
Merge pull request #30729 from dmcgowan/update-go-connections

Update go-connections package
Kenfe-Mickaël Laventure 8 years ago
parent
commit
d8b0d2b9e9

+ 32 - 0
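--- a/pkg/listeners/group_unix.go
+++ b/pkg/listeners/group_unix.go
@@ -0,0 +1,32 @@
+// +build !windows
+
+package listeners
+
+import (
+	"fmt"
+	"strconv"
+
+	"github.com/opencontainers/runc/libcontainer/user"
+	"github.com/pkg/errors"
+)
+
+func lookupGID(name string) (int, error) {
+	groupFile, err := user.GetGroupPath()
+	if err != nil {
+		return -1, errors.Wrap(err, "error looking up groups")
+	}
+	groups, err := user.ParseGroupFileFilter(groupFile, func(g user.Group) bool {
+		return g.Name == name || strconv.Itoa(g.Gid) == name
+	})
+	if err != nil {
+		return -1, errors.Wrapf(err, "error parsing groups for %s", name)
+	}
+	if groups != nil && len(groups) > 0 {
+		return groups[0].Gid, nil
+	}
+	gid, err := strconv.Atoi(name)
+	if err == nil {
+		return gid, nil
+	}
+	return -1, fmt.Errorf("group %s not found", name)
+}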
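Review bot: The numeric fallback at the end of `lookupGID` returns whatever `strconv.Atoi` accepts, so a GID that is absent from the group file, or a negative value such as `-1` (which `os.Chown` treats as "leave unchanged"), is handed back without any trace; the vendored `lookupGidByName` this replaces at least logged `Could not find GID`. The result is passed through `NewUnixSocket` to `os.Chown` on the listening socket, so a mistyped number decides which group can reach the API. I would reject negatives with `if err == nil && gid >= 0 {` and put a comment above the fallback such as `// name is numeric but not in the group file; accepted as a raw GID`. Smaller style points: `groups != nil && len(groups) > 0` can be `len(groups) > 0`, and `%q` instead of `%s` would make an empty name visible in the two error messages.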

+ 5 - 1
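--- a/pkg/listeners/listeners_solaris.go
+++ b/pkg/listeners/listeners_solaris.go
@@ -18,7 +18,11 @@ func Init(proto, addr, socketGroup string, tlsConfig *tls.Config) (ls []net.List
 		}
 		ls = append(ls, l)
 	case "unix":
-		l, err := sockets.NewUnixSocket(addr, socketGroup)
+		gid, err := lookupGID(socketGroup)
+		if err != nil {
+			return nil, err
+		}
+		l, err := sockets.NewUnixSocket(addr, gid)
 		if err != nil {
 			return nil, fmt.Errorf("can't create unix socket %s: %v", addr, err)
 		}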
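Review bot: An empty `socketGroup` now makes the `unix` case fail, because `lookupGID("")` normally matches no group entry and `strconv.Atoi("")` errors, whereas the removed `setSocketGroup` returned nil for an empty group and only debug-logged a failed change to the `docker` group. If callers can pass an empty or default group (not visible here), handle that before the lookup, for example by guarding the call with `if socketGroup != "" {` and choosing the fallback gid explicitly, so the socket's group ownership is a deliberate decision rather than an error path. The same applies to the identical hunk in pkg/listeners/listeners_unix.go. `Init` begins and ends outside this hunk.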

+ 5 - 1
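--- a/pkg/listeners/listeners_unix.go
+++ b/pkg/listeners/listeners_unix.go
@@ -31,7 +31,11 @@ func Init(proto, addr, socketGroup string, tlsConfig *tls.Config) ([]net.Listene
 		}
 		ls = append(ls, l)
 	case "unix":
-		l, err := sockets.NewUnixSocket(addr, socketGroup)
+		gid, err := lookupGID(socketGroup)
+		if err != nil {
+			return nil, err
+		}
+		l, err := sockets.NewUnixSocket(addr, gid)
 		if err != nil {
 			return nil, fmt.Errorf("can't create unix socket %s: %v", addr, err)
 		}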

+ 1 - 1
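--- a/vendor.conf
+++ b/vendor.conf
@@ -16,7 +16,7 @@ github.com/vdemeester/shakers 24d7f1d6a71aa5d9cbe7390e4afb66b7eef9e1b3
 golang.org/x/net c427ad74c6d7a814201695e9ffde0c5d400a7674
 golang.org/x/sys 8f0908ab3b2457e2e15403d3697c9ef5cb4b57a9
 github.com/docker/go-units 9e638d38cf6977a37a8ea0078f3ee75a7cdb2dd1
-github.com/docker/go-connections 4ccf312bf1d35e5dbda654e57a9be4c3f3cd0366
+github.com/docker/go-connections 7da10c8c50cad14494ec818dcdfb6506265c0086
 golang.org/x/text f72d8390a633d5dfb0cc84043294db9f6c935756
 
 github.com/RackSec/srslog 456df3a81436d29ba874f3590eeeee25d666f8a5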

+ 4 - 52
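--- a/vendor/github.com/docker/go-connections/sockets/unix_socket.go
+++ b/vendor/github.com/docker/go-connections/sockets/unix_socket.go
@@ -1,30 +1,26 @@
-// +build linux freebsd solaris
+// +build !windows
 
 package sockets
 
 import (
-	"fmt"
 	"net"
 	"os"
-	"strconv"
 	"syscall"
-
-	"github.com/Sirupsen/logrus"
-	"github.com/opencontainers/runc/libcontainer/user"
 )
 
 // NewUnixSocket creates a unix socket with the specified path and group.
-func NewUnixSocket(path, group string) (net.Listener, error) {
+func NewUnixSocket(path string, gid int) (net.Listener, error) {
 	if err := syscall.Unlink(path); err != nil && !os.IsNotExist(err) {
 		return nil, err
 	}
 	mask := syscall.Umask(0777)
 	defer syscall.Umask(mask)
+
 	l, err := net.Listen("unix", path)
 	if err != nil {
 		return nil, err
 	}
-	if err := setSocketGroup(path, group); err != nil {
+	if err := os.Chown(path, 0, gid); err != nil {
 		l.Close()
 		return nil, err
 	}
@@ -34,47 +30,3 @@ func NewUnixSocket(path, group string) (net.Listener, error) {
 	}
 	return l, nil
 }
-
-func setSocketGroup(path, group string) error {
-	if group == "" {
-		return nil
-	}
-	if err := changeGroup(path, group); err != nil {
-		if group != "docker" {
-			return err
-		}
-		logrus.Debugf("Warning: could not change group %s to docker: %v", path, err)
-	}
-	return nil
-}
-
-func changeGroup(path string, nameOrGid string) error {
-	gid, err := lookupGidByName(nameOrGid)
-	if err != nil {
-		return err
-	}
-	logrus.Debugf("%s group found. gid: %d", nameOrGid, gid)
-	return os.Chown(path, 0, gid)
-}
-
-func lookupGidByName(nameOrGid string) (int, error) {
-	groupFile, err := user.GetGroupPath()
-	if err != nil {
-		return -1, err
-	}
-	groups, err := user.ParseGroupFileFilter(groupFile, func(g user.Group) bool {
-		return g.Name == nameOrGid || strconv.Itoa(g.Gid) == nameOrGid
-	})
-	if err != nil {
-		return -1, err
-	}
-	if groups != nil && len(groups) > 0 {
-		return groups[0].Gid, nil
-	}
-	gid, err := strconv.Atoi(nameOrGid)
-	if err == nil {
-		logrus.Warnf("Could not find GID %d", gid)
-		return gid, nil
-	}
-	return -1, fmt.Errorf("Group %s not found", nameOrGid)
-}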

+ 1 - 1
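--- a/vendor/github.com/docker/go-connections/tlsconfig/certpool_go17.go
+++ b/vendor/github.com/docker/go-connections/tlsconfig/certpool_go17.go
@@ -14,7 +14,7 @@ import (
 func SystemCertPool() (*x509.CertPool, error) {
 	certpool, err := x509.SystemCertPool()
 	if err != nil && runtime.GOOS == "windows" {
-		logrus.Warnf("Unable to use system certificate pool: %v", err)
+		logrus.Infof("Unable to use system certificate pool: %v", err)
 		return x509.NewCertPool(), nil
 	}
 	return certpool, err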

+ 1 - 1
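--- a/vendor/github.com/docker/go-connections/tlsconfig/config.go
+++ b/vendor/github.com/docker/go-connections/tlsconfig/config.go
@@ -118,7 +118,7 @@ func Server(options Options) (*tls.Config, error) {
 		return nil, fmt.Errorf("Error reading X509 key pair (cert: %q, key: %q): %v. Make sure the key is not encrypted.", options.CertFile, options.KeyFile, err)
 	}
 	tlsConfig.Certificates = []tls.Certificate{tlsCert}
-	if options.ClientAuth >= tls.VerifyClientCertIfGiven {
+	if options.ClientAuth >= tls.VerifyClientCertIfGiven && options.CAFile != "" {
 		CAs, err := certPool(options.CAFile)
 		if err != nil {
 			return nil, err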