golang.org/x/net contains a fix for CVE-2022-41717, which was addressed
in stdlib in go1.19.4 and go1.18.9;
> net/http: limit canonical header cache by bytes, not entries
>
> An attacker can cause excessive memory growth in a Go server accepting
> HTTP/2 requests.
>
> HTTP/2 server connections contain a cache of HTTP header keys sent by
> the client. While the total number of entries in this cache is capped,
> an attacker sending very large keys can cause the server to allocate
> approximately 64 MiB per open connection.
>
> This issue is also fixed in golang.org/x/net/http2 v0.4.0,
> for users manually configuring HTTP/2.
full diff: https://github.com/golang/net/compare/c63010009c80...v0.4.0
other dependency updates (due to (circular) dependencies between them):
- golang.org/x/sys v0.3.0: https://github.com/golang/sys/compare/v0.2.0...v0.3.0
- golang.org/x/term v0.3.0: https://github.com/golang/term/compare/v0.1.0...v0.3.0
- golang.org/x/text v0.5.0: https://github.com/golang/text/compare/v0.4.0...v0.5.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Add a common NRI 'service' plugin. It takes care of relaying
requests and respones to and from NRI (external NRI plugins)
and the high-level containerd namespace-independent logic of
applying NRI container adjustments and updates to actual CRI
and other containers.
The namespace-dependent details of the necessary container
manipulation operations are to be implemented by namespace-
specific adaptations. This NRI plugin defines the API which
such adaptations need to implement.
Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
This was updated in 470d3ee057, but we
only needed the ebpf update. As nothing depends on this module anymore,
other than for the stats package (which didn't change in between), we
can (for now) roll it back to v1.0.4, and just force the newer ebpf
package.
Things rolled back (doesn't affect vendored code);
https://github.com/containerd/cgroups/compare/7083cd60b721..v1.0.4
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
go.mod doesn't always do a great job on keeping the dependencies grouped in the
right block; 2b60770c4b added an extra "require"
block, after which things went downward.
This patch is grouping them back in the right block to nudge it in the right
direction.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Swagat Bora <sbora@amazon.com>
Add spans around image unpack operations
Use image.ref to denote image name and image.id for the image config digest
Add top-level spand and record errors in the CRI instrumentation service
- fix "nolint" comments to be in the correct format (`//nolint:<linters>[,<linter>`
no leading space, required colon (`:`) and linters.
- remove "nolint" comments for errcheck, which is disabled in our config.
- remove "nolint" comments that were no longer needed (nolintlint).
- where known, add a comment describing why a "nolint" was applied.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
ArgsEscaped has now been merged into upstream OCI image spec.
This change removes the workaround we were doing in containerd
to deserialize the extra json outside of the spec and instead
just uses the formal spec types.
Signed-off-by: Justin Terry <jlterry@amazon.com>
Some minor improvements, but biggest for here is ErrPipeListenerClosed
is no longer an errors.New where the string matches the text of the now
exported net.ErrClosed in the stdlib, but is just assigned to net.ErrClosed
directly. This should allow us to get rid of the string check for "use of closed
network connection" here now..
Signed-off-by: Daniel Canter <dcanter@microsoft.com>
For some shims (namely github.com/cpuguy83/containerd-shim-systemd-v1),
the shim cgroup test doesn't make sense since there is only a single
shim process for the entire node.
I use these integration tests to make sure the shim is compatible with
the runc shims and generally works as expected. This will let me skip
the shim cgroup test as there is no process for the shim to stick into
the cgroup... mostly.
There is a bootstrap process as well as a PTY copier proces which do use
the shim cgroup if provided, but the test is not able to check for
those (unless we enable tty on the test, which is a bit arbitrary and
not useful).
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
github.com/AdaLogics/go-fuzz-headers and
github.com/AdamKorcz/go-118-fuzz-build have less dependencies in
the last versions.
Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
ForceRemoveAll was only used in tests/fuzzing, but added hcsshim as dependency
for the sys package. Moving this to integration/client makes the "sys" package
slightly more lightweight, and may help simplifying dependency-management.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
These functions were originally copied from the docker / moby repository in
4a7a8efc2d. Migrating these functions to use the
github.com/moby/sys/sequential module allows them being shared between moby,
docker/cli, and containerd, and to allow using them without importing all of sys
which also depends on hcsshim and more.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This contains quite a bit (also bumps google/uuid to 1.3.0). Some HostProcess
container improvements to get ready for whenever it goes to stable in
Kubernetes, Hyper-V (windows) container support for CRI, and a plethora of
other small additions and fixes.
