Since both cri-containerd and runC runtime are widely used, the relevent
information should include runC and CRI configuration when file bug.
Signed-off-by: Wei Fu <fuweid89@gmail.com>
When an error is returned here, unlike the other error returns in the function, nothing is done to mark the added device as faulty or remove it.
I have observed this causing future snapshot creations to continue to attempt to use the same ID (from the sequence) to create new devices
and get blocked because the device already exists because it was not rolled back here.
Hopefully fixes#5110
Signed-off-by: Jeremy Williams <ctrlaltdel121@gmail.com>
`go get -d` uses go modules by default in Go 1.16 and up, which results
in modules being fetched for the "latest" module version, after which we
tried to "git checkout" to `<VERSION>`.
For runc, this means that (possibly incorrectly), `go get` will download
runc `v0.1.1` (most recent non-"pre-release", which caused failures (e.g
the old `Sirupsen/logrus` being downloaded).
In addition, some of the dependencies we're installing use vendoring, and
thus would not require the modules to be downloaded (and vendored files
will be ignored when using `go get` with modules).
This patch switches several uses `go get -d` to use a regular
git clone, after which the desired version is checked out,
and the binaries are built.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Phil Estes <estesp@amazon.com>
The "userxattr" option is needed for mounting overlayfs inside a user namespace with kernel >= 5.11.
The "userxattr" option is NOT needed for the initial user namespace (aka "the host").
Also, Ubuntu (since circa 2015) and Debian (since 10) with kernel < 5.11 can mount the overlayfs in a user namespace without the "userxattr" option.
The corresponding kernel commit: 2d2f2d7322ff43e0fe92bf8cccdc0b09449bf2e1
> ovl: user xattr
>
> Optionally allow using "user.overlay." namespace instead of "trusted.overlay."
> ...
> Disable redirect_dir and metacopy options, because these would allow privilege escalation through direct manipulation of the
> "user.overlay.redirect" or "user.overlay.metacopy" xattrs.
Fix issue 5060
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
pkg/cap has the full list of the caps (for UT, originally),
so we can drop dependency on github.com/syndtr/gocapability
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
The only shared variable `m.client` is thread-safe, so we can safely
parallelize the loops.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
The CI host was probably updated recently and the permission bits of the
directory was changed.
Fix 5077
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
