Lantao Liu
4453aac005
Improve gce bootstrapping in various ways.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:08 -07:00
Lantao Liu
1bd3cdc572
Add cni config template support.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:07 -07:00
Lantao Liu
d520fac508
Enable TLS streaming in all the setup.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:07 -07:00
Lantao Liu
cdb4aec93a
Use systemd service cgroup and oom score adj.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:07 -07:00
Lantao Liu
af8bd80689
Fix for kube-up.sh and update several documents.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:07 -07:00
Lantao Liu
005da4a9b9
Replace ctrcri with ctr cri.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:07 -07:00
Lantao Liu
0e2bd216ce
Update GCE cluster bootstrapping and e2e test
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:07 -07:00
Lantao Liu
59e65e1f37
Enable container log rotation.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:07 -07:00
Lantao Liu
85b4e69c9f
Do not block on stream server close.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:07 -07:00
Lantao Liu
2ea6584ca7
Add initial wait for health-monitor and use pkill -x.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:07 -07:00
Lantao Liu
56b7ef2c4d
The ENV is finalized as KUBE_KUBELET_EXTRA_ARGS.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:06 -07:00
Mike Brown
24a3a0a068
change crictl sandboxes to pods; other references to sandboxes
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
2020-08-11 09:15:06 -07:00
Lantao Liu
8bc30e7a2e
Update ocicni to main stream.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:06 -07:00
Lantao Liu
a010715584
Add a separate CLI for cri-containerd ctrcri.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:06 -07:00
Lantao Liu
a843a30645
Use registry-1.docker.io as backup
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:06 -07:00
Lantao Liu
ec649079a9
Put version into metadata so that version won't be changed across restart.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:06 -07:00
Lantao Liu
7cbc1c8dc3
Set registry mirror.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:06 -07:00
Lantao Liu
9f0816ac43
Configure container runtime cgroups for cgroup.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:06 -07:00
Lantao Liu
be72f47ec9
Add runtime cgroup and fix a cli panic.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:05 -07:00
Lantao Liu
680e21c430
Update all glog flags to log-level.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:05 -07:00
Lantao Liu
d50b9dd64c
Update containerd to 6c7abf7c76c1973d4fb4b0bad51691de84869a51.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:05 -07:00
Lantao Liu
869ea6b0c8
Add document for kube-up.sh
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:05 -07:00
Lantao Liu
30cbfb62ec
Add OS and arch in release tarball.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:05 -07:00
Lantao Liu
0512d1e0b2
Add cluster directory and health-monitor.sh.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:05 -07:00
Sebastiaan van Stijn
55c9eade39
Bump Golang 1.13.15
full diff: https://github.com/golang/go/compare/go1.13.14...go1.13.15
go1.13.15 (released 2020/08/06) includes security fixes to the encoding/binary
package. See the Go 1.13.15 milestone on the issue tracker for details.
https://github.com/golang/go/issues?q=milestone%3AGo1.13.15+label%3ACherryPickApproved
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-08-08 15:07:28 +02:00
Sebastiaan van Stijn
089672fff4
Bump Golang 1.13.14
full diff: https://github.com/golang/go/compare/go1.13.13...go1.13.14
go1.13.14 (released 2020/07/16) includes fixes to the compiler, vet, and the
database/sql, net/http, and reflect packages. See the Go 1.13.14 milestone on
the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.13.14+label%3ACherryPickApproved
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-07-17 15:37:52 +02:00
Akihiro Suda
c520f819a2
Bump Go 1.13.13
Includes security fixes to the `crypto/x509` and `net/http` packages.
https://github.com/golang/go/issues?q=milestone%3AGo1.13.13+label%3ACherryPickApproved
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-07-15 14:24:48 +09:00
Florian Schmaus
e977564a8b
seccomp: allow 'rseq' syscall in default seccomp profile
Restartable Sequences (rseq) are a kernel-based mechanism for fast
update operations on per-core data in user-space. Some libraries, like
the newest version of Google's TCMalloc, depend on it [1].
This also makes Docker's default seccomp profile on par with systemd's,
which enabled 'rseq' in early 2019 [2].
