github/containerd
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity
Files
a645ff2e681eb3f513d2d00a2ffeabb865266626
containerd/contrib/Dockerfile.test
Sebastiaan van Stijn 157dff2812 update to go1.20.7, go1.19.12 
Includes a fix for CVE-2023-29409

go1.20.7 (released 2023-08-01) includes a security fix to the crypto/tls
package, as well as bug fixes to the assembler and the compiler. See the
Go 1.20.7 milestone on our issue tracker for details:

- https://github.com/golang/go/issues?q=milestone%3AGo1.20.7+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.20.6...go1.20.7

go1.19.12 (released 2023-08-01) includes a security fix to the crypto/tls
package, as well as bug fixes to the assembler and the compiler. See the
Go 1.19.12 milestone on our issue tracker for details.

- https://github.com/golang/go/issues?q=milestone%3AGo1.19.12+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.19.11...go1.19.12

From the mailing list announcement:

[security] Go 1.20.7 and Go 1.19.12 are released

Hello gophers,

We have just released Go versions 1.20.7 and 1.19.12, minor point releases.

These minor releases include 1 security fixes following the security policy:

- crypto/tls: restrict RSA keys in certificates to <= 8192 bits

  Extremely large RSA keys in certificate chains can cause a client/server
  to expend significant CPU time verifying signatures. Limit this by
  restricting the size of RSA keys transmitted during handshakes to <=
  8192 bits.

  Based on a survey of publicly trusted RSA keys, there are currently only
  three certificates in circulation with keys larger than this, and all
  three appear to be test certificates that are not actively deployed. It
  is possible there are larger keys in use in private PKIs, but we target
  the web PKI, so causing breakage here in the interests of increasing the
  default safety of users of crypto/tls seems reasonable.

  Thanks to Mateusz Poliwczak for reporting this issue.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.20.7

