diff --git a/go.mod b/go.mod
index 0d1740ffb2c2..cf4c02973236 100644
--- a/go.mod
+++ b/go.mod
@@ -9,8 +9,7 @@ require (
 github.com/Microsoft/hcsshim v0.8.10
 github.com/codahale/hdrhistogram v0.0.0-20160425231609-f8ad88b59a58 // indirect
 github.com/containerd/console v1.0.1
- // containerd: the actual version is replaced in replace()
- github.com/containerd/containerd v1.4.1-0.20201117152358-0edc412565dc
+ github.com/containerd/containerd v1.4.1-0.20201117152358-0edc412565dc // the actual version is replaced in replace()
 github.com/containerd/continuity v0.0.0-20200710164510-efbc4488d8fe
 github.com/containerd/go-cni v1.0.1
 github.com/containerd/go-runc v0.0.0-20201020171139-16b287bc67d0
@@ -72,11 +71,16 @@ require (
 )
 
 replace (
- // containerd: Forked from 0edc412565dcc6e3d6125ff9e4b009ad4b89c638 (20201117) with:
+ // containerd: vendoring from the docker/20.10 branch in https://github.com/moby/containerd
+ //
+ // Forked from 0edc412565dcc6e3d6125ff9e4b009ad4b89c638 (20201117) with:
+ // - `images: validate document type before unmarshal` (eb9ba7ed8d46d48fb22362f9d91fff6fb837e37e)
+ // - `schema1: reject ambiguous documents` (70c88f507579277ab7af23b06666e3b57d4b4f2d)
+ // - `Fix the Inheritable capability defaults` (6906b57c721f9114377ceb069662b196876915c0)
+ // - `Adjust overlay tests to expect "index=off"` (#4719, for ease of cherry-picking #5076)
+ // - `overlay: support "userxattr" option (kernel 5.11)` (#5076)
+ // - `docker: avoid concurrent map access panic` (#4855)
- github.com/containerd/containerd => github.com/AkihiroSuda/containerd v1.1.1-0.20210312044057-48f85a131bb8
+ github.com/containerd/containerd => github.com/moby/containerd v0.0.0-20220901192706-96c5ae04b678
 // protobuf: corresponds to containerd
 github.com/golang/protobuf => github.com/golang/protobuf v1.3.5
 github.com/hashicorp/go-immutable-radix => github.com/tonistiigi/go-immutable-radix v0.0.0-20170803185627-826af9ccf0fe
diff --git a/go.sum b/go.sum
index 512ea79901ef..f6c4a16f3744 100644
--- a/go.sum
+++ b/go.sum
@@ -44,8 +44,6 @@ contrib.go.opencensus.io/resource v0.1.1/go.mod h1:F361eGI91LCmW1I/Saf+rX0+OFcig
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 git.apache.org/thrift.git v0.0.0-20180902110319-2566ecd5d999/go.mod h1:fPE2ZNJGynbRyZ4dJvy6G277gSllfV2HJqblrnkyeyg=
 git.apache.org/thrift.git v0.12.0/go.mod h1:fPE2ZNJGynbRyZ4dJvy6G277gSllfV2HJqblrnkyeyg=
-github.com/AkihiroSuda/containerd v1.1.1-0.20210312044057-48f85a131bb8 h1:YqSRKDiQLq/NKLrhiEoxQMvNMDJG49WYf4crjJ1i6Y8=
-github.com/AkihiroSuda/containerd v1.1.1-0.20210312044057-48f85a131bb8/go.mod h1:5IBP++IFtudvjLCXBrBPdXGu8s/AL9xiPCjz0K9psr4=
 github.com/AkihiroSuda/containerd-fuse-overlayfs v1.0.0 h1:LhS8BiMh7ULa6zkkF5XI6piLV5XVTR7mSm9j3hTUB/k=
 github.com/AkihiroSuda/containerd-fuse-overlayfs v1.0.0/go.mod h1:0mMDvQFeLbbn1Wy8P2j3hwFhqBq+FKn8OZPno8WLmp8=
 github.com/Azure/azure-amqp-common-go/v2 v2.1.0/go.mod h1:R8rea+gJRuJR6QxTir/XuEd+YuKoUiazDC/N96FiDEU=
@@ -622,6 +620,8 @@ github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:F
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.3.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/mitchellh/osext v0.0.0-20151018003038-5e2d6d41470f/go.mod h1:OkQIRizQZAeMln+1tSwduZz7+Af5oFlKirV/MSYes2A=
+github.com/moby/containerd v0.0.0-20220901192706-96c5ae04b678 h1:eDq3voeTd6v6bmQi/gaA/gEMDHGqZ7//yisQlgfkkvM=
+github.com/moby/containerd v0.0.0-20220901192706-96c5ae04b678/go.mod h1:F+mq0u1LuleSUA1uQ74yceU7zJEg15FOIAovIkRiC08=
 github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg=
 github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc=
 github.com/moby/sys/mount v0.1.0/go.mod h1:FVQFLDRWwyBjDTBNQXDlWnSFREqOo3OKX9aqhmeoo74=
diff --git a/vendor/github.com/containerd/containerd/images/image.go b/vendor/github.com/containerd/containerd/images/image.go
index 1868ee88dd1f..2e42ca09a64f 100644
--- a/vendor/github.com/containerd/containerd/images/image.go
+++ b/vendor/github.com/containerd/containerd/images/image.go
@@ -19,6 +19,7 @@ package images
 import (
 "context"
 "encoding/json"
+ "fmt"
 "sort"
 "time"
 
