github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity
03b9ce56b5
containerd/Vagrantfile
Sebastiaan van Stijn eaf6071019
update to go1.21.1, go1.20.8 
go1.21.1 (released 2023-09-06) includes four security fixes to the cmd/go,
crypto/tls, and html/template packages, as well as bug fixes to the compiler,
the go command, the linker, the runtime, and the context, crypto/tls,
encoding/gob, encoding/xml, go/types, net/http, os, and path/filepath packages.
See the Go 1.21.1 milestone on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.21.1+label%3ACherryPickApproved

full diff: https://github.com/golang/go/compare/go1.21.0...go1.21.1

From the security mailing:

[security] Go 1.21.1 and Go 1.20.8 are released

Hello gophers,

We have just released Go versions 1.21.1 and 1.20.8, minor point releases.

These minor releases include 4 security fixes following the security policy:

- cmd/go: go.mod toolchain directive allows arbitrary execution
  The go.mod toolchain directive, introduced in Go 1.21, could be leveraged to
  execute scripts and binaries relative to the root of the module when the "go"
  command was executed within the module. This applies to modules downloaded using
  the "go" command from the module proxy, as well as modules downloaded directly
  using VCS software.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-39320 and Go issue https://go.dev/issue/62198.

- html/template: improper handling of HTML-like comments within script contexts
  The html/template package did not properly handle HMTL-like "<!--" and "-->"
  comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may
  cause the template parser to improperly interpret the contents of <script>
  contexts, causing actions to be improperly escaped. This could be leveraged to
  perform an XSS attack.

  Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this
  issue.

  This is CVE-2023-39318 and Go issue https://go.dev/issue/62196.

- html/template: improper handling of special tags within script contexts
  The html/template package did not apply the proper rules for handling occurrences
  of "<script", "<!--", and "</script" within JS literals in <script> contexts.
  This may cause the template parser to improperly consider script contexts to be
  terminated early, causing actions to be improperly escaped. This could be
  leveraged to perform an XSS attack.

  Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this
  issue.

  This is CVE-2023-39319 and Go issue https://go.dev/issue/62197.

- crypto/tls: panic when processing post-handshake message on QUIC connections
  Processing an incomplete post-handshake message for a QUIC connection caused a panic.

  Thanks to Marten Seemann for reporting this issue.

  This is CVE-2023-39321 and CVE-2023-39322 and Go issue https://go.dev/issue/62266.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-09 01:02:43 +02:00

