github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity
13,800 Commits 3 Branches 2 Tags 112 MiB
93690baf4e
Commit Graph

895 Commits

Author SHA1 Message Date
Henry Wang
0d76fe5c1d Fix some assertions for integ tests 
Signed-off-by: Henry Wang <henwang@amazon.com>
 2023-10-02 17:14:27 +00:00
Bjorn Neergaard
79acce4621
integration: use mediatype helpers 
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
 2023-09-27 13:12:54 -06:00
Sebastiaan van Stijn
4b1bb1293e
remove github.com/opencontainers/runc dependency 
This migrates uses of github.com/opencontainers/runc/libcontainer/user
to the new github.com/moby/sys/user module, which was extracted from
runc at commit [opencontainers/runc@a3a0ec48c4].

This is the initial release of the module, which is a straight copy, but
some changes may be made in the next release (such as fixing camel-casing
in some fields and functions (Uid -> UID).

[opencontainers/runc@a3a0ec48c4]: a3a0ec48c4

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2023-09-27 17:34:28 +02:00
Derek McGowan
4c344f2fa5
Add warning for plugin configs with unknown fields 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2023-09-25 16:09:15 -07:00
Derek McGowan
650148313c
Add warning log for unknown config fields 
Add error log for failure to parse toml

Signed-off-by: Derek McGowan <derek@mcg.dev>
 2023-09-24 20:50:54 -07:00
Derek McGowan
b5615caf11
Update go-toml to v2 
Updates host file parsing to use new v2 method rather than the removed
toml.Tree.

Signed-off-by: Derek McGowan <derek@mcg.dev>
 2023-09-22 15:35:12 -07:00
Derek McGowan
2f1b92710a
Update zfs library to use new log repository 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2023-09-22 07:53:23 -07:00
Derek McGowan
508aa3a1ef
Move to use github.com/containerd/log 
Add github.com/containerd/log to go.mod

Signed-off-by: Derek McGowan <derek@mcg.dev>
 2023-09-22 07:53:23 -07:00
Sebastiaan van Stijn
d69ae811d6
alias log package to github.com/containerd/log v0.1.0 
This "soft" deprecates the package, but keeps the local uses of the package,
which can make backporting this to release-branches easier (we can
still move all uses in those branches as well though).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2023-09-19 08:44:10 +02:00
Sebastiaan van Stijn
8cbb4ea5d3
vendor: github.com/containerd/nri v0.5.0 
This version no longer has a dependency on containerd, cutting
down the number of circular dependencies.

full diff: https://github.com/containerd/nri/compare/v0.4.0...v0.5.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2023-09-16 10:40:21 +02:00
Fu Wei
fe17f65159
Merge pull request #8287 from kinvolk/rata/userns-stateless-idmap 
Add support for userns in stateless and stateful pods with idmap mounts (KEP-127, k8s >= 1.27)
 2023-09-14 18:14:02 +08:00
Rodrigo Campos
2e13d39546 pkg/process: Only use idmap mounts if runc supports it 
runc, as mandated by the runtime-spec, ignores unknown fields in the
config.json. This is unfortunate for cases where we _must_ enable that
feature or fail.

For example, if we want to start a container with user namespaces and
volumes, using the uidMappings/gidMappings field is needed so the
UID/GIDs in the volume don't end up with garbage. However, if we don't
fail when runc will ignore these fields (because they are unknown to
runc), we will just start a container without using the mappings and the
UID/GIDs the container will persist to volumes the hostUID/GID, that can
change if the container is re-scheduled by Kubernetes.

This will end up in volumes having "garbage" and unmapped UIDs that the
container can no longer change. So, let's avoid this entirely by just
checking that runc supports idmap mounts if the container we are about
to create needs them.

Please note that the "runc features" subcommand is only run when we are
using idmap mounts. If idmap mounts are not used, the subcommand is not
run and therefore this should not affect containers that don't use idmap
mounts in any way.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
 2023-09-13 16:44:54 +02:00
Rodrigo Campos
fce1b95076 go.mod: Update runtime spec to include features.MountExtensions 
Future patches will use that field.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
 2023-09-13 16:44:54 +02:00
Rodrigo Campos
e832605a80 integration: Simplify WithVolumeMount() 
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
 2023-09-13 16:44:54 +02:00
Rodrigo Campos
24aa808fe2 integration: Add userns test with volumes 
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
 2023-09-13 16:44:54 +02:00
Phil Estes
0f52935a53
Merge pull request #9088 from samuelkarp/nri 
vendor: update github.com/containerd/nri@v0.4.0
 2023-09-13 10:26:02 -04:00
Samuel Karp
39804bc3f0
Merge pull request #8909 from liggitt/fieldmask 2023-09-13 00:33:44 -07:00
Samuel Karp
9656b8c0d0
nri: update mock plugin handlers 
Signed-off-by: Samuel Karp <samuelkarp@google.com>
 2023-09-12 17:51:27 -07:00
Samuel Karp
6f9de91efc
vendor: update github.com/containerd/nri@v0.4.0 
Signed-off-by: Samuel Karp <samuelkarp@google.com>
 2023-09-12 16:41:05 -07:00
Sebastiaan van Stijn
05093d7c07
vendor: github.com/cncf-tags/container-device-interface v0.6.1 
Removes uses of the github.com/opencontainers/runc/libcontainer/devices
package.

full diff: https://github.com/cncf-tags/container-device-interface/compare/v0.6.0...v0.6.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2023-09-08 13:53:43 +02:00
Jordan Liggitt
55b2df560f
go.mod: github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.2 
Signed-off-by: Jordan Liggitt <liggitt@google.com>
 2023-09-07 16:53:10 -04:00
Derek McGowan
b11439fc4b
Merge pull request #9034 from thaJeztah/replace_reference 
replace reference/docker for github.com/distribution/reference v0.5.0
 2023-09-05 06:52:29 -07:00
Akihiro Suda
0ee2433c94
Merge pull request #5890 from artqzn/idmapped_mounts 
RFC: Initial support of idmapped mount points
 2023-09-05 20:41:05 +09:00
Akihiro Suda
e30a40eb65
Merge pull request #9016 from djdongjin/remove-most-logrus 
Remove most logrus import
 2023-09-05 16:09:12 +09:00
Ilya Hanov
9d01ed1c32 integration: add test for idmapped mounts 
Signed-off-by: Alexey Perevalov <alexey.perevalov@huawei.com>
Signed-off-by: Ilya Hanov <ilya.hanov@huawei-partners.com>
 2023-09-05 01:23:30 +03:00
Sebastiaan van Stijn
9bc6441c21
vendor: github.com/google/uuid v1.3.1 
Contains some performance improvements:

full diff: https://github.com/google/uuid/compare/v1.3.0...v1.3.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2023-09-01 11:49:50 +02:00
Sebastiaan van Stijn
4923470902
replace reference/docker for github.com/distribution/reference v0.5.0 
The reference/docker package was a fork of github.com/distribution/distribution,
which could not easily be used as a direct dependency, as it brought many other
dependencies with it.