Signed-off-by: Daniel Canter <dcanter@microsoft.com>
This tag contains some fixes for hostprocess containers, mainly around
fixing task stats which regressed from a change in v0.9.3.
https://github.com/microsoft/hcsshim/releases/tag/v0.9.4
Signed-off-by: Daniel Canter <dcanter@microsoft.com>
This tag brings in a new field to fix an HNS issue in ws2019 as well as
an optimization for collecting Windows stats (memory, cpu, iops).
Signed-off-by: Daniel Canter <dcanter@microsoft.com>
`ioutil` has been deprecated by golang. All the code in `ioutil` just
forwards functionality to code in either the `io` or `os` packages.
See https://github.com/golang/go/pull/51961 for more info.
Signed-off-by: Jeff Widman <jeff@jeffwidman.com>
This version contains the CRI changes for user namespaces support.
Future patches will use the new fields in the CRI.
Updating the module without using the new fields doesn't cause any
behaviour change.
Updates: #7063
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
The regression in v1.22.2 has been resolved, so we can drop the
replace rule and use the latest v1.22.x version.
full diff: https://github.com/urfave/cli/compare/v1.22.1...v1.22.9
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
These tests are launching containerd and pulling busybox there, while
other tests are using busybox from TestMain().
This commit shares busybox at least between TestRestartMonitor and
TestRestartMonitorWithOnFailurePolicy to reduce the chance of
throttling from ghcr.io.
Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
This test tends to fail under Cirrus CI + Vagrant. Skipping for now
since running the test on GitHub Actions would be suffice.
Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
This commit hides types.Any from the diff package's interface. Clients
(incl. imgcrypt) shouldn't aware about gogo/protobuf.
Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
This commit upgrades github.com/containerd/typeurl to use typeurl.Any.
The interface hides gogo/protobuf/types.Any from containerd's Go client.
Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
- Upgrade github.com/containerd/imgcrypt to prepare for typeurl upgrade
(see https://github.com/containerd/imgcrypt/pull/72)
- Upgrade github.com/opencontainers/image-spec since imgcrypto needs at
least 1.0.2.
Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
full diff: 32db794688...3147a52a75
This version contains a fix for CVE-2022-27191 (not sure if it affects us).
From the golang mailing list:
Hello gophers,
Version v0.0.0-20220315160706-3147a52a75dd of golang.org/x/crypto/ssh implements
client authentication support for signature algorithms based on SHA-2 for use with
existing RSA keys.
Previously, a client would fail to authenticate with RSA keys to servers that
reject signature algorithms based on SHA-1. This includes OpenSSH 8.8 by default
and—starting today March 15, 2022 for recently uploaded keys.
We are providing this announcement as the error (“ssh: unable to authenticate”)
might otherwise be difficult to troubleshoot.
Version v0.0.0-20220314234659-1baeb1ce4c0b (included in the version above) also
fixes a potential security issue where an attacker could cause a crash in a
golang.org/x/crypto/ssh server under these conditions:
- The server has been configured by passing a Signer to ServerConfig.AddHostKey.
- The Signer passed to AddHostKey does not also implement AlgorithmSigner.
- The Signer passed to AddHostKey does return a key of type “ssh-rsa” from its PublicKey method.
Servers that only use Signer implementations provided by the ssh package are
unaffected. This is CVE-2022-27191.
Alla prossima,
Filippo for the Go Security team
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The directory created by `T.TempDir` is automatically removed when the
test and all its subtests complete.
Reference: https://pkg.go.dev/testing#T.TempDir
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
Using a bytes buffer for this test increases the memory usage on Windows
to over 3 GB. Using a temporary file as a destination for the image
keeps memory usage at a reasonable level.
Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
Windows needs a bit more time to finish the restarting containerd. With
the current 2 second timeout, we run the risk of exceeding that
deadline.
Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
full diff: https://github.com/emicklei/go-restful/compare/v2.9.5...v3.7.3
- Switch to using go modules
- Add check for wildcard to fix CORS filter
- Add check on writer to prevent compression of response twice
- Add OPTIONS shortcut WebService receiver
- Add Route metadata to request attributes or allow adding attributes to routes
- Add wroteHeader set
- Enable content encoding on Handle and ServeHTTP
- Feat: support google custom verb
- Feature: override list of method allowed without content-type
- Fix Allow header not set on '405: Method Not Allowed' responses
- Fix Go 1.15: conversion from int to string yields a string of one rune
- Fix WriteError return value
- Fix: use request/response resulting from filter chain
- handle path params with prefixes and suffixes
- HTTP response body was broken, if struct to be converted to JSON has boolean value
- List available representations in 406 body
- Support describing response headers
- Unwrap function in filter chain + remove unused dispatchWithFilters
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/fsnotify/fsnotify/compare/v1.4.9...v1.5.1
Relevant changes:
- Fix unsafe pointer conversion
- Drop support/testing for Go 1.11 and earlier
- Update x/sys to latest
- add //go:build lines
- add go 1.17 to test matrix
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
With the release of hcsshim v0.9.2, this test should pass without
issues on Windows.
Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
ShimV2 has shim.Delete command to cleanup task's temporary resource,
like bundle folder. Since the shim server exits and no persistent store
is for task's exit code, the result of shim.Delete is always 137 exit
code, like the task has been killed.
And the result of shim.Delete can be used as task event only when the
shim server is killed somehow after container is running. Therefore,
dockerd, which watches task exit event to update status of container,
can report correct status.
Back to the issue #6429, the container is not running because the
entrypoint is not found. Based on this design, we should not send
137 exitcode event to subscriber.
This commit is aimed to remove shim instance first and then the
`cleanupAfterDeadShim` should not send event.
Similar Issue: #4769Fix#6429
Signed-off-by: Wei Fu <fuweid89@gmail.com>
The build number used to determine whether we need to pull the Windows
Server 2022 image for the integration tests was previously hardcoded as there
wasn't an hcsshim release with the build number. Now that there is and it's
vendored in, this change just swaps to it.
Signed-off-by: Daniel Canter <dcanter@microsoft.com>
This tag brings in some bug fixes related to waiting for containers to terminate and
trying to kill an already terminated process, as well as tty support (exec -it) for
Windows Host Process Containers.
Signed-off-by: Daniel Canter <dcanter@microsoft.com>
This is a effective revert of 294143bf38
The one thing that makes it not a total revert is this keeps the usage
of chain interceptors, which prevents us from overwriting interceptors
passed into client options.
The automatic trace injection is unnecessary overhead since callers of
this function can add the necessary interceptors when creating the
client.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
The global &daemon{} object only gets an address assigned if you call
start() on it, which only gets called if you don't pass no-daemon. The
aftermath of this is that running the integration tests with no-daemon
just has them fail trying to create a client for containerd.
This change just assigns whatever address is passed to the binary even in
the no-daemon case so you can run the integration tests against an already
running containerd instance.
Signed-off-by: Daniel Canter <dcanter@microsoft.com>
OCI hooks aren't implemented on Windows. The test will, and has been,
actuallyrunning fine on Windows because the Github runners seem to have
a 'ps' binary in the users PATH, but there's not any actual hook
functionality being tested as any of the OCI fields are ignored for
Windows containers.
Signed-off-by: Daniel Canter <dcanter@microsoft.com>
Skip this test until this error can be evaluated and the appropriate
test fix or environment configuration can be determined.
Signed-off-by: Derek McGowan <derek@mcg.dev>
The OCI image spec did a v1.0.2 security release for CVE-2021-41190, however
commit 09c9270fee, depends on MediaTypes that
have not yet been released by the OCI image-spec, so using current "main" instead.
full diff: 5ad6f50d62...693428a734
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
GA for ws2022 github actions VMs launched a couple weeks ago so seems like
it's time to try out the CI on this new SKU.
This involved adding new ws2022 runs for the OS matrices in the CI, fixing up
a test in the platforms package and adding a mapping for the ws2022 container image in
integration/client.
Signed-off-by: Daniel Canter <dcanter@microsoft.com>
With the ghcr images now built and working, switch over to
use these new images and update the default name.
Signed-off-by: Derek McGowan <derek@mcg.dev>
This change skips the TestExportAndImportMultiLayer in integration/client
for the time being. It seems the image was updated recently and no longer
has a Windows entry in the manifest so the test will always fail. This should
be reverted when we figure out what happened to the image, but this is to
unblock PRs for the time being.
Signed-off-by: Daniel Canter <dcanter@microsoft.com>
This tag contains some changes for the Windows shim for retrying
stdio named pipe connections if containerd restarts. It also is built with v1.1.0 of
ttrpc which has some fixes for a deadlock we'd observed on Windows.
Signed-off-by: Daniel Canter <dcanter@microsoft.com>
This tag contains a fix for a deadlock observed when there are multiple
simultaneous requests from the same client connection.
Signed-off-by: Daniel Canter <dcanter@microsoft.com>
Use the time for the last non-running status to determine
whether the restart did not occur as expected. The
current timestamp only accounts for when the running
status was seen, however, the restart would have always
occurred in between the previous check and latest check.
Therefore, it makes more sense to use the previous check
to determine whether a failure was seen from the restart
monitor not restarting as expected.
Signed-off-by: Derek McGowan <derek@mcg.dev>
* Bump k8s.io/cri-api to latest version - v0.23.0-alpha.4
* Vendor github.com/vishvananda/netlink for network stats
Signed-off-by: David Porter <porterdavid@google.com>
restart monitor test was failing due to occasionally taking past the
deadline on windows tests. Add a small additional grace period to
deflake the test.
Signed-off-by: David Porter <porterdavid@google.com>
Some of the tests that are currently running only on Linux can be made
to run on Windows with a few changes.
