host-ctr: Upgrades go-restful dependency used by containerd #2813

Merged (1 commit) on Feb 17, 2023

@jpmcb jpmcb commented Feb 16, 2023

Issue number:

N/a related to: emicklei/go-restful#489

⚠️ Note: The above CVE does not affect bottlerocket since it cannot be executed against host-ctr or containerd. The containerd code does not use CORS in its restful API which is the main avenue for the go-restful CVE. For more information: containerd/containerd#7117

Description of changes:

Upgrades the go-restful library to the most recent v2

In the diff, the most important piece is this in the go.sum. This effectively removes the v2.9.5 dependency used by containerd in favor of v2.16.0:

- github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
github.com/emicklei/go-restful v2.16.0+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
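
Review bot: both lines in this go.sum excerpt are `/go.mod` entries and carry the same `h1:` value, so the excerpt by itself does not show that different code is now being built; it only shows which go.mod checksum line is recorded. The description would be easier to verify if it also quoted the go.mod line that selects v2.16.0+incompatible and the non-`/go.mod` go.sum entry for that version, and if the testing section recorded the output of `go list -m github.com/emicklei/go-restful` so the resolved version is on record. The second line also appears to have lost its leading `+` marker.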

Testing done:

❯ go mod tidy
❯ go mod vendor
❯ go build ./...
❯ ./host-ctr --help
NAME:
   host-ctr - manage host containers
   ...

More in depth testing incoming!

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

Signed-off-by: John McBride <jpmmcb@amazon.com>

jpmcb commented Feb 16, 2023

Tests look good! 😄

ECS variant:

Built an ECS variant off this branch and deployed a machine that attached to my default ECS cluster.

Host containers status:

bash-5.1# systemctl status host-containers@admin
● host-containers@admin.service - Host container: admin
     Loaded: loaded (/x86_64-bottlerocket-linux-gnu/sys-root/usr/lib/systemd/system/host-containers@.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2023-02-16 22:09:07 UTC; 40s ago
   Main PID: 2197 (host-ctr)
      Tasks: 9 (limit: 9162)
     Memory: 19.3M
     CGroup: /system.slice/system-host\x2dcontainers.slice/host-containers@admin.service
             └─ 2197 /usr/bin/host-ctr run --container-id=admin --source=328549459982.dkr.ecr.us-west-2.amazonaws.com/bottlerocket-admin:v0.9.4 --superpowered=true --registry-config=/etc/host-containers/host-ctr.toml

Starting a workload manually:

bash-5.1# ctr images pull docker.io/docker/whalesay:latest
docker.io/docker/whalesay:latest: 
...

bash-5.1# ctr run --rm -t docker.io/docker/whalesay:latest my-whale-say cowsay "Hello bottlerocket!"
 _____________________
< Hello bottlerocket! >
 ---------------------
    \
     \
      \
                    ##        .
              ## ## ##       ==
           ## ## ## ##      ===
       /""""""""""""""""___/ ===
  ~~~ {~~ ~~~~ ~~~ ~~~~ ~~ ~ /  ===- ~~~
       \______ o          __/
        \    \        __/
          \____\______/
bash-5.1#

K8s variant

Built and deployed an AMI to my existing cluster's launch group.

Host-containers status:

bash-5.1# systemctl status host-containers@admin
● host-containers@admin.service - Host container: admin
     Loaded: loaded (/x86_64-bottlerocket-linux-gnu/sys-root/usr/lib/systemd/system/host-containers@.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2023-02-16 22:32:37 UTC; 26s ago
   Main PID: 2620 (host-ctr)
      Tasks: 9 (limit: 9265)
     Memory: 17.7M
     CGroup: /system.slice/system-host\x2dcontainers.slice/host-containers@admin.service
             └─ 2620 /usr/bin/host-ctr run --container-id=admin --source=328549459982.dkr.ecr.us-west-2.amazonaws.com/bottlerocket-admin:v0.9.4 --superpowered=true --registry-config=/etc/host-containers/host-ctr.toml

Launching a container:

bash-5.1# ctr images pull docker.io/docker/whalesay:latest
docker.io/docker/whalesay:latest: 
...

bash-5.1# ctr run --rm -t docker.io/docker/whalesay:latest my-whale-say cowsay "Howdy Kubernetes!"
 ___________________
< Howdy Kubernetes! >
 -------------------
    \
     \
      \
                    ##        .
              ## ## ##       ==
           ## ## ## ##      ===
       /""""""""""""""""___/ ===
  ~~~ {~~ ~~~~ ~~~ ~~~~ ~~ ~ /  ===- ~~~
       \______ o          __/
        \    \        __/
          \____\______/
bash-5.1#

@jpmcb jpmcb merged commit 113b49b into bottlerocket-os:develop Feb 17, 2023
@jpmcb jpmcb deleted the host-ctr-go-restful-dependency branch February 17, 2023 18:45
gazal-k commented Mar 31, 2023

Looks like the replace could be removed when updating containerd to the latest 1.6.x version: https://github.com/containerd/containerd/releases/tag/v1.6.20

gazal-k commented Apr 27, 2023

Looks like the replace could be removed when updating containerd to the latest 1.6.x version: https://github.com/containerd/containerd/releases/tag/v1.6.20

Gave it a go: #3062
