Akihiro Suda
eb5a0c04b4
apparmor: add signal (receive) peer=/usr/local/bin/rootlesskit,
Fix containerd/nerdctl issue 2730
> [Rootless] `nerdctl rm` fails when AppArmor is loaded:
> `error="unknown error after kill: runc did not terminate successfully: exit status 1:
> unable to signal init: permission denied\n: unknown"`
Caused by:
> kernel: audit: type=1400 audit(1713840662.766:122): apparmor="DENIED" operation="signal" class="signal"
> profile="nerdctl-default" pid=366783 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill
> peer="/usr/local/bin/rootlesskit"
The issue is known to happen on Ubuntu 23.10 and 24.04 LTS.
Doesn't seem to happen on Ubuntu 22.04 LTS.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-04-23 12:21:26 +09:00
Sebastiaan van Stijn
13e6b2b686
update to go1.21.9, go1.22.2
go1.21.9 (released 2024-04-03) includes a security fix to the net/http
package, as well as bug fixes to the linker, and the go/types and
net/http packages. See the Go 1.21.9 milestone for more details;
https://github.com/golang/go/issues?q=milestone%3AGo1.21.9+label%3ACherryPickApproved
These minor releases include 1 security fix following the security policy:
- http2: close connections when receiving too many headers
Maintaining HPACK state requires that we parse and process all HEADERS
and CONTINUATION frames on a connection. When a request's headers exceed
MaxHeaderBytes, we don't allocate memory to store the excess headers but
we do parse them. This permits an attacker to cause an HTTP/2 endpoint
to read arbitrary amounts of header data, all associated with a request
which is going to be rejected. These headers can include Huffman-encoded
data which is significantly more expensive for the receiver to decode
than for an attacker to send.
Set a limit on the amount of excess header frames we will process before
closing a connection.
Thanks to Bartek Nowotarski (https://nowotarski.info/) for reporting this issue.
This is CVE-2023-45288 and Go issue https://go.dev/issue/65051.
View the release notes for more information:
https://go.dev/doc/devel/release#go1.22.2
- https://github.com/golang/go/issues?q=milestone%3AGo1.21.9+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.21.8...go1.21.9
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-04-22 19:43:32 +02:00
guangwu
b82ced57f9
fix: close profile
Signed-off-by: guoguangwu <guoguangwug@gmail.com>
2024-04-12 18:08:29 +08:00
Derek McGowan
7c1fca096d
Update migration script based on usage
Signed-off-by: Derek McGowan <derek@mcg.dev>
2024-03-18 12:14:44 -07:00
Akihiro Suda
7ecdebff93
update to go 1.21.8, 1.22.1
See https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-03-07 08:32:40 +09:00
Derek McGowan
9128ee0a91
Move nri packages to plugin and internal
NRI is still newer and mostly used by CRI plugin. Keep the package in
internal to allow for interfaces as the project matures.
Signed-off-by: Derek McGowan <derek@mcg.dev>
2024-02-29 21:37:36 -08:00
Derek McGowan
72f21833b1
Move events to plugins and core
Signed-off-by: Derek McGowan <derek@mcg.dev>
2024-02-27 22:09:20 -08:00
Akhil Mohan
0693b936d2
replace deprecated Prestart to CreateRuntime hook
Prestart Hook is deprecated and can be replaced with CreateRuntime hook
Signed-off-by: Akhil Mohan <akhilerm@gmail.com>
2024-02-20 21:54:47 +05:30
Derek McGowan
a086125ae3
Move config version to version package
Signed-off-by: Derek McGowan <derek@mcg.dev>
2024-02-14 21:09:44 -08:00
Maksym Pavlenko
4f76ebcb86
Merge pull request #9778 from adisky/use-latest-registry-conf
Update gce configure.sh to use registry config_path
2024-02-12 19:34:47 +00:00
Davanum Srinivas
41bb8b816b
Revert "Fix for k8s nfs related tests"
This reverts commit 23ebfd0305.
