Commit graph

2888 commits

Author SHA1 Message Date
Sebastiaan van Stijn
2d0e899819
update runc binary to v1.1.7
release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.7
full diff: https://github.com/opencontainers/runc/compare/v1.1.6...v1.1.7

This is the seventh patch release in the 1.1.z release of runc, and is
the last planned release of the 1.1.z series. It contains a fix for
cgroup device rules with systemd when handling device rules for devices
that don't exist (though for devices whose drivers don't correctly
register themselves in the kernel -- such as the NVIDIA devices -- the
full fix only works with systemd v240+).

- When used with systemd v240+, systemd cgroup drivers no longer skip
  DeviceAllow rules if the device does not exist (a regression introduced
  in runc 1.1.3). This fix also reverts the workaround added in runc 1.1.5,
  removing an extra warning emitted by runc run/start.
- The source code now has a new file, runc.keyring, which contains the keys
  used to sign runc releases.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-27 12:17:14 +02:00
Sebastiaan van Stijn
d0efca893b
update runc binary to v1.1.6
release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.6
full diff: https://github.com/opencontainers/runc/compare/v1.1.5...v1.1.6

This is the sixth patch release in the 1.1.z series of runc, which fixes
a series of cgroup-related issues.

Note that this release can no longer be built from sources using Go
1.16. Using a latest maintained Go 1.20.x or Go 1.19.x release is
recommended. Go 1.17 can still be used.

- systemd cgroup v1 and v2 drivers were deliberately ignoring UnitExist error
  from systemd while trying to create a systemd unit, which in some scenarios
  may result in a container not being added to the proper systemd unit and
  cgroup.
- systemd cgroup v2 driver was incorrectly translating cpuset range from spec's
  resources.cpu.cpus to systemd unit property (AllowedCPUs) in case of more
  than 8 CPUs, resulting in the wrong AllowedCPUs setting.
- systemd cgroup v1 driver was prefixing container's cgroup path with the path
  of PID 1 cgroup, resulting in inability to place PID 1 in a non-root cgroup.
- runc run/start may return "permission denied" error when starting a rootless
  container when the file to be executed does not have executable bit set for
  the user, not taking the CAP_DAC_OVERRIDE capability into account. This is
  a regression in runc 1.1.4, as well as in Go 1.20 and 1.20.1
- cgroup v1 drivers are now aware of misc controller.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-13 19:43:05 +02:00
Sebastiaan van Stijn
f66374f6a8
golangci-lint: enable importas linter to force consistent aliases
This enforces the github.com/containerd/containerd/errdefs package to
be aliased as "cerrdefs". Any other alias (or no alias used) results
in a linting failure:

    integration/container/pause_test.go:9:2: import "github.com/containerd/containerd/errdefs" imported as "c8derrdefs" but must be "cerrdefs" according to config (importas)
        c8derrdefs "github.com/containerd/containerd/errdefs"
        ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-08 20:03:27 +02:00
Sebastiaan van Stijn
77be7b777c
update runc binary to v1.1.5
release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.5
diff: https://github.com/opencontainers/runc/compare/v1.1.4...v1.1.5

This is the fifth patch release in the 1.1.z series of runc, which fixes
three CVEs found in runc.

* CVE-2023-25809 is a vulnerability involving rootless containers where
  (under specific configurations), the container would have write access
  to the /sys/fs/cgroup/user.slice/... cgroup hierarchy. No other
  hierarchies on the host were affected. This vulnerability was
  discovered by Akihiro Suda.
  <https://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc>

* CVE-2023-27561 was a regression which effectively re-introduced
  CVE-2019-19921. This bug was present from v1.0.0-rc95 to v1.1.4. This
  regression was discovered by @Beuc.
  <https://github.com/advisories/GHSA-vpvm-3wq2-2wvm>

* CVE-2023-28642 is a variant of CVE-2023-27561 and was fixed by the same
  patch. This variant of the above vulnerability was reported by Lei
  Wang.
  <https://github.com/opencontainers/runc/security/advisories/GHSA-g2j6-57v7-gm8c>

In addition, the following other fixes are included in this release:

* Fix the inability to use `/dev/null` when inside a container.
* Fix changing the ownership of host's `/dev/null` caused by fd redirection
  (a regression in 1.1.1).
* Fix rare runc exec/enter unshare error on older kernels, including
  CentOS < 7.7.
* nsexec: Check for errors in `write_log()`.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-30 14:43:55 +02:00
Sebastiaan van Stijn
a2c29e9128
update containerd binary to v1.7.0
- release notes: https://github.com/containerd/containerd/releases/tag/v1.7.0
- full diff: https://github.com/containerd/containerd/compare/v1.7.0-beta.4...v1.7.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-12 16:09:33 +01:00
Bjorn Neergaard
d4e7a87b96 Upgrade to Go 1.20
Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
Co-authored-by: Cory Snider <csnider@mirantis.com>
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-02-22 16:37:59 -05:00
Sebastiaan van Stijn
e40c4c997e
update containerd binary to v1.7.0-beta.4
release notes: https://github.com/containerd/containerd/releases/tag/v1.7.0-beta.4
full diff: https://github.com/containerd/containerd/compare/v1.7.0-beta.3...v1.7.0-beta.4

