From 41961946e93355c226f9907784d9a07ddcc2b7a8 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Fri, 19 May 2023 11:32:50 +0200 Subject: [PATCH] vendor: github.com/containerd/containerd v1.6.21 updates the digest in testReproSourceDateEpoch to account for https://github.com/containerd/containerd/commit/d1f3771c41470b3460b37edad9e8776b913f02e5 release notes: https://github.com/containerd/containerd/releases/tag/v1.6.21 Notable Updates - update runc binary to v1.1.7 - Remove entry for container from container store on error - oci: partially restore comment on read-only mounts for uid/gid uses - windows: Add ArgsEscaped support for CRI - oci: Use WithReadonlyTempMount when adding users/groups - archive: consistently respect value of WithSkipDockerManifest full diff: https://github.com/containerd/containerd/compare/c0efc63d3907...v1.6.21 Signed-off-by: Sebastiaan van Stijn --- frontend/dockerfile/dockerfile_test.go | 2 +- go.mod | 2 +- go.sum | 4 +- .../containerd/containerd/Vagrantfile | 2 +- .../containerd/containerd/container.go | 1 + .../containerd/images/archive/exporter.go | 40 +++++++------- .../containerd/containerd/oci/spec_opts.go | 53 +++++++++---------- .../containerd/oci/spec_opts_windows.go | 10 ++++ .../github.com/containerd/containerd/task.go | 5 ++ .../containerd/containerd/task_opts.go | 2 +- .../containerd/containerd/version/version.go | 2 +- vendor/modules.txt | 2 +- 12 files changed, 68 insertions(+), 57 deletions(-) diff --git a/frontend/dockerfile/dockerfile_test.go b/frontend/dockerfile/dockerfile_test.go index bb911e2a155ec..2914f7cbc3e2b 100644 --- a/frontend/dockerfile/dockerfile_test.go +++ b/frontend/dockerfile/dockerfile_test.go @@ -6565,7 +6565,7 @@ COPY --from=0 / / // note that this digest differs from the one in master, due to // commit a89f482dcb3428c0297f39474eebd7de15e4792a not being included // in this branch. - const expectedDigest = "sha256:e26093cc8a7524089a1d0136457e6c09a34176e2b2efcf99ac471baa729c7dc9" + const expectedDigest = "sha256:aa2d0a0f9a6560c267b0c2d41c758ca60386d6001cd687adf837365236507a0a" dir, err := integration.Tmpdir( t, diff --git a/go.mod b/go.mod index b766ca69c0982..710d0f36ba16f 100644 --- a/go.mod +++ b/go.mod @@ -15,7 +15,7 @@ require ( github.com/aws/aws-sdk-go-v2/service/s3 v1.26.9 github.com/aws/smithy-go v1.11.2 github.com/containerd/console v1.0.3 - github.com/containerd/containerd v1.6.20 + github.com/containerd/containerd v1.6.21 github.com/containerd/continuity v0.3.0 github.com/containerd/fuse-overlayfs-snapshotter v1.0.2 github.com/containerd/go-cni v1.1.6 diff --git a/go.sum b/go.sum index ac08571dff74e..684d5c4cf933e 100644 --- a/go.sum +++ b/go.sum @@ -370,8 +370,8 @@ github.com/containerd/containerd v1.5.7/go.mod h1:gyvv6+ugqY25TiXxcZC3L5yOeYgEw0 github.com/containerd/containerd v1.5.8/go.mod h1:YdFSv5bTFLpG2HIYmfqDpSYYTDX+mc5qtSuYx1YUb/s= github.com/containerd/containerd v1.6.1/go.mod h1:1nJz5xCZPusx6jJU8Frfct988y0NpumIq9ODB0kLtoE= github.com/containerd/containerd v1.6.9/go.mod h1:XVicUvkxOrftE2Q1YWUXgZwkkAxwQYNOFzYWvfVfEfQ= -github.com/containerd/containerd v1.6.20 h1:+itjwpdqXpzHB/QAiWc/BZCjjVfcNgw69w/oIeF4Oy0= -github.com/containerd/containerd v1.6.20/go.mod h1:apei1/i5Ux2FzrK6+DM/suEsGuK/MeVOfy8tR2q7Wnw= +github.com/containerd/containerd v1.6.21 h1:eSTAmnvDKRPWan+MpSSfNyrtleXd86ogK9X8fMWpe/Q= +github.com/containerd/containerd v1.6.21/go.mod h1:apei1/i5Ux2FzrK6+DM/suEsGuK/MeVOfy8tR2q7Wnw= github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= github.com/containerd/continuity