diff --git a/cluster-autoscaler/go.mod b/cluster-autoscaler/go.mod index b354b627871f..2ca8dd3d15a2 100644 --- a/cluster-autoscaler/go.mod +++ b/cluster-autoscaler/go.mod @@ -26,23 +26,23 @@ require ( github.com/spf13/pflag v1.0.5 github.com/stretchr/testify v1.8.0 golang.org/x/crypto v0.0.0-20220926161630-eccd6366d1be - golang.org/x/net v0.7.0 + golang.org/x/net v0.8.0 golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 google.golang.org/api v0.46.0 google.golang.org/grpc v1.42.0 google.golang.org/protobuf v1.27.1 gopkg.in/gcfg.v1 v1.2.0 gopkg.in/yaml.v2 v2.4.0 - k8s.io/api v0.24.12 - k8s.io/apimachinery v0.24.12 - k8s.io/apiserver v0.24.12 - k8s.io/client-go v0.24.12 - k8s.io/cloud-provider v0.24.12 - k8s.io/component-base v0.24.12 - k8s.io/component-helpers v0.24.12 + k8s.io/api v0.24.14 + k8s.io/apimachinery v0.24.14 + k8s.io/apiserver v0.24.14 + k8s.io/client-go v0.24.14 + k8s.io/cloud-provider v0.24.14 + k8s.io/component-base v0.24.14 + k8s.io/component-helpers v0.24.14 k8s.io/klog/v2 v2.60.1 k8s.io/kubelet v0.23.5 - k8s.io/kubernetes v1.24.12 + k8s.io/kubernetes v1.24.14 k8s.io/legacy-cloud-providers v0.0.0 k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 sigs.k8s.io/cloud-provider-azure v1.23.11 @@ -129,7 +129,7 @@ require ( github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect github.com/opencontainers/go-digest v1.0.0 // indirect - github.com/opencontainers/runc v1.1.1 // indirect + github.com/opencontainers/runc v1.1.6 // indirect github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 // indirect github.com/opencontainers/selinux v1.10.0 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect @@ -138,7 +138,7 @@ require ( github.com/prometheus/procfs v0.7.3 // indirect github.com/quobyte/api v0.1.8 // indirect github.com/rubiojr/go-vhd v0.0.0-20200706105327-02e210299021 // indirect - github.com/seccomp/libseccomp-golang v0.9.2-0.20210429002308-3879420cc921 // indirect + github.com/seccomp/libseccomp-golang v0.9.2-0.20220502022130-f33da4d89646 // indirect github.com/sirupsen/logrus v1.8.1 // indirect github.com/spf13/cobra v1.4.0 // indirect github.com/storageos/go-api v2.2.0+incompatible // indirect @@ -165,10 +165,10 @@ require ( go.uber.org/atomic v1.7.0 // indirect go.uber.org/multierr v1.6.0 // indirect go.uber.org/zap v1.19.0 // indirect - golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 // indirect - golang.org/x/sys v0.5.0 // indirect - golang.org/x/term v0.5.0 // indirect - golang.org/x/text v0.7.0 // indirect + golang.org/x/sync v0.1.0 // indirect + golang.org/x/sys v0.6.0 // indirect + golang.org/x/term v0.6.0 // indirect + golang.org/x/text v0.8.0 // indirect golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect google.golang.org/appengine v1.6.7 // indirect @@ -178,13 +178,13 @@ require ( gopkg.in/warnings.v0 v0.1.1 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect k8s.io/cri-api v0.0.0 // indirect - k8s.io/csi-translation-lib v0.24.12 // indirect + k8s.io/csi-translation-lib v0.24.14 // indirect k8s.io/kube-openapi v0.0.0-20220328201542-3ee0da9b0b42 // indirect k8s.io/kube-proxy v0.0.0 // indirect k8s.io/kube-scheduler v0.0.0 // indirect k8s.io/kubectl v0.0.0 // indirect - k8s.io/mount-utils v0.24.12 // indirect - sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.35 // indirect + k8s.io/mount-utils v0.24.14 // indirect + sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.37 // indirect sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect sigs.k8s.io/yaml v1.3.0 // indirect @@ -196,56 +196,56 @@ replace github.com/digitalocean/godo => github.com/digitalocean/godo v1.27.0 replace github.com/rancher/go-rancher => github.com/rancher/go-rancher v0.1.0 -replace k8s.io/api => k8s.io/api v0.24.12 +replace k8s.io/api => k8s.io/api v0.24.14 -replace k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.24.12 +replace k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.24.14 -replace k8s.io/apimachinery => k8s.io/apimachinery v0.24.12 +replace k8s.io/apimachinery => k8s.io/apimachinery v0.24.14 -replace k8s.io/apiserver => k8s.io/apiserver v0.24.12 +replace k8s.io/apiserver => k8s.io/apiserver v0.24.14 -replace k8s.io/cli-runtime => k8s.io/cli-runtime v0.24.12 +replace k8s.io/cli-runtime => k8s.io/cli-runtime v0.24.14 -replace k8s.io/client-go => k8s.io/client-go v0.24.12 +replace k8s.io/client-go => k8s.io/client-go v0.24.14 -replace k8s.io/cloud-provider => k8s.io/cloud-provider v0.24.12 +replace k8s.io/cloud-provider => k8s.io/cloud-provider v0.24.14 -replace k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.24.12 +replace k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.24.14 -replace k8s.io/code-generator => k8s.io/code-generator v0.24.12 +replace k8s.io/code-generator => k8s.io/code-generator v0.24.14 -replace k8s.io/component-base => k8s.io/component-base v0.24.12 +replace k8s.io/component-base => k8s.io/component-base v0.24.14 -replace k8s.io/component-helpers => k8s.io/component-helpers v0.24.12 +replace k8s.io/component-helpers => k8s.io/component-helpers v0.24.14 -replace k8s.io/controller-manager => k8s.io/controller-manager v0.24.12 +replace k8s.io/controller-manager => k8s.io/controller-manager v0.24.14 -replace k8s.io/cri-api => k8s.io/cri-api v0.24.12 +replace k8s.io/cri-api => k8s.io/cri-api v0.24.14 -replace k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.24.12 +replace k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.24.14 -replace k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.24.12 +replace k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.24.14 -replace k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.24.12 +replace k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.24.14 -replace k8s.io/kube-proxy => k8s.io/kube-proxy v0.24.12 +replace k8s.io/kube-proxy => k8s.io/kube-proxy v0.24.14 -replace k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.24.12 +replace k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.24.14 -replace k8s.io/kubectl => k8s.io/kubectl v0.24.12 +replace k8s.io/kubectl => k8s.io/kubectl v0.24.14 -replace k8s.io/kubelet => k8s.io/kubelet v0.24.12 +replace k8s.io/kubelet => k8s.io/kubelet v0.24.14 -replace k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.24.12 +replace k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.24.14 -replace k8s.io/metrics => k8s.io/metrics v0.24.12 +replace k8s.io/metrics => k8s.io/metrics v0.24.14 -replace k8s.io/mount-utils => k8s.io/mount-utils v0.24.12 +replace k8s.io/mount-utils => k8s.io/mount-utils v0.24.14 -replace k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.24.12 +replace k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.24.14 -replace k8s.io/sample-cli-plugin => k8s.io/sample-cli-plugin v0.24.12 +replace k8s.io/sample-cli-plugin => k8s.io/sample-cli-plugin v0.24.14 -replace k8s.io/sample-controller => k8s.io/sample-controller v0.24.12 +replace k8s.io/sample-controller => k8s.io/sample-controller v0.24.14 -replace k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.24.12 +replace k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.24.14 diff --git a/cluster-autoscaler/go.sum b/cluster-autoscaler/go.sum index 0077b840bd2c..b9a2a3e99319 100644 --- a/cluster-autoscaler/go.sum +++ b/cluster-autoscaler/go.sum @@ -481,8 +481,8 @@ github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3I github.com/opencontainers/image-spec v1.0.2 h1:9yCKha/T5XdGtO0q9Q9a6T5NUCsTn/DrBg0D7ufOcFM= github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= github.com/opencontainers/runc v1.1.0/go.mod h1:Tj1hFw6eFWp/o33uxGf5yF2BX5yz2Z6iptFpuvbbKqc= -github.com/opencontainers/runc v1.1.1 h1:PJ9DSs2sVwE0iVr++pAHE6QkS9tzcVWozlPifdwMgrU= -github.com/opencontainers/runc v1.1.1/go.mod h1:Tj1hFw6eFWp/o33uxGf5yF2BX5yz2Z6iptFpuvbbKqc= +github.com/opencontainers/runc v1.1.6 h1:XbhB8IfG/EsnhNvZtNdLB0GBw92GYEFvKlhaJk9jUgA= +github.com/opencontainers/runc v1.1.6/go.mod h1:CbUumNnWCuTGFukNXahoo/RFBZvDAgRh/smNYNOhA50= github.com/opencontainers/runtime-spec v1.0.2/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-spec v1.0.3-0.20200929063507-e6143ca7d51d/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 h1:3snG66yBm59tKhhSPQrQ/0bCrv1LQbKt40LnUPiUxdc= @@ -535,8 +535,9 @@ github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQD github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/satori/go.uuid v1.2.0 h1:0uYX9dsZ2yD7q2RtLRtPSdGDWzjeM3TbMJP9utgA0ww= github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= -github.com/seccomp/libseccomp-golang v0.9.2-0.20210429002308-3879420cc921 h1:58EBmR2dMNL2n/FnbQewK3D14nXr0V9CObDSvMJLq+Y= github.com/seccomp/libseccomp-golang v0.9.2-0.20210429002308-3879420cc921/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg= +github.com/seccomp/libseccomp-golang v0.9.2-0.20220502022130-f33da4d89646 h1:RpforrEYXWkmGwJHIGnLZ3tTWStkjVVstwzNGqxX2Ds= +github.com/seccomp/libseccomp-golang v0.9.2-0.20220502022130-f33da4d89646/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg= github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q= @@ -747,8 +748,8 @@ golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96b golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g= -golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.8.0 h1:Zrh2ngAOFYneWTAIAPethzeaQLuHwhuBkuV6ZiRnUaQ= +golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -776,8 +777,8 @@ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 h1:uVc8UZUe6tr40fFVnUP5Oj+veunVezqYl9z7DYw9xzw= -golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o= +golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= @@ -843,11 +844,11 @@ golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU= -golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.6.0 h1:MVltZSvRTcU2ljQOhs94SXPftV6DCNnZViHeQps87pQ= +golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.5.0 h1:n2a8QNdAb0sZNpU9R1ALUXBbY+w51fCQDN+7EdxNBsY= -golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= +golang.org/x/term v0.6.0 h1:clScbb1cHjoCkyRbWwBEUZ5H/tIFu5TAXIqaZD0Gcjw= +golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= @@ -856,8 +857,8 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo= -golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.8.0 h1:57P1ETyNKtuIjB4SRd15iJxuhj8Gc416Y78H3qgMh68= +golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= @@ -1083,24 +1084,24 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -k8s.io/api v0.24.12 h1:Ksw4BtqjN8IZaUMLsLCZsget/RfBgHXYmahscAqobd8= -k8s.io/api v0.24.12/go.mod h1:hR/v44Wm3fe/pLCaPpREMZ55ZJB/sX8ROv9HpiuKAxM= -k8s.io/apimachinery v0.24.12 h1:S6jCrT+2FWhG9aGl6jue+7rywlRO8f+XpkhmlQ8aV5I= -k8s.io/apimachinery v0.24.12/go.mod h1:Yg8GIoNnVG9af59MrlKMm4Unsw3EBj+MfEBvfSid2/4= -k8s.io/apiserver v0.24.12 h1:rraKkjlx8HQ1PPM2jLtY0MQJMn4eMFKnFlt148ReEhg= -k8s.io/apiserver v0.24.12/go.mod h1:YcGUZmuwQ0GqtEO0ovM0BReQ4jQ7hj6U6G+9dkR+LT8= -k8s.io/client-go v0.24.12 h1:i38g1SL83zs4CBCY9vQqtBfx+evsghBoBGz5u6lwtKs= -k8s.io/client-go v0.24.12/go.mod h1:yY5hsSExZV2ZWwBANP/eBhB3SorSf0nkADD7/KYgPmU= -k8s.io/cloud-provider v0.24.12 h1:nvvMBBHEv+pMgx+mdXryfcrXxJZaOMxRYjqF6bAKOBc= -k8s.io/cloud-provider v0.24.12/go.mod h1:5Wdc7lCGn6ofNhyfFhi5DfeXSCDaFXvTPQgAvjzcGd0= -k8s.io/component-base v0.24.12 h1:+q1myd+LJv5xEMyG8KrwromIcLYkk8DGMwBJbCcCXSA= -k8s.io/component-base v0.24.12/go.mod h1:vfKpKKTm3iXonv1zwUeLj8/fNZXfK2jfgzDMU8zfars= -k8s.io/component-helpers v0.24.12 h1:16o0RUM34j6QkOFLU87kbyaMP+Fit+PzG2iRsJ9Azt8= -k8s.io/component-helpers v0.24.12/go.mod h1:oBT9p6Dd0lIW7CGQNHiDfUveWEECXTVFzwmYHg4PVyg= -k8s.io/cri-api v0.24.12 h1:KD7cOKGNGScbwQK5cLpy7Hdoo0B+pUOK3+vCsowbnSE= -k8s.io/cri-api v0.24.12/go.mod h1:mVwfZC0ML/MrtJOPTS4koasKFj22ctIc7kqBzZcOz1I= -k8s.io/csi-translation-lib v0.24.12 h1:3hGTHvE+Jul49lvDK4zriQFTWg36J5OjnXb326B2sik= -k8s.io/csi-translation-lib v0.24.12/go.mod h1:ZCC6ME+45EHSiot+/dIFJV06xvcbxWviM/7UZClUcas= +k8s.io/api v0.24.14 h1:plWo5FZi1VJ7XC2NEeKyGS946e252vijDlqxeiN0cBk= +k8s.io/api v0.24.14/go.mod h1:dmyjYMJoi/FOIyH1RwYpgskcrl1RRmqsBfDVbB9VpqQ= +k8s.io/apimachinery v0.24.14 h1:i7GrBju4O0onF1+jqXXPVmfXWilplxWYkTNU6G/h6Cs= +k8s.io/apimachinery v0.24.14/go.mod h1:Yyft+DTAvOmHyT332HkCMoTKroxYDEEx7NRLsdCYDoc= +k8s.io/apiserver v0.24.14 h1:fy7L74G4KxBbUUhZv2N15CGjKpbl5yv/matCAHSRA80= +k8s.io/apiserver v0.24.14/go.mod h1:bFaqCBfsExCsXQRm0sSUcF9jkUO/3R6xTjlOjpPl3bc= +k8s.io/client-go v0.24.14 h1:vwnWSAPLNN+IHi8yt08Q8InP71JXG5ix8YrBE32OOZU= +k8s.io/client-go v0.24.14/go.mod h1:/loTxPCTlfIOw1qAgzj7lGyFfXiHBPVWet+NB/+e2ho= +k8s.io/cloud-provider v0.24.14 h1:FBTXIPQnGRVE3DdWORW2YWF2BJmg3yhbL6jYFsCJcO4= +k8s.io/cloud-provider v0.24.14/go.mod h1:8uh/T9Zzv7nYACeXVjmY4Vx6L2tzIkVz8SWzHvITQSw= +k8s.io/component-base v0.24.14 h1:wKMSPRV1Ud8FByaOA6sE63iSEoOn299PjXAQel+6dEg= +k8s.io/component-base v0.24.14/go.mod h1:fvCLkVgILslt0LrXaPRyZal9A+uxs8FdMZb33IkSenA= +k8s.io/component-helpers v0.24.14 h1:jXg4/ofiWlFggqKcgBKpHQ1YX8ubxzVUMFCNcC0Kc2k= +k8s.io/component-helpers v0.24.14/go.mod h1:ZK0c7aqPZiSIj2svaKSIsmEHT08iN3ng4q5eLIDxRSg= +k8s.io/cri-api v0.24.14 h1:9MhQ4yMTIhCOVOnCUrELkojNA038y7vl0rL7y7aiMoM= +k8s.io/cri-api v0.24.14/go.mod h1:/KjYFI3BwY8/ytCQa0+Hla8FyGpDps88N45g4jet5I4= +k8s.io/csi-translation-lib v0.24.14 h1:x/faOe7qS/f50P4FybXtz7SpXEHmCQUhNXKafFpylZk= +k8s.io/csi-translation-lib v0.24.14/go.mod h1:rRXUQMsO9cQZFGujAi7HN0Y/gy7mjJQvj8lp9F8qhJU= k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= @@ -1109,20 +1110,20 @@ k8s.io/klog/v2 v2.60.1 h1:VW25q3bZx9uE3vvdL6M8ezOX79vA2Aq1nEWLqNQclHc= k8s.io/klog/v2 v2.60.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/kube-openapi v0.0.0-20220328201542-3ee0da9b0b42 h1:Gii5eqf+GmIEwGNKQYQClCayuJCe2/4fZUvF7VG99sU= k8s.io/kube-openapi v0.0.0-20220328201542-3ee0da9b0b42/go.mod h1:Z/45zLw8lUo4wdiUkI+v/ImEGAvu3WatcZl3lPMR4Rk= -k8s.io/kube-proxy v0.24.12 h1:3ZHDz5dFsUyxpXgCNlMd7VOuSKdHgC7UIJyz7mh5TFM= -k8s.io/kube-proxy v0.24.12/go.mod h1:Epw2pnFlbMOkFxCN8kp2Wc2ZrAsgVfrpvrY6VOeBNS0= -k8s.io/kube-scheduler v0.24.12 h1:tqurv2mhg6304r4WgCHboI20i7jkg0iVngGUwenfC58= -k8s.io/kube-scheduler v0.24.12/go.mod h1:BN95Ci4ZULGmUO5YZB0NbW6J7qfuoouMb7tJ5xZr/Yo= -k8s.io/kubectl v0.24.12 h1:K80S7L+pOyGQfQBdsr+arH33a5cdfufCqOnIv/jLYQU= -k8s.io/kubectl v0.24.12/go.mod h1:e0nhakMQ9X7X+m0tHj1ubrU7zFY/e0R294yM24F2fOU= -k8s.io/kubelet v0.24.12 h1:ZwkjH9/QzILvd1Efs4enqOO5xdun/+4RVpBMnorxi8A= -k8s.io/kubelet v0.24.12/go.mod h1:pTeTScSdSfFMOfx8qApY80Z0NADIrT9mut6mhO0np58= -k8s.io/kubernetes v1.24.12 h1:C+kv8hXZxNR8A4lj61fKAeTMt6BtSlOl0EmGNKPU9hI= -k8s.io/kubernetes v1.24.12/go.mod h1:hjTcy0pW9P0ZkwTZHiN0cxEx5GttFFXw0X9ZMOh5PBU= -k8s.io/legacy-cloud-providers v0.24.12 h1:gP+16dPB9H7i2Kj2dNN6q+3EkY6r6i0IRkALypSVinQ= -k8s.io/legacy-cloud-providers v0.24.12/go.mod h1:sJT9jgLyIYyas7vGB8eKoeKmcckDY8lNTcepOnN3CDg= -k8s.io/mount-utils v0.24.12 h1:BXzNLR/BRnQ+8CFQyveSOW0RAlFJogmkCuTVORMKgYI= -k8s.io/mount-utils v0.24.12/go.mod h1:Xjtb0dquC5PG63kOD8shViqRczdkdQqW5Pc/rlmbsiU= +k8s.io/kube-proxy v0.24.14 h1:Ipuldu5ejxJJ+eRxOD+IqdwA2N9W12543jx6ur4DHgI= +k8s.io/kube-proxy v0.24.14/go.mod h1:dHPRrJ29MIoVdQJ+a4Di8C1jcm5nDtfgj0olGVF9xIA= +k8s.io/kube-scheduler v0.24.14 h1:hhJCrMfkdcSuouYwGOMZMyIl9VCVvcEjPcZU7JV+hiA= +k8s.io/kube-scheduler v0.24.14/go.mod h1:bkXm+7TomicEW3TbWGq4FVtUyKFMTMBT+ued6hML2Ho= +k8s.io/kubectl v0.24.14 h1:DGeNx2p/6N2Y86D7rPpMb36pvU9lPbsXWm18BiqJhOc= +k8s.io/kubectl v0.24.14/go.mod h1:Vy0BsawMuqDcvXIHGyotE5dskH9inejjMH6C5UApFBQ= +k8s.io/kubelet v0.24.14 h1:3Eh3HtywWmHzc7F3IUHWhCs933RdfomsIJu8BOTQLQQ= +k8s.io/kubelet v0.24.14/go.mod h1:azAPTMEmOZW+TREIMHKVeYT0W6swjSUpd5cvYLBoqVM= +k8s.io/kubernetes v1.24.14 h1:GgPqHpXKf1ECOG5XqTPJA/gwJ6zpJupD4I8gmon+AhQ= +k8s.io/kubernetes v1.24.14/go.mod h1:QrcYLfTDAGt5RKsRCVHMBAL3g7NWhe6vFR5pIg9CB9g= +k8s.io/legacy-cloud-providers v0.24.14 h1:koQbst7p56TmI+EHfM/S399X3QbfnibBKL+fNC5B0u8= +k8s.io/legacy-cloud-providers v0.24.14/go.mod h1:WkerwN9eXHRF0FvChA8ln90Lg32dCqkEH9a2JVpCEPQ= +k8s.io/mount-utils v0.24.14 h1:xCRzj6rVD57avo0KiN+dP1g01YoqZ8t150c8W65mnnw= +k8s.io/mount-utils v0.24.14/go.mod h1:Xjtb0dquC5PG63kOD8shViqRczdkdQqW5Pc/rlmbsiU= k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20211116205334-6203023598ed/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 h1:HNSDgDCrr/6Ly3WEGKZftiE7IY19Vz2GdbOCyI4qqhc= @@ -1130,8 +1131,8 @@ k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9/go.mod h1:jPW/WVKK9YHAvNhRxK0md/ rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= -sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.35 h1:+xBL5uTc+BkPBwmMi3vYfUJjq+N3K+H6PXeETwf5cPI= -sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.35/go.mod h1:WxjusMwXlKzfAs4p9km6XJRndVt2FROgMVCE4cdohFo= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.37 h1:fAPTNEpzQMOLMGwOHNbUkR2xXTQwMJOZYNx+/mLlOh0= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.37/go.mod h1:vfnxT4FXNT8eGvO+xi/DsyC/qHmdujqwrUa1WSspCsk= sigs.k8s.io/cloud-provider-azure v1.23.11 h1:qyK1Sc765r6SDnSHjYxYf+iSP/XKIpus4pW7Z36g2Wk= sigs.k8s.io/cloud-provider-azure v1.23.11/go.mod h1:erGu3WmmGrDhGeW2NZw7H0zBaFKqgK70FwMzruxLN64= sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 h1:kDi4JBNAsJWfz1aEXhO8Jg87JJaPNLh5tIzYHgStQ9Y= diff --git a/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/README.md b/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/README.md index 0d91fb71d54d..211c8c91e055 100644 --- a/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/README.md +++ b/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/README.md @@ -96,22 +96,6 @@ config := &configs.Config{ "CAP_KILL", "CAP_AUDIT_WRITE", }, - Inheritable: []string{ - "CAP_CHOWN", - "CAP_DAC_OVERRIDE", - "CAP_FSETID", - "CAP_FOWNER", - "CAP_MKNOD", - "CAP_NET_RAW", - "CAP_SETGID", - "CAP_SETUID", - "CAP_SETFCAP", - "CAP_SETPCAP", - "CAP_NET_BIND_SERVICE", - "CAP_SYS_CHROOT", - "CAP_KILL", - "CAP_AUDIT_WRITE", - }, Permitted: []string{ "CAP_CHOWN", "CAP_DAC_OVERRIDE", diff --git a/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/cgroups/ebpf/ebpf_linux.go b/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/cgroups/ebpf/ebpf_linux.go index 104c74a890f8..35b00aaf0552 100644 --- a/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/cgroups/ebpf/ebpf_linux.go +++ b/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/cgroups/ebpf/ebpf_linux.go @@ -93,7 +93,7 @@ var ( ) // Loosely based on the BPF_F_REPLACE support check in -// . +// https://github.com/cilium/ebpf/blob/v0.6.0/link/syscalls.go. // // TODO: move this logic to cilium/ebpf func haveBpfProgReplace() bool { diff --git a/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/fs.go b/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/fs.go index fb4fcc7f75bb..9e2f0ec04c8a 100644 --- a/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/fs.go +++ b/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/fs.go @@ -28,6 +28,7 @@ var subsystems = []subsystem{ &FreezerGroup{}, &RdmaGroup{}, &NameGroup{GroupName: "name=systemd", Join: true}, + &NameGroup{GroupName: "misc", Join: true}, } var errSubsystemDoesNotExist = errors.New("cgroup: subsystem does not exist") diff --git a/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/common.go b/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/common.go index 98ccc51655cb..50746ae0c569 100644 --- a/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/common.go +++ b/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/common.go @@ -288,6 +288,24 @@ func generateDeviceProperties(r *configs.Resources) ([]systemdDbus.Property, err case devices.CharDevice: entry.Path = fmt.Sprintf("/dev/char/%d:%d", rule.Major, rule.Minor) } + // systemd will issue a warning if the path we give here doesn't exist. + // Since all of this logic is best-effort anyway (we manually set these + // rules separately to systemd) we can safely skip entries that don't + // have a corresponding path. + if _, err := os.Stat(entry.Path); err != nil { + // Also check /sys/dev so that we don't depend on /dev/{block,char} + // being populated. (/dev/{block,char} is populated by udev, which + // isn't strictly required for systemd). Ironically, this happens most + // easily when starting containerd within a runc created container + // itself. + + // We don't bother with securejoin here because we create entry.Path + // right above here, so we know it's safe. + if _, err := os.Stat("/sys" + entry.Path); err != nil { + logrus.Warnf("skipping device %s for systemd: %s", entry.Path, err) + continue + } + } } deviceAllowList = append(deviceAllowList, entry) } @@ -335,32 +353,52 @@ func isUnitExists(err error) bool { return isDbusError(err, "org.freedesktop.systemd1.UnitExists") } -func startUnit(cm *dbusConnManager, unitName string, properties []systemdDbus.Property) error { +func startUnit(cm *dbusConnManager, unitName string, properties []systemdDbus.Property, ignoreExist bool) error { statusChan := make(chan string, 1) + retry := true + +retry: err := cm.retryOnDisconnect(func(c *systemdDbus.Conn) error { _, err := c.StartTransientUnitContext(context.TODO(), unitName, "replace", properties, statusChan) return err }) - if err == nil { - timeout := time.NewTimer(30 * time.Second) - defer timeout.Stop() - - select { - case s := <-statusChan: - close(statusChan) - // Please refer to https://pkg.go.dev/github.com/coreos/go-systemd/v22/dbus#Conn.StartUnit - if s != "done" { - resetFailedUnit(cm, unitName) - return fmt.Errorf("error creating systemd unit `%s`: got `%s`", unitName, s) - } - case <-timeout.C: + if err != nil { + if !isUnitExists(err) { + return err + } + if ignoreExist { + // TODO: remove this hack. + // This is kubelet making sure a slice exists (see + // https://github.com/opencontainers/runc/pull/1124). + return nil + } + if retry { + // In case a unit with the same name exists, this may + // be a leftover failed unit. Reset it, so systemd can + // remove it, and retry once. resetFailedUnit(cm, unitName) - return errors.New("Timeout waiting for systemd to create " + unitName) + retry = false + goto retry } - } else if !isUnitExists(err) { return err } + timeout := time.NewTimer(30 * time.Second) + defer timeout.Stop() + + select { + case s := <-statusChan: + close(statusChan) + // Please refer to https://pkg.go.dev/github.com/coreos/go-systemd/v22/dbus#Conn.StartUnit + if s != "done" { + resetFailedUnit(cm, unitName) + return fmt.Errorf("error creating systemd unit `%s`: got `%s`", unitName, s) + } + case <-timeout.C: + resetFailedUnit(cm, unitName) + return errors.New("Timeout waiting for systemd to create " + unitName) + } + return nil } diff --git a/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/cpuset.go b/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/cpuset.go index 83d10dd705fd..dd474cf1b168 100644 --- a/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/cpuset.go +++ b/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/cpuset.go @@ -51,5 +51,10 @@ func RangeToBits(str string) ([]byte, error) { // do not allow empty values return nil, errors.New("empty value") } + + // fit cpuset parsing order in systemd + for l, r := 0, len(ret)-1; l < r; l, r = l+1, r-1 { + ret[l], ret[r] = ret[r], ret[l] + } return ret, nil } diff --git a/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/dbus.go