diff --git a/go.mod b/go.mod index 09390b50c..5383bde7a 100644 --- a/go.mod +++ b/go.mod @@ -17,7 +17,7 @@ require ( github.com/cloudfoundry/gosigar v1.3.2 github.com/containerd/containerd v1.6.19 github.com/containerd/typeurl v1.0.2 - github.com/docker/docker v23.0.0+incompatible + github.com/docker/docker v23.0.1+incompatible github.com/eapache/go-resiliency v1.3.0 github.com/hashicorp/go-multierror v1.1.1 github.com/jessevdk/go-flags v1.5.0 @@ -29,7 +29,7 @@ require ( github.com/opencontainers/go-digest v1.0.0 github.com/opencontainers/image-spec v1.1.0-rc2 github.com/opencontainers/runc v1.1.4 - github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 + github.com/opencontainers/runtime-spec v1.1.0-rc.1 github.com/pkg/errors v0.9.1 github.com/sirupsen/logrus v1.9.0 github.com/spf13/pflag v1.0.5 diff --git a/go.sum b/go.sum index 4255d12fb..af274ddf9 100644 --- a/go.sum +++ b/go.sum @@ -95,8 +95,6 @@ github.com/Microsoft/hcsshim v0.8.20/go.mod h1:+w2gRZ5ReXQhFOrvSQeNfhrYB/dg3oDwT github.com/Microsoft/hcsshim v0.8.21/go.mod h1:+w2gRZ5ReXQhFOrvSQeNfhrYB/dg3oDwTOcER2fw4I4= github.com/Microsoft/hcsshim v0.8.23/go.mod h1:4zegtUJth7lAvFyc6cH2gGQ5B3OFQim01nnU2M8jKDg= github.com/Microsoft/hcsshim v0.9.2/go.mod h1:7pLA8lDk46WKDWlVsENo92gC0XFa8rbKfyFRBqxEbCc= -github.com/Microsoft/hcsshim v0.9.6 h1:VwnDOgLeoi2du6dAznfmspNqTiwczvjv4K7NxuY9jsY= -github.com/Microsoft/hcsshim v0.9.6/go.mod h1:7pLA8lDk46WKDWlVsENo92gC0XFa8rbKfyFRBqxEbCc= github.com/Microsoft/hcsshim v0.9.7 h1:mKNHW/Xvv1aFH87Jb6ERDzXTJTLPlmzfZ28VBFD/bfg= github.com/Microsoft/hcsshim v0.9.7/go.mod h1:7pLA8lDk46WKDWlVsENo92gC0XFa8rbKfyFRBqxEbCc= github.com/Microsoft/hcsshim/test v0.0.0-20201218223536-d3e5debf77da/go.mod h1:5hlzMzRKMLyo42nCZ9oml8AdTlq/0cvIaBv6tK1RehU= 
@@ -225,8 +223,6 @@ github.com/containerd/containerd v1.5.1/go.mod h1:0DOxVqwDy2iZvrZp2JUx/E+hS0UNTV github.com/containerd/containerd v1.5.7/go.mod h1:gyvv6+ugqY25TiXxcZC3L5yOeYgEw0QMhscqVp1AR9c= github.com/containerd/containerd v1.5.8/go.mod h1:YdFSv5bTFLpG2HIYmfqDpSYYTDX+mc5qtSuYx1YUb/s= github.com/containerd/containerd v1.6.1/go.mod h1:1nJz5xCZPusx6jJU8Frfct988y0NpumIq9ODB0kLtoE= -github.com/containerd/containerd v1.6.16 h1:0H5xH6ABsN7XTrxIAKxFpBkFCBtrZ/OSORhCpUnHjrc= -github.com/containerd/containerd v1.6.16/go.mod h1:1RdCUu95+gc2v9t3IL+zIlpClSmew7/0YS8O5eQZrOw= github.com/containerd/containerd v1.6.19 h1:F0qgQPrG0P2JPgwpxWxYavrVeXAG0ezUIB9Z/4FTUAU= github.com/containerd/containerd v1.6.19/go.mod h1:HZCDMn4v/Xl2579/MvtOC2M206i+JJ6VxFWU/NetrGY= github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= 
@@ -759,8 +755,9 @@ github.com/opencontainers/runtime-spec v1.0.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/ github.com/opencontainers/runtime-spec v1.0.2-0.20190207185410-29686dbc5559/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-spec v1.0.2/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-spec v1.0.3-0.20200929063507-e6143ca7d51d/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= -github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 h1:3snG66yBm59tKhhSPQrQ/0bCrv1LQbKt40LnUPiUxdc= github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= +github.com/opencontainers/runtime-spec v1.1.0-rc.1 h1:wHa9jroFfKGQqFHj0I1fMRKLl0pfj+ynAqBxo3v6u9w= +github.com/opencontainers/runtime-spec v1.1.0-rc.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-tools v0.0.0-20181011054405-1d69bd0f9c39/go.mod h1:r3f7wjNzSs2extwzU3Y+6pKfobzPh+kKFJ3ofN+3nfs= github.com/opencontainers/selinux v1.8.2 h1:c4ca10UMgRcvZ6h0K4HtS15UaVSBEaE+iln2LVpAuGc= github.com/opencontainers/selinux v1.8.2/go.mod h1:MUIHuUEvKB1wtJjQdOyYRgOnLD2xAPP8dBsCoU0KuF8= 
@@ -1434,8 +1431,8 @@ gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo= gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw= gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk= -gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0= gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8= +gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= diff --git a/vendor/github.com/Microsoft/hcsshim/internal/hcs/process.go b/vendor/github.com/Microsoft/hcsshim/internal/hcs/process.go index f4605922a..78490d6cd 100644 --- a/vendor/github.com/Microsoft/hcsshim/internal/hcs/process.go +++ b/vendor/github.com/Microsoft/hcsshim/internal/hcs/process.go 
@@ -161,7 +161,39 @@ func (process *Process) Kill(ctx context.Context) (bool, error) {
 return true, nil
 }
 
