diff --git a/vendor.conf b/vendor.conf
index 02f0d46d04..a3e3b876ef 100644
--- a/vendor.conf
+++ b/vendor.conf
@@ -127,7 +127,7 @@ github.com/googleapis/gax-go bd5b16380fd03dc758d11cef74ba
 google.golang.org/genproto 3f1135a288c9a07e340ae8ba4cc6c7065a3160e8
 # containerd
-github.com/containerd/containerd 72cec4be58a9eb6b2910f5d10f1c01ca47d231c0 # v1.5.5
+github.com/containerd/containerd 8686ededfc90076914c5238eb96c883ea093a8ba # v1.5.7
 github.com/containerd/fifo 650e8a8a179d040123db61f016cb133143e7a581 # v1.0.0
 github.com/containerd/continuity bce1c3f9669b6f3e7f6656ee715b0b4d75fa64a6 # v0.1.0
 github.com/containerd/cgroups b9de8a2212026c07cec67baf3323f1fc0121e048 # v1.0.1
diff --git a/vendor/github.com/containerd/containerd/container_opts.go b/vendor/github.com/containerd/containerd/container_opts.go
index 3a851fd2a0..024d6e10b6 100644
--- a/vendor/github.com/containerd/containerd/container_opts.go
+++ b/vendor/github.com/containerd/containerd/container_opts.go
@@ -18,14 +18,19 @@ package containerd
 import (
 "context"
+ "encoding/json"
+ "fmt"
 "github.com/containerd/containerd/containers"
+ "github.com/containerd/containerd/content"
 "github.com/containerd/containerd/errdefs"
+ "github.com/containerd/containerd/images"
 "github.com/containerd/containerd/oci"
 "github.com/containerd/containerd/snapshots"
 "github.com/containerd/typeurl"
 "github.com/gogo/protobuf/types"
 "github.com/opencontainers/image-spec/identity"
+ v1 "github.com/opencontainers/image-spec/specs-go/v1"
 "github.com/pkg/errors"
 )
@@ -95,6 +100,39 @@ func WithContainerLabels(labels map[string]string) NewContainerOpts {
 }
 }
+// WithImageConfigLabels sets the image config labels on the container.
+// The existing labels are cleared as this is expected to be the first
+// operation in setting up a container's labels. Use WithAdditionalContainerLabels
+// to add/overwrite the existing image config labels.
+func WithImageConfigLabels(image Image) NewContainerOpts {
+ return func(ctx context.Context, _ *Client, c *containers.Container) error {
+ ic, err := image.Config(ctx)
+ if err != nil {
+ return err
+ }
+ var (
+ ociimage v1.Image
+ config v1.ImageConfig
+ )
+ switch ic.MediaType {
+ case v1.MediaTypeImageConfig, images.MediaTypeDockerSchema2Config:
+ p, err := content.ReadBlob(ctx, image.ContentStore(), ic)
+ if err != nil {
+ return err
+ }
+
+ if err := json.Unmarshal(p, &ociimage); err != nil {
+ return err
+ }
+ config = ociimage.Config
+ default:
+ return fmt.Errorf("unknown image config media type %s", ic.MediaType)
+ }
+ c.Labels = config.Labels
+ return nil
+ }
+}
+
 // WithAdditionalContainerLabels adds the provided labels to the container
 // The existing labels are preserved as long as they do not conflict with the added labels.
 func WithAdditionalContainerLabels(labels map[string]string) NewContainerOpts {
diff --git a/vendor/github.com/containerd/containerd/content/helpers.go b/vendor/github.com/containerd/containerd/content/helpers.go
index 4c4a35308e..00fae1fc80 100644
--- a/vendor/github.com/containerd/containerd/content/helpers.go
+++ b/vendor/github.com/containerd/containerd/content/helpers.go
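Review bot: `c.Labels = config.Labels` installs the image config's label map verbatim, and those keys and values are image-author-controlled content, so the doc comment should say so and every consumer of container labels has to treat them as untrusted input; if the metadata store does not already bound label key and value sizes on container create, that is where the limit belongs. Suggested addition to the doc comment: `// The labels are read from the image config blob and are not validated here.` The errors from `image.Config` and `content.ReadBlob` are returned bare, which drops the digest context; the file already imports pkg/errors, so `return errors.Wrapf(err, "reading image config %s", ic.Digest)` would match the rest of the package. The `p, err :=` inside the `case` shadows the outer `err`, harmless today but easy to trip over if the branch grows.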
@@ -144,9 +144,14 @@ func Copy(ctx context.Context, cw Writer, r io.Reader, size int64, expected dige
 }
 }
- if _, err := copyWithBuffer(cw, r); err != nil {
+ copied, err := copyWithBuffer(cw, r)
+ if err != nil {
 return errors.Wrap(err, "failed to copy")
 }
+ if size != 0 && copied < size-ws.Offset {
+ // Short writes would return its own error, this indicates a read failure
+ return errors.Wrapf(io.ErrUnexpectedEOF, "failed to read expected number of bytes")
+ }
 if err := cw.Commit(ctx, size, expected, opts...); err != nil {
 if !errdefs.IsAlreadyExists(err) {
@@ -165,8 +170,15 @@ func CopyReaderAt(cw Writer, ra ReaderAt, n int64) error {
 return err
 }
- _, err = copyWithBuffer(cw, io.NewSectionReader(ra, ws.Offset, n))
- return err
+ copied, err := copyWithBuffer(cw, io.NewSectionReader(ra, ws.Offset, n))
+ if err != nil {
+ return errors.Wrap(err, "failed to copy")
+ }
+ if copied < n {
+ // Short writes would return its own error, this indicates a read failure
+ return errors.Wrap(io.ErrUnexpectedEOF, "failed to read expected number of bytes")
+ }
+ return nil
 }
 // CopyReader copies to a writer from a given reader, returning
diff --git a/vendor/github.com/containerd/containerd/go.mod b/vendor/github.com/containerd/containerd/go.mod
index 3c32d1eb87..81e9c8019b 100644
--- a/vendor/github.com/containerd/containerd/go.mod
+++ b/vendor/github.com/containerd/containerd/go.mod
@@ -4,7 +4,7 @@ go 1.16
 require (
 github.com/Microsoft/go-winio v0.4.17
- github.com/Microsoft/hcsshim v0.8.18
+ github.com/Microsoft/hcsshim v0.8.21
 github.com/containerd/aufs v1.0.0
 github.com/containerd/btrfs v1.0.0
 github.com/containerd/cgroups v1.0.1
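Review bot: The two new short-read checks disagree: `Copy` compares `copied` against `size-ws.Offset`, while `CopyReaderAt` compares against the full `n` even though its section reader starts at `ws.Offset`, so a writer resumed at a non-zero offset whose caller passes the blob's total size would get a spurious `io.ErrUnexpectedEOF` for a complete copy (if every caller guarantees a fresh writer at offset 0 this is harmless, but then the offset passed to `NewSectionReader` is doing nothing). Either align it with `Copy`, `if copied < n-ws.Offset {`, or document on `CopyReaderAt` that `n` is the number of bytes remaining from `ws.Offset`. `errors.Wrapf(io.ErrUnexpectedEOF, ...)` in `Copy` has no format arguments and should be `errors.Wrap`, as the `CopyReaderAt` hunk already does. Both `Copy` and `CopyReaderAt` begin outside their hunks.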
@@ -33,14 +33,14 @@ require (
 github.com/google/uuid v1.2.0
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0
 github.com/hashicorp/go-multierror v1.0.0
- github.com/imdario/mergo v0.3.11
+ github.com/imdario/mergo v0.3.12
 github.com/klauspost/compress v1.11.13
 github.com/moby/locker v1.0.1
 github.com/moby/sys/mountinfo v0.4.1
 github.com/moby/sys/symlink v0.1.0
 github.com/opencontainers/go-digest v1.0.0
 github.com/opencontainers/image-spec v1.0.1
- github.com/opencontainers/runc v1.0.1
+ github.com/opencontainers/runc v1.0.2
 github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
 github.com/opencontainers/selinux v1.8.2
 github.com/pelletier/go-toml v1.8.1
diff --git a/vendor/github.com/containerd/containerd/metadata/content.go b/vendor/github.com/containerd/containerd/metadata/content.go
index a3858afec8..ee68ccfe1e 100644
--- a/vendor/github.com/containerd/containerd/metadata/content.go
+++ b/vendor/github.com/containerd/containerd/metadata/content.go
@@ -551,13 +551,13 @@ func (nw *namespacedWriter) createAndCopy(ctx context.Context, desc ocispec.Desc
 if desc.Size > 0 {
 ra, err := nw.provider.ReaderAt(ctx, nw.desc)
 if err != nil {
+ w.Close()
 return err
 }
 defer ra.Close()
 if err := content.CopyReaderAt(w, ra, desc.Size); err != nil {
- nw.w.Close()
- nw.w = nil
+ w.Close()
 return err
 }
 }
diff --git a/vendor/github.com/containerd/containerd/oci/spec_opts_linux.go b/vendor/github.com/containerd/containerd/oci/spec_opts_linux.go
index 9c5fd6c84d..ae8c0a7d8f 100644
--- a/vendor/github.com/containerd/containerd/oci/spec_opts_linux.go
+++ b/vendor/github.com/containerd/containerd/oci/spec_opts_linux.go
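Review bot: Both new `w.Close()` calls in `createAndCopy` discard the close error, and the removed `nw.w = nil` reset is not replaced; if `nw.w` is already pointed at `w` before this block (the function's start is outside the hunk), a failed copy now leaves the field referencing a closed writer, so confirm the assignment happens only on the success path. The discarded error looks like deliberate best-effort cleanup and should be marked as such so a linter or the next reader does not re-raise it, e.g. `w.Close() // best-effort cleanup; the copy error is the one reported`. `createAndCopy` starts and ends outside the hunk.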
@@ -48,13 +48,13 @@ func WithDevices(devicePath, containerPath, permissions string) SpecOpts {
 if err != nil {
 return err
 }
- for _, dev := range devs {
- s.Linux.Devices = append(s.Linux.Devices, dev)
+ for i := range devs {
+ s.Linux.Devices = append(s.Linux.Devices, devs[i])
 s.Linux.Resources.Devices = append(s.Linux.Resources.Devices, specs.LinuxDeviceCgroup{
 Allow: true,
- Type: dev.Type,
- Major: &dev.Major,
- Minor: &dev.Minor,
+ Type: devs[i].Type,
+ Major: &devs[i].Major,
+ Minor: &devs[i].Minor,
 Access: permissions,
 })
 }
diff --git a/vendor/github.com/containerd/containerd/runtime/v1/linux/bundle.go b/vendor/github.com/containerd/containerd/runtime/v1/linux/bundle.go
index 9d0a6c4478..48d81e8e09 100644
--- a/vendor/github.com/containerd/containerd/runtime/v1/linux/bundle.go
+++ b/vendor/github.com/containerd/containerd/runtime/v1/linux/bundle.go
@@ -21,6 +21,7 @@ package linux
 import (
 "context"
 "crypto/sha256"
+ "encoding/json"
 "fmt"
 "io/ioutil"
 "os"
@@ -30,6 +31,7 @@ import (
 "github.com/containerd/containerd/runtime/linux/runctypes"
 "github.com/containerd/containerd/runtime/v1/shim"
 "github.com/containerd/containerd/runtime/v1/shim/client"
+ "github.com/opencontainers/runtime-spec/specs-go"
 "github.com/pkg/errors"
 )
@@ -48,7 +50,7 @@ func newBundle(id, path, workDir string, spec []byte) (b *bundle, err error) {
 return nil, err
 }
 path = filepath.Join(path, id)
- if err := os.Mkdir(path, 0711); err != nil {
+ if err := os.Mkdir(path, 0700); err != nil {
 return nil, err
 }
 defer func() {
@@ -56,6 +58,9 @@ func newBundle(id, path, workDir string, spec []byte) (b *bundle, err error) {
 os.RemoveAll(path)
 }
 }()
+ if err := prepareBundleDirectoryPermissions(path, spec); err != nil {
+ return nil, err
+ }
 workDir = filepath.Join(workDir, id)
 if err := os.MkdirAll(workDir, 0711); err != nil {
 return nil, err
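Review bot: The move from `for _, dev := range devs` to indexing is there because `&dev.Major` and `&dev.Minor` previously pointed at the single loop variable, so every cgroup rule ended up referencing whichever device was visited last; nothing in the hunk records that, and a future "simplify to range-by-value" cleanup would quietly reintroduce it. Suggest a comment on the loop: `// index rather than range-by-value: &devs[i].Major/Minor must point at distinct elements`. If `s.Linux.Resources` is not guaranteed non-nil before this loop (the function's start is outside the hunk), the `s.Linux.Resources.Devices` append dereferences nil. `Access: permissions` is also passed through as given, which is fine only if the caller restricts it to the rwm alphabet; a one-line doc note on `WithDevices` would make that contract explicit.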
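Review bot: The bundle directory is tightened to `0700` and then adjusted by `prepareBundleDirectoryPermissions`, but the work directory two lines below is still created with `os.MkdirAll(workDir, 0711)` and so stays world-searchable; if it holds per-container state it deserves the same treatment, and if it has to remain traversable for the shim a comment saying why would stop the next reader from re-raising it. The same applies in the `@@ -56,6 +58,9` hunk, where the prepare error is returned bare; `return nil, errors.Wrap(err, "preparing bundle directory permissions")` would match the file's pkg/errors usage and name which step failed. `newBundle` starts and ends outside these hunks.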
@@ -77,6 +82,55 @@ func newBundle(id, path, workDir string, spec []byte) (b *bundle, err error) {
 }, err
 }
+// prepareBundleDirectoryPermissions prepares the permissions of the bundle
+// directory. When user namespaces are enabled, the permissions are modified
+// to allow the remapped root GID to access the bundle.
+func prepareBundleDirectoryPermissions(path string, spec []byte) error {
+ gid, err := remappedGID(spec)
+ if err != nil {
+ return err
+ }
+ if gid == 0 {
+ return nil
+ }
+ if err := os.Chown(path, -1, int(gid)); err != nil {
+ return err
+ }
+ return os.Chmod(path, 0710)
+}
+
+// ociSpecUserNS is a subset of specs.Spec used to reduce garbage during
+// unmarshal.
+type ociSpecUserNS struct {
+ Linux *linuxSpecUserNS
+}
+
+// linuxSpecUserNS is a subset of specs.Linux used to reduce garbage during
+// unmarshal.
+type linuxSpecUserNS struct {
+ GIDMappings []specs.LinuxIDMapping
+}
+
+// remappedGID reads the remapped GID 0 from the OCI spec, if it exists. If
+// there is no remapping, remappedGID returns 0. If the spec cannot be parsed,
+// remappedGID returns an error.
+func remappedGID(spec []byte) (uint32, error) {
+ var ociSpec ociSpecUserNS
+ err := json.Unmarshal(spec, &ociSpec)
+ if err != nil {
+ return 0, err
+ }
+ if ociSpec.Linux == nil || len(ociSpec.Linux.GIDMappings) == 0 {
+ return 0, nil
+ }
+ for _, mapping := range ociSpec.Linux.GIDMappings {
+ if mapping.ContainerID == 0 {
+ return mapping.HostID, nil
+ }
+ }
+ return 0, nil
+}
+
 type bundle struct {
 id string
 path string
diff --git a/vendor/github.com/containerd/containerd/version/version.go b/vendor/github.com/containerd/containerd/version/version.go
index 9b53cb13e9..b0d1fd48cf 100644
--- a/vendor/github.com/containerd/containerd/version/version.go
+++ b/vendor/github.com/containerd/containerd/version/version.go
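Review bot: `os.Chown(path, -1, int(gid))` narrows a `uint32` to `int`; on 32-bit builds a host GID above `math.MaxInt32` wraps negative, and `-1` in particular tells chown to leave the group unchanged, so the directory would silently stay group-root while the `0710` chmod still runs. A guard before the call, `if gid > math.MaxInt32 { return errors.Errorf("remapped gid %d out of range", gid) }` (the `math` import is not in the import hunk shown), closes that, and a unit test feeding `remappedGID` a spec with and without a `ContainerID: 0` mapping would pin the parsing. `remappedGID` also treats a mapping with `Size: 0` as a real remap and returns the first `ContainerID == 0` entry even if later ones overlap; both are harmless today but worth a sentence in its doc comment so the contract is explicit.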
@@ -23,7 +23,7 @@ var (
 Package = "github.com/containerd/containerd"
 // Version holds the complete version number. Filled in at linking time.
- Version = "1.5.5+unknown"
+ Version = "1.5.7+unknown"
 // Revision is filled with the VCS (e.g. git) revision being used to build
 // the program at linking time.