From 1c946aa2af203dff99ac563e714acd9846456a8d Mon Sep 17 00:00:00 2001 From: Chris Kim Date: Thu, 18 Nov 2021 16:19:19 -0800 Subject: [PATCH 1/3] Bump containerd to v1.4.12-k3s1 Signed-off-by: Chris Kim --- go.mod | 2 +- go.sum | 4 +- .../containerd/containerd/.travis.yml | 2 +- .../containerd/containerd/Vagrantfile | 2 +- .../containerd/containerd/images/image.go | 55 +++++++++++++++++++ .../containerd/remotes/docker/fetcher.go | 4 ++ .../remotes/docker/schema1/converter.go | 9 ++- .../containerd/containerd/version/version.go | 2 +- vendor/modules.txt | 4 +- 9 files changed, 74 insertions(+), 10 deletions(-) diff --git a/go.mod b/go.mod index c82e5f14e15b..79db5afff3c3 100644 --- a/go.mod +++ b/go.mod @@ -9,7 +9,7 @@ replace ( github.com/containerd/btrfs => github.com/containerd/btrfs v1.0.0 github.com/containerd/cgroups => github.com/containerd/cgroups v1.0.1 github.com/containerd/console => github.com/containerd/console v1.0.2 - github.com/containerd/containerd => github.com/k3s-io/containerd v1.4.11-k3s1 // k3s-release/1.4 + github.com/containerd/containerd => github.com/k3s-io/containerd v1.4.12-k3s1 // k3s-release/1.4 github.com/containerd/continuity => github.com/k3s-io/continuity v0.0.0-20210309170710-f93269e0d5c1 github.com/containerd/cri => github.com/k3s-io/cri v1.4.0-k3s.7 // k3s-release/1.4 github.com/containerd/fifo => github.com/containerd/fifo v1.0.0 diff --git a/go.sum b/go.sum index 7129b634621c..fa4c3931a5f6 100644 --- a/go.sum +++ b/go.sum @@ -538,8 +538,8 @@ github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfV github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM= github.com/jung-kurt/gofpdf v1.0.3-0.20190309125859-24315acbbda5/go.mod h1:7Id9E/uU8ce6rXgefFLlgrJj/GYY22cpxn+r32jIOes= -github.com/k3s-io/containerd v1.4.11-k3s1 h1:nSUL3uWxoe1tZy3+bWii9wEBXCvt/+6X8zijx2wSKq0= -github.com/k3s-io/containerd v1.4.11-k3s1/go.mod h1:g3v4rA/cI6WVYoSAYfUfAnrUSzEgbSZnu7uF1ZzkTmY= +github.com/k3s-io/containerd v1.4.12-k3s1 h1:WVr0W45uXTIDujMtqsfEigIVuEwhW9E8WjV/06/j03w= +github.com/k3s-io/containerd v1.4.12-k3s1/go.mod h1:g3v4rA/cI6WVYoSAYfUfAnrUSzEgbSZnu7uF1ZzkTmY= github.com/k3s-io/continuity v0.0.0-20210309170710-f93269e0d5c1 h1:KEz2rd9IDbrQT8w6RibEYlwfTXiu0P6hQDE+6O4IJdI= github.com/k3s-io/continuity v0.0.0-20210309170710-f93269e0d5c1/go.mod h1:EXlVlkqNba9rJe3j7w3Xa924itAMLgZH4UD/Q4PExuQ= github.com/k3s-io/cri v1.4.0-k3s.7 h1:1ycdF3dMDJMW/k/UxDC6eMsyGSMZ/p0AoUBVdJvNGQs= diff --git a/vendor/github.com/containerd/containerd/.travis.yml b/vendor/github.com/containerd/containerd/.travis.yml index 1726cf6d5556..8314c796b56f 100644 --- a/vendor/github.com/containerd/containerd/.travis.yml +++ b/vendor/github.com/containerd/containerd/.travis.yml @@ -15,7 +15,7 @@ os: - linux go: - - "1.16.8" + - "1.16.10" env: - TRAVIS_GOOS=linux TEST_RUNTIME=io.containerd.runc.v1 TRAVIS_CGO_ENABLED=1 TRAVIS_DISTRO=bionic GOPROXY=direct diff --git a/vendor/github.com/containerd/containerd/Vagrantfile b/vendor/github.com/containerd/containerd/Vagrantfile index d1f30c559992..b31dfaa3416b 100644 --- a/vendor/github.com/containerd/containerd/Vagrantfile +++ b/vendor/github.com/containerd/containerd/Vagrantfile @@ -77,7 +77,7 @@ Vagrant.configure("2") do |config| config.vm.provision "install-golang", type: "shell", run: "once" do |sh| sh.upload_path = "/tmp/vagrant-install-golang" sh.env = { - 'GO_VERSION': ENV['GO_VERSION'] || "1.16.8", + 'GO_VERSION': ENV['GO_VERSION'] || "1.16.10", } sh.inline = <<~SHELL #!