1: https://google.github.io/tcmalloc/design.html
2: systemd/systemd@6fee3be
Signed-off-by: Florian Schmaus <flo@geekplace.eu>
2020-06-26 17:10:05 +02:00
Wei Fu
e89500bcb0
Merge pull request #4333 from AkihiroSuda/golang-1.13.12
Bump Golang 1.13.12
2020-06-23 08:54:05 +08:00
Davanum Srinivas
2b0a994ccc
explicitly fail apparmor when !linux
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2020-06-22 12:54:09 -04:00
Akihiro Suda
1a83f9a638
Bump Golang 1.13.12
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-06-22 16:49:31 +09:00
Michael Crosby
0f831093ce
Update usage of whitelist in project
Signed-off-by: Michael Crosby <michael@thepasture.io>
2020-06-08 12:49:22 -05:00
Kenta Tada
03755821d2
seccomp: remove the unused query_module(2)
query_module(2) is only in kernels before Linux 2.6.
Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>
2020-05-19 10:36:55 +09:00
Phil Estes
d7c4bda3b1
Merge pull request #4264 from thaJeztah/seccomp_allow_clock_adjtime
seccomp: Whitelist `clock_adjtime`
2020-05-18 09:36:08 -04:00
Stanislav Levin
5765991f2c
seccomp: Whitelist clock_adjtime
This only allows making the syscall. CAP_SYS_TIME is still required
for time adjustment (enforced by the kernel):
```
kernel/time/posix-timers.c:
1112 SYSCALL_DEFINE2(clock_adjtime, const clockid_t, which_clock,
1113 struct __kernel_timex __user *, utx)
...
1121 err = do_clock_adjtime(which_clock, &ktx);
1100 int do_clock_adjtime(const clockid_t which_clock, struct __kernel_timex * ktx)
1101 {
...
1109 return kc->clock_adj(which_clock, ktx);
1299 static const struct k_clock clock_realtime = {
...
1304 .clock_adj = posix_clock_realtime_adj,
188 static int posix_clock_realtime_adj(const clockid_t which_clock,
189 struct __kernel_timex *t)
190 {
191 return do_adjtimex(t);
kernel/time/timekeeping.c:
2312 int do_adjtimex(struct __kernel_timex *txc)
2313 {
...
2321 /* Validate the data before disabling interrupts */
2322 ret = timekeeping_validate_timex(txc);
2246 static int timekeeping_validate_timex(const struct __kernel_timex *txc)
2247 {
2248 if (txc->modes & ADJ_ADJTIME) {
...
2252 if (!(txc->modes & ADJ_OFFSET_READONLY) &&
2253 !capable(CAP_SYS_TIME))
2254 return -EPERM;
2255 } else {
2256 /* In order to modify anything, you gotta be super-user! */
2257 if (txc->modes && !capable(CAP_SYS_TIME))
2258 return -EPERM;
```
Fixes: moby/moby 40919
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-05-17 23:11:04 +02:00
Sebastiaan van Stijn
d07a71b97f
Bump Golang 1.13.11
full diff: https://github.com/golang/go/compare/go1.13.10...go1.13.11
go1.13.11 (released 2020/05/14) includes fixes to the compiler. See the Go 1.13.11
milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.13.11+label%3ACherryPickApproved
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-05-16 14:57:04 +02:00
Sebastiaan van Stijn
7da1e13b5d
Bump Golang 1.13.10
go1.13.10 (released 2020/04/08) includes fixes to the go command, the runtime,
os/exec, and time packages. See the Go 1.13.10 milestone on the issue tracker
for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.13.10+label%3ACherryPickApproved
full diff: https://github.com/golang/go/compare/go1.13.9...go1.13.10
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-04-09 22:03:48 +02:00
Sebastiaan van Stijn
aa76d95375
Bump Golang 1.13.9
go1.13.9 (released 2020/03/19) includes fixes to the go command, tools, the
runtime, the toolchain, and the crypto/cipher package. See the Go 1.13.9
milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.13.9+label%3ACherryPickApproved
full diff: https://github.com/golang/go/compare/go1.13.8...go1.13.9
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-04-03 19:55:37 +02:00
Sebastiaan van Stijn
9529c69b8a
seccomp: add 64-bit time_t syscalls
Relates to https://patchwork.kernel.org/patch/10756415/