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-02-17 01:28:29 +01:00
Sebastiaan van Stijn
31f4ec92f6
update containerd binary to v1.7.0-beta.3
full diff: https://github.com/containerd/containerd/compare/v1.7.0-beta.2...v1.7.0-beta.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-01-30 09:13:07 +01:00
Sebastiaan van Stijn
abdf23c6c0
Merge pull request #44853 from crazy-max/rm-install-suffix
hack: remove -installsuffix build flag
2023-01-20 18:25:50 +01:00
CrazyMax
67aa86f1e0
hack: check if cross-compiling before setting ARM target name
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-01-20 15:13:11 +01:00
CrazyMax
170a1c4709
hack: display build cmd when DOCKER_DEBUG set
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-01-19 21:33:39 +01:00
CrazyMax
877baae03e
hack: remove unnecessary vars in make.sh script
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-01-19 21:33:38 +01:00
CrazyMax
b80f16157e
hack: remove ORIG_BUILDFLAGS var
This var was used for the cross target but it has been removed
in 8086f40123 so not necessary anymore

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-01-19 21:33:38 +01:00
CrazyMax
0c008cc4f8
hack: remove -installsuffix build flag
Has been introduced in 232d59baeb to work around a bug with
"go build" but not required anymore since go 1.5: 4dab6d01f1

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-01-19 21:33:38 +01:00
Kevin Alvarez
945704208a
hack: name for target ARM architecture not specified
Build currently doesn't set the right name for target ARM
architecture through switches in CGO_CFLAGS and CGO_CXXFLAGS
when doing cross-compilation. This was previously fixed in https://github.com/moby/moby/pull/43474

Also removes the toolchain configuration. Following changes for
cross-compilation in https://github.com/moby/moby/pull/44546,
we forgot to remove the toolchain configuration that is
not used anymore as xx already sets correct cc/cxx envs already.

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-01-16 11:40:47 +01:00
CrazyMax
94639eb66f
hack: typo in displayed platform name
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-01-16 11:40:47 +01:00
Sebastiaan van Stijn
57af88a654
Merge pull request #44748 from vvoland/buildflags-nopie-whenrace
hack/make: Don't add -buildmode=pie with -race
2023-01-05 20:24:21 +01:00
Paweł Gronowski
bbe6e9e8d1
hack/make: Don't add -buildmode=pie with -race
Make it possible to add `-race` to the BUILDFLAGS without making the
build fail with error:
"-buildmode=pie not supported when -race is enabled"

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-01-05 15:28:03 +01:00
CrazyMax
7e7b0622a6
hack: restore copy_binaries func
This function is still useful for the dev environment.

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-01-05 13:21:28 +01:00
CrazyMax
27ba1766e7
ci: use GITHUB_REF and GITHUB_SHA to set version and commit
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-01-01 18:03:03 +01:00
CrazyMax
491467b0b9
hack: update buildmode pie condition
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-01-01 18:03:02 +01:00
CrazyMax
347a5f68da
hack: do not set buildmode pie for statically linked binary
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-01-01 18:03:02 +01:00
CrazyMax
e37985f590
hack: use PKG_CONFIG var when checking libdevmapper
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-01-01 18:03:02 +01:00
CrazyMax
84ea9ee0f9
IAmStatic not used anymore
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-01-01 18:03:02 +01:00
CrazyMax
04c90b8cf5
hack: remove containerutility script
this script is not used anymore. containerutility is
built in the Dockerfile.

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-01-01 18:03:02 +01:00
CrazyMax
8086f40123
Dockerfile: use TARGETPLATFORM to build Docker
Better support for cross compilation so we can fully rely
on `--platform` flag of buildx for a seamless integration.

This removes unnecessary extra cross logic in the Dockerfile,
DOCKER_CROSSPLATFORMS and CROSS vars and some hack scripts as well.

Non-sandboxed build invocation is still supported and dev stages
in the Dockerfile have been updated accordingly.

Bake definition and GitHub Actions workflows have been updated
accordingly as well.

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-01-01 18:03:01 +01:00
Sebastiaan van Stijn
d20ddb6807
update containerd binary to v1.7.0-beta.1
release notes: https://github.com/containerd/containerd/releases/tag/v1.7.0-beta.1

full diff: https://github.com/containerd/containerd/compare/v1.7.0-beta.0...v1.7.0-beta.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-15 23:10:18 +01:00
Bjorn Neergaard
25c3421802 hack: introduce validate/no-module
Moby is not a Go module; to prevent anyone from mistakenly trying to
convert it to one before we are ready, introduce a check (usable in CI
and locally) for a go.mod file.