b/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/dbus.go index 3e547e282b57..bb87ae83aef1 100644 --- a/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/dbus.go +++ b/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/dbus.go @@ -2,6 +2,7 @@ package systemd import ( "context" + "errors" "fmt" "sync" @@ -80,8 +81,6 @@ func (d *dbusConnManager) resetConnection(conn *systemdDbus.Conn) { } } -var errDbusConnClosed = dbus.ErrClosed.Error() - // retryOnDisconnect calls op, and if the error it returns is about closed dbus // connection, the connection is re-established and the op is retried. This helps // with the situation when dbus is restarted and we have a stale connection. @@ -92,7 +91,10 @@ func (d *dbusConnManager) retryOnDisconnect(op func(*systemdDbus.Conn) error) er return err } err = op(conn) - if !isDbusError(err, errDbusConnClosed) { + if err == nil { + return nil + } + if !errors.Is(err, dbus.ErrClosed) { return err } d.resetConnection(conn) diff --git a/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/v1.go b/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/v1.go index a74a05a5cd05..046c3056fba8 100644 --- a/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/v1.go +++ b/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/v1.go @@ -71,6 +71,7 @@ var legacySubsystems = []subsystem{ &fs.NetClsGroup{}, &fs.NameGroup{GroupName: "name=systemd"}, &fs.RdmaGroup{}, + &fs.NameGroup{GroupName: "misc"}, } func genV1ResourcesProperties(r *configs.Resources, cm *dbusConnManager) ([]systemdDbus.Property, error) { @@ -206,7 +207,7 @@ func (m *legacyManager) Apply(pid int) error { properties = append(properties, c.SystemdProps...) - if err := startUnit(m.dbus, unitName, properties); err != nil { + if err := startUnit(m.dbus, unitName, properties, pid == -1); err != nil { return err } @@ -273,14 +274,7 @@ func getSubsystemPath(slice, unit, subsystem string) (string, error) { return "", err } - initPath, err := cgroups.GetInitCgroup(subsystem) - if err != nil { - return "", err - } - // if pid 1 is systemd 226 or later, it will be in init.scope, not the root - initPath = strings.TrimSuffix(filepath.Clean(initPath), "init.scope") - - return filepath.Join(mountpoint, initPath, slice, unit), nil + return filepath.Join(mountpoint, slice, unit), nil } func (m *legacyManager) Freeze(state configs.FreezerState) error { diff --git a/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/v2.go b/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/v2.go index de0cb974d460..94d24ee45020 100644 --- a/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/v2.go +++ b/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/v2.go @@ -284,7 +284,7 @@ func (m *unifiedManager) Apply(pid int) error { properties = append(properties, c.SystemdProps...) - if err := startUnit(m.dbus, unitName, properties); err != nil { + if err := startUnit(m.dbus, unitName, properties, pid == -1); err != nil { return fmt.Errorf("unable to start unit %q (properties %+v): %w", unitName, properties, err) } diff --git a/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/cgroups/utils.go b/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/cgroups/utils.go index b32af4ee5302..fc4ae44a4853 100644 --- a/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/cgroups/utils.go +++ b/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/cgroups/utils.go @@ -162,8 +162,10 @@ func readProcsFile(dir string) ([]int, error) { // ParseCgroupFile parses the given cgroup file, typically /proc/self/cgroup // or /proc//cgroup, into a map of subsystems to cgroup paths, e.g. -// "cpu": "/user.slice/user-1000.slice" -// "pids": "/user.slice/user-1000.slice" +// +// "cpu": "/user.slice/user-1000.slice" +// "pids": "/user.slice/user-1000.slice" +// // etc. // // Note that for cgroup v2 unified hierarchy, there are no per-controller diff --git a/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/configs/validate/validator.go b/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/configs/validate/validator.go index 627621a58d86..4fbd308dadd6 100644 --- a/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/configs/validate/validator.go +++ b/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/configs/validate/validator.go @@ -131,9 +131,8 @@ func (v *ConfigValidator) cgroupnamespace(config *configs.Config) error { // convertSysctlVariableToDotsSeparator can return sysctl variables in dots separator format. // The '/' separator is also accepted in place of a '.'. // Convert the sysctl variables to dots separator format for validation. -// More info: -// https://man7.org/linux/man-pages/man8/sysctl.8.html -// https://man7.org/linux/man-pages/man5/sysctl.d.5.html +// More info: sysctl(8), sysctl.d(5). +// // For example: // Input sysctl variable "net/ipv4/conf/eno2.100.rp_filter" // will return the converted value "net.ipv4.conf.eno2/100.rp_filter" diff --git a/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/container_linux.go b/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/container_linux.go index 9df830d8cdbb..dd61dfd3c90c 100644 --- a/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/container_linux.go +++ b/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/container_linux.go @@ -926,7 +926,7 @@ func (c *linuxContainer) criuSupportsExtNS(t configs.NamespaceType) bool { } func criuNsToKey(t configs.NamespaceType) string { - return "extRoot" + strings.Title(configs.NsName(t)) + "NS" + return "extRoot" + strings.Title(configs.NsName(t)) + "NS" //nolint:staticcheck // SA1019: strings.Title is deprecated } func (c *linuxContainer) handleCheckpointingExternalNamespaces(rpcOpts *criurpc.CriuOpts, t configs.NamespaceType) error { diff --git a/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/eaccess_go119.go b/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/eaccess_go119.go new file mode 100644 index 000000000000..cc1e2079a795 --- /dev/null +++ b/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/eaccess_go119.go @@ -0,0 +1,17 @@ +//go:build !go1.20 +// +build !go1.20 + +package libcontainer + +import "golang.org/x/sys/unix" + +func eaccess(path string) error { + // This check is similar to access(2) with X_OK except for + // setuid/setgid binaries where it checks against the effective + // (rather than real) uid and gid. It is not needed in go 1.20 + // and beyond and will be removed later. + + // Relies on code added in https://go-review.googlesource.com/c/sys/+/468877 + // and older CLs linked from there. + return unix.Faccessat(unix.AT_FDCWD, path, unix.X_OK, unix.AT_EACCESS) +} diff --git a/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/eaccess_stub.go b/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/eaccess_stub.go new file mode 100644 index 000000000000..7c049fd7aa02 --- /dev/null +++ b/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/eaccess_stub.go @@ -0,0 +1,10 @@ +//go:build go1.20 + +package libcontainer + +func eaccess(path string) error { + // Not needed in Go 1.20+ as the functionality is already in there + // (added by https://go.dev/cl/416115, https://go.dev/cl/414824, + // and fixed in Go 1.20.2 by https://go.dev/cl/469956). + return nil +} diff --git a/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/factory_linux.go b/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/factory_linux.go index 023d623f3709..a1fa7de2d249 100644 --- a/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/factory_linux.go +++ b/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/factory_linux.go @@ -179,6 +179,12 @@ func (l *LinuxFactory) Create(id string, config *configs.Config) (Container, err return nil, fmt.Errorf("unable to get cgroup PIDs: %w", err) } if len(pids) != 0 { + if config.Cgroups.Systemd { + // systemd cgroup driver can't add a pid to an + // existing systemd unit and will return an + // error anyway, so let's error out early. + return nil, fmt.Errorf("container's cgroup is not empty: %d process(es) found", len(pids)) + } // TODO: return an error. logrus.Warnf("container's cgroup is not empty: %d process(es) found", len(pids)) logrus.Warn("DEPRECATED: running container in a non-empty cgroup won't be supported in runc 1.2; https://github.com/opencontainers/runc/issues/3132") @@ -338,7 +344,11 @@ func (l *LinuxFactory) StartInitialization() (err error) { defer func() { if e := recover(); e != nil { - err = fmt.Errorf("panic from initialization: %w, %v", e, string(debug.Stack())) + if ee, ok := e.(error); ok { + err = fmt.Errorf("panic from initialization: %w, %s", ee, debug.Stack()) + } else { + err = fmt.Errorf("panic from initialization: %v, %s", e, debug.Stack()) + } } }() diff --git a/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/init_linux.go b/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/init_linux.go index 1e5c394c3e06..2e4c59353c83 100644 --- a/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/init_linux.go +++ b/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/init_linux.go @@ -411,8 +411,9 @@ func fixStdioPermissions(u *user.ExecUser) error { return &os.PathError{Op: "fstat", Path: file.Name(), Err: err} } - // Skip chown if uid is already the one we want. - if int(s.Uid) == u.Uid { + // Skip chown if uid is already the one we want or any of the STDIO descriptors + // were redirected to /dev/null. + if int(s.Uid) == u.Uid || s.Rdev == null.Rdev { continue } diff --git a/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/process_linux.go b/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/process_linux.go index e025445d3307..446649af8432 100644 --- a/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/process_linux.go +++ b/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/process_linux.go @@ -39,13 +39,9 @@ type parentProcess interface { // startTime returns the process start time. startTime() (uint64, error) - signal(os.Signal) error - externalDescriptors() []string - setExternalDescriptors(fds []string) - forwardChildLogs() chan error } diff --git a/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go b/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go index 51660f5efb92..c3f88fc7038b 100644 --- a/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go +++ b/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go @@ -80,6 +80,8 @@ func prepareRootfs(pipe io.ReadWriter, iConfig *initConfig, mountFds []int) (err // Therefore, we can access mountFds[i] without any concerns. if mountFds != nil && mountFds[i] != -1 { mountConfig.fd = &mountFds[i] + } else { + mountConfig.fd = nil } if err := mountToRootfs(m, mountConfig); err != nil { @@ -327,26 +329,41 @@ func mountCgroupV2(m *configs.Mount, c *mountConfig) error { if err := os.MkdirAll(dest, 0o755); err != nil { return err } - return utils.WithProcfd(c.root, m.Destination, func(procfd string) error { - if err := mount(m.Source, m.Destination, procfd, "cgroup2", uintptr(m.Flags), m.Data); err != nil { - // when we are in UserNS but CgroupNS is not unshared, we cannot mount cgroup2 (#2158) - if errors.Is(err, unix.EPERM) || errors.Is(err, unix.EBUSY) { - src := fs2.UnifiedMountpoint - if c.cgroupns && c.cgroup2Path != "" { - // Emulate cgroupns by bind-mounting - // the container cgroup path rather than - // the whole /sys/fs/cgroup. - src = c.cgroup2Path - } - err = mount(src, m.Destination, procfd, "", uintptr(m.Flags)|unix.MS_BIND, "") - if c.rootlessCgroups && errors.Is(err, unix.ENOENT) { - err = nil - } - } - return err - } - return nil + err = utils.WithProcfd(c.root, m.Destination, func(procfd string) error { + return mount(m.Source, m.Destination, procfd, "cgroup2", uintptr(m.Flags), m.Data) }) + if err == nil || !(errors.Is(err, unix.EPERM) || errors.Is(err, unix.EBUSY)) { + return err + } + + // When we are in UserNS but CgroupNS is not unshared, we cannot mount + // cgroup2 (#2158), so fall back to bind mount. + bindM := &configs.Mount{ + Device: "bind", + Source: fs2.UnifiedMountpoint, + Destination: m.Destination, + Flags: unix.MS_BIND | m.Flags, + PropagationFlags: m.PropagationFlags, + } + if c.cgroupns && c.cgroup2Path != "" { + // Emulate cgroupns by bind-mounting the container cgroup path + // rather than the whole /sys/fs/cgroup. + bindM.Source = c.cgroup2Path + } + // mountToRootfs() handles remounting for MS_RDONLY. + // No need to set c.fd here, because mountToRootfs() calls utils.WithProcfd() by itself in mountPropagate(). + err = mountToRootfs(bindM, c) + if c.rootlessCgroups && errors.Is(err, unix.ENOENT) { + // ENOENT (for `src = c.cgroup2Path`) happens when rootless runc is being executed + // outside the userns+mountns. + // + // Mask `/sys/fs/cgroup` to ensure it is read-only, even when `/sys` is mounted + // with `rbind,ro` (`runc spec --rootless` produces `rbind,ro` for `/sys`). + err = utils.WithProcfd(c.root, m.Destination, func(procfd string) error { + return maskPath(procfd, c.label) + }) + } + return err } func doTmpfsCopyUp(m *configs.Mount, rootfs, mountLabel string) (Err error) { @@ -396,32 +413,43 @@ func doTmpfsCopyUp(m *configs.Mount, rootfs, mountLabel string) (Err error) { func mountToRootfs(m *configs.Mount, c *mountConfig) error { rootfs := c.root - mountLabel := c.label - mountFd := c.fd - dest, err := securejoin.SecureJoin(rootfs, m.Destination) - if err != nil { - return err - } + // procfs and sysfs are special because we need to ensure they are actually + // mounted on a specific path in a container without any funny business. switch m.Device { case "proc", "sysfs": // If the destination already exists and is not a directory, we bail - // out This is to avoid mounting through a symlink or similar -- which + // out. This is to avoid mounting through a symlink or similar -- which // has been a "fun" attack scenario in the past. // TODO: This won't be necessary once we switch to libpathrs and we can // stop all of these symlink-exchange attacks. + dest := filepath.Clean(m.Destination) + if !strings.HasPrefix(dest, rootfs) { + // Do not use securejoin as it resolves symlinks. + dest = filepath.Join(rootfs, dest) + } if fi, err := os.Lstat(dest); err != nil { if !os.IsNotExist(err) { return err } - } else if fi.Mode()&os.ModeDir == 0 { + } else if !fi.IsDir() { return fmt.Errorf("filesystem %q must be mounted on ordinary directory", m.Device) } if err := os.MkdirAll(dest, 0o755); err != nil { return err } - // Selinux kernels do not support labeling of /proc or /sys + // Selinux kernels do not support labeling of /proc or /sys. return mountPropagate(m, rootfs, "", nil) + } + + mountLabel := c.label + mountFd := c.fd + dest, err := securejoin.SecureJoin(rootfs, m.Destination) + if err != nil { + return err + } + + switch m.Device { case "mqueue": if err := os.MkdirAll(dest, 0o755); err != nil { return err @@ -577,6 +605,7 @@ func checkProcMount(rootfs, dest, source string) error { "/proc/loadavg", "/proc/slabinfo", "/proc/net/dev", + "/proc/sys/kernel/ns_last_pid", } for _, valid := range validProcMounts { path, err := filepath.Rel(filepath.Join(rootfs, valid), dest) diff --git a/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/seccomp/config.go b/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/seccomp/config.go index d0c9bb71fb0e..98e08e8f0b68 100644 --- a/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/seccomp/config.go +++ b/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/seccomp/config.go @@ -29,13 +29,15 @@ func KnownOperators() []string { } var actions = map[string]configs.Action{ - "SCMP_ACT_KILL": configs.Kill, - "SCMP_ACT_ERRNO": configs.Errno, - "SCMP_ACT_TRAP": configs.Trap, - "SCMP_ACT_ALLOW": configs.Allow, - "SCMP_ACT_TRACE": configs.Trace, - "SCMP_ACT_LOG": configs.Log, - "SCMP_ACT_NOTIFY": configs.Notify, + "SCMP_ACT_KILL": configs.Kill, + "SCMP_ACT_ERRNO": configs.Errno, + "SCMP_ACT_TRAP": configs.Trap, + "SCMP_ACT_ALLOW": configs.Allow, + "SCMP_ACT_TRACE": configs.Trace, + "SCMP_ACT_LOG": configs.Log, + "SCMP_ACT_NOTIFY": configs.Notify, + "SCMP_ACT_KILL_THREAD": configs.KillThread, + "SCMP_ACT_KILL_PROCESS": configs.KillProcess, } // KnownActions returns the list of the known actions. diff --git a/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/seccomp/patchbpf/enosys_linux.go b/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/seccomp/patchbpf/enosys_linux.go index dfb8a0a8e592..7d4ec6a42e55 100644 --- a/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/seccomp/patchbpf/enosys_linux.go +++ b/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/seccomp/patchbpf/enosys_linux.go @@ -72,6 +72,11 @@ import "C" var retErrnoEnosys = uint32(C.C_ACT_ERRNO_ENOSYS) +// This syscall is used for multiplexing "large" syscalls on s390(x). Unknown +// syscalls will end up with this syscall number, so we need to explcitly +// return -ENOSYS for this syscall on those architectures. +const s390xMultiplexSyscall libseccomp.ScmpSyscall = 0 + func isAllowAction(action configs.Action) bool { switch action { // Trace is considered an "allow" action because a good tracer should @@ -305,7 +310,7 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error) // directly from the arch code so we need to do it here. Sadly we can't // share this code between architecture branches. section := []bpf.Instruction{ - // load [0] + // load [0] (syscall number) bpf.LoadAbsolute{Off: 0, Size: 4}, // NOTE: We assume sizeof(int) == 4. } @@ -314,10 +319,37 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error) // No syscalls found for this arch -- skip it and move on. continue case 1: - // Get the only syscall in the map. - var sysno libseccomp.ScmpSyscall - for _, no := range maxSyscalls { + // Get the only syscall and scmpArch in the map. + var ( + scmpArch libseccomp.ScmpArch + sysno libseccomp.ScmpSyscall + ) + for arch, no := range maxSyscalls { sysno = no + scmpArch = arch + } + + switch scmpArch { + // Return -ENOSYS for setup(2) on s390(x). This syscall is used for + // multiplexing "large syscall number" syscalls, but if the syscall + // number is not known to the kernel then the syscall number is + // left unchanged (and because it is sysno=0, you'll end up with + // EPERM for syscalls the kernel doesn't know about). + // + // The actual setup(2) syscall is never used by userspace anymore + // (and hasn't existed for decades) outside of this multiplexing + // scheme so returning -ENOSYS is fine. + case libseccomp.ArchS390, libseccomp.ArchS390X: + section = append(section, []bpf.Instruction{ + // jne [setup=0],1 + bpf.JumpIf{ + Cond: bpf.JumpNotEqual, + Val: uint32(s390xMultiplexSyscall), + SkipTrue: 1, + }, + // ret [ENOSYS] + bpf.RetConstant{Val: retErrnoEnosys}, + }...) } // The simplest case just boils down to a single jgt instruction, @@ -349,12 +381,6 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error) // If we're on x86 we need to add a check for x32 and if we're in // the wrong mode we jump over the section. if uint32(nativeArch) == uint32(C.C_AUDIT_ARCH_X86_64) { - // Grab the only architecture in the map. - var scmpArch libseccomp.ScmpArch - for arch := range maxSyscalls { - scmpArch = arch - } - // Generate a prefix to check the mode. switch scmpArch { case libseccomp.ArchAMD64: @@ -512,7 +538,7 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error) // Prepend the load instruction for the architecture. programTail = append([]bpf.Instruction{ - // load [4] + // load [4] (architecture) bpf.LoadAbsolute{Off: 4, Size: 4}, // NOTE: We assume sizeof(int) == 4. }, programTail...) diff --git a/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/seccomp/seccomp_linux.go b/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/seccomp/seccomp_linux.go index f177b7f05f2f..8c12af72be9f 100644 --- a/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/seccomp/seccomp_linux.go +++ b/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/seccomp/seccomp_linux.go @@ -113,8 +113,8 @@ func InitSeccomp(config *configs.Seccomp) (int, error) { // Convert Libcontainer Action to Libseccomp ScmpAction func getAction(act configs.Action, errnoRet *uint) (libseccomp.ScmpAction, error) { switch act { - case configs.Kill: - return libseccomp.ActKill, nil + case configs.Kill, configs.KillThread: + return libseccomp.ActKillThread, nil case configs.Errno: if errnoRet != nil { return libseccomp.ActErrno.SetReturnCode(int16(*errnoRet)), nil @@ -133,8 +133,6 @@ func getAction(act configs.Action, errnoRet *uint) (libseccomp.ScmpAction, error return libseccomp.ActLog, nil case configs.Notify: return libseccomp.ActNotify, nil - case configs.KillThread: - return libseccomp.ActKillThread, nil case configs.KillProcess: return libseccomp.ActKillProcess, nil default: diff --git a/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/standard_init_linux.go b/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/standard_init_linux.go index 585a04fa0806..c09a7bed30ea 100644 --- a/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/standard_init_linux.go +++ b/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/standard_init_linux.go @@ -198,6 +198,14 @@ func (l *linuxStandardInit) Init() error { if err != nil { return err } + // exec.LookPath in Go < 1.20 might return no error for an executable + // residing on a file system mounted with noexec flag, so perform this + // extra check now while we can still return a proper error. + // TODO: remove this once go < 1.20 is not supported. + if err := eaccess(name); err != nil { + return &os.PathError{Op: "eaccess", Path: name, Err: err} + } + // Set seccomp as close to execve as possible, so as few syscalls take // place afterward (reducing the amount of syscalls that users need to // enable in their seccomp profiles). However, this needs to be done diff --git a/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/sync.go b/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/sync.go index c9a23ef3a760..25dc28630710 100644 --- a/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/sync.go +++ b/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/sync.go @@ -15,16 +15,16 @@ type syncType string // during container setup. They come in pairs (with procError being a generic // response which is followed by an &initError). // -// [ child ] <-> [ parent ] +// [ child ] <-> [ parent ] // -// procHooks --> [run hooks] -// <-- procResume +// procHooks --> [run hooks] +// <-- procResume // -// procReady --> [final setup] -// <-- procRun +// procReady --> [final setup] +// <-- procRun // -// procSeccomp --> [pick up seccomp fd with pidfd_getfd()] -// <-- procSeccompDone +// procSeccomp --> [pick up seccomp fd with pidfd_getfd()] +// <-- procSeccompDone const ( procError syncType = "procError" procReady syncType = "procReady" diff --git a/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/user/user.go b/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/user/user.go index 2473c5eaddce..a1e216683d90 100644 --- a/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/user/user.go +++ b/cluster-autoscaler/vendor/github.com/opencontainers/runc/libcontainer/user/user.go @@ -280,13 +280,13 @@ func GetExecUserPath(userSpec string, defaults *ExecUser, passwdPath, groupPath // found in any entry in passwd and group respectively. // // Examples of valid user specifications are: -// * "" -// * "user" -// * "uid" -// * "user:group" -// * "uid:gid -// * "user:gid" -// * "uid:group" +// - "" +// - "user" +// - "uid" +// - "user:group" +// - "uid:gid +// - "user:gid" +// - "uid:group" // // It should be noted that if you specify a numeric user or group id, they will // not be evaluated as usernames (only the metadata will be filled). So attempting diff --git a/cluster-autoscaler/vendor/github.com/seccomp/libseccomp-golang/.golangci.yml b/cluster-autoscaler/vendor/github.com/seccomp/libseccomp-golang/.golangci.yml new file mode 100644 index 000000000000..7df8aa19838a --- /dev/null +++ b/cluster-autoscaler/vendor/github.com/seccomp/libseccomp-golang/.golangci.yml @@ -0,0 +1,4 @@ +# For documentation, see https://golangci-lint.run/usage/configuration/ +linters: + enable: + - gofumpt diff --git a/cluster-autoscaler/vendor/github.com/seccomp/libseccomp-golang/.travis.yml b/cluster-autoscaler/vendor/github.com/seccomp/libseccomp-golang/.travis.yml deleted file mode 100644 index 5240d4622805..000000000000 --- a/cluster-autoscaler/vendor/github.com/seccomp/libseccomp-golang/.travis.yml +++ /dev/null @@ -1,57 +0,0 @@ -# Travis CI configuration for libseccomp-golang - -# https://docs.travis-ci.com/user/reference/bionic -# https://wiki.ubuntu.com/Releases - -dist: bionic -sudo: false - -notifications: - email: - on_success: always - on_failure: always - -arch: - - amd64 - -os: - - linux - -language: go - -jobs: - include: - - name: "last libseccomp 2.5.0" - env: - - SECCOMP_VER=2.5.0 - - SECCOMP_SHA256SUM=1ffa7038d2720ad191919816db3479295a4bcca1ec14e02f672539f4983014f3 - - name: "compat libseccomp 2.4.4" - env: - - SECCOMP_VER=2.4.4 - - SECCOMP_SHA256SUM=4e79738d1ef3c9b7ca9769f1f8b8d84fc17143c2c1c432e53b9c64787e0ff3eb - - name: "compat libseccomp 2.2.1" - env: - - SECCOMP_VER=2.2.1 - - SECCOMP_SHA256SUM=0ba1789f54786c644af54cdffc9fd0dd0a8bb2b2ee153933f658855d2851a740 - -addons: - apt: - packages: - - build-essential - - astyle - - golint - - gperf - -install: - - go get -u golang.org/x/lint/golint - -# run all of the tests independently, fail if any of the tests error -script: - - wget https://github.com/seccomp/libseccomp/releases/download/v$SECCOMP_VER/libseccomp-$SECCOMP_VER.tar.gz - - echo $SECCOMP_SHA256SUM libseccomp-$SECCOMP_VER.tar.gz | sha256sum -c - - tar xf libseccomp-$SECCOMP_VER.tar.gz - - pushd libseccomp-$SECCOMP_VER && ./configure --prefix=/opt/libseccomp-$SECCOMP_VER && make && sudo make install && popd - - make check-syntax - - make lint - - PKG_CONFIG_PATH=/opt/libseccomp-$SECCOMP_VER/lib/pkgconfig LD_LIBRARY_PATH=/opt/libseccomp-$SECCOMP_VER/lib make vet - - PKG_CONFIG_PATH=/opt/libseccomp-$SECCOMP_VER/lib/pkgconfig LD_LIBRARY_PATH=/opt/libseccomp-$SECCOMP_VER/lib make test diff --git a/cluster-autoscaler/vendor/github.com/seccomp/libseccomp-golang/CONTRIBUTING.md b/cluster-autoscaler/vendor/github.com/seccomp/libseccomp-golang/CONTRIBUTING.md index d6862cbd5f9f..c2fc80d5af65 100644 --- a/cluster-autoscaler/vendor/github.com/seccomp/libseccomp-golang/CONTRIBUTING.md +++ b/cluster-autoscaler/vendor/github.com/seccomp/libseccomp-golang/CONTRIBUTING.md @@ -1,31 +1,23 @@ -How to Submit Patches to the libseccomp Project +How to Submit Patches to the libseccomp-golang Project =============================================================================== https://github.com/seccomp/libseccomp-golang This document is intended to act as a guide to help you contribute to the -libseccomp project. It is not perfect, and there will always be exceptions -to the rules described here, but by following the instructions below you -should have a much easier time getting your work merged with the upstream +libseccomp-golang project. It is not perfect, and there will always be +exceptions to the rules described here, but by following the instructions below +you should have a much easier time getting your work merged with the upstream project. ## Test Your Code Using Existing Tests -There are two possible tests you can run to verify your code. The first -test is used to check the formatting and coding style of your changes, you -can run the test with the following command: - - # make check-syntax - -... if there are any problems with your changes a diff/patch will be shown -which indicates the problems and how to fix them. - -The second possible test is used to ensure the sanity of your code changes -and to test these changes against the included tests. You can run the test -with the following command: +A number of tests and lint related recipes are provided in the Makefile, if +you want to run the standard regression tests, you can execute the following: # make check -... if there are any faults or errors they will be displayed. +In order to use it, the 'golangci-lint' tool is needed, which can be found at: + +* https://github.com/golangci/golangci-lint ## Add New Tests for New Functionality diff --git a/cluster-autoscaler/vendor/github.com/seccomp/libseccomp-golang/Makefile b/cluster-autoscaler/vendor/github.com/seccomp/libseccomp-golang/Makefile index 38cfa852cd6a..530f5b4adbc8 100644 --- a/cluster-autoscaler/vendor/github.com/seccomp/libseccomp-golang/Makefile +++ b/cluster-autoscaler/vendor/github.com/seccomp/libseccomp-golang/Makefile @@ -4,7 +4,7 @@ all: check-build -check: vet test +check: lint test check-build: go build @@ -16,7 +16,7 @@ fix-syntax: gofmt -w . vet: - go vet -v + go vet -v ./... # Previous bugs have made the tests freeze until the timeout. Golang default # timeout for tests is 10 minutes, which is too long, considering current tests @@ -28,5 +28,4 @@ test: go test -v -timeout $(TEST_TIMEOUT) lint: - @$(if $(shell which golint),true,$(error "install golint and include it in your PATH")) - golint -set_exit_status + golangci-lint run . diff --git a/cluster-autoscaler/vendor/github.com/seccomp/libseccomp-golang/README.md b/cluster-autoscaler/vendor/github.com/seccomp/libseccomp-golang/README.md index 806a5ddf29b7..6430f1c9e257 100644 --- a/cluster-autoscaler/vendor/github.com/seccomp/libseccomp-golang/README.md +++ b/cluster-autoscaler/vendor/github.com/seccomp/libseccomp-golang/README.md @@ -2,7 +2,9 @@ =============================================================================== https://github.com/seccomp/libseccomp-golang -[![Build Status](https://img.shields.io/travis/seccomp/libseccomp-golang/main.svg)](https://travis-ci.org/seccomp/libseccomp-golang) +[![Go Reference](https://pkg.go.dev/badge/github.com/seccomp/libseccomp-golang.svg)](https://pkg.go.dev/github.com/seccomp/libseccomp-golang) +[![validate](https://github.com/seccomp/libseccomp-golang/actions/workflows/validate.yml/badge.svg)](https://github.com/seccomp/libseccomp-golang/actions/workflows/validate.yml) +[![test](https://github.com/seccomp/libseccomp-golang/actions/workflows/test.yml/badge.svg)](https://github.com/seccomp/libseccomp-golang/actions/workflows/test.yml) The libseccomp library provides an easy to use, platform independent, interface to the Linux Kernel's syscall filtering mechanism. The libseccomp API is @@ -26,26 +28,14 @@ list. * https://groups.google.com/d/forum/libseccomp -Documentation is also available at: +Documentation for this package is also available at: -* https://godoc.org/github.com/seccomp/libseccomp-golang +* https://pkg.go.dev/github.com/seccomp/libseccomp-golang ## Installing the package -The libseccomp-golang bindings require at least Go v1.2.1 and GCC v4.8.4; -earlier versions may yield unpredictable results. If you meet these -requirements you can install this package using the command below: - # go get github.com/seccomp/libseccomp-golang -## Testing the Library - -A number of tests and lint related recipes are provided in the Makefile, if -you want to run the standard regression tests, you can excute the following: - - # make check - -In order to execute the 'make lint' recipe the 'golint' tool is needed, it -can be found at: +## Contributing -* https://github.com/golang/lint +See [CONTRIBUTING.md](CONTRIBUTING.md). diff --git a/cluster-autoscaler/vendor/github.com/seccomp/libseccomp-golang/SECURITY.md b/cluster-autoscaler/vendor/github.com/seccomp/libseccomp-golang/SECURITY.md new file mode 100644 index 000000000000..c448faa8e809 --- /dev/null +++ b/cluster-autoscaler/vendor/github.com/seccomp/libseccomp-golang/SECURITY.md @@ -0,0 +1,47 @@ +The libseccomp-golang Security Vulnerability Handling Process +=============================================================================== +https://github.com/seccomp/libseccomp-golang + +This document document attempts to describe the processes through which +sensitive security relevant bugs can be responsibly disclosed to the +libseccomp-golang project and how the project maintainers should handle these +reports. Just like the other libseccomp-golang process documents, this +document should be treated as a guiding document and not a hard, unyielding set +of regulations; the bug reporters and project maintainers are encouraged to +work together to address the issues as best they can, in a manner which works +best for all parties involved. + +### Reporting Problems + +Problems with the libseccomp-golang library that are not suitable for immediate +public disclosure should be emailed to the current libseccomp-golang +maintainers, the list is below. We typically request at most a 90 day time +period to address the issue before it is made public, but we will make every +effort to address the issue as quickly as possible and shorten the disclosure +window. + +* Paul Moore, paul@paul-moore.com +* Tom Hromatka, tom.hromatka@oracle.com + +### Resolving Sensitive Security Issues + +Upon disclosure of a bug, the maintainers should work together to investigate +the problem and decide on a solution. In order to prevent an early disclosure +of the problem, those working on the solution should do so privately and +outside of the traditional libseccomp-golang development practices. One +possible solution to this is to leverage the GitHub "Security" functionality to +create a private development fork that can be shared among the maintainers, and +optionally the reporter. A placeholder GitHub issue may be created, but +details should remain extremely limited until such time as the problem has been +fixed and responsibly disclosed. If a CVE, or other tag, has been assigned to +the problem, the GitHub issue title should include the vulnerability tag once +the problem has been disclosed. + +### Public Disclosure + +Whenever possible, responsible reporting and patching practices should be +followed, including notification to the linux-distros and oss-security mailing +lists. + +* https://oss-security.openwall.org/wiki/mailing-lists/distros +* https://oss-security.openwall.org/wiki/mailing-lists/oss-security diff --git a/cluster-autoscaler/vendor/github.com/seccomp/libseccomp-golang/seccomp.go b/cluster-autoscaler/vendor/github.com/seccomp/libseccomp-golang/seccomp.go index e9b92e2219ad..8dad12fdbb9b 100644 --- a/cluster-autoscaler/vendor/github.com/seccomp/libseccomp-golang/seccomp.go +++ b/cluster-autoscaler/vendor/github.com/seccomp/libseccomp-golang/seccomp.go @@ -1,5 +1,3 @@ -// +build linux - // Public API specification for libseccomp Go bindings // Contains public API for the bindings @@ -18,48 +16,36 @@ import ( "unsafe" ) -// C wrapping code - -// To compile libseccomp-golang against a specific version of libseccomp: -// cd ../libseccomp && mkdir -p prefix -// ./configure --prefix=$PWD/prefix && make && make install -// cd ../libseccomp-golang -// PKG_CONFIG_PATH=$PWD/../libseccomp/prefix/lib/pkgconfig/ make -// LD_PRELOAD=$PWD/../libseccomp/prefix/lib/libseccomp.so.2.5.0 PKG_CONFIG_PATH=$PWD/../libseccomp/prefix/lib/pkgconfig/ make test - -// #cgo pkg-config: libseccomp // #include // #include import "C" // Exported types -// VersionError denotes that the system libseccomp version is incompatible -// with this package. +// VersionError represents an error when either the system libseccomp version +// or the kernel version is too old to perform the operation requested. type VersionError struct { - message string - minimum string + op string // operation that failed or would fail + major, minor, micro uint // minimally required libseccomp version + curAPI, minAPI uint // current and minimally required API versions } func init() { // This forces the cgo libseccomp to initialize its internal API support state, // which is necessary on older versions of libseccomp in order to work // correctly. - GetAPI() + _, _ = getAPI() } func (e VersionError) Error() string { - messageStr := "" - if e.message != "" { - messageStr = e.message + ": " + if e.minAPI != 0 { + return fmt.Sprintf("%s requires libseccomp >= %d.%d.%d and API level >= %d "+ + "(current version: %d.%d.%d, API level: %d)", + e.op, e.major, e.minor, e.micro, e.minAPI, + verMajor, verMinor, verMicro, e.curAPI) } - minimumStr := "" - if e.minimum != "" { - minimumStr = e.minimum - } else { - minimumStr = "2.2.0" - } - return fmt.Sprintf("Libseccomp version too low: %sminimum supported is %s: detected %d.%d.%d", messageStr, minimumStr, verMajor, verMinor, verMicro) + return fmt.Sprintf("%s requires libseccomp >= %d.%d.%d (current version: %d.%d.%d)", + e.op, e.major, e.minor, e.micro, verMajor, verMinor, verMicro) } // ScmpArch represents a CPU architecture. Seccomp can restrict syscalls on a @@ -148,44 +134,46 @@ const ( // variables are invalid ArchInvalid ScmpArch = iota // ArchNative is the native architecture of the kernel - ArchNative ScmpArch = iota + ArchNative // ArchX86 represents 32-bit x86 syscalls - ArchX86 ScmpArch = iota + ArchX86 // ArchAMD64 represents 64-bit x86-64 syscalls - ArchAMD64 ScmpArch = iota + ArchAMD64 // ArchX32 represents 64-bit x86-64 syscalls (32-bit pointers) - ArchX32 ScmpArch = iota + ArchX32 // ArchARM represents 32-bit ARM syscalls - ArchARM ScmpArch = iota + ArchARM // ArchARM64 represents 64-bit ARM syscalls - ArchARM64 ScmpArch = iota + ArchARM64 // ArchMIPS represents 32-bit MIPS syscalls - ArchMIPS ScmpArch = iota + ArchMIPS // ArchMIPS64 represents 64-bit MIPS syscalls - ArchMIPS64 ScmpArch = iota + ArchMIPS64 // ArchMIPS64N32 represents 64-bit MIPS syscalls (32-bit pointers) - ArchMIPS64N32 ScmpArch = iota + ArchMIPS64N32 // ArchMIPSEL represents 32-bit MIPS syscalls (little endian) - ArchMIPSEL ScmpArch = iota + ArchMIPSEL // ArchMIPSEL64 represents 64-bit MIPS syscalls (little endian) - ArchMIPSEL64 ScmpArch = iota + ArchMIPSEL64 // ArchMIPSEL64N32 represents 64-bit MIPS syscalls (little endian, // 32-bit pointers) - ArchMIPSEL64N32 ScmpArch = iota + ArchMIPSEL64N32 // ArchPPC represents 32-bit POWERPC syscalls - ArchPPC ScmpArch = iota + ArchPPC // ArchPPC64 represents 64-bit POWER syscalls (big endian) - ArchPPC64 ScmpArch = iota + ArchPPC64 // ArchPPC64LE represents 64-bit POWER syscalls (little endian) - ArchPPC64LE ScmpArch = iota + ArchPPC64LE // ArchS390 represents 31-bit System z/390 syscalls - ArchS390 ScmpArch = iota + ArchS390 // ArchS390X represents 64-bit System z/390 syscalls - ArchS390X ScmpArch = iota + ArchS390X // ArchPARISC represents 32-bit PA-RISC - ArchPARISC ScmpArch = iota + ArchPARISC // ArchPARISC64 represents 64-bit PA-RISC - ArchPARISC64 ScmpArch = iota + ArchPARISC64 + // ArchRISCV64 represents RISCV64 + ArchRISCV64 ) const ( @@ -194,34 +182,36 @@ const ( // ActInvalid is a placeholder to ensure uninitialized ScmpAction // variables are invalid ActInvalid ScmpAction = iota - // ActKill kills the thread that violated the rule. It is the same as ActKillThread. + // ActKillThread kills the thread that violated the rule. // All other threads from the same thread group will continue to execute. - ActKill ScmpAction = iota + ActKillThread // ActTrap throws SIGSYS - ActTrap ScmpAction = iota + ActTrap // ActNotify triggers a userspace notification. This action is only usable when // libseccomp API level 6 or higher is supported. - ActNotify ScmpAction = iota + ActNotify // ActErrno causes the syscall to return a negative error code. This // code can be set with the SetReturnCode method - ActErrno ScmpAction = iota + ActErrno // ActTrace causes the syscall to notify tracing processes with the // given error code. This code can be set with the SetReturnCode method - ActTrace ScmpAction = iota + ActTrace // ActAllow permits the syscall to continue execution - ActAllow ScmpAction = iota + ActAllow // ActLog permits the syscall to continue execution after logging it. // This action is only usable when libseccomp API level 3 or higher is // supported. - ActLog ScmpAction = iota - // ActKillThread kills the thread that violated the rule. It is the same as ActKill. - // All other threads from the same thread group will continue to execute. - ActKillThread ScmpAction = iota + ActLog // ActKillProcess kills the process that violated the rule. // All threads in the thread group are also terminated. // This action is only usable when libseccomp API level 3 or higher is // supported. - ActKillProcess ScmpAction = iota + ActKillProcess + // ActKill kills the thread that violated the rule. + // All other threads from the same thread group will continue to execute. + // + // Deprecated: use ActKillThread + ActKill = ActKillThread ) const ( @@ -234,36 +224,35 @@ const ( CompareInvalid ScmpCompareOp = iota // CompareNotEqual returns true if the argument is not equal to the // given value - CompareNotEqual ScmpCompareOp = iota + CompareNotEqual // CompareLess returns true if the argument is less than the given value - CompareLess ScmpCompareOp = iota + CompareLess // CompareLessOrEqual returns true if the argument is less than or equal // to the given value - CompareLessOrEqual ScmpCompareOp = iota + CompareLessOrEqual // CompareEqual returns true if the argument is equal to the given value - CompareEqual ScmpCompareOp = iota + CompareEqual // CompareGreaterEqual returns true if the argument is greater than or // equal to the given value - CompareGreaterEqual ScmpCompareOp = iota + CompareGreaterEqual // CompareGreater returns true if the argument is greater than the given // value - CompareGreater ScmpCompareOp = iota - // CompareMaskedEqual returns true if the argument is equal to the given - // value, when masked (bitwise &) against the second given value - CompareMaskedEqual ScmpCompareOp = iota + CompareGreater + // CompareMaskedEqual returns true if the masked argument value is + // equal to the masked datum value. Mask is the first argument, and + // datum is the second one. + CompareMaskedEqual ) -var ( - // ErrSyscallDoesNotExist represents an error condition where - // libseccomp is unable to resolve the syscall - ErrSyscallDoesNotExist = fmt.Errorf("could not resolve syscall name") -) +// ErrSyscallDoesNotExist represents an error condition where +// libseccomp is unable to resolve the syscall +var ErrSyscallDoesNotExist = fmt.Errorf("could not resolve syscall name") const ( // Userspace notification response flags // NotifRespFlagContinue tells the kernel to continue executing the system - // call that triggered the notification. Must only be used when the notication + // call that triggered the notification. Must only be used when the notification // response's error is 0. NotifRespFlagContinue uint32 = 1 ) @@ -314,6 +303,8 @@ func GetArchFromString(arch string) (ScmpArch, error) { return ArchPARISC, nil case "parisc64": return ArchPARISC64, nil + case "riscv64": + return ArchRISCV64, nil default: return ArchInvalid, fmt.Errorf("cannot convert unrecognized string %q", arch) } @@ -358,6 +349,8 @@ func (a ScmpArch) String() string { return "parisc" case ArchPARISC64: return "parisc64" + case ArchRISCV64: + return "riscv64" case ArchNative: return "native" case ArchInvalid: @@ -394,7 +387,7 @@ func (a ScmpCompareOp) String() string { // String returns a string representation of a seccomp match action func (a ScmpAction) String() string { switch a & 0xFFFF { - case ActKill, ActKillThread: + case ActKillThread: return "Action: Kill thread" case ActKillProcess: return "Action: Kill process" @@ -556,8 +549,8 @@ func MakeCondition(arg uint, comparison ScmpCompareOp, values ...uint64) (ScmpCo return condStruct, err } - if comparison == CompareInvalid { - return condStruct, fmt.Errorf("invalid comparison operator") + if err := sanitizeCompareOp(comparison); err != nil { + return condStruct, err } else if arg > 5 { return condStruct, fmt.Errorf("syscalls only have up to 6 arguments (%d given)", arg) } else if len(values) > 2 { @@ -874,10 +867,8 @@ func (f *ScmpFilter) GetNoNewPrivsBit() (bool, error) { func (f *ScmpFilter) GetLogBit() (bool, error) { log, err := f.getFilterAttr(filterAttrLog) if err != nil { - // Ignore error, if not supported returns apiLevel == 0 - apiLevel, _ := GetAPI() - if apiLevel < 3 { - return false, fmt.Errorf("getting the log bit is only supported in libseccomp 2.4.0 and newer with API level 3 or higher") + if e := checkAPI("GetLogBit", 3, 2, 4, 0); e != nil { + err = e } return false, err @@ -899,9 +890,8 @@ func (f *ScmpFilter) GetLogBit() (bool, error) { func (f *ScmpFilter) GetSSB() (bool, error) { ssb, err := f.getFilterAttr(filterAttrSSB) if err != nil { - api, apiErr := getAPI() - if (apiErr != nil && api == 0) || (apiErr == nil && api < 4) { - return false, fmt.Errorf("getting the SSB flag is only supported in libseccomp 2.5.0 and newer with API level 4 or higher") + if e := checkAPI("GetSSB", 4, 2, 5, 0); e != nil { + err = e } return false, err @@ -914,6 +904,42 @@ func (f *ScmpFilter) GetSSB() (bool, error) { return true, nil } +// GetOptimize returns the current optimization level of the filter, +// or an error if an issue was encountered retrieving the value. +// See SetOptimize for more details. +func (f *ScmpFilter) GetOptimize() (int, error) { + level, err := f.getFilterAttr(filterAttrOptimize) + if err != nil { + if e := checkAPI("GetOptimize", 4, 2, 5, 0); e != nil { + err = e + } + + return 0, err + } + + return int(level), nil +} + +// GetRawRC returns the current state of RawRC flag, or an error +// if an issue was encountered retrieving the value. +// See SetRawRC for more details. +func (f *ScmpFilter) GetRawRC() (bool, error) { + rawrc, err := f.getFilterAttr(filterAttrRawRC) + if err != nil { + if e := checkAPI("GetRawRC", 4, 2, 5, 0); e != nil { + err = e + } + + return false, err + } + + if rawrc == 0 { + return false, nil + } + + return true, nil +} + // SetBadArchAction sets the default action taken on a syscall for an // architecture not in the filter, or an error if an issue was encountered // setting the value. @@ -953,10 +979,8 @@ func (f *ScmpFilter) SetLogBit(state bool) error { err := f.setFilterAttr(filterAttrLog, toSet) if err != nil { - // Ignore error, if not supported returns apiLevel == 0 - apiLevel, _ := GetAPI() - if apiLevel < 3 { - return fmt.Errorf("setting the log bit is only supported in libseccomp 2.4.0 and newer with API level 3 or higher") + if e := checkAPI("SetLogBit", 3, 2, 4, 0); e != nil { + err = e } } @@ -976,9 +1000,52 @@ func (f *ScmpFilter) SetSSB(state bool) error { err := f.setFilterAttr(filterAttrSSB, toSet) if err != nil { - api, apiErr := getAPI() - if (apiErr != nil && api == 0) || (apiErr == nil && api < 4) { - return fmt.Errorf("setting the SSB flag is only supported in libseccomp 2.5.0 and newer with API level 4 or higher") + if e := checkAPI("SetSSB", 4, 2, 5, 0); e != nil { + err = e + } + } + + return err +} + +// SetOptimize sets optimization level of the seccomp filter. By default +// libseccomp generates a set of sequential "if" statements for each rule in +// the filter. SetSyscallPriority can be used to prioritize the order for the +// default cause. The binary tree optimization sorts by syscall numbers and +// generates consistent O(log n) filter traversal for every rule in the filter. +// The binary tree may be advantageous for large filters. Note that +// SetSyscallPriority is ignored when level == 2. +// +// The different optimization levels are: +// 0: Reserved value, not currently used. +// 1: Rules sorted by priority and complexity (DEFAULT). +// 2: Binary tree sorted by syscall number. +func (f *ScmpFilter) SetOptimize(level int) error { + cLevel := C.uint32_t(level) + + err := f.setFilterAttr(filterAttrOptimize, cLevel) + if err != nil { + if e := checkAPI("SetOptimize", 4, 2, 5, 0); e != nil { + err = e + } + } + + return err +} + +// SetRawRC sets whether libseccomp should pass system error codes back to the +// caller, instead of the default ECANCELED. Defaults to false. +func (f *ScmpFilter) SetRawRC(state bool) error { + var toSet C.uint32_t = 0x0 + + if state { + toSet = 0x1 + } + + err := f.setFilterAttr(filterAttrRawRC, toSet) + if err != nil { + if e := checkAPI("SetRawRC", 4, 2, 5, 0); e != nil { + err = e } } @@ -1029,9 +1096,6 @@ func (f *ScmpFilter) AddRuleExact(call ScmpSyscall, action ScmpAction) error { // AddRuleConditional adds a single rule for a conditional action on a syscall. // Returns an error if an issue was encountered adding the rule. // All conditions must match for the rule to match. -// There is a bug in library versions below v2.2.1 which can, in some cases, -// cause conditions to be lost when more than one are used. Consequently, -// AddRuleConditional is disabled on library versions lower than v2.2.1 func (f *ScmpFilter) AddRuleConditional(call ScmpSyscall, action ScmpAction, conds []ScmpCondition) error { return f.addRuleGeneric(call, action, false, conds) } @@ -1043,9 +1107,6 @@ func (f *ScmpFilter) AddRuleConditional(call ScmpSyscall, action ScmpAction, con // The rule will function exactly as described, but it may not function identically // (or be able to be applied to) all architectures. // Returns an error if an issue was encountered adding the rule. -// There is a bug in library versions below v2.2.1 which can, in some cases, -// cause conditions to be lost when more than one are used. Consequently, -// AddRuleConditionalExact is disabled on library versions lower than v2.2.1 func (f *ScmpFilter) AddRuleConditionalExact(call ScmpSyscall, action ScmpAction, conds []ScmpCondition) error { return f.addRuleGeneric(call, action, true, conds) } diff --git a/cluster-autoscaler/vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go b/cluster-autoscaler/vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go index 8dc7b296f3bc..df4dfb7eba87 100644 --- a/cluster-autoscaler/vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go +++ b/cluster-autoscaler/vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go @@ -1,11 +1,10 @@ -// +build linux - // Internal functions for libseccomp Go bindings // No exported functions package seccomp import ( + "errors" "fmt" "syscall" ) @@ -27,10 +26,10 @@ import ( #include #include -#if SCMP_VER_MAJOR < 2 -#error Minimum supported version of Libseccomp is v2.2.0 -#elif SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR < 2 -#error Minimum supported version of Libseccomp is v2.2.0 +#if (SCMP_VER_MAJOR < 2) || \ + (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR < 3) || \ + (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR == 3 && SCMP_VER_MICRO < 1) +#error This package requires libseccomp >= v2.3.1 #endif #define ARCH_BAD ~0 @@ -65,6 +64,10 @@ const uint32_t C_ARCH_BAD = ARCH_BAD; #define SCMP_ARCH_PARISC64 ARCH_BAD #endif +#ifndef SCMP_ARCH_RISCV64 +#define SCMP_ARCH_RISCV64 ARCH_BAD +#endif + const uint32_t C_ARCH_NATIVE = SCMP_ARCH_NATIVE; const uint32_t C_ARCH_X86 = SCMP_ARCH_X86; const uint32_t C_ARCH_X86_64 = SCMP_ARCH_X86_64; @@ -84,6 +87,7 @@ const uint32_t C_ARCH_S390 = SCMP_ARCH_S390; const uint32_t C_ARCH_S390X = SCMP_ARCH_S390X; const uint32_t C_ARCH_PARISC = SCMP_ARCH_PARISC; const uint32_t C_ARCH_PARISC64 = SCMP_ARCH_PARISC64; +const uint32_t C_ARCH_RISCV64 = SCMP_ARCH_RISCV64; #ifndef SCMP_ACT_LOG #define SCMP_ACT_LOG 0x7ffc0000U @@ -113,20 +117,25 @@ const uint32_t C_ACT_NOTIFY = SCMP_ACT_NOTIFY; // The libseccomp SCMP_FLTATR_CTL_LOG member of the scmp_filter_attr enum was // added in v2.4.0 -#if (SCMP_VER_MAJOR < 2) || \ - (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR < 4) +#if SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR < 4 #define SCMP_FLTATR_CTL_LOG _SCMP_FLTATR_MIN #endif + +// The following SCMP_FLTATR_* were added in libseccomp v2.5.0. #if SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR < 5 -#define SCMP_FLTATR_CTL_SSB _SCMP_FLTATR_MIN +#define SCMP_FLTATR_CTL_SSB _SCMP_FLTATR_MIN +#define SCMP_FLTATR_CTL_OPTIMIZE _SCMP_FLTATR_MIN +#define SCMP_FLTATR_API_SYSRAWRC _SCMP_FLTATR_MIN #endif -const uint32_t C_ATTRIBUTE_DEFAULT = (uint32_t)SCMP_FLTATR_ACT_DEFAULT; -const uint32_t C_ATTRIBUTE_BADARCH = (uint32_t)SCMP_FLTATR_ACT_BADARCH; -const uint32_t C_ATTRIBUTE_NNP = (uint32_t)SCMP_FLTATR_CTL_NNP; -const uint32_t C_ATTRIBUTE_TSYNC = (uint32_t)SCMP_FLTATR_CTL_TSYNC; -const uint32_t C_ATTRIBUTE_LOG = (uint32_t)SCMP_FLTATR_CTL_LOG; -const uint32_t C_ATTRIBUTE_SSB = (uint32_t)SCMP_FLTATR_CTL_SSB; +const uint32_t C_ATTRIBUTE_DEFAULT = (uint32_t)SCMP_FLTATR_ACT_DEFAULT; +const uint32_t C_ATTRIBUTE_BADARCH = (uint32_t)SCMP_FLTATR_ACT_BADARCH; +const uint32_t C_ATTRIBUTE_NNP = (uint32_t)SCMP_FLTATR_CTL_NNP; +const uint32_t C_ATTRIBUTE_TSYNC = (uint32_t)SCMP_FLTATR_CTL_TSYNC; +const uint32_t C_ATTRIBUTE_LOG = (uint32_t)SCMP_FLTATR_CTL_LOG; +const uint32_t C_ATTRIBUTE_SSB = (uint32_t)SCMP_FLTATR_CTL_SSB; +const uint32_t C_ATTRIBUTE_OPTIMIZE = (uint32_t)SCMP_FLTATR_CTL_OPTIMIZE; +const uint32_t C_ATTRIBUTE_SYSRAWRC = (uint32_t)SCMP_FLTATR_API_SYSRAWRC; const int C_CMP_NE = (int)SCMP_CMP_NE; const int C_CMP_LT = (int)SCMP_CMP_LT; @@ -173,8 +182,7 @@ unsigned int get_micro_version() #endif // The libseccomp API level functions were added in v2.4.0 -#if (SCMP_VER_MAJOR < 2) || \ - (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR < 4) +#if SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR < 4 const unsigned int seccomp_api_get(void) { // libseccomp-golang requires libseccomp v2.2.0, at a minimum, which @@ -217,8 +225,7 @@ void add_struct_arg_cmp( } // The seccomp notify API functions were added in v2.5.0 -#if (SCMP_VER_MAJOR < 2) || \ - (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR < 5) +#if SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR < 5 struct seccomp_data { int nr; @@ -270,11 +277,13 @@ type scmpFilterAttr uint32 const ( filterAttrActDefault scmpFilterAttr = iota - filterAttrActBadArch scmpFilterAttr = iota - filterAttrNNP scmpFilterAttr = iota - filterAttrTsync scmpFilterAttr = iota - filterAttrLog scmpFilterAttr = iota - filterAttrSSB scmpFilterAttr = iota + filterAttrActBadArch + filterAttrNNP + filterAttrTsync + filterAttrLog + filterAttrSSB + filterAttrOptimize + filterAttrRawRC ) const ( @@ -282,9 +291,9 @@ const ( scmpError C.int = -1 // Comparison boundaries to check for architecture validity archStart ScmpArch = ArchNative - archEnd ScmpArch = ArchPARISC64 + archEnd ScmpArch = ArchRISCV64 // Comparison boundaries to check for action validity - actionStart ScmpAction = ActKill + actionStart ScmpAction = ActKillThread actionEnd ScmpAction = ActKillProcess // Comparison boundaries to check for comparison operator validity compareOpStart ScmpCompareOp = CompareNotEqual @@ -292,8 +301,9 @@ const ( ) var ( - // Error thrown on bad filter context - errBadFilter = fmt.Errorf("filter is invalid or uninitialized") + // errBadFilter is thrown on bad filter context. + errBadFilter = errors.New("filter is invalid or uninitialized") + errDefAction = errors.New("requested action matches default action of filter") // Constants representing library major, minor, and micro versions verMajor = uint(C.get_major_version()) verMinor = uint(C.get_minor_version()) @@ -302,19 +312,28 @@ var ( // Nonexported functions -// Check if library version is greater than or equal to the given one -func checkVersionAbove(major, minor, micro uint) bool { - return (verMajor > major) || +// checkVersion returns an error if the libseccomp version being used +// is less than the one specified by major, minor, and micro arguments. +// Argument op is an arbitrary non-empty operation description, which +// is used as a part of the error message returned. +// +// Most users should use checkAPI instead. +func checkVersion(op string, major, minor, micro uint) error { + if (verMajor > major) || (verMajor == major && verMinor > minor) || - (verMajor == major && verMinor == minor && verMicro >= micro) + (verMajor == major && verMinor == minor && verMicro >= micro) { + return nil + } + return &VersionError{ + op: op, + major: major, + minor: minor, + micro: micro, + } } -// Ensure that the library is supported, i.e. >= 2.2.0. func ensureSupportedVersion() error { - if !checkVersionAbove(2, 2, 0) { - return VersionError{} - } - return nil + return checkVersion("seccomp", 2, 3, 1) } // Get the API level @@ -406,8 +425,10 @@ func (f *ScmpFilter) addRuleWrapper(call ScmpSyscall, action ScmpAction, exact b switch e := errRc(retCode); e { case syscall.EFAULT: return fmt.Errorf("unrecognized syscall %#x", int32(call)) - case syscall.EPERM: - return fmt.Errorf("requested action matches default action of filter") + // libseccomp >= v2.5.0 returns EACCES, older versions return EPERM. + // TODO: remove EPERM once libseccomp < v2.5.0 is not supported. + case syscall.EPERM, syscall.EACCES: + return errDefAction case syscall.EINVAL: return fmt.Errorf("two checks on same syscall argument") default: @@ -432,14 +453,6 @@ func (f *ScmpFilter) addRuleGeneric(call ScmpSyscall, action ScmpAction, exact b return err } } else { - // We don't support conditional filtering in library version v2.1 - if !checkVersionAbove(2, 2, 1) { - return VersionError{ - message: "conditional filtering is not supported", - minimum: "2.2.1", - } - } - argsArr := C.make_arg_cmp_array(C.uint(len(conds))) if argsArr == nil { return fmt.Errorf("error allocating memory for conditions") @@ -536,6 +549,8 @@ func archFromNative(a C.uint32_t) (ScmpArch, error) { return ArchPARISC, nil case C.C_ARCH_PARISC64: return ArchPARISC64, nil + case C.C_ARCH_RISCV64: + return ArchRISCV64, nil default: return 0x0, fmt.Errorf("unrecognized architecture %#x", uint32(a)) } @@ -580,6 +595,8 @@ func (a ScmpArch) toNative() C.uint32_t { return C.C_ARCH_PARISC case ArchPARISC64: return C.C_ARCH_PARISC64 + case ArchRISCV64: + return C.C_ARCH_RISCV64 case ArchNative: return C.C_ARCH_NATIVE default: @@ -612,8 +629,6 @@ func (a ScmpCompareOp) toNative() C.int { func actionFromNative(a C.uint32_t) (ScmpAction, error) { aTmp := a & 0xFFFF switch a & 0xFFFF0000 { - case C.C_ACT_KILL: - return ActKill, nil case C.C_ACT_KILL_PROCESS: return ActKillProcess, nil case C.C_ACT_KILL_THREAD: @@ -638,8 +653,6 @@ func actionFromNative(a C.uint32_t) (ScmpAction, error) { // Only use with sanitized actions, no error handling func (a ScmpAction) toNative() C.uint32_t { switch a & 0xFFFF { - case ActKill: - return C.C_ACT_KILL case ActKillProcess: return C.C_ACT_KILL_PROCESS case ActKillThread: @@ -676,15 +689,15 @@ func (a scmpFilterAttr) toNative() uint32 { return uint32(C.C_ATTRIBUTE_LOG) case filterAttrSSB: return uint32(C.C_ATTRIBUTE_SSB) + case filterAttrOptimize: + return uint32(C.C_ATTRIBUTE_OPTIMIZE) + case filterAttrRawRC: + return uint32(C.C_ATTRIBUTE_SYSRAWRC) default: return 0x0 } } -func (a ScmpSyscall) toNative() C.uint32_t { - return C.uint32_t(a) -} - func syscallFromNative(a C.int) ScmpSyscall { return ScmpSyscall(a) } @@ -724,9 +737,34 @@ func (scmpResp *ScmpNotifResp) toNative(resp *C.struct_seccomp_notif_resp) { resp.flags = C.__u32(scmpResp.Flags) } +// checkAPI checks that both the API level and the seccomp version is equal to +// or greater than the specified minLevel and major, minor, micro, +// respectively, and returns an error otherwise. Argument op is an arbitrary +// non-empty operation description, used as a part of the error message +// returned. +func checkAPI(op string, minLevel uint, major, minor, micro uint) error { + // Ignore error from getAPI, as it returns level == 0 in case of error. + level, _ := getAPI() + if level >= minLevel { + return checkVersion(op, major, minor, micro) + } + return &VersionError{ + op: op, + curAPI: level, + minAPI: minLevel, + major: major, + minor: minor, + micro: micro, + } +} + // Userspace Notification API // Calls to C.seccomp_notify* hidden from seccomp.go +func notifSupported() error { + return checkAPI("seccomp notification", 6, 2, 5, 0) +} + func (f *ScmpFilter) getNotifFd() (ScmpFd, error) { f.lock.Lock() defer f.lock.Unlock() @@ -734,11 +772,8 @@ func (f *ScmpFilter) getNotifFd() (ScmpFd, error) { if !f.valid { return -1, errBadFilter } - - // Ignore error, if not supported returns apiLevel == 0 - apiLevel, _ := GetAPI() - if apiLevel < 6 { - return -1, fmt.Errorf("seccomp notification requires API level >= 6; current level = %d", apiLevel) + if err := notifSupported(); err != nil { + return -1, err } fd := C.seccomp_notify_fd(f.filterCtx) @@ -750,10 +785,8 @@ func notifReceive(fd ScmpFd) (*ScmpNotifReq, error) { var req *C.struct_seccomp_notif var resp *C.struct_seccomp_notif_resp - // Ignore error, if not supported returns apiLevel == 0 - apiLevel, _ := GetAPI() - if apiLevel < 6 { - return nil, fmt.Errorf("seccomp notification requires API level >= 6; current level = %d", apiLevel) + if err := notifSupported(); err != nil { + return nil, err } // we only use the request here; the response is unused @@ -789,13 +822,11 @@ func notifRespond(fd ScmpFd, scmpResp *ScmpNotifResp) error { var req *C.struct_seccomp_notif var resp *C.struct_seccomp_notif_resp - // Ignore error, if not supported returns apiLevel == 0 - apiLevel, _ := GetAPI() - if apiLevel < 6 { - return fmt.Errorf("seccomp notification requires API level >= 6; current level = %d", apiLevel) + if err := notifSupported(); err != nil { + return err } - // we only use the reponse here; the request is discarded + // we only use the response here; the request is discarded if retCode := C.seccomp_notify_alloc(&req, &resp); retCode != 0 { return errRc(retCode) } @@ -827,10 +858,8 @@ func notifRespond(fd ScmpFd, scmpResp *ScmpNotifResp) error { } func notifIDValid(fd ScmpFd, id uint64) error { - // Ignore error, if not supported returns apiLevel == 0 - apiLevel, _ := GetAPI() - if apiLevel < 6 { - return fmt.Errorf("seccomp notification requires API level >= 6; current level = %d", apiLevel) + if err := notifSupported(); err != nil { + return err } for { diff --git a/cluster-autoscaler/vendor/golang.org/x/net/html/doc.go b/cluster-autoscaler/vendor/golang.org/x/net/html/doc.go index 822ed42a04c1..7a96eae3310e 100644 --- a/cluster-autoscaler/vendor/golang.org/x/net/html/doc.go +++ b/cluster-autoscaler/vendor/golang.org/x/net/html/doc.go @@ -92,6 +92,21 @@ example, to process each anchor node in depth-first order: The relevant specifications include: https://html.spec.whatwg.org/multipage/syntax.html and https://html.spec.whatwg.org/multipage/syntax.html#tokenization + +# Security Considerations + +Care should be taken when parsing and interpreting HTML, whether full documents +or fragments, within the framework of the HTML specification, especially with +regard to untrusted inputs. + +This package provides both a tokenizer and a parser. Only the parser constructs +a DOM according to the HTML specification, resolving malformed and misplaced +tags where appropriate. The tokenizer simply tokenizes the HTML presented to it, +and as such does not resolve issues that may exist in the processed HTML, +producing a literal interpretation of the input. + +If your use case requires semantically well-formed HTML, as defined by the +WHATWG specifiction, the parser should be used rather than the tokenizer. */ package html // import "golang.org/x/net/html" diff --git a/cluster-autoscaler/vendor/golang.org/x/net/html/escape.go b/cluster-autoscaler/vendor/golang.org/x/net/html/escape.go index d8561396200e..04c6bec21073 100644 --- a/cluster-autoscaler/vendor/golang.org/x/net/html/escape.go +++ b/cluster-autoscaler/vendor/golang.org/x/net/html/escape.go @@ -193,6 +193,87 @@ func lower(b []byte) []byte { return b } +// escapeComment is like func escape but escapes its input bytes less often. +// Per https://github.com/golang/go/issues/58246 some HTML comments are (1) +// meaningful and (2) contain angle brackets that we'd like to avoid escaping +// unless we have to. +// +// "We have to" includes the '&' byte, since that introduces other escapes. +// +// It also includes those bytes (not including EOF) that would otherwise end +// the comment. Per the summary table at the bottom of comment_test.go, this is +// the '>' byte that, per above, we'd like to avoid escaping unless we have to. +// +// Studying the summary table (and T actions in its '>' column) closely, we +// only need to escape in states 43, 44, 49, 51 and 52. State 43 is at the +// start of the comment data. State 52 is after a '!'. The other three states +// are after a '-'. +// +// Our algorithm is thus to escape every '&' and to escape '>' if and only if: +// - The '>' is after a '!' or '-' (in the unescaped data) or +// - The '>' is at the start of the comment data (after the opening ""); err != nil { diff --git a/cluster-autoscaler/vendor/golang.org/x/net/html/token.go b/cluster-autoscaler/vendor/golang.org/x/net/html/token.go index 50f7c6aac8de..5c2a1f4efa55 100644 --- a/cluster-autoscaler/vendor/golang.org/x/net/html/token.go +++ b/cluster-autoscaler/vendor/golang.org/x/net/html/token.go @@ -110,7 +110,7 @@ func (t Token) String() string { case SelfClosingTagToken: return "<" + t.tagString() + "/>" case CommentToken: - return "" + return "" case DoctypeToken: return "" } @@ -598,10 +598,10 @@ scriptDataDoubleEscapeEnd: // readComment reads the next comment token starting with " Ready -----> Stopped +// +// | ^ +// └---------------------------┘ +type ready struct { + state status // represent the state of the variable + lock sync.RWMutex // protect the state variable + restartLock sync.Mutex // protect the transition from ready to pending where the channel is recreated + waitCh chan struct{} // blocks until is ready or stopped +} + +func newReady() *ready { + return &ready{ + waitCh: make(chan struct{}), + state: Pending, + } +} + +// done close the channel once the state is Ready or Stopped +func (r *ready) done() chan struct{} { + r.restartLock.Lock() + defer r.restartLock.Unlock() + return r.waitCh +} + +// wait blocks until it is Ready or Stopped, it returns an error if is Stopped. +func (r *ready) wait(ctx context.Context) error { + for { + // r.done() only blocks if state is Pending + select { + case <-ctx.Done(): + return ctx.Err() + case <-r.done(): + } + + r.lock.RLock() + switch r.state { + case Pending: + // since we allow to switch between the states Pending and Ready + // if there is a quick transition from Pending -> Ready -> Pending + // a process that was waiting can get unblocked and see a Pending + // state again. If the state is Pending we have to wait again to + // avoid an inconsistent state on the system, with some processes not + // waiting despite the state moved back to Pending. + r.lock.RUnlock() + case Ready: + r.lock.RUnlock() + return nil + case Stopped: + r.lock.RUnlock() + return fmt.Errorf("apiserver cacher is stopped") + default: + r.lock.RUnlock() + return fmt.Errorf("unexpected apiserver cache state: %v", r.state) + } + } +} + +// check returns true only if it is Ready. +func (r *ready) check() bool { + r.lock.RLock() + defer r.lock.RUnlock() + return r.state == Ready +} + +// set the state to Pending (false) or Ready (true), it does not have effect if the state is Stopped. +func (r *ready) set(ok bool) { + r.lock.Lock() + defer r.lock.Unlock() + if r.state == Stopped { + return + } + if ok && r.state == Pending { + r.state = Ready + select { + case <-r.waitCh: + default: + close(r.waitCh) + } + } else if !ok && r.state == Ready { + // creating the waitCh can be racy if + // something enter the wait() method + select { + case <-r.waitCh: + r.restartLock.Lock() + r.waitCh = make(chan struct{}) + r.restartLock.Unlock() + default: + } + r.state = Pending + } +} + +// stop the condition variable and set it as Stopped. This state is irreversible. +func (r *ready) stop() { + r.lock.Lock() + defer r.lock.Unlock() + if r.state != Stopped { + r.state = Stopped + } + select { + case <-r.waitCh: + default: + close(r.waitCh) + } +} diff --git a/cluster-autoscaler/vendor/k8s.io/client-go/tools/cache/controller.go b/cluster-autoscaler/vendor/k8s.io/client-go/tools/cache/controller.go index 0762da3befac..96005ff58535 100644 --- a/cluster-autoscaler/vendor/k8s.io/client-go/tools/cache/controller.go +++ b/cluster-autoscaler/vendor/k8s.io/client-go/tools/cache/controller.go @@ -353,17 +353,6 @@ func NewIndexerInformer( return clientState, newInformer(lw, objType, resyncPeriod, h, clientState, nil) } -// TransformFunc allows for transforming an object before it will be processed -// and put into the controller cache and before the corresponding handlers will -// be called on it. -// TransformFunc (similarly to ResourceEventHandler functions) should be able -// to correctly handle the tombstone of type cache.DeletedFinalStateUnknown -// -// The most common usage pattern is to clean-up some parts of the object to -// reduce component memory usage if a given component doesn't care about them. -// given controller doesn't care for them -type TransformFunc func(interface{}) (interface{}, error) - // NewTransformingInformer returns a Store and a controller for populating // the store while also providing event notifications. You should only used // the returned Store for Get/List operations; Add/Modify/Deletes will cause @@ -411,19 +400,11 @@ func processDeltas( // Object which receives event notifications from the given deltas handler ResourceEventHandler, clientState Store, - transformer TransformFunc, deltas Deltas, ) error { // from oldest to newest for _, d := range deltas { obj := d.Object - if transformer != nil { - var err error - obj, err = transformer(obj) - if err != nil { - return err - } - } switch d.Type { case Sync, Replaced, Added, Updated: @@ -475,6 +456,7 @@ func newInformer( fifo := NewDeltaFIFOWithOptions(DeltaFIFOOptions{ KnownObjects: clientState, EmitDeltaTypeReplaced: true, + Transformer: transformer, }) cfg := &Config{ @@ -486,7 +468,7 @@ func newInformer( Process: func(obj interface{}) error { if deltas, ok := obj.