Signed-off-by: Claudiu Belu <cbelu@cloudbasesolutions.com>
Some of the tests in containerd/integration/client/ are not
currently being run on Windows, even though they can pass.
Signed-off-by: Claudiu Belu <cbelu@cloudbasesolutions.com>
This update will allow us to forcefully delete a Windows sandbox if its
endpoint cannot be found anymore.
Fixes: #6135
Signed-off-by: Claudiu Belu <cbelu@cloudbasesolutions.com>
The mount package of darwin requires to retrive mountinfo to check if
the target of unmount if still mounted or not. Thus pull the upstreamed
version of moby/sys to support this operation.
Signed-off-by: Hajime Tazaki <thehajime@gmail.com>
This fixes the issue with the usage of the deprecated attribute.Any
function that original caused build issues.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Currently uncompress converter only supports gzip. This commit fixes it to
support zstd as well.
Signed-off-by: Kohei Tokunaga <ktokunaga.mail@gmail.com>
This test will make sure there aren't any issues with multilayered
images during import. Keep in mind that in the case of multilayered
images, they have to be unpacked first in order to be usable.
Signed-off-by: Claudiu Belu <cbelu@cloudbasesolutions.com>
The io/ioutil package has been deprecated as of Go 1.16, see
https://golang.org/doc/go1.16#ioutil. This commit replaces the existing
io/ioutil functions with their new definitions in io and os packages.
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
During import, if an image does not match the host's platform,
it won't have any children labels set, which will result in the
Garbage Collector deleting its content later, resulting in an
unusable image. In this case, we should fail early.
This can still be bypassed by using ctr import --all-platforms.
Signed-off-by: Claudiu Belu <cbelu@cloudbasesolutions.com>
This picks a fix to properly handle images containing symlinks
inside which point to an unexisting file.
Signed-off-by: Hajime Tazaki <thehajime@gmail.com>
This version brings in some bug fixes to layer handling. The actual fix isn't
present in the diff as it's not used here, but the Windows shim is built from
the tag present in go.mod, so the fix will be in the Windows shim on a new release
of Containerd if this tag is in.
Signed-off-by: Daniel Canter <dcanter@microsoft.com>
With the introduction of Windows Server 2022, some images have been updated
to support WS2022 in their manifest list. This commit updates the test images
accordingly.
Signed-off-by: Adelina Tuvenie <atuvenie@cloudbasesolutions.com>
Go 1.15.7 contained a security fix for CVE-2021-3115, which allowed arbitrary
code to be executed at build time when using cgo on Windows. This issue also
affects Unix users who have “.” listed explicitly in their PATH and are running
“go get” outside of a module or with module mode disabled.
This issue is not limited to the go command itself, and can also affect binaries
that use `os.Command`, `os.LookPath`, etc.
From the related blogpost (ttps://blog.golang.org/path-security):
> Are your own programs affected?
>
> If you use exec.LookPath or exec.Command in your own programs, you only need to
> be concerned if you (or your users) run your program in a directory with untrusted
> contents. If so, then a subprocess could be started using an executable from dot
> instead of from a system directory. (Again, using an executable from dot happens
> always on Windows and only with uncommon PATH settings on Unix.)
>
> If you are concerned, then we’ve published the more restricted variant of os/exec
> as golang.org/x/sys/execabs. You can use it in your program by simply replacing
This patch replaces all uses of `os/exec` with `golang.org/x/sys/execabs`. While
some uses of `os/exec` should not be problematic (e.g. part of tests), it is
probably good to be consistent, in case code gets moved around.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/pelletier/go-toml/compare/v1.8.1...v1.9.3
- v1.9.3: Clarify license and comply with Apache 2.0
- v1.9.2: Add Encoder.CompactComments to omit extra new line
- v1.9.1: Fix empty trees line counting
v1.9.0
-------------------
The highlight of this version is that the whole toml.Tree structure has been made
public in a backward compatible way. This allows everyone using v1.x to fully
access the data and metadata in the tree to extend the library.
This is hopefully the last release in the v1.x track, as go-toml v2 is the main
focus of development.
What's new
- TOML 1.0.0-rc.3
- Improved default tag for durations
- Provide Tree and treeValue public aliases
- Expose MarshalOrder
- Value string representation public function
Fixed bugs
- Do not allow T-prefix on local dates
- toml.Unmarshaler supports leaf nodes
- Fix date lexer to only support 4-digit year
- Fix ToMap for tables in mixed-type arrays
- Fix ToMap for tables in nested mixed-type arrays
- Support literal multiline marshal
Performance
- Remove date regexp
- Remove underscore regexps
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- task.Kill() might fail in theory
- Giving a longer timeout may help us understand whether the failure is
a timing issue or not.
Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