The "reference' package has now moved to a separate repository, which means
we can replace the local fork, and use the upstream implementation again.

The new module was extracted from the distribution repository at commit:
b9b19409cf

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2023-08-31 15:54:50 +02:00
Kirtana Ashok
fd5d92a7f5 Update hcsshim tag versioning to v0.12.0-rc.0 
hcsshim tags v0.10.* is deprecated, so using the new
v0.12.0-rc.* versioning for hcsshim tags on containerd/main

Signed-off-by: Kirtana Ashok <kiashok@microsoft.com>
 2023-08-29 17:41:20 -07:00
Jin Dong
fc45365fa1 Remove most logrus 
Signed-off-by: Jin Dong <jin.dong@databricks.com>
 2023-08-26 14:31:53 -04:00
Akihiro Suda
490905be6f
go.mod: github.com/containerd/continuity v0.4.2 
https://github.com/containerd/continuity/compare/1e0d26eb2381...v0.4.2

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-08-25 16:39:55 +09:00
Akihiro Suda
f48bbef193
Merge pull request #8994 from mxpv/cri 
Use sandboxed CRI by default
 2023-08-24 13:42:58 +09:00
Maksym Pavlenko
c3f3cad287
Use sandboxed CRI by default 
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
 2023-08-23 08:50:40 -07:00
Sebastiaan van Stijn
b76cd4d9fd
replace some fmt.Sprintfs with strconv 
Teeny-tiny optimizations:

    BenchmarkSprintf-10       37735996    32.31  ns/op  0 B/op  0 allocs/op
    BenchmarkItoa-10         591945836     2.031 ns/op  0 B/op  0 allocs/op
    BenchmarkFormatUint-10   593701444     2.014 ns/op  0 B/op  0 allocs/op

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2023-08-23 16:43:02 +02:00
James Sturtevant
8399a4ee71 Remove temporary replace 
Signed-off-by: James Sturtevant <jstur@microsoft.com>
 2023-08-21 16:29:18 +00:00
Derek McGowan
465c04c289
Merge pull request #8946 from lengrongfu/feat/bump-client-go 
bump client-go v0.26.4
 2023-08-18 16:35:24 -07:00
Samuel Karp
3b32d3c6f2
Merge pull request #8922 from lengrongfu/feat/sync-image-action 
feat: replace mcr.microsoft.com registry to ghcr.io/containerd registry
 2023-08-17 00:59:46 -07:00
Fu Wei
ba852faf41
Merge pull request #8954 from fuweid/fix-shim-leak 2023-08-17 08:16:20 +08:00
Akihiro Suda
f35d1f08ec
go.mod: github.com/opencontainers/runc v1.1.9 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-08-11 21:25:29 +09:00
Wei Fu
601699a184 integration: add ShouldRetryShutdown case based on #7496 
Since the moby/moby can't handle duplicate exit event well, it's hard
for containerd to retry shutdown if there is error, like context
canceled.

In order to prevent from regression like #4769, I add skipped
integration case as TODO item and we should rethink about how to handle
the task/shim lifecycle.

Signed-off-by: Wei Fu <fuweid89@gmail.com>
 2023-08-11 17:43:51 +08:00
Wei Fu
5bdd9ca938 integration: add case to reproduce #7496 
Signed-off-by: Wei Fu <fuweid89@gmail.com>
 2023-08-11 17:41:04 +08:00
rongfu.leng
b451fa96a6 bump client-go v0.26.4 
Signed-off-by: rongfu.leng <rongfu.leng@daocloud.io>
 2023-08-11 00:30:03 +08:00
Kirtana Ashok
e7e5619fed Update hcsshim tag to v0.10.0 
Signed-off-by: Kirtana Ashok <kiashok@microsoft.com>
 2023-08-09 11:55:54 -07:00
rongfu.leng
4f3c8c4687 replace mcr.microsoft.com registry to ghcr.io/containerd registry 
Signed-off-by: rongfu.leng <rongfu.leng@daocloud.io>
 2023-08-06 21:14:07 +08:00
Fu Wei
2b2195c36b
Merge pull request #8722 from marquiz/devel/cgroup-driver-autoconfig 
cri: implement RuntimeConfig rpc
 2023-08-04 16:09:34 +08:00
Rodrigo Campos
2d64ab8d79 cri: Don't use rel path for image volumes 
Runc 1.1 throws a warning when using rel destination paths, and runc 1.2
is planning to thow an error (i.e. won't start the container).

Let's just make this an abs path in the only place it might not be: the
mounts created due to `VOLUME` directives in the Dockerfile.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
 2023-07-31 12:33:54 +02:00
Iceber Gu
7f7ba31b64 cri: fix using the pinned label to pin image 
Signed-off-by: Iceber Gu <wei.cai-nat@daocloud.io>
 2023-07-26 12:26:00 +08:00
Markus Lehtonen
850b2e1bf3 go.mod: update cri-api to v1.28.0-beta.0 
Required to support upcoming Kubernetes (v1.28) features.

Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
 2023-07-24 14:49:14 +03:00
Akihiro Suda
bc96b9039a
go.mod: github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0 
5330a85ea6...8075edf89b

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-07-23 03:08:01 +09:00
Akihiro Suda
da27408854
go.mod: google.golang.org/genproto v0.0.0-20230720185612-659f7aaaa771 
ccb25ca9f1...659f7aaaa7

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-07-23 03:08:01 +09:00
Akihiro Suda
73dc13ad62
go.mod: github.com/urfave/cli/compare v1.22.14 
https://github.com/urfave/cli/compare/v1.22.13...v1.22.14

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-07-23 03:08:00 +09:00
Akihiro Suda
1c4fc568b1
go.mod: github.com/prometheus/client_golang/compare v1.16.0 
https://github.com/prometheus/client_golang/compare/v1.14.0...v1.16.0

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-07-23 03:08:00 +09:00
Akihiro Suda
68abb525a5
go.mod: github.com/minio/sha256-simd v1.0.1 
https://github.com/minio/sha256-simd/compare/v1.0.0...v1.0.1

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-07-23 03:08:00 +09:00
Akihiro Suda
1f2216cc78
go.mod: github.com/klauspost/compress v1.16.7 
https://github.com/imdario/mergo/compare/v0.3.13...v1.0.0

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-07-23 03:08:00 +09:00
Akihiro Suda
3c6ab04203
go.mod: dario.cat/mergo v1.0.0 
https://github.com/imdario/mergo/compare/v0.3.13...v1.0.0

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-07-23 03:08:00 +09:00
Akihiro Suda
4bda0a69e2
go.mod: github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 
https://github.com/grpc-ecosystem/go-grpc-middleware/compare/v1.3.0...v1.4.0

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-07-23 03:07:59 +09:00
Akihiro Suda
0f033b6125
go.mod: github.com/emicklei/go-restful/v3 v3.10.2 
https://github.com/emicklei/go-restful/compare/v3.10.1...v3.10.2

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-07-23 03:07:59 +09:00
Akihiro Suda
90e050298c
go.mod: github.com/containernetworking/plugin v1.3.0 
https://github.com/containernetworking/plugins/compare/v1.2.0...v1.3.0

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-07-23 03:07:59 +09:00
Akihiro Suda
0498acefb9
go.mod: github.com/.../container-device-interface v0.6.0 
https://github.com/container-orchestrated-devices/container-device-interface/compare/v0.5.4...v0.6.0

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-07-23 03:07:59 +09:00
Akihiro Suda
74b8cb850a
go.mod: github.com/opencontainers/runc v1.1.8 
https://github.com/opencontainers/runc/compare/v1.1.7...v1.1.8

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-07-23 03:07:59 +09:00
Akihiro Suda
895dd2e93b
go.mod: github.com/opencontainers/image-spec v1.1.0-rc4 
https://github.com/opencontainers/image-spec/compare/v1.1.0-rc3...v1.1.0-rc4

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-07-23 03:07:58 +09:00
Akihiro Suda
235a4452df
go.mod: github.com/opencontainers/runtime-spec v1.1.0 
https://github.com/opencontainers/runtime-spec/compare/v1.1.0-rc.2...v1.1.0

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-07-23 03:07:58 +09:00
Maksym Pavlenko
8dcc06d14a
Merge pull request #8747 from Iceber/shim_ttrpc_service 
shim: change ttrpcService and ttrpcServerOptioner to exported interfaces
 2023-07-18 17:12:22 -07:00
Kirtana Ashok
56d80f81a2 Update hcsshim tag to v0.10.0-rc.9 
Signed-off-by: Kirtana Ashok <kiashok@microsoft.com>
 2023-07-17 10:28:47 -07:00
Phil Estes
a94918b591
Merge pull request #8803 from kinvolk/rata/userns-sbserver 
cri/sbserver: Add support for user namespaces (KEP-127)
 2023-07-17 10:57:01 -04:00
Phil Estes
34b1653e95
Merge pull request #8780 from slonopotamus/uncopypaste-read-spec 
Uncopypaste parsing of OCI Bundle spec file
 2023-07-11 09:53:00 -04:00
Rodrigo Campos
48cdf1fe2c integration: Enable userns tests for sbserver 
Now we ported support to sbserver, let's enable the e2e tests there too.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
 2023-07-11 15:15:25 +02:00
Marat Radchenko
9e34b8b441 Uncopypaste parsing of OCI Bundle spec file 
Signed-off-by: Marat Radchenko <marat@slonopotamus.org>
 2023-07-11 14:41:15 +03:00
Sebastiaan van Stijn
05fef52b68
vendor: github.com/containerd/zfs v1.1.0 
- update github.com/mistifyio/go-zfs dependency to github.com/mistifyio/go-zfs/v3,
  which contains various bugfixes, and adds go module support (which required a major
  version update): https://github.com/mistifyio/go-zfs/compare/f784269be439...v3.0.1
- remove github.com/pkg/errors dependency
- various minor cleanups/fixes

Full diff: https://github.com/containerd/zfs/compare/v1.0.0...v1.1.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2023-07-06 11:56:07 +02:00
Iceber Gu
00e5ae2118 shim: change ttrpcService and ttrpcServerOptioner to exported interfaces 
Signed-off-by: Iceber Gu <wei.cai-nat@daocloud.io>
 2023-07-06 00:36:43 +08:00
Fu Wei
fec3191abc
Merge pull request #8755 from dcantah/withbytesbuffers-chg 
integration/client: Rework withBytesBuffers
 2023-07-04 10:04:10 +08:00
Danny Canter
d6dbc4040b go.mod: Update cgroups to 3.0.2 
This brings in a ton of great improvements, most notably for the containerd
daemon is performance improvements for cgroups1 and 2 for gathering stats,
as well as some fixes for enabling controllers and deleting v1 cgroups.

Signed-off-by: Danny Canter <danny@dcantah.dev>
 2023-06-29 12:14:59 -07:00
Danny Canter
e85352183e integration/client: Rework withBytesBuffers 
All of the tests using this didn't need stdin/err (one of them not even
stdout), so we can just leave them "empty" and change to a withStdout
naming to make it more obvious.

Signed-off-by: Danny Canter <danny@dcantah.dev>
 2023-06-27 23:47:14 -07:00
Kazuyoshi Kato
9b4ed8acc2
Merge pull request #8696 from fuweid/deflaky-blockfile 
chore: deflake the blockfile testsuite
 2023-06-26 09:54:33 -07:00
Danny Canter
f82d9b7991 Integration: Align empty IO func on Windows 
I think NullIO is fine on Windows now. We have it as an option in ctr
and it's used for the pod sandbox container in CRI. Lets see if CI agrees..

Signed-off-by: Danny Canter <danny@dcantah.dev>
 2023-06-22 20:05:34 -07:00
Wei Fu
59b0b39af0 vendor: update github.com/containerd/continuity 
Pin it with 1e0d26eb2381594984ee80989c9c229dbd930d9f

Signed-off-by: Wei Fu <fuweid89@gmail.com>
 2023-06-17 08:36:45 +08:00
Phil Estes
38b0f970f0
No more nondistributable layers in MS registry 
Microsoft announced the removal of nondistributable layers from their
images today. This makes the convert test fail since it assumes the
first layer is nondistributable on Windows during the test.