(Deltas); ok { - return processDeltas(h, clientState, transformer, deltas) + return processDeltas(h, clientState, deltas) } return errors.New("object given as Process argument is not Deltas") }, diff --git a/cluster-autoscaler/vendor/k8s.io/client-go/tools/cache/delta_fifo.go b/cluster-autoscaler/vendor/k8s.io/client-go/tools/cache/delta_fifo.go index 0c13a41f065b..84f3ab9ca13f 100644 --- a/cluster-autoscaler/vendor/k8s.io/client-go/tools/cache/delta_fifo.go +++ b/cluster-autoscaler/vendor/k8s.io/client-go/tools/cache/delta_fifo.go @@ -51,6 +51,10 @@ type DeltaFIFOOptions struct { // When true, `Replaced` events will be sent for items passed to a Replace() call. // When false, `Sync` events will be sent instead. EmitDeltaTypeReplaced bool + + // If set, will be called for objects before enqueueing them. Please + // see the comment on TransformFunc for details. + Transformer TransformFunc } // DeltaFIFO is like FIFO, but differs in two ways. One is that the @@ -129,8 +133,32 @@ type DeltaFIFO struct { // emitDeltaTypeReplaced is whether to emit the Replaced or Sync // DeltaType when Replace() is called (to preserve backwards compat). emitDeltaTypeReplaced bool + + // Called with every object if non-nil. + transformer TransformFunc } +// TransformFunc allows for transforming an object before it will be processed. +// TransformFunc (similarly to ResourceEventHandler functions) should be able +// to correctly handle the tombstone of type cache.DeletedFinalStateUnknown. +// +// New in v1.27: In such cases, the contained object will already have gone +// through the transform object separately (when it was added / updated prior +// to the delete), so the TransformFunc can likely safely ignore such objects +// (i.e., just return the input object). +// +// The most common usage pattern is to clean-up some parts of the object to +// reduce component memory usage if a given component doesn't care about them. +// +// New in v1.27: unless the object is a DeletedFinalStateUnknown, TransformFunc +// sees the object before any other actor, and it is now safe to mutate the +// object in place instead of making a copy. +// +// Note that TransformFunc is called while inserting objects into the +// notification queue and is therefore extremely performance sensitive; please +// do not do anything that will take a long time. +type TransformFunc func(interface{}) (interface{}, error) + // DeltaType is the type of a change (addition, deletion, etc) type DeltaType string @@ -227,6 +255,7 @@ func NewDeltaFIFOWithOptions(opts DeltaFIFOOptions) *DeltaFIFO { knownObjects: opts.KnownObjects, emitDeltaTypeReplaced: opts.EmitDeltaTypeReplaced, + transformer: opts.Transformer, } f.cond.L = &f.lock return f @@ -411,6 +440,21 @@ func (f *DeltaFIFO) queueActionLocked(actionType DeltaType, obj interface{}) err if err != nil { return KeyError{obj, err} } + + // Every object comes through this code path once, so this is a good + // place to call the transform func. If obj is a + // DeletedFinalStateUnknown tombstone, then the containted inner object + // will already have gone through the transformer, but we document that + // this can happen. In cases involving Replace(), such an object can + // come through multiple times. + if f.transformer != nil { + var err error + obj, err = f.transformer(obj) + if err != nil { + return err + } + } + oldDeltas := f.items[id] newDeltas := append(oldDeltas, Delta{actionType, obj}) newDeltas = dedupDeltas(newDeltas) @@ -566,12 +610,11 @@ func (f *DeltaFIFO) Pop(process PopProcessFunc) (interface{}, error) { // using the Sync or Replace DeltaType and then (2) it does some deletions. // In particular: for every pre-existing key K that is not the key of // an object in `list` there is the effect of -// `Delete(DeletedFinalStateUnknown{K, O})` where O is current object -// of K. If `f.knownObjects == nil` then the pre-existing keys are -// those in `f.items` and the current object of K is the `.Newest()` -// of the Deltas associated with K. Otherwise the pre-existing keys -// are those listed by `f.knownObjects` and the current object of K is -// what `f.knownObjects.GetByKey(K)` returns. +// `Delete(DeletedFinalStateUnknown{K, O})` where O is the latest known +// object of K. The pre-existing keys are those in the union set of the keys in +// `f.items` and `f.knownObjects` (if not nil). The last known object for key K is +// the one present in the last delta in `f.items`. If there is no delta for K +// in `f.items`, it is the object in `f.knownObjects` func (f *DeltaFIFO) Replace(list []interface{}, _ string) error { f.lock.Lock() defer f.lock.Unlock() @@ -595,51 +638,23 @@ func (f *DeltaFIFO) Replace(list []interface{}, _ string) error { } } - if f.knownObjects == nil { - // Do deletion detection against our own list. - queuedDeletions := 0 - for k, oldItem := range f.items { - if keys.Has(k) { - continue - } - // Delete pre-existing items not in the new list. - // This could happen if watch deletion event was missed while - // disconnected from apiserver. - var deletedObj interface{} - if n := oldItem.Newest(); n != nil { - deletedObj = n.Object - } - queuedDeletions++ - if err := f.queueActionLocked(Deleted, DeletedFinalStateUnknown{k, deletedObj}); err != nil { - return err - } - } - - if !f.populated { - f.populated = true - // While there shouldn't be any queued deletions in the initial - // population of the queue, it's better to be on the safe side. - f.initialPopulationCount = keys.Len() + queuedDeletions - } - - return nil - } - - // Detect deletions not already in the queue. - knownKeys := f.knownObjects.ListKeys() + // Do deletion detection against objects in the queue queuedDeletions := 0 - for _, k := range knownKeys { + for k, oldItem := range f.items { if keys.Has(k) { continue } - - deletedObj, exists, err := f.knownObjects.GetByKey(k) - if err != nil { - deletedObj = nil - klog.Errorf("Unexpected error %v during lookup of key %v, placing DeleteFinalStateUnknown marker without object", err, k) - } else if !exists { - deletedObj = nil - klog.Infof("Key %v does not exist in known objects store, placing DeleteFinalStateUnknown marker without object", k) + // Delete pre-existing items not in the new list. + // This could happen if watch deletion event was missed while + // disconnected from apiserver. + var deletedObj interface{} + if n := oldItem.Newest(); n != nil { + deletedObj = n.Object + + // if the previous object is a DeletedFinalStateUnknown, we have to extract the actual Object + if d, ok := deletedObj.(DeletedFinalStateUnknown); ok { + deletedObj = d.Obj + } } queuedDeletions++ if err := f.queueActionLocked(Deleted, DeletedFinalStateUnknown{k, deletedObj}); err != nil { @@ -647,6 +662,32 @@ func (f *DeltaFIFO) Replace(list []interface{}, _ string) error { } } + if f.knownObjects != nil { + // Detect deletions for objects not present in the queue, but present in KnownObjects + knownKeys := f.knownObjects.ListKeys() + for _, k := range knownKeys { + if keys.Has(k) { + continue + } + if len(f.items[k]) > 0 { + continue + } + + deletedObj, exists, err := f.knownObjects.GetByKey(k) + if err != nil { + deletedObj = nil + klog.Errorf("Unexpected error %v during lookup of key %v, placing DeleteFinalStateUnknown marker without object", err, k) + } else if !exists { + deletedObj = nil + klog.Infof("Key %v does not exist in known objects store, placing DeleteFinalStateUnknown marker without object", k) + } + queuedDeletions++ + if err := f.queueActionLocked(Deleted, DeletedFinalStateUnknown{k, deletedObj}); err != nil { + return err + } + } + } + if !f.populated { f.populated = true f.initialPopulationCount = keys.Len() + queuedDeletions diff --git a/cluster-autoscaler/vendor/k8s.io/client-go/tools/cache/shared_informer.go b/cluster-autoscaler/vendor/k8s.io/client-go/tools/cache/shared_informer.go index 9f42782d1792..35ebd396cc55 100644 --- a/cluster-autoscaler/vendor/k8s.io/client-go/tools/cache/shared_informer.go +++ b/cluster-autoscaler/vendor/k8s.io/client-go/tools/cache/shared_informer.go @@ -190,10 +190,7 @@ type SharedInformer interface { // // Must be set before starting the informer. // - // Note: Since the object given to the handler may be already shared with - // other goroutines, it is advisable to copy the object being - // transform before mutating it at all and returning the copy to prevent - // data races. + // Please see the comment on TransformFunc for more details. SetTransform(handler TransformFunc) error } @@ -404,6 +401,7 @@ func (s *sharedIndexInformer) Run(stopCh <-chan struct{}) { fifo := NewDeltaFIFOWithOptions(DeltaFIFOOptions{ KnownObjects: s.indexer, EmitDeltaTypeReplaced: true, + Transformer: s.transform, }) cfg := &Config{ @@ -568,7 +566,7 @@ func (s *sharedIndexInformer) HandleDeltas(obj interface{}) error { defer s.blockDeltas.Unlock() if deltas, ok := obj.(Deltas); ok { - return processDeltas(s, s.indexer, s.transform, deltas) + return processDeltas(s, s.indexer, deltas) } return errors.New("object given as Process argument is not Deltas") } diff --git a/cluster-autoscaler/vendor/k8s.io/cloud-provider/cloud.go b/cluster-autoscaler/vendor/k8s.io/cloud-provider/cloud.go index 44c62ccc03a1..7e7bf9dfab89 100644 --- a/cluster-autoscaler/vendor/k8s.io/cloud-provider/cloud.go +++ b/cluster-autoscaler/vendor/k8s.io/cloud-provider/cloud.go @@ -218,6 +218,11 @@ type Route struct { Name string // TargetNode is the NodeName of the target instance. TargetNode types.NodeName + // EnableNodeAddresses is a feature gate for TargetNodeAddresses. If false, ignore TargetNodeAddresses. + // Without this, if users haven't updated their cloud-provider, reconcile() will delete and create same route every time. + EnableNodeAddresses bool + // TargetNodeAddresses are the Node IPs of the target Node. + TargetNodeAddresses []v1.NodeAddress // DestinationCIDR is the CIDR format IP range that this routing rule // applies to. DestinationCIDR string diff --git a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/apis/core/types.go b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/apis/core/types.go index ef1bb6c682d2..71ba8bf94820 100644 --- a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/apis/core/types.go +++ b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/apis/core/types.go @@ -2003,7 +2003,8 @@ type SecretEnvSource struct { // HTTPHeader describes a custom header to be used in HTTP probes type HTTPHeader struct { - // The header field name + // The header field name. + // This will be canonicalized upon output, so case-variant names will be understood as the same header. Name string // The header field value Value string diff --git a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/kubelet/kubelet_getters.go b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/kubelet/kubelet_getters.go index a963409a1831..ea719d1dddd6 100644 --- a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/kubelet/kubelet_getters.go +++ b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/kubelet/kubelet_getters.go @@ -170,11 +170,14 @@ func (kl *Kubelet) GetPods() []*v1.Pod { pods := kl.podManager.GetPods() // a kubelet running without apiserver requires an additional // update of the static pod status. See #57106 - for _, p := range pods { + for i, p := range pods { if kubelettypes.IsStaticPod(p) { if status, ok := kl.statusManager.GetPodStatus(p.UID); ok { klog.V(2).InfoS("Pod status updated", "pod", klog.KObj(p), "status", status.Phase) + // do not mutate the cache + p = p.DeepCopy() p.Status = status + pods[i] = p } } } diff --git a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/kubelet/kuberuntime/helpers.go b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/kubelet/kuberuntime/helpers.go index de289836a8bf..6138fc958d74 100644 --- a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/kubelet/kuberuntime/helpers.go +++ b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/kubelet/kuberuntime/helpers.go @@ -210,28 +210,32 @@ func toKubeRuntimeStatus(status *runtimeapi.RuntimeStatus) *kubecontainer.Runtim return &kubecontainer.RuntimeStatus{Conditions: conditions} } -func fieldProfile(scmp *v1.SeccompProfile, profileRootPath string, fallbackToRuntimeDefault bool) string { +func fieldProfile(scmp *v1.SeccompProfile, profileRootPath string, fallbackToRuntimeDefault bool) (string, error) { if scmp == nil { if fallbackToRuntimeDefault { - return v1.SeccompProfileRuntimeDefault + return v1.SeccompProfileRuntimeDefault, nil } - return "" + return "", nil } if scmp.Type == v1.SeccompProfileTypeRuntimeDefault { - return v1.SeccompProfileRuntimeDefault - } - if scmp.Type == v1.SeccompProfileTypeLocalhost && scmp.LocalhostProfile != nil && len(*scmp.LocalhostProfile) > 0 { - fname := filepath.Join(profileRootPath, *scmp.LocalhostProfile) - return v1.SeccompLocalhostProfileNamePrefix + fname + return v1.SeccompProfileRuntimeDefault, nil + } + if scmp.Type == v1.SeccompProfileTypeLocalhost { + if scmp.LocalhostProfile != nil && len(*scmp.LocalhostProfile) > 0 { + fname := filepath.Join(profileRootPath, *scmp.LocalhostProfile) + return v1.SeccompLocalhostProfileNamePrefix + fname, nil + } else { + return "", fmt.Errorf("localhostProfile must be set if seccompProfile type is Localhost.") + } } if scmp.Type == v1.SeccompProfileTypeUnconfined { - return v1.SeccompProfileNameUnconfined + return v1.SeccompProfileNameUnconfined, nil } if fallbackToRuntimeDefault { - return v1.SeccompProfileRuntimeDefault + return v1.SeccompProfileRuntimeDefault, nil } - return "" + return "", nil } func annotationProfile(profile, profileRootPath string) string { @@ -244,7 +248,7 @@ func annotationProfile(profile, profileRootPath string) string { } func (m *kubeGenericRuntimeManager) getSeccompProfilePath(annotations map[string]string, containerName string, - podSecContext *v1.PodSecurityContext, containerSecContext *v1.SecurityContext, fallbackToRuntimeDefault bool) string { + podSecContext *v1.PodSecurityContext, containerSecContext *v1.SecurityContext, fallbackToRuntimeDefault bool) (string, error) { // container fields are applied first if containerSecContext != nil && containerSecContext.SeccompProfile != nil { return fieldProfile(containerSecContext.SeccompProfile, m.seccompProfileRoot, fallbackToRuntimeDefault) @@ -253,7 +257,7 @@ func (m *kubeGenericRuntimeManager) getSeccompProfilePath(annotations map[string // if container field does not exist, try container annotation (deprecated) if containerName != "" { if profile, ok := annotations[v1.SeccompContainerAnnotationKeyPrefix+containerName]; ok { - return annotationProfile(profile, m.seccompProfileRoot) + return annotationProfile(profile, m.seccompProfileRoot), nil } } @@ -264,46 +268,50 @@ func (m *kubeGenericRuntimeManager) getSeccompProfilePath(annotations map[string // as last resort, try to apply pod annotation (deprecated) if profile, ok := annotations[v1.SeccompPodAnnotationKey]; ok { - return annotationProfile(profile, m.seccompProfileRoot) + return annotationProfile(profile, m.seccompProfileRoot), nil } if fallbackToRuntimeDefault { - return v1.SeccompProfileRuntimeDefault + return v1.SeccompProfileRuntimeDefault, nil } - return "" + return "", nil } -func fieldSeccompProfile(scmp *v1.SeccompProfile, profileRootPath string, fallbackToRuntimeDefault bool) *runtimeapi.SecurityProfile { +func fieldSeccompProfile(scmp *v1.SeccompProfile, profileRootPath string, fallbackToRuntimeDefault bool) (*runtimeapi.SecurityProfile, error) { if scmp == nil { if fallbackToRuntimeDefault { return &runtimeapi.SecurityProfile{ ProfileType: runtimeapi.SecurityProfile_RuntimeDefault, - } + }, nil } return &runtimeapi.SecurityProfile{ ProfileType: runtimeapi.SecurityProfile_Unconfined, - } + }, nil } if scmp.Type == v1.SeccompProfileTypeRuntimeDefault { return &runtimeapi.SecurityProfile{ ProfileType: runtimeapi.SecurityProfile_RuntimeDefault, - } + }, nil } - if scmp.Type == v1.SeccompProfileTypeLocalhost && scmp.LocalhostProfile != nil && len(*scmp.LocalhostProfile) > 0 { - fname := filepath.Join(profileRootPath, *scmp.LocalhostProfile) - return &runtimeapi.SecurityProfile{ - ProfileType: runtimeapi.SecurityProfile_Localhost, - LocalhostRef: fname, + if scmp.Type == v1.SeccompProfileTypeLocalhost { + if scmp.LocalhostProfile != nil && len(*scmp.LocalhostProfile) > 0 { + fname := filepath.Join(profileRootPath, *scmp.LocalhostProfile) + return &runtimeapi.SecurityProfile{ + ProfileType: runtimeapi.SecurityProfile_Localhost, + LocalhostRef: fname, + }, nil + } else { + return nil, fmt.Errorf("localhostProfile must be set if seccompProfile type is Localhost.") } } return &runtimeapi.SecurityProfile{ ProfileType: runtimeapi.SecurityProfile_Unconfined, - } + }, nil } func (m *kubeGenericRuntimeManager) getSeccompProfile(annotations map[string]string, containerName string, - podSecContext *v1.PodSecurityContext, containerSecContext *v1.SecurityContext, fallbackToRuntimeDefault bool) *runtimeapi.SecurityProfile { + podSecContext *v1.PodSecurityContext, containerSecContext *v1.SecurityContext, fallbackToRuntimeDefault bool) (*runtimeapi.SecurityProfile, error) { // container fields are applied first if containerSecContext != nil && containerSecContext.SeccompProfile != nil { return fieldSeccompProfile(containerSecContext.SeccompProfile, m.seccompProfileRoot, fallbackToRuntimeDefault) @@ -317,12 +325,12 @@ func (m *kubeGenericRuntimeManager) getSeccompProfile(annotations map[string]str if fallbackToRuntimeDefault { return &runtimeapi.SecurityProfile{ ProfileType: runtimeapi.SecurityProfile_RuntimeDefault, - } + }, nil } return &runtimeapi.SecurityProfile{ ProfileType: runtimeapi.SecurityProfile_Unconfined, - } + }, nil } func ipcNamespaceForPod(pod *v1.Pod) runtimeapi.NamespaceMode { diff --git a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/kubelet/kuberuntime/kuberuntime_container_linux.go b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/kubelet/kuberuntime/kuberuntime_container_linux.go index 25917803b1ce..1e9a2377b510 100644 --- a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/kubelet/kuberuntime/kuberuntime_container_linux.go +++ b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/kubelet/kuberuntime/kuberuntime_container_linux.go @@ -45,15 +45,23 @@ func (m *kubeGenericRuntimeManager) applyPlatformSpecificContainerConfig(config libcontainercgroups.IsCgroup2UnifiedMode() { enforceMemoryQoS = true } - config.Linux = m.generateLinuxContainerConfig(container, pod, uid, username, nsTarget, enforceMemoryQoS) + cl, err := m.generateLinuxContainerConfig(container, pod, uid, username, nsTarget, enforceMemoryQoS) + if err != nil { + return err + } + config.Linux = cl return nil } // generateLinuxContainerConfig generates linux container config for kubelet runtime v1. -func (m *kubeGenericRuntimeManager) generateLinuxContainerConfig(container *v1.Container, pod *v1.Pod, uid *int64, username string, nsTarget *kubecontainer.ContainerID, enforceMemoryQoS bool) *runtimeapi.LinuxContainerConfig { +func (m *kubeGenericRuntimeManager) generateLinuxContainerConfig(container *v1.Container, pod *v1.Pod, uid *int64, username string, nsTarget *kubecontainer.ContainerID, enforceMemoryQoS bool) (*runtimeapi.LinuxContainerConfig, error) { + sc, err := m.determineEffectiveSecurityContext(pod, container, uid, username) + if err != nil { + return nil, err + } lc := &runtimeapi.LinuxContainerConfig{ Resources: &runtimeapi.LinuxContainerResources{}, - SecurityContext: m.determineEffectiveSecurityContext(pod, container, uid, username), + SecurityContext: sc, } if nsTarget != nil && lc.SecurityContext.NamespaceOptions.Pid == runtimeapi.NamespaceMode_CONTAINER { @@ -124,7 +132,7 @@ func (m *kubeGenericRuntimeManager) generateLinuxContainerConfig(container *v1.C } } - return lc + return lc, nil } // calculateLinuxResources will create the linuxContainerResources type based on the provided CPU and memory resource requests, limits diff --git a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/kubelet/kuberuntime/security_context.go b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/kubelet/kuberuntime/security_context.go index c9d33e44305f..3b575c8e9748 100644 --- a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/kubelet/kuberuntime/security_context.go +++ b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/kubelet/kuberuntime/security_context.go @@ -24,7 +24,7 @@ import ( ) // determineEffectiveSecurityContext gets container's security context from v1.Pod and v1.Container. -func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Pod, container *v1.Container, uid *int64, username string) *runtimeapi.LinuxContainerSecurityContext { +func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Pod, container *v1.Container, uid *int64, username string) (*runtimeapi.LinuxContainerSecurityContext, error) { effectiveSc := securitycontext.DetermineEffectiveSecurityContext(pod, container) synthesized := convertToRuntimeSecurityContext(effectiveSc) if synthesized == nil { @@ -36,9 +36,16 @@ func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Po // TODO: Deprecated, remove after we switch to Seccomp field // set SeccompProfilePath. - synthesized.SeccompProfilePath = m.getSeccompProfilePath(pod.Annotations, container.Name, pod.Spec.SecurityContext, container.SecurityContext, m.seccompDefault) + var err error + synthesized.SeccompProfilePath, err = m.getSeccompProfilePath(pod.Annotations, container.Name, pod.Spec.SecurityContext, container.SecurityContext, m.seccompDefault) + if err != nil { + return nil, err + } - synthesized.Seccomp = m.getSeccompProfile(pod.Annotations, container.Name, pod.Spec.SecurityContext, container.SecurityContext, m.seccompDefault) + synthesized.Seccomp, err = m.getSeccompProfile(pod.Annotations, container.Name, pod.Spec.SecurityContext, container.SecurityContext, m.seccompDefault) + if err != nil { + return nil, err + } // set ApparmorProfile. synthesized.ApparmorProfile = apparmor.GetProfileNameFromPodAnnotations(pod.Annotations, container.Name) @@ -74,7 +81,7 @@ func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Po synthesized.MaskedPaths = securitycontext.ConvertToRuntimeMaskedPaths(effectiveSc.ProcMount) synthesized.ReadonlyPaths = securitycontext.ConvertToRuntimeReadonlyPaths(effectiveSc.ProcMount) - return synthesized + return synthesized, nil } // convertToRuntimeSecurityContext converts v1.SecurityContext to runtimeapi.SecurityContext. diff --git a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/kubelet/prober/prober.go b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/kubelet/prober/prober.go index 3fef2b022edd..d56709b02b3e 100644 --- a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/kubelet/prober/prober.go +++ b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/kubelet/prober/prober.go @@ -152,7 +152,7 @@ func (pb *prober) runProbeWithRetries(probeType probeType, p *v1.Probe, pod *v1. func buildHeader(headerList []v1.HTTPHeader) http.Header { headers := make(http.Header) for _, header := range headerList { - headers[header.Name] = append(headers[header.Name], header.Value) + headers.Add(header.Name, header.Value) } return headers } diff --git a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/scheduler/framework/preemption/preemption.go b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/scheduler/framework/preemption/preemption.go index d1c1f8329de1..885f3de3503c 100644 --- a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/scheduler/framework/preemption/preemption.go +++ b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/scheduler/framework/preemption/preemption.go @@ -340,9 +340,13 @@ func (ev *Evaluator) prepareCandidate(c Candidate, pod *v1.Pod, pluginName strin // Otherwise we should delete the victim. if waitingPod := fh.GetWaitingPod(victim.UID); waitingPod != nil { waitingPod.Reject(pluginName, "preempted") - } else if err := util.DeletePod(cs, victim); err != nil { - klog.ErrorS(err, "Preempting pod", "pod", klog.KObj(victim), "preemptor", klog.KObj(pod)) - return framework.AsStatus(err) + klog.V(2).InfoS("Preemptor pod rejected a waiting pod", "preemptor", klog.KObj(pod), "waitingPod", klog.KObj(victim), "node", c.Name()) + } else { + if err := util.DeletePod(cs, victim); err != nil { + klog.ErrorS(err, "Preempting pod", "pod", klog.KObj(victim), "preemptor", klog.KObj(pod)) + return framework.AsStatus(err) + } + klog.V(2).InfoS("Preemptor Pod preempted victim Pod", "preemptor", klog.KObj(pod), "victim", klog.KObj(victim), "node", c.Name()) } fh.EventRecorder().Eventf(victim, pod, v1.EventTypeNormal, "Preempted", "Preempting", "Preempted by a pod on node %v", c.Name()) } diff --git a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/awsebs/aws_ebs.go b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/awsebs/aws_ebs.go index 6d4752d17a70..b02cbea3c343 100644 --- a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/awsebs/aws_ebs.go +++ b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/awsebs/aws_ebs.go @@ -422,7 +422,7 @@ func (b *awsElasticBlockStoreMounter) SetUpAt(dir string, mounterArgs volume.Mou } if !b.readOnly { - volume.SetVolumeOwnership(b, mounterArgs.FsGroup, mounterArgs.FSGroupChangePolicy, util.FSGroupCompleteHook(b.plugin, nil)) + volume.SetVolumeOwnership(b, dir, mounterArgs.FsGroup, mounterArgs.FSGroupChangePolicy, util.FSGroupCompleteHook(b.plugin, nil)) } klog.V(4).Infof("Successfully mounted %s", dir) diff --git a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/azuredd/azure_mounter.go b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/azuredd/azure_mounter.go index 0fe6eec52372..789e75168569 100644 --- a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/azuredd/azure_mounter.go +++ b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/azuredd/azure_mounter.go @@ -160,7 +160,7 @@ func (m *azureDiskMounter) SetUpAt(dir string, mounterArgs volume.MounterArgs) e } if volumeSource.ReadOnly == nil || !