This test has been flaky in GitHub Actions. This change logs the
values from devmapper to further investigate the issue.
Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
Use the existing `.Close()` method instead of implementing the same
logic in this function.
The defer sets `cios` to `nil` if an error occurred to preserve the
existing behavior.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The defer functions were checking the local variable, and would therefore
not be executed, as the function returned if an error occurred.
Perhaps best illustrated when renaming the local variables;
if fifos.Stdin != "" {
l, err1 := winio.ListenPipe(fifos.Stdin, nil)
if err1 != nil {
return nil, errors.Wrapf(err1, "failed to create stdin pipe %s", fifos.Stdin)
}
defer func(l net.Listener) {
if err1 != nil {
l.Close()
}
}(l)
// ...
}
if fifos.Stdout != "" {
l, err2 := winio.ListenPipe(fifos.Stdout, nil)
if err2 != nil {
return nil, errors.Wrapf(err2, "failed to create stdout pipe %s", fifos.Stdout)
}
defer func(l net.Listener) {
if err2 != nil {
l.Close()
}
}(l)
// ....
}
This patch changes the function to use a named return variable, and to use
a single `defer()` that closes all pipes.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This change is mostly defensive; when checking for the returned
error, it's easy to make a mistake, and check for a "local" error,
not the actual returned error.
This patch changes the function to use a named return variable,
which is checked in the defer.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
bump version 1.3.2 for gogo/protobuf due to CVE-2021-3121 discovered
in gogo/protobuf version 1.3.1, CVE has been fixed in 1.3.2
Signed-off-by: Aditi Sharma <adi.sky17@gmail.com>
`make vendor` did not do a `go mod tidy` after vendoring, whereas
CI does this as part of the vendor validation, causing CI to fail
if `make vendor` was used to update vendoring, without doing a
`go mod tidy` as well.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This was dumping untrusted output to the debug logs from user containers.
We should not dump this type of information to reduce log sizes and any
information leaks from user containers.
Signed-off-by: Michael Crosby <michael@thepasture.io>
The event monitor handles exit events one by one. If there is something
wrong about deleting task, it will slow down the terminating Pods. In
order to reduce the impact, the exit event watcher should handle exit
event separately. If it failed, the watcher should put it into backoff
queue and retry it.
Signed-off-by: Wei Fu <fuweid89@gmail.com>
btrfs plugin needs CGO support. However on riscv64, cgo
is only support on go1.16 (not released yet).
Instead of setting no_btrfs manually, adding a cgo tag tells
the compiler to skip it automatically.
Signed-off-by: Shengjing Zhu <zhsj@debian.org>
Go example:
```go
opts := []converter.Opt{
// convert Docker media types to OCI ones
converter.WithDocker2OCI(true),
// convert tar.gz layers to uncompressed tar layers
converter.WithLayerConvertFunc(uncompress.LayerConvertFunc),
}
srcRef := "example.com/foo:orig"
dstRef := "example.com/foo:converted"
dstImg, err = converter.Convert(ctx, client, dstRef, srcRef, opts...)
fmt.Println(dstImg.Target)
```
ctr example: `ctr images convert --oci --uncompress example.com/foo:orig example.com/foo:converted`
Go test: `go test -exec sudo -test.root -test.run TestConvert`
The implementation is from https://github.com/containerd/stargz-snapshotter/pull/224,
but eStargz-specific functions are not included in this PR.
eStargz converter can be specified by importing `estargz` package and using `WithLayerConvertFunc(estargz.LayerConvertFunc)` option.
This converter interface will be potentially useful for converting zstd and ocicrypt layers as well.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
These syscalls (some of which have been in Linux for a while but were
missing from the profile) fall into a few buckets:
* close_range(2), epoll_wait2(2) are just extensions of existing "safe
for everyone" syscalls.
* The mountv2 API syscalls (fs*(2), move_mount(2), open_tree(2)) are
all equivalent to aspects of mount(2) and thus go into the
CAP_SYS_ADMIN category.
* process_madvise(2) is similar to the other process_*(2) syscalls and
thus goes in the CAP_SYS_PTRACE category.
Co-authored-by: Aleksa Sarai <asarai@suse.de>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This changes platforms.Parse to hit /proc to look up CPU info only when
it's needed, instead of in init(). This makes the package a bit easier
for other packages to consume, especially clients that don't call
platforms.Parse or need to lookup CPU info.
Signed-off-by: Jason Hall <jasonhall@redhat.com>
* Currently we rely on making the UVMs sandbox.vhdx in the shim itself instead of this being
made by the snapshotter itself. This change adds a label that affects whether to create the UVMs
scratch layer in the snapshotter itself.
* Adds container scratch size customization. Before adding the computestorage calls
(vendored in with https://github.com/containerd/containerd/pull/4859) there was no way to make a containers
or UVMs scratch size less than the default (20 for containers and 10 for the UVM).
Signed-off-by: Daniel Canter <dcanter@microsoft.com>
`OnlyStrict()` returns a match comparer for a single platform.
Unlike `Only()`, `OnlyStrict()` does not match sub platforms.
So, "arm/vN" will not match "arm/vM" where M < N, and "amd64" will not also match "386".
`OnlyStrict()` matches non-canonical forms. So, "arm64" matches "arm/64/v8".
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