- resultJSON, err := vmcompute.HcsTerminateProcess(ctx, process.handle)
+ // HCS serializes the signals sent to a target pid per compute system handle.
+ // To avoid SIGKILL being serialized behind other signals, we open a new compute
+ // system handle to deliver the kill signal.
+ // If the calls to opening a new compute system handle fail, we forcefully
+ // terminate the container itself so that no container is left behind
+ hcsSystem, err := OpenComputeSystem(ctx, process.system.id)
+ if err != nil {
+ // log error and force termination of container
+ log.G(ctx).WithField("err", err).Error("OpenComputeSystem() call failed")
+ err = process.system.Terminate(ctx)
+ // if the Terminate() call itself ever failed, log and return error
+ if err != nil {
+ log.G(ctx).WithField("err", err).Error("Terminate() call failed")
+ return false, err
+ }
+ process.system.Close()
+ return true, nil
+ }
+ defer hcsSystem.Close()
+
+ newProcessHandle, err := hcsSystem.OpenProcess(ctx, process.Pid())
+ if err != nil {
+ // Return true only if the target process has either already
+ // exited, or does not exist.
+ if IsAlreadyStopped(err) {
+ return true, nil
+ } else {
+ return false, err
+ }
+ }
+ defer newProcessHandle.Close()
+
+ resultJSON, err := vmcompute.HcsTerminateProcess(ctx, newProcessHandle.handle)
 if err != nil {
 // We still need to check these two cases, as processes may still be killed by an
 // external actor (human operator, OOM, random script etc).
@@ -185,9 +217,9 @@ func (process *Process) Kill(ctx context.Context) (bool, error) { } } events := processHcsResult(ctx, resultJSON) - delivered, err := process.processSignalResult(ctx, err) + delivered, err := newProcessHandle.processSignalResult(ctx, err) if err != nil { - err = makeProcessError(process, operation, err, events) + err = makeProcessError(newProcessHandle, operation, err, events) } process.killSignalDelivered = delivered diff --git a/vendor/github.com/containerd/containerd/Vagrantfile b/vendor/github.com/containerd/containerd/Vagrantfile index 2af802f27..e81bfc2dc 100644 --- a/vendor/github.com/containerd/containerd/Vagrantfile +++ b/vendor/github.com/containerd/containerd/Vagrantfile @@ -93,7 +93,7 @@ EOF config.vm.provision "install-golang", type: "shell", run: "once" do |sh| sh.upload_path = "/tmp/vagrant-install-golang" sh.env = { - 'GO_VERSION': ENV['GO_VERSION'] || "1.18.10", + 'GO_VERSION': ENV['GO_VERSION'] || "1.19.6", } sh.inline = <<~SHELL #!/usr/bin/env bash diff --git a/vendor/github.com/containerd/containerd/api/services/content/v1/content.pb.go b/vendor/github.com/containerd/containerd/api/services/content/v1/content.pb.go index 97c7d4a92..df272237c 100644 --- a/vendor/github.com/containerd/containerd/api/services/content/v1/content.pb.go +++ b/vendor/github.com/containerd/containerd/api/services/content/v1/content.pb.go @@ -299,7 +299,7 @@ type ListContentRequest struct { // filters. Expanded, containers that match the following will be // returned: // - // filters[0] or filters[1] or ... or filters[n-1] or filters[n] + // filters[0] or filters[1] or ... or filters[n-1] or filters[n] // // If filters is zero-length or nil, all items will be returned. Filters []string `protobuf:"bytes,1,rep,name=filters,proto3" json:"filters,omitempty"` diff --git a/vendor/github.com/containerd/containerd/cmd/ctr/commands/run/run.go b/vendor/github.com/containerd/containerd/cmd/ctr/commands/run/run.go index bf0ebfe5c..55cff7ab5 100644 
--- a/vendor/github.com/containerd/containerd/cmd/ctr/commands/run/run.go +++ b/vendor/github.com/containerd/containerd/cmd/ctr/commands/run/run.go @@ -97,7 +97,7 @@ var Command = cli.Command{ Flags: append([]cli.Flag{ cli.BoolFlag{ Name: "rm", - Usage: "remove the container after running", + Usage: "remove the container after running, cannot be used with --detach", }, cli.BoolFlag{ Name: "null-io", @@ -109,7 +109,7 @@ var Command = cli.Command{ }, cli.BoolFlag{ Name: "detach,d", - Usage: "detach from the task after it has started execution", + Usage: "detach from the task after it has started execution, cannot be used with --rm", }, cli.StringFlag{ Name: "fifo-dir", @@ -136,6 +136,7 @@ var Command = cli.Command{ id string ref string + rm = context.Bool("rm") tty = context.Bool("tty") detach = context.Bool("detach") config = context.IsSet("config") @@ -158,6 +159,10 @@ var Command = cli.Command{ if id == "" { return errors.New("container id must be provided") } + if rm && detach { + return errors.New("flags --detach and --rm cannot be specified together") + } + client, ctx, cancel, err := commands.NewClient(context) if err != nil { return err @@ -167,7 +172,7 @@ var Command = cli.Command{ if err != nil { return err } - if context.Bool("rm") && !detach { + if rm && !detach { defer container.Delete(ctx, containerd.WithSnapshotCleanup) } var con console.Console diff --git a/vendor/github.com/containerd/containerd/images/archive/importer.go b/vendor/github.com/containerd/containerd/images/archive/importer.go index 2b9fa4da2..c1c802fb5 100644 --- a/vendor/github.com/containerd/containerd/images/archive/importer.go +++ b/vendor/github.com/containerd/containerd/images/archive/importer.go 
@@ -232,12 +232,14 @@ func ImportIndex(ctx context.Context, store content.Store, reader io.Reader, opt
 return writeManifest(ctx, store, idx, ocispec.MediaTypeImageIndex)
 }
 
+const (
+ kib = 1024
+ mib = 1024 * kib
+ jsonLimit = 20 * mib
+)
+
 func onUntarJSON(r io.Reader, j interface{}) error {
- b, err := io.ReadAll(r)
- if err != nil {
- return err
- }
- return json.Unmarshal(b, j)
+ return json.NewDecoder(io.LimitReader(r, jsonLimit)).Decode(j)
 }
 
 func onUntarBlob(ctx context.Context, r io.Reader, store content.Ingester, size int64, ref string) (digest.Digest, error) {
diff --git a/vendor/github.com/containerd/containerd/oci/spec_opts.go b/vendor/github.com/containerd/containerd/oci/spec_opts.go
index 81c148627..3330ad108 100644
--- a/vendor/github.com/containerd/containerd/oci/spec_opts.go
+++ b/vendor/github.com/containerd/containerd/oci/spec_opts.go
@@ -113,6 +113,17 @@ func setCapabilities(s *Spec) {
 }
 }
 
+// ensureAdditionalGids ensures that the primary GID is also included in the additional GID list.
+func ensureAdditionalGids(s *Spec) {
+ setProcess(s)
+ for _, f := range s.Process.User.AdditionalGids {
+ if f == s.Process.User.GID {
+ return
+ }
+ }
+ s.Process.User.AdditionalGids = append([]uint32{s.Process.User.GID}, s.Process.User.AdditionalGids...)
+}
+
 // WithDefaultSpec returns a SpecOpts that will populate the spec with default
 // values.
 //
@@ -522,7 +533,9 @@ func WithNamespacedCgroup() SpecOpts {
 // user, uid, user:group, uid:gid, uid:group, user:gid
 func WithUser(userstr string) SpecOpts {
 return func(ctx context.Context, client Client, c *containers.Container, s *Spec) error {
+ defer ensureAdditionalGids(s)
 setProcess(s)
+ s.Process.User.AdditionalGids = nil
 
 // For LCOW it's a bit harder to confirm that the user actually exists on the host as a rootfs isn't
 // mounted on the host and shared into the guest, but rather the rootfs is constructed entirely in the
@@ -615,7 +628,9 @@ func WithUser(userstr string) SpecOpts {
 // WithUIDGID allows the UID and GID for the Process to be set
 func WithUIDGID(uid, gid uint32) SpecOpts {
 return func(_ context.Context, _ Client, _ *containers.Container, s *Spec) error {
+ defer ensureAdditionalGids(s)
 setProcess(s)
+ s.Process.User.AdditionalGids = nil
 s.Process.User.UID = uid
 s.Process.User.GID = gid
 return nil
@@ -628,12 +643,11 @@ func WithUIDGID(uid, gid uint32) SpecOpts {
 // additionally sets the gid to 0, and does not return an error.
 func WithUserID(uid uint32) SpecOpts {
 return func(ctx context.Context, client Client, c *containers.Container, s *Spec) (err error) {
+ defer ensureAdditionalGids(s)
 setProcess(s)
- if c.Snapshotter == "" && c.SnapshotKey == "" {
- if !isRootfsAbs(s.Root.Path) {
- return errors.New("rootfs absolute path is required")
- }
- user, err := UserFromPath(s.Root.Path, func(u user.User) bool {
+ s.Process.User.AdditionalGids = nil
+ setUser := func(root string) error {
+ user, err := UserFromPath(root, func(u user.User) bool {
 return u.Uid == int(uid)
 })
 if err != nil {
@@ -645,7 +659,12 @@ func WithUserID(uid uint32) SpecOpts {
 }
 s.Process.User.UID, s.Process.User.GID = uint32(user.Uid), uint32(user.Gid)
 return nil
-
+ }
+ if c.Snapshotter == "" && c.SnapshotKey == "" {
+ if !isRootfsAbs(s.Root.Path) {
+ return errors.New("rootfs absolute path is required")
+ }
+ return setUser(s.Root.Path)
 }
 if c.Snapshotter == "" {
 return errors.New("no snapshotter set for container")
@@ -660,20 +679,7 @@ func WithUserID(uid uint32) SpecOpts {
 }
 
 mounts = tryReadonlyMounts(mounts)
- return mount.WithTempMount(ctx, mounts, func(root string) error {
- user, err := UserFromPath(root, func(u user.User) bool {
- return u.Uid == int(uid)
- })
- if err != nil {
- if os.IsNotExist(err) || err == ErrNoUsersFound {
- s.Process.User.UID, s.Process.User.GID = uid, 0
- return nil
- }
- return err
- }
- s.Process.User.UID, s.Process.User.GID = uint32(user.Uid), uint32(user.Gid)
- return nil
- })
+ return mount.WithTempMount(ctx, mounts, setUser)
 }
 }
 
