Resolve merge conflicts.

docker · Mar 18, 2022 · 63811a5 · 63811a5
2 parents 0cc736d + 1d3d1e9
commit 63811a5
Show file tree

Hide file tree

Showing 23 changed files with 225 additions and 116 deletions.
diff --git a/Jenkinsfile b/Jenkinsfile
@@ -8,27 +8,25 @@
 def images = [
     [image: "docker.io/library/amazonlinux:2",          arches: ["aarch64"]],
     [image: "docker.io/library/centos:7",               arches: ["amd64", "aarch64"]],
-    [image: "docker.io/dockereng/rhel:7-s390x",         arches: ["s390x"]],
-    [image: "docker.io/library/centos:8",               arches: ["amd64", "aarch64"]],
+    [image: "quay.io/centos/centos:stream8",            arches: ["amd64", "aarch64"]],
     [image: "docker.io/library/debian:buster",          arches: ["amd64", "aarch64", "armhf"]], // Debian 10 (EOL: 2024)
     [image: "docker.io/library/debian:bullseye",        arches: ["amd64", "aarch64", "armhf"]], // Debian 11 (Next stable)
-    [image: "docker.io/library/fedora:32",              arches: ["amd64", "aarch64"]],          // Fedora 32 (EOL: 18 May 2021)
-    [image: "docker.io/library/fedora:33",              arches: ["amd64", "aarch64"]],
-    [image: "docker.io/library/fedora:34",              arches: ["amd64", "aarch64"]],
+    [image: "docker.io/library/fedora:34",              arches: ["amd64", "aarch64"]],          // EOL: May 17, 2022
+    [image: "docker.io/library/fedora:35",              arches: ["amd64", "aarch64"]],          // EOL: November 30, 2022
     [image: "docker.io/library/fedora:rawhide",         arches: ["amd64"]],                     // Rawhide is the name given to the current development version of Fedora
     [image: "docker.io/opensuse/leap:15",               arches: ["amd64"]],
     [image: "docker.io/balenalib/rpi-raspbian:buster",  arches: ["armhf"]],
     [image: "docker.io/balenalib/rpi-raspbian:bullseye",arches: ["armhf"]],
-    [image: "docker.io/library/ubuntu:xenial",          arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 16.04 LTS (End of support: April, 2021. EOL: April, 2024)
-    [image: "docker.io/library/ubuntu:bionic",          arches: ["amd64", "aarch64", "armhf", "s390x"]], // Ubuntu 18.04 LTS (End of support: April, 2023. EOL: April, 2028)
-    [image: "docker.io/library/ubuntu:focal",           arches: ["amd64", "aarch64"]],          // Ubuntu 20.04 LTS (End of support: April, 2025. EOL: April, 2030)
-    [image: "docker.io/library/ubuntu:groovy",          arches: ["amd64", "aarch64"]],          // Ubuntu 20.10 (EOL: July, 2021)
-    [image: "docker.io/library/ubuntu:hirsute",         arches: ["amd64", "aarch64"]],          // Ubuntu 21.04 (EOL: January, 2022)
+    [image: "docker.io/library/ubuntu:bionic",          arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 18.04 LTS (End of support: April, 2023. EOL: April, 2028)
+    [image: "docker.io/library/ubuntu:focal",           arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 20.04 LTS (End of support: April, 2025. EOL: April, 2030)
+    [image: "docker.io/library/ubuntu:hirsute",         arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 21.04 (EOL: January, 2022)
+    [image: "docker.io/library/ubuntu:impish",          arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 21.10 (EOL: July, 2022)
+    [image: "docker.io/library/ubuntu:jammy",           arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 22.04 LTS (End of support: April, 2027. EOL: April, 2032)
 ]
 
 def generatePackageStep(opts, arch) {
     return {
-        wrappedNode(label: "linux&&${arch}") {
+        wrappedNode(label: "ubuntu-2004 && ${arch}") {
             stage("${opts.image}-${arch}") {
                 try {
                     sh 'docker version'
@@ -77,7 +75,7 @@ pipeline {
     agent none
     stages {
         stage('Check file headers') {
-            agent { label 'linux&&amd64' }
+            agent { label 'ubuntu-2004 && amd64' }
             steps{
                 script{
                     checkout scm

diff --git a/Makefile b/Makefile
@@ -1,4 +1,4 @@
-#   Copyright 2018-2020 Docker Inc.
+#   Copyright 2018-2022 Docker Inc.
 