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2024-02-10 22:34:30 -05:00
Davanum Srinivas
bb45ce1e06
Merge pull request #9799 from dims/fix-for-k8s-nfs-related-tests
Fix for k8s nfs related tests probably caused by `ulimit` changes
2024-02-10 20:46:45 +00:00
Davanum Srinivas
23ebfd0305
Fix for k8s nfs related tests
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2024-02-10 11:28:23 -05:00
Derek McGowan
634ac2f8fa
Update migration script for transfer packages
Signed-off-by: Derek McGowan <derek@mcg.dev>
2024-02-07 22:43:19 -08:00
Aditi Sharma
d9b95ab686
Update gce configure.sh to use registry config_path
Signed-off-by: Aditi Sharma <adi.sky17@gmail.com>
2024-02-08 09:26:39 +05:30
Maksym Pavlenko
bbac058cf3
Move CRI from pkg/ to internal/
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
2024-02-02 10:12:08 -08:00
Derek McGowan
58ff9d368d
Move cri plugin to plugins subpackage
Signed-off-by: Derek McGowan <derek@mcg.dev>
2024-01-28 20:57:19 -08:00
Derek McGowan
9795677fe9
Move cri base plugin to CRI runtime service
Create new plugin type for CRI runtime and image services.
Signed-off-by: Derek McGowan <derek@mcg.dev>
2024-01-28 20:57:18 -08:00
Derek McGowan
010857d33b
Add errdefs and platforms to migration script
Signed-off-by: Derek McGowan <derek@mcg.dev>
2024-01-25 22:18:45 -08:00
Derek McGowan
fb9b59a843
Switch to new errdefs package
Signed-off-by: Derek McGowan <derek@mcg.dev>
2024-01-25 22:18:45 -08:00
Phil Estes
a2d0ddc88e
Merge pull request #9684 from AkihiroSuda/seccomp-6.7
seccomp: kernel 6.7
2024-01-25 19:07:42 +00:00
Akihiro Suda
eb8981f352
mv contrib/seccomp/kernelversion pkg/kernelversion
The package isn't really relevant to seccomp
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-01-24 19:03:53 +09:00
Akihiro Suda
a6e52c74fa
seccomp: kernel 6.7
The following syscalls were added since kernel v5.16:
- v5.17 (libseccomp v2.5.4): set_mempolicy_home_node
- v6.5 (libseccomp v2.5.5): cachestat
- v6.6 (libseccomp v2.5.5): fchmodat2, map_shadow_stack
- v6.7 (libseccomp v2.5.5): futex_wake, futex_wait, futex_requeue
[Not covered in this commit]
- v6.8-rc1: statmount, listmount, lsm_get_self_attr, lsm_set_self_attr, lsm_list_modules
ref:
- `syscalls: update the syscall list for Linux v5.17` (libseccomp v2.5.4) d83cb7ac25
- `all: update the syscall table for Linux v6.7-rc3` (libseccomp v2.5.5) 53267af3fb
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-01-24 18:35:41 +09:00
Derek McGowan
e79ec7a095
Remove deprecated platforms package
Signed-off-by: Derek McGowan <derek@mcg.dev>
2024-01-23 09:14:03 -08:00
Derek McGowan
94d1b20988
Add migration script to contrib
Signed-off-by: Derek McGowan <derek@mcg.dev>
2024-01-17 10:00:15 -08:00
Derek McGowan
dbc74db6a1
Move runtime to core/runtime
Signed-off-by: Derek McGowan <derek@mcg.dev>
2024-01-17 09:58:04 -08:00
Derek McGowan
df9b0a0675
Move metrics to core/metrics
Signed-off-by: Derek McGowan <derek@mcg.dev>
2024-01-17 09:57:55 -08:00
Derek McGowan
6be90158cd
Move sys to pkg/sys
