
```
$ ./dist fetch docker.io/library/redis latest mediatype:application/vnd.docker.distribution.manifest.v2+json
```
Note that we have provided a mediatype "hint", nudging the fetch
implementation to grab the correct endpoint. We can hash the output of
that to fetch the same content by digest:
```
$ ./dist fetch docker.io/library/redis sha256:$(./dist fetch docker.io/library/redis latest mediatype:application/vnd.docker.distribution.manifest.v2+json | shasum -a256)
```
Note that the hint is now elided, since we have affixed the content to a
particular hash.
If you are not yet entertained, let's bring `jq` and `xargs` into the
mix for maximum fun. The following incantation fetches the same manifest
and downloads all layers into the convenience of `/dev/null`:
```
$ ./dist fetch docker.io/library/redis sha256:a027a470aa2b9b41cc2539847a97b8a14794ebd0a4c7c5d64e390df6bde56c73 | jq -r '.layers[] | .digest' | xargs -n1 -P10 ./dist fetch docker.io/library/redis > /dev/null
```
This is just the beginning. We should be able to centralize
configuration around fetch to implement a number of distribution
methodologies that have been challenging or impossible up to this point.
The `locator`, mentioned earlier, is a schemaless URL that provides a
host and path that can be used to resolve the remote. By dispatching on
this common identifier, we should be able to support almost any protocol
and discovery mechanism imaginable.
When this is more solidified, we can roll these up into higher-level
operations that can be orchestrated through the `dist` tool or via GRPC.
What a time to be alive!
Signed-off-by: Stephen J Day <stephen.day@docker.com>
