From f5209d23a8a9df3db6287a1e2c60638be1bf920c Mon Sep 17 00:00:00 2001 
From: Sebastiaan van Stijn Date: Mon, 15 Apr 2024 15:53:55 +0200 Subject: [PATCH 1/2] daemon: add nolint-comments for deprecated kernel-memory options, hooks This adds some nolint-comments for the deprecated kernel-memory options; we deprecated these, but they could technically still be accepted by alternative runtimes. daemon/daemon_unix.go:108:3: SA1019: memory.Kernel is deprecated: kernel-memory limits are not supported in cgroups v2, and were obsoleted in [kernel v5.4]. This field should no longer be used, as it may be ignored by runtimes. (staticcheck) memory.Kernel = &config.KernelMemory ^ daemon/update_linux.go:63:3: SA1019: memory.Kernel is deprecated: kernel-memory limits are not supported in cgroups v2, and were obsoleted in [kernel v5.4]. This field should no longer be used, as it may be ignored by runtimes. (staticcheck) memory.Kernel = &resources.KernelMemory ^ Prestart hooks are deprecated, and more granular hooks should be used instead. CreateRuntime are the closest equivalent, and executed in the same locations as Prestart-hooks, but depending on what these hooks do, possibly one of the other hooks could be used instead (such as CreateContainer or StartContainer). As these hooks are still supported, this patch adds nolint comments, but adds some TODOs to consider migrating to something else; daemon/nvidia_linux.go:86:2: SA1019: s.Hooks.Prestart is deprecated: use [Hooks.CreateRuntime], [Hooks.CreateContainer], and [Hooks.StartContainer] instead, which allow more granular hook control during the create and start phase. (staticcheck) s.Hooks.Prestart = append(s.Hooks.Prestart, specs.Hook{ ^ daemon/oci_linux.go:76:5: SA1019: s.Hooks.Prestart is deprecated: use [Hooks.CreateRuntime], [Hooks.CreateContainer], and [Hooks.StartContainer] instead, which allow more granular hook control during the create and start phase. (staticcheck) s.Hooks.Prestart = append(s.Hooks.Prestart, specs.Hook{ ^ 
Signed-off-by: Sebastiaan van Stijn --- daemon/daemon_unix.go | 4 ++-- daemon/nvidia_linux.go | 8 +++++++- daemon/oci_linux.go | 2 +- daemon/update_linux.go | 4 ++-- 4 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/daemon/daemon_unix.go b/daemon/daemon_unix.go
index 120f514ef7..cda787b570 100644
--- a/daemon/daemon_unix.go
+++ b/daemon/daemon_unix.go
@@ -104,8 +104,8 @@ func getMemoryResources(config containertypes.Resources) *specs.LinuxMemory {
 memory.DisableOOMKiller = config.OomKillDisable
 }
- if config.KernelMemory != 0 {
- memory.Kernel = &config.KernelMemory
+ if config.KernelMemory != 0 { //nolint:staticcheck // ignore SA1019: memory.Kernel is deprecated: kernel-memory limits are not supported in cgroups v2, and were obsoleted in [kernel v5.4]. This field should no longer be used, as it may be ignored by runtimes.
+ memory.Kernel = &config.KernelMemory //nolint:staticcheck // ignore SA1019: memory.Kernel is deprecated: kernel-memory limits are not supported in cgroups v2, and were obsoleted in [kernel v5.4]. This field should no longer be used, as it may be ignored by runtimes.
 }
 if config.KernelMemoryTCP != 0 {
diff --git a/daemon/nvidia_linux.go b/daemon/nvidia_linux.go
index 9f1c914146..7243b522bc 100644
--- a/daemon/nvidia_linux.go
+++ b/daemon/nvidia_linux.go
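Review bot: The `//nolint:staticcheck` added to the `if config.KernelMemory != 0 {` line does not correspond to any finding quoted in the commit message — staticcheck reported only the assignment at daemon_unix.go:108:3 (and update_linux.go:63:3), since the deprecated field is `memory.Kernel` rather than the condition's operand — so unless `config.KernelMemory` is itself marked deprecated (not visible in this hunk) the directive on the `if` line is unused and a `nolintlint` pass would report it; keep only the one on the assignment. Repeating the full SA1019 text on each line also buries the reason the suppression is acceptable; a short justification such as `//nolint:staticcheck // SA1019: memory.Kernel is deprecated, but alternative runtimes may still honor it` says what a reader needs. The update_linux.go hunk carries the same two directives and the same change applies there. getMemoryResources's body continues outside the hunk.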
@@ -83,7 +83,13 @@ func setNvidiaGPUs(s *specs.Spec, dev *deviceInstance) error {
 if s.Hooks == nil {
 s.Hooks = &specs.Hooks{}
 }
- s.Hooks.Prestart = append(s.Hooks.Prestart, specs.Hook{
+
+ // This implementation uses prestart hooks, which are deprecated.
+ // CreateRuntime is the closest equivalent, and executed in the same
+ // locations as prestart-hooks, but depending on what these hooks do,
+ // possibly one of the other hooks could be used instead (such as
+ // CreateContainer or StartContainer).
+ s.Hooks.Prestart = append(s.Hooks.Prestart, specs.Hook{ //nolint:staticcheck // FIXME(thaJeztah); replace prestart hook with a non-deprecated one.
 Path: path,
 Args: []string{
 nvidiaHook,
diff --git a/daemon/oci_linux.go b/daemon/oci_linux.go
index 37ad941847..75aecfa45f 100644
--- a/daemon/oci_linux.go
+++ b/daemon/oci_linux.go
@@ -73,7 +73,7 @@ func withLibnetwork(daemon *Daemon, daemonCfg *dconfig.Config, c *container.Cont
 s.Hooks = &specs.Hooks{}
 }
 shortNetCtlrID := stringid.TruncateID(daemon.netController.ID())
- s.Hooks.Prestart = append(s.Hooks.Prestart, specs.Hook{
+ s.Hooks.Prestart = append(s.Hooks.Prestart, specs.Hook{ //nolint:staticcheck // FIXME(thaJeztah); replace prestart hook with a non-deprecated one.
 Path: filepath.Join("/proc", strconv.Itoa(os.Getpid()), "exe"),
 Args: []string{"libnetwork-setkey", "-exec-root=" + daemonCfg.GetExecRoot(), c.ID, shortNetCtlrID},
 })
diff --git a/daemon/update_linux.go b/daemon/update_linux.go
index 3105402e3c..8f3bde9eed 100644
--- a/daemon/update_linux.go
+++ b/daemon/update_linux.go
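Review bot: The new comment block above `s.Hooks.Prestart` offers `CreateContainer` and `StartContainer` as possible replacements without saying that, per the runtime-spec, those hooks execute in the container's namespaces while `Prestart` and `CreateRuntime` execute in the runtime namespace; for a hook that runs a host-side helper binary that is the property that decides which hook is a safe substitute, so the FIXME should record it, e.g. `// CreateRuntime is the drop-in replacement; CreateContainer/StartContainer execute in the container namespaces, which changes what the hook can see and do.` The directive text `FIXME(thaJeztah);` uses a semicolon where the `TODO(owner):` convention uses a colon. The oci_linux.go hunk adds the same nolint/FIXME without this explanatory block; there the hook path is the daemon's `/proc/<pid>/exe`, which (if I read the spec correctly) is resolved in the runtime namespace for prestart and createRuntime hooks but in the container namespace for startContainer, so the set of viable migration targets there is narrower and the note should say so. setNvidiaGPUs starts and ends outside the hunk, as does withLibnetwork.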
@@ -59,8 +59,8 @@ func toContainerdResources(resources container.Resources) *libcontainerdtypes.Re
 if resources.MemoryReservation != 0 {
 memory.Reservation = &resources.MemoryReservation
 }
- if resources.KernelMemory != 0 {
- memory.Kernel = &resources.KernelMemory
+ if resources.KernelMemory != 0 { //nolint:staticcheck // ignore SA1019: memory.Kernel is deprecated: kernel-memory limits are not supported in cgroups v2, and were obsoleted in [kernel v5.4]. This field should no longer be used, as it may be ignored by runtimes.
+ memory.Kernel = &resources.KernelMemory //nolint:staticcheck // ignore SA1019: memory.Kernel is deprecated: kernel-memory limits are not supported in cgroups v2, and were obsoleted in [kernel v5.4]. This field should no longer be used, as it may be ignored by runtimes.
 }
 if resources.MemorySwap > 0 {
 memory.Swap = &resources.MemorySwap
From 0d6a1a212b00b67543e83e9cc4a45f098f4abb61 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn Date: Wed, 3 Apr 2024 14:20:19 +0200 Subject: [PATCH 2/2] vendor: github.com/opencontainers/runtime-spec v1.2.0 - deprecate Prestart hook - deprecate kernel memory limits Additions - config: add idmap and ridmap mount options - config.md: allow empty mappings for [r]idmap - features-linux: Expose idmap information - mount: Allow relative mount destinations on Linux - features: add potentiallyUnsafeConfigAnnotations - config: add support for org.opencontainers.image annotations Minor fixes: - config: improve bind mount and propagation doc full diff: https://github.com/opencontainers/runtime-spec/compare/v1.1.0...v1.2.0
Signed-off-by: Sebastiaan van Stijn --- vendor.mod | 2 +- vendor.sum | 4 +-- .../runtime-spec/specs-go/config.go | 10 +++++++ .../specs-go/features/features.go | 30 +++++++++++++++---- .../runtime-spec/specs-go/version.go | 2 +- vendor/modules.txt | 2 +- 6 files changed, 40 insertions(+), 10 deletions(-)
diff --git a/vendor.mod b/vendor.mod
index 9dc7ca2b20..bb5a38dd5b 100644
--- a/vendor.mod
+++ b/vendor.mod
@@ -78,7 +78,7 @@ require (
 github.com/opencontainers/go-digest v1.0.0
 github.com/opencontainers/image-spec v1.1.0-rc5
 github.com/opencontainers/runc v1.1.12
- github.com/opencontainers/runtime-spec v1.1.0
+ github.com/opencontainers/runtime-spec v1.2.0
 github.com/opencontainers/selinux v1.11.0
 github.com/pelletier/go-toml v1.9.5
 github.com/pkg/errors v0.9.1
diff --git a/vendor.sum b/vendor.sum
index bc2c3e700a..e72f4ee362 100644
--- a/vendor.sum
+++ b/vendor.sum
@@ -542,8 +542,8 @@ github.com/opencontainers/image-spec v1.1.0-rc5/go.mod h1:X4pATf0uXsnn3g5aiGIsVn
 github.com/opencontainers/runc v1.1.12 h1:BOIssBaW1La0/qbNZHXOOa71dZfZEQOzW7dqQf3phss=
 github.com/opencontainers/runc v1.1.12/go.mod h1:S+lQwSfncpBha7XTy/5lBwWgm5+y5Ma/O44Ekby9FK8=
 github.com/opencontainers/runtime-spec v1.0.3-0.20220825212826-86290f6a00fb/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
-github.com/opencontainers/runtime-spec v1.1.0 h1:HHUyrt9mwHUjtasSbXSMvs4cyFxh+Bll4AjJ9odEGpg=
-github.com/opencontainers/runtime-spec v1.1.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opencontainers/runtime-spec v1.2.0 h1:z97+pHb3uELt/yiAWD691HNHQIF07bE7dzrbT927iTk=
+github.com/opencontainers/runtime-spec v1.2.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-tools v0.9.1-0.20221107090550-2e043c6bd626 h1:DmNGcqH3WDbV5k8OJ+esPWbqUOX5rMLR2PMvziDMJi0=
 github.com/opencontainers/runtime-tools v0.9.1-0.20221107090550-2e043c6bd626/go.mod h1:BRHJJd0E+cx42OybVYSgUvZmU0B8P9gZuRXlZUP7TKI=
 github.com/opencontainers/selinux v1.9.1/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI=
diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
index 4e7717d53f..d1236ba721 100644
--- a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
+++ b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
@@ -187,6 +187,10 @@ type Hook struct {
 type Hooks struct {
 // Prestart is Deprecated. Prestart is a list of hooks to be run before the container process is executed.
 // It is called in the Runtime Namespace
+ //
+ // Deprecated: use [Hooks.CreateRuntime], [Hooks.CreateContainer], and
+ // [Hooks.StartContainer] instead, which allow more granular hook control
+ // during the create and start phase.
 Prestart []Hook `json:"prestart,omitempty"`
 // CreateRuntime is a list of hooks to be run after the container has been created but before pivot_root or any equivalent operation has been called
 // It is called in the Runtime Namespace
@@ -371,6 +375,12 @@ type LinuxMemory struct {
 // Total memory limit (memory + swap).
 Swap *int64 `json:"swap,omitempty"`
 // Kernel memory limit (in bytes).
+ //
+ // Deprecated: kernel-memory limits are not supported in cgroups v2, and
+ // were obsoleted in [kernel v5.4]. This field should no longer be used,
+ // as it may be ignored by runtimes.
+ //
+ // [kernel v5.4]: https://github.com/torvalds/linux/commit/0158115f702b0ba208ab0
 Kernel *int64 `json:"kernel,omitempty"`
 // Kernel memory limit for tcp (in bytes)
 KernelTCP *int64 `json:"kernelTCP,omitempty"`
diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/features/features.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/features/features.go
index 230e88f568..949f532b65 100644
--- a/vendor/github.com/opencontainers/runtime-spec/specs-go/features/features.go
+++ b/vendor/github.com/opencontainers/runtime-spec/specs-go/features/features.go
@@ -24,6 +24,12 @@ type Features struct {
 // Annotations contains implementation-specific annotation strings,
 // such as the implementation version, and third-party extensions.
 Annotations map[string]string `json:"annotations,omitempty"`
+
+ // PotentiallyUnsafeConfigAnnotations the list of the potential unsafe annotations
+ // that may appear in `config.json`.
+ //
+ // A value that ends with "." is interpreted as a prefix of annotations.
+ PotentiallyUnsafeConfigAnnotations []string `json:"potentiallyUnsafeConfigAnnotations,omitempty"`
 }
 // Linux is specific to Linux.
@@ -36,11 +42,12 @@ type Linux struct {
 // Nil value means "unknown", not "no support for any capability".
 Capabilities []string `json:"capabilities,omitempty"`
- Cgroup *Cgroup `json:"cgroup,omitempty"`
- Seccomp *Seccomp `json:"seccomp,omitempty"`
- Apparmor *Apparmor `json:"apparmor,omitempty"`
- Selinux *Selinux `json:"selinux,omitempty"`
- IntelRdt *IntelRdt `json:"intelRdt,omitempty"`
+ Cgroup *Cgroup `json:"cgroup,omitempty"`
+ Seccomp *Seccomp `json:"seccomp,omitempty"`
+ Apparmor *Apparmor `json:"apparmor,omitempty"`
+ Selinux *Selinux `json:"selinux,omitempty"`
+ IntelRdt *IntelRdt `json:"intelRdt,omitempty"`
+ MountExtensions *MountExtensions `json:"mountExtensions,omitempty"`
 }
 // Cgroup represents the "cgroup" field.
@@ -123,3 +130,16 @@ type IntelRdt struct {
 // Nil value means "unknown", not "false".
 Enabled *bool `json:"enabled,omitempty"`
 }
+
+// MountExtensions represents the "mountExtensions" field.
+type MountExtensions struct {
+ // IDMap represents the status of idmap mounts support.
+ IDMap *IDMap `json:"idmap,omitempty"`
+}
+
+type IDMap struct {
+ // Enabled represents whether idmap mounts supports is compiled in.
+ // Unrelated to whether the host supports it or not.
+ // Nil value means "unknown", not "false".
+ Enabled *bool `json:"enabled,omitempty"`
+}
diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/version.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/version.go
index b3fca349cb..503971e058 100644
--- a/vendor/github.com/opencontainers/runtime-spec/specs-go/version.go
+++ b/vendor/github.com/opencontainers/runtime-spec/specs-go/version.go
@@ -6,7 +6,7 @@ const (
 // VersionMajor is for an API incompatible changes
 VersionMajor = 1
 // VersionMinor is for functionality in a backwards-compatible manner
- VersionMinor = 1
+ VersionMinor = 2
 // VersionPatch is for backwards-compatible bug fixes
 VersionPatch = 0
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 0bd2ae3ce1..93c9e6baa1 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -993,7 +993,7 @@ github.com/opencontainers/runc/libcontainer/devices
 github.com/opencontainers/runc/libcontainer/user
 github.com/opencontainers/runc/libcontainer/userns
 github.com/opencontainers/runc/libcontainer/utils
-# github.com/opencontainers/runtime-spec v1.1.0
+# github.com/opencontainers/runtime-spec v1.2.0
 ## explicit
 github.com/opencontainers/runtime-spec/specs-go
 github.com/opencontainers/runtime-spec/specs-go/features