@@ -685,13 +691,12 @@ func WithUserID(uid uint32) SpecOpts {
 // the container.
 func WithUsername(username string) SpecOpts {
 return func(ctx context.Context, client Client, c *containers.Container, s *Spec) (err error) {
+ defer ensureAdditionalGids(s)
 setProcess(s)
+ s.Process.User.AdditionalGids = nil
 if s.Linux != nil {
- if c.Snapshotter == "" && c.SnapshotKey == "" {
- if !isRootfsAbs(s.Root.Path) {
- return errors.New("rootfs absolute path is required")
- }
- user, err := UserFromPath(s.Root.Path, func(u user.User) bool {
+ setUser := func(root string) error {
+ user, err := UserFromPath(root, func(u user.User) bool {
 return u.Name == username
 })
 if err != nil {
@@ -700,6 +705,12 @@ func WithUsername(username string) SpecOpts {
 s.Process.User.UID, s.Process.User.GID = uint32(user.Uid), uint32(user.Gid)
 return nil
 }
+ if c.Snapshotter == "" && c.SnapshotKey == "" {
+ if !isRootfsAbs(s.Root.Path) {
+ return errors.New("rootfs absolute path is required")
+ }
+ return setUser(s.Root.Path)
+ }
 if c.Snapshotter == "" {
 return errors.New("no snapshotter set for container")
 }
@@ -713,16 +724,7 @@ func WithUsername(username string) SpecOpts {
 }
 
 mounts = tryReadonlyMounts(mounts)
- return mount.WithTempMount(ctx, mounts, func(root string) error {
- user, err := UserFromPath(root, func(u user.User) bool {
- return u.Name == username
- })
- if err != nil {
- return err
- }
- s.Process.User.UID, s.Process.User.GID = uint32(user.Uid), uint32(user.Gid)
- return nil
- })
+ return mount.WithTempMount(ctx, mounts, setUser)
 } else if s.Windows != nil {
 s.Process.User.Username = username
 } else {
@@ -733,7 +735,7 @@ func WithUsername(username string) SpecOpts {
 }
 
 // WithAdditionalGIDs sets the OCI spec's additionalGids array to any additional groups listed
-// for a particular user in the /etc/groups file of the image's root filesystem
+// for a particular user in the /etc/group file of the image's root filesystem
 // The passed in user can be either a uid or a username.
 func WithAdditionalGIDs(userstr string) SpecOpts {
 return func(ctx context.Context, client Client, c *containers.Container, s *Spec) (err error) {
@@ -742,7 +744,9 @@ func WithAdditionalGIDs(userstr string) SpecOpts {
 return nil
 }
 setProcess(s)
+ s.Process.User.AdditionalGids = nil
 setAdditionalGids := func(root string) error {
+ defer ensureAdditionalGids(s)
 var username string
 uid, err := strconv.Atoi(userstr)
 if err == nil {
@@ -803,6 +807,68 @@ func WithAdditionalGIDs(userstr string) SpecOpts {
 }
 }
 
+// WithAppendAdditionalGroups append additional groups within the container.
+// The passed in groups can be either a gid or a groupname.
+func WithAppendAdditionalGroups(groups ...string) SpecOpts {
+ return func(ctx context.Context, client Client, c *containers.Container, s *Spec) (err error) {
+ // For LCOW or on Darwin additional GID's are not supported
+ if s.Windows != nil || runtime.GOOS == "darwin" {
+ return nil
+ }
+ setProcess(s)
+ setAdditionalGids := func(root string) error {
+ defer ensureAdditionalGids(s)
+ gpath, err := fs.RootPath(root, "/etc/group")
+ if err != nil {
+ return err
+ }
+ ugroups, err := user.ParseGroupFile(gpath)
+ if err != nil {
+ return err
+ }
+ groupMap := make(map[string]user.Group)
+ for _, group := range ugroups {
+ groupMap[group.Name] = group
+ }
+ var gids []uint32
+ for _, group := range groups {
+ gid, err := strconv.ParseUint(group, 10, 32)
+ if err == nil {
+ gids = append(gids, uint32(gid))
+ } else {
+ g, ok := groupMap[group]
+ if !ok {
+ return fmt.Errorf("unable to find group %s", group)
+ }
+ gids = append(gids, uint32(g.Gid))
+ }
+ }
+ s.Process.User.AdditionalGids = append(s.Process.User.AdditionalGids, gids...)
+ return nil
+ }
+ if c.Snapshotter == "" && c.SnapshotKey == "" {
+ if !filepath.IsAbs(s.Root.Path) {
+ return errors.New("rootfs absolute path is required")
+ }
+ return setAdditionalGids(s.Root.Path)
+ }
+ if c.Snapshotter == "" {
+ return errors.New("no snapshotter set for container")
+ }
+ if c.SnapshotKey == "" {
+ return errors.New("rootfs snapshot not created for container")
+ }
+ snapshotter := client.SnapshotService(c.Snapshotter)
+ mounts, err := snapshotter.Mounts(ctx, c.SnapshotKey)
+ if err != nil {
+ return err
+ }
+
+ mounts = tryReadonlyMounts(mounts)
+ return mount.WithTempMount(ctx, mounts, setAdditionalGids)
+ }
+}
+
 // WithCapabilities sets Linux capabilities on the process
 func WithCapabilities(caps []string) SpecOpts {
 return func(_ context.Context, _ Client, _ *containers.Container, s *Spec) error {
@@ -907,7 +973,7 @@ func UserFromPath(root string, filter func(user.User) bool) (user.User, error) {
 // ErrNoGroupsFound can be returned from GIDFromPath
 var ErrNoGroupsFound = errors.New("no groups found")
 
-// GIDFromPath inspects the GID using /etc/passwd in the specified rootfs.
+// GIDFromPath inspects the GID using /etc/group in the specified rootfs.
 // filter can be nil.
 func GIDFromPath(root string, filter func(user.Group) bool) (gid uint32, err error) {
 gpath, err := fs.RootPath(root, "/etc/group")
diff --git a/vendor/github.com/containerd/containerd/pkg/apparmor/apparmor.go b/vendor/github.com/containerd/containerd/pkg/apparmor/apparmor.go
index ef64e5af6..293f8ba49 100644
--- a/vendor/github.com/containerd/containerd/pkg/apparmor/apparmor.go
+++ b/vendor/github.com/containerd/containerd/pkg/apparmor/apparmor.go
@@ -16,13 +16,13 @@
 