332 lines
12 KiB
Ruby
Raw Blame History

# -*- mode: ruby -*-
# vi: set ft=ruby :
# Copyright The containerd Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Vagrantfile for Fedora and EL
Vagrant.configure("2") do |config|
config.vm.box = ENV["BOX"] ? ENV["BOX"].split("@")[0] : "fedora/38-cloud-base"
# BOX_VERSION is deprecated. Use "BOX=<BOX>@<BOX_VERSION>".
config.vm.box_version = ENV["BOX_VERSION"] || (ENV["BOX"].split("@")[1] if ENV["BOX"])
memory = 4096
cpus = 2
disk_size = 60
config.vm.provider :virtualbox do |v, o|
v.memory = memory
v.cpus = cpus
# Needs env var VAGRANT_EXPERIMENTAL="disks"
o.vm.disk :disk, size: "#{disk_size}GB", primary: true
v.customize ["modifyvm", :id, "--firmware", "efi"]
end
config.vm.provider :libvirt do |v|
v.memory = memory
v.cpus = cpus
v.machine_virtual_size = disk_size
v.loader = "/usr/share/OVMF/OVMF_CODE.fd"
end
config.vm.synced_folder ".", "/vagrant", type: "rsync"
config.vm.provision 'shell', path: 'script/resize-vagrant-root.sh'
# Disabled by default. To run:
# vagrant up --provision-with=upgrade-packages
# To upgrade only specific packages:
# UPGRADE_PACKAGES=selinux vagrant up --provision-with=upgrade-packages
#
config.vm.provision "upgrade-packages", type: "shell", run: "never" do |sh|
sh.upload_path = "/tmp/vagrant-upgrade-packages"
sh.env = {
'UPGRADE_PACKAGES': ENV['UPGRADE_PACKAGES'],
}
sh.inline = <<~SHELL
#!/usr/bin/env bash
set -eux -o pipefail
dnf -y upgrade ${UPGRADE_PACKAGES}
SHELL
end
# To re-run, installing CNI from RPM:
# INSTALL_PACKAGES="containernetworking-plugins" vagrant up --provision-with=install-packages
#
config.vm.provision "install-packages", type: "shell", run: "once" do |sh|
sh.upload_path = "/tmp/vagrant-install-packages"
sh.env = {
'INSTALL_PACKAGES': ENV['INSTALL_PACKAGES'],
}
sh.inline = <<~SHELL
#!/usr/bin/env bash
set -eux -o pipefail
dnf -y install \
container-selinux \
curl \
gcc \
git \
iptables \
libseccomp-devel \
libselinux-devel \
lsof \
make \
strace \
${INSTALL_PACKAGES}
SHELL
end
# EL does not have /usr/local/{bin,sbin} in the PATH by default
config.vm.provision "setup-etc-environment", type: "shell", run: "once" do |sh|
sh.upload_path = "/tmp/vagrant-setup-etc-environment"
sh.inline = <<~SHELL
#!/usr/bin/env bash
set -eux -o pipefail
cat >> /etc/environment <<EOF
PATH=/usr/local/go/bin:/usr/local/bin:/usr/local/sbin:$PATH
EOF
source /etc/environment
SHELL
end
# To re-run this provisioner, installing a different version of go:
# GO_VERSION="1.14.6" vagrant up --provision-with=install-golang
#
config.vm.provision "install-golang", type: "shell", run: "once" do |sh|
sh.upload_path = "/tmp/vagrant-install-golang"
sh.env = {
'GO_VERSION': ENV['GO_VERSION'] || "1.21.1",
}
sh.inline = <<~SHELL
#!/usr/bin/env bash
set -eux -o pipefail
curl -fsSL "https://dl.google.com/go/go${GO_VERSION}.linux-amd64.tar.gz" | tar Cxz /usr/local
cat >> /etc/profile.d/sh.local <<EOF
GOPATH=\\$HOME/go
PATH=\\$GOPATH/bin:\\$PATH
export GOPATH PATH
git config --global --add safe.directory /vagrant
EOF
source /etc/profile.d/sh.local
SHELL
end
config.vm.provision "setup-gopath", type: "shell", run: "once" do |sh|
sh.upload_path = "/tmp/vagrant-setup-gopath"
sh.inline = <<~SHELL
#!/usr/bin/env bash
source /etc/environment
source /etc/profile.d/sh.local
set -eux -o pipefail
mkdir -p ${GOPATH}/src/github.com/containerd
ln -fnsv /vagrant ${GOPATH}/src/github.com/containerd/containerd
SHELL
end
config.vm.provision "install-runc", type: "shell", run: "once" do |sh|
sh.upload_path = "/tmp/vagrant-install-runc"
sh.env = {
'RUNC_FLAVOR': ENV['RUNC_FLAVOR'] || "runc",
}
sh.inline = <<~SHELL
#!/usr/bin/env bash
source /etc/environment
source /etc/profile.d/sh.local
set -eux -o pipefail
${GOPATH}/src/github.com/containerd/containerd/script/setup/install-runc
type runc
runc --version
chcon -v -t container_runtime_exec_t $(type -ap runc)
SHELL
end
config.vm.provision "install-cni", type: "shell", run: "once" do |sh|
sh.upload_path = "/tmp/vagrant-install-cni"
sh.env = {
'CNI_BINARIES': 'bridge dhcp flannel host-device host-local ipvlan loopback macvlan portmap ptp tuning vlan',
}
sh.inline = <<~SHELL
#!/usr/bin/env bash
source /etc/environment
source /etc/profile.d/sh.local
set -eux -o pipefail
cd ${GOPATH}/src/github.com/containerd/containerd
script/setup/install-cni
PATH=/opt/cni/bin:$PATH type ${CNI_BINARIES} || true
SHELL
end
config.vm.provision "install-cri-tools", type: "shell", run: "once" do |sh|
sh.upload_path = "/tmp/vagrant-install-cri-tools"
sh.env = {
'CRI_TOOLS_VERSION': ENV['CRI_TOOLS_VERSION'] || '16911795a3c33833fa0ec83dac1ade3172f6989e',
'GOBIN': '/usr/local/bin',
}
sh.inline = <<~SHELL
#!/usr/bin/env bash
source /etc/environment
source /etc/profile.d/sh.local
set -eux -o pipefail
${GOPATH}/src/github.com/containerd/containerd/script/setup/install-critools
type crictl critest
critest --version
SHELL
end
config.vm.provision "install-containerd", type: "shell", run: "once" do |sh|