This is preferable to trying to .gitignore the file as we can ensure
that a mistakenly created go.mod is surfaced by Git-based tooling and is
less likely to surprise a contributor.

Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
2022-12-12 18:39:06 -07:00
Bjorn Neergaard
a449f77774 hack: replace go-mod-prepare.sh with wrapper script
To make the local build environment more correct and consistent, we
should never leave an uncommitted go.mod in the tree; however, we need a
go.mod for certain commands to work properly. Use a wrapper script to
create and destroy the go.mod as needed instead of potentially changing
tooling behavior by leaving it.

If a go.mod already exists, this script will warn and call the wrapped
command with GO111MODULE=on.

Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
2022-12-12 18:39:06 -07:00
Sebastiaan van Stijn
7b0d2464ff
Merge pull request #44459 from neersighted/validate_always_tidy
validate/vendor: always tidy
2022-12-12 18:49:42 +01:00
Sebastiaan van Stijn
5d88037e37
Merge pull request #44531 from thaJeztah/containerd_1.7_binary
update containerd binary to v1.7.0-beta.0
2022-12-01 20:49:32 +01:00
Bjorn Neergaard
b94d1604a9
hack/generate-authors.sh: refactor and simplify
Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-11-30 12:05:27 +01:00
Sebastiaan van Stijn
c1756e1b63
update containerd binary to v1.7.0-beta.0
release notes: https://github.com/containerd/containerd/releases/tag/v1.7.0-beta.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-11-26 14:20:28 +01:00
Sebastiaan van Stijn
d6d0e4c942
Merge pull request #44494 from crazy-max/go-autogen
hack: remove obsolete sources for go-autogen
2022-11-23 11:59:32 +01:00
CrazyMax
8a46a2a364
Dockerfile: remove hardcoded platforms for vpnkit stage
Current Dockerfile downloads vpnkit for both linux/amd64
and linux/arm64 platforms even if target platform does not
match. This change will download vpnkit only if target
platform matches, otherwise it will just use a dummy scratch
stage.

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-11-22 17:07:54 +01:00
Bjorn Neergaard
af8e955e8f
hack/go-mod-prepare.sh: find root robustly; make steps transparent
Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
2022-11-18 15:43:44 -07:00
Bjorn Neergaard
9f004830a5
hack/validate/vendor: clean up license validation step
Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
2022-11-18 08:18:10 -07:00
Bjorn Neergaard
dbd76848ca
hack/validate/vendor: split tidy from vendor
Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
2022-11-18 08:18:09 -07:00
Bjorn Neergaard
72568286ab
hack/vendor.sh: allow running tidy & vendor separately
Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
2022-11-18 08:18:07 -07:00
CrazyMax
40069797ef
hack: remove obsolete sources for go-autogen
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-11-18 15:03:39 +01:00
Sebastiaan van Stijn
d806d0760d
Merge pull request #44466 from neersighted/drop_changelog
cleanup: drop historical CHANGELOG.md
2022-11-16 21:24:20 +01:00
Sebastiaan van Stijn
2799bbc562
Merge pull request #44467 from AkihiroSuda/rootlesskit-1.1.0
update RootlessKit to v1.1.0
2022-11-16 14:10:14 +01:00
Akihiro Suda
7ca03c1a79
rootlesskit.installer: s/vendor.conf/vendor.mod/
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2022-11-16 07:46:57 +09:00
Akihiro Suda
d9fb730148
update RootlessKit to v1.1.0
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2022-11-15 20:43:58 +09:00
Bjorn Neergaard
be18f92bf4
hack/validate: drop changelog-related steps
Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
2022-11-15 01:59:01 -07:00
Jintao Zhang
a5979a2106 update containerd binary to v1.6.10
Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
2022-11-15 15:00:45 +08:00
Cory Snider
1f32e3c95d Add integration test for #38995, #43390
Modify the DinD entrypoint scripts to make the issue reproducible inside
a DinD container.

Co-authored-by: Bjorn Neergaard <bneergaard@mirantis.com>
Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-10-26 12:04:37 -04:00
Sebastiaan van Stijn
ac79a02ace
update containerd binary to v1.6.9
release notes: https://github.com/containerd/containerd/releases/tag/v1.6.9

full diff: containerd/containerd@v1.6.8...v1.6.9

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-24 13:52:01 -04:00
Sebastiaan van Stijn
7ff0f654fb
daemon: add TEST_INTEGRATION_USE_SNAPSHOTTER for CI
This allows us to run CI with the containerd snapshotter enabled, without
patching the daemon.json, or changing how tests set up daemon flags.

A warning log is added during startup, to inform if this variable is set,
as it should only be used for our integration tests.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-17 15:13:53 +02:00
Cory Snider
40429857c3
Merge pull request #44296 from corhere/narrow-pkg-imports-validator
hack: allow pkg/ to import internal/ packages
2022-10-14 12:30:57 -04:00