Samuel Karp
9aab446733
introspection: add support for deprecations
...
Deprecation warnings are retrieved from the warning service and
returned via the Server RPC.
Signed-off-by: Samuel Karp <samuelkarp@google.com>
2023-10-24 22:38:31 -07:00
Samuel Karp
57c897f10d
api/introspection: deprecation warnings in server
...
The Server RPC in the introspection service is extended to expose
deprecation warnings based on observed feature use in containerd.
Signed-off-by: Samuel Karp <samuelkarp@google.com>
2023-10-24 22:38:31 -07:00
Samuel Karp
240733ce2f
warning: new service for deprecations
...
Signed-off-by: Samuel Karp <samuelkarp@google.com>
2023-10-24 22:38:31 -07:00
Samuel Karp
aff5b809c5
deprecation: new package for deprecations
...
This package enumerates the known deprecations in the current version of
containerd. New deprecations should be added here, and old ones
removed.
Signed-off-by: Samuel Karp <samuelkarp@google.com>
2023-10-24 22:38:30 -07:00
Derek McGowan
f74ca32b89
Merge pull request #9290 from ktock/golangci-lint-1.55.0
...
ci: bump up golangci-lint to v1.55.0
2023-10-25 04:38:31 +00:00
Derek McGowan
d48ceb6065
Avoid TLS fallback when protocol is not ambiguous
...
The TLS fallback should only be used when the protocol is ambiguous due
to provided TLS configurations and defaulting to http. Do not add TLS
configurations when defaulting to http. When the port is 80 or will be
defaulted to 80, there is no protocol ambiguity and TLS fallback should
not be used.
Signed-off-by: Derek McGowan <derek@mcg.dev>
2023-10-24 20:27:19 -07:00
Derek McGowan
ed759bae32
Update go fuzz to directly instantiate server
...
Avoid importing the cmd libraries and create the server instance
directly from the server library.
Signed-off-by: Derek McGowan <derek@mcg.dev>
2023-10-24 20:20:41 -07:00
沈陵
09e40511af
fix bug that uses invalid token to retry fetching layer
...
Signed-off-by: frankyang <yyb196@gmail.com>
2023-10-25 10:30:24 +08:00
Phil Estes
fa4ae46b15
Merge pull request #9295 from dmcgowan/disable-windows-2019
...
Disable windows-2019 integration test temporarily
2023-10-25 01:41:31 +00:00
Derek McGowan
2fea521d0c
Disable windows-2019 integration test temporarily
...
Disable windows-2019 integration tests until mingw issue is fixed
Signed-off-by: Derek McGowan <derek@mcg.dev>
2023-10-24 15:50:08 -07:00
Kohei Tokunaga
9fc407d8cf
ci: bump up golangci-lint to v1.55.0
...
Signed-off-by: Kohei Tokunaga <ktokunaga.mail@gmail.com>
2023-10-24 10:34:02 +09:00
Derek McGowan
18c9e7ec4c
Merge pull request #9270 from fuweid/fix-sb-issues
...
pkg/cri: should ignore no sandbox bucket
2023-10-21 21:44:16 +00:00
Derek McGowan
788f7f248a
Merge pull request #9218 from fuweid/followup-idmapped
...
idmapped: use pidfd to avoid pid reuse issue
2023-10-20 17:34:02 +00:00
Derek McGowan
e973109c2d
Merge pull request #9233 from mxpv/tasks
...
Switch runc shim to task service v3 and fix restore
2023-10-20 17:26:31 +00:00
Derek McGowan
e3c3478cb6
Merge pull request #9279 from abel-von/remove-validate-mode
...
sandbox: remove ValidateMode as it is not used
2023-10-20 06:13:16 -07:00
Abel Feng
8b4f9656d2
sandbox: remove ValidateMode as it is not used
...
Signed-off-by: Abel Feng <fshb1988@gmail.com>
2023-10-20 16:02:13 +08:00
Wei Fu
337cc21719
pkg/cri: should ignore no sandbox bucket
...
The sandbox might be recovered from a v1.x release. It doesn't have
a metadata bucket. We should ignore the not-found error.