sh.upload_path = "/tmp/vagrant-install-containerd"
sh.inline = <<~SHELL
#!/usr/bin/env bash
source /etc/environment
source /etc/profile.d/sh.local
set -eux -o pipefail
cd ${GOPATH}/src/github.com/containerd/containerd
make BUILDTAGS="seccomp selinux no_btrfs no_devmapper no_zfs" binaries install
type containerd
containerd --version
chcon -v -t container_runtime_exec_t /usr/local/bin/{containerd,containerd-shim*}
./script/setup/config-containerd
SHELL
end
config.vm.provision "install-gotestsum", type: "shell", run: "once" do |sh|
sh.upload_path = "/tmp/vagrant-install-gotestsum"
sh.inline = <<~SHELL
#!/usr/bin/env bash
source /etc/environment
source /etc/profile.d/sh.local
set -eux -o pipefail
${GOPATH}/src/github.com/containerd/containerd/script/setup/install-gotestsum
sudo cp ${GOPATH}/bin/gotestsum /usr/local/bin/
SHELL
end
config.vm.provision "install-failpoint-binaries", type: "shell", run: "once" do |sh|
sh.upload_path = "/tmp/vagrant-install-failpoint-binaries"
sh.inline = <<~SHELL
#!/usr/bin/env bash
source /etc/environment
source /etc/profile.d/sh.local
set -eux -o pipefail
${GOPATH}/src/github.com/containerd/containerd/script/setup/install-failpoint-binaries
chcon -v -t container_runtime_exec_t $(type -ap containerd-shim-runc-fp-v1)
containerd-shim-runc-fp-v1 -v
SHELL
end
# SELinux is Enforcing by default.
# To set SELinux as Disabled on a VM that has already been provisioned:
# SELINUX=Disabled vagrant up --provision-with=selinux
# To set SELinux as Permissive on a VM that has already been provsioned
# SELINUX=Permissive vagrant up --provision-with=selinux
config.vm.provision "selinux", type: "shell", run: "never" do |sh|
sh.upload_path = "/tmp/vagrant-selinux"
sh.env = {
'SELINUX': ENV['SELINUX'] || "Enforcing"
}
sh.inline = <<~SHELL
/vagrant/script/setup/config-selinux
/vagrant/script/setup/config-containerd
SHELL
end
# SELinux is Enforcing by default (via provisioning) in this VM. To re-run with SELinux disabled:
# SELINUX=Disabled vagrant up --provision-with=selinux,test-integration
#
config.vm.provision "test-integration", type: "shell", run: "never" do |sh|
sh.upload_path = "/tmp/test-integration"
sh.env = {
'RUNC_FLAVOR': ENV['RUNC_FLAVOR'] || "runc",
'GOTEST': ENV['GOTEST'] || "go test",
'GOTESTSUM_JUNITFILE': ENV['GOTESTSUM_JUNITFILE'],
'GOTESTSUM_JSONFILE': ENV['GOTESTSUM_JSONFILE'],
}
sh.inline = <<~SHELL
#!/usr/bin/env bash
source /etc/environment
source /etc/profile.d/sh.local
set -eux -o pipefail
rm -rf /var/lib/containerd-test /run/containerd-test
cd ${GOPATH}/src/github.com/containerd/containerd
go test -v -count=1 -race ./metrics/cgroups
make integration EXTRA_TESTFLAGS="-timeout 15m -no-criu -test.v" TEST_RUNTIME=io.containerd.runc.v2 RUNC_FLAVOR=$RUNC_FLAVOR
SHELL
end
# SELinux is Enforcing by default (via provisioning) in this VM. To re-run with SELinux disabled:
# SELINUX=Disabled vagrant up --provision-with=selinux,test-cri-integration
#
config.vm.provision "test-cri-integration", type: "shell", run: "never" do |sh|
sh.upload_path = "/tmp/test-cri-integration"
sh.env = {
'GOTEST': ENV['GOTEST'] || "go test",
'GOTESTSUM_JUNITFILE': ENV['GOTESTSUM_JUNITFILE'],
'GOTESTSUM_JSONFILE': ENV['GOTESTSUM_JSONFILE'],
'GITHUB_WORKSPACE': '',
'DISABLE_CRI_SANDBOXES': ENV['DISABLE_CRI_SANDBOXES'],
}
sh.inline = <<~SHELL
#!/usr/bin/env bash
source /etc/environment
source /etc/profile.d/sh.local
set -eux -o pipefail
cleanup() {
rm -rf /var/lib/containerd* /run/containerd* /tmp/containerd* /tmp/test* /tmp/failpoint* /tmp/nri*
}
cleanup
cd ${GOPATH}/src/github.com/containerd/containerd
# cri-integration.sh executes containerd from ./bin, not from $PATH .
make BUILDTAGS="seccomp selinux no_btrfs no_devmapper no_zfs" binaries bin/cri-integration.test
chcon -v -t container_runtime_exec_t ./bin/{containerd,containerd-shim*}
CONTAINERD_RUNTIME=io.containerd.runc.v2 ./script/test/cri-integration.sh
cleanup
SHELL
end
# SELinux is Enforcing by default (via provisioning) in this VM. To re-run with SELinux disabled:
# SELINUX=Disabled vagrant up --provision-with=selinux,test-cri
#
config.vm.provision "test-cri", type: "shell", run: "never" do |sh|
sh.upload_path = "/tmp/test-cri"
sh.env = {
'GOTEST': ENV['GOTEST'] || "go test",
'REPORT_DIR': ENV['REPORT_DIR'],
}
sh.inline = <<~SHELL
#!/usr/bin/env bash
source /etc/environment
source /etc/profile.d/sh.local
set -eux -o pipefail
systemctl disable --now containerd || true
rm -rf /var/lib/containerd /run/containerd
function cleanup()
{
journalctl -u containerd > /tmp/containerd.log
cat /tmp/containerd.log
systemctl stop containerd
}
selinux=$(getenforce)
if [[ $selinux == Enforcing ]]; then
setenforce 0
fi
systemctl enable --now ${GOPATH}/src/github.com/containerd/containerd/containerd.service
if [[ $selinux == Enforcing ]]; then
setenforce 1
fi
trap cleanup EXIT
ctr version
critest --parallel=$[$(nproc)+2] --ginkgo.skip='HostIpc is true' --report-dir="${REPORT_DIR}"
SHELL
end
end
Reference in New Issue View Git Blame Copy Permalink