/usr/bin/env bash diff --git a/vendor/github.com/containerd/containerd/images/image.go b/vendor/github.com/containerd/containerd/images/image.go index 1868ee88dd1f..2e42ca09a64f 100644 --- a/vendor/github.com/containerd/containerd/images/image.go +++ b/vendor/github.com/containerd/containerd/images/image.go @@ -19,6 +19,7 @@ package images import ( "context" "encoding/json" + "fmt" "sort" "time" @@ -154,6 +155,10 @@ func Manifest(ctx context.Context, provider content.Provider, image ocispec.Desc return nil, err } + if err := validateMediaType(p, desc.MediaType); err != nil { + return nil, errors.Wrapf(err, "manifest: invalid desc %s", desc.Digest) + } + var manifest ocispec.Manifest if err := json.Unmarshal(p, &manifest); err != nil { return nil, err @@ -194,6 +199,10 @@ func Manifest(ctx context.Context, provider content.Provider, image ocispec.Desc return nil, err } + if err := validateMediaType(p, desc.MediaType); err != nil { + return nil, errors.Wrapf(err, "manifest: invalid desc %s", desc.Digest) + } + var idx ocispec.Index if err := json.Unmarshal(p, &idx); err != nil { return nil, err @@ -336,6 +345,10 @@ func Children(ctx context.Context, provider content.Provider, desc ocispec.Descr return nil, err } + if err := validateMediaType(p, desc.MediaType); err != nil { + return nil, errors.Wrapf(err, "children: invalid desc %s", desc.Digest) + } + // TODO(stevvooe): We just assume oci manifest, for now. There may be // subtle differences from the docker version. var manifest ocispec.Manifest @@ -351,6 +364,10 @@ func Children(ctx context.Context, provider content.Provider, desc ocispec.Descr return nil, err } + if err := validateMediaType(p, desc.MediaType); err != nil { + return nil, errors.Wrapf(err, "children: invalid desc %s", desc.Digest) + } + var index ocispec.Index if err := json.Unmarshal(p, &index); err != nil { return nil, err @@ -368,6 +385,44 @@ func Children(ctx context.Context, provider content.Provider, desc ocispec.Descr return descs, nil } +// unknownDocument represents a manifest, manifest list, or index that has not +// yet been validated. +type unknownDocument struct { + MediaType string `json:"mediaType,omitempty"` + Config json.RawMessage `json:"config,omitempty"` + Layers json.RawMessage `json:"layers,omitempty"` + Manifests json.RawMessage `json:"manifests,omitempty"` + FSLayers json.RawMessage `json:"fsLayers,omitempty"` // schema 1 +} + +// validateMediaType returns an error if the byte slice is invalid JSON or if +// the media type identifies the blob as one format but it contains elements of +// another format. +func validateMediaType(b []byte, mt string) error { + var doc unknownDocument + if err := json.Unmarshal(b, &doc); err != nil { + return err + } + if len(doc.FSLayers) != 0 { + return fmt.Errorf("media-type: schema 1 not supported") + } + switch mt { + case MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest: + if len(doc.Manifests) != 0 || + doc.MediaType == MediaTypeDockerSchema2ManifestList || + doc.MediaType == ocispec.MediaTypeImageIndex { + return fmt.Errorf("media-type: expected manifest