This call is what is used to implement `dmesg` to get kernel messages
about the host. This can leak substantial information about the host.
It is normally available to unprivileged users on the host, unless
the sysctl `kernel.dmesg_restrict = 1` is set, but this is not set
by standard on the majority of distributions. Blocking this to restrict
leaks about the configuration seems correct.
Relates to docker/docker#37897 "docker exposes dmesg to containers by default"
See also https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This prevents packages with no Go included files due to build constraints
being included in the package list. These packages cause the test command
to fail with "can't load package build constraints exclude all Go files".
Signed-off-by: Derek McGowan <derek@mcg.dev>
The rollback mechanism is implemented by calling deleteDevice() and
RemoveDevice(). But RemoveDevice() is internally calling
deleteDevice() as well.
Since a device will be deleted by first deleteDevice(),
RemoveDevice() always will see ENODATA. The specific error must be
ignored to remove the device's metadata correctly.
Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
According to the systemd documentation, `infinity` can be used for all limits;
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Process%20Properties
> Resource limits may be specified in two formats: either as single value to set a
> specific soft and hard limit to the same value, or as colon-separated pair soft:hard
> (...) Use the string infinity to configure no limit on a specific resource.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
* `-linkmode external` is required since Go 1.15 for static builds: https://github.com/golang/go/issues/40711
* Clarify the meaning of "loading plugins"
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Add installation scripts needed to generate CRI + CNI tar package on
release.
Update Github action release script to generate CRI release tarballs for
Linux and Windows.
Signed-off-by: Derek McGowan <derek@mcg.dev>
Expose environment variables in the GCE containerd configuration
script for configuring an additional runtime handler. This unblocks
E2E testing of custom runtime handlers.
Signed-off-by: Tim Allclair <tallclair@google.com>