*volumeSource.ReadOnly { - volume.SetVolumeOwnership(m, mounterArgs.FsGroup, mounterArgs.FSGroupChangePolicy, util.FSGroupCompleteHook(m.plugin, m.spec)) + volume.SetVolumeOwnership(m, dir, mounterArgs.FsGroup, mounterArgs.FSGroupChangePolicy, util.FSGroupCompleteHook(m.plugin, m.spec)) } klog.V(2).Infof("azureDisk - successfully mounted disk %s on %s", diskName, dir) diff --git a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/cinder/cinder.go b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/cinder/cinder.go index 88f89489aec5..53c4c1c971e3 100644 --- a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/cinder/cinder.go +++ b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/cinder/cinder.go @@ -442,7 +442,7 @@ func (b *cinderVolumeMounter) SetUpAt(dir string, mounterArgs volume.MounterArgs } if !b.readOnly { - volume.SetVolumeOwnership(b, mounterArgs.FsGroup, mounterArgs.FSGroupChangePolicy, util.FSGroupCompleteHook(b.plugin, nil)) + volume.SetVolumeOwnership(b, dir, mounterArgs.FsGroup, mounterArgs.FSGroupChangePolicy, util.FSGroupCompleteHook(b.plugin, nil)) } klog.V(3).Infof("Cinder volume %s mounted to %s", b.pdName, dir) diff --git a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/configmap/configmap.go b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/configmap/configmap.go index e72f5bccb707..f8b53fa7aa18 100644 --- a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/configmap/configmap.go +++ b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/configmap/configmap.go @@ -249,7 +249,7 @@ func (b *configMapVolumeMounter) SetUpAt(dir string, mounterArgs volume.MounterA return err } - err = volume.SetVolumeOwnership(b, mounterArgs.FsGroup, nil /*fsGroupChangePolicy*/, volumeutil.FSGroupCompleteHook(b.plugin, nil)) + err = volume.SetVolumeOwnership(b, dir, mounterArgs.FsGroup, nil /*fsGroupChangePolicy*/, volumeutil.FSGroupCompleteHook(b.plugin, nil)) if err != nil { klog.Errorf("Error applying volume ownership settings for group: %v", mounterArgs.FsGroup) return err diff --git a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/csi/csi_attacher.go b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/csi/csi_attacher.go index 11de3c558bc8..051363a630ac 100644 --- a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/csi/csi_attacher.go +++ b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/csi/csi_attacher.go @@ -584,14 +584,13 @@ func (c *csiAttacher) UnmountDevice(deviceMountPath string) error { driverName = data[volDataKey.driverName] volID = data[volDataKey.volHandle] } else { - klog.Error(log("UnmountDevice failed to load volume data file [%s]: %v", dataDir, err)) - - // The volume might have been mounted by old CSI volume plugin. Fall back to the old behavior: read PV from API server - driverName, volID, err = getDriverAndVolNameFromDeviceMountPath(c.k8s, deviceMountPath) - if err != nil { - klog.Errorf(log("attacher.UnmountDevice failed to get driver and volume name from device mount path: %v", err)) - return err + if errors.Is(err, os.ErrNotExist) { + klog.V(4).Info(log("attacher.UnmountDevice skipped because volume data file [%s] does not exist", dataDir)) + return nil } + + klog.Errorf(log("attacher.UnmountDevice failed to get driver and volume name from device mount path: %v", err)) + return err } if c.csiClient == nil { @@ -671,36 +670,6 @@ func makeDeviceMountPath(plugin *csiPlugin, spec *volume.Spec) (string, error) { return filepath.Join(plugin.host.GetPluginDir(plugin.GetPluginName()), driver, volSha, globalMountInGlobalPath), nil } -func getDriverAndVolNameFromDeviceMountPath(k8s kubernetes.Interface, deviceMountPath string) (string, string, error) { - // deviceMountPath structure: /var/lib/kubelet/plugins/kubernetes.io/csi/pv/{pvname}/globalmount - dir := filepath.Dir(deviceMountPath) - if file := filepath.Base(deviceMountPath); file != globalMountInGlobalPath { - return "", "", errors.New(log("getDriverAndVolNameFromDeviceMountPath failed, path did not end in %s", globalMountInGlobalPath)) - } - // dir is now /var/lib/kubelet/plugins/kubernetes.io/csi/pv/{pvname} - pvName := filepath.Base(dir) - - // Get PV and check for errors - pv, err := k8s.CoreV1().PersistentVolumes().Get(context.TODO(), pvName, metav1.GetOptions{}) - if err != nil { - return "", "", err - } - if pv == nil || pv.Spec.CSI == nil { - return "", "", errors.New(log("getDriverAndVolNameFromDeviceMountPath could not find CSI Persistent Volume Source for pv: %s", pvName)) - } - - // Get VolumeHandle and PluginName from pv - csiSource := pv.Spec.CSI - if csiSource.Driver == "" { - return "", "", errors.New(log("getDriverAndVolNameFromDeviceMountPath failed, driver name empty")) - } - if csiSource.VolumeHandle == "" { - return "", "", errors.New(log("getDriverAndVolNameFromDeviceMountPath failed, VolumeHandle empty")) - } - - return csiSource.Driver, csiSource.VolumeHandle, nil -} - func verifyAttachmentStatus(attachment *storage.VolumeAttachment, volumeHandle string) (bool, error) { // when we received a deleted event during attachment, fail fast if attachment == nil { diff --git a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/csi/csi_mounter.go b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/csi/csi_mounter.go index 138a210433f1..f16f66b1611c 100644 --- a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/csi/csi_mounter.go +++ b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/csi/csi_mounter.go @@ -309,7 +309,7 @@ func (c *csiMountMgr) SetUpAt(dir string, mounterArgs volume.MounterArgs) error // Driver doesn't support applying FSGroup. Kubelet must apply it instead. // fullPluginName helps to distinguish different driver from csi plugin - err := volume.SetVolumeOwnership(c, mounterArgs.FsGroup, mounterArgs.FSGroupChangePolicy, util.FSGroupCompleteHook(c.plugin, c.spec)) + err := volume.SetVolumeOwnership(c, dir, mounterArgs.FsGroup, mounterArgs.FSGroupChangePolicy, util.FSGroupCompleteHook(c.plugin, c.spec)) if err != nil { // At this point mount operation is successful: // 1. Since volume can not be used by the pod because of invalid permissions, we must return error diff --git a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/csi/csi_util.go b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/csi/csi_util.go index ad9098b4ef87..41c2d7ab42de 100644 --- a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/csi/csi_util.go +++ b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/csi/csi_util.go @@ -81,7 +81,7 @@ func loadVolumeData(dir string, fileName string) (map[string]string, error) { file, err := os.Open(dataFileName) if err != nil { - return nil, errors.New(log("failed to open volume data file [%s]: %v", dataFileName, err)) + return nil, fmt.Errorf("%s: %w", log("failed to open volume data file [%s]", dataFileName), err) } defer file.Close() data := map[string]string{} diff --git a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/downwardapi/downwardapi.go b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/downwardapi/downwardapi.go index 08899bfb3598..d237548b2c08 100644 --- a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/downwardapi/downwardapi.go +++ b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/downwardapi/downwardapi.go @@ -220,7 +220,7 @@ func (b *downwardAPIVolumeMounter) SetUpAt(dir string, mounterArgs volume.Mounte return err } - err = volume.SetVolumeOwnership(b, mounterArgs.FsGroup, nil /*fsGroupChangePolicy*/, volumeutil.FSGroupCompleteHook(b.plugin, nil)) + err = volume.SetVolumeOwnership(b, dir, mounterArgs.FsGroup, nil /*fsGroupChangePolicy*/, volumeutil.FSGroupCompleteHook(b.plugin, nil)) if err != nil { klog.Errorf("Error applying volume ownership settings for group: %v", mounterArgs.FsGroup) return err diff --git a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/emptydir/empty_dir.go b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/emptydir/empty_dir.go index 19cd6aea2823..1858842562cc 100644 --- a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/emptydir/empty_dir.go +++ b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/emptydir/empty_dir.go @@ -274,7 +274,7 @@ func (ed *emptyDir) SetUpAt(dir string, mounterArgs volume.MounterArgs) error { err = fmt.Errorf("unknown storage medium %q", ed.medium) } - volume.SetVolumeOwnership(ed, mounterArgs.FsGroup, nil /*fsGroupChangePolicy*/, volumeutil.FSGroupCompleteHook(ed.plugin, nil)) + volume.SetVolumeOwnership(ed, dir, mounterArgs.FsGroup, nil /*fsGroupChangePolicy*/, volumeutil.FSGroupCompleteHook(ed.plugin, nil)) // If setting up the quota fails, just log a message but don't actually error out. // We'll use the old du mechanism in this case, at least until we support @@ -296,11 +296,11 @@ func (ed *emptyDir) assignQuota(dir string, mounterSize *resource.Quantity) erro klog.V(3).Infof("Unable to check for quota support on %s: %s", dir, err.Error()) } else if hasQuotas { klog.V(4).Infof("emptydir trying to assign quota %v on %s", mounterSize, dir) - err := fsquota.AssignQuota(ed.mounter, dir, ed.pod.UID, mounterSize) - if err != nil { + if err := fsquota.AssignQuota(ed.mounter, dir, ed.pod.UID, mounterSize); err != nil { klog.V(3).Infof("Set quota on %s failed %s", dir, err.Error()) + return err } - return err + return nil } } return nil diff --git a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/fc/disk_manager.go b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/fc/disk_manager.go index bb054ea16618..02e15c4f85c5 100644 --- a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/fc/disk_manager.go +++ b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/fc/disk_manager.go @@ -91,7 +91,7 @@ func diskSetUp(manager diskManager, b fcDiskMounter, volPath string, mounter mou } if !b.readOnly { - volume.SetVolumeOwnership(&b, fsGroup, fsGroupChangePolicy, util.FSGroupCompleteHook(b.plugin, nil)) + volume.SetVolumeOwnership(&b, volPath, fsGroup, fsGroupChangePolicy, util.FSGroupCompleteHook(b.plugin, nil)) } return nil diff --git a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/flexvolume/mounter.go b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/flexvolume/mounter.go index 8098cfdb66ee..3821af7e9235 100644 --- a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/flexvolume/mounter.go +++ b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/flexvolume/mounter.go @@ -95,7 +95,7 @@ func (f *flexVolumeMounter) SetUpAt(dir string, mounterArgs volume.MounterArgs) if !f.readOnly { if f.plugin.capabilities.FSGroup { // fullPluginName helps to distinguish different driver from flex volume plugin - volume.SetVolumeOwnership(f, mounterArgs.FsGroup, mounterArgs.FSGroupChangePolicy, util.FSGroupCompleteHook(f.plugin, f.spec)) + volume.SetVolumeOwnership(f, dir, mounterArgs.FsGroup, mounterArgs.FSGroupChangePolicy, util.FSGroupCompleteHook(f.plugin, f.spec)) } } diff --git a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/flocker/flocker.go b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/flocker/flocker.go index dcf94a361ba8..581f7b60b89c 100644 --- a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/flocker/flocker.go +++ b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/flocker/flocker.go @@ -355,7 +355,7 @@ func (b *flockerVolumeMounter) SetUpAt(dir string, mounterArgs volume.MounterArg } if !b.readOnly { - volume.SetVolumeOwnership(b, mounterArgs.FsGroup, mounterArgs.FSGroupChangePolicy, util.FSGroupCompleteHook(b.plugin, nil)) + volume.SetVolumeOwnership(b, dir, mounterArgs.FsGroup, mounterArgs.FSGroupChangePolicy, util.FSGroupCompleteHook(b.plugin, nil)) } klog.V(4).Infof("successfully mounted %s", dir) diff --git a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/gcepd/gce_pd.go b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/gcepd/gce_pd.go index 302d6be96138..0d64abc75b90 100644 --- a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/gcepd/gce_pd.go +++ b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/gcepd/gce_pd.go @@ -424,7 +424,7 @@ func (b *gcePersistentDiskMounter) SetUpAt(dir string, mounterArgs volume.Mounte klog.V(4).Infof("mount of disk %s succeeded", dir) if !b.readOnly { - if err := volume.SetVolumeOwnership(b, mounterArgs.FsGroup, mounterArgs.FSGroupChangePolicy, util.FSGroupCompleteHook(b.plugin, nil)); err != nil { + if err := volume.SetVolumeOwnership(b, dir, mounterArgs.FsGroup, mounterArgs.FSGroupChangePolicy, util.FSGroupCompleteHook(b.plugin, nil)); err != nil { klog.Errorf("SetVolumeOwnership returns error %v", err) } } diff --git a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/git_repo/git_repo.go b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/git_repo/git_repo.go index 5f0e7075eb7e..f7a011bf7449 100644 --- a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/git_repo/git_repo.go +++ b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/git_repo/git_repo.go @@ -229,7 +229,7 @@ func (b *gitRepoVolumeMounter) SetUpAt(dir string, mounterArgs volume.MounterArg return fmt.Errorf("failed to exec 'git reset --hard': %s: %v", output, err) } - volume.SetVolumeOwnership(b, mounterArgs.FsGroup, nil /*fsGroupChangePolicy*/, volumeutil.FSGroupCompleteHook(b.plugin, nil)) + volume.SetVolumeOwnership(b, dir, mounterArgs.FsGroup, nil /*fsGroupChangePolicy*/, volumeutil.FSGroupCompleteHook(b.plugin, nil)) volumeutil.SetReady(b.getMetaDir()) return nil diff --git a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/iscsi/disk_manager.go b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/iscsi/disk_manager.go index 6d60e44efaf0..6aa8652bd6b0 100644 --- a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/iscsi/disk_manager.go +++ b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/iscsi/disk_manager.go @@ -96,7 +96,7 @@ func diskSetUp(manager diskManager, b iscsiDiskMounter, volPath string, mounter } if !b.readOnly { - volume.SetVolumeOwnership(&b, fsGroup, fsGroupChangePolicy, util.FSGroupCompleteHook(b.plugin, nil)) + volume.SetVolumeOwnership(&b, volPath, fsGroup, fsGroupChangePolicy, util.FSGroupCompleteHook(b.plugin, nil)) } return nil diff --git a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/local/local.go b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/local/local.go index d6a5ec85cb1a..bff3e1cdaee9 100644 --- a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/local/local.go +++ b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/local/local.go @@ -609,7 +609,7 @@ func (m *localVolumeMounter) SetUpAt(dir string, mounterArgs volume.MounterArgs) if !m.readOnly { // Volume owner will be written only once on the first volume mount if len(refs) == 0 { - return volume.SetVolumeOwnership(m, mounterArgs.FsGroup, mounterArgs.FSGroupChangePolicy, util.FSGroupCompleteHook(m.plugin, nil)) + return volume.SetVolumeOwnership(m, dir, mounterArgs.FsGroup, mounterArgs.FSGroupChangePolicy, util.FSGroupCompleteHook(m.plugin, nil)) } } return nil diff --git a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/portworx/portworx.go b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/portworx/portworx.go index 927c2e471c39..8b224a2eab8c 100644 --- a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/portworx/portworx.go +++ b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/portworx/portworx.go @@ -328,7 +328,7 @@ func (b *portworxVolumeMounter) SetUpAt(dir string, mounterArgs volume.MounterAr return err } if !b.readOnly { - volume.SetVolumeOwnership(b, mounterArgs.FsGroup, mounterArgs.FSGroupChangePolicy, util.FSGroupCompleteHook(b.plugin, nil)) + volume.SetVolumeOwnership(b, dir, mounterArgs.FsGroup, mounterArgs.FSGroupChangePolicy, util.FSGroupCompleteHook(b.plugin, nil)) } klog.Infof("Portworx Volume %s setup at %s", b.volumeID, dir) return nil diff --git a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/projected/projected.go b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/projected/projected.go index e30cb8022435..58aba006fbe3 100644 --- a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/projected/projected.go +++ b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/projected/projected.go @@ -230,7 +230,7 @@ func (s *projectedVolumeMounter) SetUpAt(dir string, mounterArgs volume.MounterA return err } - err = volume.SetVolumeOwnership(s, mounterArgs.FsGroup, nil /*fsGroupChangePolicy*/, volumeutil.FSGroupCompleteHook(s.plugin, nil)) + err = volume.SetVolumeOwnership(s, dir, mounterArgs.FsGroup, nil /*fsGroupChangePolicy*/, volumeutil.FSGroupCompleteHook(s.plugin, nil)) if err != nil { klog.Errorf("Error applying volume ownership settings for group: %v", mounterArgs.FsGroup) return err diff --git a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/rbd/disk_manager.go b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/rbd/disk_manager.go index edff33540f4d..2131c7ecedd8 100644 --- a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/rbd/disk_manager.go +++ b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/rbd/disk_manager.go @@ -96,7 +96,7 @@ func diskSetUp(manager diskManager, b rbdMounter, volPath string, mounter mount. klog.V(3).Infof("rbd: successfully bind mount %s to %s with options %v", globalPDPath, volPath, mountOptions) if !b.ReadOnly { - volume.SetVolumeOwnership(&b, fsGroup, fsGroupChangePolicy, util.FSGroupCompleteHook(b.plugin, nil)) + volume.SetVolumeOwnership(&b, volPath, fsGroup, fsGroupChangePolicy, util.FSGroupCompleteHook(b.plugin, nil)) } return nil diff --git a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/secret/secret.go b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/secret/secret.go index 0899f512667c..a4dd6a7e6c31 100644 --- a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/secret/secret.go +++ b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/secret/secret.go @@ -244,7 +244,7 @@ func (b *secretVolumeMounter) SetUpAt(dir string, mounterArgs volume.MounterArgs return err } - err = volume.SetVolumeOwnership(b, mounterArgs.FsGroup, nil /*fsGroupChangePolicy*/, volumeutil.FSGroupCompleteHook(b.plugin, nil)) + err = volume.SetVolumeOwnership(b, dir, mounterArgs.FsGroup, nil /*fsGroupChangePolicy*/, volumeutil.FSGroupCompleteHook(b.plugin, nil)) if err != nil { klog.Errorf("Error applying volume ownership settings for group: %v", mounterArgs.FsGroup) return err diff --git a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/storageos/storageos.go b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/storageos/storageos.go index d3d938d3b290..27c99b467b78 100644 --- a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/storageos/storageos.go +++ b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/storageos/storageos.go @@ -423,7 +423,7 @@ func (b *storageosMounter) SetUpAt(dir string, mounterArgs volume.MounterArgs) e } if !b.readOnly { - volume.SetVolumeOwnership(b, mounterArgs.FsGroup, mounterArgs.FSGroupChangePolicy, util.FSGroupCompleteHook(b.plugin, nil)) + volume.SetVolumeOwnership(b, dir, mounterArgs.FsGroup, mounterArgs.FSGroupChangePolicy, util.FSGroupCompleteHook(b.plugin, nil)) } klog.V(4).Infof("StorageOS volume setup complete on %s", dir) return nil diff --git a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/util/fsquota/common/quota_common.go b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/util/fsquota/common/quota_common.go new file mode 100644 index 000000000000..425944207682 --- /dev/null +++ b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/util/fsquota/common/quota_common.go @@ -0,0 +1,28 @@ +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package common + +// QuotaID is generic quota identifier. +// Data type based on quotactl(2). +type QuotaID int32 + +const ( + // UnknownQuotaID -- cannot determine whether a quota is in force + UnknownQuotaID QuotaID = -1 + // BadQuotaID -- Invalid quota + BadQuotaID QuotaID = 0 +) diff --git a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/util/fsquota/common/quota_linux_common.go b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/util/fsquota/common/quota_common_linux.go similarity index 92% rename from cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/util/fsquota/common/quota_linux_common.go rename to cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/util/fsquota/common/quota_common_linux.go index 8275a7f1c837..77f845837b7d 100644 --- a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/util/fsquota/common/quota_linux_common.go +++ b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/util/fsquota/common/quota_common_linux.go @@ -23,17 +23,6 @@ import ( "regexp" ) -// QuotaID is generic quota identifier. -// Data type based on quotactl(2). -type QuotaID int32 - -const ( - // UnknownQuotaID -- cannot determine whether a quota is in force - UnknownQuotaID QuotaID = -1 - // BadQuotaID -- Invalid quota - BadQuotaID QuotaID = 0 -) - // QuotaType -- type of quota to be applied type QuotaType int diff --git a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/util/fsquota/common/quota_linux_common_impl.go b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/util/fsquota/common/quota_common_linux_impl.go similarity index 100% rename from cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/util/fsquota/common/quota_linux_common_impl.go rename to cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/util/fsquota/common/quota_common_linux_impl.go diff --git a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/util/fsquota/project.go b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/util/fsquota/project.go index 3861f990590e..8ebc00687405 100644 --- a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/util/fsquota/project.go +++ b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/util/fsquota/project.go @@ -164,6 +164,9 @@ func readProjectFiles(projects *os.File, projid *os.File) projectsList { return projectsList{parseProjFile(projects, parseProject), parseProjFile(projid, parseProjid)} } +// findAvailableQuota finds the next available quota from the FirstQuota +// it returns error if QuotaIDIsInUse returns error when getting quota id in use; +// it searches at most maxUnusedQuotasToSearch(128) time func findAvailableQuota(path string, idMap map[common.QuotaID]bool) (common.QuotaID, error) { unusedQuotasSearched := 0 for id := common.FirstQuota; true; id++ { @@ -187,13 +190,13 @@ func addDirToProject(path string, id common.QuotaID, list *projectsList) (common idMap := make(map[common.QuotaID]bool) for _, project := range list.projects { if project.data == path { - if id != project.id { + if id != common.BadQuotaID && id != project.id { return common.BadQuotaID, false, fmt.Errorf("attempt to reassign project ID for %s", path) } // Trying to reassign a directory to the project it's // already in. Maybe this should be an error, but for // now treat it as an idempotent operation - return id, false, nil + return project.id, false, nil } idMap[project.id] = true } @@ -318,6 +321,7 @@ func writeProjectFiles(fProjects *os.File, fProjid *os.File, writeProjid bool, l return fmt.Errorf("unable to write project files: %v", err) } +// if ID is common.BadQuotaID, generate new project id if the dir is not in a project func createProjectID(path string, ID common.QuotaID) (common.QuotaID, error) { quotaIDLock.Lock() defer quotaIDLock.Unlock() diff --git a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/util/fsquota/quota.go b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/util/fsquota/quota.go index fbd29fba7359..eb0048d37148 100644 --- a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/util/fsquota/quota.go +++ b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/util/fsquota/quota.go @@ -23,10 +23,15 @@ import ( "k8s.io/apimachinery/pkg/types" utilfeature "k8s.io/apiserver/pkg/util/feature" "k8s.io/kubernetes/pkg/features" + "k8s.io/kubernetes/pkg/volume/util/fsquota/common" ) // Interface -- quota interface type Interface interface { + // GetQuotaOnDir gets the quota ID (if any) that applies to + // this directory + GetQuotaOnDir(m mount.Interface, path string) (common.QuotaID, error) + // Does the path provided support quotas, and if so, what types SupportsQuotas(m mount.Interface, path string) (bool, error) // Assign a quota (picked by the quota mechanism) to a path, diff --git a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/util/fsquota/quota_linux.go b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/util/fsquota/quota_linux.go index 85784204aa1b..240cc356ee88 100644 --- a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/util/fsquota/quota_linux.go +++ b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/util/fsquota/quota_linux.go @@ -35,6 +35,9 @@ import ( "k8s.io/kubernetes/pkg/volume/util/fsquota/common" ) +// Pod -> External Pod UID +var podUidMap = make(map[types.UID]types.UID) + // Pod -> ID var podQuotaMap = make(map[types.UID]common.QuotaID) @@ -214,7 +217,7 @@ func setQuotaOnDir(path string, id common.QuotaID, bytes int64) error { return getApplier(path).SetQuotaOnDir(path, id, bytes) } -func getQuotaOnDir(m mount.Interface, path string) (common.QuotaID, error) { +func GetQuotaOnDir(m mount.Interface, path string) (common.QuotaID, error) { _, _, err := getFSInfo(m, path) if err != nil { return common.BadQuotaID, err @@ -235,7 +238,7 @@ func clearQuotaOnDir(m mount.Interface, path string) error { if !supportsQuotas { return nil } - projid, err := getQuotaOnDir(m, path) + projid, err := GetQuotaOnDir(m, path) if err == nil && projid != common.BadQuotaID { // This means that we have a quota on the directory but // we can't clear it. That's not good. @@ -304,7 +307,7 @@ func SupportsQuotas(m mount.Interface, path string) (bool, error) { // AssignQuota chooses the quota ID based on the pod UID and path. // If the pod UID is identical to another one known, it may (but presently // doesn't) choose the same quota ID as other volumes in the pod. -func AssignQuota(m mount.Interface, path string, poduid types.UID, bytes *resource.Quantity) error { //nolint:staticcheck // SA4009 poduid is overwritten by design, see comment below +func AssignQuota(m mount.Interface, path string, poduid types.UID, bytes *resource.Quantity) error { //nolint:staticcheck if bytes == nil { return fmt.Errorf("attempting to assign null quota to %s", path) } @@ -314,20 +317,32 @@ func AssignQuota(m mount.Interface, path string, poduid types.UID, bytes *resour } quotaLock.Lock() defer quotaLock.Unlock() - // Current policy is to set individual quotas on each volumes. + // Current policy is to set individual quotas on each volume, + // for each new volume we generate a random UUID and we use that as + // the internal pod uid. + // From fsquota point of view each volume is attached to a + // single unique pod. // If we decide later that we want to assign one quota for all - // volumes in a pod, we can simply remove this line of code. + // volumes in a pod, we can simply use poduid parameter directly // If and when we decide permanently that we're going to adopt // one quota per volume, we can rip all of the pod code out. - poduid = types.UID(uuid.NewUUID()) //nolint:staticcheck // SA4009 poduid is overwritten by design, see comment above - if pod, ok := dirPodMap[path]; ok && pod != poduid { - return fmt.Errorf("requesting quota on existing directory %s but different pod %s %s", path, pod, poduid) + externalPodUid := poduid + internalPodUid, ok := dirPodMap[path] + if ok { + if podUidMap[internalPodUid] != externalPodUid { + return fmt.Errorf("requesting quota on existing directory %s but different pod %s %s", path, podUidMap[internalPodUid], externalPodUid) + } + } else { + internalPodUid = types.UID(uuid.NewUUID()) } - oid, ok := podQuotaMap[poduid] + oid, ok := podQuotaMap[internalPodUid] if ok { if quotaSizeMap[oid] != ibytes { return fmt.Errorf("requesting quota of different size: old %v new %v", quotaSizeMap[oid], bytes) } + if _, ok := dirPodMap[path]; ok { + return nil + } } else { oid = common.BadQuotaID } @@ -342,12 +357,13 @@ func AssignQuota(m mount.Interface, path string, poduid types.UID, bytes *resour ibytes = -1 } if err = setQuotaOnDir(path, id, ibytes); err == nil { - quotaPodMap[id] = poduid + quotaPodMap[id] = internalPodUid quotaSizeMap[id] = ibytes - podQuotaMap[poduid] = id + podQuotaMap[internalPodUid] = id dirQuotaMap[path] = id - dirPodMap[path] = poduid - podDirCountMap[poduid]++ + dirPodMap[path] = internalPodUid + podUidMap[internalPodUid] = externalPodUid + podDirCountMap[internalPodUid]++ klog.V(4).Infof("Assigning quota ID %d (%d) to %s", id, ibytes, path) return nil } @@ -415,7 +431,7 @@ func ClearQuota(m mount.Interface, path string) error { if !ok { return fmt.Errorf("clearQuota: No quota available for %s", path) } - projid, err := getQuotaOnDir(m, path) + projid, err := GetQuotaOnDir(m, path) if err != nil { // Log-and-continue instead of returning an error for now // due to unspecified backwards compatibility concerns (a subject to revise) @@ -436,6 +452,7 @@ func ClearQuota(m mount.Interface, path string) error { delete(quotaPodMap, podQuotaMap[poduid]) delete(podDirCountMap, poduid) delete(podQuotaMap, poduid) + delete(podUidMap, poduid) } else { err = removeProjectID(path, projid) podDirCountMap[poduid]-- diff --git a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/util/fsquota/quota_unsupported.go b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/util/fsquota/quota_unsupported.go index 8579f5389300..c5b89a69707a 100644 --- a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/util/fsquota/quota_unsupported.go +++ b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/util/fsquota/quota_unsupported.go @@ -22,6 +22,7 @@ package fsquota import ( "errors" + "k8s.io/kubernetes/pkg/volume/util/fsquota/common" "k8s.io/mount-utils" "k8s.io/apimachinery/pkg/api/resource" @@ -33,6 +34,10 @@ import ( var errNotImplemented = errors.New("not implemented") +func GetQuotaOnDir(_ mount.Interface, _ string) (common.QuotaID, error) { + return common.BadQuotaID, errNotImplemented +} + // SupportsQuotas -- dummy implementation func SupportsQuotas(_ mount.Interface, _ string) (bool, error) { return false, errNotImplemented diff --git a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/volume_linux.go b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/volume_linux.go index 57c02815029a..ec7f6da4bfe9 100644 --- a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/volume_linux.go +++ b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/volume_linux.go @@ -40,22 +40,22 @@ const ( // SetVolumeOwnership modifies the given volume to be owned by // fsGroup, and sets SetGid so that newly created files are owned by // fsGroup. If fsGroup is nil nothing is done. -func SetVolumeOwnership(mounter Mounter, fsGroup *int64, fsGroupChangePolicy *v1.PodFSGroupChangePolicy, completeFunc func(types.CompleteFuncParam)) error { +func SetVolumeOwnership(mounter Mounter, dir string, fsGroup *int64, fsGroupChangePolicy *v1.PodFSGroupChangePolicy, completeFunc func(types.CompleteFuncParam)) error { if fsGroup == nil { return nil } timer := time.AfterFunc(30*time.Second, func() { - klog.Warningf("Setting volume ownership for %s and fsGroup set. If the volume has a lot of files then setting volume ownership could be slow, see https://github.com/kubernetes/kubernetes/issues/69699", mounter.GetPath()) + klog.Warningf("Setting volume ownership for %s and fsGroup set. If the volume has a lot of files then setting volume ownership could be slow, see https://github.com/kubernetes/kubernetes/issues/69699", dir) }) defer timer.Stop() - if skipPermissionChange(mounter, fsGroup, fsGroupChangePolicy) { - klog.V(3).InfoS("Skipping permission and ownership change for volume", "path", mounter.GetPath()) + if skipPermissionChange(mounter, dir, fsGroup, fsGroupChangePolicy) { + klog.V(3).InfoS("Skipping permission and ownership change for volume", "path", dir) return nil } - err := walkDeep(mounter.GetPath(), func(path string, info os.FileInfo, err error) error { + err := walkDeep(dir, func(path string, info os.FileInfo, err error) error { if err != nil { return err } @@ -104,14 +104,12 @@ func changeFilePermission(filename string, fsGroup *int64, readonly bool, info o return nil } -func skipPermissionChange(mounter Mounter, fsGroup *int64, fsGroupChangePolicy *v1.PodFSGroupChangePolicy) bool { - dir := mounter.GetPath() - +func skipPermissionChange(mounter Mounter, dir string, fsGroup *int64, fsGroupChangePolicy *v1.PodFSGroupChangePolicy) bool { if fsGroupChangePolicy == nil || *fsGroupChangePolicy != v1.FSGroupChangeOnRootMismatch { klog.V(4).InfoS("Perform recursive ownership change for directory", "path", dir) return false } - return !requiresPermissionChange(mounter.GetPath(), fsGroup, mounter.GetAttributes().ReadOnly) + return !requiresPermissionChange(dir, fsGroup, mounter.GetAttributes().ReadOnly) } func requiresPermissionChange(rootDir string, fsGroup *int64, readonly bool) bool { diff --git a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/volume_unsupported.go b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/volume_unsupported.go index 20c56d4b63e2..3b5a200a6160 100644 --- a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/volume_unsupported.go +++ b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/volume_unsupported.go @@ -24,6 +24,6 @@ import ( "k8s.io/kubernetes/pkg/volume/util/types" ) -func SetVolumeOwnership(mounter Mounter, fsGroup *int64, fsGroupChangePolicy *v1.PodFSGroupChangePolicy, completeFunc func(types.CompleteFuncParam)) error { +func SetVolumeOwnership(mounter Mounter, dir string, fsGroup *int64, fsGroupChangePolicy *v1.PodFSGroupChangePolicy, completeFunc func(types.CompleteFuncParam)) error { return nil } diff --git a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/vsphere_volume/vsphere_volume.go b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/vsphere_volume/vsphere_volume.go index 0c6c37d66077..cdc947d01cea 100644 --- a/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/vsphere_volume/vsphere_volume.go +++ b/cluster-autoscaler/vendor/k8s.io/kubernetes/pkg/volume/vsphere_volume/vsphere_volume.go @@ -272,7 +272,7 @@ func (b *vsphereVolumeMounter) SetUpAt(dir string, mounterArgs volume.MounterArg os.Remove(dir) return err } - volume.SetVolumeOwnership(b, mounterArgs.FsGroup, mounterArgs.FSGroupChangePolicy, util.FSGroupCompleteHook(b.plugin, nil)) + volume.SetVolumeOwnership(b, dir, mounterArgs.FsGroup, mounterArgs.FSGroupChangePolicy, util.FSGroupCompleteHook(b.plugin, nil)) klog.V(3).Infof("vSphere volume %s mounted to %s", b.volPath, dir) return nil diff --git a/cluster-autoscaler/vendor/k8s.io/mount-utils/fake_mounter.go b/cluster-autoscaler/vendor/k8s.io/mount-utils/fake_mounter.go index 55ea5e2986b2..51e21980527b 100644 --- a/cluster-autoscaler/vendor/k8s.io/mount-utils/fake_mounter.go +++ b/cluster-autoscaler/vendor/k8s.io/mount-utils/fake_mounter.go @@ -32,8 +32,9 @@ type FakeMounter struct { MountCheckErrors map[string]error // Some tests run things in parallel, make sure the mounter does not produce // any golang's DATA RACE warnings. - mutex sync.Mutex - UnmountFunc UnmountFunc + mutex sync.Mutex + UnmountFunc UnmountFunc + skipMountPointCheck bool } // UnmountFunc is a function callback to be executed during the Unmount() call. @@ -64,6 +65,11 @@ func NewFakeMounter(mps []MountPoint) *FakeMounter { } } +func (f *FakeMounter) WithSkipMountPointCheck() *FakeMounter { + f.skipMountPointCheck = true + return f +} + // ResetLog clears all the log entries in FakeMounter func (f *FakeMounter) ResetLog() { f.mutex.Lock() @@ -212,6 +218,10 @@ func (f *FakeMounter) IsLikelyNotMountPoint(file string) (bool, error) { return true, nil } +func (f *FakeMounter) canSafelySkipMountPointCheck() bool { + return f.skipMountPointCheck +} + // GetMountRefs finds all mount references to the path, returns a // list of paths. func (f *FakeMounter) GetMountRefs(pathname string) ([]string, error) { diff --git a/cluster-autoscaler/vendor/k8s.io/mount-utils/mount.go b/cluster-autoscaler/vendor/k8s.io/mount-utils/mount.go index 7cd981c2f266..a93e6d2fab86 100644 --- a/cluster-autoscaler/vendor/k8s.io/mount-utils/mount.go +++ b/cluster-autoscaler/vendor/k8s.io/mount-utils/mount.go @@ -66,6 +66,10 @@ type Interface interface { // care about such situations, this is a faster alternative to calling List() // and scanning that output. IsLikelyNotMountPoint(file string) (bool, error) + // canSafelySkipMountPointCheck indicates whether this mounter returns errors on + // operations for targets that are not mount points. If this returns true, no such + // errors will be returned. + canSafelySkipMountPointCheck() bool // GetMountRefs finds all mount references to pathname, returning a slice of // paths. Pathname can be a mountpoint path or a normal directory // (for bind mount). On Linux, pathname is excluded from the slice. diff --git a/cluster-autoscaler/vendor/k8s.io/mount-utils/mount_helper_common.go b/cluster-autoscaler/vendor/k8s.io/mount-utils/mount_helper_common.go index 196ae30ad1a7..dc4131d78e36 100644 --- a/cluster-autoscaler/vendor/k8s.io/mount-utils/mount_helper_common.go +++ b/cluster-autoscaler/vendor/k8s.io/mount-utils/mount_helper_common.go @@ -31,7 +31,7 @@ import ( func CleanupMountPoint(mountPath string, mounter Interface, extensiveMountPointCheck bool) error { pathExists, pathErr := PathExists(mountPath) if !pathExists && pathErr == nil { - klog.Warningf("Warning: Unmount skipped because path does not exist: %v", mountPath) + klog.Warningf("Warning: mount cleanup skipped because path does not exist: %v", mountPath) return nil } corruptedMnt := IsCorruptedMnt(pathErr) @@ -44,36 +44,41 @@ func CleanupMountPoint(mountPath string, mounter Interface, extensiveMountPointC func CleanupMountWithForce(mountPath string, mounter MounterForceUnmounter, extensiveMountPointCheck bool, umountTimeout time.Duration) error { pathExists, pathErr := PathExists(mountPath) if !pathExists && pathErr == nil { - klog.Warningf("Warning: Unmount skipped because path does not exist: %v", mountPath) + klog.Warningf("Warning: mount cleanup skipped because path does not exist: %v", mountPath) return nil } corruptedMnt := IsCorruptedMnt(pathErr) if pathErr != nil && !corruptedMnt { return fmt.Errorf("Error checking path: %v", pathErr) } - var notMnt bool - var err error - if !corruptedMnt { - notMnt, err = removePathIfNotMountPoint(mountPath, mounter, extensiveMountPointCheck) - // if mountPath was not a mount point - we would have attempted to remove mountPath - // and hence return errors if any. - if err != nil || notMnt { + + if corruptedMnt || mounter.canSafelySkipMountPointCheck() { + klog.V(4).Infof("unmounting %q (corruptedMount: %t, mounterCanSkipMountPointChecks: %t)", + mountPath, corruptedMnt, mounter.canSafelySkipMountPointCheck()) + if err := mounter.UnmountWithForce(mountPath, umountTimeout); err != nil { return err } + return removePath(mountPath) + } + + notMnt, err := removePathIfNotMountPoint(mountPath, mounter, extensiveMountPointCheck) + // if mountPath is not a mount point, it's just been removed or there was an error + if err != nil || notMnt { + return err } - // Unmount the mount path klog.V(4).Infof("%q is a mountpoint, unmounting", mountPath) if err := mounter.UnmountWithForce(mountPath, umountTimeout); err != nil { return err } notMnt, err = removePathIfNotMountPoint(mountPath, mounter, extensiveMountPointCheck) - // mountPath is not a mount point we should return whatever error we saw + // if mountPath is not a mount point, it's either just been removed or there was an error if notMnt { return err } - return fmt.Errorf("Failed to unmount path %v", mountPath) + // mountPath is still a mount point + return fmt.Errorf("failed to cleanup mount point %v", mountPath) } // doCleanupMountPoint unmounts the given path and @@ -82,31 +87,35 @@ func CleanupMountWithForce(mountPath string, mounter MounterForceUnmounter, exte // IsNotMountPoint will be called instead of IsLikelyNotMountPoint. // IsNotMountPoint is more expensive but properly handles bind mounts within the same fs. // if corruptedMnt is true, it means that the mountPath is a corrupted mountpoint, and the mount point check -// will be skipped +// will be skipped. The mount point check will also be skipped if the mounter supports it. func doCleanupMountPoint(mountPath string, mounter Interface, extensiveMountPointCheck bool, corruptedMnt bool) error { - var notMnt bool - var err error - if !corruptedMnt { - notMnt, err = removePathIfNotMountPoint(mountPath, mounter, extensiveMountPointCheck) - // if mountPath was not a mount point - we would have attempted to remove mountPath - // and hence return errors if any. - if err != nil || notMnt { + if corruptedMnt || mounter.canSafelySkipMountPointCheck() { + klog.V(4).Infof("unmounting %q (corruptedMount: %t, mounterCanSkipMountPointChecks: %t)", + mountPath, corruptedMnt, mounter.canSafelySkipMountPointCheck()) + if err := mounter.Unmount(mountPath); err != nil { return err } + return removePath(mountPath) + } + + notMnt, err := removePathIfNotMountPoint(mountPath, mounter, extensiveMountPointCheck) + // if mountPath is not a mount point, it's just been removed or there was an error + if err != nil || notMnt { + return err } - // Unmount the mount path klog.V(4).Infof("%q is a mountpoint, unmounting", mountPath) if err := mounter.Unmount(mountPath); err != nil { return err } notMnt, err = removePathIfNotMountPoint(mountPath, mounter, extensiveMountPointCheck) - // mountPath is not a mount point we should return whatever error we saw + // if mountPath is not a mount point, it's either just been removed or there was an error if notMnt { return err } - return fmt.Errorf("Failed to unmount path %v", mountPath) + // mountPath is still a mount point + return fmt.Errorf("failed to cleanup mount point %v", mountPath) } // removePathIfNotMountPoint verifies if given mountPath is a mount point if not it attempts @@ -135,3 +144,14 @@ func removePathIfNotMountPoint(mountPath string, mounter Interface, extensiveMou } return notMnt, nil } + +// removePath attempts to remove the directory. Returns nil if the directory was removed or does not exist. +func removePath(mountPath string) error { + klog.V(4).Infof("Warning: deleting path %q", mountPath) + err := os.Remove(mountPath) + if os.IsNotExist(err) { + klog.V(4).Infof("%q does not exist", mountPath) + return nil + } + return err +} diff --git a/cluster-autoscaler/vendor/k8s.io/mount-utils/mount_linux.go b/cluster-autoscaler/vendor/k8s.io/mount-utils/mount_linux.go index aaa592161d4c..8718b6d4ee9b 100644 --- a/cluster-autoscaler/vendor/k8s.io/mount-utils/mount_linux.go +++ b/cluster-autoscaler/vendor/k8s.io/mount-utils/mount_linux.go @@ -22,6 +22,7 @@ package mount import ( "context" "fmt" + "io/ioutil" "os" "os/exec" "path/filepath" @@ -48,14 +49,17 @@ const ( fsckErrorsUncorrected = 4 // Error thrown by exec cmd.Run() when process spawned by cmd.Start() completes before cmd.Wait() is called (see - k/k issue #103753) errNoChildProcesses = "wait: no child processes" + // Error returned by some `umount` implementations when the specified path is not a mount point + errNotMounted = "not mounted" ) // Mounter provides the default implementation