 #   Licensed under the Apache License, Version 2.0 (the "License");
 #   you may not use this file except in compliance with the License.
@@ -14,25 +14,24 @@
 
 include common/common.mk
 
-BUILD_IMAGE=centos:7
+BUILD_IMAGE=ubuntu:focal
 BUILD_TYPE=$(shell ./scripts/deb-or-rpm $(BUILD_IMAGE))
 BUILD_BASE=$(shell ./scripts/determine-base $(BUILD_IMAGE))
 
 # The PROGRESS variable allows overriding the docker build --progress option.
 # For example, use "make PROGRESS=plain ..." to show build progress in plain test
 PROGRESS=auto
 TARGET=packages
-CONTAINERD_COMMIT=$(shell git -C "src/github.com/containerd/containerd" log -1 --pretty='%h')
-RUNC_COMMIT=$(shell git -C "src/github.com/opencontainers/runc" log -1 --pretty='%h')
 
 all: build
 
 .PHONY: clean
 clean:
-	-$(RM) -r build/
-	-$(RM) common/containerd.service
+	-$(RM) -r archive
 	-$(RM) -r artifacts
+	-$(RM) -r build
 	-$(RM) -r src
+	-$(RM) common/containerd.service
 	-docker builder prune -f --filter until=24h
 
 .PHONY: src
@@ -65,25 +64,26 @@ endif
 # This targets allows building multiple distros at once, for example:
 #
 #     make docker.io/library/ubuntu:bionic docker.io/library/centos:7
+#     make quay.io/centos/centos:stream8
 #
 # It is a shorthand for "make BUILD_IMAGE=mydistro:version build"
-.PHONY: docker.io/%
-docker.io/%:
+.PHONY: docker.io/% quay.io/%
+docker.io/% quay.io/%:
 	$(MAKE) BUILD_IMAGE="$@" build
 
 .PHONY: checkout
 checkout: src
 	./scripts/checkout.sh src/github.com/containerd/containerd "$(REF)"
-	./scripts/checkout.sh src/github.com/opencontainers/runc "$(RUNC_REF)"
+	./scripts/checkout.sh src/github.com/opencontainers/runc "$$(./scripts/determine-runc-version)"
 
 .PHONY: build
 build: checkout common/containerd.service
 build:
 	@echo "--------------------------------------------------------------------"
 	@echo "Building $(TARGET) on $(BUILD_IMAGE)"
 	@echo ""
-	@echo "containerd   : $(REF) (commit: $(CONTAINERD_COMMIT))"
-	@echo "runc         : $(RUNC_REF) (commit: $(RUNC_COMMIT))"
+	@echo "containerd   : $(REF) (commit: $(shell git -C "src/github.com/containerd/containerd" log -1 --pretty='%h'))"
+	@echo "runc         : $$(./scripts/determine-runc-version) (commit: $$(git -C "src/github.com/opencontainers/runc" log -1 --pretty='%h'))"
 	@echo "architecture : $(shell uname -m)"
 	@echo "build image  : $(BUILD_IMAGE)"
 	@echo "golang image : $(GOLANG_IMAGE)"

diff --git a/Makefile.win b/Makefile.win
@@ -1,4 +1,4 @@
-#   Copyright 2018-2020 Docker Inc.
+#   Copyright 2018-2022 Docker Inc.
 
 #   Licensed under the Apache License, Version 2.0 (the "License");
 #   you may not use this file except in compliance with the License.

diff --git a/NOTICE b/NOTICE
@@ -1,5 +1,5 @@
 Docker containerd-packaging
-Copyright 2018-2020 Docker Inc.
+Copyright 2018-2022 Docker Inc.
 
