This patch release includes just a fix to skip userns tests on host that
don't support the feature. See:
https://github.com/kubernetes-sigs/cri-tools/releases/tag/v1.30.1
This is needed for CI to work fine when we update to runc 1.2 (not yet
released). It is also a blocker for the final runc release to make sure
it works in all known downstreams. This makes it work fine here :)
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
slow_chown is safe to add on all kernels, and when running in old
kernels (as some CI distros on purpose are), we want the expensive
fallback.
Vagrant setup and others use this script to config containerd. This
fixes userns tests with runc 1.2.0-rc.2 when running with old kernels.
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
When runc 1.2.0 is released, it will expose support for userns and
therefore the critest suite will run those tests. The thing is, runc
needs to be able to traverse the path to mount the rootfs on itself.
Let's just mark the paths from the BDIR upwards with +x permissions, so
the tests run fine. Containerd already makes sure that the paths below
(the ones it creates) have the right permissions and for the right
group, etc.
I've tested with runc 1.2.0-rc.2 and CI fails without this path, with
this patch it works just fine.
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
This functionality is not directly related to containerd and could move
to external package at some point.
Signed-off-by: Derek McGowan <derek@mcg.dev>
commit 149ca6880a updated the hcsshim
module to v0.12.4, but did not add a commit to also update the runhcs
binary version.
full diff: https://github.com/microsoft/hcsshim/compare/v0.12.3...v0.12.4
These versions are decoupled since 15b13fb3ea
to allow updating the binary version without updating the module, in cases
where the module doesn't require updates.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
A nil CRIImplementation field can cause a nil pointer dereference and
panic during startup recovery.
Prior to this change, the nri.API struct would have a nil cri
(CRIImplementation) field after nri.NewAPI until nri.Register was
called. Register is called mid-way through initialization of the CRI
plugin, but recovery for containers occurs prior to that. Container
recovery includes establishing new exit monitors for existing containers
that were discovered. When a container exits, NRI plugins are given the
opportunity to be notified about the lifecycle event, and this is done
by accessing that CRIImplementation field inside the nri.API. If a
container exits prior to nri.Register being called, access to the
CRIImplementation field can cause a panic.
Here's the call-path:
* The CRI plugin starts running
[here](ae71819c4f/pkg/cri/server/service.go (L222))
* It then [calls into](ae71819c4f/pkg/cri/server/service.go (L227))
`recover()` to recover state from previous runs of containerd
* `recover()` then attempts to recover all containers through
[`loadContainer()`](ae7d74b9e2/internal/cri/server/restart.go (L175))
* When `loadContainer()` finds a container that is still running, it waits
for the task (internal containerd object) to exit and sets up
[exit monitoring](ae7d74b9e2/internal/cri/server/restart.go (L391))
* Any exit that then happens must be
[handled](ae7d74b9e2/internal/cri/server/events.go (L145))
* Handling an exit includes
[deleting the Task](ae7d74b9e2/internal/cri/server/events.go (L188))
and specifying [`nri.WithContainerExit`](ae7d74b9e2/internal/cri/nri/nri_api_linux.go (L348))
to [notify](ae7d74b9e2/internal/cri/nri/nri_api_linux.go (L356))
any subscribed NRI plugins
* NRI plugins need to know information about the pod (not just the sandbox),
so before a plugin is notified the NRI API package
[queries the Sandbox Store](ae7d74b9e2/internal/cri/nri/nri_api_linux.go (L232))
through the CRI implementation
* The `cri` implementation member field in the `nri.API` struct is set as part of the
[`Register()`](ae7d74b9e2/internal/cri/nri/nri_api_linux.go (L66)) method
* The `nri.Register()` method is only called
[much further down in the CRI `Run()` method](ae71819c4f/pkg/cri/server/service.go (L279))
Signed-off-by: Samuel Karp <samuelkarp@google.com>
Implement calls to the fsverity kernel module, allowing containerd to
enable fsverity on blob data in the content store. This causes fsverity
to veirfy the integrity of blob data when the blob is read.
Signed-off-by: James Jenkins <James.Jenkins@ibm.com>
The behavior of this function is quite counter-intuitive, as it preserves
the delimiter in the result, and its use for external consumers would be
very limited.
Spec.Digest no longer uses this function, and it appears that BuildKit is
currently the only (publicly visible) external consumer of it.
This patch deprecates the function.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The behavior of this function is quite counter-intuitive, as it preserves
the delimiter in the result. This function should probably have been an
internal function, as its use for external consumers would be very limited,
but let's at least document the (surprising) behavior for those that are
considering to use it.
It appears that BuildKit is currently the only (publicly visible) external
consumer of this function; I am planning to inline its functionality in
Spec.Digest() and to deprecate this function so that it can be removed.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
These were straight concatenations of strings; reduce some allocations by
removing fmt.Sprintf for this.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