of mount.Interface // for the linux platform. This implementation assumes that the // kubelet is running in the host's root mount namespace. type Mounter struct { - mounterPath string - withSystemd bool + mounterPath string + withSystemd bool + withSafeNotMountedBehavior bool } var _ MounterForceUnmounter = &Mounter{} @@ -65,8 +69,9 @@ var _ MounterForceUnmounter = &Mounter{} // mounterPath allows using an alternative to `/bin/mount` for mounting. func New(mounterPath string) Interface { return &Mounter{ - mounterPath: mounterPath, - withSystemd: detectSystemd(), + mounterPath: mounterPath, + withSystemd: detectSystemd(), + withSafeNotMountedBehavior: detectSafeNotMountedBehavior(), } } @@ -223,6 +228,36 @@ func detectSystemd() bool { return true } +// detectSafeNotMountedBehavior returns true if the umount implementation replies "not mounted" +// when the specified path is not mounted. When not sure (permission errors, ...), it returns false. +// When possible, we will trust umount's message and avoid doing our own mount point checks. +// More info: https://github.com/util-linux/util-linux/blob/v2.2/mount/umount.c#L179 +func detectSafeNotMountedBehavior() bool { + return detectSafeNotMountedBehaviorWithExec(utilexec.New()) +} + +// detectSafeNotMountedBehaviorWithExec is for testing with FakeExec. +func detectSafeNotMountedBehaviorWithExec(exec utilexec.Interface) bool { + // create a temp dir and try to umount it + path, err := ioutil.TempDir("", "kubelet-detect-safe-umount") + if err != nil { + klog.V(4).Infof("Cannot create temp dir to detect safe 'not mounted' behavior: %v", err) + return false + } + defer os.RemoveAll(path) + cmd := exec.Command("umount", path) + output, err := cmd.CombinedOutput() + if err != nil { + if strings.Contains(string(output), errNotMounted) { + klog.V(4).Infof("Detected umount with safe 'not mounted' behavior") + return true + } + klog.V(4).Infof("'umount %s' failed with: %v, output: %s", path, err, string(output)) + } + klog.V(4).Infof("Detected umount with unsafe 'not mounted' behavior") + return false +} + // MakeMountArgs makes the arguments to the mount(8) command. // options MUST not contain sensitive material (like passwords). func MakeMountArgs(source, target, fstype string, options []string) (mountArgs []string) { @@ -290,6 +325,7 @@ func AddSystemdScopeSensitive(systemdRunPath, mountName, command string, args [] } // Unmount unmounts the target. +// If the mounter has safe "not mounted" behavior, no error will be returned when the target is not a mount point. func (mounter *Mounter) Unmount(target string) error { klog.V(4).Infof("Unmounting %s", target) command := exec.Command("umount", target) @@ -303,6 +339,10 @@ func (mounter *Mounter) Unmount(target string) error { // Rewrite err with the actual exit error of the process. err = &exec.ExitError{ProcessState: command.ProcessState} } + if mounter.withSafeNotMountedBehavior && strings.Contains(string(output), errNotMounted) { + klog.V(4).Infof("ignoring 'not mounted' error for %s", target) + return nil + } return fmt.Errorf("unmount failed: %v\nUnmounting arguments: %s\nOutput: %s", err, target, string(output)) } return nil @@ -351,6 +391,11 @@ func (mounter *Mounter) IsLikelyNotMountPoint(file string) (bool, error) { return true, nil } +// canSafelySkipMountPointCheck relies on the detected behavior of umount when given a target that is not a mount point. +func (mounter *Mounter) canSafelySkipMountPointCheck() bool { + return mounter.withSafeNotMountedBehavior +} + // GetMountRefs finds all mount references to pathname, returns a // list of paths. Path could be a mountpoint or a normal // directory (for bind mount). diff --git a/cluster-autoscaler/vendor/k8s.io/mount-utils/mount_unsupported.go b/cluster-autoscaler/vendor/k8s.io/mount-utils/mount_unsupported.go index 93ba9b2e3f9b..f3b18c151451 100644 --- a/cluster-autoscaler/vendor/k8s.io/mount-utils/mount_unsupported.go +++ b/cluster-autoscaler/vendor/k8s.io/mount-utils/mount_unsupported.go @@ -74,6 +74,11 @@ func (mounter *Mounter) IsLikelyNotMountPoint(file string) (bool, error) { return true, errUnsupported } +// canSafelySkipMountPointCheck always returns false on unsupported platforms +func (mounter *Mounter) canSafelySkipMountPointCheck() bool { + return false +} + // GetMountRefs always returns an error on unsupported platforms func (mounter *Mounter) GetMountRefs(pathname string) ([]string, error) { return nil, errUnsupported diff --git a/cluster-autoscaler/vendor/k8s.io/mount-utils/mount_windows.go b/cluster-autoscaler/vendor/k8s.io/mount-utils/mount_windows.go index 3286a69c46b5..c7fcde5fc98f 100644 --- a/cluster-autoscaler/vendor/k8s.io/mount-utils/mount_windows.go +++ b/cluster-autoscaler/vendor/k8s.io/mount-utils/mount_windows.go @@ -244,6 +244,11 @@ func (mounter *Mounter) IsLikelyNotMountPoint(file string) (bool, error) { return true, nil } +// canSafelySkipMountPointCheck always returns false on Windows +func (mounter *Mounter) canSafelySkipMountPointCheck() bool { + return false +} + // GetMountRefs : empty implementation here since there is no place to query all mount points on Windows func (mounter *Mounter) GetMountRefs(pathname string) ([]string, error) { windowsPath := NormalizeWindowsPath(pathname) diff --git a/cluster-autoscaler/vendor/modules.txt b/cluster-autoscaler/vendor/modules.txt index 7af5cec5fa29..b250c5be9131 100644 --- a/cluster-autoscaler/vendor/modules.txt +++ b/cluster-autoscaler/vendor/modules.txt @@ -501,8 +501,8 @@ github.com/mxk/go-flowrate/flowrate # github.com/opencontainers/go-digest v1.0.0 ## explicit; go 1.13 github.com/opencontainers/go-digest -# github.com/opencontainers/runc v1.1.1 -## explicit; go 1.16 +# github.com/opencontainers/runc v1.1.6 +## explicit; go 1.17 github.com/opencontainers/runc/libcontainer github.com/opencontainers/runc/libcontainer/apparmor github.com/opencontainers/runc/libcontainer/capabilities @@ -572,7 +572,7 @@ github.com/rubiojr/go-vhd/vhd # github.com/satori/go.uuid v1.2.0 ## explicit github.com/satori/go.uuid -# github.com/seccomp/libseccomp-golang v0.9.2-0.20210429002308-3879420cc921 +# github.com/seccomp/libseccomp-golang v0.9.2-0.20220502022130-f33da4d89646 ## explicit; go 1.14 github.com/seccomp/libseccomp-golang # github.com/sirupsen/logrus v1.8.1 @@ -771,7 +771,7 @@ golang.org/x/crypto/nacl/secretbox golang.org/x/crypto/pkcs12 golang.org/x/crypto/pkcs12/internal/rc2 golang.org/x/crypto/salsa20/salsa -# golang.org/x/net v0.7.0 +# golang.org/x/net v0.8.0 ## explicit; go 1.17 golang.org/x/net/bpf golang.org/x/net/context @@ -797,10 +797,10 @@ golang.org/x/oauth2/google/internal/externalaccount golang.org/x/oauth2/internal golang.org/x/oauth2/jws golang.org/x/oauth2/jwt -# golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 +# golang.org/x/sync v0.1.0 ## explicit golang.org/x/sync/singleflight -# golang.org/x/sys v0.5.0 +# golang.org/x/sys v0.6.0 ## explicit; go 1.17 golang.org/x/sys/cpu golang.org/x/sys/internal/unsafeheader @@ -809,10 +809,10 @@ golang.org/x/sys/unix golang.org/x/sys/windows golang.org/x/sys/windows/registry golang.org/x/sys/windows/svc -# golang.org/x/term v0.5.0 +# golang.org/x/term v0.6.0 ## explicit; go 1.17 golang.org/x/term -# golang.org/x/text v0.7.0 +# golang.org/x/text v0.8.0 ## explicit; go 1.17 golang.org/x/text/encoding golang.org/x/text/encoding/internal @@ -976,7 +976,7 @@ gopkg.in/yaml.v2 # gopkg.in/yaml.v3 v3.0.1 ## explicit gopkg.in/yaml.v3 -# k8s.io/api v0.24.12 => k8s.io/api v0.24.12 +# k8s.io/api v0.24.14 => k8s.io/api v0.24.14 ## explicit; go 1.19 k8s.io/api/admission/v1 k8s.io/api/admission/v1beta1 @@ -1025,7 +1025,7 @@ k8s.io/api/scheduling/v1beta1 k8s.io/api/storage/v1 k8s.io/api/storage/v1alpha1 k8s.io/api/storage/v1beta1 -# k8s.io/apimachinery v0.24.12 => k8s.io/apimachinery v0.24.12 +# k8s.io/apimachinery v0.24.14 => k8s.io/apimachinery v0.24.14 ## explicit; go 1.19 k8s.io/apimachinery/pkg/api/equality k8s.io/apimachinery/pkg/api/errors @@ -1085,7 +1085,7 @@ k8s.io/apimachinery/pkg/watch k8s.io/apimachinery/third_party/forked/golang/json k8s.io/apimachinery/third_party/forked/golang/netutil k8s.io/apimachinery/third_party/forked/golang/reflect -# k8s.io/apiserver v0.24.12 => k8s.io/apiserver v0.24.12 +# k8s.io/apiserver v0.24.14 => k8s.io/apiserver v0.24.14 ## explicit; go 1.19 k8s.io/apiserver/pkg/admission k8s.io/apiserver/pkg/admission/configuration @@ -1213,7 +1213,7 @@ k8s.io/apiserver/plugin/pkg/audit/truncate k8s.io/apiserver/plugin/pkg/audit/webhook k8s.io/apiserver/plugin/pkg/authenticator/token/webhook k8s.io/apiserver/plugin/pkg/authorizer/webhook -# k8s.io/client-go v0.24.12 => k8s.io/client-go v0.24.12 +# k8s.io/client-go v0.24.14 => k8s.io/client-go v0.24.14 ## explicit; go 1.19 k8s.io/client-go/applyconfigurations/admissionregistration/v1 k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1 @@ -1510,7 +1510,7 @@ k8s.io/client-go/util/homedir k8s.io/client-go/util/keyutil k8s.io/client-go/util/retry k8s.io/client-go/util/workqueue -# k8s.io/cloud-provider v0.24.12 => k8s.io/cloud-provider v0.24.12 +# k8s.io/cloud-provider v0.24.14 => k8s.io/cloud-provider v0.24.14 ## explicit; go 1.19 k8s.io/cloud-provider k8s.io/cloud-provider/api @@ -1520,7 +1520,7 @@ k8s.io/cloud-provider/service/helpers k8s.io/cloud-provider/volume k8s.io/cloud-provider/volume/errors k8s.io/cloud-provider/volume/helpers -# k8s.io/component-base v0.24.12 => k8s.io/component-base v0.24.12 +# k8s.io/component-base v0.24.14 => k8s.io/component-base v0.24.14 ## explicit; go 1.19 k8s.io/component-base/cli/flag k8s.io/component-base/codec @@ -1542,7 +1542,7 @@ k8s.io/component-base/metrics/testutil k8s.io/component-base/traces k8s.io/component-base/version k8s.io/component-base/version/verflag -# k8s.io/component-helpers v0.24.12 => k8s.io/component-helpers v0.24.12 +# k8s.io/component-helpers v0.24.14 => k8s.io/component-helpers v0.24.14 ## explicit; go 1.19 k8s.io/component-helpers/apimachinery/lease k8s.io/component-helpers/node/topology @@ -1552,13 +1552,13 @@ k8s.io/component-helpers/scheduling/corev1 k8s.io/component-helpers/scheduling/corev1/nodeaffinity k8s.io/component-helpers/storage/ephemeral k8s.io/component-helpers/storage/volume -# k8s.io/cri-api v0.0.0 => k8s.io/cri-api v0.24.12 +# k8s.io/cri-api v0.0.0 => k8s.io/cri-api v0.24.14 ## explicit; go 1.19 k8s.io/cri-api/pkg/apis k8s.io/cri-api/pkg/apis/runtime/v1 k8s.io/cri-api/pkg/apis/runtime/v1alpha2 k8s.io/cri-api/pkg/errors -# k8s.io/csi-translation-lib v0.24.12 => k8s.io/csi-translation-lib v0.24.12 +# k8s.io/csi-translation-lib v0.24.14 => k8s.io/csi-translation-lib v0.24.14 ## explicit; go 1.19 k8s.io/csi-translation-lib k8s.io/csi-translation-lib/plugins @@ -1586,18 +1586,18 @@ k8s.io/kube-openapi/pkg/spec3 k8s.io/kube-openapi/pkg/util k8s.io/kube-openapi/pkg/util/proto k8s.io/kube-openapi/pkg/validation/spec -# k8s.io/kube-proxy v0.0.0 => k8s.io/kube-proxy v0.24.12 +# k8s.io/kube-proxy v0.0.0 => k8s.io/kube-proxy v0.24.14 ## explicit; go 1.19 k8s.io/kube-proxy/config/v1alpha1 -# k8s.io/kube-scheduler v0.0.0 => k8s.io/kube-scheduler v0.24.12 +# k8s.io/kube-scheduler v0.0.0 => k8s.io/kube-scheduler v0.24.14 ## explicit; go 1.19 k8s.io/kube-scheduler/config/v1beta2 k8s.io/kube-scheduler/config/v1beta3 k8s.io/kube-scheduler/extender/v1 -# k8s.io/kubectl v0.0.0 => k8s.io/kubectl v0.24.12 +# k8s.io/kubectl v0.0.0 => k8s.io/kubectl v0.24.14 ## explicit; go 1.19 k8s.io/kubectl/pkg/scale -# k8s.io/kubelet v0.23.5 => k8s.io/kubelet v0.24.12 +# k8s.io/kubelet v0.23.5 => k8s.io/kubelet v0.24.14 ## explicit; go 1.19 k8s.io/kubelet/config/v1alpha1 k8s.io/kubelet/config/v1beta1 @@ -1611,7 +1611,7 @@ k8s.io/kubelet/pkg/apis/pluginregistration/v1 k8s.io/kubelet/pkg/apis/podresources/v1 k8s.io/kubelet/pkg/apis/podresources/v1alpha1 k8s.io/kubelet/pkg/apis/stats/v1alpha1 -# k8s.io/kubernetes v1.24.12 +# k8s.io/kubernetes v1.24.14 ## explicit; go 1.19 k8s.io/kubernetes/cmd/kube-proxy/app k8s.io/kubernetes/cmd/kubelet/app @@ -1886,7 +1886,7 @@ k8s.io/kubernetes/pkg/volume/vsphere_volume k8s.io/kubernetes/pkg/windows/service k8s.io/kubernetes/test/utils k8s.io/kubernetes/third_party/forked/golang/expansion -# k8s.io/legacy-cloud-providers v0.0.0 => k8s.io/legacy-cloud-providers v0.24.12 +# k8s.io/legacy-cloud-providers v0.0.0 => k8s.io/legacy-cloud-providers v0.24.14 ## explicit; go 1.19 k8s.io/legacy-cloud-providers/aws k8s.io/legacy-cloud-providers/azure @@ -1930,7 +1930,7 @@ k8s.io/legacy-cloud-providers/openstack k8s.io/legacy-cloud-providers/vsphere k8s.io/legacy-cloud-providers/vsphere/vclib k8s.io/legacy-cloud-providers/vsphere/vclib/diskmanagers -# k8s.io/mount-utils v0.24.12 => k8s.io/mount-utils v0.24.12 +# k8s.io/mount-utils v0.24.14 => k8s.io/mount-utils v0.24.14 ## explicit; go 1.19 k8s.io/mount-utils # k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 @@ -1953,7 +1953,7 @@ k8s.io/utils/pointer k8s.io/utils/strings k8s.io/utils/strings/slices k8s.io/utils/trace -# sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.35 +# sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.37 ## explicit; go 1.17 sigs.k8s.io/apiserver-network-proxy/konnectivity-client/pkg/client sigs.k8s.io/apiserver-network-proxy/konnectivity-client/pkg/client/metrics @@ -2025,30 +2025,30 @@ sigs.k8s.io/yaml # github.com/aws/aws-sdk-go/service/eks => github.com/aws/aws-sdk-go/service/eks v1.38.49 # github.com/digitalocean/godo => github.com/digitalocean/godo v1.27.0 # github.com/rancher/go-rancher => github.com/rancher/go-rancher v0.1.0 -# k8s.io/api => k8s.io/api v0.24.12 -# k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.24.12 -# k8s.io/apimachinery => k8s.io/apimachinery v0.24.12 -# k8s.io/apiserver => k8s.io/apiserver v0.24.12 -# k8s.io/cli-runtime => k8s.io/cli-runtime v0.24.12 -# k8s.io/client-go => k8s.io/client-go v0.24.12 -# k8s.io/cloud-provider => k8s.io/cloud-provider v0.24.12 -# k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.24.12 -# k8s.io/code-generator => k8s.io/code-generator v0.24.12 -# k8s.io/component-base => k8s.io/component-base v0.24.12 -# k8s.io/component-helpers => k8s.io/component-helpers v0.24.12 -# k8s.io/controller-manager => k8s.io/controller-manager v0.24.12 -# k8s.io/cri-api => k8s.io/cri-api v0.24.12 -# k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.24.12 -# k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.24.12 -# k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.24.12 -# k8s.io/kube-proxy => k8s.io/kube-proxy v0.24.12 -# k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.24.12 -# k8s.io/kubectl => k8s.io/kubectl v0.24.12 -# k8s.io/kubelet => k8s.io/kubelet v0.24.12 -# k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.24.12 -# k8s.io/metrics => k8s.io/metrics v0.24.12 -# k8s.io/mount-utils => k8s.io/mount-utils v0.24.12 -# k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.24.12 -# k8s.io/sample-cli-plugin => k8s.io/sample-cli-plugin v0.24.12 -# k8s.io/sample-controller => k8s.io/sample-controller v0.24.12 -# k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.24.12 +# k8s.io/api => k8s.io/api v0.24.14 +# k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.24.14 +# k8s.io/apimachinery => k8s.io/apimachinery v0.24.14 +# k8s.io/apiserver => k8s.io/apiserver v0.24.14 +# k8s.io/cli-runtime => k8s.io/cli-runtime v0.24.14 +# k8s.io/client-go => k8s.io/client-go v0.24.14 +# k8s.io/cloud-provider => k8s.io/cloud-provider v0.24.14 +# k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.24.14 +# k8s.io/code-generator => k8s.io/code-generator v0.24.14 +# k8s.io/component-base => k8s.io/component-base v0.24.14 +# k8s.io/component-helpers => k8s.io/component-helpers v0.24.14 +# k8s.io/controller-manager => k8s.io/controller-manager v0.24.14 +# k8s.io/cri-api => k8s.io/cri-api v0.24.14 +# k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.24.14 +# k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.24.14 +# k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.24.14 +# k8s.io/kube-proxy => k8s.io/kube-proxy v0.24.14 +# k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.24.14 +# k8s.io/kubectl => k8s.io/kubectl v0.24.14 +# k8s.io/kubelet => k8s.io/kubelet v0.24.14 +# k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.24.14 +# k8s.io/metrics => k8s.io/metrics v0.24.14 +# k8s.io/mount-utils => k8s.io/mount-utils v0.24.14 +# k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.24.14 +# k8s.io/sample-cli-plugin => k8s.io/sample-cli-plugin v0.24.14 +# k8s.io/sample-controller => k8s.io/sample-controller v0.24.14 +# k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.24.14 diff --git a/cluster-autoscaler/vendor/sigs.k8s.io/apiserver-network-proxy/konnectivity-client/pkg/client/client.go b/cluster-autoscaler/vendor/sigs.k8s.io/apiserver-network-proxy/konnectivity-client/pkg/client/client.go index cb186cefc263..d9c151e9837b 100644 --- a/cluster-autoscaler/vendor/sigs.k8s.io/apiserver-network-proxy/konnectivity-client/pkg/client/client.go +++ b/cluster-autoscaler/vendor/sigs.k8s.io/apiserver-network-proxy/konnectivity-client/pkg/client/client.go @@ -118,6 +118,8 @@ func (cm *connectionManager) closeAll() { // grpcTunnel implements Tunnel type grpcTunnel struct { stream client.ProxyService_ProxyClient + sendLock sync.Mutex + recvLock sync.Mutex clientConn clientConn pendingDial pendingDialManager conns connectionManager @@ -243,20 +245,17 @@ func (t *grpcTunnel) serve(tunnelCtx context.Context) { }() for { - pkt, err := t.stream.Recv() + pkt, err := t.Recv() if err == io.EOF { return } - const segment = commonmetrics.SegmentToClient isClosing := t.isClosing() if err != nil || pkt == nil { if !isClosing { klog.ErrorS(err, "stream read failure") } - metrics.Metrics.ObserveStreamErrorNoPacket(segment, err) return } - metrics.Metrics.ObservePacket(segment, pkt.Type) if isClosing { return } @@ -335,11 +334,23 @@ func (t *grpcTunnel) serve(tunnelCtx context.Context) { case client.PacketType_DATA: resp := pkt.GetData() + if resp.ConnectID == 0 { + klog.ErrorS(nil, "Received packet missing ConnectID", "packetType", "DATA") + continue + } // TODO: flow control conn, ok := t.conns.get(resp.ConnectID) if !ok { - klog.V(1).InfoS("Connection not recognized", "connectionID", resp.ConnectID) + klog.ErrorS(nil, "Connection not recognized", "connectionID", resp.ConnectID, "packetType", "DATA") + t.Send(&client.Packet{ + Type: client.PacketType_CLOSE_REQ, + Payload: &client.Packet_CloseRequest{ + CloseRequest: &client.CloseRequest{ + ConnectID: resp.ConnectID, + }, + }, + }) continue } timer := time.NewTimer((time.Duration)(t.readTimeoutSeconds) * time.Second) @@ -358,7 +369,7 @@ func (t *grpcTunnel) serve(tunnelCtx context.Context) { conn, ok := t.conns.get(resp.ConnectID) if !ok { - klog.V(1).InfoS("Connection not recognized", "connectionID", resp.ConnectID) + klog.V(1).InfoS("Connection not recognized", "connectionID", resp.ConnectID, "packetType", "CLOSE_RSP") continue } close(conn.readCh) @@ -418,18 +429,15 @@ func (t *grpcTunnel) dialContext(requestCtx context.Context, protocol, address s } klog.V(5).InfoS("[tracing] send packet", "type", req.Type) - const segment = commonmetrics.SegmentFromClient - metrics.Metrics.ObservePacket(segment, req.Type) - err := t.stream.Send(req) + err := t.Send(req) if err != nil { - metrics.Metrics.ObserveStreamError(segment, err, req.Type) return nil, err } klog.V(5).Infoln("DIAL_REQ sent to proxy server") c := &conn{ - stream: t.stream, + tunnel: t, random: random, closeTunnel: t.closeTunnel, } @@ -473,10 +481,7 @@ func (t *grpcTunnel) closeDial(dialID int64) { }, }, } - const segment = commonmetrics.SegmentFromClient - metrics.Metrics.ObservePacket(segment, req.Type) - if err := t.stream.Send(req); err != nil { - metrics.Metrics.ObserveStreamError(segment, err, req.Type) + if err := t.Send(req); err != nil { klog.V(5).InfoS("Failed to send DIAL_CLS", "err", err, "dialID", dialID) } t.closeTunnel() @@ -491,6 +496,35 @@ func (t *grpcTunnel) isClosing() bool { return atomic.LoadUint32(&t.closing) != 0 } +func (t *grpcTunnel) Send(pkt *client.Packet) error { + t.sendLock.Lock() + defer t.sendLock.Unlock() + + const segment = commonmetrics.SegmentFromClient + metrics.Metrics.ObservePacket(segment, pkt.Type) + err := t.stream.Send(pkt) + if err != nil && err != io.EOF { + metrics.Metrics.ObserveStreamError(segment, err, pkt.Type) + } + return err +} + +func (t *grpcTunnel) Recv() (*client.Packet, error) { + t.recvLock.Lock() + defer t.recvLock.Unlock() + + const segment = commonmetrics.SegmentToClient + pkt, err := t.stream.Recv() + if err != nil { + if err != io.EOF { + metrics.Metrics.ObserveStreamErrorNoPacket(segment, err) + } + return nil, err + } + metrics.Metrics.ObservePacket(segment, pkt.Type) + return pkt, nil +} + func GetDialFailureReason(err error) (isDialFailure bool, reason metrics.DialFailureReason) { var df *dialFailure if errors.As(err, &df) { diff --git a/cluster-autoscaler/vendor/sigs.k8s.io/apiserver-network-proxy/konnectivity-client/pkg/client/conn.go b/cluster-autoscaler/vendor/sigs.k8s.io/apiserver-network-proxy/konnectivity-client/pkg/client/conn.go index 14384a62cb55..f4d3f788652d 100644 --- a/cluster-autoscaler/vendor/sigs.k8s.io/apiserver-network-proxy/konnectivity-client/pkg/client/conn.go +++ b/cluster-autoscaler/vendor/sigs.k8s.io/apiserver-network-proxy/konnectivity-client/pkg/client/conn.go @@ -24,8 +24,6 @@ import ( "k8s.io/klog/v2" - "sigs.k8s.io/apiserver-network-proxy/konnectivity-client/pkg/client/metrics" - commonmetrics "sigs.k8s.io/apiserver-network-proxy/konnectivity-client/pkg/common/metrics" "sigs.k8s.io/apiserver-network-proxy/konnectivity-client/proto/client" ) @@ -38,7 +36,7 @@ var errConnCloseTimeout = errors.New("close timeout") // conn is an implementation of net.Conn, where the data is transported // over an established tunnel defined by a gRPC service ProxyService. type conn struct { - stream client.ProxyService_ProxyClient + tunnel *grpcTunnel connID int64 random int64 readCh chan []byte @@ -65,11 +63,8 @@ func (c *conn) Write(data []byte) (n int, err error) { klog.V(5).InfoS("[tracing] send req", "type", req.Type) - const segment = commonmetrics.SegmentFromClient - metrics.Metrics.ObservePacket(segment, req.Type) - err = c.stream.Send(req) + err = c.tunnel.Send(req) if err != nil { - metrics.Metrics.ObserveStreamError(segment, err, req.Type) return 0, err } return len(data), err @@ -153,10 +148,7 @@ func (c *conn) Close() error { klog.V(5).InfoS("[tracing] send req", "type", req.Type) - const segment = commonmetrics.SegmentFromClient - metrics.Metrics.ObservePacket(segment, req.Type) - if err := c.stream.Send(req); err != nil { - metrics.Metrics.ObserveStreamError(segment, err, req.Type) + if err := c.tunnel.Send(req); err != nil { return err } diff --git a/cluster-autoscaler/version/version.go b/cluster-autoscaler/version/version.go index 5b7189e31176..f292c4bc7c44 100644 --- a/cluster-autoscaler/version/version.go +++ b/cluster-autoscaler/version/version.go @@ -17,4 +17,4 @@ limitations under the License. package version // ClusterAutoscalerVersion contains version of CA. -const ClusterAutoscalerVersion = "1.24.1" +const ClusterAutoscalerVersion = "1.24.2"