full diff: https://github.com/containerd/containerd/compare/v1.3.7...v1.3.8
Release notes:
containerd 1.3.8
----------------------
Welcome to the v1.3.8 release of containerd!
The eighth patch release for containerd 1.3 includes several bug fixes and updates.
Notable Updates
- Fix metrics monitoring of v2 runtime tasks
- Fix nil pointer error when restoring checkpoint
- Fix devmapper device deletion on rollback
- Fix integer overflow on Windows
- Update seccomp default profile
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 153d0769a1...026aabaa65
- Fix 'failed to get network during CreateEndpoint'
- log error instead if disabling IPv6 router advertisement failed
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Building gotestsum started to fail after the repository removed some
dependencies on master.
What happens is that first, we `go get` the package (with go modules disabled);
GO111MODULE=off go get -d gotest.tools/gotestsum
Which gets the latest version from master, and fetches the dependencies used
on master. Then we checkout the version we want to install (for example `v0.3.5`)
and run go build.
However, `v0.3.5` depends on logrus, and given that we ran `go get` for `master`,
that dependency was not fetched, and build fails.
This patch modifies the installer to use go modules (alternatively we could
probably run `go get .` after checking out the `v0.3.5` version),
We need to modify all installers, as it looks like this is a standard pattern
we use, but other dependencies were not failing (yet), so this patch only
addresses the immediate failure.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 1d9da1b233)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The TEST_FILTER variable allows running a single integration or integration-cli
test. However, it failed to work properly for integration-cli tests.
Before:
-----------
# Filtering "integration" tests works:
make TEST_FILTER=TestInspectCpusetInConfigPre120 test-integration
...
DONE 1 tests in 18.331s
# But running a single test in "integration-cli" did not:
make TEST_FILTER=TestSwarmNetworkCreateIssue27866 test-integration
...
DONE 0 tests in 17.314s
Trying to manually add the `/` prefix, didn't work either, because that made the
"grep" fail to find which test-suites to run/skip:
make TEST_FILTER=/TestSwarmNetworkCreateIssue27866 test-integration
---> Making bundle: test-integration (in bundles/test-integration)
make: *** [test-integration] Error 1
After:
-----------
make TEST_FILTER=TestInspectCpusetInConfigPre120 test-integration
...
DONE 1 tests in 18.331s
make TEST_FILTER=TestSwarmNetworkCreateIssue27866 test-integration
...
DONE 12 tests in 26.527s
Note that the `12` tests is still a bit misleading, because every _suite_ is
started (which is counted as a test), but no tests are run. This is still
something that could be improved on.
This patch also makes a small modification to the code that's setting
`integration_api_dirs`, and no longer runs `go list` if not needed.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit e7805653b8)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This makes sure that we don't become vulnerable to CVE-2018-17419 or
CVE-2019-19794 in the future. While we are not currently vulnerable to
either, there is a risk that a PR could be made which uses one of the
vulnerable methods in the future, so it's worth going ahead and updating
to ensure that a simple PR that would easily pass code review doesn't
lead to a vulnerability.
Signed-off-by: Sam Whited <sam@samwhited.com>
full diff: e004a1415a...aa1ba87e99
changes:
- Use standard include paths instead of hard-coding
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 5125f8b304)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
```
---> Making bundle: .integration-daemon-stop (in bundles/test-integration)
++++ cat bundles/test-integration/docker.pid
+++ kill 13137
+++ /etc/init.d/apparmor stop
Leaving: AppArmorNo profiles have been unloaded.
Unloading profiles will leave already running processes permanently
unconfined, which can lead to unexpected situations.
To set a process to complain mode, use the command line tool
'aa-complain'. To really tear down all profiles, run 'aa-teardown'."
script returned exit code 255
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 5dbfae6949)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https:/github.com/LK4D4/vndr/compare/v0.1.0...v0.1.1
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 486161a63a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
With this change, go packages/modules that use versioned
import paths (github.com/foo/bar/v2), but don't use a directory
in the repository, can now be supported.
For example:
```
github.com/coreos/go-systemd/v22 v22.0.0
```
will vendor the github.com/coreos/go-systemd repository
into `vendor/github.com/coreos/go-systemd/v22`.
full diff: f5ab8fc5fb...v0.1.0
- LK4D4/vndr#83 migrate bitbucket to api 2.0
- fixesLK4D4/vndr#82https://api.bitbucket.org/1.0/repositories/ww/goautoneg: 410 Gone
- LK4D4/vndr#86 Replace sort.Sort with sort.Strings
- LK4D4/vndr#87 support `github.com/coreos/go-systemd/v22`
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit d4f05c168d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This version avoids doing name lookups on creating tarball that
should be avoided in to not hit loading glibc shared libraries.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
The thirteenth patch release for `containerd` 1.2 fixes a regression introduced
in v1.2.12 that caused container/shim to hang on single core machines, fixes an
issue with blkio, and updates the Golang runtime to 1.12.17.
* Fix container pid race condition
* Update containerd/cgroups dependency to address blkio issue
* Set octet-stream content-type on PUT request
* Pin to libseccomp 2.3.3 to preserve compatibility with hosts that do not have libseccomp 2.4 or higher installed
* Update Golang runtime to 1.12.17, which includes a fix to the runtime
full diff: https://github.com/containerd/containerd/compare/v1.2.12...v1.2.13
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/containerd/containerd/compare/v1.2.11...v1.2.12
Welcome to the v1.2.12 release of containerd!
The twelfth patch release for containerd 1.2 includes an updated runc with
a fix for CVE-2019-19921, an updated version of the opencontainers/selinux
dependency, which includes a fix for CVE-2019-16884, an updated version of the
gopkg.in/yaml.v2 dependency to address CVE-2019-11253, and a Golang update.