@@ -154,6 +155,10 @@ func Manifest(ctx context.Context, provider content.Provider, image ocispec.Desc
 return nil, err
 }
 
+ if err := validateMediaType(p, desc.MediaType); err != nil {
+ return nil, errors.Wrapf(err, "manifest: invalid desc %s", desc.Digest)
+ }
+
 var manifest ocispec.Manifest
 if err := json.Unmarshal(p, &manifest); err != nil {
 return nil, err
@@ -194,6 +199,10 @@ func Manifest(ctx context.Context, provider content.Provider, image ocispec.Desc
 return nil, err
 }
 
+ if err := validateMediaType(p, desc.MediaType); err != nil {
+ return nil, errors.Wrapf(err, "manifest: invalid desc %s", desc.Digest)
+ }
+
 var idx ocispec.Index
 if err := json.Unmarshal(p, &idx); err != nil {
 return nil, err
@@ -336,6 +345,10 @@ func Children(ctx context.Context, provider content.Provider, desc ocispec.Descr
 return nil, err
 }
 
+ if err := validateMediaType(p, desc.MediaType); err != nil {
+ return nil, errors.Wrapf(err, "children: invalid desc %s", desc.Digest)
+ }
+
 // TODO(stevvooe): We just assume oci manifest, for now. There may be
 // subtle differences from the docker version.
 var manifest ocispec.Manifest
@@ -351,6 +364,10 @@ func Children(ctx context.Context, provider content.Provider, desc ocispec.Descr
 return nil, err
 }
 
+ if err := validateMediaType(p, desc.MediaType); err != nil {
+ return nil, errors.Wrapf(err, "children: invalid desc %s", desc.Digest)
+ }
+
 var index ocispec.Index
 if err := json.Unmarshal(p, &index); err != nil {
 return nil, err
@@ -368,6 +385,44 @@ func Children(ctx context.Context, provider content.Provider, desc ocispec.Descr
 return descs, nil
 }
 
+// unknownDocument represents a manifest, manifest list, or index that has not
+// yet been validated.
+type unknownDocument struct {
+ MediaType string `json:"mediaType,omitempty"`
+ Config json.RawMessage `json:"config,omitempty"`
+ Layers json.RawMessage `json:"layers,omitempty"`
+ Manifests json.RawMessage `json:"manifests,omitempty"`
+ FSLayers json.RawMessage `json:"fsLayers,omitempty"` // schema 1
+}
+
+// validateMediaType returns an error if the byte slice is invalid JSON or if
+// the media type identifies the blob as one format but it contains elements of
+// another format.
+func validateMediaType(b []byte, mt string) error {
+ var doc unknownDocument
+ if err := json.Unmarshal(b, &doc); err != nil {
+ return err
+ }
+ if len(doc.FSLayers) != 0 {
+ return fmt.Errorf("media-type: schema 1 not supported")
+ }
+ switch mt {
+ case MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest:
+ if len(doc.Manifests) != 0 ||
+ doc.MediaType == MediaTypeDockerSchema2ManifestList ||
+ doc.MediaType == ocispec.MediaTypeImageIndex {
+ return fmt.Errorf("media-type: expected manifest but found index (%s)", mt)
+ }
+ case MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex:
+ if len(doc.Config) != 0 || len(doc.Layers) != 0 ||
+ doc.MediaType == MediaTypeDockerSchema2Manifest ||
+ doc.MediaType == ocispec.MediaTypeImageManifest {
+ return fmt.Errorf("media-type: expected index but found manifest (%s)", mt)
+ }
+ }
+ return nil
+}
+
 // RootFS returns the unpacked diffids that make up and images rootfs.
 //
 // These are used to verify that a set of layers unpacked to the expected
diff --git a/vendor/github.com/containerd/containerd/oci/spec.go b/vendor/github.com/containerd/containerd/oci/spec.go
index 035bb7e7d83d..ff25ddfd2359 100644
--- a/vendor/github.com/containerd/containerd/oci/spec.go
+++ b/vendor/github.com/containerd/containerd/oci/spec.go
@@ -148,10 +148,9 @@ func populateDefaultUnixSpec(ctx context.Context, s *Spec, id string) error {
 GID: 0,
 },
 Capabilities: &specs.LinuxCapabilities{
- Bounding: defaultUnixCaps(),
- Permitted: defaultUnixCaps(),
- Inheritable: defaultUnixCaps(),
- Effective: defaultUnixCaps(),
+ Bounding: defaultUnixCaps(),
+ Permitted: defaultUnixCaps(),
+ Effective: defaultUnixCaps(),
 },
 Rlimits: []specs.POSIXRlimit{
 {
diff --git a/vendor/github.com/containerd/containerd/oci/spec_opts.go b/vendor/github.com/containerd/containerd/oci/spec_opts.go
index 89346fe8bf3b..1372584aa842 100644
--- a/vendor/github.com/containerd/containerd/oci/spec_opts.go
+++ b/vendor/github.com/containerd/containerd/oci/spec_opts.go
@@ -770,7 +770,6 @@ func WithCapabilities(caps []string) SpecOpts {
 s.Process.Capabilities.Bounding = caps
 s.Process.Capabilities.Effective = caps
 s.Process.Capabilities.Permitted = caps
- s.Process.Capabilities.Inheritable = caps
 