 This product includes software developed at
 Docker Inc. (http://www.docker.com/).
diff --git a/common/common.mk b/common/common.mk
@@ -1,4 +1,4 @@
-#   Copyright 2018-2020 Docker Inc.
+#   Copyright 2018-2022 Docker Inc.
 
 #   Licensed under the Apache License, Version 2.0 (the "License");
 #   you may not use this file except in compliance with the License.
@@ -19,13 +19,16 @@ RUNC_REMOTE       ?=https://github.com/opencontainers/runc.git
 REF?=HEAD
 
 # Select the default version of Golang and runc based on the containerd source.
-GOVERSION?=$(shell grep "ARG GOLANG_VERSION" src/github.com/containerd/containerd/contrib/Dockerfile.test | awk -F'=' '{print $$2}')
-RUNC_REF?=$(shell scripts/determine-runc-version)
+GOLANG_VERSION?=$(shell grep "ARG GOLANG_VERSION" src/github.com/containerd/containerd/contrib/Dockerfile.test | awk -F'=' '{print $$2}')
 
-GOLANG_IMAGE=golang:$(GOVERSION)
-ifeq ($(OS),Windows_NT)
-       GOLANG_IMAGE=docker.io/library/golang:$(GOVERSION)
-else
-       GOLANG_IMAGE=docker.io/library/golang:$(GOVERSION)-buster
+# Allow GOLANG_VERSION to be overridden through GOVERSION.
+#
+# We're using a separate variable for this to account for make being called as
+# either `GOVERSION=x make foo` or `make GOVERSION=x foo`, while also accounting
+# for `GOVERSION` to be an empty string (which may happen when triggered by some
+# Jenkins jobs in our pipeline).
+ifneq ($(strip $(GOVERSION)),)
+	GOLANG_VERSION=$(GOVERSION)
 endif
-GOARCH=$(shell docker run --rm $(GOLANG_IMAGE) go env GOARCH 2>/dev/null)
+
+GOLANG_IMAGE=golang:$(GOLANG_VERSION)
diff --git a/scripts/gen-go-dl-url → common/containerd.toml b/scripts/gen-go-dl-url → common/containerd.toml
@@ -1,6 +1,4 @@
-#!/usr/bin/env sh
-
-#   Copyright 2018-2020 Docker Inc.
+#   Copyright 2018-2022 Docker Inc.
 
 #   Licensed under the Apache License, Version 2.0 (the "License");
 #   you may not use this file except in compliance with the License.
@@ -14,22 +12,20 @@
 #   See the License for the specific language governing permissions and
 #   limitations under the License.
 
-GOVERSION=${GOVERSION:-1.12.16}
-HOST_ARCH=${HOST_ARCH:-$(uname -m)}
-DL_ARCH=${HOST_ARCH}
+disabled_plugins = ["cri"]
+
+#root = "/var/lib/containerd"
+#state = "/run/containerd"
+#subreaper = true
+#oom_score = 0
 
-# Why do they name them differently than their `uname -m` counterparts?
-# ¯\_(ツ)_/¯
-case $HOST_ARCH in
-	x86_64)
-		DL_ARCH="amd64"
-		;;
-	aarch64)
-		DL_ARCH="arm64"
-		;;
-	armv7l)
-		DL_ARCH="armv6l"
-		;;
-esac
+#[grpc]
+#  address = "/run/containerd/containerd.sock"
+#  uid = 0
+#  gid = 0
 
