full diff: https://github.com/opencontainers/runc/compare/v1.1.2...v1.1.3
This is the third release of the 1.1.z series of runc, and contains
various minor improvements and bugfixes.
- Our seccomp `-ENOSYS` stub now correctly handles multiplexed syscalls on
s390 and s390x. This solves the issue where syscalls the host kernel did not
support would return `-EPERM` despite the existence of the `-ENOSYS` stub
code (this was due to how s390x does syscall multiplexing).
- Retry on dbus disconnect logic in libcontainer/cgroups/systemd now works as
intended; this fix does not affect runc binary itself but is important for
libcontainer users such as Kubernetes.
- Inability to compile with recent clang due to an issue with duplicate
constants in libseccomp-golang.
- When using systemd cgroup driver, skip adding device paths that don't exist,
to stop systemd from emitting warnings about those paths.
- Socket activation was failing when more than 3 sockets were used.
- Various CI fixes.
- Allow to bind mount `/proc/sys/kernel/ns_last_pid` to inside container.
- runc static binaries are now linked against libseccomp v2.5.4.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This change does a couple things to remove some cruft/unused functionality
in the Windows snapshotter, as well as add a way to specify the rootfs
size in bytes for a Windows container via a new field added in the CRI api in
k8s 1.24. Setting the rootfs/scratch volume size was assumed to be working
prior to this but turns out not to be the case.
Previously I'd added a change to pass any annotations in the containerd
snapshot form (containerd.io/snapshot/*) as labels for the containers
rootfs snapshot. This was added as a means for a client to be able to provide
containerd.io/snapshot/io.microsoft.container.storage.rootfs.size-gb as an
annotation and have that be translated to a label and ultimately set the
size for the scratch volume in Windows. However, this actually only worked if
interfacing with the CRI api directly (crictl) as Kubernetes itself will
fail to validate annotations that if split by "/" end up with > 2 parts,
which the snapshot labels will (containerd.io / snapshot / foobarbaz).
With this in mind, passing the annotations and filtering to
containerd.io/snapshot/* is moot, so I've removed this code in favor of
a new `snapshotterOpts()` function that will return platform specific
snapshotter options if ones exist. Now on Windows we can just check if
RootfsSizeInBytes is set on the WindowsContainerResources struct and
then return a snapshotter option that sets the right label.
So all in all this change:
- Gets rid of code to pass CRI annotations as labels down to snapshotters.
- Gets rid of the functionality to create a 1GB sized scratch disk if
the client provided a size < 20GB. This code is not used currently and
has a few logical shortcomings as it won't be able to create the disk
if a container is already running and using the same base layer. WCIFS
(driver that handles the unioning of windows container layers together)
holds open handles to some files that we need to delete to create the
1GB scratch disk is the underlying problem.
- Deprecates the containerd.io/snapshot/io.microsoft.container.storage.rootfs.size-gb
label in favor of a new containerd.io/snapshot/windows/rootfs.sizebytes label.
The previous label/annotation wasn't being used by us, and from a cursory
github search wasn't being used by anyone else either. Now that there is a CRI
field to specify the size, this should just be a field that users can set
on their pod specs and don't need to concern themselves with what it eventually
gets translated to, but non-CRI clients can still use the new label/deprecated
label as usual.
- Add test to cri integration suite to validate expanding the rootfs size.
Signed-off-by: Daniel Canter <dcanter@microsoft.com>
go1.18.3 (released 2022-06-01) includes security fixes to the crypto/rand,
crypto/tls, os/exec, and path/filepath packages, as well as bug fixes to the
compiler, and the crypto/tls and text/template/parse packages. See the Go
1.18.3 milestone on our issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.18.3+label%3ACherryPickApproved
update golang to 1.17.11
go1.17.11 (released 2022-06-01) includes security fixes to the crypto/rand,
crypto/tls, os/exec, and path/filepath packages, as well as bug fixes to the
crypto/tls package. See the Go 1.17.11 milestone on our issue tracker for details.
https://github.com/golang/go/issues?q=milestone%3AGo1.17.11+label%3ACherryPickApproved
Hello gophers,
We have just released Go versions 1.18.3 and 1.17.11, minor point releases.
These minor releases include 4 security fixes following the security policy:
- crypto/rand: rand.Read hangs with extremely large buffers
On Windows, rand.Read will hang indefinitely if passed a buffer larger than
1 << 32 - 1 bytes.
Thanks to Davis Goodin and Quim Muntal, working at Microsoft on the Go toolset,
for reporting this issue.
This is [CVE-2022-30634][CVE-2022-30634] and Go issue https://go.dev/issue/52561.
- crypto/tls: session tickets lack random ticket_age_add
Session tickets generated by crypto/tls did not contain a randomly generated
ticket_age_add. This allows an attacker that can observe TLS handshakes to
correlate successive connections by comparing ticket ages during session
resumption.
Thanks to GitHub user nervuri for reporting this.
This is [CVE-2022-30629][CVE-2022-30629] and Go issue https://go.dev/issue/52814.
- `os/exec`: empty `Cmd.Path` can result in running unintended binary on Windows
If, on Windows, `Cmd.Run`, `cmd.Start`, `cmd.Output`, or `cmd.CombinedOutput`
are executed when Cmd.Path is unset and, in the working directory, there are
binaries named either "..com" or "..exe", they will be executed.