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-01 23:57:32 +02:00

144 lines
6.1 KiB
Docker
Raw Blame History

# This dockerfile is used to test containerd within a container
#
# usage:
# 1.) docker build -t containerd-test -f Dockerfile.test ../
# 2.) docker run -it --privileged -v /tmp:/tmp --tmpfs /var/lib/containerd-test containerd-test bash
# 3.) $ make binaries install test
#
# Use the RUNC_VERSION build-arg to build with a custom version of runc, for example,
# to build runc v1.0.0-rc94, use:
#
# docker build -t containerd-test --build-arg RUNC_VERSION=v1.0.0-rc94 -f Dockerfile.test ../
# ------------------------------------------------------------------------------
# Public stages:
# "integration": for running integration tests:
# docker build -t containerd-test -f Dockerfile.test --target integration ../
# docker run --privileged containerd-test
#
# "cri-integration": for running cri-integration tests:
# docker build -t containerd-test -f Dockerfile.test --target cri-integration ../
# docker run --privileged --sysctl net.ipv6.conf.all.disable_ipv6=0 containerd-test
#
# "critest: for running critest:
# docker build -t containerd-test -f Dockerfile.test --target critest ../
# docker run --privileged --sysctl net.ipv6.conf.all.disable_ipv6=0 containerd-test
#
# "cri-in-userns": for running critest with "CRI-in-UserNS" mode; needs Rootless Docker/Podman/nerdctl:
# docker build -t containerd-test -f Dockerfile.test --target cri-in-userns ../
# docker run --privileged containerd-test
# ------------------------------------------------------------------------------
ARG GOLANG_VERSION=1.20.7
ARG GOLANG_IMAGE=golang
FROM ${GOLANG_IMAGE}:${GOLANG_VERSION} AS golang
# Install runc
FROM golang AS runc
RUN apt-get update && apt-get install -y --no-install-recommends \
libseccomp-dev \
&& rm -rf /var/lib/apt/lists/*
COPY script/setup/runc-version script/setup/install-runc ./
# Allow overriding the version of runc to install through build-args
ARG RUNC_VERSION
ARG GOPROXY=direct
ARG DESTDIR=/build
RUN ./install-runc
FROM golang AS build-env
RUN apt-get update && apt-get install -y --no-install-recommends \
btrfs-progs \
libseccomp-dev \
xfsprogs \
&& rm -rf /var/lib/apt/lists/*
RUN mkdir -p /go/src/github.com/containerd/containerd
WORKDIR /go/src/github.com/containerd/containerd
FROM golang AS cni
ENV DESTDIR=/build
COPY script/setup/install-cni go.mod /
RUN DESTDIR=/build /install-cni
FROM golang AS critools
ARG DESTDIR=/build
COPY script/setup/install-critools script/setup/critools-version ./
RUN GOBIN=$DESTDIR/usr/local/bin ./install-critools
# integration stage is for running integration tests.
FROM build-env AS integration
RUN apt-get update && apt-get install -y --no-install-recommends \
lsof \
&& rm -rf /var/lib/apt/lists/*
COPY --from=runc /build/ /
COPY contrib/Dockerfile.test.d/docker-entrypoint.sh /docker-entrypoint.sh
COPY . .
RUN make BUILDTAGS="no_btrfs no_devmapper" binaries install
VOLUME /tmp
# TestMain wants to unlink /var/lib/containerd-test, so the entire /var/lib has to be volumified.
VOLUME /var/lib
# The entrypoint script is needed for nesting cgroup v2.
ENTRYPOINT ["/docker-entrypoint.sh"]
CMD ["make", "integration"]
# cri-integration stage is for running cri-integration tests.
FROM integration AS cri-integration
RUN apt-get update && apt-get install -y --no-install-recommends \
sudo iptables \
&& rm -rf /var/lib/apt/lists/*
COPY --from=cni /build/ /
COPY --from=critools /build/ /
RUN make BUILDTAGS="no_btrfs no_devmapper" bin/cri-integration.test
# install-failpoint-binaries cannot be easily executed in a substage as it does not support custom DESTDIR.
RUN ./script/setup/install-failpoint-binaries
# The test scripts need these env vars to be explicitly set
ENV GITHUB_WORKSPACE=""
ENV ENABLE_CRI_SANDBOXES=""
ENV CONTAINERD_RUNTIME="io.containerd.runc.v2"
CMD ["make", "cri-integration"]
# critest stage is for running critest.
FROM cri-integration AS critest
# critest wants to create mounts under this directory, so it has to be volumified.
VOLUME /go/src/github.com/containerd/containerd
ENV TEST_RUNTIME="io.containerd.runc.v2"
CMD ["script/critest.sh", "/tmp"]
# cri-in-userns stage is for testing "CRI-in-UserNS", which should be used in conjunction with
# "Kubelet-in-UserNS": https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/2033-kubelet-in-userns-aka-rootless
# This feature is mostly expected to be used for `kind` and `minikube`.
#
# Requires Rootless Docker/Podman/nerdctl with cgroup v2 delegation: https://rootlesscontaine.rs/getting-started/common/cgroup2/
# (Rootless Docker/Podman/nerdctl prepares the UserNS, so we do not need to create UserNS by ourselves)
FROM critest AS cri-in-userns
COPY contrib/Dockerfile.test.d/cri-in-userns/etc_containerd_config.toml /etc/containerd/config.toml
COPY contrib/Dockerfile.test.d/cri-in-userns/docker-entrypoint.sh /docker-entrypoint.sh
ENTRYPOINT ["/docker-entrypoint.sh"]
# Skip "runtime should support unsafe sysctls": `container init caused: write sysctl key fs.mqueue.msg_max: open /proc/sys/fs/mqueue/msg_max: permission denied`
# Skip "runtime should support safe sysctls": `container init caused: write sysctl key kernel.shm_rmid_forced: open /proc/sys/kernel/shm_rmid_forced: permission denied`
# Skip "should allow privilege escalation when (NoNewPrivis is) false": expected log "Effective uid: 0\n" (stream="stdout") not found in logs [{timestamp:{wall:974487519 ext:63761339984 loc:<nil>} stream:stdout log:Effective uid: 1000) }]
CMD ["critest", "--ginkgo.skip=should support unsafe sysctls|should support safe sysctls|should allow privilege escalation when false"]
# Install proto3
FROM golang AS proto3
ARG DESTDIR=/build
RUN apt-get update && apt-get install -y --no-install-recommends \
autoconf \
automake \
g++ \
libtool \
unzip \
&& rm -rf /var/lib/apt/lists/*
COPY script/setup/install-protobuf install-protobuf
RUN ./install-protobuf \
&& mkdir -p $DESTDIR/usr/local/bin $DESTDIR/usr/local/include \
&& mv /usr/local/bin/protoc $DESTDIR/usr/local/bin/protoc \
&& mv /usr/local/include/google $DESTDIR/usr/local/include/google
FROM build-env AS dev
COPY --from=proto3 /build/ /
COPY --from=runc /build/ /
COPY . .
Reference in New Issue View Git Blame Copy Permalink