v0.0.0-20191127005431-f65d91d395eb/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= diff --git a/vendor/github.com/containerd/containerd/Vagrantfile b/vendor/github.com/containerd/containerd/Vagrantfile index a4a05edf86cf1..f706788eccdda 100644 --- a/vendor/github.com/containerd/containerd/Vagrantfile +++ b/vendor/github.com/containerd/containerd/Vagrantfile @@ -93,7 +93,7 @@ EOF config.vm.provision "install-golang", type: "shell", run: "once" do |sh| sh.upload_path = "/tmp/vagrant-install-golang" sh.env = { - 'GO_VERSION': ENV['GO_VERSION'] || "1.19.7", + 'GO_VERSION': ENV['GO_VERSION'] || "1.19.9", } sh.inline = <<~SHELL #!/usr/bin/env bash diff --git a/vendor/github.com/containerd/containerd/container.go b/vendor/github.com/containerd/containerd/container.go index 7d8d674c89da8..2cf15666f1322 100644 --- a/vendor/github.com/containerd/containerd/container.go +++ b/vendor/github.com/containerd/containerd/container.go @@ -279,6 +279,7 @@ func (c *container) NewTask(ctx context.Context, ioCreate cio.Creator, opts ...N }) } } + request.RuntimePath = info.RuntimePath if info.Options != nil { any, err := typeurl.MarshalAny(info.Options) if err != nil { diff --git a/vendor/github.com/containerd/containerd/images/archive/exporter.go b/vendor/github.com/containerd/containerd/images/archive/exporter.go index 40a0a33df06ea..6943a7f8bc0c1 100644 --- a/vendor/github.com/containerd/containerd/images/archive/exporter.go +++ b/vendor/github.com/containerd/containerd/images/archive/exporter.go @@ -176,7 +176,7 @@ func Export(ctx context.Context, store content.Provider, writer io.Writer, opts } name := desc.Annotations[images.AnnotationImageName] - if name != "" && !eo.skipDockerManifest { + if name != "" { mt.names = append(mt.names, name) } case images.MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex: @@ -215,26 +215,24 @@ func Export(ctx context.Context, store content.Provider, writer io.Writer, opts records = append(records, r...) } - if !eo.skipDockerManifest { - if len(manifests) >= 1 { - if len(manifests) > 1 { - sort.SliceStable(manifests, func(i, j int) bool { - if manifests[i].Platform == nil { - return false - } - if manifests[j].Platform == nil { - return true - } - return eo.platform.Less(*manifests[i].Platform, *manifests[j].Platform) - }) - } - d = manifests[0].Digest - dManifests[d] = &exportManifest{ - manifest: manifests[0], - } - } else if eo.platform != nil { - return fmt.Errorf("no manifest found for platform: %w", errdefs.ErrNotFound) + if len(manifests) >= 1 { + if len(manifests) > 1 { + sort.SliceStable(manifests, func(i, j int) bool { + if manifests[i].Platform == nil { + return false + } + if manifests[j].Platform == nil { + return true + } + return eo.platform.Less(*manifests[i].Platform, *manifests[j].Platform) + }) + } + d = manifests[0].Digest + dManifests[d] = &exportManifest{ + manifest: manifests[0], } + } else if eo.platform != nil { + return fmt.Errorf("no manifest found for platform: %w", errdefs.ErrNotFound) } resolvedIndex[desc.Digest] = d } @@ -250,7 +248,7 @@ func Export(ctx context.Context, store content.Provider, writer io.Writer, opts } } - if len(dManifests) > 0 { + if !eo.skipDockerManifest && len(dManifests) > 0 { tr, err := manifestsRecord(ctx, store, dManifests) if err != nil { return fmt.Errorf("unable to create manifests file: %w", err) diff --git a/vendor/github.com/containerd/containerd/oci/spec_opts.go