Added to whitelist:
- `clock_getres_time64` (equivalent of `clock_getres`, which was whitelisted)
- `clock_gettime64` (equivalent of `clock_gettime`, which was whitelisted)
- `clock_nanosleep_time64` (equivalent of `clock_nanosleep`, which was whitelisted)
- `futex_time64` (equivalent of `futex`, which was whitelisted)
- `io_pgetevents_time64` (equivalent of `io_pgetevents`, which was whitelisted)
- `mq_timedreceive_time64` (equivalent of `mq_timedreceive`, which was whitelisted)
- `mq_timedsend_time64` (equivalent of `mq_timedsend`, which was whitelisted)
- `ppoll_time64` (equivalent of `ppoll`, which was whitelisted)
- `pselect6_time64` (equivalent of `pselect6`, which was whitelisted)
- `recvmmsg_time64` (equivalent of `recvmmsg`, which was whitelisted)
- `rt_sigtimedwait_time64` (equivalent of `rt_sigtimedwait`, which was whitelisted)
- `sched_rr_get_interval_time64` (equivalent of `sched_rr_get_interval`, which was whitelisted)
- `semtimedop_time64` (equivalent of `semtimedop`, which was whitelisted)
- `timer_gettime64` (equivalent of `timer_gettime`, which was whitelisted)
- `timer_settime64` (equivalent of `timer_settime`, which was whitelisted)
- `timerfd_gettime64` (equivalent of `timerfd_gettime`, which was whitelisted)
- `timerfd_settime64` (equivalent of `timerfd_settime`, which was whitelisted)
- `utimensat_time64` (equivalent of `utimensat`, which was whitelisted)
Not added to whitelist:
- `clock_adjtime64` (equivalent of `clock_adjtime`, which was not whitelisted)
- `clock_settime64` (equivalent of `clock_settime`, which was not whitelisted)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-03-25 14:07:38 +01:00
Sebastiaan van Stijn
499ab8a99a
Update Golang 1.13.8
full diff: https://github.com/golang/go/compare/go1.13.7...go1.13.8
go1.13.8 (released 2020/02/12) includes fixes to the runtime, the crypto/x509,
and net/http packages. See the Go 1.13.8 milestone on the issue tracker for details.
https://github.com/golang/go/issues?q=milestone%3AGo1.13.8+label%3ACherryPickApproved
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-02-17 17:18:25 +01:00
Shengjing Zhu
348e683ceb
Fix zsh autocomplete script
Fix completion when argument starts with `-`
Merged in upstream https://github.com/urfave/cli/pull/1062
Signed-off-by: Shengjing Zhu <zhsj@debian.org>
2020-02-11 19:56:27 +08:00
Sebastiaan van Stijn
32ba75f0fb
Update Golang 1.13.7 (CVE-2020-0601, CVE-2020-7919)
full diff: https://github.com/golang/go/compare/go1.13.6...go1.13.7
go1.13.7 (released 2020/01/28) includes two security fixes. One mitigates
the CVE-2020-0601 certificate verification bypass on Windows. The other affects
only 32-bit architectures.
https://github.com/golang/go/issues?q=milestone%3AGo1.13.7+label%3ACherryPickApproved
- X.509 certificate validation bypass on Windows 10
A Windows vulnerability allows attackers to spoof valid certificate chains when
the system root store is in use. These releases include a mitigation for Go
applications, but it's strongly recommended that affected users install the
Windows security update to protect their system.
This issue is CVE-2020-0601 and Go issue golang.org/issue/36834.
- Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte
On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing
functions of golang.org/x/crypto/cryptobyte can lead to a panic.
The malformed certificate can be delivered via a crypto/tls connection to a
client, or to a server that accepts client certificates. net/http clients can
be made to crash by an HTTPS server, while net/http servers that accept client
certificates will recover the panic and are unaffected.
Thanks to Project Wycheproof for providing the test cases that led to the
discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837.