 package apparmor
 
-// HostSupports returns true if apparmor is enabled for the host, // On non-Linux returns false
-// On Linux returns true if apparmor_parser is enabled, and if we
+// HostSupports returns true if apparmor is enabled for the host:
+// - On Linux returns true if apparmor is enabled, apparmor_parser is
+// present, and if we are not running docker-in-docker.
+// - On non-Linux returns false.
 //
-// are not running docker-in-docker.
-//
-// It is a modified version of libcontainer/apparmor.IsEnabled(), which does not
-// check for apparmor_parser to be present, or if we're running docker-in-docker.
+// This is derived from libcontainer/apparmor.IsEnabled(), with the addition
+// of checks for apparmor_parser to be present and docker-in-docker.
 func HostSupports() bool {
 return hostSupports()
 }
diff --git a/vendor/github.com/containerd/containerd/pkg/apparmor/apparmor_linux.go b/vendor/github.com/containerd/containerd/pkg/apparmor/apparmor_linux.go
index ab54df8ea..c96de6a26 100644
--- a/vendor/github.com/containerd/containerd/pkg/apparmor/apparmor_linux.go
+++ b/vendor/github.com/containerd/containerd/pkg/apparmor/apparmor_linux.go
@@ -29,14 +29,16 @@ var (
 // hostSupports returns true if apparmor is enabled for the host, if
 // apparmor_parser is enabled, and if we are not running docker-in-docker.
 //
-// It is a modified version of libcontainer/apparmor.IsEnabled(), which does not
-// check for apparmor_parser to be present, or if we're running docker-in-docker.
+// This is derived from libcontainer/apparmor.IsEnabled(), with the addition
+// of checks for apparmor_parser to be present and docker-in-docker.
 func hostSupports() bool {
 checkAppArmor.Do(func() {
 // see https://github.com/opencontainers/runc/blob/0d49470392206f40eaab3b2190a57fe7bb3df458/libcontainer/apparmor/apparmor_linux.go
 if _, err := os.Stat("/sys/kernel/security/apparmor"); err == nil && os.Getenv("container") == "" {
- buf, err := os.ReadFile("/sys/module/apparmor/parameters/enabled")
- appArmorSupported = err == nil && len(buf) > 1 && buf[0] == 'Y'
+ if _, err = os.Stat("/sbin/apparmor_parser"); err == nil {
+ buf, err := os.ReadFile("/sys/module/apparmor/parameters/enabled")
+ appArmorSupported = err == nil && len(buf) > 1 && buf[0] == 'Y'
+ }
 }
 })
 return appArmorSupported
diff --git a/vendor/github.com/containerd/containerd/pkg/cri/server/cni_conf_syncer.go b/vendor/github.com/containerd/containerd/pkg/cri/server/cni_conf_syncer.go
index 2d3940056..60fe1e140 100644
--- a/vendor/github.com/containerd/containerd/pkg/cri/server/cni_conf_syncer.go
+++ b/vendor/github.com/containerd/containerd/pkg/cri/server/cni_conf_syncer.go
@@ -19,6 +19,7 @@ package server
 import (
 "fmt"
 "os"
+ "path/filepath"
 "sync"
 
 cni "github.com/containerd/go-cni"
@@ -46,6 +47,13 @@ func newCNINetConfSyncer(confDir string, netPlugin cni.CNI, loadOpts []cni.Opt)
 return nil, fmt.Errorf("failed to create fsnotify watcher: %w", err)
 }
 
+ // /etc/cni has to be readable for non-root users (0755), because /etc/cni/tuning/allowlist.conf is used for rootless mode too.
+ // This file was introduced in CNI plugins 1.2.0 (https://github.com/containernetworking/plugins/pull/693), and its path is hard-coded.
+ confDirParent := filepath.Dir(confDir)
+ if err := os.MkdirAll(confDirParent, 0755); err != nil {
+ return nil, fmt.Errorf("failed to create the parent of the cni conf dir=%s: %w", confDirParent, err)
+ }
+
 if err := os.MkdirAll(confDir, 0700); err != nil {
 return nil, fmt.Errorf("failed to create cni conf dir=%s for watch: %w", confDir, err)
 }
diff --git a/vendor/github.com/containerd/containerd/pkg/cri/server/container_create_linux.go b/vendor/github.com/containerd/containerd/pkg/cri/server/container_create_linux.go
index c9851b175..cbdbdcc51 100644
--- a/vendor/github.com/containerd/containerd/pkg/cri/server/container_create_linux.go
+++ b/vendor/github.com/containerd/containerd/pkg/cri/server/container_create_linux.go
@@ -348,7 +348,8 @@ func (c *criService) containerSpecOpts(config *runtime.ContainerConfig, imageCon
 // Because it is still useful to get additional gids for uid 0.
 userstr = strconv.FormatInt(securityContext.GetRunAsUser().GetValue(), 10)
 }
- specOpts = append(specOpts, customopts.WithAdditionalGIDs(userstr))
+ specOpts = append(specOpts, customopts.WithAdditionalGIDs(userstr),
+ customopts.WithSupplementalGroups(securityContext.GetSupplementalGroups()))
 
 asp := securityContext.GetApparmor()
 if asp == nil {
diff --git a/vendor/github.com/containerd/containerd/pkg/cri/server/image_pull.go b/vendor/github.com/containerd/containerd/pkg/cri/server/image_pull.go
index 7e6fd23bd..0519bc579 100644
--- a/vendor/github.com/containerd/containerd/pkg/cri/server/image_pull.go
+++ b/vendor/github.com/containerd/containerd/pkg/cri/server/image_pull.go
@@ -32,8 +32,8 @@ import (
 "github.com/containerd/containerd"
 "github.com/containerd/containerd/errdefs"
 containerdimages "github.com/containerd/containerd/images"
- "github.com/containerd/containerd/labels"
 "github.com/containerd/containerd/log"
+ snpkg "github.com/containerd/containerd/pkg/snapshotters"
 distribution "github.com/containerd/containerd/reference/docker"
 "github.com/containerd/containerd/remotes/docker"
 "github.com/containerd/containerd/remotes/docker/config"
@@ -129,7 +129,7 @@ func (c *criService) PullImage(ctx context.Context, r *runtime.PullImageRequest)
 pullOpts = append(pullOpts, c.encryptedImagesPullOpts()...)
 if !c.config.ContainerdConfig.DisableSnapshotAnnotations {
 pullOpts = append(pullOpts,
- containerd.WithImageHandlerWrapper(appendInfoHandlerWrapper(ref)))
+ containerd.WithImageHandlerWrapper(snpkg.AppendInfoHandlerWrapper(ref)))
 }
 
 if c.config.ContainerdConfig.DiscardUnpackedLayers {
@@ -495,73 +495,3 @@ func (c *criService) encryptedImagesPullOpts() []containerd.RemoteOpt {
 }
 return nil
 }
-
-const (
- // targetRefLabel is a label which contains image reference and will be passed
- // to snapshotters.
- targetRefLabel = "containerd.io/snapshot/cri.image-ref"
- // targetManifestDigestLabel is a label which contains manifest digest and will be passed
- // to snapshotters.
- targetManifestDigestLabel = "containerd.io/snapshot/cri.manifest-digest"
- // targetLayerDigestLabel is a label which contains layer digest and will be passed
- // to snapshotters.
- targetLayerDigestLabel = "containerd.io/snapshot/cri.layer-digest"
- // targetImageLayersLabel is a label which contains layer digests contained in
- // the target image and will be passed to snapshotters for preparing layers in
- // parallel. Skipping some layers is allowed and only affects performance.
- targetImageLayersLabel = "containerd.io/snapshot/cri.image-layers"
-)
-
-// appendInfoHandlerWrapper makes a handler which appends some basic information
-// of images like digests for manifest and their child layers as annotations during unpack.
-// These annotations will be passed to snapshotters as labels. These labels will be
-// used mainly by stargz-based snapshotters for querying image contents from the
-// registry.
-func appendInfoHandlerWrapper(ref string) func(f containerdimages.Handler) containerdimages.Handler {
- return func(f containerdimages.Handler) containerdimages.Handler {
- return containerdimages.HandlerFunc(func(ctx context.Context, desc imagespec.Descriptor) ([]imagespec.Descriptor, error) {
- children, err := f.Handle(ctx, desc)
- if err != nil {
- return nil, err
- }
- switch desc.MediaType {
- case imagespec.MediaTypeImageManifest, containerdimages.MediaTypeDockerSchema2Manifest:
- for i := range children {
- c := &children[i]
- if containerdimages.IsLayerType(c.MediaType) {
- if c.Annotations == nil {
- c.Annotations = make(map[string]string)
- }
- c.Annotations[targetRefLabel] = ref
- c.Annotations[targetLayerDigestLabel] = c.Digest.String()
- c.Annotations[targetImageLayersLabel] = getLayers(ctx, targetImageLayersLabel, children[i:], labels.Validate)
- c.Annotations[targetManifestDigestLabel] = desc.Digest.String()
- }
- }
- }
- return children, nil
- })
- }
-}
-
-// getLayers returns comma-separated digests based on the passed list of
-// descriptors. The returned list contains as many digests as possible as well
-// as meets the label validation.
-func getLayers(ctx context.Context, key string, descs []imagespec.Descriptor, validate func(k, v string) error) (layers string) {
- var item string
- for _, l := range descs {
- if containerdimages.IsLayerType(l.MediaType) {
- item = l.Digest.String()
- if layers != "" {
- item = "," + item
- }
- // This avoids the label hits the size limitation.
- if err := validate(key, layers+item); err != nil {
- log.G(ctx).WithError(err).WithField("label", key).Debugf("%q is omitted in the layers list", l.Digest.String())
- break
- }
- layers += item
- }
- }
- return
-}
diff --git a/vendor/github.com/containerd/containerd/pkg/cri/server/metrics.go b/vendor/github.com/containerd/containerd/pkg/cri/server/metrics.go
index 9712bb112..0e285fe20 100644
--- a/vendor/github.com/containerd/containerd/pkg/cri/server/metrics.go
+++ b/vendor/github.com/containerd/containerd/pkg/cri/server/metrics.go
@@ -34,6 +34,10 @@ var (
 containerCreateTimer metrics.LabeledTimer
 containerStopTimer metrics.LabeledTimer
 containerStartTimer metrics.LabeledTimer
+
+ networkPluginOperations metrics.LabeledCounter
+ networkPluginOperationsErrors metrics.LabeledCounter
+ networkPluginOperationsLatency metrics.LabeledTimer
 )
 