b/vendor/github.com/containerd/containerd/oci/spec_opts.go index cd251c3886b1a..65811fc23d5a4 100644 --- a/vendor/github.com/containerd/containerd/oci/spec_opts.go +++ b/vendor/github.com/containerd/containerd/oci/spec_opts.go @@ -663,8 +663,11 @@ func WithUser(userstr string) SpecOpts { return err } - mounts = tryReadonlyMounts(mounts) - return mount.WithTempMount(ctx, mounts, f) + // Use a read-only mount when trying to get user/group information + // from the container's rootfs. Since the option does read operation + // only, we append ReadOnly mount option to prevent the Linux kernel + // from syncing whole filesystem in umount syscall. + return mount.WithReadonlyTempMount(ctx, mounts, f) default: return fmt.Errorf("invalid USER value %s", userstr) } @@ -724,8 +727,11 @@ func WithUserID(uid uint32) SpecOpts { return err } - mounts = tryReadonlyMounts(mounts) - return mount.WithTempMount(ctx, mounts, setUser) + // Use a read-only mount when trying to get user/group information + // from the container's rootfs. Since the option does read operation + // only, we append ReadOnly mount option to prevent the Linux kernel + // from syncing whole filesystem in umount syscall. + return mount.WithReadonlyTempMount(ctx, mounts, setUser) } } @@ -769,8 +775,11 @@ func WithUsername(username string) SpecOpts { return err } - mounts = tryReadonlyMounts(mounts) - return mount.WithTempMount(ctx, mounts, setUser) + // Use a read-only mount when trying to get user/group information + // from the container's rootfs. Since the option does read operation + // only, we append ReadOnly mount option to prevent the Linux kernel + // from syncing whole filesystem in umount syscall. + return mount.WithReadonlyTempMount(ctx, mounts, setUser) } else if s.Windows != nil { s.Process.User.Username = username } else { @@ -848,8 +857,11 @@ func WithAdditionalGIDs(userstr string) SpecOpts { return err } - mounts = tryReadonlyMounts(mounts) - return mount.WithTempMount(ctx, mounts, setAdditionalGids) + // Use a read-only mount when trying to get user/group information + // from the container's rootfs. Since the option does read operation + // only, we append ReadOnly mount option to prevent the Linux kernel + // from syncing whole filesystem in umount syscall. + return mount.WithReadonlyTempMount(ctx, mounts, setAdditionalGids) } } @@ -910,8 +922,11 @@ func WithAppendAdditionalGroups(groups ...string) SpecOpts { return err } - mounts = tryReadonlyMounts(mounts) - return mount.WithTempMount(ctx, mounts, setAdditionalGids) + // Use a read-only mount when trying to get user/group information + // from the container's rootfs. Since the option does read operation + // only, we append ReadOnly mount option to prevent the Linux kernel + // from syncing whole filesystem in umount syscall. + return mount.WithReadonlyTempMount(ctx, mounts, setAdditionalGids) } } @@ -1389,21 +1404,3 @@ func WithDevShmSize(kb int64) SpecOpts { return ErrNoShmMount } } - -// tryReadonlyMounts is used by the options which are trying to get user/group -// information from container's rootfs. Since the option does read operation -// only, this helper will append ReadOnly mount option to prevent linux kernel -// from syncing whole filesystem in umount syscall. -// -// TODO(fuweid): -// -// Currently, it only works for overlayfs. I think we can apply it to other -// kinds of filesystem. Maybe we can return `ro` option by `snapshotter.Mount` -// API, when the