diff --git a/SPECS/moby-containerd-cc/fix_cc_tests_for_golang1.21.patch b/SPECS/moby-containerd-cc/fix_cc_tests_for_golang1.21.patch new file mode 100644 index 00000000000..eb93509f8f6 --- /dev/null +++ b/SPECS/moby-containerd-cc/fix_cc_tests_for_golang1.21.patch @@ -0,0 +1,47 @@ +Backported from upstream 5d9bf7d1398f645882e5c2becc7815daa1770c26 + +Signed-off-by: Akihiro Suda +Signed-off-by: Henry Beberman + +diff -Naur a/contrib/apparmor/apparmor.go b/contrib/apparmor/apparmor.go +--- a/contrib/apparmor/apparmor.go 2024-02-09 13:19:03.000000000 +0000 ++++ b/contrib/apparmor/apparmor.go 2024-02-22 00:22:43.993021818 +0000 +@@ -39,6 +39,11 @@ + + // WithDefaultProfile will generate a default apparmor profile under the provided name + // for the container. It is only generated if a profile under that name does not exist. ++// ++// FIXME: pkg/cri/[sb]server/container_create_linux_test.go depends on go:noinline ++// since Go 1.21. ++// ++//go:noinline + func WithDefaultProfile(name string) oci.SpecOpts { + return func(_ context.Context, _ oci.Client, _ *containers.Container, s *specs.Spec) error { + if err := LoadDefaultProfile(name); err != nil { +diff -Naur a/contrib/seccomp/seccomp.go b/contrib/seccomp/seccomp.go +--- a/contrib/seccomp/seccomp.go 2024-02-09 13:19:03.000000000 +0000 ++++ b/contrib/seccomp/seccomp.go 2024-02-22 00:49:25.471844786 +0000 +@@ -30,6 +30,11 @@ + // WithProfile receives the name of a file stored on disk comprising a json + // formatted seccomp profile, as specified by the opencontainers/runtime-spec. + // The profile is read from the file, unmarshaled, and set to the spec. ++// ++// FIXME: pkg/cri/[sb]server/container_create_linux_test.go depends on go:noinline ++// since Go 1.21. ++// ++//go:noinline + func WithProfile(profile string) oci.SpecOpts { + return func(_ context.Context, _ oci.Client, _ *containers.Container, s *specs.Spec) error { + s.Linux.Seccomp = &specs.LinuxSeccomp{} +@@ -46,6 +51,11 @@ + + // WithDefaultProfile sets the default seccomp profile to the spec. + // Note: must follow the setting of process capabilities ++// ++// FIXME: pkg/cri/[sb]server/container_create_linux_test.go depends on go:noinline ++// since Go 1.21. ++// ++//go:noinline + func WithDefaultProfile() oci.SpecOpts { + return func(_ context.Context, _ oci.Client, _ *containers.Container, s *specs.Spec) error { + s.Linux.Seccomp = DefaultProfile(s) diff --git a/SPECS/moby-containerd-cc/moby-containerd-cc.spec b/SPECS/moby-containerd-cc/moby-containerd-cc.spec index a6a589dc51e..7c252de2057 100644 --- a/SPECS/moby-containerd-cc/moby-containerd-cc.spec +++ b/SPECS/moby-containerd-cc/moby-containerd-cc.spec @@ -6,7 +6,7 @@ Summary: Industry-standard container runtime for confidential containers Name: moby-%{upstream_name} Version: 1.7.7 -Release: 1%{?dist} +Release: 2%{?dist} License: ASL 2.0 Group: Tools/Container URL: https://www.containerd.io @@ -18,6 +18,7 @@ Source1: containerd.service Source2: containerd.toml Patch0: CVE-2023-47108.patch Patch1: CVE-2023-44487.patch +Patch2: fix_cc_tests_for_golang1.21.patch %{?systemd_requires} @@ -79,6 +80,9 @@ fi %config(noreplace) %{_sysconfdir}/containerd/config.toml %changelog +* Wed Feb 21 2024 Henry Beberman - 1.7.7-2 +- Backport upstream patch for no-inlining seccomp and apparmor functions to fix tests. + * Tue Feb 20 2024 Mitch Zhu - 1.7.7-1 - Upgrade