How to reproduce the issue:
```bash
➜ containerd git:(main) sudo ctr version
Client:
Version: 1.6.22
Revision: 8165feabfdfe38c65b599c4993d227328c231fca
Go version: go1.19.11
Server:
Version: 1.6.22
Revision: 8165feabfdfe38c65b599c4993d227328c231fca
UUID: be4216aa-8a2e-4305-9186-efeacd2d9a17
➜ containerd git:(main) cat /tmp/pod.json
{
    "metadata": {
        "name": "nginx-sandbox",
        "namespace": "default",
        "attempt": 1,
        "uid": "hdishd83djaidwnduwk28bcsb"
    },
    "log_directory": "/tmp",
    "linux": {
    }
}
➜ containerd git:(main) sudo crictl runp /tmp/pod.json
616ea1cc657c57e80abf74e707a8177878ac2ec1ab7c346b4adb7bc0fadf986e
➜ containerd git:(main) sudo crictl pods
POD ID          CREATED         STATE   NAME            NAMESPACE   ATTEMPT   RUNTIME
616ea1cc657c5   9 seconds ago   Ready   nginx-sandbox   default     1         (default)
➜ containerd git:(main) make BUILDTAGS=no_btrfs
➜ containerd git:(main) sudo PREFIX=/usr make install
+ install bin/ctr bin/containerd bin/containerd-stress bin/containerd-shim-runc-v2
➜ containerd git:(main) sudo systemctl restart containerd
➜ containerd git:(main) sudo ctr version
Client:
Version: v1.7.0-943-g980767551
Revision: 9807675518
Go version: go1.20.10
Server:
Version: v1.7.0-943-g980767551
Revision: 9807675518
UUID: be4216aa-8a2e-4305-9186-efeacd2d9a17
➜ containerd git:(main) sudo crictl stopp 616ea1cc657c5
Stopped sandbox 616ea1cc657c5
➜ containerd git:(main) sudo crictl rmp 616ea1cc657c5
E1019 14:03:37.885162 2052643 remote_runtime.go:295] "RemovePodSandbox from runtime service failed" err="rpc error: code = Unknown desc = failed to remove sandbox metadata from store: failed to delete sandbox \"616ea1cc657c57e80abf74e707a8177878ac2ec1ab7c346b4adb7bc0fadf986e\": bucket not found" podSandboxID="616ea1cc657c5"
removing the pod sandbox "616ea1cc657c5": rpc error: code = Unknown desc = failed to remove sandbox metadata from store: failed to delete sandbox "616ea1cc657c57e80abf74e707a8177878ac2ec1ab7c346b4adb7bc0fadf986e": bucket not found
```
Signed-off-by: Wei Fu <fuweid89@gmail.com>
2023-10-20 15:20:18 +08:00
Maksym Pavlenko
f90f80d9b3
Merge pull request #9254 from adisky/cri-streaming-from-k8s
...
Use staging k8s.io/kubelet/cri/streaming package
2023-10-19 12:32:12 -07:00
Maksym Pavlenko
f515cd5c55
Reorder fields when writing bootstrap params
...
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
2023-10-19 12:29:06 -07:00
Maksym Pavlenko
3d53fbe858
Fix CRI integration tests
...
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
2023-10-19 12:29:05 -07:00
Maksym Pavlenko
f76eaf5a6b
Fix 'not a directory' error when restoring bootstrap.json
...
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
2023-10-19 12:29:05 -07:00
Maksym Pavlenko
cf75cfa32c
Add more logs around shim restore
...
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
2023-10-19 12:29:04 -07:00
Maksym Pavlenko
8061cb0237
Save bootstrap.json instead of address file
...
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
2023-10-19 12:29:03 -07:00
Maksym Pavlenko
e03bf32b86
Switch runc to v3
...
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
2023-10-19 12:29:03 -07:00
Maksym Pavlenko
7a2d801d62
Expose shim instance version
...
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
2023-10-19 12:29:02 -07:00
Maksym Pavlenko
f66c46806a
Bridge task service v2
...
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
2023-10-19 12:29:01 -07:00
Maksym Pavlenko
daaf67662f
Switch runc shim to task v3
...
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
2023-10-19 12:28:59 -07:00
Maksym Pavlenko
f7af7fce8a
Merge pull request #9268 from dmcgowan/cri-sandbox-controller-initialization
...
Initialize sandbox controller list on CRI server creation
2023-10-19 10:38:18 -07:00
Derek McGowan
bb64e6a8ef
Initialize sandbox controller list on CRI server creation
...
Avoid calling out to the client to get a sandbox controller and instead
set up the list of controllers on initialization. This fixes a test
failure which does not set the client.
Signed-off-by: Derek McGowan <derek@mcg.dev>
2023-10-18 15:25:25 -07:00
Derek McGowan
9807675518
Merge pull request #8268 from abel-von/sandbox-plugin
...
Sandbox: make sandbox controller plugin
2023-10-18 10:16:10 -07:00
Aditi Sharma
03d81f595f
Use cri streaming pkg from k8s staging
...
Use staging k8s.io/kubelet/cri/streaming package
Signed-off-by: Aditi Sharma <adi.sky17@gmail.com>
2023-10-18 09:14:28 +05:30
Fu Wei
dc7dba9c20
Merge pull request #9239 from jiangliu/cri-multi-snapshotters
...
CRI: use (snapshotter_id, snapshot_key) to uniquely identify snapshots
2023-10-18 09:30:55 +08:00
Maksym Pavlenko
8e62cfcf89
Merge pull request #9253 from dmcgowan/add-proxy-diff-exports
...
Add exports to proxy plugin config
2023-10-17 15:34:41 -07:00
Maksym Pavlenko
bb27db4970
Merge pull request #8736 from dcantah/testcontainerpids-windows
...
