This makes sure that we don't become vulnerable to CVE-2018-17419 or
CVE-2019-19794 in the future. While we are not currently vulnerable to
either, there is a risk that a PR could be made which uses one of the
vulnerable methods in the future, so it's worth going ahead and updating
to ensure that a simple PR that would easily pass code review doesn't
lead to a vulnerability.
Signed-off-by: Sam Whited <sam@samwhited.com>
full diff: e004a1415a...aa1ba87e99
changes:
- Use standard include paths instead of hard-coding
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 5125f8b304)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
CI runs on Ubuntu 16.04 machines, which use iptables (legacy), but
Debian buster uses nftables. Because of this, DNS resolution does not
work if the daemon configures iptables.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit bb0472bd23)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The btrfs-tools was a transitional package, and no longer exists:
> Package btrfs-tools
> stretch (oldstable) (admin): transitional dummy package
> 4.7.3-1: amd64 arm64 armel armhf i386 mips mips64el mipsel ppc64el s390x
It must be replaced either by `btrfs-progs` or `libbtrfs-dev` (which has just the development headers)
> Package: libbtrfs-dev (4.20.1-2)
> Checksumming Copy on Write Filesystem utilities (development headers)
Note that the `libbtrfs-dev` package is not available on Debian stretch
(only in stretch-backports)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 4e3ab9e9fb)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
```
---> Making bundle: .integration-daemon-stop (in bundles/test-integration)
++++ cat bundles/test-integration/docker.pid
+++ kill 13137
+++ /etc/init.d/apparmor stop
Leaving: AppArmorNo profiles have been unloaded.
Unloading profiles will leave already running processes permanently
unconfined, which can lead to unexpected situations.
To set a process to complain mode, use the command line tool
'aa-complain'. To really tear down all profiles, run 'aa-teardown'."
script returned exit code 255
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 5dbfae6949)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Ordering the COPY lines to optimize for layer sharing
when these dependencies are updated.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 8edbe5dec2)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Indenting with tabs can cause the formatting to go wonky,
because the first line of any command is "indented" with spaces,
but following lines are not, therefore they can be mis-aligned with
the first line.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit a42b4144bc)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https:/github.com/LK4D4/vndr/compare/v0.1.0...v0.1.1
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 486161a63a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
With this change, go packages/modules that use versioned
import paths (github.com/foo/bar/v2), but don't use a directory
in the repository, can now be supported.
For example:
```
github.com/coreos/go-systemd/v22 v22.0.0
```
will vendor the github.com/coreos/go-systemd repository
into `vendor/github.com/coreos/go-systemd/v22`.
full diff: f5ab8fc5fb...v0.1.0
- LK4D4/vndr#83 migrate bitbucket to api 2.0
- fixesLK4D4/vndr#82https://api.bitbucket.org/1.0/repositories/ww/goautoneg: 410 Gone
- LK4D4/vndr#86 Replace sort.Sort with sort.Strings
- LK4D4/vndr#87 support `github.com/coreos/go-systemd/v22`
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit d4f05c168d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This version avoids doing name lookups on creating tarball that
should be avoided in to not hit loading glibc shared libraries.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
from XDG_CONFIG_HOME
when in rootless mode
Signed-off-by: Dmitry Sharshakov <d3dx12.xx@gmail.com>
(cherry picked from commit f4fa98f583)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
full diff: https://github.com/grpc/grpc-go/compare/v1.23.0...v1.23.1
- grpc/grpc-go#3018 server: set and advertise max frame size of 16KB
- grpc/grpc-go#3017 grpclb: fix deadlock in grpclb connection cache
- Before the fix, if the timer to remove a SubConn fires at the
same time NewSubConn cancels the timer, it caused a mutex leak
and deadlock.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 39ad39d220)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Specify base64url rather than base64. Also correct other links to the base64url section of RFC4648
Signed-off-by: Mike Bush <mpbush@gmail.com>
(cherry picked from commit f282dde877)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
WithBlock makes sure that the following containerd request is reliable.
In one edge case with high load pressure, kernel kills dockerd, containerd
and containerd-shims caused by OOM. When both dockerd and containerd
restart, but containerd will take time to recover all the existing
containers. Before containerd serving, dockerd will failed with gRPC
error. That bad thing is that restore action will still ignore the
any non-NotFound errors and returns running state for
already stopped container. It is unexpected behavior. And
we need to restart dockerd to make sure that anything is OK.
It is painful. Add WithBlock can prevent the edge case. And
n common case, the containerd will be serving in shortly.
It is not harm to add WithBlock for containerd connection.
Signed-off-by: Wei Fu <fuweid89@gmail.com>
(cherry picked from commit 9f73396dab)
Signed-off-by: Wei Fu <fuweid89@gmail.com>
The latest `ltsc2019` image (`10.0.17763.1039`) appear to be broken,
and even a `RUN Write-Host hello` hangs.
Temporarily switching back to an older version so that CI doesn't fail.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit fa2417984b)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Before the collection goroutine wakes up every 1 second (as configured).
This sleep interval is in case there are no stats to collect we don't
end up in a tight loop.
Instead use a condition variable to signal that a collection is needed.
This prevents us from waking the goroutine needlessly when there is no
one looking for stats.
For now I've kept the sleep just moved it to the end of the loop, which
gives some space between collections.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit e75e6b0e31)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
full diff: 5215b1806f...v1.3.1
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 12c7541f1f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The thirteenth patch release for `containerd` 1.2 fixes a regression introduced
in v1.2.12 that caused container/shim to hang on single core machines, fixes an
issue with blkio, and updates the Golang runtime to 1.12.17.
* Fix container pid race condition
* Update containerd/cgroups dependency to address blkio issue
* Set octet-stream content-type on PUT request
* Pin to libseccomp 2.3.3 to preserve compatibility with hosts that do not have libseccomp 2.4 or higher installed
* Update Golang runtime to 1.12.17, which includes a fix to the runtime
full diff: https://github.com/containerd/containerd/compare/v1.2.12...v1.2.13
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