to upstream containerd v1.7.7. diff --git a/SPECS/moby-containerd/fix_tests_for_golang1.21.patch b/SPECS/moby-containerd/fix_tests_for_golang1.21.patch new file mode 100644 index 00000000000..e777c5fc4a1 --- /dev/null +++ b/SPECS/moby-containerd/fix_tests_for_golang1.21.patch @@ -0,0 +1,47 @@ +Backported from upstream 5d9bf7d1398f645882e5c2becc7815daa1770c26 + +Signed-off-by: Akihiro Suda +Signed-off-by: Henry Beberman + +diff -Naur a/contrib/apparmor/apparmor.go b/contrib/apparmor/apparmor.go +--- a/contrib/apparmor/apparmor.go 2023-12-08 23:30:22.000000000 +0000 ++++ b/contrib/apparmor/apparmor.go 2024-02-21 23:33:58.302514996 +0000 +@@ -40,6 +40,11 @@ + + // WithDefaultProfile will generate a default apparmor profile under the provided name + // for the container. It is only generated if a profile under that name does not exist. ++// ++// FIXME: pkg/cri/[sb]server/container_create_linux_test.go depends on go:noinline ++// since Go 1.21. ++// ++//go:noinline + func WithDefaultProfile(name string) oci.SpecOpts { + return func(_ context.Context, _ oci.Client, _ *containers.Container, s *specs.Spec) error { + if err := LoadDefaultProfile(name); err != nil { +diff -Naur a/contrib/seccomp/seccomp.go b/contrib/seccomp/seccomp.go +--- a/contrib/seccomp/seccomp.go 2023-12-08 23:30:22.000000000 +0000 ++++ b/contrib/seccomp/seccomp.go 2024-02-21 23:34:20.362648277 +0000 +@@ -30,6 +30,11 @@ + // WithProfile receives the name of a file stored on disk comprising a json + // formatted seccomp profile, as specified by the opencontainers/runtime-spec. + // The profile is read from the file, unmarshaled, and set to the spec. ++// ++// FIXME: pkg/cri/[sb]server/container_create_linux_test.go depends on go:noinline ++// since Go 1.21. ++// ++//go:noinline + func WithProfile(profile string) oci.SpecOpts { + return func(_ context.Context, _ oci.Client, _ *containers.Container, s *specs.Spec) error { + s.Linux.Seccomp = &specs.LinuxSeccomp{} +@@ -46,6 +51,11 @@ + + // WithDefaultProfile sets the default seccomp profile to the spec. + // Note: must follow the setting of process capabilities ++// ++// FIXME: pkg/cri/[sb]server/container_create_linux_test.go depends on go:noinline ++// since Go 1.21. ++// ++//go:noinline + func WithDefaultProfile() oci.SpecOpts { + return func(_ context.Context, _ oci.Client, _ *containers.Container, s *specs.Spec) error { + s.Linux.Seccomp = DefaultProfile(s) diff --git a/SPECS/moby-containerd/moby-containerd.spec b/SPECS/moby-containerd/moby-containerd.spec index 4083bc5d059..bac51fa79c9 100644 --- a/SPECS/moby-containerd/moby-containerd.spec +++ b/SPECS/moby-containerd/moby-containerd.spec @@ -5,7 +5,7 @@ Summary: Industry-standard container runtime Name: moby-%{upstream_name} Version: 1.6.26 -Release: 3%{?dist} +Release: 4%{?dist} License: ASL 2.0 Group: Tools/Container URL: https://www.containerd.io @@ -17,6 +17,7 @@ Source1: containerd.service Source2: containerd.toml Patch0: Makefile.patch Patch1: add_ptrace_readby_tracedby_to_apparmor.patch +Patch2: fix_tests_for_golang1.21.patch %{?systemd_requires} @@ -90,6 +91,9 @@ fi %dir /opt/containerd/lib %changelog +* Wed Feb 21 2024 Henry Beberman - 1.6.26-4 +- Backport upstream patch for no-inlining seccomp and apparmor functions to fix tests. + * Fri Feb 02 2024 CBL-Mariner Servicing Account - 1.6.26-3 - Bump release to rebuild with go 1.21.6