Integration: Alter TestContainerPids for Windows
2023-10-17 13:26:13 -07:00
Maksym Pavlenko
5b8f401bab
Merge pull request #9255 from thaJeztah/update_image_spec
...
replace some hardcoded strings with ocispec consts
2023-10-17 11:53:02 -07:00
Sebastiaan van Stijn
b006f1c159
integration/client: replace hardcoded strings for OCI-spec consts
...
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-17 17:53:24 +02:00
Sebastiaan van Stijn
d3f5e0c90e
images/archive: replace hardcoded strings for OCI-spec consts
...
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-17 17:53:21 +02:00
Akihiro Suda
562d2998ab
Merge pull request #9251 from ktock/image-spec-v1.1.0-rc5
...
go.mod: bump up github.com/opencontainers/image-spec to v1.1.0-rc5
2023-10-18 00:51:31 +09:00
Jiang Liu
8e7c10c6d0
CRI: enhance ImageFsInfo() to support multiple snapshotters
...
Enhance cri/server/image/imagefs_info.go:ImageFsInfo() to support
snapshotter per runtime. Now `ImageFsInfoResponse.ImageFilesystems` may
contain multiple entries.
Signed-off-by: Jiang Liu <gerry@linux.alibaba.com>
2023-10-17 17:38:18 +08:00
Samuel Karp
423c7ad4fe
Merge pull request #9211 from UiPath/use-loop-configure
2023-10-16 23:40:58 -07:00
Derek McGowan
e4639ad18b
Add exports to proxy plugin config
...
Allows external plugins to define exports.
Signed-off-by: Derek McGowan <derek@mcg.dev>
2023-10-16 21:25:57 -07:00
Kohei Tokunaga
3986f80c35
go.mod: bump up github.com/opencontainers/image-spec to v1.1.0-rc5
...
Release note: https://github.com/opencontainers/image-spec/releases/tag/v1.1.0-rc5
Signed-off-by: Kohei Tokunaga <ktokunaga.mail@gmail.com>
2023-10-17 10:19:55 +09:00
Derek McGowan
aef2ebc76a
Merge pull request #9250 from thaJeztah/bump_x_net
...
vendor: golang.org/x/net v0.17.0
2023-10-16 15:42:53 -07:00
Kazuyoshi Kato
14c50204e1
Merge pull request #9247 from thaJeztah/bump_grpc
...
vendor: google.golang.org/grpc v1.57.1
2023-10-16 14:48:01 -07:00
Sebastiaan van Stijn
f7c9e99422
vendor: golang.org/x/net v0.17.0
...
full diff: https://github.com/golang/text/compare/v0.13.0...v0.17.0
This fixes the same CVE as go1.21.3 and go1.20.10;
- net/http: rapid stream resets can cause excessive work
A malicious HTTP/2 client which rapidly creates requests and
immediately resets them can cause excessive server resource consumption.
While the total number of requests is bounded to the
http2.Server.MaxConcurrentStreams setting, resetting an in-progress
request allows the attacker to create a new request while the existing
one is still executing.
HTTP/2 servers now bound the number of simultaneously executing
handler goroutines to the stream concurrency limit. New requests
arriving when at the limit (which can only happen after the client
has reset an existing, in-flight request) will be queued until a
handler exits. If the request queue grows too large, the server
will terminate the connection.
This issue is also fixed in golang.org/x/net/http2 v0.17.0,
for users manually configuring HTTP/2.
The default stream concurrency limit is 250 streams (requests)
per HTTP/2 connection. This value may be adjusted using the
golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams
setting and the ConfigureServer function.
This is CVE-2023-39325 and Go issue https://go.dev/issue/63417 .
This is also tracked by CVE-2023-44487.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-16 21:50:24 +02:00
Sebastiaan van Stijn
c3652540c7
vendor: golang.org/x/text v0.13.0
...
full diff: https://github.com/golang/text/compare/v0.11.0...v0.13.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-16 21:48:18 +02:00
Sebastiaan van Stijn
ff602c2133
vendor: golang.org/x/sys v0.13.0
...
full diff: https://github.com/golang/sys/compare/v0.10.0...v0.13.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-16 21:47:15 +02:00
Sebastiaan van Stijn
39b168cdb7
vendor: google.golang.org/grpc v1.57.1
...
server: prohibit more than MaxConcurrentStreams handlers from running at once
(CVE-2023-44487).
In addition to this change, applications should ensure they do not leave running
tasks behind related to the RPC before returning from method handlers, or should
enforce appropriate limits on any such work.
- https://github.com/grpc/grpc-go/compare/v1.57.0...v1.57.1
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-16 20:50:18 +02:00
Maksym Pavlenko
eb9ce4fd64
Merge pull request #9246 from GoodDaisy/main
...
Fix typos
2023-10-16 09:04:54 -07:00
Daisy Rong
930ee552e0
Fix typos
...
Signed-off-by: Daisy Rong <zrong0405@gmail.com>
2023-10-16 22:14:09 +08:00