 func init() {
@@ -54,5 +58,17 @@ func init() {
 containerStopTimer = ns.NewLabeledTimer("container_stop", "time to stop a container", "runtime")
 containerStartTimer = ns.NewLabeledTimer("container_start", "time to start a container", "runtime")
 
+ networkPluginOperations = ns.NewLabeledCounter("network_plugin_operations_total", "cumulative number of network plugin operations by operation type", "operation_type")
+ networkPluginOperationsErrors = ns.NewLabeledCounter("network_plugin_operations_errors_total", "cumulative number of network plugin operations by operation type", "operation_type")
+ networkPluginOperationsLatency = ns.NewLabeledTimer("network_plugin_operations_duration_seconds", "latency in seconds of network plugin operations. Broken down by operation type", "operation_type")
+
 metrics.Register(ns)
 }
+
+// for backwards compatibility with kubelet/dockershim metrics
+// https://github.com/containerd/containerd/issues/7801
+const (
+ networkStatusOp = "get_pod_network_status"
+ networkSetUpOp = "set_up_pod"
+ networkTearDownOp = "tear_down_pod"
+)
diff --git a/vendor/github.com/containerd/containerd/pkg/cri/server/sandbox_run.go b/vendor/github.com/containerd/containerd/pkg/cri/server/sandbox_run.go
index 082344022..5f19ffb62 100644
--- a/vendor/github.com/containerd/containerd/pkg/cri/server/sandbox_run.go
+++ b/vendor/github.com/containerd/containerd/pkg/cri/server/sandbox_run.go
@@ -444,8 +444,12 @@ func (c *criService) setupPodNetwork(ctx context.Context, sandbox *sandboxstore.
 return fmt.Errorf("get cni namespace options: %w", err)
 }
 log.G(ctx).WithField("podsandboxid", id).Debugf("begin cni setup")
+ netStart := time.Now()
 result, err := netPlugin.Setup(ctx, id, path, opts...)
+ networkPluginOperations.WithValues(networkSetUpOp).Inc()
+ networkPluginOperationsLatency.WithValues(networkSetUpOp).UpdateSince(netStart)
 if err != nil {
+ networkPluginOperationsErrors.WithValues(networkSetUpOp).Inc()
 return err
 }
 logDebugCNIResult(ctx, id, result)
diff --git a/vendor/github.com/containerd/containerd/pkg/cri/server/sandbox_stop.go b/vendor/github.com/containerd/containerd/pkg/cri/server/sandbox_stop.go
index a32316310..f2d4e6b84 100644
--- a/vendor/github.com/containerd/containerd/pkg/cri/server/sandbox_stop.go
+++ b/vendor/github.com/containerd/containerd/pkg/cri/server/sandbox_stop.go
@@ -185,7 +185,15 @@ func (c *criService) teardownPodNetwork(ctx context.Context, sandbox sandboxstor
 return fmt.Errorf("get cni namespace options: %w", err)
 }
 
- return netPlugin.Remove(ctx, id, path, opts...)
+ netStart := time.Now()
+ err = netPlugin.Remove(ctx, id, path, opts...)
+ networkPluginOperations.WithValues(networkTearDownOp).Inc()
+ networkPluginOperationsLatency.WithValues(networkTearDownOp).UpdateSince(netStart)
+ if err != nil {
+ networkPluginOperationsErrors.WithValues(networkTearDownOp).Inc()
+ return err
+ }
+ return nil
 }
 
 // cleanupUnknownSandbox cleanup stopped sandbox in unknown state.
diff --git a/vendor/github.com/containerd/containerd/pkg/cri/server/update_runtime_config.go b/vendor/github.com/containerd/containerd/pkg/cri/server/update_runtime_config.go
index 3cf0b5529..ad991c674 100644
--- a/vendor/github.com/containerd/containerd/pkg/cri/server/update_runtime_config.go
+++ b/vendor/github.com/containerd/containerd/pkg/cri/server/update_runtime_config.go
@@ -23,6 +23,7 @@ import (
  "path/filepath"
  "strings"
  "text/template"
+ "time"
 
