Add installation scripts needed to generate CRI + CNI tar package on
release.
Update Github action release script to generate CRI release tarballs for
Linux and Windows.
Signed-off-by: Derek McGowan <derek@mcg.dev>
`vagrant up` will build and install containerd and all dependencies,
setting up proper SELinux contexts on the runc and containerd binaries.
The VM is configured to be SELinux Enforcing by default but this gets
changed during various CI passes via a matrix param to Disabled and
Permissive before running tests. I have an open PR to fix the
container-selinux policy for containerd at
https://github.com/containers/container-selinux/pull/98 which once
accepted we will want to update the CI matrix to use Enforcing mode
instead of Permissive.
All tests currently pass in SELinux permissive mode with containerd
configured with `enable_selinux=true`. To see which tests are failing
with SELinux enforcing and an already spun up VM:
`SELINUX=Enforcing vagrant up --provision-with=selinux,test-cri`
To test SELinux enforcing in a new VM:
`vagrant destroy -force; SELINUX=Enforcing vagrant up --provision-with=shell,selinux,test-cri`
The `selinux` shell provisioner, parameterized by the SELINUX envvar,
will configure the system as you would expect, with the side effect that
containerd is configured with `enable_selinux=true` via
`/etc/containerd/config.toml` for Permissive or Enforcing modes and
`enable_selinux=false` when SELINUX=Disabled.
Provided that virtualization is suported, this Vagrantfile and provisioners
make it easy to test containerd/cri for conformance under SELinux on
non-SELinux systems.
Signed-off-by: Jacob Blain Christen <jacob@rancher.com>
Recent changes removed the need for libseccomp-dev when building
containerd. The btrfs tools package is already installed on GH Actions
runners and was already a no-op so the whole step can be removed.
Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
This will ensure that we can always get the current Windows OS build
version, without being put into Windows 8 compatibility mode.
Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
We are going to deprecate shim v1 (#4365), but it is still early to
disable the tests for them
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
GH runners now have a systemd-run containerd running on the standard
socket, impacting the CRI test's expectation of our CI-built containerd
running there.
Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
The previous names were confusing because v1 may look like shim API v1 (io.containerd.runtime.v1.linux").
Also, v2 may look like cgroup v2.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
- always apt-get update before installing packages
- move to tagged official create_release action
The official GH create_release action now has support for body text from
file.
Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
[BeforeEach] [k8s.io] Security Context
/home/runner/work/containerd/containerd/src/github.com/kubernetes-sigs/cri-tools/pkg/framework/framework.go:50
W0624 12:26:28.532644 30569 util_unix.go:103] Using "/var/run/containerd/containerd.sock" as endpoint is deprecated, please consider using full url format "unix:///var/run/containerd/containerd.sock".
W0624 12:26:28.532700 30569 util_unix.go:103] Using "/var/run/containerd/containerd.sock" as endpoint is deprecated, please consider using full url format "unix:///var/run/containerd/containerd.sock".
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This will check that the tag is signed and then checkout the tag, build
official binaries, sha256sum the tarball, and upload those assets to the
release, officially generating a release in GitHub from the signed tag.
Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
- Remove dependency on libcontainer/system
- Get rid of socat for port forwarding
- Roll docker/distribution back to latest (v2.7.1) release
Now that 901bcb2231 was merged in containerd,
we no longer depend on the ParseDockerRef utility from docker/distribution,
so we can safely roll back to the latest release for this dependency.
- vendor: kubernetes v1.18.2
Fix client watch reestablishment handling of client-side timeouts
- Add config flag to default empty seccomp profile
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: fahedouch <fahed.dorgaa@gmail.com>
omit sudo when EUID eqto 0
Signed-off-by: fahedouch <fahed.dorgaa@gmail.com>
omit sudo when EUID eqto 0
Signed-off-by: fahedouch <fahed.dorgaa@gmail.com>
omit sudo when EUID eqto 0
Signed-off-by: fahedouch <fahed.dorgaa@gmail.com>
use gosu to omit sudo in GA
Signed-off-by: fahedouch <fahed.dorgaa@gmail.com>
use gosu to omit sudo in GA
Signed-off-by: fahedouch <fahed.dorgaa@gmail.com>
set working-dir for <<Setup gosu>> step
Signed-off-by: fahedouch <fahed.dorgaa@gmail.com>
fix job permissions
Signed-off-by: fahedouch <fahed.dorgaa@gmail.com>
Integration tests were running with latest Go release rather than the
version used everywhere else. Also, we don't need to install protoc from
tarball and also apt-get the package for Ubuntu when used as a
dependency for criu build.
Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
Also few changes to names of workflow jobs. Integration tests can get
canceled without full completing at 10 minutes. Make sure we only use
checkout v2 action.
Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
full diff: https://github.com/golang/go/compare/go1.13.6...go1.13.7
go1.13.7 (released 2020/01/28) includes two security fixes. One mitigates
the CVE-2020-0601 certificate verification bypass on Windows. The other affects
only 32-bit architectures.
https://github.com/golang/go/issues?q=milestone%3AGo1.13.7+label%3ACherryPickApproved
- X.509 certificate validation bypass on Windows 10
A Windows vulnerability allows attackers to spoof valid certificate chains when
the system root store is in use. These releases include a mitigation for Go
applications, but it’s strongly recommended that affected users install the
Windows security update to protect their system.
This issue is CVE-2020-0601 and Go issue golang.org/issue/36834.
- Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte
On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing
functions of golang.org/x/crypto/cryptobyte can lead to a panic.
The malformed certificate can be delivered via a crypto/tls connection to a
client, or to a server that accepts client certificates. net/http clients can
be made to crash by an HTTPS server, while net/http servers that accept client
certificates will recover the panic and are unaffected.
Thanks to Project Wycheproof for providing the test cases that led to the
discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837.
This is also fixed in version v0.0.0-20200124225646-8b5121be2f68 of golang.org/x/crypto/cryptobyte.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