Signed-off-by: Phil Estes <estesp@amazon.com>
 2023-06-13 16:34:44 -04:00
Derek McGowan
dd5e9f6538
Merge pull request #7944 from adisky/new-pinned-image 
CRI Pinned image support
 2023-06-10 22:29:34 -07:00
Derek McGowan
98b7dfb870
Merge pull request #8673 from thaJeztah/no_any 
avoid "any" as variable name
 2023-06-10 20:44:30 -07:00
Sebastiaan van Stijn
4bb709c018
avoid "any" as variable name 
Avoid shadowing / confusion with Go's "any" built-in type.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2023-06-10 13:49:06 +02:00
Sebastiaan van Stijn
577696f608
replace some basic uses of fmt.Sprintf() 
Really tiny gains here, and doesn't significantly impact readability:

    BenchmarkSprintf
    BenchmarkSprintf-10    11528700     91.59 ns/op   32 B/op  1 allocs/op
    BenchmarkConcat
    BenchmarkConcat-10    100000000     11.76 ns/op    0 B/op  0 allocs/op

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2023-06-10 13:24:43 +02:00
Derek McGowan
ee2c8b79bf
Merge pull request #8664 from laurazard/timeout-integration-test-shim-oomscore 
integration/client: add timeout to `TestShimOOMScore`
 2023-06-09 11:49:48 -07:00
Laura Brehm
df280942a7
integration/client: add timeout to TestShimOOMScore 
Signed-off-by: Laura Brehm <laurabrehm@hey.com>
 2023-06-09 10:10:42 +01:00
Kazuyoshi Kato
326cd0623e
Merge pull request #8362 from gabriel-samfira/fix-non-c-volume 
Fix non C volumes on Windows
 2023-06-08 21:07:23 -07:00
Brian Goff
104b9ef9eb Update x/sys to 0.8.0 
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
 2023-06-03 16:14:38 +00:00
Aditi Sharma
fe4f8bd884 Pinned image support 
Signed-off-by: Aditi Sharma <adi.sky17@gmail.com>
 2023-06-02 09:57:22 +05:30
Kazuyoshi Kato
73645b1dfe
Merge pull request #8588 from lengrongfu/feat/cleanup_config_tls 
Cleanup DEPRECATED TLS config
 2023-05-31 18:50:54 -07:00
Derek McGowan
2a60fe5a60
Remove events from init context 
Events from the init context have been replaced by the events plugin

Signed-off-by: Derek McGowan <derek@mcg.dev>
 2023-05-31 09:35:03 -07:00
Evan Lezar
d3887b2e62 Support CDI devices in ctr --device flag 
This change adds support for CDI devices to the ctr --device flag.
If a fully-qualified CDI device name is specified, this is injected
into the OCI specification before creating the container.

Note that the CDI specifications and the devices that they represent
are local and mirror the behaviour of linux devices in the ctr command.

Signed-off-by: Evan Lezar <elezar@nvidia.com>
 2023-05-31 16:14:01 +02:00
rongfu.leng
d2b7a1e293 cleanup DEPRECATED TLS config 
Signed-off-by: rongfu.leng <rongfu.leng@daocloud.io>
 2023-05-31 09:37:41 +08:00
rongfu.leng
9287711b7a upgrade registry.k8s.io/pause version 
Signed-off-by: rongfu.leng <rongfu.leng@daocloud.io>
 2023-05-28 07:59:10 +08:00
Gabriel Adrian Samfira
b9dfd29b73 Update tests to use volume-copy-up:2.2 
Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
 2023-05-26 07:33:06 +00:00
Phil Estes
579b5596c5 Update volume-ownership image with latest hashes 
Fixes test which requires static content to match a GHCR-located image which was recently updated.

Signed-off-by: Phil Estes <estesp@amazon.com>
 2023-05-25 11:13:57 -04:00
Gabriel Adrian Samfira
79709a2058 disable provenance 
Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
 2023-05-19 00:01:05 +03:00
Derek McGowan
44eb8f3466
Merge pull request #8524 from gabriel-samfira/update-volume-copy-up 
Update volume-copy-up
 2023-05-17 09:28:40 -07:00
Gabriel Adrian Samfira
f8907ab872
Update volume-copy-up 
Add new test cases for volumes on both Linux and Windows. These new
volumes will be used to test that we don't accidentally mangle volume
paths on Linux and that non-C volume mounts work properly when defined
in an image on Windows.

Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
 2023-05-17 14:20:37 +03:00
Akihiro Suda
811456b314
go.mod: github.com/containerd/continuity v0.4.0 
https://github.com/containerd/continuity/compare/72c70feb3081...v0.4.0

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-05-17 19:50:20 +09:00
Akihiro Suda
6f715ab101
go.mod: github.com/containerd/go-runc v1.1.0 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-05-17 13:45:37 +09:00
Samuel Karp
c60ba138b6
Merge pull request #8502 from mstmdev/fix-typos 2023-05-16 08:41:02 -07:00
mstmdev
cdaa4025e9 Fix some typos 
Signed-off-by: Pan Yibo <mstmdev@gmail.com>
 2023-05-16 10:12:50 +08:00
Akihiro Suda
2eeb4b6238
Merge pull request #8373 from Iceber/shim_run 
runtime/shim: rename RunManager to Run and remove `runc/v2/services` package
 2023-05-12 00:46:46 +09:00
Phil Estes
43bbffba37
Merge pull request #8500 from AkihiroSuda/runtime-spec-v1.1.0-rc.2 
go.mod: github.com/opencontainers/runtime-spec v1.1.0-rc.2
 2023-05-09 10:42:53 -07:00
Akihiro Suda
4347fc8bc2
go.mod: github.com/opencontainers/image-spec v1.1.0-rc3 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-05-09 23:35:58 +09:00
Derek McGowan
718250b6ba
Update ttrpc to v1.2.2 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2023-05-09 13:08:46 -07:00
Akihiro Suda
5e054ee631
go.mod: github.com/opencontainers/runtime-spec v1.1.0-rc.2 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-05-09 22:26:37 +09:00
Iceber Gu
ecb693ec74 bump typeurl to v2.1.1 
Signed-off-by: Iceber Gu <wei.cai-nat@daocloud.io>
 2023-05-09 13:23:02 +08:00
Sebastiaan van Stijn
0ba0664742
vendor: github.com/opencontainers/runc v1.1.7 
release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.7
full diff: https://github.com/opencontainers/runc/compare/v1.1.6...v1.1.7

This is the seventh patch release in the 1.1.z release of runc, and is
the last planned release of the 1.1.z series. It contains a fix for
cgroup device rules with systemd when handling device rules for devices
that don't exist (though for devices whose drivers don't correctly
register themselves in the kernel -- such as the NVIDIA devices -- the
full fix only works with systemd v240+).