but found index (%s)", mt) + } + case MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex: + if len(doc.Config) != 0 || len(doc.Layers) != 0 || + doc.MediaType == MediaTypeDockerSchema2Manifest || + doc.MediaType == ocispec.MediaTypeImageManifest { + return fmt.Errorf("media-type: expected index but found manifest (%s)", mt) + } + } + return nil +} + // RootFS returns the unpacked diffids that make up and images rootfs. // // These are used to verify that a set of layers unpacked to the expected diff --git a/vendor/github.com/containerd/containerd/remotes/docker/fetcher.go b/vendor/github.com/containerd/containerd/remotes/docker/fetcher.go index 022c456a9f60..5aaaf9e2a5ce 100644 --- a/vendor/github.com/containerd/containerd/remotes/docker/fetcher.go +++ b/vendor/github.com/containerd/containerd/remotes/docker/fetcher.go @@ -60,6 +60,10 @@ func (r dockerFetcher) Fetch(ctx context.Context, desc ocispec.Descriptor) (io.R log.G(ctx).WithError(err).Debug("failed to parse") continue } + if u.Scheme != "http" && u.Scheme != "https" { + log.G(ctx).Debug("non-http(s) alternative url is unsupported") + continue + } log.G(ctx).Debug("trying alternative url") // Try this first, parse it diff --git a/vendor/github.com/containerd/containerd/remotes/docker/schema1/converter.go b/vendor/github.com/containerd/containerd/remotes/docker/schema1/converter.go index 8314c01d5a6f..f15a9acf3e81 100644 --- a/vendor/github.com/containerd/containerd/remotes/docker/schema1/converter.go +++ b/vendor/github.com/containerd/containerd/remotes/docker/schema1/converter.go @@ -256,6 +256,9 @@ func (c *Converter) fetchManifest(ctx context.Context, desc ocispec.Descriptor) if err := json.Unmarshal(b, &m); err != nil { return err } + if len(m.Manifests) != 0 || len(m.Layers) != 0 { + return errors.New("converter: expected schema1 document but found extra keys") + } c.pulledManifest = &m return nil @@ -472,8 +475,10 @@ type history struct { } type manifest struct { - FSLayers []fsLayer `json:"fsLayers"` - History []history `json:"history"` + FSLayers []fsLayer `json:"fsLayers"` + History []history `json:"history"` + Layers json.RawMessage `json:"layers,omitempty"` // OCI manifest + Manifests json.RawMessage `json:"manifests,omitempty"` // OCI index } type v1History struct { diff --git a/vendor/github.com/containerd/containerd/version/version.go b/vendor/github.com/containerd/containerd/version/version.go index 77f581f7cfef..dab4a1656a6d 100644 --- a/vendor/github.com/containerd/containerd/version/version.go +++ b/vendor/github.com/containerd/containerd/version/version.go @@ -23,7 +23,7 @@ var ( Package = "github.com/containerd/containerd" // Version holds the complete version number. Filled in at linking time. - Version = "1.4.11+unknown" + Version = "1.4.12+unknown" // Revision is filled with the VCS (e.g. git) revision being used to build // the program at linking time. diff --git a/vendor/modules.txt b/vendor/modules.txt index 6d27f48fe033..bf7f8515b531 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -183,7 +183,7 @@ github.com/containerd/cgroups/v2 github.com/containerd/cgroups/v2/stats # github.com/containerd/console v1.0.2 => github.com/containerd/console v1.0.2 github.com/containerd/console -# github.com/containerd/containerd v1.5.1 => github.com/k3s-io/containerd v1.4.11-k3s1 +# github.com/containerd/containerd v1.5.1 => github.com/k3s-io/containerd v1.4.12-k3s1 ## explicit github.com/containerd/containerd github.com/containerd/containerd/api/events @@ -3272,7 +3272,7 @@ sigs.k8s.io/yaml # github.com/containerd/btrfs => github.com/containerd/btrfs v1.0.0 # github.com/containerd/cgroups => github.com/containerd/cgroups v1.0.1 # github.com/containerd/console => github.com/containerd/console v1.0.2 -# github.com/containerd/containerd => github.com/k3s-io/containerd v1.4.11-k3s1 +# github.com/containerd/containerd => github.com/k3s-io/containerd v1.4.12-k3s1 # github.com/containerd/continuity => github.com/k3s-io/continuity v0.0.0-20210309170710-f93269e0d5c1 # github.com/containerd/cri => github.com/k3s-io/cri v1.4.0-k3s.7 # github.com/containerd/fifo => github.com/containerd/fifo v1.0.0 From 6f1c5260c82ff12b34aa4ef4cbae4709d46c3c75 Mon Sep 17 00:00:00 2001 From: Chris Kim Date: Thu, 18 Nov 2021 16:20:27 -0800 Subject: [PATCH 2/3] Bump golang to 1.16.10 and sonobuoy to 0.55.0 Signed-off-by: Chris Kim --- Dockerfile.dapper | 2 +- Dockerfile.manifest | 2 +- Dockerfile.test.dapper | 4 ++-- Dockerfile.test.mod.dapper | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/Dockerfile.dapper b/Dockerfile.dapper index 074a1d28ae52..155e2be119f1 100644 --- a/Dockerfile.dapper +++ b/Dockerfile.dapper @@ -1,4 +1,4 @@ -ARG GOLANG=golang:1.16.6-alpine3.13 +ARG GOLANG=golang:1.16.10-alpine3.13 FROM ${GOLANG} ARG http_proxy=$http_proxy diff --git a/Dockerfile.manifest b/Dockerfile.manifest index c2e28312a748..343ed8710168 100644 --- a/Dockerfile.manifest +++ b/Dockerfile.manifest @@ -1,4 +1,4 @@ -ARG GOLANG=golang:1.16.6-alpine3.13 +ARG GOLANG=golang:1.16.10-alpine3.13 FROM ${GOLANG} COPY --from=plugins/manifest:1.2.3 /bin/* /bin/ diff --git a/Dockerfile.test.dapper b/Dockerfile.test.dapper index e583569073bb..b6442dc983d0 100644 --- a/Dockerfile.test.dapper +++ b/Dockerfile.test.dapper @@ -1,9 +1,9 @@ -ARG GOLANG=golang:1.16.6-alpine3.13 +ARG GOLANG=golang:1.16.10-alpine3.13 FROM ${GOLANG} RUN apk -U --no-cache add bash git gcc musl-dev docker curl jq coreutils python3 openssl py3-pip -ENV SONOBUOY_VERSION 0.50.0 +ENV SONOBUOY_VERSION 0.55.0 RUN OS=linux; \ ARCH=$(go env GOARCH); \ diff --git a/Dockerfile.test.mod.dapper b/Dockerfile.test.mod.dapper index e4a2e6ec30b2..0584e958d8af 100644 --- a/Dockerfile.test.mod.dapper +++ b/Dockerfile.test.mod.dapper @@ -1,4 +1,4 @@ -ARG GOLANG=golang:1.16.6-alpine3.13 +ARG GOLANG=golang:1.16.10-alpine3.13 FROM ${GOLANG} RUN apk -U --no-cache add bash jq From b1a82f8fbeea50cd5b22dd314e2adfe28244a1bf Mon Sep 17 00:00:00 2001 From: Chris Kim Date: Thu, 18 Nov 2021 16:20:47 -0800 Subject: [PATCH 3/3] Change timeout to 60m Signed-off-by: Chris Kim --- scripts/test-helpers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/test-helpers b/scripts/test-helpers index 61010178f0d4..bd34a6d86b65 100755 --- a/scripts/test-helpers +++ b/scripts/test-helpers @@ -240,7 +240,7 @@ sonobuoy-test() { local sonobuoyPID=$! local code=0 - time timeout --foreground 30m bash -c test-wait $sonobuoyPID || code=$? + time timeout --foreground 60m bash -c test-wait $sonobuoyPID || code=$? echo "Sonobuoy finished with code $code" retrieve-sonobuoy-logs return $code