caller passes that experimental annotation -// `containerd.io/snapshot/readonly.mount` something like that. -func tryReadonlyMounts(mounts []mount.Mount) []mount.Mount { - if len(mounts) == 1 && mounts[0].Type == "overlay" { - mounts[0].Options = append(mounts[0].Options, "ro") - } - return mounts -} diff --git a/vendor/github.com/containerd/containerd/oci/spec_opts_windows.go b/vendor/github.com/containerd/containerd/oci/spec_opts_windows.go index 4ddb13d3f7b23..602d40e4a9cef 100644 --- a/vendor/github.com/containerd/containerd/oci/spec_opts_windows.go +++ b/vendor/github.com/containerd/containerd/oci/spec_opts_windows.go @@ -68,6 +68,16 @@ func WithWindowNetworksAllowUnqualifiedDNSQuery() SpecOpts { } } +// WithProcessCommandLine replaces the command line on the generated spec +func WithProcessCommandLine(cmdLine string) SpecOpts { + return func(_ context.Context, _ Client, _ *containers.Container, s *Spec) error { + setProcess(s) + s.Process.Args = nil + s.Process.CommandLine = cmdLine + return nil + } +} + // WithHostDevices adds all the hosts device nodes to the container's spec // // Not supported on windows diff --git a/vendor/github.com/containerd/containerd/task.go b/vendor/github.com/containerd/containerd/task.go index 105d4fbc31436..9be1394cf4643 100644 --- a/vendor/github.com/containerd/containerd/task.go +++ b/vendor/github.com/containerd/containerd/task.go @@ -139,6 +139,11 @@ type TaskInfo struct { RootFS []mount.Mount // Options hold runtime specific settings for task creation Options interface{} + // RuntimePath is an absolute path that can be used to overwrite path + // to a shim runtime binary. + RuntimePath string + + // runtime is the runtime name for the container, and cannot be changed. runtime string } diff --git a/vendor/github.com/containerd/containerd/task_opts.go b/vendor/github.com/containerd/containerd/task_opts.go index 56f3cbad60dcc..67e6527325231 100644 --- a/vendor/github.com/containerd/containerd/task_opts.go +++ b/vendor/github.com/containerd/containerd/task_opts.go @@ -49,7 +49,7 @@ func WithRootFS(mounts []mount.Mount) NewTaskOpts { // instead of resolving it from runtime name. func WithRuntimePath(absRuntimePath string) NewTaskOpts { return func(ctx context.Context, client *Client, info *TaskInfo) error { - info.runtime = absRuntimePath + info.RuntimePath = absRuntimePath return nil } } diff --git a/vendor/github.com/containerd/containerd/version/version.go b/vendor/github.com/containerd/containerd/version/version.go index e0593912a668f..2fee285ac1bc9 100644 --- a/vendor/github.com/containerd/containerd/version/version.go +++ b/vendor/github.com/containerd/containerd/version/version.go @@ -23,7 +23,7 @@ var ( Package = "github.com/containerd/containerd" // Version holds the complete version number. Filled in at linking time. - Version = "1.6.20+unknown" + Version = "1.6.21+unknown" // Revision is filled with the VCS (e.g. git) revision being used to build // the program at linking time. diff --git a/vendor/modules.txt b/vendor/modules.txt index d47b48e929668..144a7cd3c8c56 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -215,7 +215,7 @@ github.com/containerd/cgroups/stats/v1 # github.com/containerd/console v1.0.3 ## explicit; go 1.13 github.com/containerd/console -# github.com/containerd/containerd v1.6.20 +# github.com/containerd/containerd v1.6.21 ## explicit; go 1.17 github.com/containerd/containerd github.com/containerd/containerd/api/services/containers/v1