-echo "https://dl.google.com/go/go${GOVERSION}.linux-${DL_ARCH}.tar.gz"
+#[debug]
+#  address = "/run/containerd/debug.sock"
+#  uid = 0
+#  gid = 0
+#  level = "info"
diff --git a/debian/changelog b/debian/changelog
@@ -1,3 +1,73 @@
+containerd.io (1.5.10-1) release; urgency=medium
+
+  * Update containerd to v1.5.10
+
+ -- Sebastiaan van Stijn <thajeztah@docker.com>  Fri, 04 Mar 2022 17:47:48 +0000
+
+containerd.io (1.4.13-1) release; urgency=high
+
+  * Update containerd to v1.4.13 to address CVE-2022-23648
+  * Update runc to v1.0.3
+  * Update Golang runtime to 1.16.15
+
+ -- Sebastiaan van Stijn <thajeztah@docker.com>  Thu, 03 Mar 2022 21:09:12 +0000
+
+containerd.io (1.4.12-1) release; urgency=high
+
+  * Update containerd to v1.4.12 to address CVE-2021-41190
+  * Update Golang runtime to 1.16.10
+
+ -- Sebastiaan van Stijn <thajeztah@docker.com>  Wed, 17 Nov 2021 18:48:28 +0000
+
+containerd.io (1.4.11-1) release; urgency=high
+
+  * Update to containerd 1.4.11 to address CVE-2021-41103
+
+ -- Sebastiaan van Stijn <thajeztah@docker.com>  Mon, 04 Oct 2021 11:20:49 +0000
+
+containerd.io (1.4.10-1) release; urgency=medium
+
+  * Update to containerd 1.4.10
+  * Update runc to v1.0.2
+  * Update Golang runtime to 1.16.8
+
+ -- Sebastiaan van Stijn <thajeztah@docker.com>  Thu, 30 Sep 2021 15:21:28 +0000
+
+containerd.io (1.4.9-1) release; urgency=medium
+
+  * Update to containerd 1.4.9
+  * Update runc to v1.0.1
+
+ -- Sebastiaan van Stijn <thajeztah@docker.com>  Thu, 29 Jul 2021 20:43:55 +0000
+
+containerd.io (1.4.8-1) release; urgency=high
+
+  * Update to containerd 1.4.8 to address CVE-2021-32760
+
+ -- Sebastiaan van Stijn <thajeztah@docker.com>  Mon, 19 Jul 2021 19:03:08 +0000
+
+containerd.io (1.4.7-1) release; urgency=medium
+
+  * Update to containerd 1.4.7
+  * Update runc to v1.0.0
+  * Update Golang runtime to 1.15.14
+
+ -- Sebastiaan van Stijn <thajeztah@docker.com>  Mon, 19 Jul 2021 09:30:34 +0000
+
+containerd.io (1.4.6-1) release; urgency=high
+
+  * Update to containerd 1.4.6
+  * Update runc to v1.0.0-rc95 to address CVE-2021-30465.
+
+ -- Sebastiaan van Stijn <thajeztah@docker.com>  Fri, 21 May 2021 07:30:42 +0000
+
+containerd.io (1.4.5-1) release; urgency=medium
+
+  * Update to containerd 1.4.5
+  * Update runc to v1.0.0-rc94
+
+ -- Sebastiaan van Stijn <thajeztah@docker.com>  Wed, 12 May 2021 08:29:50 +0000
+
 containerd.io (1.4.4-1) release; urgency=high
 
   * Update to containerd 1.4.4 to address CVE-2021-21334.

diff --git a/debian/rules b/debian/rules
@@ -1,6 +1,6 @@
 #!/usr/bin/make -f
 
-#   Copyright 2018-2020 Docker Inc.
+#   Copyright 2018-2022 Docker Inc.
 
 #   Licensed under the Apache License, Version 2.0 (the "License");
 #   you may not use this file except in compliance with the License.
@@ -19,9 +19,12 @@
 
