Merge pull request #28590 from mlaventure/update-containerd

Update containerd & runc

hack/dockerfile/binaries-commits

@@ -1,8 +1,8 @@
 #!/bin/sh
 
 TOMLV_COMMIT=9baf8a8a9f2ed20a8e54160840c492f937eeaf9a
-RUNC_COMMIT=ac031b5bf1cc92239461125f4c1ffb760522bbf2
-CONTAINERD_COMMIT=8517738ba4b82aff5662c97ca4627e7e4d03b531
+RUNC_COMMIT=51371867a01c467f08af739783b8beafc15
+CONTAINERD_COMMIT=03e5862ec0d8d3b3f750e19fca3ee367e13c090e
 TINI_COMMIT=949e6facb77383876aeff8a6944dde66b3089574
 LIBNETWORK_COMMIT=0f534354b813003a754606689722fe253101bc4e
 VNDR_COMMIT=f56bd4504b4fad07a357913687fb652ee54bb3b0

vendor.conf

@@ -59,7 +59,7 @@ github.com/miekg/pkcs11 df8ae6ca730422dba20c768ff38ef7d79077a59f
 github.com/docker/go v1.5.1-1-1-gbaf439e
 github.com/agl/ed25519 d2b94fd789ea21d12fac1a4443dd3a3f79cda72c
 
-github.com/opencontainers/runc ac031b5bf1cc92239461125f4c1ffb760522bbf2 # libcontainer
+github.com/opencontainers/runc 51371867a01c467f08af739783b8beafc15 # libcontainer
 github.com/opencontainers/runtime-spec 1c7c27d043c2a5e513a44084d2b10d77d1402b8c # specs
 github.com/seccomp/libseccomp-golang 32f571b70023028bd57d9288c20efbcb237f3ce0
 # libcontainer deps (see src/github.com/opencontainers/runc/Godeps/Godeps.json)
@@ -96,7 +96,7 @@ google.golang.org/cloud dae7e3d993bc3812a2185af60552bb6b847e52a0
 github.com/docker/docker-credential-helpers f72c04f1d8e71959a6d103f808c50ccbad79b9fd
 
 # containerd
-github.com/docker/containerd 8517738ba4b82aff5662c97ca4627e7e4d03b531
+github.com/docker/containerd 03e5862ec0d8d3b3f750e19fca3ee367e13c090e
 github.com/tonistiigi/fifo 1405643975692217d6720f8b54aeee1bf2cd5cf4
 
 # cluster

vendor/github.com/opencontainers/runc/libcontainer/nsenter/nsexec.c

@@ -598,11 +598,11 @@ void nsexec(void)
 
 	/*
 	 * Stage 1: We're in the first child process. Our job is to join any
-	 *          provided user namespaces in the netlink payload. If we've been
-	 *          asked to CLONE_NEWUSER, we will unshare the user namespace and
-	 *          ask our parent (stage 0) to set up our user mappings for us.
-	 *          Then, we unshare the rest of the requested namespaces and
-	 *          create a new child (stage 2: JUMP_INIT).  We then send the
+	 *          provided namespaces in the netlink payload and unshare all
+	 *          of the requested namespaces. If we've been asked to
+	 *          CLONE_NEWUSER, we will ask our parent (stage 0) to set up
+	 *          our user mappings for us. Then, we create a new child
+	 *          (stage 2: JUMP_INIT) for PID namespace. We then send the
 	 *          child's PID to our parent (stage 0).
 	 */
 	case JUMP_CHILD: {
@@ -660,7 +660,15 @@ void nsexec(void)
 					bail("failed to sync with parent: SYNC_USERMAP_ACK: got %u", s);
 			}
 
-			/* TODO: What about non-namespace clone flags that we're dropping here? */
+			/*
+			 * TODO: What about non-namespace clone flags that we're dropping here?
+			 *
+			 * We fork again because of PID namespace, setns(2) or unshare(2) don't
+			 * change the PID namespace of the calling process, because doing so
+			 * would change the caller's idea of its own PID (as reported by getpid()),
+			 * which would break many applications and libraries, so we must fork
+			 * to actually enter the new PID namespace.
+			 */
 			child = clone_parent(&env, JUMP_INIT);
 			if (child < 0)
 				bail("unable to fork: init_func");