- When used with systemd v240+, systemd cgroup drivers no longer skip
  DeviceAllow rules if the device does not exist (a regression introduced
  in runc 1.1.3). This fix also reverts the workaround added in runc 1.1.5,
  removing an extra warning emitted by runc run/start.
- The source code now has a new file, runc.keyring, which contains the keys
  used to sign runc releases.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2023-04-27 12:00:23 +02:00
Sebastiaan van Stijn
cbd10e41a6
vendor: github.com/opencontainers/runc v1.1.6 
release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.6
full diff: opencontainers/runc@v1.1.5...v1.1.6

This is the sixth patch release in the 1.1.z series of runc, which fixes
a series of cgroup-related issues.

Note that this release can no longer be built from sources using Go
1.16. Using a latest maintained Go 1.20.x or Go 1.19.x release is
recommended. Go 1.17 can still be used.

- systemd cgroup v1 and v2 drivers were deliberately ignoring UnitExist error
  from systemd while trying to create a systemd unit, which in some scenarios
  may result in a container not being added to the proper systemd unit and
  cgroup.
- systemd cgroup v2 driver was incorrectly translating cpuset range from spec's
  resources.cpu.cpus to systemd unit property (AllowedCPUs) in case of more
  than 8 CPUs, resulting in the wrong AllowedCPUs setting.
- systemd cgroup v1 driver was prefixing container's cgroup path with the path
  of PID 1 cgroup, resulting in inability to place PID 1 in a non-root cgroup.
- runc run/start may return "permission denied" error when starting a rootless
  container when the file to be executed does not have executable bit set for
  the user, not taking the CAP_DAC_OVERRIDE capability into account. This is
  a regression in runc 1.1.4, as well as in Go 1.20 and 1.20.1
- cgroup v1 drivers are now aware of misc controller.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2023-04-27 11:59:14 +02:00
Rodrigo Campos
92b93e376a cri: Vendor v0.27.1 
As requested by Akihiro Suda here:
	https://github.com/containerd/containerd/pull/8211#discussion_r1171041922

This just bumps the tag name to the k8s final release. There are no
changes other than the tag name, though.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
 2023-04-24 16:11:42 +02:00
Sebastiaan van Stijn
f238167408
go.mod: add comment explaining go-fuzz-headers replace rule 
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2023-04-15 13:03:12 +02:00
Sebastiaan van Stijn
ec9e74ed92
go.mod: remove replace for github.com/opencontainers/runtime-tools 
The replace rule was actually downgrading the package by one commit;
946c877fa8...2e043c6bd6

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2023-04-15 13:01:24 +02:00
Sebastiaan van Stijn
6c40cf3051
go.mod: integration: use non-pre-release of containerd 
The actual version is replaced, so only "optics"

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2023-04-15 12:50:51 +02:00
Sebastiaan van Stijn
92d1e9bee0
go.mod: integration: move indirect dependencies to the right group 
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2023-04-15 12:45:06 +02:00
Kazuyoshi Kato
ffc70c45c4
Merge pull request #8359 from kiashok/argsEscapedTestFix 
Fix argsEscaped tests
 2023-04-14 13:08:51 -07:00
Iceber Gu
b71f4b7518 runtime/shim: rename RunManager to Run 
Signed-off-by: Iceber Gu <wei.cai-nat@daocloud.io>
 2023-04-14 11:42:21 +08:00
Rodrigo Campos
85afda6f52 cri: Vendor v0.27.0-beta.0 for mounts uid/gid mappings 
We will use this in future commits to see if the kubelet requested idmap
mounts for volumes, that we don't yet support.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
 2023-04-11 17:31:27 +02:00
Kirtana Ashok
e0b817ec15 Fix argsEscaped tests 
- Rename test name
- Add a tag to the container image used in the tests instead of the latest tag
- Add a 5 second delay between container start and stop to ensure that the
  container is fully initialized

Signed-off-by: Kirtana Ashok <Kirtana.Ashok@microsoft.com>
 2023-04-07 13:25:03 -07:00
Gabriel Adrian Samfira
4012c1b853 Remove escalated privileges 
Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
 2023-03-31 06:17:35 -07:00
Gabriel Adrian Samfira
54f8abe553 Use DefaultSnapshotter 
Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
 2023-03-31 06:17:35 -07:00
Gabriel Adrian Samfira
47dd3dcffb use t.Fatal if we cannot enable process privileges 
Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
 2023-03-31 06:17:35 -07:00
Gabriel Adrian Samfira
e31bef15fa Update continuity 
Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
 2023-03-31 06:17:32 -07:00
Gabriel Adrian Samfira
95687a9324 Fix go.mod, simplify boolean logic, add logging 
Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
 2023-03-31 06:16:56 -07:00
Gabriel Adrian Samfira
db32798592 Update continuity, go-winio and hcsshim 
Update dependencies and remove the local bindfilter files. Those have
been moved to go-winio.

Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
 2023-03-31 06:16:52 -07:00
Gabriel Adrian Samfira
dc980b14a0 Grant needed privileges for snapshotter tests 
Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
 2023-03-31 06:15:19 -07:00
Paul "TBBle" Hampson
d591bb0421 Enable TestSnapshotterClient on Windows 
Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
 2023-03-31 06:15:18 -07:00
Fu Wei
988ee8ffef
Merge pull request #8208 from Iceber/fix_runtime_path 
fix the task setting the runtime path
 2023-03-31 12:38:08 +08:00
Akihiro Suda
b55dad06aa
go.mod: github.com/opencontainers/runc v1.1.5 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-03-29 17:16:57 +09:00
Iceber Gu
c89438e834 integration: add container start test using abs runtime path 
Signed-off-by: Iceber Gu <wei.cai-nat@daocloud.io>
 2023-03-29 11:54:52 +08:00
Fu Wei
e735405c15
Merge pull request #7951 from Iceber/fix_restart_monitor 2023-03-16 08:58:20 +08:00
Maksym Pavlenko
07c2ae12e1 Remove v1 runctypes 
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
 2023-03-15 09:18:16 -07:00
Maksym Pavlenko
ef516a1507 Remove runtime v1 
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
 2023-03-15 09:18:14 -07:00
Iceber Gu
76778aee64 integration: add restart monitor test for paused task 
Signed-off-by: Iceber Gu <wei.cai-nat@daocloud.io>
 2023-03-15 14:32:17 +08:00
Kazuyoshi Kato
a570c8184a
Merge pull request #8213 from jedevc/export-skip-docker-manifest 
archive: consistently respect value of WithSkipDockerManifest
 2023-03-14 15:01:08 -07:00
Akihiro Suda
86fc1ccab4
Remove aufs snapshotter (deprecated since v1.5) 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-03-14 14:37:13 +09:00
Justin Chadwell
d3e856da7f export: add test for WithSkipDockerManifest 
Signed-off-by: Justin Chadwell <me@jedevc.com>
 2023-03-13 09:02:53 +00:00
Derek McGowan
56354c7de5
Update ttrpc to v1.2.1 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2023-03-08 10:29:44 -08:00
Paweł Gronowski
dd3eedf3c3 labels: Add LabelDistributionSource 
Add a public const for "containerd.io/distribution.source" in `labels`
package and replace hardcoded usages.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
 2023-03-08 10:01:58 +01:00
Akihiro Suda
6d46bb410b
go.mod: go.opentelemetry.io/otel/* v1.14.0 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-03-08 02:06:41 +09:00
Akihiro Suda
535ef5054d
go.mod: github.com/stretchr/testify v1.8.2 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-03-07 22:06:39 +09:00
Akihiro Suda
2b4f830ede
go.mod: github.com/opencontainers/selinux v1.11.0 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-03-07 22:06:39 +09:00
Akihiro Suda
6bfc82dafe
go.mod: github.com/opencontainers/runtime-spec v1.1.0-rc.1 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-03-07 22:06:39 +09:00
Akihiro Suda
7c70185ae9
go.mod: github.com/klauspost/compress v1.16.0 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-03-07 22:06:39 +09:00
Akihiro Suda
8e67b27315
go.mod: github.com/imdario/mergo v0.3.13 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-03-07 22:06:38 +09:00
Akihiro Suda
6afec55581
go.mod: github.com/emicklei/go-restful/v3 v3.10.1 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-03-07 22:06:38 +09:00
Akihiro Suda
c4f928f88c
go.mod: github.com/containerd/ttrpc v1.2.0 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-03-07 22:06:38 +09:00
Akihiro Suda
5630d6a840
go.mod: github.com/containerd/fifo v1.1.0 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-03-07 22:06:38 +09:00
Akihiro Suda
6d95132313
go.mod: github.com/containerd/cgroups/v3 v3.0.1 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-03-07 22:06:38 +09:00
Akihiro Suda
da1ffdd757
go.mod: github.com/Microsoft/hcsshim v0.10.0-rc.7 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-03-07 21:48:06 +09:00
Akihiro Suda
c77ddf5381
Merge pull request #8131 from lucacome/bump-k8s.io-deps 
Bump k8s.io deps
 2023-03-07 21:44:13 +09:00
Akihiro Suda
56f629fd9c
Merge pull request #8217 from dmcgowan/update-imgcrypt 
Update imgcrypt to v1.1.7
 2023-03-07 21:40:10 +09:00
Fu Wei
5ae3a7f417
Merge pull request #8198 from kiashok/argsEscapedSupportInCri 
Add ArgsEscaped support for CRI
 2023-03-07 16:12:24 +08:00
Derek McGowan
60738e31d2
Update imgcrypt to v1.1.7 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2023-03-06 22:22:26 -08:00
Kirtana Ashok
8137e41c48 Add ArgsEscaped support for CRI 
This commit adds supports for the ArgsEscaped
value for the image got from the dockerfile.
It is used to evaluate and process the image
entrypoint/cmd and container entrypoint/cmd
options got from the podspec.

Signed-off-by: Kirtana Ashok <Kirtana.Ashok@microsoft.com>
 2023-03-03 13:38:06 -08:00
Wei Fu
55e25f1644 integration: add testcase to drain exec IO in time 
Signed-off-by: Wei Fu <fuweid89@gmail.com>
 2023-03-03 11:59:07 +08:00
Wei Fu
a9cbddd65d *: fix typo and skip exec-io-drain-testcase in win 
Signed-off-by: Wei Fu <fuweid89@gmail.com>
 2023-03-02 21:57:43 +08:00
Luca Comellini
8145b15f08
Bump k8s.io deps 
Signed-off-by: Luca Comellini <luca.com@gmail.com>
 2023-03-01 21:37:21 -08:00
Wei Fu
82c0f4ff86 pkg/cri/server: add timeout to drain exec io 
By default, the child processes spawned by exec process will inherit standard
io file descriptors. The shim server creates a pipe as data channel. Both exec
process and its children write data into the write end of the pipe. And the
shim server will read data from the pipe. If the write end is still open, the
shim server will continue to wait for data from pipe.

So, if the exec command is like `bash -c "sleep 365d &"`, the exec process is
bash and quit after create `sleep 365d`. But the `sleep 365d` will hold the
write end of the pipe for a year! It doesn't make senses that CRI plugin
should wait for it.

For this case, we should use timeout to drain exec process's io instead of
waiting for it.

Fixes: #7802

Signed-off-by: Wei Fu <fuweid89@gmail.com>
 2023-03-02 13:06:45 +08:00
Derek McGowan
a5a4c9ce04
Merge pull request #8173 from fuweid/update-go-cni-ver 
bump go-cni to v1.1.9
 2023-02-27 23:22:44 -08:00
Akihiro Suda
e0a05b56e5
Merge pull request #8152 from bart0sh/PR007-upgrade-CDI-to-0.5.4 
update CDI version to v0.5.4
 2023-02-28 09:22:30 +09:00
Wei Fu
36ae2f6b9e bump go-cni to v1.1.9 
Signed-off-by: Wei Fu <fuweid89@gmail.com>
 2023-02-28 07:30:59 +08:00
Krisztian Litkey
310be5ce6e pkg/nri: update NRI configuration. 
Update NRI plugin configuration to match that of NRI. Remove
option for the eliminated NRI configuration file. Add option
to disable connections from externally launched plugins. Add
options to override default plugin registration and request
timeouts.

Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
 2023-02-26 19:56:31 +02:00
Ed Bartosh
30e4a14092 update CDI version to v0.5.4 
Signed-off-by: Ed Bartosh <eduard.bartosh@intel.com>
 2023-02-22 16:38:37 +02:00
Fu Wei
8cb00f45c9
Merge pull request #8143 from mxpv/log 
Add Fields type alias to log package
 2023-02-21 10:22:23 +08:00
Maksym Pavlenko
06e085c8b5 Add Fields type alias to log package 
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
 2023-02-20 17:29:08 -08:00
Benjamin Wang
2716fd041a dependency: bump go.etcd.io/bbolt to v1.3.7 
Please refer to link below to get more detailed info on bbolt@v1.3.7,
- https://github.com/etcd-io/bbolt/blob/master/CHANGELOG/CHANGELOG-1.3.md#v1372023-01-31

Signed-off-by: Benjamin Wang <wachao@vmware.com>
 2023-02-17 16:34:53 +08:00
Maksym Pavlenko
24cf85f5a3
Merge pull request #8103 from AkihiroSuda/go-1.20 
Go 1.20.1
 2023-02-15 20:09:28 -08:00
Derek McGowan
f885e07456
Merge pull request #8044 from fish98/main 
docs: fix function names in fuzzing test documentation
 2023-02-15 15:23:15 -08:00
Derek McGowan
aa6418fadd
Merge pull request from GHSA-hmfx-3pcx-653p 
oci: fix additional GIDs
 2023-02-15 13:45:14 -08:00
Akihiro Suda
281f89a9dc
go.mod: go 1.19 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-02-16 03:50:23 +09:00
Zechun Chen
39bac0dbef error strings should not be capitalized 
Signed-off-by: Zechun Chen <zechun.chen@daocloud.io>
 2023-02-15 14:30:36 +08:00
Casey Callendrello
d14758b605 go.mod: bump to go-cni main 
Signed-off-by: Casey Callendrello <c1@caseyc.net>
 2023-02-14 16:49:17 +01:00
Akihiro Suda
4e2eb8ba4e
Merge pull request #7964 from dmcgowan/transfer-image-store-references 
[transfer] update imagestore interface to support multiple references
 2023-02-14 11:22:27 +09:00
Derek McGowan
081601f521
Update imagestore interface to support multiple references 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2023-02-13 13:58:33 -08:00
Derek McGowan
edb8ebaf07
Merge pull request #8047 from ruiwen-zhao/send_nil 
Send container events with nil PodSandboxStatus
 2023-02-13 11:38:14 -08:00
Akihiro Suda
b61988670c
go.mod: github.com/containerd/typeurl/v2 v2.1.0 
Changes: https://github.com/containerd/typeurl/compare/7f6e6d160d67...v2.1.0

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-02-11 23:39:52 +09:00
ruiwen-zhao
27c8f4085c Move PLEG event generation back to sbserver to avoid missing pod sandbox status 
Signed-off-by: ruiwen-zhao <ruiwen@google.com>
 2023-02-11 01:34:33 +00:00
Akihiro Suda
3eda46af12
oci: fix additional GIDs 
Test suite:
```yaml

---
apiVersion: v1
kind: Pod
metadata:
  name: test-no-option
  annotations:
    description: "Equivalent of `docker run` (no option)"
spec:
  restartPolicy: Never
  containers:
    - name: main
      image: ghcr.io/containerd/busybox:1.28
      args: ['sh', '-euxc',
             '[ "$(id)" = "uid=0(root) gid=0(root) groups=0(root),10(wheel)" ]']
---
apiVersion: v1
kind: Pod
metadata:
  name: test-group-add-1-group-add-1234
  annotations:
    description: "Equivalent of `docker run --group-add 1 --group-add 1234`"
spec:
  restartPolicy: Never
  containers:
    - name: main
      image: ghcr.io/containerd/busybox:1.28
      args: ['sh', '-euxc',
             '[ "$(id)" = "uid=0(root) gid=0(root) groups=0(root),1(daemon),10(wheel),1234" ]']
  securityContext:
    supplementalGroups: [1, 1234]
---
apiVersion: v1
kind: Pod
metadata:
  name: test-user-1234
  annotations:
    description: "Equivalent of `docker run --user 1234`"
spec:
  restartPolicy: Never
  containers:
    - name: main
      image: ghcr.io/containerd/busybox:1.28
      args: ['sh', '-euxc',
             '[ "$(id)" = "uid=1234 gid=0(root) groups=0(root)" ]']
  securityContext:
    runAsUser: 1234
---
apiVersion: v1
kind: Pod
metadata:
  name: test-user-1234-1234
  annotations:
    description: "Equivalent of `docker run --user 1234:1234`"
spec:
  restartPolicy: Never
  containers:
    - name: main
      image: ghcr.io/containerd/busybox:1.28
      args: ['sh', '-euxc',
             '[ "$(id)" = "uid=1234 gid=1234 groups=1234" ]']
  securityContext:
    runAsUser: 1234
    runAsGroup: 1234
---
apiVersion: v1
kind: Pod
metadata:
  name: test-user-1234-group-add-1234
  annotations:
    description: "Equivalent of `docker run --user 1234 --group-add 1234`"
spec:
  restartPolicy: Never
  containers:
    - name: main
      image: ghcr.io/containerd/busybox:1.28
      args: ['sh', '-euxc',
             '[ "$(id)" = "uid=1234 gid=0(root) groups=0(root),1234" ]']
  securityContext:
    runAsUser: 1234
    supplementalGroups: [1234]
```

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-02-10 15:53:00 +09:00
Akihiro Suda
52f82acb7b
btrfs: depend on kernel UAPI instead of libbtrfs 
See containerd/btrfs PR 40 and moby/moby PR 44761. (Thanks to [@]neersighted.)

