This allows running Linux containers on FreeBSD and modifies the
mounts so that they represent the linux emulated filesystems, as per:
https://wiki.freebsd.org/LinuxJails
Co-authored-by: Gijs Peskens <gijs@peskens.net>, Samuel Karp <samuelkarp@users.noreply.github.com>
Signed-off-by: Artem Khramov <akhramov@pm.me>
The regression in v1.22.2 has been resolved, so we can drop the
replace rule and use the latest v1.22.x version.
full diff: https://github.com/urfave/cli/compare/v1.22.1...v1.22.9
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Before this patch, if the go.mod did not contain a replace rule, jq would fail
(Cannot iterate over null), and Bash would produce an error when trying to add
an empty `$key` to `map_requires`:
make verify-vendor
+ verify-vendor
jq: error (at <stdin>:581): Cannot iterate over null (null)
/go/src/github.com/containerd/containerd//script/verify-go-modules.sh: line 44: map_replaces_1[$key]: bad array subscript
make: *** [Makefile:435: verify-vendor] Error 1
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Before:
```
$ nerdctl pull gcr.io/kubeflow-images-public/tensorflow-1.14.0-notebook-cpu:v0.7.0
FATA[0026] failed to extract layer sha256:f8a604834d388fd3d04c26e4ed832b36b617ea8a4e0b1665b9199bd10cfcb171: mount callback failed on /var/lib/containerd/tmpmounts/containerd-mount1818823128:
lchown /var/lib/containerd/tmpmounts/containerd-mount1818823128/usr/local/bin/docker-credential-gcr: invalid argument: unknown
```
After:
```
$ nerdctl pull gcr.io/kubeflow-images-public/tensorflow-1.14.0-notebook-cpu:v0.7.0
FATA[0027] failed to extract layer sha256:f8a604834d388fd3d04c26e4ed832b36b617ea8a4e0b1665b9199bd10cfcb171: mount callback failed on /var/lib/containerd/tmpmounts/containerd-mount3521205359:
failed to Lchown "/var/lib/containerd/tmpmounts/containerd-mount3521205359/usr/local/bin/docker-credential-gcr" for UID 205001, GID 5000:
lchown /var/lib/containerd/tmpmounts/containerd-mount3521205359/usr/local/bin/docker-credential-gcr: invalid argument
(Hint: try increasing the number of subordinate IDs in /etc/subuid and /etc/subgid): unknown
```
Related to moby/moby issue 43576 but for containerd
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
When upperdirLabel specified, overlay Update will throw tx closed error since Commit is invoked before GetInfo
Signed-off-by: cardy.tang <zuniorone@gmail.com>
"ctr s r" help suggests <pod-config.json> is taken as the first
parameter and the sandbox ID becomes next. However, only the latter
is read and used.
Add code that reads <pod-config.json> and passes it to Sanbox.
Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
PR #6366 implemented a tree-wide change to replace github.com/pkg/errors
to errors. The new sandbox API PR #6703 had few errors.Wrap*() leftovers
and pulled github.com/pkg/errors back. This commit replaces those
leftovers by following the pattern in #6366.
Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
This is the second patch release of the runc 1.1 release branch. It
fixes CVE-2022-29162, a minor security issue (which appears to not be
exploitable) related to process capabilities.
This is a similar bug to the ones found and fixed in Docker and
containerd recently (CVE-2022-24769).
- A bug was found in runc where runc exec --cap executed processes with
non-empty inheritable Linux process capabilities, creating an atypical Linux
environment. For more information, see GHSA-f3fp-gc8g-vw66 and CVE-2022-29162.
- runc spec no longer sets any inheritable capabilities in the created
example OCI spec (config.json) file.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
As we know, shim starts twice. The first time we execute the shim with the
`start` arguments, the `-debug` argument is passed to the shim
process correctly. But the second time we execute shim, the debug flag
is ignored.
Signed-off-by: wllenyj <wllenyj@linux.alibaba.com>
