Allow rootless containers with privileged to mount devices that are accessible
(ignore permission errors in rootless mode).
This patch updates oci.getDevices() to ignore access denied errors on sub-
directories and files within the given path if the container is running with
userns enabled.
Note that these errors are _only_ ignored on paths _under_ the specified path,
and not the path itself, so if `HostDevices()` is used, and `/dev` itself is
not accessible, or `WithDevices()` is used to specify a device that is not
accessible, an error is still produced.
Tests were added, which includes a temporary workaround for compatibility
with Go 1.16 (we could decide to skip these tests on Go 1.16 instead).
To verify the patch in a container:
docker run --rm -v $(pwd):/go/src/github.com/containerd/containerd -w /go/src/github.com/containerd/containerd golang:1.17 sh -c 'go test -v -run TestHostDevices ./oci'
=== RUN TestHostDevicesOSReadDirFailure
--- PASS: TestHostDevicesOSReadDirFailure (0.00s)
=== RUN TestHostDevicesOSReadDirFailureInUserNS
--- PASS: TestHostDevicesOSReadDirFailureInUserNS (0.00s)
=== RUN TestHostDevicesDeviceFromPathFailure
--- PASS: TestHostDevicesDeviceFromPathFailure (0.00s)
=== RUN TestHostDevicesDeviceFromPathFailureInUserNS
--- PASS: TestHostDevicesDeviceFromPathFailureInUserNS (0.00s)
=== RUN TestHostDevicesAllValid
--- PASS: TestHostDevicesAllValid (0.00s)
PASS
ok github.com/containerd/containerd/oci 0.006s
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The OCI image spec did a v1.0.2 security release for CVE-2021-41190, however
commit 09c9270fee, depends on MediaTypes that
have not yet been released by the OCI image-spec, so using current "main" instead.
full diff: 5ad6f50d62...693428a734
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Add file system options for config file, so that user can use
non-default file system parameters for the fs type of choice
Using file system options in config file overwrites the default
options already being used.
Signed-off-by: Alakesh Haloi <alakeshh@amazon.com>
Considering Windows 2004's EoL on the 14th of December, 2021,
this PR removes all periodic integration testing for 2004.
Signed-off-by: Nashwan Azhari <nazhari@cloudbasesolutions.com>
This change enables the TestVolumeOwnership on Windows. The test
assumes that the volume-ownership image is built on Windows, thus
ensuring that Windows file security info (ACLs and ownership info)
are attached to the C:\volumes\test_dir path.
Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
As like other integration tests, Windows integration tests should not
fail-fast. So developers can see whether an issue is platform-specific
or not.
Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
I noticed we were using some different versions of the same test
images, so changing them to be the same (can help with find/replace
if we need to update them).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
It seems that the default ACLs inherited from the parent folder
on Windows Server 2022, does not include "CREATOR OWNER" as it
does on Windows Server 2019. This sets explicit ACLs on test
files.
Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
GA for ws2022 github actions VMs launched a couple weeks ago so seems like
it's time to try out the CI on this new SKU.
This involved adding new ws2022 runs for the OS matrices in the CI, fixing up
a test in the platforms package and adding a mapping for the ws2022 container image in
integration/client.
Signed-off-by: Daniel Canter <dcanter@microsoft.com>