 return nil
 }
@@ -828,7 +827,6 @@ func WithAddedCapabilities(caps []string) SpecOpts {
 &s.Process.Capabilities.Bounding,
 &s.Process.Capabilities.Effective,
 &s.Process.Capabilities.Permitted,
- &s.Process.Capabilities.Inheritable,
 } {
 if !capsContain(*cl, c) {
 *cl = append(*cl, c)
@@ -848,7 +846,6 @@ func WithDroppedCapabilities(caps []string) SpecOpts {
 &s.Process.Capabilities.Bounding,
 &s.Process.Capabilities.Effective,
 &s.Process.Capabilities.Permitted,
- &s.Process.Capabilities.Inheritable,
 } {
 removeCap(cl, c)
 }
@@ -863,7 +860,7 @@ func WithDroppedCapabilities(caps []string) SpecOpts {
 func WithAmbientCapabilities(caps []string) SpecOpts {
 return func(_ context.Context, _ Client, _ *containers.Container, s *Spec) error {
 setCapabilities(s)
-
+ s.Process.Capabilities.Inheritable = caps
 s.Process.Capabilities.Ambient = caps
 return nil
 }
diff --git a/vendor/github.com/containerd/containerd/remotes/docker/schema1/converter.go b/vendor/github.com/containerd/containerd/remotes/docker/schema1/converter.go
index 8314c01d5a6f..f15a9acf3e81 100644
--- a/vendor/github.com/containerd/containerd/remotes/docker/schema1/converter.go
+++ b/vendor/github.com/containerd/containerd/remotes/docker/schema1/converter.go
@@ -256,6 +256,9 @@ func (c *Converter) fetchManifest(ctx context.Context, desc ocispec.Descriptor)
 if err := json.Unmarshal(b, &m); err != nil {
 return err
 }
+ if len(m.Manifests) != 0 || len(m.Layers) != 0 {
+ return errors.New("converter: expected schema1 document but found extra keys")
+ }
 c.pulledManifest = &m
 
 return nil
@@ -472,8 +475,10 @@ type history struct {
 }
 
 type manifest struct {
- FSLayers []fsLayer `json:"fsLayers"`
- History []history `json:"history"`
+ FSLayers []fsLayer `json:"fsLayers"`
+ History []history `json:"history"`
+ Layers json.RawMessage `json:"layers,omitempty"` // OCI manifest
+ Manifests json.RawMessage `json:"manifests,omitempty"` // OCI index
 }
 
 type v1History struct {
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 4f99e5295e9e..02663f1a53ab 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -37,7 +37,7 @@ github.com/Microsoft/hcsshim/osversion
 github.com/containerd/cgroups/stats/v1
 # github.com/containerd/console v1.0.1
 github.com/containerd/console
-# github.com/containerd/containerd v1.4.1-0.20201117152358-0edc412565dc => github.com/AkihiroSuda/containerd v1.1.1-0.20210312044057-48f85a131bb8
+# github.com/containerd/containerd v1.4.1-0.20201117152358-0edc412565dc => github.com/moby/containerd v0.0.0-20220901192706-96c5ae04b678
 github.com/containerd/containerd
 github.com/containerd/containerd/api/services/containers/v1
 github.com/containerd/containerd/api/services/content/v1