This moves most of the API calls off of the `labels` package onto the root
selinux package. This is the newer API for most selinux operations.
Signed-off-by: Michael Crosby <michael@thepasture.io>
full diff: https://github.com/opencontainers/selinux/compare/v1.5.1...v1.5.2
- Implement FormatMountLabel unconditionally
Implementing FormatMountLabel on situations built without selinux
should be possible; the context will be ignored if no SELinux is available.
- Remote potential race condition, where mcs label is freed
Theorectially if you do not change the MCS Label then we free it and two
commands later reserve it. If some other process was grabbing MCS Labels
at the same time, the other process could get the same label.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
When I changed the vendor.conf format to use tags, many of the
dependencies didn't use tagged versions, and the column format
made the file slightly more consistent / easier to read.
With many dependencies moving to go modules, we see more deps
tagging releases, and we're now more actively trying to use
tagged releases for our dependencies.
With containerd/containerd changing the format to use tags as
default, it makes sense to do the same here as well (to allow
for easier comparing the vendor.conf files between repositories)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 0d360c50b1...0553354f00
- Add WithConfList opt for adding conf list from bytes
- Use Go modules instead of vndr
- Test on go1.13, 1.14, remove go1.12
- Update pkg/errors v0.9.1, switch to using errors.Is() instead of errors.Cause()
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
We encountered two failing end-to-end tests after the adoption of
https://github.com/containerd/cri/pull/1470 in
https://github.com/cri-o/cri-o/pull/3749:
```
Summarizing 2 Failures:
[Fail] [sig-cli] Kubectl Port forwarding With a server listening on 0.0.0.0 that expects a client request [It] should support a client that connects,
sends DATA, and disconnects
test/e2e/kubectl/portforward.go:343
[Fail] [sig-cli] Kubectl Port forwarding With a server listening on localhost that expects a client request [It] should support a client that connects
, sends DATA, and disconnects
test/e2e/kubectl/portforward.go:343
```
Increasing the timeout to 1s fixes the issue.
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
This swaps the RunningInUserNS() function that we're using
from libcontainer/system with the one in containerd/sys.
This removes the dependency on libcontainer/system, given
these were the only functions we're using from that package.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The `DualStack` option was deprecated in Go 1.12, and is now enabled by default
(through commit github.com/golang/go@efc185029bf770894defe63cec2c72a4c84b2ee9).
> The Dialer.DualStack field is now meaningless and documented as deprecated.
>
> To disable fallback, set FallbackDelay to a negative value.
The default `FallbackDelay` is 300ms; to make this more explicit, this patch
sets `FallbackDelay` to the default value.
Note that Docker Hub currently does not support IPv6 (DNS for registry-1.docker.io
has no AAAA records, so we should not hit the 300ms delay).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Now that 901bcb2231 was merged in containerd,
we no longer depend on the ParseDockerRef utility from docker/distribution,
so we can safely roll back to the latest release for this dependency.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- relates to moby/buildkit 1111
- relates to moby/buildkit 1079
- relates to docker/buildx 129
full diff: 9461782956...e31b211e4f
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