  "github.com/containerd/containerd/log"
  "golang.org/x/net/context"
@@ -74,10 +75,17 @@ func (c *criService) UpdateRuntimeConfig(ctx context.Context, r *runtime.UpdateR
  log.G(ctx).Infof("Network plugin is ready, skip generating cni config from template %q", confTemplate)
  return &runtime.UpdateRuntimeConfigResponse{}, nil
  }
- if err := netPlugin.Status(); err == nil {
+
+ netStart := time.Now()
+ err = netPlugin.Status()
+ networkPluginOperations.WithValues(networkStatusOp).Inc()
+ networkPluginOperationsLatency.WithValues(networkStatusOp).UpdateSince(netStart)
+ if err == nil {
  log.G(ctx).Infof("Network plugin is ready, skip generating cni config from template %q", confTemplate)
  return &runtime.UpdateRuntimeConfigResponse{}, nil
- } else if err := netPlugin.Load(c.cniLoadOptions()...); err == nil {
+ }
+ networkPluginOperationsErrors.WithValues(networkStatusOp).Inc()
+ if err := netPlugin.Load(c.cniLoadOptions()...); err == nil {
  log.G(ctx).Infof("CNI config is successfully loaded, skip generating cni config from template %q", confTemplate)
  return &runtime.UpdateRuntimeConfigResponse{}, nil
  }
diff --git a/vendor/github.com/containerd/containerd/pkg/snapshotters/annotations.go b/vendor/github.com/containerd/containerd/pkg/snapshotters/annotations.go
new file mode 100644
index 000000000..c7ad97c15
--- /dev/null
+++ b/vendor/github.com/containerd/containerd/pkg/snapshotters/annotations.go
@@ -0,0 +1,97 @@
+/*
+ Copyright The containerd Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+*/
+
+package snapshotters
+
+import (
+ "context"
+
+ "github.com/containerd/containerd/images"
+ "github.com/containerd/containerd/labels"
+ "github.com/containerd/containerd/log"
+ ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+// NOTE: The following labels contain "cri" prefix but they are not specific to CRI and
+// can be used by non-CRI clients as well for enabling remote snapshotters. We need to
+// retain that string for keeping compatibility with snapshotter implementations.
+const (
+ // TargetRefLabel is a label which contains image reference and will be passed
+ // to snapshotters.
+ TargetRefLabel = "containerd.io/snapshot/cri.image-ref"
+ // TargetManifestDigestLabel is a label which contains manifest digest and will be passed
+ // to snapshotters.
+ TargetManifestDigestLabel = "containerd.io/snapshot/cri.manifest-digest"
+ // TargetLayerDigestLabel is a label which contains layer digest and will be passed
+ // to snapshotters.
+ TargetLayerDigestLabel = "containerd.io/snapshot/cri.layer-digest"
+ // TargetImageLayersLabel is a label which contains layer digests contained in
+ // the target image and will be passed to snapshotters for preparing layers in
+ // parallel. Skipping some layers is allowed and only affects performance.
+ TargetImageLayersLabel = "containerd.io/snapshot/cri.image-layers"
+)
+
+// AppendInfoHandlerWrapper makes a handler which appends some basic information
+// of images like digests for manifest and their child layers as annotations during unpack.
+// These annotations will be passed to snapshotters as labels. These labels will be
+// used mainly by remote snapshotters for querying image contents from the remote location.
+func AppendInfoHandlerWrapper(ref string) func(f images.Handler) images.Handler {
+ return func(f images.Handler) images.Handler {
+ return images.HandlerFunc(func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) {
+ children, err := f.Handle(ctx, desc)
+ if err != nil {
+ return nil, err
+ }
+ switch desc.MediaType {
+ case ocispec.MediaTypeImageManifest, images.MediaTypeDockerSchema2Manifest:
+ for i := range children {
+ c := &children[i]
+ if images.IsLayerType(c.MediaType) {
+ if c.Annotations == nil {
+ c.Annotations = make(map[string]string)
+ }
+ c.Annotations[TargetRefLabel] = ref
+ c.Annotations[TargetLayerDigestLabel] = c.Digest.String()
+ c.Annotations[TargetImageLayersLabel] = getLayers(ctx, TargetImageLayersLabel, children[i:], labels.Validate)
+ c.Annotations[TargetManifestDigestLabel] = desc.Digest.String()
+ }
+ }
+ }
+ return children, nil
+ })
+ }
+}
+
+// getLayers returns comma-separated digests based on the passed list of
+// descriptors. The returned list contains as many digests as possible as well
+// as meets the label validation.
+func getLayers(ctx context.Context, key string, descs []ocispec.Descriptor, validate func(k, v string) error) (layers string) {
+ for _, l := range descs {
+ if images.IsLayerType(l.MediaType) {
+ item := l.Digest.String()
+ if layers != "" {
+ item = "," + item
+ }
+ // This avoids the label hits the size limitation.
+ if err := validate(key, layers+item); err != nil {
+ log.G(ctx).WithError(err).WithField("label", key).WithField("digest", l.Digest.String()).Debug("omitting digest in the layers list")
+ break
+ }
+ layers += item
+ }
+ }
+ return
+}
diff --git a/vendor/github.com/containerd/containerd/platforms/defaults_windows.go b/vendor/github.com/containerd/containerd/platforms/defaults_windows.go
index c1aaf72ca..ff9771a60 100644
--- a/vendor/github.com/containerd/containerd/platforms/defaults_windows.go
+++ b/vendor/github.com/containerd/containerd/platforms/defaults_windows.go
@@ -46,10 +46,14 @@ type matchComparer struct {
 
 // Match matches platform with the same windows major, minor
 // and build version.
-func (m matchComparer) Match(p imagespec.Platform) bool {
- if m.defaults.Match(p) {
- // TODO(windows): Figure out whether OSVersion is deprecated.
- return strings.HasPrefix(p.OSVersion, m.osVersionPrefix)
+func (m matchComparer) Match(p specs.Platform) bool {
+ match := m.defaults.Match(p)
+
+ if match && p.OS == "windows" {
+ if strings.HasPrefix(p.OSVersion, m.osVersionPrefix) {
+ return true
+ }
+ return p.OSVersion == ""
  }
  return false
 }
diff --git a/vendor/github.com/containerd/containerd/remotes/docker/config/config_unix.go b/vendor/github.com/containerd/containerd/remotes/docker/config/config_unix.go
index 092b82a87..6967f680d 100644
--- a/vendor/github.com/containerd/containerd/remotes/docker/config/config_unix.go
+++ b/vendor/github.com/containerd/containerd/remotes/docker/config/config_unix.go
@@ -24,16 +24,18 @@ import (
  "path/filepath"
 )
 
-func hostPaths(root, host string) []string {
+func hostPaths(root, host string) (hosts []string) {
  ch := hostDirectory(host)
- if ch == host {
- return []string{filepath.Join(root, host)}
+ if ch != host {
+ hosts = append(hosts, filepath.Join(root, ch))
  }
- return []string{
- filepath.Join(root, ch),
+ hosts = append(hosts,
  filepath.Join(root, host),
- }
+ filepath.Join(root, "_default"),
+ )
+
+ return
 }
 
 func rootSystemPool() (*x509.CertPool, error) {
diff --git a/vendor/github.com/containerd/containerd/remotes/docker/config/config_windows.go b/vendor/github.com/containerd/containerd/remotes/docker/config/config_windows.go
index 4a9d3361e..4697728b9 100644
--- a/vendor/github.com/containerd/containerd/remotes/docker/config/config_windows.go
+++ b/vendor/github.com/containerd/containerd/remotes/docker/config/config_windows.go
@@ -22,16 +22,18 @@ import (
  "strings"
 )
 
-func hostPaths(root, host string) []string {
+func hostPaths(root, host string) (hosts []string) {
  ch := hostDirectory(host)
- if ch == host {
- return []string{filepath.Join(root, host)}
+ if ch != host {
+ hosts = append(hosts, filepath.Join(root, strings.Replace(ch, ":", "", -1)))
  }
- return []string{
- filepath.Join(root, strings.Replace(ch, ":", "", -1)),
+ hosts = append(hosts,
  filepath.Join(root, strings.Replace(host, ":", "", -1)),
- }
+ filepath.Join(root, "_default"),
+ )
+
+ return
 }
 
 func rootSystemPool() (*x509.CertPool, error) {
diff --git a/vendor/github.com/containerd/containerd/snapshots/devmapper/pool_device.go b/vendor/github.com/containerd/containerd/snapshots/devmapper/pool_device.go
index 1bf742944..dc8120b20 100644
--- a/vendor/github.com/containerd/containerd/snapshots/devmapper/pool_device.go
+++ b/vendor/github.com/containerd/containerd/snapshots/devmapper/pool_device.go
@@ -89,6 +89,15 @@ func NewPoolDevice(ctx context.Context, config *Config) (*PoolDevice, error) {
  return poolDevice, nil
 }
 
+func skipRetry(err error) bool {
+ if err == nil {
+ return true // skip retry if no error
+ } else if !errors.Is(err, unix.EBUSY) {
+ return true // skip retry if error is not due to device or resource busy
+ }
+ return false
+}
+
 func retry(ctx context.Context, f func() error) error {
  var (
  maxRetries = 100
@@ -98,9 +107,8 @@ func retry(ctx context.Context, f func() error) error {
 
  for attempt := 1; attempt <= maxRetries; attempt++ {
  retryErr = f()
- if retryErr == nil {
- return nil
- } else if retryErr != unix.EBUSY {
+
+ if skipRetry(retryErr) {
  return retryErr
  }
 
diff --git a/vendor/github.com/containerd/containerd/version/version.go b/vendor/github.com/containerd/containerd/version/version.go
index ee6b711c7..6bc3ed178 100644
--- a/vendor/github.com/containerd/containerd/version/version.go
+++ b/vendor/github.com/containerd/containerd/version/version.go
@@ -23,7 +23,7 @@ var (
  Package = "github.com/containerd/containerd"
 