 # GO_SRC_PATH and PACKAGE are defined in the dockerfile
 # VERSION and REF are defined in scripts/build-deb
+# TODO remove custom PREFIX variable once containerd release/1.4 and release/1.5
+#      are obsolete. See https://github.com/containerd/containerd/commit/b5f530a157
 binaries: ## Create containerd binaries
-	@set -x; GO111MODULE=off make -C $(GO_SRC_PATH) --no-print-directory \
+	@set -x; GO111MODULE=auto make -C $(GO_SRC_PATH) --no-print-directory \
 		DESTDIR="$$(pwd)" \
+		PREFIX="" \
 		VERSION=$${VERSION} \
 		REVISION=$${REF} \
 		PACKAGE=$${PACKAGE} \
@@ -31,19 +34,24 @@ binaries: ## Create containerd binaries
 	rm -f bin/containerd-stress
 
 bin/runc:
-	@set -x; GO111MODULE=off make -C /go/src/github.com/opencontainers/runc  --no-print-directory \
+	@set -x; GO111MODULE=auto make -C /go/src/github.com/opencontainers/runc  --no-print-directory \
 		BINDIR="$$(pwd)/bin" \
 		BUILDTAGS='seccomp apparmor selinux' \
 		runc install
 
 man: ## Create containerd man pages
-	@set -x; GO111MODULE=off make -C $(GO_SRC_PATH) --no-print-directory man
+	@set -x; GO111MODULE=auto make -C $(GO_SRC_PATH) --no-print-directory man
 
 	# copy the generated man pages instead of using "make install-man" to allow
 	# dh_installman doing its magic
 	install -d man
 	install -D -m 0644 $(GO_SRC_PATH)/man/* man
 
+# force packages to be built with xz compression, as Ubuntu 21.10 and up use
+# zstd compression, which is non-standard, and breaks 'dpkg-sig --verify'
+override_dh_builddeb:
+	dh_builddeb -- -Zxz
+
 override_dh_auto_build: binaries bin/runc man
 
 override_dh_systemd_start:
@@ -54,3 +62,4 @@ override_dh_auto_install: binaries bin/runc man
 	mkdir -p debian/containerd.io/usr/bin
 	install -D -m 0755 bin/* debian/containerd.io/usr/bin
 	install -D -m 0644 /root/common/containerd.service debian/containerd.io/lib/systemd/system/containerd.service
+	install -D -m 0644 /root/common/containerd.toml    debian/containerd.io/etc/containerd/config.toml
diff --git a/dockerfiles/deb.dockerfile b/dockerfiles/deb.dockerfile
@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:experimental
 
 
-#   Copyright 2018-2020 Docker Inc.
+#   Copyright 2018-2022 Docker Inc.
 
 #   Licensed under the Apache License, Version 2.0 (the "License");
 #   you may not use this file except in compliance with the License.
@@ -15,7 +15,7 @@
 #   See the License for the specific language governing permissions and
 #   limitations under the License.
 
-ARG BUILD_IMAGE=ubuntu:bionic
+ARG BUILD_IMAGE=ubuntu:focal
 ARG GOLANG_IMAGE=golang:latest
 
 # Install golang from the official image, since the package managed
@@ -25,7 +25,7 @@ FROM ${GOLANG_IMAGE} AS golang
 FROM golang AS go-md2man
 ARG GOPROXY=direct
 ARG GO111MODULE=on
-ARG MD2MAN_VERSION=v2.0.0
+ARG MD2MAN_VERSION=v2.0.1
 RUN go get github.com/cpuguy83/go-md2man/v2/@${MD2MAN_VERSION}
 
 FROM ${BUILD_IMAGE} AS distro-image
@@ -97,7 +97,7 @@ ENV PACKAGE=${PACKAGE:-containerd.io}
 
 FROM build-env AS build-packages
 RUN mkdir -p /archive /build
-COPY common/containerd.service /root/common/
+COPY common/containerd.service common/containerd.toml /root/common/
 ARG CREATE_ARCHIVE
 # NOTE: not using a cache-mount for /root/.cache/go-build, to prevent issues
 #       with CGO when building multiple distros on the same machine / build-cache
@@ -131,4 +131,4 @@ COPY --from=verify-packages /build   /build
 # This stage is mainly for debugging (running the build interactively with mounted source)
 FROM build-env AS runtime
 COPY --from=golang /usr/local/go/ /usr/local/go/
-COPY common/containerd.service /root/common/
+COPY common/containerd.service common/containerd.toml /root/common/