Go 1.15.7 contained a security fix for CVE-2021-3115, which allowed arbitrary
code to be executed at build time when using cgo on Windows. This issue also
affects Unix users who have “.” listed explicitly in their PATH and are running
“go get” outside of a module or with module mode disabled.
This issue is not limited to the go command itself, and can also affect binaries
that use `os.Command`, `os.LookPath`, etc.
From the related blogpost (ttps://blog.golang.org/path-security):
> Are your own programs affected?
>
> If you use exec.LookPath or exec.Command in your own programs, you only need to
> be concerned if you (or your users) run your program in a directory with untrusted
> contents. If so, then a subprocess could be started using an executable from dot
> instead of from a system directory. (Again, using an executable from dot happens
> always on Windows and only with uncommon PATH settings on Unix.)
>
> If you are concerned, then we’ve published the more restricted variant of os/exec
> as golang.org/x/sys/execabs. You can use it in your program by simply replacing
This patch replaces all uses of `os/exec` with `golang.org/x/sys/execabs`. While
some uses of `os/exec` should not be problematic (e.g. part of tests), it is
probably good to be consistent, in case code gets moved around.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Looking at how this image is used, I think we don't even need the
source in the final image, so we can build containerd in a separate
stage, and copy the binaries.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Not critical for intermediate stages, but a minor optimization to
reduce the image cache. Ideally, this would use cache-mounts for this,
but those may not be supported by podman, so taking the traditional
approach.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Building critools only requires the install script and the critools-version
file (to determin the version to build). Moving it to a separate stage
prevents rebuilding it if unrelated changes are made in the code.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Building cni only requires the install script, and the go.mod (to determin
the version to install). Moving it to a separate stage prevents it from
being rebuilt if unrelated changes were made in the codebase.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This allows for easier copying artifacts from stages, by just copying
the directory content to the stage where it's used. These stages are
not used to be run individually so do not have to be "runnable".
Each stage is "responsible" for colllecting all aftifacts in the directory,
so that "consumer" stages do not have to be aware of what needs to be copied.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This makes the following changes:
- The containerd/config.toml, and docker-entrypoint.sh only occasionally change,
so copy them before copying the source code to allow them to be cached.
- The cri-in-userns stage does not need files from proto3, so do not copy them
- The dev environment does need the file from the proto3 stage, so copy them there.
- Change the order of stages. Our CI uses `podman build` which (I think) does not
skips stages that are not used for the specified target (like BuildKit does).
So I moved stages that are not used for the `cri-in-userns` after that stage.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The `cri-in-userns` stage is for testing "CRI-in-UserNS", which should be used in conjunction with "Kubelet-in-UserNS":
https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/2033-kubelet-in-userns-aka-rootless
This feature is mostly expected to be used for `kind` and `minikube`.
Requires Rootless Docker/Podman/nerdctl with cgroup v2 delegation: https://rootlesscontaine.rs/getting-started/common/cgroup2/
(Rootless Docker/Podman/nerdctl prepares the UserNS, so we do not need to create UserNS by ourselves)
Usage:
```
podman build --target cri-in-userns -t cri-in-userns -f contrib/Dockerfile.test .
podman run -it --rm --privileged cri-in-userns
```
The stage is tested on CI with Rootless Podman on Fedora 34 on Vagrant.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Note that this is the code in containerd that uses runc (as almost
a library). Please see the other commit for the update to runc binary
itself.
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
This moves the runc version to build to scripts/setup/runc-version,
which makes it easier for packagers to find the default version
to use.
The RUNC_VERSION environment variable can still be used to override
the version, which can be used (e.g.) to test against different versions
in our CI.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Now that the dependency on runc (libcontaienr) code has been reduced
considerably, it is probbaly ok to cut the version dependency between
libcontainer and the runc binary that is supported.
This patch separates the runc binary version from the version of
libcontainer that is defined in go.mod, and updates the documentation
accordingly.
The RUNC_COMMIT variable in the install-runc script is renamed to
RUNC_VERSION to encourage using tagged versions, and the Dockerfile
in contrib is updated to allow building with a custom version.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This function will be used by nerdctl for printing the default AppArmor
profile: `nerdctl system inspect apparmor-profile`
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