The containerd/btrfs library now requires headers from kernel 4.12 or newer:
- https://github.com/torvalds/linux/blob/master/include/uapi/linux/btrfs.h
- https://github.com/torvalds/linux/blob/master/include/uapi/linux/btrfs_tree.h

These files are licensed under the GPL-2.0 WITH Linux-syscall-note, so it should be compatible with the Apache License 2.0.
https://spdx.org/licenses/Linux-syscall-note.html

The dependency on the kernel headers only affects users building from source.
Users on older kernels may opt to not compile this library (`BUILDTAGS=no_btfs`),
or to provide headers from a newer kernel.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-02-10 10:07:34 +09:00
TTFISH
5bc3fea621 update fuzz function names in docs with golang naming convention 
Signed-off-by: Jiongchi Yu <jcyu.2022@phdcs.smu.edu.sg>
 2023-02-06 17:59:07 +08:00
Kirtana Ashok
e5c57f2422 update hcsshim tag to v0.10.0-rc.5 and revendor 
Signed-off-by: Kirtana Ashok <Kirtana.Ashok@microsoft.com>
 2023-02-03 10:50:56 -08:00
TTFISH
904a87d26d docs: fix function names in fuzzing test documentation 
Signed-off-by: Jiongchi Yu <jcyu.2022@phdcs.smu.edu.sg>
 2023-02-03 23:19:00 +08:00
Maksym Pavlenko
99580e0aad Update TTRPC and Protobuild dependencies 
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
 2023-02-02 09:58:43 -08:00
Sebastiaan van Stijn
d6070f8a74
go.mod: github.com/urfave/cli v1.22.12 
full diff: https://github.com/urfave/cli/compare/v1.22.10...v1.22.12

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2023-02-01 12:42:03 +01:00
Krisztian Litkey
58bd5a0940 go.mod: update github.com/containerd/nri. 
Point NRI dependency to latest HEAD, commit b3cabdec0657. That
pulls in the necessary NRI fix for a recently discovered panic
and crash.

Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
 2023-01-31 15:03:45 +02:00
Tony Fang
c46aaa8df4 Add integration test for tracing on image pull 
Create an in-memory exporter and global tracer provider
Pull image with client which should create spans
Validate spans in the exporter

Signed-off-by: Tony Fang <nhfang@amazon.com>
 2023-01-31 05:45:26 +00:00
Akihiro Suda
b5bdd6c7f2
Merge pull request #8027 from AkihiroSuda/containerd-cgroups-v3 
go.mod: github.com/containerd/cgroups/v3 v3.0.0
 2023-01-30 23:06:47 +09:00
Aditi
7ec75b1207 Update CNI to 1.2.0 
Signed-off-by: Aditi <sharmaad@vmware.com>
 2023-01-30 10:25:37 +00:00
Akihiro Suda
306db3e707
go.mod: github.com/containerd/cgroups/v3 v3.0.0 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-01-30 11:57:46 +09:00
Akihiro Suda
5082fb3958
go.mod: go.opentelemetry.io/otel v1.12.0 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-01-30 08:40:46 +09:00
Wei Fu
8886b05dc3 integration: use sleep inf with busybox:1.36 
Signed-off-by: Wei Fu <fuweid89@gmail.com>
 2023-01-29 18:02:18 +08:00
Wei Fu
005d30e849 deflake: TestContainerPids 
It is kind of race because `sleep 1s` is short live process.

See: https://github.com/containerd/containerd/issues/7965#issuecomment-1383218025
Fixes: #7965

Signed-off-by: Wei Fu <fuweid89@gmail.com>
 2023-01-29 16:51:52 +08:00
Kazuyoshi Kato
753bfd6575
Merge pull request #7959 from Jenkins-J/fix-mem-limit-test 
Fix Memory Limit test
 2023-01-26 10:33:35 -08:00
Markus Lehtonen
d845b2a9c2 go.mod: update goresctrl to v0.3.0 
Update github.com/intel/goresctrl to v0.3.0 which ontains multiple
bugfixes to rdt support.

Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
 2023-01-24 11:34:33 +02:00
James Jenkins
b1c5c57be0 Fix Memory Limit test 
Modify the memory limit test, allowing the test to pass when swap is not
enabled.

Signed-off-by: James Jenkins <James.Jenkins@ibm.com>
 2023-01-17 13:07:28 -05:00
Kirtana Ashok
66eeee0439 Update hcsshim tag to v0.10.0-rc.4 
Signed-off-by: Kirtana Ashok <Kirtana.Ashok@microsoft.com>
 2023-01-12 11:29:01 -08:00
AdamKorcz
802c6c5c0d fuzzing: improve archive fuzzer 
Signed-off-by: AdamKorcz <adam@adalogics.com>
 2023-01-11 23:32:45 +00:00
Tony Fang
82d6c2f931 Revert container_stats_test.go change which caused Windows CRI integration test failure 
PR #7892 which supposed to fix issue on Linux introduced random failure
on Windows, this commit is to revert that change for Windows platform

Signed-off-by: Tony Fang <nenghui.fang@gmail.com>
 2023-01-09 05:22:25 +00:00
Samuel Karp
6f9936e305
mod: update github.com/pelletier/go-toml@v1.9.5 
Signed-off-by: Samuel Karp <samuelkarp@google.com>
 2023-01-06 13:11:07 -08:00
Akihiro Suda
7b1f08bf50
nri_test.go: skip if SELinux is enabled 
SELinux relabeling is not implemented for NRI yet

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-01-04 02:20:42 +09:00
Akihiro Suda
dcbb32d6fb
cri-integration: set SelinuxRelabel 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-01-04 02:20:42 +09:00
Akihiro Suda
0f163d6960
TestVolumeOwnership: compare GID, not group name 
The name of the GID 65534 differs across distros.
("nogroup" on Debian derivatives, "nobody" on Red Hat derivatives)

Fix the following test failure:
```
=== RUN   TestVolumeOwnership
    volume_copy_up_test.go:103: Create a sandbox
    main_test.go:667: Pull test image "ghcr.io/containerd/volume-ownership:2.1"
    volume_copy_up_test.go:108: Create a container with volume-ownership test image
    volume_copy_up_test.go:117: Start the container
    volume_copy_up_test.go:125: Check ownership of test directory inside container
    volume_copy_up_test.go:146: Check ownership of test directory on the host
    volume_copy_up_test.go:153:
        	Error Trace:	/root/go/src/github.com/containerd/containerd/volume_copy_up_test.go:153
        	Error:      	Not equal:
        	            	expected: "nobody:nogroup\n"
        	            	actual  : "nobody:nobody\n"

        	            	Diff:
        	            	--- Expected
        	            	+++ Actual
        	            	@@ -1,2 +1,2 @@
        	            	-nobody:nogroup
        	            	+nobody:nobody

        	Test:       	TestVolumeOwnership
--- FAIL: TestVolumeOwnership (3.45s)
```

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-01-04 02:20:42 +09:00