Signed-off-by: Derek McGowan <derek@mcg.dev>
2024-01-17 09:56:16 -08:00
Derek McGowan
e59f64792b
Move oci to pkg/oci
Signed-off-by: Derek McGowan <derek@mcg.dev>
2024-01-17 09:55:48 -08:00
Derek McGowan
fa8cae99d1
Move namespaces to pkg/namespaces
Signed-off-by: Derek McGowan <derek@mcg.dev>
2024-01-17 09:55:39 -08:00
Derek McGowan
11114b0a9a
Move gc/scheduler to plugins/gc
Signed-off-by: Derek McGowan <derek@mcg.dev>
2024-01-17 09:55:03 -08:00
Derek McGowan
44a836c9b5
Move errdefs to pkg/errdefs
Signed-off-by: Derek McGowan <derek@mcg.dev>
2024-01-17 09:54:45 -08:00
Derek McGowan
70ed2696fa
Move events to pkg/events
Signed-off-by: Derek McGowan <derek@mcg.dev>
2024-01-17 09:54:36 -08:00
Derek McGowan
8e14c39e80
Move archive to pkg/archive
Signed-off-by: Derek McGowan <derek@mcg.dev>
2024-01-17 09:54:18 -08:00
Derek McGowan
fcd39ccc53
Move snapshots to core/snapshots
Signed-off-by: Derek McGowan <derek@mcg.dev>
2024-01-17 09:54:09 -08:00
Derek McGowan
e0fe656daf
Move snapshots/windows to plugins/snapshots/windows
Signed-off-by: Derek McGowan <derek@mcg.dev>
2024-01-17 09:54:00 -08:00
Derek McGowan
57bdbfba6a
Move snapshots/overlay to plugins/snapshots/overlay
Signed-off-by: Derek McGowan <derek@mcg.dev>
2024-01-17 09:53:51 -08:00
Derek McGowan
9b8c558f9f
Move snapshots/native to plugins/snapshots/native
Signed-off-by: Derek McGowan <derek@mcg.dev>
2024-01-17 09:53:42 -08:00
Derek McGowan
5c07d5d361
Move snapshots/lcow to plugins/snapshots/lcow
Signed-off-by: Derek McGowan <derek@mcg.dev>
2024-01-17 09:53:33 -08:00
Derek McGowan
2909f07f85
Move snapshots/blockfile to plugins/snapshots/blockfile
Signed-off-by: Derek McGowan <derek@mcg.dev>
2024-01-17 09:53:06 -08:00
Derek McGowan
92d2a5fc02
Move services to plugins/services
Signed-off-by: Derek McGowan <derek@mcg.dev>
2024-01-17 09:52:57 -08:00
Derek McGowan
ce41d1c90a
Move services/server to cmd/containerd/server
Signed-off-by: Derek McGowan <derek@mcg.dev>
2024-01-17 09:52:48 -08:00
Derek McGowan
d133019c9b
Move runtime/restart/monitor to plugins/restart
Signed-off-by: Derek McGowan <derek@mcg.dev>
2024-01-17 09:52:30 -08:00
Derek McGowan
6e5408dcec
Move mount to core/mount
Signed-off-by: Derek McGowan <derek@mcg.dev>
2024-01-17 09:52:12 -08:00
Derek McGowan
1a1e0e8c81
Move metadata to core/metadata
Signed-off-by: Derek McGowan <derek@mcg.dev>
2024-01-17 09:52:03 -08:00
Derek McGowan
18b3cbe4fa
Move metadata/plugin to plugins/metadata
Signed-off-by: Derek McGowan <derek@mcg.dev>
2024-01-17 09:51:54 -08:00
Derek McGowan
f80760f9ff
Move leases to core/leases
Signed-off-by: Derek McGowan <derek@mcg.dev>
2024-01-17 09:51:45 -08:00
Derek McGowan
cc6a5c9c69
Move leases/plugin to plugins/leases
Signed-off-by: Derek McGowan <derek@mcg.dev>
2024-01-17 09:51:35 -08:00
Derek McGowan
57ea8aef3d
Move images to core/images
Signed-off-by: Derek McGowan <derek@mcg.dev>
2024-01-17 09:51:26 -08:00
Derek McGowan
913edcd489
Move diff to core/diff
Signed-off-by: Derek McGowan <derek@mcg.dev>
2024-01-17 09:51:17 -08:00