Following the addition of annotations to the grpc/ttrpc API surface,
follow suit with adding annotations to the controller api surface.
Signed-off-by: Danny Canter <danny@dcantah.dev>
An oft employed scheme for a lot of our APIs is to include an
annotations field which is just a map of string to string. This
usually allows folks using the API to send over metadata or auxiliary
information without needing to get a new field added (especially where
the field might not make sense for it to be a standalone field). I think
having annotations for CreateSandbox make sense for this same use case.
Signed-off-by: Danny Canter <danny@dcantah.dev>
Required for distros that wanna use their local version and
can't have some (possibly failing) git commands being run here.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
There still was one place that's calling the `go` command directly
instead of using the $(GO) variable.
Fixes: 9ea25634bd
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
We have been using Cirrus CI for running vagrant workloads
as the standard runners of GHA lacks nested virtualization,
but it looks like GHA with the "larger" runners support nested
virtualization.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
In the sbserver we should not use the GOOS, as windows hosts can run
linux containers. On the sbserver we should use the platform param.
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
Includes a fix for CVE-2023-29409
go1.20.7 (released 2023-08-01) includes a security fix to the crypto/tls
package, as well as bug fixes to the assembler and the compiler. See the
Go 1.20.7 milestone on our issue tracker for details:
- https://github.com/golang/go/issues?q=milestone%3AGo1.20.7+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.20.6...go1.20.7
go1.19.12 (released 2023-08-01) includes a security fix to the crypto/tls
package, as well as bug fixes to the assembler and the compiler. See the
Go 1.19.12 milestone on our issue tracker for details.
- https://github.com/golang/go/issues?q=milestone%3AGo1.19.12+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.19.11...go1.19.12
From the mailing list announcement:
[security] Go 1.20.7 and Go 1.19.12 are released
Hello gophers,
We have just released Go versions 1.20.7 and 1.19.12, minor point releases.
These minor releases include 1 security fixes following the security policy:
- crypto/tls: restrict RSA keys in certificates to <= 8192 bits
Extremely large RSA keys in certificate chains can cause a client/server
to expend significant CPU time verifying signatures. Limit this by
restricting the size of RSA keys transmitted during handshakes to <=
8192 bits.
Based on a survey of publicly trusted RSA keys, there are currently only
three certificates in circulation with keys larger than this, and all
three appear to be test certificates that are not actively deployed. It
is possible there are larger keys in use in private PKIs, but we target
the web PKI, so causing breakage here in the interests of increasing the
default safety of users of crypto/tls seems reasonable.
Thanks to Mateusz Poliwczak for reporting this issue.
View the release notes for more information:
https://go.dev/doc/devel/release#go1.20.7
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Before this PR, if a stdin/stdout/stderr stream is nil,
and the corresponding FIFO is not an empty string,
a panic will occur when Read/Write of the nil stream is invoked in io.CopyBuffer.
Signed-off-by: Hsing-Yu (David) Chen <davidhsingyuchen@gmail.com>
Runc 1.1 throws a warning when using rel destination paths, and runc 1.2
is planning to thow an error (i.e. won't start the container).
Let's just make this an abs path in the only place it might not be: the
mounts created due to `VOLUME` directives in the Dockerfile.
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
The rpc only reports one field, i.e. the cgroup driver, to kubelet.
Containerd determines the effective cgroup driver by looking at all
runtime handlers, starting from the default runtime handler (the rest in
alphabetical order), and returning the cgroup driver setting of the
first runtime handler that supports one. If no runtime handler supports
cgroup driver (i.e. has a config option for it) containerd falls back to
auto-detection, returning systemd if systemd is running and cgroupfs
otherwise.
This patch implements the CRI server side of Kubernetes KEP-4033:
https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/4033-group-driver-detection-over-cri
Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
- `release.yml` continues to use Ubuntu 20.04 for glibc compatibility
- cgroup v1 is no longer tested with Ubuntu, but still tested with Rocky 8
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