Notable Updates
- Update the runc vendor to v1.0.0-rc10 which includes a mitigation for CVE-2019-19921.
- Update the opencontainers/selinux which includes a mitigation for CVE-2019-16884.
- Update Golang runtime to 1.12.16, mitigating the CVE-2020-0601 certificate verification
bypass on Windows, and CVE-2020-7919, which only affects 32-bit architectures.
- Update Golang runtime to 1.12.15, which includes a fix to the runtime (Go 1.12.14,
Go 1.12.15) and and the net/http package (Go 1.12.15)
- A fix to prevent SIGSEGV when starting containerd-shim containerd/containerd#3960
- Fixes to exec containerd/containerd#3755
- Prevent docker exec hanging if an earlier docker exec left a zombie process
- Prevent High system load/CPU utilization with liveness and readiness probes
- Prevent Docker healthcheck causing high CPU utilization
CRI fixes:
- Update the gopkg.in/yaml.v2 vendor to v2.2.8 with a mitigation for CVE-2019-11253
API
- Fix API filters to properly handle and return parse errors containerd/containerd#3950
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Unlike Linux which uses a temp dir as GOPATH, Windows
uses c:\go. Among other things, this blocks go get.
Moving GOPATH to c:\gopath and updating references in
comments and documentation.
Currently the change is being scoped narrowly. In the
future GOPATH value could be passed as a parameter to
the ps1 scripts.
Signed-off-by: Vikram bir Singh <vikrambir.singh@docker.com>
(cherry picked from commit ecf91f0d7f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
btrfs_noversion was added in d7c37b5a28
for distributions that did not have the `btrfs/version.h` header file.
Seeing how all of the distributions we currently support do have the
`btrfs/version.h` file we should probably just remove this build flag
altogether.
Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
(cherry picked from commit e665263b10)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The ImageCollectionTest.test_pull_multiple test performs a `docker pull` without
a `:tag` specified) to pull all tags of the given repository (image).
After pulling the image, the image(s) pulled are checked to verify if the list
of images contains the `:latest` tag.
However, the test assumes that all tags of the image are tags for the same
version of the image (same digest), and thus a *single* image is returned, which
is not always the case.
Currently, the `hello-world:latest` and `hello-world:linux` tags point to a
different digest, therefore the `client.images.pull()` returns multiple images:
one image for digest, making the test fail:
=================================== FAILURES ===================================
____________________ ImageCollectionTest.test_pull_multiple ____________________
tests/integration/models_images_test.py:90: in test_pull_multiple
assert len(images) == 1
E AssertionError: assert 2 == 1
E + where 2 = len([<Image: 'hello-world:linux'>, <Image: 'hello-world:latest'>])
This patch temporarily skips the broken test until it is fixed upstream.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit f2b25e498f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/containerd/containerd/compare/v1.2.10...v1.2.11
The eleventh patch release for containerd 1.2 includes an updated runc with
an additional fix for CVE-2019-16884 and a Golang update.
Notable Updates
-----------------------
- Update the runc vendor to v1.0.0-rc9 which includes an additional mitigation
for CVE-2019-16884.
More details on the runc CVE in opencontainers/runc#2128, and the additional
mitigations in opencontainers/runc#2130.
- Add local-fs.target to service file to fix corrupt image after unexpected host
reboot. Reported in containerd/containerd#3671, and fixed by containerd/containerd#3746.
- Update Golang runtime to 1.12.13, which includes security fixes to the crypto/dsa
package made in Go 1.12.11 (CVE-2019-17596), and fixes to the go command, runtime,
syscall and net packages (Go 1.12.12).
CRI fixes:
-----------------------
- Fix shim delete error code to avoid unnecessary retries in the CRI plugin. Discovered
in containerd/cri#1309, and fixed by containerd/containerd#3732 and containerd/containerd#3739.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 3e425f80a8...v1.0.0-rc9
- opencontainers/runc#1951 Add SCMP_ACT_LOG as a valid Seccomp action
- opencontainers/runc#2130 *: verify operations on /proc/... are on procfs
This is an additional mitigation for CVE-2019-16884. The primary problem
is that Docker can be coerced into bind-mounting a file system on top of
/proc (resulting in label-related writes to /proc no longer happening).
While we are working on mitigations against permitting the mounts, this
helps avoid our code from being tricked into writing to non-procfs
files. This is not a perfect solution (after all, there might be a
bind-mount of a different procfs file over the target) but in order to
exploit that you would need to be able to tweak a config.json pretty
specifically (which thankfully Docker doesn't allow).
Specifically this stops AppArmor from not labeling a process silently
due to /proc/self/attr/... being incorrectly set, and stops any
accidental fd leaks because /proc/self/fd/... is not real.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
also updates libnetwork to d9a6682a4dbb13b1f0d8216c425fe9ae010a0f23
full diff:
3eb39382bf...d9a6682a4d
- docker/libnetwork#2482 [19.03 backport] Shorten controller ID in exec-root to not hit UNIX_PATH_MAX
- docker/libnetwork#2483 [19.03 backport] Fix panic in drivers/overlay/encryption.go
Signed-off-by: Grant Millar <rid@cylo.io>
(cherry picked from commit df7b8f458a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
When trying to build with some pretty typical version strings this was
causing failures trying to generate the windows resource file.
The resource file is already gated by an `ifdef` for this var, so
instead of blindly setting based on "VERSION", which can contain some
characters which are incompatible (e.g. 1.2.3.rc.0 will fail due to the
".rc").
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit ce931f28ea)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