This is also fixed in version v0.0.0-20200124225646-8b5121be2f68 of golang.org/x/crypto/cryptobyte.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-01-28 18:35:49 +01:00
Sebastiaan van Stijn
94964b36d0
Update Golang 1.13.6
full diff: https://github.com/golang/go/compare/go1.13.5...go1.13.6
go1.13.6 (released 2020/01/09) includes fixes to the runtime and the net/http
package. See the Go 1.13.6 milestone on the issue tracker for details.
https://github.com/golang/go/issues?q=milestone%3AGo1.13.6+label%3ACherryPickApproved
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-01-17 15:54:16 +01:00
Derek McGowan
123af61c0b
Add Cleanup to snapshot API
Cleanup is an optional method a snapshotter may implement.
Cleanup can be used to cleanup resources after a snapshot
has been removed. This function allows a snapshotter to defer
longer resource cleanup until after snapshot removals are
completed. Adding this to the API allows proxy snapshotters
to leverage this enhancement.
Signed-off-by: Derek McGowan <derek@mcgstyle.net>
2020-01-07 14:59:20 -08:00
Sebastiaan van Stijn
c07e356d29
Update Golang 1.13.5
go1.13.5 (released 2019/12/04) includes fixes to the go command, the runtime, the
linker, and the net/http package. See the Go 1.13.5 milestone on our issue tracker
for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.13.5+label%3ACherryPickApproved
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-12-23 15:27:18 +01:00
Wei Fu
f684e5a775
Merge pull request #3815 from estesp/fix-Dockerfile
Update name for btrfs headers package
2019-11-11 14:12:27 +08:00
Phil Estes
fda652be5a
Update name for btrfs headers package
Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
2019-11-09 15:22:35 -05:00
Sebastiaan van Stijn
608791bfc3
Update to Golang 1.13.4
go1.13.4 (released 2019/10/31) includes fixes to the net/http and syscall
packages. It also fixes an issue on macOS 10.15 Catalina where the non-
notarized installer and binaries were being rejected by Gatekeeper.
See the Go 1.13.4 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.13.4
Update to Golang 1.13.3:
go1.13.3 (released 2019/10/17) includes fixes to the go command, the toolchain,
the runtime, syscall, net, net/http, and crypto/ecdsa packages. See the Go
1.13.3 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.13.3
Update to Golang 1.13.2:
go1.13.2 (released 2019/10/17) includes security fixes to the crypto/dsa
package and the compiler. See the Go 1.13.2 milestone on the issue tracker
for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.13.2
Update to Golang 1.13.1:
go1.13.1 (released 2019/09/25) includes security fixes to the
net/http and net/textproto packages. See the Go 1.13.1 milestone
on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.13.1
Update to Golang 1.13.0:
Full diff: https://github.com/golang/go/compare/go1.12.9...go1.13
Milestone: https://github.com/golang/go/milestone/83?closed=1
Today the Go team is very happy to announce the release of Go 1.13. You can get it
from the download page.
Some of the highlights include:
- The go command now downloads and authenticates modules using the Go module
mirror and Go checksum database by default (https://golang.org/doc/go1.13#introduction)
- Improvements to number literals (https://golang.org/doc/go1.13#language)
- Error wrapping (https://golang.org/doc/go1.13#error_wrapping)
- TLS 1.3 on by default (https://golang.org/doc/go1.13#tls_1_3)
- Improved modules support (https://golang.org/doc/go1.13#modules)
For the complete list of changes and more information about the improvements above,
see the Go 1.13 release notes: https://golang.org/doc/go1.13
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-11-08 13:26:59 -08:00
Sebastiaan van Stijn
15669a1d34
Update to Golang 1.12.13
go1.12.13 (released 2019/10/31) fixes an issue on macOS 10.15 Catalina
where the non-notarized installer and binaries were being rejected by
Gatekeeper. Only macOS users who hit this issue need to update.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-11-08 10:28:40 -08:00
Derek McGowan
66aa1d3ef6
Add snapshot walk implementations
Temporarily remove zfs and aufs until interface update
Signed-off-by: Derek McGowan <derek@mcgstyle.net>
2019-10-24 11:11:22 -07:00