  // Version holds the complete version number. Filled in at linking time.
- Version = "1.6.16+unknown"
+ Version = "1.6.19+unknown"
 
  // Revision is filled with the VCS (e.g. git) revision being used to build
  // the program at linking time.
diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
index 6a7a91e55..5b4f691c7 100644
--- a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
+++ b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
@@ -12,10 +12,12 @@ type Spec struct {
  Root *Root `json:"root,omitempty"`
  // Hostname configures the container's hostname.
  Hostname string `json:"hostname,omitempty"`
+ // Domainname configures the container's domainname.
+ Domainname string `json:"domainname,omitempty"`
  // Mounts configures additional mounts (on top of Root).
  Mounts []Mount `json:"mounts,omitempty"`
  // Hooks configures callbacks for container lifecycle events.
- Hooks *Hooks `json:"hooks,omitempty" platform:"linux,solaris"`
+ Hooks *Hooks `json:"hooks,omitempty" platform:"linux,solaris,zos"`
  // Annotations contains arbitrary metadata for the container.
  Annotations map[string]string `json:"annotations,omitempty"`
 
@@ -27,6 +29,8 @@ type Spec struct {
  Windows *Windows `json:"windows,omitempty" platform:"windows"`
  // VM specifies configuration for virtual-machine-based containers.
  VM *VM `json:"vm,omitempty" platform:"vm"`
+ // ZOS is platform-specific configuration for z/OS based containers.
+ ZOS *ZOS `json:"zos,omitempty" platform:"zos"`
 }
 
 // Process contains information to start a specific application inside the container.
@@ -49,7 +53,7 @@ type Process struct {
  // Capabilities are Linux capabilities that are kept for the process.
  Capabilities *LinuxCapabilities `json:"capabilities,omitempty" platform:"linux"`
  // Rlimits specifies rlimit options to apply to the process.
- Rlimits []POSIXRlimit `json:"rlimits,omitempty" platform:"linux,solaris"`
+ Rlimits []POSIXRlimit `json:"rlimits,omitempty" platform:"linux,solaris,zos"`
  // NoNewPrivileges controls whether additional privileges could be gained by processes in the container.
  NoNewPrivileges bool `json:"noNewPrivileges,omitempty" platform:"linux"`
  // ApparmorProfile specifies the apparmor profile for the container.
@@ -86,11 +90,11 @@ type Box struct {
 // User specifies specific user (and group) information for the container process.
 type User struct {
  // UID is the user id.
- UID uint32 `json:"uid" platform:"linux,solaris"`
+ UID uint32 `json:"uid" platform:"linux,solaris,zos"`
  // GID is the group id.
- GID uint32 `json:"gid" platform:"linux,solaris"`
+ GID uint32 `json:"gid" platform:"linux,solaris,zos"`
  // Umask is the umask for the init process.
- Umask *uint32 `json:"umask,omitempty" platform:"linux,solaris"`
+ Umask *uint32 `json:"umask,omitempty" platform:"linux,solaris,zos"`
  // AdditionalGids are additional group ids set for the container's process.
  AdditionalGids []uint32 `json:"additionalGids,omitempty" platform:"linux,solaris"`
  // Username is the user name.
@@ -110,11 +114,16 @@ type Mount struct {
  // Destination is the absolute path where the mount will be placed in the container.
  Destination string `json:"destination"`
  // Type specifies the mount kind.
- Type string `json:"type,omitempty" platform:"linux,solaris"`
+ Type string `json:"type,omitempty" platform:"linux,solaris,zos"`
  // Source specifies the source path of the mount.
  Source string `json:"source,omitempty"`
  // Options are fstab style mount options.
  Options []string `json:"options,omitempty"`
+
+ // UID/GID mappings used for changing file owners w/o calling chown, fs should support it.
+ // Every mount point could have its own mapping.
+ UIDMappings []LinuxIDMapping `json:"uidMappings,omitempty" platform:"linux"`
+ GIDMappings []LinuxIDMapping `json:"gidMappings,omitempty" platform:"linux"`
 }
 
 // Hook specifies a command that is run at a particular event in the lifecycle of a container
@@ -178,7 +187,7 @@ type Linux struct {
  // MountLabel specifies the selinux context for the mounts in the container.
  MountLabel string `json:"mountLabel,omitempty"`
  // IntelRdt contains Intel Resource Director Technology (RDT) information for
- // handling resource constraints (e.g., L3 cache, memory bandwidth) for the container
+ // handling resource constraints and monitoring metrics (e.g., L3 cache, memory bandwidth) for the container
  IntelRdt *LinuxIntelRdt `json:"intelRdt,omitempty"`
  // Personality contains configuration for the Linux personality syscall
  Personality *LinuxPersonality `json:"personality,omitempty"`
@@ -250,8 +259,8 @@ type LinuxInterfacePriority struct {
  Priority uint32 `json:"priority"`
 }
 
-// linuxBlockIODevice holds major:minor format supported in blkio cgroup
-type linuxBlockIODevice struct {
+// LinuxBlockIODevice holds major:minor format supported in blkio cgroup
+type LinuxBlockIODevice struct {
  // Major is the device's major number.
  Major int64 `json:"major"`
  // Minor is the device's minor number.
@@ -260,7 +269,7 @@ type linuxBlockIODevice struct {
 
 // LinuxWeightDevice struct holds a `major:minor weight` pair for weightDevice
 type LinuxWeightDevice struct {
- linuxBlockIODevice
+ LinuxBlockIODevice
  // Weight is the bandwidth rate for the device.
  Weight *uint16 `json:"weight,omitempty"`
  // LeafWeight is the bandwidth rate for the device while competing with the cgroup's child cgroups, CFQ scheduler only
@@ -269,7 +278,7 @@ type LinuxWeightDevice struct {
 
 // LinuxThrottleDevice struct holds a `major:minor rate_per_second` pair
 type LinuxThrottleDevice struct {
- linuxBlockIODevice
+ LinuxBlockIODevice
  // Rate is the IO rate limit per cgroup per device
  Rate uint64 `json:"rate"`
 }
@@ -310,6 +319,10 @@ type LinuxMemory struct {
  DisableOOMKiller *bool `json:"disableOOMKiller,omitempty"`
  // Enables hierarchical memory accounting
  UseHierarchy *bool `json:"useHierarchy,omitempty"`
+ // CheckBeforeUpdate enables checking if a new memory limit is lower
+ // than the current usage during update, and if so, rejecting the new
+ // limit.
+ CheckBeforeUpdate *bool `json:"checkBeforeUpdate,omitempty"`
 }
 
 // LinuxCPU for Linux cgroup 'cpu' resource management
@@ -318,6 +331,9 @@ type LinuxCPU struct {
  Shares *uint64 `json:"shares,omitempty"`
  // CPU hardcap limit (in usecs). Allowed cpu time in a given period.
  Quota *int64 `json:"quota,omitempty"`
+ // CPU hardcap burst limit (in usecs). Allowed accumulated cpu time additionally for burst in a
+ // given period.
+ Burst *uint64 `json:"burst,omitempty"`
  // CPU period to be used for hardcapping (in usecs).
  Period *uint64 `json:"period,omitempty"`
  // How much time realtime scheduling may use (in usecs).
@@ -328,6 +344,8 @@ type LinuxCPU struct {
  Cpus string `json:"cpus,omitempty"`
  // List of memory nodes in the cpuset. Default is to use any available memory node.
  Mems string `json:"mems,omitempty"`
+ // cgroups are configured with minimum weight, 0: default behavior, 1: SCHED_IDLE.
+ Idle *int64 `json:"idle,omitempty"`
 }
 
 // LinuxPids for Linux cgroup 'pids' resource management (Linux 4.3)
@@ -522,11 +540,21 @@ type WindowsMemoryResources struct {
 