Thanks to Chris Darroch, brian m. carlson, and Mikhail Shcherbakov for reporting
this.
This is [CVE-2022-30580][CVE-2022-30580] and Go issue https://go.dev/issue/52574.
- `path/filepath`: Clean(`.\c:`) returns `c:` on Windows
On Windows, the `filepath.Clean` function could convert an invalid path to a
valid, absolute path. For example, Clean(`.\c:`) returned `c:`.
Thanks to Unrud for reporting this issue.
This is [CVE-2022-29804][CVE-2022-29804] and Go issue https://go.dev/issue/52476.
[CVE-2022-30634]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30634
[CVE-2022-30629]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30629
[CVE-2022-30580]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30580
[CVE-2022-29804]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29804
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This allows running Linux containers on FreeBSD and modifies the
mounts so that they represent the linux emulated filesystems, as per:
https://wiki.freebsd.org/LinuxJails
Co-authored-by: Gijs Peskens <gijs@peskens.net>, Samuel Karp <samuelkarp@users.noreply.github.com>
Signed-off-by: Artem Khramov <akhramov@pm.me>
A majority of the tests in /pkg/cri are testing/validating multiple
things per test (generally spec or options validations). This flow
lends itself well to using *testing.T's Run method to run each thing
as a subtest so `go test` output can actually display which subtest
failed/passed.
Some of the tests in the packages in pkg/cri already did this, but
a bunch simply logged what sub-testcase was currently running without
invoking t.Run.
Signed-off-by: Daniel Canter <dcanter@microsoft.com>
HostProcess containers require every container in the pod to be a
host process container and have the corresponding field set. The Kubelet
usually enforces this so we'd error before even getting here but we recently
found a bug in this logic so better to be safe than sorry.
Signed-off-by: Daniel Canter <dcanter@microsoft.com>
We only need the `ToMan()` as part of the `bin/gen-manpages` binary, which
generates the man-pages; other binaries don't use this code, so we can
set the `urfave_cli_no_docs` build-tag to exclude `cpuguy83/md2man` and
`russross/blackfriday` (and other dependencies) from the binaries:
Before:
ls -lh bin
total 149M
-rwxr-xr-x 1 root root 49M May 27 10:12 containerd
-rwxr-xr-x 1 root root 6.1M May 27 10:13 containerd-shim
-rwxr-xr-x 1 root root 8.1M May 27 10:13 containerd-shim-runc-v1
-rwxr-xr-x 1 root root 8.2M May 27 10:13 containerd-shim-runc-v2
-rwxr-xr-x 1 root root 22M May 27 10:12 containerd-stress
-rwxr-xr-x 1 root root 26M May 27 10:11 ctr
-rwxr-xr-x 1 root root 30M May 27 10:14 gen-manpages
ls -l bin
total 151676
-rwxr-xr-x 1 root root 51280184 May 27 10:12 containerd
-rwxr-xr-x 1 root root 6332416 May 27 10:13 containerd-shim
-rwxr-xr-x 1 root root 8458240 May 27 10:13 containerd-shim-runc-v1
-rwxr-xr-x 1 root root 8536064 May 27 10:13 containerd-shim-runc-v2
-rwxr-xr-x 1 root root 22567160 May 27 10:12 containerd-stress
-rwxr-xr-x 1 root root 26873752 May 27 10:11 ctr
-rwxr-xr-x 1 root root 30508888 May 27 10:14 gen-manpages
After:
ls -lh bin
total 147M
-rwxr-xr-x 1 root root 49M May 27 10:26 containerd
-rwxr-xr-x 1 root root 6.1M May 27 10:26 containerd-shim
-rwxr-xr-x 1 root root 8.1M May 27 10:26 containerd-shim-runc-v1
-rwxr-xr-x 1 root root 8.2M May 27 10:26 containerd-shim-runc-v2
-rwxr-xr-x 1 root root 22M May 27 10:26 containerd-stress
-rwxr-xr-x 1 root root 26M May 27 10:26 ctr
-rwxr-xr-x 1 root root 30M May 27 10:27 gen-manpages
ls -l bin
total 149912
-rwxr-xr-x 1 root root 50930360 May 27 10:26 containerd
-rwxr-xr-x 1 root root 6332416 May 27 10:26 containerd-shim
-rwxr-xr-x 1 root root 8458240 May 27 10:26 containerd-shim-runc-v1
-rwxr-xr-x 1 root root 8536064 May 27 10:26 containerd-shim-runc-v2
-rwxr-xr-x 1 root root 22209144 May 27 10:26 containerd-stress
-rwxr-xr-x 1 root root 26523896 May 27 10:26 ctr
-rwxr-xr-x 1 root root 30508888 May 27 10:27 gen-manpages
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The regression in v1.22.2 has been resolved, so we can drop the
replace rule and use the latest v1.22.x version.
full diff: https://github.com/urfave/cli/compare/v1.22.1...v1.22.9
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Before this patch, if the go.mod did not contain a replace rule, jq would fail
(Cannot iterate over null), and Bash would produce an error when trying to add
an empty `$key` to `map_requires`:
make verify-vendor
+ verify-vendor
jq: error (at <stdin>:581): Cannot iterate over null (null)
/go/src/github.com/containerd/containerd//script/verify-go-modules.sh: line 44: map_replaces_1[$key]: bad array subscript
make: *** [Makefile:435: verify-vendor] Error 1
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
