Previously a typo was introduced that caused the wrong error to be
checked against when calling exec.LookPath. This had the effect that
containerd would never locate the shim binary if it was in the same
directory as containerd's binary, but not in PATH.
Signed-off-by: Kevin Parsons <kevpar@microsoft.com>
This function will be used by nerdctl for printing the default AppArmor
profile: `nerdctl system inspect apparmor-profile`
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Since both cri-containerd and runC runtime are widely used, the relevent
information should include runC and CRI configuration when file bug.
Signed-off-by: Wei Fu <fuweid89@gmail.com>
When an error is returned here, unlike the other error returns in the function, nothing is done to mark the added device as faulty or remove it.
I have observed this causing future snapshot creations to continue to attempt to use the same ID (from the sequence) to create new devices
and get blocked because the device already exists because it was not rolled back here.
Hopefully fixes#5110
Signed-off-by: Jeremy Williams <ctrlaltdel121@gmail.com>
`go get -d` uses go modules by default in Go 1.16 and up, which results
in modules being fetched for the "latest" module version, after which we
tried to "git checkout" to `<VERSION>`.
For runc, this means that (possibly incorrectly), `go get` will download
runc `v0.1.1` (most recent non-"pre-release", which caused failures (e.g
the old `Sirupsen/logrus` being downloaded).
In addition, some of the dependencies we're installing use vendoring, and
thus would not require the modules to be downloaded (and vendored files
will be ignored when using `go get` with modules).
This patch switches several uses `go get -d` to use a regular
git clone, after which the desired version is checked out,
and the binaries are built.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Phil Estes <estesp@amazon.com>
The "userxattr" option is needed for mounting overlayfs inside a user namespace with kernel >= 5.11.
The "userxattr" option is NOT needed for the initial user namespace (aka "the host").
Also, Ubuntu (since circa 2015) and Debian (since 10) with kernel < 5.11 can mount the overlayfs in a user namespace without the "userxattr" option.
The corresponding kernel commit: 2d2f2d7322ff43e0fe92bf8cccdc0b09449bf2e1
> ovl: user xattr
>
> Optionally allow using "user.overlay." namespace instead of "trusted.overlay."
> ...
> Disable redirect_dir and metacopy options, because these would allow privilege escalation through direct manipulation of the
> "user.overlay.redirect" or "user.overlay.metacopy" xattrs.
Fix issue 5060
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