 // WindowsCPUResources contains CPU resource management settings.
 type WindowsCPUResources struct {
- // Number of CPUs available to the container.
+ // Count is the number of CPUs available to the container. It represents the
+ // fraction of the configured processor `count` in a container in relation
+ // to the processors available in the host. The fraction ultimately
+ // determines the portion of processor cycles that the threads in a
+ // container can use during each scheduling interval, as the number of
+ // cycles per 10,000 cycles.
  Count *uint64 `json:"count,omitempty"`
- // CPU shares (relative weight to other containers with cpu shares).
+ // Shares limits the share of processor time given to the container relative
+ // to other workloads on the processor. The processor `shares` (`weight` at
+ // the platform level) is a value between 0 and 10000.
  Shares *uint16 `json:"shares,omitempty"`
- // Specifies the portion of processor cycles that this container can use as a percentage times 100.
+ // Maximum determines the portion of processor cycles that the threads in a
+ // container can use during each scheduling interval, as the number of
+ // cycles per 10,000 cycles. Set processor `maximum` to a percentage times
+ // 100.
  Maximum *uint16 `json:"maximum,omitempty"`
 }
 
@@ -613,6 +641,23 @@ type Arch string
 // LinuxSeccompFlag is a flag to pass to seccomp(2).
 type LinuxSeccompFlag string
 
+const (
+ // LinuxSeccompFlagLog is a seccomp flag to request all returned
+ // actions except SECCOMP_RET_ALLOW to be logged. An administrator may
+ // override this filter flag by preventing specific actions from being
+ // logged via the /proc/sys/kernel/seccomp/actions_logged file. (since
+ // Linux 4.14)
+ LinuxSeccompFlagLog LinuxSeccompFlag = "SECCOMP_FILTER_FLAG_LOG"
+
+ // LinuxSeccompFlagSpecAllow can be used to disable Speculative Store
+ // Bypass mitigation. (since Linux 4.17)
+ LinuxSeccompFlagSpecAllow LinuxSeccompFlag = "SECCOMP_FILTER_FLAG_SPEC_ALLOW"
+
+ // LinuxSeccompFlagWaitKillableRecv can be used to switch to the wait
+ // killable semantics. (since Linux 5.19)
+ LinuxSeccompFlagWaitKillableRecv LinuxSeccompFlag = "SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV"
+)
+
 // Additional architectures permitted to be used for system calls
 // By default only the native architecture of the kernel is permitted
 const (
@@ -683,8 +728,9 @@ type LinuxSyscall struct {
  Args []LinuxSeccompArg `json:"args,omitempty"`
 }
 
-// LinuxIntelRdt has container runtime resource constraints for Intel RDT
-// CAT and MBA features which introduced in Linux 4.10 and 4.12 kernel
+// LinuxIntelRdt has container runtime resource constraints for Intel RDT CAT and MBA
+// features and flags enabling Intel RDT CMT and MBM features.
+// Intel RDT features are available in Linux 4.14 and newer kernel versions.
 type LinuxIntelRdt struct {
  // The identity for RDT Class of Service
  ClosID string `json:"closID,omitempty"`
@@ -697,4 +743,36 @@ type LinuxIntelRdt struct {
  // The unit of memory bandwidth is specified in "percentages" by
  // default, and in "MBps" if MBA Software Controller is enabled.
  MemBwSchema string `json:"memBwSchema,omitempty"`
+
+ // EnableCMT is the flag to indicate if the Intel RDT CMT is enabled. CMT (Cache Monitoring Technology) supports monitoring of
+ // the last-level cache (LLC) occupancy for the container.
+ EnableCMT bool `json:"enableCMT,omitempty"`
+
+ // EnableMBM is the flag to indicate if the Intel RDT MBM is enabled. MBM (Memory Bandwidth Monitoring) supports monitoring of
+ // total and local memory bandwidth for the container.
+ EnableMBM bool `json:"enableMBM,omitempty"`
+}
+
+// ZOS contains platform-specific configuration for z/OS based containers.
+type ZOS struct {
+ // Devices are a list of device nodes that are created for the container
+ Devices []ZOSDevice `json:"devices,omitempty"`
+}
+
+// ZOSDevice represents the mknod information for a z/OS special device file
+type ZOSDevice struct {
+ // Path to the device.
+ Path string `json:"path"`
+ // Device type, block, char, etc.
+ Type string `json:"type"`
+ // Major is the device's major number.
+ Major int64 `json:"major"`
+ // Minor is the device's minor number.
+ Minor int64 `json:"minor"`
+ // FileMode permission bits for the device.
+ FileMode *os.FileMode `json:"fileMode,omitempty"`
+ // UID of the device.
+ UID *uint32 `json:"uid,omitempty"`
+ // Gid of the device.
+ GID *uint32 `json:"gid,omitempty"`
 }
diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/version.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/version.go
index 596af0c2f..8ae4227b9 100644
--- a/vendor/github.com/opencontainers/runtime-spec/specs-go/version.go
+++ b/vendor/github.com/opencontainers/runtime-spec/specs-go/version.go
@@ -6,12 +6,12 @@ const (
  // VersionMajor is for an API incompatible changes
  VersionMajor = 1
  // VersionMinor is for functionality in a backwards-compatible manner
- VersionMinor = 0
+ VersionMinor = 1
  // VersionPatch is for backwards-compatible bug fixes
- VersionPatch = 2
+ VersionPatch = 0
 
  // VersionDev indicates development branch. Releases will be empty string.
- VersionDev = "-dev"
+ VersionDev = "-rc.1"
 )
 
 // Version is the specification version that the package types support.
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 988f7f07d..a44bab0ac 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -56,7 +56,7 @@ github.com/Microsoft/go-winio/pkg/fs
 github.com/Microsoft/go-winio/pkg/guid
 github.com/Microsoft/go-winio/pkg/security
 github.com/Microsoft/go-winio/vhd
-# github.com/Microsoft/hcsshim v0.9.6
+# github.com/Microsoft/hcsshim v0.9.7
 ## explicit; go 1.13
 github.com/Microsoft/hcsshim
 github.com/Microsoft/hcsshim/cmd/containerd-shim-runhcs-v1/options
@@ -161,7 +161,7 @@ github.com/containerd/cgroups/v2/stats
 # github.com/containerd/console v1.0.3
 ## explicit; go 1.13
 github.com/containerd/console
-# github.com/containerd/containerd v1.6.16
+# github.com/containerd/containerd v1.6.19
 ## explicit; go 1.17
 github.com/containerd/containerd
 github.com/containerd/containerd/api/events
@@ -288,6 +288,7 @@ github.com/containerd/containerd/pkg/seccomp
 github.com/containerd/containerd/pkg/seed
 github.com/containerd/containerd/pkg/seutil
 github.com/containerd/containerd/pkg/shutdown
+github.com/containerd/containerd/pkg/snapshotters
 github.com/containerd/containerd/pkg/stdio
 github.com/containerd/containerd/pkg/timeout
 github.com/containerd/containerd/pkg/ttrpcutil
@@ -440,7 +441,7 @@ github.com/cyphar/filepath-securejoin
 # github.com/davecgh/go-spew v1.1.1
 ## explicit
 github.com/davecgh/go-spew/spew
-# github.com/docker/docker v23.0.0+incompatible => github.com/docker/docker v20.10.13+incompatible
+# github.com/docker/docker v23.0.1+incompatible => github.com/docker/docker v20.10.13+incompatible
 ## explicit
 github.com/docker/docker/pkg/reexec
 # github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c
@@ -681,7 +682,7 @@ github.com/opencontainers/runc/libcontainer/system
 github.com/opencontainers/runc/libcontainer/user
 github.com/opencontainers/runc/libcontainer/userns
 github.com/opencontainers/runc/libcontainer/utils
-# github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
+# github.com/opencontainers/runtime-spec v1.1.0-rc.1
 ## explicit
 github.com/opencontainers/runtime-spec/specs-go
 # github.com/opencontainers/selinux v1.10.1 => github.com/opencontainers/selinux v1.8.2