Derek McGowan
129bdd7a3d
Merge pull request #1487 from crosbymichael/selinux
...
Add SELinux Support for CRI
2020-05-26 15:53:18 -07:00
Phil Estes
dea6229923
Merge pull request #1491 from thaJeztah/bump_selinux
...
vendor: opencontainers/selinux v1.5.2
2020-05-26 16:49:28 -04:00
Michael Crosby
72edf3016d
Use new SELinux APIs
...
This moves most of the API calls off of the `labels` package onto the root
selinux package. This is the newer API for most selinux operations.
Signed-off-by: Michael Crosby <michael@thepasture.io>
2020-05-26 15:18:46 -04:00
Sebastiaan van Stijn
0b3c7e1479
vendor: opencontainers/selinux v1.5.2
...
full diff: https://github.com/opencontainers/selinux/compare/v1.5.1...v1.5.2
- Implement FormatMountLabel unconditionally
Implementing FormatMountLabel in situations built without SELinux
should be possible; the context will be ignored if no SELinux is available.
- Remove potential race condition, where mcs label is freed
Theoretically if you do not change the MCS Label then we free it and two
commands later reserve it. If some other process was grabbing MCS Labels
at the same time, the other process could get the same label.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-05-26 16:30:35 +02:00
Mike Brown
a7ad3bc01f
add a registry auth tutorial
...
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
2020-05-22 15:39:30 -05:00
Maksym Pavlenko
4cbf59db82
Merge pull request #4279 from AkihiroSuda/ci-cgroup2
...
cgroup2 CI
2020-05-21 13:35:49 -07:00
Akihiro Suda
af131d7258
cgroup2 CI
...
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-05-22 01:15:12 +09:00
Derek McGowan
1c58c5d440
Merge pull request #4277 from lucaskanashiro/fix-build-on-riscv64
...
riscv64 arch does not support -buildmode=pie
2020-05-20 12:46:50 -07:00
Lucas Kanashiro
e34bf08e58
riscv64 arch does not support -buildmode=pie
...
Signed-off-by: Lucas Kanashiro <lucas.kanashiro@canonical.com>
2020-05-20 16:28:10 -03:00
Darren Shepherd
24209b91bf
Add MCS label support
...
Carry of #1246
Signed-off-by: Darren Shepherd <darren@rancher.com>
Signed-off-by: Michael Crosby <michael@thepasture.io>
2020-05-20 13:59:51 -05:00
Mike Brown
e10e07b50e
Merge pull request #1489 from mikebrow/ltag-scan-symlink-fixed
...
no longer need to skip /test header scan due to symlink
2020-05-20 10:44:09 -05:00
Derek McGowan
7ef3c0f47d
Merge pull request #4275 from estesp/fix-image-usage
...
Fix image usage calculation error
2020-05-20 08:35:05 -07:00
Phil Estes
0c9b05fa60
Fix image usage calculation error
...
Including snapshotter usage in total calculation should be gated by the
option `snapshotter` boolean.
Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
2020-05-20 08:44:05 -04:00
Mike Brown
cc54a9dca4
no longer need to skip /test due to symlink
...
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
2020-05-20 07:38:12 -05:00
Derek McGowan
84619ee998
Fix configurations with no server provided
...
When a server is specified at the top level, there is a bug
that prevents the keys from being checked properly.
When no server is provided, the server attempts to parse
with an empty host, leaving partial values and a defaulted
skip verify configuration.
Signed-off-by: Derek McGowan <derek@mcg.dev>
2020-05-19 19:16:50 -07:00
Derek McGowan
06b0cd45ba
Fix nil pointer errors
...
Signed-off-by: Derek McGowan <derek@mcg.dev>
2020-05-19 19:16:39 -07:00
Phil Estes
4e08c2de67
Merge pull request #4269 from KentaTada/remove-unused-syscall
...
seccomp: remove the unused query_module(2)
2020-05-19 11:14:31 -04:00
Kenta Tada
03755821d2
seccomp: remove the unused query_module(2)
...
query_module(2) is only in kernels before Linux 2.6.
Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>
2020-05-19 10:36:55 +09:00
Mike Brown
40071878d7
Merge pull request #1486 from thaJeztah/bump_golang_1.13.11
...
Bump Golang 1.13.11
2020-05-18 09:34:37 -05:00
Wei Fu
48ee0b348c
Merge pull request #1485 from thaJeztah/vendor_back_to_tags
...
vendor.conf: back to using tags
2020-05-18 22:31:59 +08:00
Sebastiaan van Stijn
8f02fe04d8
Bump Golang 1.13.11
...
full diff: https://github.com/golang/go/compare/go1.13.10...go1.13.11
go1.13.11 (released 2020/05/14) includes fixes to the compiler. See the Go 1.13.11
milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.13.11+label%3ACherryPickApproved
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-05-18 15:54:17 +02:00
Sebastiaan van Stijn
6096c0ebbb
vendor.conf: back to using tags
...
When I changed the vendor.conf format to use tags, many of the
dependencies didn't use tagged versions, and the column format
made the file slightly more consistent / easier to read.
With many dependencies moving to go modules, we see more deps
tagging releases, and we're now more actively trying to use
tagged releases for our dependencies.
With containerd/containerd changing the format to use tags as
default, it makes sense to do the same here as well (to allow
easier comparison of the vendor.conf files between repositories)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-05-18 15:44:42 +02:00
Phil Estes
d7c4bda3b1
Merge pull request #4264 from thaJeztah/seccomp_allow_clock_adjtime
...
seccomp: Whitelist `clock_adjtime`
2020-05-18 09:36:08 -04:00
Phil Estes
0f2b15b7af
Merge pull request #4261 from gaurav1086/fix_docker_data_race
...
docker: fix data race on err
2020-05-18 09:34:04 -04:00
Phil Estes
0814750023
Merge pull request #4262 from gaurav1086/fix_data_race_in_unpacker
...
unpacker: Fix data race and possible data corruption
2020-05-18 09:32:24 -04:00
Phil Estes
49db7dfcfb
Merge pull request #4260 from thaJeztah/bump_golang_1.13.11
...
Bump Golang 1.13.11
2020-05-18 09:24:14 -04:00
Mike Brown
dc81240a6d
Merge pull request #1484 from thaJeztah/bump_containerd
...
vendor: containerd/containerd v1.4.0-beta.0
2020-05-18 08:11:36 -05:00
Mike Brown
36ba7766fb
Merge pull request #1483 from thaJeztah/bump_cni
...
vendor: containerd/go-cni 0553354f0046ccd41a02e724826040491a3d8998
2020-05-18 08:04:16 -05:00
Stanislav Levin
5765991f2c
seccomp: Whitelist clock_adjtime
...
This only allows making the syscall. CAP_SYS_TIME is still required
for time adjustment (enforced by the kernel):
```
kernel/time/posix-timers.c:
1112 SYSCALL_DEFINE2(clock_adjtime, const clockid_t, which_clock,
1113 struct __kernel_timex __user *, utx)
...
1121 err = do_clock_adjtime(which_clock, &ktx);
1100 int do_clock_adjtime(const clockid_t which_clock, struct __kernel_timex * ktx)
1101 {
...
1109 return kc->clock_adj(which_clock, ktx);
1299 static const struct k_clock clock_realtime = {
...
1304 .clock_adj = posix_clock_realtime_adj,
188 static int posix_clock_realtime_adj(const clockid_t which_clock,
189 struct __kernel_timex *t)
190 {
191 return do_adjtimex(t);
kernel/time/timekeeping.c:
2312 int do_adjtimex(struct __kernel_timex *txc)
2313 {
...
2321 /* Validate the data before disabling interrupts */
2322 ret = timekeeping_validate_timex(txc);
2246 static int timekeeping_validate_timex(const struct __kernel_timex *txc)
2247 {
2248 if (txc->modes & ADJ_ADJTIME) {
...
2252 if (!(txc->modes & ADJ_OFFSET_READONLY) &&
2253 !capable(CAP_SYS_TIME))
2254 return -EPERM;
2255 } else {
2256 /* In order to modify anything, you gotta be super-user! */
2257 if (txc->modes && !capable(CAP_SYS_TIME))
2258 return -EPERM;
```
Fixes: moby/moby 40919
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-05-17 23:11:04 +02:00
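The commit message above makes a two-layer point that is easy to blur in practice: the seccomp profile only decides whether the syscall reaches the kernel, while the kernel's own `capable(CAP_SYS_TIME)` check in `timekeeping_validate_timex()` decides whether a write is honoured. The following is an added example, not containerd or kernel code, that restates that capability branch as a pure function and then probes the live `clock_adjtime(2)` so the two layers can be told apart by errno. It assumes a Linux build; the `ADJ_ADJTIME` and `ADJ_OFFSET_READONLY` bit values are taken from the kernel's uapi header because glibc only exposes their combinations, and the function names `needs_cap_sys_time` and `probe_clock_adjtime` are this example's own.

```c
#define _GNU_SOURCE
/*
 * Added example (not containerd or kernel code): mirror the CAP_SYS_TIME
 * gate that timekeeping_validate_timex() applies to clock_adjtime(2), then
 * probe the real syscall so seccomp filtering and the kernel capability
 * check can be distinguished by the errno that comes back.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/syscall.h>
#include <sys/timex.h>
#include <time.h>
#endif

/* Kernel-internal mode bits (include/uapi/linux/timex.h). glibc's
 * <sys/timex.h> only exposes their combinations ADJ_OFFSET_SINGLESHOT
 * (0x8001) and ADJ_OFFSET_SS_READ (0xa001), so define the parts here. */
#ifndef ADJ_OFFSET
#define ADJ_OFFSET 0x0001
#endif
#ifndef ADJ_OFFSET_READONLY
#define ADJ_OFFSET_READONLY 0x2000
#endif
#ifndef ADJ_ADJTIME
#define ADJ_ADJTIME 0x8000
#endif

/* Userspace restatement of the capability branch quoted from
 * kernel/time/timekeeping.c: 1 when the kernel will demand CAP_SYS_TIME
 * for this modes word, 0 when the call is a pure read. */
int needs_cap_sys_time(unsigned int modes)
{
    if (modes & ADJ_ADJTIME)            /* old-style adjtime() path */
        return (modes & ADJ_OFFSET_READONLY) ? 0 : 1;
    return modes ? 1 : 0;               /* "to modify anything ... super-user" */
}

/* Issue clock_adjtime(CLOCK_REALTIME, ...) with the given modes and return
 * 0 on success or the errno. How to read the result:
 *   EPERM/ENOSYS and needs_cap_sys_time()==0 -> the syscall itself is
 *                                               filtered (pre-fix seccomp)
 *   EPERM and needs_cap_sys_time()==1        -> syscall reached the kernel,
 *                                               CAP_SYS_TIME is missing
 *   0                                        -> allowed (and privileged,
 *                                               for a write)
 * On non-Linux builds the syscall does not exist; report ENOSYS. */
int probe_clock_adjtime(unsigned int modes)
{
#if defined(__linux__) && defined(SYS_clock_adjtime)
    struct timex tx;
    memset(&tx, 0, sizeof tx);
    tx.modes = modes;                   /* offset stays 0: a no-op write */
    if (syscall(SYS_clock_adjtime, CLOCK_REALTIME, &tx) < 0)
        return errno;
    return 0;                           /* kernel returned a TIME_* state */
#else
    (void)modes;
    return ENOSYS;
#endif
}

int main(void)
{
    struct { const char *name; unsigned int modes; } cases[] = {
        { "read NTP state (modes=0)",          0 },
        { "read adjtime (ADJ_OFFSET_SS_READ)",  ADJ_ADJTIME | ADJ_OFFSET_READONLY | ADJ_OFFSET },
        { "write offset (ADJ_OFFSET)",          ADJ_OFFSET },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        unsigned int m = cases[i].modes;
        /* Skip the write probe when privileged: as root it would actually
         * be applied (cancelling any in-progress slew), which is the very
         * thing the capability check exists to prevent for everyone else. */
        if (needs_cap_sys_time(m) && geteuid() == 0) {
            printf("%-38s needs CAP_SYS_TIME=1 result=skipped (running as root)\n",
                   cases[i].name);
            continue;
        }
        int err = probe_clock_adjtime(m);
        printf("%-38s needs CAP_SYS_TIME=%d result=%s\n", cases[i].name,
               needs_cap_sys_time(m), err ? strerror(err) : "ok");
    }
    return 0;
}
```

Run it once as an unprivileged user inside a container built with the pre-fix profile and once with the post-fix profile: under the old profile even the read-only probes fail, under the new one they succeed while the write probe still fails with EPERM from the kernel, which is exactly the property the commit relies on.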
Gaurav Singh
db74d3115e
unpacker: Fix data race and possible data corruption
...
Signed-off-by: Gaurav Singh <gaurav1086@gmail.com>
2020-05-17 10:55:52 -04:00
Gaurav Singh
2325182529
docker: fix data race on err
...
Signed-off-by: Gaurav Singh <gaurav1086@gmail.com>
2020-05-17 09:20:38 -04:00
Sebastiaan van Stijn
d07a71b97f
Bump Golang 1.13.11
...
full diff: https://github.com/golang/go/compare/go1.13.10...go1.13.11
go1.13.11 (released 2020/05/14) includes fixes to the compiler. See the Go 1.13.11
milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.13.11+label%3ACherryPickApproved
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-05-16 14:57:04 +02:00
Sebastiaan van Stijn
f9083f167a
vendor: containerd/containerd v1.4.0-beta.0
...
full diff: ed261720c8...v1.4.0-beta.0
Relevant changes:
- Replace errors.Cause() with errors.Is()
- Transfer error to ErrNotFound when killing a nonexistent container
- vendor: update containerd/cri, remove "docker/distribution" dependency
- vendor: containerd/continuity, containerd/fifo, containerd/go-runc
- vendor: opencontainers/go-digest v1.0.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-05-16 14:37:00 +02:00
Sebastiaan van Stijn
103785ea26
vendor: containerd/go-cni 0553354f0046ccd41a02e724826040491a3d8998
...
full diff: 0d360c50b1...0553354f00
- Add WithConfList opt for adding conf list from bytes
- Use Go modules instead of vndr
- Test on go1.13, 1.14, remove go1.12
- Update pkg/errors v0.9.1, switch to using errors.Is() instead of errors.Cause()
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-05-16 12:58:26 +02:00
Maksym Pavlenko
b7cf3c68e7
Merge pull request #4258 from estesp/codeql
...
Add CodeQL Analysis workflow
2020-05-15 10:05:21 -07:00
Phil Estes
0207b7ff0e
Enable running CodeQL on PRs that modify Action
...
Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
2020-05-15 12:51:48 -04:00
Phil Estes
5425067e8f
Merge pull request #4256 from mxpv/nightly_pr
...
Trigger nightly builds on pull request events
2020-05-15 12:38:26 -04:00
Justin Hutchings
1a06884f18
Add CodeQL Analysis workflow
...
Signed-off-by: Justin Hutchings <jhutchings1@github.com>
Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
2020-05-15 10:15:46 -04:00
Maksym Pavlenko
563964e9d5
Trigger nightly builds on pull request events
...
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
2020-05-14 18:39:32 -07:00
Mike Brown
82a602bf12
Merge pull request #1480 from mikebrow/remove-boilerplate
...
removing boilerplate test already replaced by project boiler check
2020-05-14 19:37:01 -05:00
Wei Fu
6312b52de5
Merge pull request #4245 from thaJeztah/remove_deprecated_dualstack
...
ConfigureHosts: remove deprecated DualStack option
2020-05-15 08:00:03 +08:00
Derek McGowan
32985949d4
Merge pull request #4242 from dmcgowan/1.4-beta
...
Add release notes for 1.4 beta
2020-05-14 16:20:50 -07:00
Mike Brown
3f0aa45453
removing boilerplate test replaced by projectboiler check
...
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
2020-05-14 17:52:12 -05:00
Derek McGowan
77ab0104e2
Add release notes for 1.4 beta
...
Signed-off-by: Derek McGowan <derek@mcg.dev>
2020-05-14 13:04:02 -07:00
Maksym Pavlenko
7fd23fe143
Merge pull request #4254 from thaJeztah/bump_go_digest
...
vendor: opencontainers/go-digest v1.0.0
2020-05-14 11:42:16 -07:00
Sebastiaan van Stijn
6eeed18cb4
vendor: opencontainers/go-digest v1.0.0
...
full diff: 28d3ccc31a...v1.0.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-05-14 18:49:49 +02:00
Derek McGowan
7207226e9d
Merge pull request #4253 from estesp/no-codecov-comment
...
Set codecov to not comment on PRs
2020-05-13 07:32:25 -07:00
Phil Estes
7cdacdda81
Set codecov to not comment on PRs
...
Until we totally remove codecov, this will keep it from commenting on
PRs but reports will still be available on codecov.io
Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
2020-05-13 09:19:42 -04:00
Phil Estes
f13ba8f2f2
Merge pull request #4247 from thaJeztah/bump_continuity
...
vendor: containerd/continuity, containerd/fifo, containerd/go-runc
2020-05-12 10:41:02 -04:00
Phil Estes
65df60b3c9
Merge pull request #4251 from thaJeztah/bump_cri
...
vendor: update containerd/cri, remove "docker/distribution" dependency
2020-05-12 09:49:22 -04:00