From 4907b4d726d325ca7ecbc3c780adcb5e22198e10 Mon Sep 17 00:00:00 2001 From: Austin Vazquez Date: Mon, 24 Oct 2022 22:33:16 +0000 Subject: [PATCH 01/39] Migrate away from GitHub actions set-output Migrate from set-output call to write to new GITHUB_OUTPUT environment file. Signed-off-by: Austin Vazquez --- .github/workflows/release.yml | 2 +- .github/workflows/windows-periodic.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3626f6668..9b5c3d21c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -38,7 +38,7 @@ jobs: id: contentrel run: | RELEASEVER=${{ github.ref }} - echo "::set-output name=stringver::${RELEASEVER#refs/tags/v}" + echo "stringver=${RELEASEVER#refs/tags/v}" >> $GITHUB_OUTPUT git tag -l ${RELEASEVER#refs/tags/} -n20000 | tail -n +3 | cut -c 5- >release-notes.md working-directory: src/github.com/containerd/containerd diff --git a/.github/workflows/windows-periodic.yml b/.github/workflows/windows-periodic.yml index 3e375bf78..7134f9d57 100644 --- a/.github/workflows/windows-periodic.yml +++ b/.github/workflows/windows-periodic.yml @@ -217,8 +217,8 @@ jobs: - name: AssignGcpCreds id: AssignGcpCreds run: | - echo '::set-output name=GCP_SERVICE_ACCOUNT::${{ secrets.GCP_SERVICE_ACCOUNT }}' - echo '::set-output name=GCP_WORKLOAD_IDENTITY_PROVIDER::${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}' + echo 'GCP_SERVICE_ACCOUNT=${{ secrets.GCP_SERVICE_ACCOUNT }}' >> $GITHUB_OUTPUT + echo 'GCP_WORKLOAD_IDENTITY_PROVIDER=${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}' >> $GITHUB_OUTPUT - name: AuthGcp uses: google-github-actions/auth@v0 From 658490b78689d8404baffdf1e0020d4f2247d721 Mon Sep 17 00:00:00 2001 
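Review bot: `$GITHUB_OUTPUT` is left unquoted in the new redirect, `>> $GITHUB_OUTPUT`; the runner-supplied path contains no whitespace today, but the documented form is `>> "$GITHUB_OUTPUT"`, which also protects the step if that path ever changes. The same unquoted redirect appears on both new lines of the windows-periodic.yml hunk below. The `run:` block this line belongs to continues outside the hunk.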
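Review bot: The two new lines still splice `${{ secrets.GCP_SERVICE_ACCOUNT }}` and `${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}` directly into the script text; the single quotes only stop bash from expanding `$`, they do nothing about the expression substitution that happens before bash runs, so a secret value containing a quote would break the step and the secret becomes part of the script source. Passing the values through the step's `env:` block and referencing them as shell variables keeps them out of the script text and lets the shell do the quoting. Only the following `google-github-actions/auth@v0` step is visible as a consumer of these outputs, so whether anything else reads them cannot be judged from the hunk.

```yaml
- name: AssignGcpCreds
  id: AssignGcpCreds
  env:
    GCP_SERVICE_ACCOUNT: ${{ secrets.GCP_SERVICE_ACCOUNT }}
    GCP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
  run: |
    echo "GCP_SERVICE_ACCOUNT=$GCP_SERVICE_ACCOUNT" >> "$GITHUB_OUTPUT"
    echo "GCP_WORKLOAD_IDENTITY_PROVIDER=$GCP_WORKLOAD_IDENTITY_PROVIDER" >> "$GITHUB_OUTPUT"
```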
From: Gavin Inglis Date: Fri, 6 May 2022 22:26:21 +0000 Subject: [PATCH 02/39] ctr import: strictly match platform Currently, ctr import will use loose matching as defined by platforms.Only(), meaning in the case of platform linux/amd64 as in issue#6441, importing will also match linux/386 platform on the image-to-be-imported's index. However, that image-to-be-imported may not have both the linux/amd64 and linux/386 platform contents, resulting in a failure to unpack the image. This change makes that check strict such that the requested platform to import for is the only platform content imported. Both ctr pull and ctr export will treat the platform option as strict, so this change makes ctr import consistent with those. resolves #6441 Signed-off-by: Gavin Inglis (cherry picked from commit 2c98a7b099b00316c0331a91927e54f85d4ec187) Signed-off-by: Gavin Inglis --- cmd/ctr/commands/images/import.go | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/cmd/ctr/commands/images/import.go b/cmd/ctr/commands/images/import.go index bb5f2bee3..850b8a27c 100644 --- a/cmd/ctr/commands/images/import.go +++ b/cmd/ctr/commands/images/import.go @@ -89,9 +89,9 @@ If foobar.tar contains an OCI ref named "latest" and anonymous ref "sha256:deadb Action: func(context *cli.Context) error { var ( - in = context.Args().First() - opts []containerd.ImportOpt - platformMacher platforms.MatchComparer + in = context.Args().First() + opts []containerd.ImportOpt + platformMatcher platforms.MatchComparer ) prefix := context.String("base-name") 
@@ -126,8 +126,8 @@ If foobar.tar contains an OCI ref named "latest" and anonymous ref "sha256:deadb if err != nil { return err } - platformMacher = platforms.Only(platSpec) - opts = append(opts, containerd.WithImportPlatform(platformMacher)) + platformMatcher = platforms.OnlyStrict(platSpec) + opts = append(opts, containerd.WithImportPlatform(platformMatcher)) } opts = append(opts, containerd.WithAllPlatforms(context.Bool("all-platforms"))) @@ -160,10 +160,10 @@ If foobar.tar contains an OCI ref named "latest" and anonymous ref "sha256:deadb log.G(ctx).Debugf("unpacking %d images", len(imgs)) for _, img := range imgs { - if platformMacher == nil { // if platform not specified use default. - platformMacher = platforms.Default() + if platformMatcher == nil { // if platform not specified use default. + platformMatcher = platforms.Default() } - image := containerd.NewImageWithPlatform(client, img, platformMacher) + image := containerd.NewImageWithPlatform(client, img, platformMatcher) // TODO: Show unpack status fmt.Printf("unpacking %s (%s)...", img.Name, img.Target.Digest) From df73acad508a3877d6ff7f0e454e28a79c458c04 Mon Sep 17 00:00:00 2001 From: Kathryn Baldauf Date: Mon, 31 Oct 2022 16:49:08 -0700 Subject: [PATCH 03/39] [release/1.6] go.mod: Bump hcsshim to v0.9.5 Signed-off-by: Kathryn Baldauf --- go.mod | 2 +- go.sum | 4 ++-- integration/client/go.mod | 2 +- integration/client/go.sum | 4 ++-- vendor/github.com/Microsoft/hcsshim/internal/hcs/errors.go | 6 +++--- vendor/modules.txt | 2 +- 6 files changed, 10 insertions(+), 10 deletions(-) diff --git a/go.mod b/go.mod index 77f07d3ae..fb575324a 100644 --- a/go.mod +++ b/go.mod @@ -5,7 +5,7 @@ go 1.17 require ( github.com/AdaLogics/go-fuzz-headers v0.0.0-20210715213245-6c3934b029d8 github.com/Microsoft/go-winio v0.5.2 - github.com/Microsoft/hcsshim v0.9.4 + github.com/Microsoft/hcsshim v0.9.5 github.com/containerd/aufs v1.0.0 github.com/containerd/btrfs v1.0.0 github.com/containerd/cgroups v1.0.3 
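Review bot: The fallback `platformMatcher = platforms.Default()` inside the unpack loop keeps the loose matcher, so with no `--platform` flag an amd64 host may still consider linux/386 manifests, while the explicit-platform path a few lines earlier now uses `platforms.OnlyStrict`. If the goal stated in the commit message is consistency with pull and export, `platformMatcher = platforms.DefaultStrict()` would make the implicit default strict as well; if the loose default is intentional, a one-line comment saying so would stop the next reader from "fixing" it. The nil check is also loop-invariant and reads better hoisted above `for _, img := range imgs`. The enclosing Action closure begins and ends outside the hunk.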
diff --git a/go.sum b/go.sum index eefcc88f7..3e123f5ae 100644 --- a/go.sum +++ b/go.sum @@ -83,8 +83,8 @@ github.com/Microsoft/hcsshim v0.8.20/go.mod h1:+w2gRZ5ReXQhFOrvSQeNfhrYB/dg3oDwT github.com/Microsoft/hcsshim v0.8.21/go.mod h1:+w2gRZ5ReXQhFOrvSQeNfhrYB/dg3oDwTOcER2fw4I4= github.com/Microsoft/hcsshim v0.8.23/go.mod h1:4zegtUJth7lAvFyc6cH2gGQ5B3OFQim01nnU2M8jKDg= github.com/Microsoft/hcsshim v0.9.2/go.mod h1:7pLA8lDk46WKDWlVsENo92gC0XFa8rbKfyFRBqxEbCc= -github.com/Microsoft/hcsshim v0.9.4 h1:mnUj0ivWy6UzbB1uLFqKR6F+ZyiDc7j4iGgHTpO+5+I= -github.com/Microsoft/hcsshim v0.9.4/go.mod h1:7pLA8lDk46WKDWlVsENo92gC0XFa8rbKfyFRBqxEbCc= +github.com/Microsoft/hcsshim v0.9.5 h1:AbV+VPfTrIVffukazHcpxmz/sRiE6YaMDzHWR9BXZHo= +github.com/Microsoft/hcsshim v0.9.5/go.mod h1:7pLA8lDk46WKDWlVsENo92gC0XFa8rbKfyFRBqxEbCc= github.com/Microsoft/hcsshim/test v0.0.0-20201218223536-d3e5debf77da/go.mod h1:5hlzMzRKMLyo42nCZ9oml8AdTlq/0cvIaBv6tK1RehU= github.com/Microsoft/hcsshim/test v0.0.0-20210227013316-43a75bb4edd3/go.mod h1:mw7qgWloBUl75W/gVH3cQszUg1+gUITj7D6NY7ywVnY= github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= diff --git a/integration/client/go.mod b/integration/client/go.mod index f49dca653..179dd8c6f 100644 --- a/integration/client/go.mod +++ b/integration/client/go.mod @@ -3,7 +3,7 @@ module github.com/containerd/containerd/integration/client go 1.15 require ( - github.com/Microsoft/hcsshim v0.9.4 + github.com/Microsoft/hcsshim v0.9.5 github.com/Microsoft/hcsshim/test v0.0.0-20210408205431-da33ecd607e1 github.com/containerd/cgroups v1.0.3 // the actual version of containerd is replaced with the code at the root of this repository diff --git a/integration/client/go.sum b/integration/client/go.sum index 9ca7044a8..76c84a6df 100644 --- a/integration/client/go.sum +++ b/integration/client/go.sum 
@@ -55,8 +55,8 @@ github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v github.com/Microsoft/hcsshim v0.8.15/go.mod h1:x38A4YbHbdxJtc0sF6oIz+RG0npwSCAvn69iY6URG00= github.com/Microsoft/hcsshim v0.8.20/go.mod h1:+w2gRZ5ReXQhFOrvSQeNfhrYB/dg3oDwTOcER2fw4I4= github.com/Microsoft/hcsshim v0.9.2/go.mod h1:7pLA8lDk46WKDWlVsENo92gC0XFa8rbKfyFRBqxEbCc= -github.com/Microsoft/hcsshim v0.9.4 h1:mnUj0ivWy6UzbB1uLFqKR6F+ZyiDc7j4iGgHTpO+5+I= -github.com/Microsoft/hcsshim v0.9.4/go.mod h1:7pLA8lDk46WKDWlVsENo92gC0XFa8rbKfyFRBqxEbCc= +github.com/Microsoft/hcsshim v0.9.5 h1:AbV+VPfTrIVffukazHcpxmz/sRiE6YaMDzHWR9BXZHo= +github.com/Microsoft/hcsshim v0.9.5/go.mod h1:7pLA8lDk46WKDWlVsENo92gC0XFa8rbKfyFRBqxEbCc= github.com/Microsoft/hcsshim/test v0.0.0-20210408205431-da33ecd607e1 h1:pVKfKyPkXna29XlGjxSr9J0A7vNucOUHZ/2ClcTWalw= github.com/Microsoft/hcsshim/test v0.0.0-20210408205431-da33ecd607e1/go.mod h1:Cmvnhlie15Ha2UYrJs9EhgSx76Bq9RV2FgfEiT78GhI= github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= diff --git a/vendor/github.com/Microsoft/hcsshim/internal/hcs/errors.go b/vendor/github.com/Microsoft/hcsshim/internal/hcs/errors.go index e21354ffd..295d4b849 100644 --- a/vendor/github.com/Microsoft/hcsshim/internal/hcs/errors.go +++ b/vendor/github.com/Microsoft/hcsshim/internal/hcs/errors.go @@ -154,7 +154,7 @@ func (e *HcsError) Error() string { func (e *HcsError) Temporary() bool { err, ok := e.Err.(net.Error) - return ok && err.Temporary() + return ok && err.Temporary() //nolint:staticcheck } func (e *HcsError) Timeout() bool { @@ -193,7 +193,7 @@ func (e *SystemError) Error() string { func (e *SystemError) Temporary() bool { err, ok := e.Err.(net.Error) - return ok && err.Temporary() + return ok && err.Temporary() //nolint:staticcheck } func (e *SystemError) Timeout() bool { 
@@ -224,7 +224,7 @@ func (e *ProcessError) Error() string { func (e *ProcessError) Temporary() bool { err, ok := e.Err.(net.Error) - return ok && err.Temporary() + return ok && err.Temporary() //nolint:staticcheck } func (e *ProcessError) Timeout() bool { diff --git a/vendor/modules.txt b/vendor/modules.txt index e8bd4111c..d8e6a3a4d 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -11,7 +11,7 @@ github.com/Microsoft/go-winio/pkg/fs github.com/Microsoft/go-winio/pkg/guid github.com/Microsoft/go-winio/pkg/security github.com/Microsoft/go-winio/vhd -# github.com/Microsoft/hcsshim v0.9.4 +# github.com/Microsoft/hcsshim v0.9.5 ## explicit; go 1.13 github.com/Microsoft/hcsshim github.com/Microsoft/hcsshim/cmd/containerd-shim-runhcs-v1/options From 3f9f9508df849d5b41eae4f7fe5051554ba403f7 Mon Sep 17 00:00:00 2001 From: Yasin Turan Date: Tue, 1 Nov 2022 16:24:52 +0000 Subject: [PATCH 04/39] ctr export strictly match default platform Signed-off-by: Yasin Turan (cherry picked from commit 78ac0046a7af3ff5beeb53d56ba627ec0cf7b32d) Signed-off-by: Yasin Turan --- cmd/ctr/commands/images/export.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmd/ctr/commands/images/export.go b/cmd/ctr/commands/images/export.go index 0a1394cb0..5050ff4fd 100644 --- a/cmd/ctr/commands/images/export.go +++ b/cmd/ctr/commands/images/export.go @@ -80,7 +80,7 @@ When '--all-platforms' is given all images in a manifest list must be available. } exportOpts = append(exportOpts, archive.WithPlatform(platforms.Ordered(all...))) } else { - exportOpts = append(exportOpts, archive.WithPlatform(platforms.Default())) + exportOpts = append(exportOpts, archive.WithPlatform(platforms.DefaultStrict())) } if context.Bool("all-platforms") { From 303f608ddf06ec256507b1a78f89da769d3f384c Mon Sep 17 00:00:00 2001 
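Review bot: Switching the default to `platforms.DefaultStrict()` changes which manifests a plain `ctr images export` writes (compatible-but-different variants such as linux/386 on an amd64 host are no longer included), and nothing in the code or the visible usage text records why. A why-comment on the new line would help: `// Match the host platform strictly so compatible variants (e.g. linux/386 on amd64) are not pulled into the archive.` The command's help text about `--platform` should probably state the same, since this is a user-visible behaviour change. The enclosing function starts and ends outside the hunk.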
From: Sebastiaan van Stijn Date: Sat, 5 Nov 2022 18:00:59 +0100 Subject: [PATCH 05/39] [release/1.6] update to Go 1.18.8 to address CVE-2022-41716 On Windows, syscall.StartProcess and os/exec.Cmd did not properly check for invalid environment variable values. A malicious environment variable value could exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" set the variables "A=B" and "C=D". Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue. This is CVE-2022-41716 and Go issue https://go.dev/issue/56284. This Go release also fixes https://github.com/golang/go/issues/56309, a runtime bug which can cause random memory corruption when a goroutine exits with runtime.LockOSThread() set. This fix is necessary to unblock work to replace certain uses of pkg/reexec with unshared OS threads. Signed-off-by: Sebastiaan van Stijn --- .github/workflows/build-test-images.yml | 2 +- .github/workflows/ci.yml | 18 +++++++++--------- .github/workflows/codeql.yml | 2 +- .github/workflows/images.yml | 2 +- .github/workflows/nightly.yml | 4 ++-- .github/workflows/release.yml | 2 +- Vagrantfile | 2 +- contrib/Dockerfile.test | 2 +- script/setup/prepare_env_windows.ps1 | 2 +- 9 files changed, 18 insertions(+), 18 deletions(-) diff --git a/.github/workflows/build-test-images.yml b/.github/workflows/build-test-images.yml index d8c21fcfe..7818b7d73 100644 --- a/.github/workflows/build-test-images.yml +++ b/.github/workflows/build-test-images.yml @@ -39,7 +39,7 @@ jobs: steps: - uses: actions/setup-go@v2 with: - go-version: '1.18.7' + go-version: '1.18.8' - uses: actions/checkout@v2 with: diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4561eb2d9..317bc2abe 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -20,7 +20,7 @@ jobs: strategy: matrix: - go-version: [1.18.7] + go-version: [1.18.8] os: [ubuntu-18.04, macos-12, windows-2019] steps: 
@@ -46,7 +46,7 @@ jobs: steps: - uses: actions/setup-go@v2 with: - go-version: '1.18.7' + go-version: '1.18.8' - uses: actions/checkout@v2 with: @@ -78,7 +78,7 @@ jobs: steps: - uses: actions/setup-go@v2 with: - go-version: '1.18.7' + go-version: '1.18.8' - uses: actions/checkout@v2 with: @@ -110,7 +110,7 @@ jobs: steps: - uses: actions/setup-go@v2 with: - go-version: '1.18.7' + go-version: '1.18.8' - uses: actions/checkout@v2 - run: go install github.com/cpuguy83/go-md2man/v2@v2.0.1 - run: make man @@ -148,7 +148,7 @@ jobs: steps: - uses: actions/setup-go@v2 with: - go-version: '1.18.7' + go-version: '1.18.8' - uses: actions/checkout@v2 - run: | set -e -x @@ -215,7 +215,7 @@ jobs: strategy: matrix: os: [ubuntu-18.04, macos-12, windows-2019, windows-2022] - go-version: ['1.17.13', '1.18.7'] + go-version: ['1.17.13', '1.18.8'] steps: - uses: actions/setup-go@v2 @@ -262,7 +262,7 @@ jobs: steps: - uses: actions/setup-go@v2 with: - go-version: '1.18.7' + go-version: '1.18.8' - uses: actions/checkout@v2 with: @@ -352,7 +352,7 @@ jobs: steps: - uses: actions/setup-go@v2 with: - go-version: '1.18.7' + go-version: '1.18.8' - uses: actions/checkout@v2 @@ -475,7 +475,7 @@ jobs: steps: - uses: actions/setup-go@v2 with: - go-version: '1.18.7' + go-version: '1.18.8' - uses: actions/checkout@v2 - run: sudo -E PATH=$PATH script/setup/install-gotestsum - name: Tests diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index f3a12dcd0..5cdb1a801 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -26,7 +26,7 @@ jobs: - uses: actions/setup-go@v2 with: - go-version: 1.18.7 + go-version: 1.18.8 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/images.yml b/.github/workflows/images.yml index f497af083..32cdca34c 100644 --- a/.github/workflows/images.yml +++ b/.github/workflows/images.yml 
@@ -24,7 +24,7 @@ jobs: steps: - uses: actions/setup-go@v2 with: - go-version: '1.18.7' + go-version: '1.18.8' - uses: actions/checkout@v2 with: diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index f07184237..4fb7c70aa 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -18,7 +18,7 @@ jobs: steps: - uses: actions/setup-go@v2 with: - go-version: '1.18.7' + go-version: '1.18.8' - uses: actions/checkout@v2 with: @@ -155,7 +155,7 @@ jobs: steps: - uses: actions/setup-go@v2 with: - go-version: '1.18.7' + go-version: '1.18.8' - uses: actions/checkout@v2 with: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 9b5c3d21c..effb89daa 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -111,7 +111,7 @@ jobs: find ./releases/ -maxdepth 1 -type l | xargs rm working-directory: src/github.com/containerd/containerd env: - GO_VERSION: '1.18.7' + GO_VERSION: '1.18.8' PLATFORM: ${{ matrix.platform }} - name: Save Artifacts uses: actions/upload-artifact@v2 diff --git a/Vagrantfile b/Vagrantfile index 9f8259970..8e2dac146 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -91,7 +91,7 @@ EOF config.vm.provision "install-golang", type: "shell", run: "once" do |sh| sh.upload_path = "/tmp/vagrant-install-golang" sh.env = { - 'GO_VERSION': ENV['GO_VERSION'] || "1.18.7", + 'GO_VERSION': ENV['GO_VERSION'] || "1.18.8", } sh.inline = <<~SHELL #!/usr/bin/env bash diff --git a/contrib/Dockerfile.test b/contrib/Dockerfile.test index 3da88a82d..86e76fc43 100644 --- a/contrib/Dockerfile.test +++ b/contrib/Dockerfile.test @@ -10,7 +10,7 @@ # # docker build -t containerd-test --build-arg RUNC_VERSION=v1.0.0-rc94 -f Dockerfile.test ../ -ARG GOLANG_VERSION=1.18.7 +ARG GOLANG_VERSION=1.18.8 ARG GOLANG_IMAGE=golang FROM ${GOLANG_IMAGE}:${GOLANG_VERSION} AS golang diff --git a/script/setup/prepare_env_windows.ps1 b/script/setup/prepare_env_windows.ps1 index 412705a20..858969af5 100644 
--- a/script/setup/prepare_env_windows.ps1 +++ b/script/setup/prepare_env_windows.ps1 @@ -1,6 +1,6 @@ # Prepare windows environment for building and running containerd tests -$PACKAGES= @{ mingw = "10.2.0"; git = ""; golang = "1.18.7"; make = ""; nssm = "" } +$PACKAGES= @{ mingw = "10.2.0"; git = ""; golang = "1.18.8"; make = ""; nssm = "" } Write-Host "Downloading chocolatey package" curl.exe -L "https://packages.chocolatey.org/chocolatey.0.10.15.nupkg" -o 'c:\choco.zip' From 5af8d89cea78cb71dfb717b1c2819ee2563fa4cd Mon Sep 17 00:00:00 2001 From: Danny Canter Date: Mon, 31 Oct 2022 17:09:09 -0700 Subject: [PATCH 06/39] overlayutils: Add fastpath for userxattr check Cleaning up TODO's. If we're on >= 5.11 we need userxattr so check the kernel version to skip the manual check via mounting. It feels odd to use contrib/seccomp here but the alternative is pulling that kernel parsing code out into the main pkgs. Another is using the moby parser but that's in moby/moby which is also a dep we don't want here.. Signed-off-by: Danny Canter (cherry picked from commit 4b2a23e7ea4bd324aa345b4b5ffbba638d3b9d81) Signed-off-by: Danny Canter --- snapshots/overlay/overlayutils/check.go | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/snapshots/overlay/overlayutils/check.go b/snapshots/overlay/overlayutils/check.go index c5b93fc57..2faaea35f 100644 --- a/snapshots/overlay/overlayutils/check.go +++ b/snapshots/overlay/overlayutils/check.go @@ -24,6 +24,7 @@ import ( "os" "path/filepath" + kernel "github.com/containerd/containerd/contrib/seccomp/kernelversion" "github.com/containerd/containerd/log" "github.com/containerd/containerd/mount" "github.com/containerd/containerd/pkg/userns" 
@@ -113,10 +114,14 @@ func NeedsUserXAttr(d string) (bool, error) { return false, nil } - // TODO: add fast path for kernel >= 5.11 . + // Fast path on kernels >= 5.11 // - // Keep in mind that distro vendors might be going to backport the patch to older kernels. - // So we can't completely remove the check. + // Keep in mind that distro vendors might be going to backport the patch to older kernels + // so we can't completely remove the "slow path". + fiveDotEleven := kernel.KernelVersion{Kernel: 5, Major: 11} + if ok, err := kernel.GreaterEqualThan(fiveDotEleven); err == nil && ok { + return true, nil + } tdRoot := filepath.Join(d, "userxattr-check") if err := os.RemoveAll(tdRoot); err != nil { From e639ecd7c038cf19e371b7b4d7d3b6209f4feb8d Mon Sep 17 00:00:00 2001 From: Danny Canter Date: Fri, 11 Nov 2022 17:29:33 -0800 Subject: [PATCH 07/39] Prepare release notes for v1.6.10 Signed-off-by: Danny Canter --- releases/v1.6.10.toml | 22 ++++++++++++++++++++++ version/version.go | 2 +- 2 files changed, 23 insertions(+), 1 deletion(-) create mode 100644 releases/v1.6.10.toml diff --git a/releases/v1.6.10.toml b/releases/v1.6.10.toml new file mode 100644 index 000000000..3a89a6c6f --- /dev/null +++ b/releases/v1.6.10.toml 
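Review bot: The error from `kernel.GreaterEqualThan` is discarded on the new fast path: `err == nil && ok` silently falls through to the mount-based check whenever the kernel version cannot be read or parsed, so a persistent parse failure would cost the slow path on every call with nothing in the log. Falling back is the right behaviour, but the failure should be visible; `NeedsUserXAttr(d string)` has no context parameter, so `log.L.WithError(err).Debug(...)` from the already-imported log package is the available form. The rest of `NeedsUserXAttr` lies outside the hunk.

```go
	// Fast path on kernels >= 5.11
	// … unchanged: backport caveat comment …
	fiveDotEleven := kernel.KernelVersion{Kernel: 5, Major: 11}
	if ok, err := kernel.GreaterEqualThan(fiveDotEleven); err != nil {
		log.L.WithError(err).Debug("kernel version check failed, falling back to userxattr mount check")
	} else if ok {
		return true, nil
	}
	// … unchanged: mount-based userxattr check …
```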
@@ -0,0 +1,22 @@ +# commit to be tagged for new release +commit = "HEAD" + +project_name = "containerd" +github_repo = "containerd/containerd" +match_deps = "^github.com/(containerd/[a-zA-Z0-9-]+)$" + +# previous release +previous = "v1.6.9" + +pre_release = false + +preface = """\ +The tenth patch release for containerd 1.6 contains various fixes, including a CVE fix for Windows platforms. + +### Notable Updates + +* **Always check userxattr for overlay on kernels >= 5.11** ([#7646](https://github.com/containerd/containerd/pull/7646)) +* **Bump hcsshim to 0.9.5 to fix container shutdown bug on Windows** ([#7610](https://github.com/containerd/containerd/pull/7610) +* **Bump Go version to 1.18.8 to address CVE-2022-41716** ([#7634](https://github.com/containerd/containerd/pull/7634)) + +See the changelog for complete list of changes""" diff --git a/version/version.go b/version/version.go index 2e05f65bd..cf804ade4 100644 --- a/version/version.go +++ b/version/version.go @@ -23,7 +23,7 @@ var ( Package = "github.com/containerd/containerd" // Version holds the complete version number. Filled in at linking time. - Version = "1.6.9+unknown" + Version = "1.6.10+unknown" // Revision is filled with the VCS (e.g. git) revision being used to build // the program at linking time. From 8ec051a6b569f9e9d279c4c303ee83ccbfef75e5 Mon Sep 17 00:00:00 2001 
From: Sebastiaan van Stijn Date: Fri, 25 Nov 2022 15:10:45 +0100 Subject: [PATCH 08/39] [release/1.6] go.mod: use golang_protobuf_extensions v1.0.4 This module made a whoopsie, and updated to `google.golang.org/protobuf` in a patch release, but `google.golang.org/protobuf` is not backward compatible with `github.com/golang/protobuf`. Updating the minimum version to v1.0.4 which corrects this, to prevent users of containerd as a module from accidentally pulling in the wrong version: - v1.0.3 switched to use `google.golang.org/protobuf`; https://github.com/matttproud/golang_protobuf_extensions/compare/v1.0.2..v1.0.3 - This was reverted in v1.0.4 (which is the same as v1.0.2); https://github.com/matttproud/golang_protobuf_extensions/compare/v1.0.3..v1.0.4 - And a `v2` was created instead; https://github.com/matttproud/golang_protobuf_extensions/releases/tag/v2.0.0 Signed-off-by: Sebastiaan van Stijn --- go.mod | 2 +- go.sum | 3 ++- integration/client/go.sum | 1 + vendor/modules.txt | 2 +- 4 files changed, 5 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index fb575324a..63ec6282b 100644 --- a/go.mod +++ b/go.mod @@ -95,7 +95,7 @@ require ( github.com/grpc-ecosystem/grpc-gateway v1.16.0 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect github.com/json-iterator/go v1.1.12 // indirect - github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect + github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect github.com/miekg/pkcs11 v1.1.1 // indirect github.com/mistifyio/go-zfs v2.1.2-0.20190413222219-f784269be439+incompatible // indirect github.com/moby/spdystream v0.2.0 // indirect diff --git a/go.sum b/go.sum index 3e123f5ae..c9bc48fc5 100644 --- a/go.sum +++ b/go.sum 
@@ -623,8 +623,9 @@ github.com/mattn/go-shellwords v1.0.3/go.mod h1:3xCvwCdWdlDJUrvuMn7Wuy9eWs4pE8vq github.com/mattn/go-shellwords v1.0.6/go.mod h1:3xCvwCdWdlDJUrvuMn7Wuy9eWs4pE8vqg+NOMyg4B2o= github.com/mattn/go-shellwords v1.0.12/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= -github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 h1:I0XW9+e1XWDxdcEniV4rQAIOPUGDq67JSCiRCgGCZLI= github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= +github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo= +github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= github.com/maxbrunsfeld/counterfeiter/v6 v6.2.2/go.mod h1:eD9eIE7cdwcMi9rYluz88Jz2VyhSmden33/aXg4oVIY= github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= github.com/miekg/pkcs11 v1.0.3/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs= diff --git a/integration/client/go.sum b/integration/client/go.sum index 76c84a6df..ce783e99d 100644 --- a/integration/client/go.sum +++ b/integration/client/go.sum 
@@ -422,6 +422,7 @@ github.com/mattn/go-shellwords v1.0.6/go.mod h1:3xCvwCdWdlDJUrvuMn7Wuy9eWs4pE8vq github.com/mattn/go-shellwords v1.0.12/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= +github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= github.com/maxbrunsfeld/counterfeiter/v6 v6.2.2/go.mod h1:eD9eIE7cdwcMi9rYluz88Jz2VyhSmden33/aXg4oVIY= github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= github.com/miekg/pkcs11 v1.1.1/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs= diff --git a/vendor/modules.txt b/vendor/modules.txt index d8e6a3a4d..e5a3ce449 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -288,7 +288,7 @@ github.com/klauspost/compress/huff0 github.com/klauspost/compress/snappy github.com/klauspost/compress/zstd github.com/klauspost/compress/zstd/internal/xxhash -# github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 +# github.com/matttproud/golang_protobuf_extensions v1.0.4 ## explicit; go 1.9 github.com/matttproud/golang_protobuf_extensions/pbutil # github.com/miekg/pkcs11 v1.1.1 From 56593cca5905218bd622b60de36b4c74ab76f7db Mon Sep 17 00:00:00 2001 From: Qasim Sarfraz Date: Fri, 18 Nov 2022 17:35:18 +0100 Subject: [PATCH 09/39] cri: add pod uid annotation Signed-off-by: Qasim Sarfraz (cherry picked from commit 0c4d32c131058480a310241f3b1d329f7829e305) 
Signed-off-by: Qasim Sarfraz --- pkg/cri/annotations/annotations.go | 5 +++++ pkg/cri/server/container_create_linux.go | 1 + pkg/cri/server/container_create_linux_test.go | 3 +++ pkg/cri/server/container_create_windows.go | 1 + pkg/cri/server/container_create_windows_test.go | 3 +++ pkg/cri/server/sandbox_run_linux.go | 1 + pkg/cri/server/sandbox_run_linux_test.go | 3 +++ pkg/cri/server/sandbox_run_windows.go | 1 + pkg/cri/server/sandbox_run_windows_test.go | 3 +++ 9 files changed, 21 insertions(+) diff --git a/pkg/cri/annotations/annotations.go b/pkg/cri/annotations/annotations.go index 181eb05c7..59624b52f 100644 --- a/pkg/cri/annotations/annotations.go +++ b/pkg/cri/annotations/annotations.go @@ -58,6 +58,11 @@ const ( // SandboxNamespace is the name of the namespace of the sandbox (pod) SandboxNamespace = "io.kubernetes.cri.sandbox-namespace" + // SandboxUID is the uid of the sandbox (pod) passed to CRI via RunPodSanbox, + // this field is useful for linking the uid created by the CRI client (e.g. kubelet) + // to the internal Sandbox.ID created by the containerd sandbox service + SandboxUID = "io.kubernetes.cri.sandbox-uid" + // SandboxName is the name of the sandbox (pod) SandboxName = "io.kubernetes.cri.sandbox-name" diff --git a/pkg/cri/server/container_create_linux.go b/pkg/cri/server/container_create_linux.go index 8fb41e210..c9851b175 100644 --- a/pkg/cri/server/container_create_linux.go +++ b/pkg/cri/server/container_create_linux.go 
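Review bot: The doc comment on the new `SandboxUID` constant misspells the CRI RPC as `RunPodSanbox`; the first line should read `// SandboxUID is the uid of the sandbox (pod) passed to CRI via RunPodSandbox,`. It would also help consumers to say that, as the server hunks below show, the value is copied verbatim from the client-supplied `GetMetadata().GetUid()` and, as far as these hunks show, not validated, so it should be treated like `SandboxName` and `SandboxNamespace`: a label for correlation, not an identity to authorise on.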
@@ -301,6 +301,7 @@ func (c *criService) containerSpec( customopts.WithAnnotation(annotations.ContainerType, annotations.ContainerTypeContainer), customopts.WithAnnotation(annotations.SandboxID, sandboxID), customopts.WithAnnotation(annotations.SandboxNamespace, sandboxConfig.GetMetadata().GetNamespace()), + customopts.WithAnnotation(annotations.SandboxUID, sandboxConfig.GetMetadata().GetUid()), customopts.WithAnnotation(annotations.SandboxName, sandboxConfig.GetMetadata().GetName()), customopts.WithAnnotation(annotations.ContainerName, containerName), customopts.WithAnnotation(annotations.ImageName, imageName), diff --git a/pkg/cri/server/container_create_linux_test.go b/pkg/cri/server/container_create_linux_test.go index b000616ad..9b1463455 100644 --- a/pkg/cri/server/container_create_linux_test.go +++ b/pkg/cri/server/container_create_linux_test.go @@ -179,6 +179,9 @@ func getCreateContainerTestData() (*runtime.ContainerConfig, *runtime.PodSandbox assert.Contains(t, spec.Annotations, annotations.SandboxNamespace) assert.EqualValues(t, spec.Annotations[annotations.SandboxNamespace], "test-sandbox-ns") + assert.Contains(t, spec.Annotations, annotations.SandboxUID) + assert.EqualValues(t, spec.Annotations[annotations.SandboxUID], "test-sandbox-uid") + assert.Contains(t, spec.Annotations, annotations.SandboxName) assert.EqualValues(t, spec.Annotations[annotations.SandboxName], "test-sandbox-name") diff --git a/pkg/cri/server/container_create_windows.go b/pkg/cri/server/container_create_windows.go index 05c2b8771..6a18952cc 100644 --- a/pkg/cri/server/container_create_windows.go +++ b/pkg/cri/server/container_create_windows.go 
@@ -128,6 +128,7 @@ func (c *criService) containerSpec( customopts.WithAnnotation(annotations.ContainerType, annotations.ContainerTypeContainer), customopts.WithAnnotation(annotations.SandboxID, sandboxID), customopts.WithAnnotation(annotations.SandboxNamespace, sandboxConfig.GetMetadata().GetNamespace()), + customopts.WithAnnotation(annotations.SandboxUID, sandboxConfig.GetMetadata().GetUid()), customopts.WithAnnotation(annotations.SandboxName, sandboxConfig.GetMetadata().GetName()), customopts.WithAnnotation(annotations.ContainerName, containerName), customopts.WithAnnotation(annotations.ImageName, imageName), diff --git a/pkg/cri/server/container_create_windows_test.go b/pkg/cri/server/container_create_windows_test.go index 476d14b7f..684d45bf5 100644 --- a/pkg/cri/server/container_create_windows_test.go +++ b/pkg/cri/server/container_create_windows_test.go @@ -130,6 +130,9 @@ func getCreateContainerTestData() (*runtime.ContainerConfig, *runtime.PodSandbox assert.Contains(t, spec.Annotations, annotations.SandboxNamespace) assert.EqualValues(t, spec.Annotations[annotations.SandboxNamespace], "test-sandbox-ns") + assert.Contains(t, spec.Annotations, annotations.SandboxUID) + assert.EqualValues(t, spec.Annotations[annotations.SandboxUID], "test-sandbox-uid") + assert.Contains(t, spec.Annotations, annotations.SandboxName) assert.EqualValues(t, spec.Annotations[annotations.SandboxName], "test-sandbox-name") diff --git a/pkg/cri/server/sandbox_run_linux.go b/pkg/cri/server/sandbox_run_linux.go index 63e60d59c..577d25e05 100644 --- a/pkg/cri/server/sandbox_run_linux.go +++ b/pkg/cri/server/sandbox_run_linux.go 
@@ -175,6 +175,7 @@ func (c *criService) sandboxContainerSpec(id string, config *runtime.PodSandboxC customopts.WithAnnotation(annotations.ContainerType, annotations.ContainerTypeSandbox), customopts.WithAnnotation(annotations.SandboxID, id), customopts.WithAnnotation(annotations.SandboxNamespace, config.GetMetadata().GetNamespace()), + customopts.WithAnnotation(annotations.SandboxUID, config.GetMetadata().GetUid()), customopts.WithAnnotation(annotations.SandboxName, config.GetMetadata().GetName()), customopts.WithAnnotation(annotations.SandboxLogDir, config.GetLogDirectory()), ) diff --git a/pkg/cri/server/sandbox_run_linux_test.go b/pkg/cri/server/sandbox_run_linux_test.go index 22509b379..6bb2f07a7 100644 --- a/pkg/cri/server/sandbox_run_linux_test.go +++ b/pkg/cri/server/sandbox_run_linux_test.go @@ -78,6 +78,9 @@ func getRunPodSandboxTestData() (*runtime.PodSandboxConfig, *imagespec.ImageConf assert.Contains(t, spec.Annotations, annotations.SandboxNamespace) assert.EqualValues(t, spec.Annotations[annotations.SandboxNamespace], "test-ns") + assert.Contains(t, spec.Annotations, annotations.SandboxUID) + assert.EqualValues(t, spec.Annotations[annotations.SandboxUID], "test-uid") + assert.Contains(t, spec.Annotations, annotations.SandboxName) assert.EqualValues(t, spec.Annotations[annotations.SandboxName], "test-name") diff --git a/pkg/cri/server/sandbox_run_windows.go b/pkg/cri/server/sandbox_run_windows.go index 1a103db1e..10c8e5c57 100644 --- a/pkg/cri/server/sandbox_run_windows.go +++ b/pkg/cri/server/sandbox_run_windows.go 
@@ -84,6 +84,7 @@ func (c *criService) sandboxContainerSpec(id string, config *runtime.PodSandboxC customopts.WithAnnotation(annotations.ContainerType, annotations.ContainerTypeSandbox), customopts.WithAnnotation(annotations.SandboxID, id), customopts.WithAnnotation(annotations.SandboxNamespace, config.GetMetadata().GetNamespace()), + customopts.WithAnnotation(annotations.SandboxUID, config.GetMetadata().GetUid()), customopts.WithAnnotation(annotations.SandboxName, config.GetMetadata().GetName()), customopts.WithAnnotation(annotations.SandboxLogDir, config.GetLogDirectory()), customopts.WithAnnotation(annotations.WindowsHostProcess, strconv.FormatBool(config.GetWindows().GetSecurityContext().GetHostProcess())), diff --git a/pkg/cri/server/sandbox_run_windows_test.go b/pkg/cri/server/sandbox_run_windows_test.go index 475beefe3..358f2eacb 100644 --- a/pkg/cri/server/sandbox_run_windows_test.go +++ b/pkg/cri/server/sandbox_run_windows_test.go @@ -80,6 +80,9 @@ func getRunPodSandboxTestData() (*runtime.PodSandboxConfig, *imagespec.ImageConf assert.Contains(t, spec.Annotations, annotations.SandboxNamespace) assert.EqualValues(t, spec.Annotations[annotations.SandboxNamespace], "test-ns") + assert.Contains(t, spec.Annotations, annotations.SandboxUID) + assert.EqualValues(t, spec.Annotations[annotations.SandboxUID], "test-uid") + assert.Contains(t, spec.Annotations, annotations.SandboxName) assert.EqualValues(t, spec.Annotations[annotations.SandboxName], "test-name") From 9fdf713e5c7c12759fca07ba8781f271e999768b Mon Sep 17 00:00:00 2001 From: Kirtana Ashok Date: Wed, 23 Nov 2022 17:04:57 -0800 Subject: [PATCH 10/39] Added nullptr checks to pkg/cri/server and sbserver Signed-off-by: Kirtana Ashok (cherry picked from commit 08d5879f3215e6484a82d39633bd5d57228202dc) 
Signed-off-by: Kirtana Ashok --- .../sandbox_clean_remove_windows_test.go | 179 ++++++++++++++++++ pkg/cri/server/helpers.go | 4 + 2 files changed, 183 insertions(+) create mode 100644 integration/sandbox_clean_remove_windows_test.go diff --git a/integration/sandbox_clean_remove_windows_test.go b/integration/sandbox_clean_remove_windows_test.go new file mode 100644 index 000000000..af8950e17 --- /dev/null +++ b/integration/sandbox_clean_remove_windows_test.go 
@@ -0,0 +1,179 @@ +//go:build windows +// +build windows + +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package integration + +import ( + "context" + "fmt" + "strconv" + "testing" + + "github.com/Microsoft/hcsshim/osversion" + "github.com/stretchr/testify/require" + "golang.org/x/sys/windows/registry" + runtime "k8s.io/cri-api/pkg/apis/runtime/v1" +) + +// Returns what nanoserver image version to use according to the build number +func getTestImage() (string, error) { + k, err := registry.OpenKey(registry.LOCAL_MACHINE, `SOFTWARE\Microsoft\Windows NT\CurrentVersion`, registry.QUERY_VALUE) + if err != nil { + return "", err + } + defer k.Close() + + b, _, _ := k.GetStringValue("CurrentBuild") + buildNum, _ := strconv.Atoi(b) + + switch buildNum { + case osversion.RS1: + return "mcr.microsoft.com/windows/nanoserver:sac2016", nil + case osversion.RS3: + return "mcr.microsoft.com/windows/nanoserver:1709", nil + case osversion.RS4: + return "mcr.microsoft.com/windows/nanoserver:1803", nil + case osversion.RS5: + return "mcr.microsoft.com/windows/nanoserver:1809", nil + case osversion.V19H1: + return "mcr.microsoft.com/windows/nanoserver:1903", nil + case osversion.V19H2: + return "mcr.microsoft.com/windows/nanoserver:1909", nil + case osversion.V20H1: + return "mcr.microsoft.com/windows/nanoserver:2004", nil + case osversion.V20H2: + return "mcr.microsoft.com/windows/nanoserver:20H2", nil + case osversion.V21H2Server: + return 
"mcr.microsoft.com/windows/nanoserver:ltsc2022", nil + default: + // Due to some efforts in improving down-level compatibility for Windows containers (see + // https://techcommunity.microsoft.com/t5/containers/windows-server-2022-and-beyond-for-containers/ba-p/2712487) + // the ltsc2022 image should continue to work on builds ws2022 and onwards (Windows 11 for example). With this in mind, + // if there's no mapping for the host build just use the Windows Server 2022 image. + if buildNum > osversion.V21H2Server { + return "mcr.microsoft.com/windows/nanoserver:ltsc2022", nil + } + return "", fmt.Errorf("No test image defined for Windows build version: %s", b) + } +} + +func removePodSandbox(ctx context.Context, t *testing.T, client runtime.RuntimeServiceClient, podID string) { + t.Helper() + _, err := client.RemovePodSandbox(ctx, &runtime.RemovePodSandboxRequest{ + PodSandboxId: podID, + }) + require.NoError(t, err, "failed RemovePodSandbox for sandbox: %s", podID) +} + +func stopPodSandbox(ctx context.Context, t *testing.T, client runtime.RuntimeServiceClient, podID string) { + t.Helper() + _, err := client.StopPodSandbox(ctx, &runtime.StopPodSandboxRequest{ + PodSandboxId: podID, + }) + require.NoError(t, err, "failed StopPodSandbox for sandbox: %s", podID) +} + +func stopContainer(ctx context.Context, t *testing.T, client runtime.RuntimeServiceClient, containerID string) { + t.Helper() + _, err := client.StopContainer(ctx, &runtime.StopContainerRequest{ + ContainerId: containerID, + Timeout: 0, + }) + require.NoError(t, err, "failed StopContainer request for container: %s", containerID) +} + +func startContainer(ctx context.Context, t *testing.T, client runtime.RuntimeServiceClient, containerID string) { + t.Helper() + _, err := client.StartContainer(ctx, &runtime.StartContainerRequest{ + ContainerId: containerID, + }) + require.NoError(t, err, "failed StartContainer request for container: %s", containerID) +} + +func removeContainer(ctx context.Context, t 
*testing.T, client runtime.RuntimeServiceClient, containerID string) { + t.Helper() + _, err := client.RemoveContainer(ctx, &runtime.RemoveContainerRequest{ + ContainerId: containerID, + }) + require.NoError(t, err, "failed RemoveContainer request for container: %s", containerID) +} + +// This test checks if create/stop and remove pods and containers work as expected +func TestCreateContainer(t *testing.T) { + testImage, err := getTestImage() + if err != nil { + t.Skip("skipping test, error: ", err) + } + client, err := RawRuntimeClient() + require.NoError(t, err, "failed to get raw grpc runtime service client") + ctx, cancel := context.WithCancel(context.Background()) + t.Cleanup(func() { cancel() }) + + t.Log("Create a pod sandbox") + sbConfig := &runtime.PodSandboxConfig{ + Metadata: &runtime.PodSandboxMetadata{ + Name: t.Name(), + }, + } + sandboxRequest := &runtime.RunPodSandboxRequest{ + Config: sbConfig, + RuntimeHandler: "runhcs-wcow-process", + } + sandBoxResponse, err := client.RunPodSandbox(ctx, sandboxRequest) + require.NoError(t, err, "failed RunPodSandbox request") + // Make sure the sandbox is cleaned up. 
+ t.Cleanup(func() { removePodSandbox(ctx, t, client, sandBoxResponse.PodSandboxId) }) + t.Cleanup(func() { stopPodSandbox(ctx, t, client, sandBoxResponse.PodSandboxId) }) + + EnsureImageExists(t, testImage) + + t.Log("Create a container") + createCtrRequest := &runtime.CreateContainerRequest{ + Config: &runtime.ContainerConfig{ + Metadata: &runtime.ContainerMetadata{ + Name: t.Name() + "-CreateContainerTest", + }, + Image: &runtime.ImageSpec{ + Image: testImage, + }, + Command: []string{ + "cmd", + "/c", + "ping", + "-t", + "127.0.0.1", + }, + Windows: &runtime.WindowsContainerConfig{ + Resources: &runtime.WindowsContainerResources{ + CpuShares: 500, + }, + }, + }, + PodSandboxId: sandBoxResponse.PodSandboxId, + SandboxConfig: sandboxRequest.Config, + } + + createCtrResponse, err := client.CreateContainer(ctx, createCtrRequest) + require.NoError(t, err, "failed CreateContainer request in sandbox: %s", sandBoxResponse.PodSandboxId) + // Make sure the container is cleaned up. + t.Cleanup(func() { removeContainer(ctx, t, client, createCtrResponse.ContainerId) }) + + startContainer(ctx, t, client, createCtrResponse.ContainerId) + stopContainer(ctx, t, client, createCtrResponse.ContainerId) +} diff --git a/pkg/cri/server/helpers.go b/pkg/cri/server/helpers.go index a8498116d..f5a778189 100644 --- a/pkg/cri/server/helpers.go +++ b/pkg/cri/server/helpers.go @@ -494,7 +494,11 @@ func copyResourcesToStatus(spec *runtimespec.Spec, status containerstore.Status) if spec.Windows.Resources.CPU != nil { if spec.Windows.Resources.CPU.Shares != nil { status.Resources.Windows.CpuShares = int64(*spec.Windows.Resources.CPU.Shares) + } + if spec.Windows.Resources.CPU.Count != nil { status.Resources.Windows.CpuCount = int64(*spec.Windows.Resources.CPU.Count) + } + if spec.Windows.Resources.CPU.Maximum != nil { status.Resources.Windows.CpuMaximum = int64(*spec.Windows.Resources.CPU.Maximum) } } From 15b5412387b73ffc660ce7d37f025cb4bedeeed2 Mon Sep 17 00:00:00 2001 
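Review bot: getTestImage drops the errors from `k.GetStringValue("CurrentBuild")` and `strconv.Atoi(b)`, so a missing or non-numeric registry value silently becomes buildNum 0 and the caller's t.Skip reports the generic "No test image defined" message rather than the actual cause. Returning both errors keeps the skip reason honest; while there, the default-branch error string should be lowercase per Go convention, `fmt.Errorf("no test image defined for Windows build version: %s", b)`. The cleanup registration order in TestCreateContainer (remove registered before stop, so LIFO runs stop first) is correct and worth a one-line comment, e.g. `// t.Cleanup runs LIFO: stop the sandbox before removing it.`
```go
func getTestImage() (string, error) {
	// … unchanged: registry.OpenKey and deferred k.Close() …
	b, _, err := k.GetStringValue("CurrentBuild")
	if err != nil {
		return "", fmt.Errorf("reading CurrentBuild from the registry: %w", err)
	}
	buildNum, err := strconv.Atoi(b)
	if err != nil {
		return "", fmt.Errorf("parsing CurrentBuild %q: %w", b, err)
	}
	// … unchanged: switch on buildNum …
```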
From: Austin Vazquez
Date: Sat, 19 Nov 2022 09:55:01 +0000
Subject: [PATCH 11/39] Fix order of operations when setting lease labels

Fixes an edge case where `WithLabels` would overwrite `WithExpiration` on a lease when using client options.

(cherry picked from commit c4dee237f57a7f7895aaaf32cae6ab312019014a)
Signed-off-by: Austin Vazquez
---
 leases/lease.go      |  9 +++--
 leases/lease_test.go | 83 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 90 insertions(+), 2 deletions(-)
 create mode 100644 leases/lease_test.go

diff --git a/leases/lease.go b/leases/lease.go
index 058d06559..fc0ca3491 100644
--- a/leases/lease.go
+++ b/leases/lease.go
@@ -65,10 +65,15 @@ func SynchronousDelete(ctx context.Context, o *DeleteOptions) error {
 	return nil
 }
 
-// WithLabels sets labels on a lease
+// WithLabels merges labels on a lease
 func WithLabels(labels map[string]string) Opt {
 	return func(l *Lease) error {
-		l.Labels = labels
+		if l.Labels == nil {
+			l.Labels = map[string]string{}
+		}
+		for k, v := range labels {
+			l.Labels[k] = v
+		}
 		return nil
 	}
 }
diff --git a/leases/lease_test.go b/leases/lease_test.go
new file mode 100644
index 000000000..2c92e697b
--- /dev/null
+++ b/leases/lease_test.go
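Review bot: The new doc comment `// WithLabels merges labels on a lease` does not say which side wins when a key is already present, nor that the lease's existing map is now mutated in place rather than replaced; both matter to a caller combining WithLabels with other options such as WithExpiration. Suggest `// WithLabels merges the given labels into the lease's labels, overwriting any existing value for the same key. A nil label map on the lease is initialized first.` The merge loop itself looks correct.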
@@ -0,0 +1,83 @@ +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package leases + +import ( + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" +) + +func TestWithLabels(t *testing.T) { + type unitTest struct { + name string + uut *Lease + labels map[string]string + expected map[string]string + } + + addLabelsToEmptyMap := &unitTest{ + name: "AddLabelsToEmptyMap", + uut: &Lease{}, + labels: map[string]string{ + "containerd.io/gc.root": "2015-12-04T00:00:00Z", + }, + expected: map[string]string{ + "containerd.io/gc.root": "2015-12-04T00:00:00Z", + }, + } + + addLabelsToNonEmptyMap := &unitTest{ + name: "AddLabelsToNonEmptyMap", + uut: &Lease{ + Labels: map[string]string{ + "containerd.io/gc.expire": "2015-12-05T00:00:00Z", + }, + }, + labels: map[string]string{ + "containerd.io/gc.root": "2015-12-04T00:00:00Z", + "containerd.io/gc.ref.snapshot.overlayfs": "sha256:87806a591ce894ff5c699c28fe02093d6cdadd6b1ad86819acea05ccb212ff3d", + }, + expected: map[string]string{ + "containerd.io/gc.root": "2015-12-04T00:00:00Z", + "containerd.io/gc.ref.snapshot.overlayfs": "sha256:87806a591ce894ff5c699c28fe02093d6cdadd6b1ad86819acea05ccb212ff3d", + "containerd.io/gc.expire": "2015-12-05T00:00:00Z", + }, + } + + testcases := []*unitTest{ + addLabelsToEmptyMap, + addLabelsToNonEmptyMap, + } + + for _, testcase := range testcases { + testcase := testcase + + t.Run(testcase.name, func(t *testing.T) { + f := 
WithLabels(testcase.labels) + + err := f(testcase.uut) + require.NoError(t, err) + + for k, v := range testcase.expected { + assert.Contains(t, testcase.uut.Labels, k) + assert.Equal(t, v, testcase.uut.Labels[k]) + } + }) + } +} From bb96b21e59dcc92b7ed116447dfe17317c3597a8 Mon Sep 17 00:00:00 2001 From: cosmoer Date: Sat, 23 Jul 2022 23:57:53 +0800 Subject: [PATCH 12/39] fix: support simultaneous create diff for same parent snapshot MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Qian Zhang (cherry picked from commit 344431cdd48ec19b73fdc5d36f056eb7bee5154b) Signed-off-by: Paweł Gronowski --- rootfs/diff.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rootfs/diff.go b/rootfs/diff.go index f396c73ab..226cebccf 100644 --- a/rootfs/diff.go +++ b/rootfs/diff.go @@ -44,7 +44,7 @@ func CreateDiff(ctx context.Context, snapshotID string, sn snapshots.Snapshotter return ocispec.Descriptor{}, err } - lowerKey := fmt.Sprintf("%s-parent-view", info.Parent) + lowerKey := fmt.Sprintf("%s-parent-view-%s", info.Parent, uniquePart()) lower, err := sn.View(ctx, lowerKey, info.Parent) if err != nil { return ocispec.Descriptor{}, err @@ -58,7 +58,7 @@ func CreateDiff(ctx context.Context, snapshotID string, sn snapshots.Snapshotter return ocispec.Descriptor{}, err } } else { - upperKey := fmt.Sprintf("%s-view", snapshotID) + upperKey := fmt.Sprintf("%s-view-%s", snapshotID, uniquePart()) upper, err = sn.View(ctx, upperKey, snapshotID) if err != nil { return ocispec.Descriptor{}, err From 3d24d97ba0487f3279a3c2d05e99ae190a7f95a9 Mon Sep 17 00:00:00 2001 From: Derek McGowan Date: Thu, 1 Dec 2022 15:58:02 -0800 Subject: [PATCH 13/39] Prepare release notes for v1.6.11 Signed-off-by: Derek McGowan --- releases/v1.6.11.toml | 22 ++++++++++++++++++++++ version/version.go | 2 +- 2 files changed, 23 insertions(+), 1 deletion(-) create mode 100644 releases/v1.6.11.toml 
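Review bot: The assertion loop at the end of TestWithLabels only checks that each expected key is present with the expected value, so an unexpected extra label or a wrongly dropped one in `uut.Labels` would not fail the test. Replacing the loop with `assert.Equal(t, testcase.expected, testcase.uut.Labels)` pins the whole resulting map and still covers the point of the second case, that the pre-existing gc.expire label survives the merge.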
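Review bot: The new view keys depend on `uniquePart()`, which is not defined in this hunk (presumably elsewhere in the rootfs package), and the `sn.Remove` that cleans the view up lies outside both hunks. Before this change a stale view left behind by a failed removal collided with the next CreateDiff on the same parent and surfaced as an error; with a randomized suffix such leftovers accumulate silently, so it is worth confirming the deferred removal still runs on every exit path. The same applies to the second hunk at -58 (`upperKey`). A why-comment would help the next reader: `// Random suffix so that concurrent CreateDiff calls on the same parent do not race on one view name.`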
diff --git a/releases/v1.6.11.toml b/releases/v1.6.11.toml new file mode 100644 index 000000000..a852e9602 --- /dev/null +++ b/releases/v1.6.11.toml @@ -0,0 +1,22 @@ +# commit to be tagged for new release +commit = "HEAD" + +project_name = "containerd" +github_repo = "containerd/containerd" +match_deps = "^github.com/(containerd/[a-zA-Z0-9-]+)$" + +# previous release +previous = "v1.6.10" + +pre_release = false + +preface = """\ +The eleventh patch release for containerd 1.6 contains a various fixes and updates. + +### Notable Updates +* **Add pod UID annotation in CRI plugin** ([#7735](https://github.com/containerd/containerd/pull/7735)) +* **Fix nil pointer deference for Windows containers in CRI plugin** ([#7737](https://github.com/containerd/containerd/pull/7737)) +* **Fix lease labels unexpectedly overwriting expiration** ([#7745](https://github.com/containerd/containerd/pull/7745)) +* **Fix for simultaneous diff creation using the same parent snapshot** ([#7756](https://github.com/containerd/containerd/pull/7756)) + +See the changelog for complete list of changes""" diff --git a/version/version.go b/version/version.go index cf804ade4..476c6c4b2 100644 --- a/version/version.go +++ b/version/version.go @@ -23,7 +23,7 @@ var ( Package = "github.com/containerd/containerd" // Version holds the complete version number. Filled in at linking time. - Version = "1.6.10+unknown" + Version = "1.6.11+unknown" // Revision is filled with the VCS (e.g. git) revision being used to build // the program at linking time. From 9743dbae8b442527647a387b61f5fe52742992c6 Mon Sep 17 00:00:00 2001 
From: Sebastiaan van Stijn Date: Tue, 6 Dec 2022 22:54:16 +0100 Subject: [PATCH 14/39] [release/1.6] update to go1.18.9 Includes security fixes for net/http (CVE-2022-41717, CVE-2022-41720), and os (CVE-2022-41720). These minor releases include 2 security fixes following the security policy: - os, net/http: avoid escapes from os.DirFS and http.Dir on Windows The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permitted access to Windows device files under that root. For example, os.DirFS("C:/tmp").Open("COM1") would open the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access. In addition, on Windows, an os.DirFS for the directory \(the root of the current drive) can permit a maliciously crafted path to escape from the drive and access any path on the system. The behavior of os.DirFS("") has changed. Previously, an empty root was treated equivalently to "/", so os.DirFS("").Open("tmp") would open the path "/tmp". This now returns an error. This is CVE-2022-41720 and Go issue https://go.dev/issue/56694. - net/http: limit canonical header cache by bytes, not entries An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection. This issue is also fixed in golang.org/x/net/http2 vX.Y.Z, for users manually configuring HTTP/2. Thanks to Josselin Costanzi for reporting this issue. This is CVE-2022-41717 and Go issue https://go.dev/issue/56350. 
View the release notes for more information: https://go.dev/doc/devel/release#go1.18.9 And the milestone on the issue tracker: https://github.com/golang/go/issues?q=milestone%3AGo1.18.9+label%3ACherryPickApproved Full diff: https://github.com/golang/go/compare/go1.18.8...go1.18.9 The golang.org/x/net fix is in https://github.com/golang/net/commit/1e63c2f08a10a150fa02c50ece89b340ae64efe4 Signed-off-by: Sebastiaan van Stijn --- .github/workflows/build-test-images.yml | 2 +- .github/workflows/ci.yml | 18 +++++++++--------- .github/workflows/codeql.yml | 2 +- .github/workflows/images.yml | 2 +- .github/workflows/nightly.yml | 4 ++-- .github/workflows/release.yml | 2 +- Vagrantfile | 2 +- contrib/Dockerfile.test | 2 +- script/setup/prepare_env_windows.ps1 | 2 +- 9 files changed, 18 insertions(+), 18 deletions(-) diff --git a/.github/workflows/build-test-images.yml b/.github/workflows/build-test-images.yml index 7818b7d73..909795a61 100644 --- a/.github/workflows/build-test-images.yml +++ b/.github/workflows/build-test-images.yml @@ -39,7 +39,7 @@ jobs: steps: - uses: actions/setup-go@v2 with: - go-version: '1.18.8' + go-version: '1.18.9' - uses: actions/checkout@v2 with: diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 317bc2abe..5f3934651 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -20,7 +20,7 @@ jobs: strategy: matrix: - go-version: [1.18.8] + go-version: [1.18.9] os: [ubuntu-18.04, macos-12, windows-2019] steps: @@ -46,7 +46,7 @@ jobs: steps: - uses: actions/setup-go@v2 with: - go-version: '1.18.8' + go-version: '1.18.9' - uses: actions/checkout@v2 with: @@ -78,7 +78,7 @@ jobs: steps: - uses: actions/setup-go@v2 with: - go-version: '1.18.8' + go-version: '1.18.9' - uses: actions/checkout@v2 with: @@ -110,7 +110,7 @@ jobs: steps: - uses: actions/setup-go@v2 with: - go-version: '1.18.8' + go-version: '1.18.9' - uses: actions/checkout@v2 - run: go install github.com/cpuguy83/go-md2man/v2@v2.0.1 - run: make man 
@@ -148,7 +148,7 @@ jobs: steps: - uses: actions/setup-go@v2 with: - go-version: '1.18.8' + go-version: '1.18.9' - uses: actions/checkout@v2 - run: | set -e -x @@ -215,7 +215,7 @@ jobs: strategy: matrix: os: [ubuntu-18.04, macos-12, windows-2019, windows-2022] - go-version: ['1.17.13', '1.18.8'] + go-version: ['1.17.13', '1.18.9'] steps: - uses: actions/setup-go@v2 @@ -262,7 +262,7 @@ jobs: steps: - uses: actions/setup-go@v2 with: - go-version: '1.18.8' + go-version: '1.18.9' - uses: actions/checkout@v2 with: @@ -352,7 +352,7 @@ jobs: steps: - uses: actions/setup-go@v2 with: - go-version: '1.18.8' + go-version: '1.18.9' - uses: actions/checkout@v2 @@ -475,7 +475,7 @@ jobs: steps: - uses: actions/setup-go@v2 with: - go-version: '1.18.8' + go-version: '1.18.9' - uses: actions/checkout@v2 - run: sudo -E PATH=$PATH script/setup/install-gotestsum - name: Tests diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 5cdb1a801..78117154c 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -26,7 +26,7 @@ jobs: - uses: actions/setup-go@v2 with: - go-version: 1.18.8 + go-version: 1.18.9 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/images.yml b/.github/workflows/images.yml index 32cdca34c..06cbfc9f1 100644 --- a/.github/workflows/images.yml +++ b/.github/workflows/images.yml @@ -24,7 +24,7 @@ jobs: steps: - uses: actions/setup-go@v2 with: - go-version: '1.18.8' + go-version: '1.18.9' - uses: actions/checkout@v2 with: diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index 4fb7c70aa..f0a24b7ff 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -18,7 +18,7 @@ jobs: steps: - uses: actions/setup-go@v2 with: - go-version: '1.18.8' + go-version: '1.18.9' - uses: actions/checkout@v2 with: 
@@ -155,7 +155,7 @@ jobs: steps: - uses: actions/setup-go@v2 with: - go-version: '1.18.8' + go-version: '1.18.9' - uses: actions/checkout@v2 with: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index effb89daa..5609d4d9e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -111,7 +111,7 @@ jobs: find ./releases/ -maxdepth 1 -type l | xargs rm working-directory: src/github.com/containerd/containerd env: - GO_VERSION: '1.18.8' + GO_VERSION: '1.18.9' PLATFORM: ${{ matrix.platform }} - name: Save Artifacts uses: actions/upload-artifact@v2 diff --git a/Vagrantfile b/Vagrantfile index 8e2dac146..24056127b 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -91,7 +91,7 @@ EOF config.vm.provision "install-golang", type: "shell", run: "once" do |sh| sh.upload_path = "/tmp/vagrant-install-golang" sh.env = { - 'GO_VERSION': ENV['GO_VERSION'] || "1.18.8", + 'GO_VERSION': ENV['GO_VERSION'] || "1.18.9", } sh.inline = <<~SHELL #!/usr/bin/env bash diff --git a/contrib/Dockerfile.test b/contrib/Dockerfile.test index 86e76fc43..972311a6f 100644 --- a/contrib/Dockerfile.test +++ b/contrib/Dockerfile.test @@ -10,7 +10,7 @@ # # docker build -t containerd-test --build-arg RUNC_VERSION=v1.0.0-rc94 -f Dockerfile.test ../ -ARG GOLANG_VERSION=1.18.8 +ARG GOLANG_VERSION=1.18.9 ARG GOLANG_IMAGE=golang FROM ${GOLANG_IMAGE}:${GOLANG_VERSION} AS golang diff --git a/script/setup/prepare_env_windows.ps1 b/script/setup/prepare_env_windows.ps1 index 858969af5..5251f41a0 100644 --- a/script/setup/prepare_env_windows.ps1 +++ b/script/setup/prepare_env_windows.ps1 @@ -1,6 +1,6 @@ # Prepare windows environment for building and running containerd tests -$PACKAGES= @{ mingw = "10.2.0"; git = ""; golang = "1.18.8"; make = ""; nssm = "" } +$PACKAGES= @{ mingw = "10.2.0"; git = ""; golang = "1.18.9"; make = ""; nssm = "" } Write-Host "Downloading chocolatey package" curl.exe -L "https://packages.chocolatey.org/chocolatey.0.10.15.nupkg" -o 'c:\choco.zip' 
From ec5acd4c15e87be6af97a33b78e3fdb77c555ad4 Mon Sep 17 00:00:00 2001 From: Danny Canter Date: Mon, 28 Nov 2022 14:45:34 -0800 Subject: [PATCH 15/39] CRI stream server: Fix goroutine leak in Exec In the CRI streaming server, a goroutine (`handleResizeEvents`) is launched to handle terminal resize events if a TTY is asked for with an exec; this is the sender of terminal resize events. Another goroutine is launched shortly after successful process startup to actually do something with these events, however the issue arises if the exec process fails to start for any reason that would have `process.Start` return non-nil. The receiver goroutine never gets launched so the sender is stuck blocked on a channel send infinitely. This could be used in a malicious manner by repeatedly launching execs with a command that doesn't exist in the image, as a single goroutine will get leaked on every invocation which will slowly grow containerd's memory usage. Signed-off-by: Danny Canter (cherry picked from commit f012617edfd887a29345888d65640a7ccd7c72ce) --- pkg/cri/streaming/remotecommand/httpstream.go | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/pkg/cri/streaming/remotecommand/httpstream.go b/pkg/cri/streaming/remotecommand/httpstream.go index 0417a1a9e..9177fa794 100644 --- a/pkg/cri/streaming/remotecommand/httpstream.go +++ b/pkg/cri/streaming/remotecommand/httpstream.go @@ -33,6 +33,7 @@ limitations under the License. package remotecommand import ( + gocontext "context" "encoding/json" "errors" "fmt" @@ -132,7 +133,7 @@ func createStreams(req *http.Request, w http.ResponseWriter, opts *Options, supp if ctx.resizeStream != nil { ctx.resizeChan = make(chan remotecommand.TerminalSize) - go handleResizeEvents(ctx.resizeStream, ctx.resizeChan) + go handleResizeEvents(req.Context(), ctx.resizeStream, ctx.resizeChan) } return ctx, true 
@@ -425,7 +426,7 @@ WaitForStreams:
 // supportsTerminalResizing returns false because v1ProtocolHandler doesn't support it.
 func (*v1ProtocolHandler) supportsTerminalResizing() bool { return false }
 
-func handleResizeEvents(stream io.Reader, channel chan<- remotecommand.TerminalSize) {
+func handleResizeEvents(ctx gocontext.Context, stream io.Reader, channel chan<- remotecommand.TerminalSize) {
 	defer runtime.HandleCrash()
 	defer close(channel)
 
@@ -435,7 +436,15 @@ func handleResizeEvents(stream io.Reader, channel chan<- remotecommand.TerminalS
 		if err := decoder.Decode(&size); err != nil {
 			break
 		}
-		channel <- size
+
+		select {
+		case channel <- size:
+		case <-ctx.Done():
+			// To avoid leaking this routine, exit if the http request finishes. This path
+			// would generally be hit if starting the process fails and nothing is started to
+			// ingest these resize events.
+			return
+		}
 	}
 }
 
From 1899ebcd8aa5d534d830c1b28008749351f0c92c Mon Sep 17 00:00:00 2001
From: Derek McGowan
Date: Thu, 1 Dec 2022 15:58:02 -0800
Subject: [PATCH 16/39] Prepare release notes for v1.6.12

Signed-off-by: Derek McGowan
---
 releases/v1.6.12.toml | 19 +++++++++++++++++++
 version/version.go    |  2 +-
 2 files changed, 20 insertions(+), 1 deletion(-)
 create mode 100644 releases/v1.6.12.toml

diff --git a/releases/v1.6.12.toml b/releases/v1.6.12.toml
new file mode 100644
index 000000000..cdd0819a8
--- /dev/null
+++ b/releases/v1.6.12.toml
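Review bot: The `ctx.Done()` case in the second hunk only frees a goroutine parked on the channel send; a `decoder.Decode` blocked in a read on `stream` is not interrupted by the context, so exit on request completion also relies on the resize stream being closed when the connection is torn down, which happens outside this hunk and I could not confirm here. The new comment should say so, e.g. `// A Decode blocked on stream is not interrupted by ctx; it relies on the stream being closed when the request ends.` Naming the parameter `ctx` while this package uses `ctx` for its `*context` streams struct (see createStreams in the earlier hunk) invites confusion; `reqCtx` would read better. The loop header of handleResizeEvents lies outside the hunk.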
@@ -0,0 +1,19 @@ +# commit to be tagged for new release +commit = "HEAD" + +project_name = "containerd" +github_repo = "containerd/containerd" +match_deps = "^github.com/(containerd/[a-zA-Z0-9-]+)$" + +# previous release +previous = "v1.6.11" + +pre_release = false + +preface = """\ +The twelfth patch release for containerd 1.6 contains a fix for CVE-2022-23471. + +### Notable Updates +* **Fix goroutine leak during Exec in CRI plugin** ([GHSA-2qjp-425j-52j9](https://github.com/containerd/containerd/security/advisories/GHSA-2qjp-425j-52j9)) + +See the changelog for complete list of changes""" diff --git a/version/version.go b/version/version.go index 476c6c4b2..6e76097d2 100644 --- a/version/version.go +++ b/version/version.go @@ -23,7 +23,7 @@ var ( Package = "github.com/containerd/containerd" // Version holds the complete version number. Filled in at linking time. - Version = "1.6.11+unknown" + Version = "1.6.12+unknown" // Revision is filled with the VCS (e.g. git) revision being used to build // the program at linking time. From 3595dd04b0ee7c0b84f98bf0634ff9166440f514 Mon Sep 17 00:00:00 2001 From: mathis-m Date: Wed, 7 Dec 2022 18:55:38 +0100 Subject: [PATCH 17/39] fix: check for tmpfs when evaluating if userxattr should be used Signed-off-by: mathis-m (cherry picked from commit 2eabcf7026816c46cfc5be03402716138f4c3332) Signed-off-by: Akihiro Suda --- snapshots/overlay/overlayutils/check.go | 26 +++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/snapshots/overlay/overlayutils/check.go b/snapshots/overlay/overlayutils/check.go index 2faaea35f..17e7547fe 100644 --- a/snapshots/overlay/overlayutils/check.go +++ b/snapshots/overlay/overlayutils/check.go @@ -23,6 +23,7 @@ import ( "fmt" "os" "path/filepath" + "syscall" kernel "github.com/containerd/containerd/contrib/seccomp/kernelversion" "github.com/containerd/containerd/log" 
@@ -31,6 +32,11 @@ import (
 	"github.com/containerd/continuity/fs"
 )
 
+const (
+	// see https://man7.org/linux/man-pages/man2/statfs.2.html
+	tmpfsMagic = 0x01021994
+)
+
 // SupportsMultipleLowerDir checks if the system supports multiple lowerdirs,
 // which is required for the overlay snapshotter. On 4.x kernels, multiple lowerdirs
 // are always available (so this check isn't needed), and backported to RHEL and
@@ -88,6 +94,21 @@ func Supported(root string) error {
 	return SupportsMultipleLowerDir(root)
 }
 
+// IsPathOnTmpfs returns whether the path is on a tmpfs or not.
+//
+// It uses statfs to check if the fs type is TMPFS_MAGIC (0x01021994)
+// see https://man7.org/linux/man-pages/man2/statfs.2.html
+func IsPathOnTmpfs(d string) bool {
+	stat := syscall.Statfs_t{}
+	err := syscall.Statfs(d, &stat)
+	if err != nil {
+		log.L.WithError(err).Warnf("Could not retrieve statfs for %v", d)
+		return false
+	}
+
+	return stat.Type == tmpfsMagic
+}
+
 // NeedsUserXAttr returns whether overlayfs should be mounted with the "userxattr" mount option.
 //
 // The "userxattr" option is needed for mounting overlayfs inside a user namespace with kernel >= 5.11.
@@ -114,6 +135,11 @@ func NeedsUserXAttr(d string) (bool, error) {
 		return false, nil
 	}
 
+	// userxattr not permitted on tmpfs https://man7.org/linux/man-pages/man5/tmpfs.5.html
+	if IsPathOnTmpfs(d) {
+		return false, nil
+	}
+
 	// Fast path on kernels >= 5.11
 	//
 	// Keep in mind that distro vendors might be going to backport the patch to older kernels
From 206f987b19664613a265627af1b601cc8e54309e Mon Sep 17 00:00:00 2001
From: Shinichi Morimoto
Date: Thu, 14 Apr 2022 09:55:29 +0900
Subject: [PATCH 18/39] fix pool_device_test.go

While executing mke2fs, 'Not enough space to build proposed filesystem while setting up superblock' error is happend on Ubuntu20.04

Signed-off-by: Shinichi Morimoto
(cherry picked from commit 942af120327d2f4dcb115dfe62202d937094d1a2)
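Review bot: IsPathOnTmpfs (hunk at -88) hand-rolls the tmpfs magic number in the const hunk at -31 and goes through `syscall`, while golang.org/x/sys/unix, which this repository already imports elsewhere (the Windows integration test above uses x/sys), exports `unix.TMPFS_MAGIC` and `unix.Statfs`; `var stat unix.Statfs_t` / `if err := unix.Statfs(d, &stat); err != nil {` / `return stat.Type == unix.TMPFS_MAGIC` would drop the constant and the comment that repeats its value. On a statfs failure the function logs and answers false, which makes NeedsUserXAttr (hunk at -114) fall through to the kernel-version path; that is a reasonable best-effort, but the doc comment should state it, e.g. `// A path that cannot be statfs'd is reported as not being on tmpfs.` The log call would be clearer with `%q` than `%v` for the path. The Linux-only build constraint this code depends on is outside the hunk.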
Signed-off-by: Austin Vazquez --- snapshots/devmapper/pool_device_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/snapshots/devmapper/pool_device_test.go b/snapshots/devmapper/pool_device_test.go index f68d41609..041178473 100644 --- a/snapshots/devmapper/pool_device_test.go +++ b/snapshots/devmapper/pool_device_test.go @@ -40,8 +40,8 @@ const ( thinDevice1 = "thin-1" thinDevice2 = "thin-2" snapDevice1 = "snap-1" - device1Size = 100000 - device2Size = 200000 + device1Size = 1000000 + device2Size = 2000000 testsPrefix = "devmapper-snapshotter-tests-" ) From c791229e3b2aa0f6fe42444e31826f3a516e4b2e Mon Sep 17 00:00:00 2001 From: Maksym Pavlenko Date: Fri, 5 Aug 2022 17:05:36 -0700 Subject: [PATCH 19/39] Rework permission handling in scripts Signed-off-by: Maksym Pavlenko (cherry picked from commit 8add7e5d3927f83cd19ed2a4e720840f0c5ad971) Signed-off-by: Austin Vazquez --- .github/workflows/ci.yml | 18 +++++++----------- script/setup/install-cni | 10 ++++++++-- script/setup/install-critools | 10 ++++++++-- script/setup/install-runc | 14 +++++++++++--- script/setup/install-seccomp | 4 ++-- 5 files changed, 36 insertions(+), 20 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5f3934651..d80827666 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -359,13 +359,13 @@ jobs: - name: Install containerd dependencies env: RUNC_FLAVOR: ${{ matrix.runc }} - GOFLAGS: -modcacherw run: | sudo apt-get install -y gperf - sudo -E PATH=$PATH script/setup/install-seccomp - sudo -E PATH=$PATH script/setup/install-runc - sudo -E PATH=$PATH script/setup/install-cni $(grep containernetworking/plugins go.mod | awk '{print $2}') - sudo -E PATH=$PATH script/setup/install-critools + script/setup/install-seccomp + script/setup/install-runc + script/setup/install-cni $(grep containernetworking/plugins go.mod | awk '{print $2}') + script/setup/install-critools + script/setup/install-failpoint-binaries - name: Install criu run: | @@ -373,10 +373,6 @@ jobs: sudo apt-get update sudo apt-get install -y criu - - name: Install failpoint binaries - run: | - script/setup/install-failpoint-binaries - - name: Install containerd env: CGO_ENABLED: 1 @@ -384,7 +380,7 @@ jobs: make binaries GO_BUILD_FLAGS="-mod=vendor" sudo -E PATH=$PATH make install - - run: sudo -E PATH=$PATH script/setup/install-gotestsum + - run: script/setup/install-gotestsum - name: Tests env: GOTESTSUM_JUNITFILE: ${{github.workspace}}/test-unit-root-junit.xml @@ -477,7 +473,7 @@ jobs: with: go-version: '1.18.9' - uses: actions/checkout@v2 - - run: sudo -E PATH=$PATH script/setup/install-gotestsum + - run: script/setup/install-gotestsum - name: Tests env: GOTESTSUM_JUNITFILE: "${{ github.workspace }}/macos-test-junit.xml" diff --git a/script/setup/install-cni b/script/setup/install-cni index ebbfd248f..321373ccb 100755 --- a/script/setup/install-cni +++ b/script/setup/install-cni 
@@ -25,6 +25,12 @@ CNI_COMMIT=${1:-$(grep containernetworking/plugins "$GOPATH"/src/github.com/cont CNI_DIR=${DESTDIR:=''}/opt/cni CNI_CONFIG_DIR=${DESTDIR}/etc/cni/net.d +# e2e and Cirrus will fail with "sudo: command not found" +SUDO='' +if (( $EUID != 0 )); then + SUDO='sudo' +fi + TMPROOT=$(mktemp -d) git clone https://github.com/containernetworking/plugins.git "${TMPROOT}"/plugins pushd "${TMPROOT}"/plugins @@ -32,8 +38,8 @@ git checkout "$CNI_COMMIT" ./build_linux.sh mkdir -p $CNI_DIR cp -r ./bin $CNI_DIR -mkdir -p $CNI_CONFIG_DIR -cat << EOF | tee $CNI_CONFIG_DIR/10-containerd-net.conflist +$SUDO mkdir -p $CNI_CONFIG_DIR +$SUDO cat << EOF | $SUDO tee $CNI_CONFIG_DIR/10-containerd-net.conflist { "cniVersion": "1.0.0", "name": "containerd-net", diff --git a/script/setup/install-critools b/script/setup/install-critools index 251a83e0b..3a8374c44 100755 --- a/script/setup/install-critools +++ b/script/setup/install-critools @@ -22,6 +22,12 @@ set -eu -o pipefail script_dir="$(cd -- "$(dirname -- "$0")" > /dev/null 2>&1; pwd -P)" +# e2e will fail with "sudo: command not found" +SUDO='' +if (( $EUID != 0 )); then + SUDO='sudo' +fi + cd "$(go env GOPATH)" go install github.com/onsi/ginkgo/v2/ginkgo@v2.1.4 @@ -33,10 +39,10 @@ git clone https://github.com/kubernetes-sigs/cri-tools.git "${TMPROOT}/cri-tools pushd "${TMPROOT}"/cri-tools git checkout "$CRITEST_COMMIT" make -make install -e DESTDIR="${DESTDIR}" BINDIR=/usr/local/bin +$SUDO make install -e DESTDIR="${DESTDIR}" BINDIR=/usr/local/bin mkdir -p "${DESTDIR}/etc/" -cat << EOF | tee "${DESTDIR}/etc/crictl.yaml" +$SUDO cat << EOF | $SUDO tee "${DESTDIR}/etc/crictl.yaml" runtime-endpoint: unix:///run/containerd/containerd.sock EOF diff --git a/script/setup/install-runc b/script/setup/install-runc index 7e0437c9b..5c314e1a5 100755 --- a/script/setup/install-runc +++ b/script/setup/install-runc 
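Review bot: `mkdir -p $CNI_DIR` and `cp -r ./bin $CNI_DIR` in the second hunk are still run without `$SUDO`, while the config-directory lines directly below them gained it; with DESTDIR empty CNI_DIR is /opt/cni, which is normally root-owned, so now that the CI step no longer runs this script under sudo the copy would abort under `set -e` before the conflist is written, unless /opt happens to be writable on the runner. Prefix them the same way: `$SUDO mkdir -p "$CNI_DIR"` and `$SUDO cp -r ./bin "$CNI_DIR"`. The `$SUDO cat << EOF` on the next line is redundant — the here-document is fed by the shell and only `tee` needs privileges — so `cat << EOF | $SUDO tee "$CNI_CONFIG_DIR/10-containerd-net.conflist"` is sufficient. The conflist body continues outside the hunk.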
@@ -20,6 +20,14 @@ # set -eu -o pipefail +script_dir="$(cd -- "$(dirname -- "$0")" > /dev/null 2>&1; pwd -P)" + +# e2e and Cirrus will fail with "sudo: command not found" +SUDO='' +if (( $EUID != 0 )); then + SUDO='sudo' +fi + function install_runc() { script_dir="$(cd -- "$(dirname -- "$0")" > /dev/null 2>&1; pwd -P)" @@ -31,15 +39,15 @@ function install_runc() { pushd "${TMPROOT}"/runc git checkout "${RUNC_VERSION}" make BUILDTAGS='seccomp' runc - make install + $SUDO make install popd rm -fR "${TMPROOT}" } function install_crun() { CRUN_VERSION=1.3 - curl -o /usr/local/sbin/runc -L https://github.com/containers/crun/releases/download/"${CRUN_VERSION}"/crun-"${CRUN_VERSION}"-linux-"$(go env GOARCH)" - chmod +x /usr/local/sbin/runc + $SUDO curl -S -o /usr/local/sbin/runc -L https://github.com/containers/crun/releases/download/"${CRUN_VERSION}"/crun-"${CRUN_VERSION}"-linux-"$(go env GOARCH)" + $SUDO chmod +x /usr/local/sbin/runc } : "${RUNC_FLAVOR:=runc}" diff --git a/script/setup/install-seccomp b/script/setup/install-seccomp index a9681562b..8a9dfb462 100755 --- a/script/setup/install-seccomp +++ b/script/setup/install-seccomp @@ -30,8 +30,8 @@ curl -fsSL "https://github.com/seccomp/libseccomp/releases/download/v${SECCOMP_V cd "$SECCOMP_PATH" ./configure --prefix=/usr/local make - make install - ldconfig + sudo make install + sudo ldconfig ) rm -rf "$SECCOMP_PATH" From 69fd029679306dfc752f330ab10c3cb51a01d7fe Mon Sep 17 00:00:00 2001 From: Maksym Pavlenko Date: Thu, 4 Aug 2022 14:50:29 -0700 Subject: [PATCH 20/39] Use global env variable to specify Go version on CI Signed-off-by: Maksym Pavlenko (cherry picked from commit 7787168ccc5f8d30614b1cb4b6572ac95c705f08) Signed-off-by: Austin Vazquez --- .github/workflows/ci.yml | 22 +++++++++++++--------- .github/workflows/nightly.yml | 7 +++++-- .github/workflows/release.yml | 8 +++++++- 3 files changed, 25 insertions(+), 12 deletions(-) 
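Review bot: `$SUDO curl -S -o /usr/local/sbin/runc -L …` in install_crun downloads a privileged binary as root with no `-f`, so an HTTP error (for example a 404 for an unknown CRUN_VERSION) writes the error page into /usr/local/sbin/runc and the following line marks it executable; nothing verifies what was fetched either. Fetch unprivileged into a temp file and elevate only for the install: `tmp=$(mktemp)`, `curl -fsSL -o "$tmp" "https://github.com/containers/crun/releases/download/${CRUN_VERSION}/crun-${CRUN_VERSION}-linux-$(go env GOARCH)"`, `$SUDO install -m 0755 "$tmp" /usr/local/sbin/runc`, ideally preceded by a check against a pinned sha256sum for that release. The `script_dir=` assignment added at the top of the file duplicates the one still computed inside install_runc just below it, so one of them can go. The RUNC_FLAVOR dispatch that calls these functions is outside the hunk.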
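Review bot: install-seccomp switches to a bare `sudo make install` / `sudo ldconfig`, whereas the sibling scripts touched by this same patch (install-cni, install-critools, install-runc) guard with an `$EUID`-based `$SUDO` variable precisely because their comments say sudo is absent in the e2e/Cirrus environments; run as root there, these two lines would fail with "sudo: command not found". Add the same guard near the top of the script — `SUDO=''`, `if (( $EUID != 0 )); then SUDO='sudo'; fi` — and use `$SUDO make install` and `$SUDO ldconfig`. The subshell these lines sit in opens outside the hunk.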
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d80827666..59a8ade55 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -9,6 +9,11 @@ on: - main - 'release/**' +env: + # Go version we currently use to build containerd across all CI. + # Note: don't forget to update `Binaries` step, as it contains the matrix of all supported Go versions. + GO_VERSION: '1.18.9' + jobs: # # golangci-lint @@ -20,13 +25,12 @@ jobs: strategy: matrix: - go-version: [1.18.9] os: [ubuntu-18.04, macos-12, windows-2019] steps: - uses: actions/setup-go@v2 with: - go-version: ${{ matrix.go-version }} + go-version: ${{ env.GO_VERSION }} - uses: actions/checkout@v2 - uses: golangci/golangci-lint-action@v3 @@ -46,7 +50,7 @@ jobs: steps: - uses: actions/setup-go@v2 with: - go-version: '1.18.9' + go-version: ${{ env.GO_VERSION }} - uses: actions/checkout@v2 with: @@ -78,7 +82,7 @@ jobs: steps: - uses: actions/setup-go@v2 with: - go-version: '1.18.9' + go-version: ${{ env.GO_VERSION }} - uses: actions/checkout@v2 with: @@ -110,7 +114,7 @@ jobs: steps: - uses: actions/setup-go@v2 with: - go-version: '1.18.9' + go-version: ${{ env.GO_VERSION }} - uses: actions/checkout@v2 - run: go install github.com/cpuguy83/go-md2man/v2@v2.0.1 - run: make man @@ -148,7 +152,7 @@ jobs: steps: - uses: actions/setup-go@v2 with: - go-version: '1.18.9' + go-version: ${{ env.GO_VERSION }} - uses: actions/checkout@v2 - run: | set -e -x @@ -262,7 +266,7 @@ jobs: steps: - uses: actions/setup-go@v2 with: - go-version: '1.18.9' + go-version: ${{ env.GO_VERSION }} - uses: actions/checkout@v2 with: @@ -352,7 +356,7 @@ jobs: steps: - uses: actions/setup-go@v2 with: - go-version: '1.18.9' + go-version: ${{ env.GO_VERSION }} - uses: actions/checkout@v2 @@ -471,7 +475,7 @@ jobs: steps: - uses: actions/setup-go@v2 with: - go-version: '1.18.9' + go-version: ${{ env.GO_VERSION }} - uses: actions/checkout@v2 - run: script/setup/install-gotestsum - name: Tests 
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index f0a24b7ff..e8344bd56 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -6,6 +6,9 @@ on: paths: - '.github/workflows/nightly.yml' +env: + GO_VERSION: '1.18.9' + jobs: linux: name: Linux @@ -18,7 +21,7 @@ jobs: steps: - uses: actions/setup-go@v2 with: - go-version: '1.18.9' + go-version: ${{ env.GO_VERSION }} - uses: actions/checkout@v2 with: @@ -155,7 +158,7 @@ jobs: steps: - uses: actions/setup-go@v2 with: - go-version: '1.18.9' + go-version: ${{ env.GO_VERSION }} - uses: actions/checkout@v2 with: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5609d4d9e..90d56a498 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -5,6 +5,9 @@ on: name: Containerd Release +env: + GO_VERSION: '1.18.9' + jobs: check: name: Check Signed Tag @@ -69,6 +72,10 @@ jobs: - ubuntu: 18.04 platform: windows/amd64 steps: + - name: Install Go + uses: actions/setup-go@v2 + with: + go-version: ${{ env.GO_VERSION }} - name: Set env shell: bash env: @@ -111,7 +118,6 @@ jobs: find ./releases/ -maxdepth 1 -type l | xargs rm working-directory: src/github.com/containerd/containerd env: - GO_VERSION: '1.18.9' PLATFORM: ${{ matrix.platform }} - name: Save Artifacts uses: actions/upload-artifact@v2 From 7e62ec10031defbe9d510ef07b0cc6adfc66fcbb Mon Sep 17 00:00:00 2001 From: Akihiro Suda Date: Fri, 7 Oct 2022 14:07:25 +0900 Subject: [PATCH 21/39] CI: update GHA instances from Ubuntu 18.04 to 20.04 The release binaries are built using Ubuntu 18.04 in Docker on Ubuntu 20.04 for glibc compatibility reason (issue 7255). Fix issue 7297 Signed-off-by: Akihiro Suda (cherry picked from commit ea53e52fc0afe156d9da665f68429033cab72d28) 
Signed-off-by: Austin Vazquez --- .github/workflows/ci.yml | 33 ++++++++++++++++++++++----------- .github/workflows/release.yml | 32 ++++++++++++++++---------------- 2 files changed, 38 insertions(+), 27 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 59a8ade55..a718c6f1f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -25,10 +25,16 @@ jobs: strategy: matrix: - os: [ubuntu-18.04, macos-12, windows-2019] + os: [ubuntu-20.04, macos-12, windows-2019] steps: - - uses: actions/setup-go@v2 + - name: Install dependencies + if: matrix.os == 'ubuntu-20.04' + run: | + sudo apt-get update + sudo apt-get install -y libbtrfs-dev + + - uses: actions/setup-go@v3 with: go-version: ${{ env.GO_VERSION }} @@ -44,7 +50,7 @@ jobs: # project: name: Project Checks - runs-on: ubuntu-18.04 + runs-on: ubuntu-20.04 timeout-minutes: 5 steps: @@ -72,7 +78,7 @@ jobs: # protos: name: Protobuf - runs-on: ubuntu-18.04 + runs-on: ubuntu-20.04 timeout-minutes: 5 defaults: @@ -108,7 +114,7 @@ jobs: man: name: Manpages - runs-on: ubuntu-18.04 + runs-on: ubuntu-20.04 timeout-minutes: 5 steps: @@ -218,11 +224,16 @@ jobs: strategy: matrix: - os: [ubuntu-18.04, macos-12, windows-2019, windows-2022] - go-version: ['1.17.13', '1.18.9'] - + os: [ubuntu-20.04, macos-12, windows-2019, windows-2022] + go-version: ["1.17.13", "1.18.9"] steps: - - uses: actions/setup-go@v2 + - name: Install dependencies + if: matrix.os == 'ubuntu-20.04' + run: | + sudo apt-get update + sudo apt-get install -y libbtrfs-dev + + - uses: actions/setup-go@v3 with: go-version: ${{ matrix.go-version }} @@ -336,7 +347,7 @@ jobs: integration-linux: name: Linux Integration - runs-on: ubuntu-18.04 + runs-on: ubuntu-20.04 timeout-minutes: 40 needs: [project, linters, protos, man] 
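Review bot: The new "Install dependencies" steps are gated on `if: matrix.os == 'ubuntu-20.04'`, an exact match on the very runner label this patch had to rewrite from 18.04; the next label bump silently skips the libbtrfs-dev install and the btrfs build fails with a less obvious compiler error. Gating on the runner family is future-proof: `if: runner.os == 'Linux'`, or `if: startsWith(matrix.os, 'ubuntu')` if non-Ubuntu Linux runners might be added to the matrix later. The same applies to the identical step added in the second hunk of this file (the job with the two-Go-version matrix).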
@@ -364,7 +375,7 @@ jobs: env: RUNC_FLAVOR: ${{ matrix.runc }} run: | - sudo apt-get install -y gperf + sudo apt-get install -y gperf libbtrfs-dev script/setup/install-seccomp script/setup/install-runc script/setup/install-cni $(grep containernetworking/plugins go.mod | awk '{print $2}') diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 90d56a498..987696b68 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -11,7 +11,7 @@ env: jobs: check: name: Check Signed Tag - runs-on: ubuntu-18.04 + runs-on: ubuntu-20.04 timeout-minutes: 5 outputs: stringver: ${{ steps.contentrel.outputs.stringver }} @@ -53,24 +53,24 @@ jobs: build: name: Build Release Binaries - runs-on: ubuntu-${{ matrix.ubuntu }} + runs-on: ubuntu-20.04 needs: [check] timeout-minutes: 30 strategy: matrix: include: # Choose an old release of Ubuntu to avoid glibc issue https://github.com/containerd/containerd/issues/7255 - - ubuntu: 18.04 - platform: linux/amd64 - - ubuntu: 18.04 - platform: linux/arm64 - - ubuntu: 18.04 - platform: linux/ppc64le + - dockerfile-ubuntu: 18.04 + dockerfile-platform: linux/amd64 + - dockerfile-ubuntu: 18.04 + dockerfile-platform: linux/arm64 + - dockerfile-ubuntu: 18.04 + dockerfile-platform: linux/ppc64le # riscv64 isn't supported by Ubuntu 18.04 - - ubuntu: 22.04 - platform: linux/riscv64 - - ubuntu: 18.04 - platform: windows/amd64 + - dockerfile-ubuntu: 22.04 + dockerfile-platform: linux/riscv64 + - dockerfile-ubuntu: 18.04 + dockerfile-platform: windows/amd64 steps: - name: Install Go uses: actions/setup-go@v2 @@ -79,7 +79,7 @@ jobs: - name: Set env shell: bash env: - MOS: ubuntu-${{ matrix.ubuntu }} + MOS: ubuntu-20.04 run: | releasever=${{ github.ref }} releasever="${releasever#refs/tags/}" 
@@ -111,14 +111,14 @@ jobs: export PREFIX_LEN=12 BUILD_ARGS="--build-arg GATEWAY --build-arg PREFIX_LEN" fi - docker buildx build ${cache} --build-arg RELEASE_VER --build-arg UBUNTU_VERSION=${{ matrix.ubuntu }} --build-arg GO_VERSION ${BUILD_ARGS} -f .github/workflows/release/Dockerfile --platform=${PLATFORM} -o releases/ . + docker buildx build ${cache} --build-arg RELEASE_VER --build-arg UBUNTU_VERSION=${{ matrix.dockerfile-ubuntu }} --build-arg GO_VERSION ${BUILD_ARGS} -f .github/workflows/release/Dockerfile --platform=${PLATFORM} -o releases/ . echo PLATFORM_CLEAN=${PLATFORM/\//-} >> $GITHUB_ENV # Remove symlinks since we don't want these in the release Artifacts find ./releases/ -maxdepth 1 -type l | xargs rm working-directory: src/github.com/containerd/containerd env: - PLATFORM: ${{ matrix.platform }} + PLATFORM: ${{ matrix.dockerfile-platform }} - name: Save Artifacts uses: actions/upload-artifact@v2 with: @@ -127,7 +127,7 @@ jobs: release: name: Create containerd Release - runs-on: ubuntu-18.04 + runs-on: ubuntu-20.04 timeout-minutes: 10 needs: [build, check] steps: From 02076e5e9f8e57e9f48d72ef7e16985c08012ab2 Mon Sep 17 00:00:00 2001 From: Phil Estes Date: Wed, 12 Oct 2022 15:17:27 -0400 Subject: [PATCH 22/39] Move up actions versions to prep for deprecation Signed-off-by: Phil Estes (cherry picked from commit e7c8a5ab08ae6ff862b4421d145ff9fe73581a2c) Signed-off-by: Austin Vazquez --- .github/workflows/build-test-images.yml | 4 +-- .github/workflows/ci.yml | 42 ++++++++++++------------- .github/workflows/codeql.yml | 4 +-- .github/workflows/images.yml | 4 +-- .github/workflows/nightly.yml | 8 ++--- .github/workflows/release.yml | 8 ++--- .github/workflows/windows-periodic.yml | 2 +- 7 files changed, 36 insertions(+), 36 deletions(-) diff --git a/.github/workflows/build-test-images.yml b/.github/workflows/build-test-images.yml index 909795a61..79f280bc1 100644 --- a/.github/workflows/build-test-images.yml +++ b/.github/workflows/build-test-images.yml 
@@ -37,11 +37,11 @@ jobs: working-directory: src/github.com/containerd/containerd steps: - - uses: actions/setup-go@v2 + - uses: actions/setup-go@v3 with: go-version: '1.18.9' - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: path: src/github.com/containerd/containerd diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a718c6f1f..10b64eaa6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -38,7 +38,7 @@ jobs: with: go-version: ${{ env.GO_VERSION }} - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - uses: golangci/golangci-lint-action@v3 with: version: v1.49.0 @@ -54,11 +54,11 @@ jobs: timeout-minutes: 5 steps: - - uses: actions/setup-go@v2 + - uses: actions/setup-go@v3 with: go-version: ${{ env.GO_VERSION }} - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: path: src/github.com/containerd/containerd fetch-depth: 100 @@ -86,11 +86,11 @@ jobs: working-directory: src/github.com/containerd/containerd steps: - - uses: actions/setup-go@v2 + - uses: actions/setup-go@v3 with: go-version: ${{ env.GO_VERSION }} - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: path: src/github.com/containerd/containerd @@ -118,10 +118,10 @@ jobs: timeout-minutes: 5 steps: - - uses: actions/setup-go@v2 + - uses: actions/setup-go@v3 with: go-version: ${{ env.GO_VERSION }} - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - run: go install github.com/cpuguy83/go-md2man/v2@v2.0.1 - run: make man @@ -156,10 +156,10 @@ jobs: goarm: "7" steps: - - uses: actions/setup-go@v2 + - uses: actions/setup-go@v3 with: go-version: ${{ env.GO_VERSION }} - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - run: | set -e -x @@ -243,7 +243,7 @@ jobs: echo "GOPATH=${{ github.workspace }}" >> $GITHUB_ENV echo "${{ github.workspace }}/bin" >> $GITHUB_PATH - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: path: src/github.com/containerd/containerd 
@@ -275,15 +275,15 @@ jobs: working-directory: src/github.com/containerd/containerd steps: - - uses: actions/setup-go@v2 + - uses: actions/setup-go@v3 with: go-version: ${{ env.GO_VERSION }} - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: path: src/github.com/containerd/containerd - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: repository: Microsoft/hcsshim path: src/github.com/Microsoft/hcsshim @@ -365,11 +365,11 @@ jobs: env: GOTEST: gotestsum -- steps: - - uses: actions/setup-go@v2 + - uses: actions/setup-go@v3 with: go-version: ${{ env.GO_VERSION }} - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Install containerd dependencies env: @@ -484,10 +484,10 @@ jobs: GOTEST: gotestsum -- steps: - - uses: actions/setup-go@v2 + - uses: actions/setup-go@v3 with: go-version: ${{ env.GO_VERSION }} - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - run: script/setup/install-gotestsum - name: Tests env: @@ -517,10 +517,10 @@ jobs: env: GOTEST: gotestsum -- steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: "Cache ~/.vagrant.d/boxes" - uses: actions/cache@v2 + uses: actions/cache@v3 with: path: ~/.vagrant.d/boxes key: vagrant-${{ hashFiles('Vagrantfile*') }} @@ -578,10 +578,10 @@ jobs: timeout-minutes: 45 needs: [project, linters, protos, man] steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: "Cache ~/.vagrant.d/boxes" - uses: actions/cache@v2 + uses: actions/cache@v3 with: path: ~/.vagrant.d/boxes key: vagrant-${{ hashFiles('Vagrantfile*') }} diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 78117154c..7bf9a5018 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -22,9 +22,9 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 - - uses: actions/setup-go@v2 + - uses: actions/setup-go@v3 with: go-version: 1.18.9 
diff --git a/.github/workflows/images.yml b/.github/workflows/images.yml index 06cbfc9f1..f497b7db2 100644 --- a/.github/workflows/images.yml +++ b/.github/workflows/images.yml @@ -22,11 +22,11 @@ jobs: working-directory: src/github.com/containerd/containerd steps: - - uses: actions/setup-go@v2 + - uses: actions/setup-go@v3 with: go-version: '1.18.9' - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: path: src/github.com/containerd/containerd diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index e8344bd56..d903bc656 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -19,11 +19,11 @@ jobs: working-directory: src/github.com/containerd/containerd steps: - - uses: actions/setup-go@v2 + - uses: actions/setup-go@v3 with: go-version: ${{ env.GO_VERSION }} - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: path: src/github.com/containerd/containerd @@ -156,11 +156,11 @@ jobs: working-directory: src/github.com/containerd/containerd steps: - - uses: actions/setup-go@v2 + - uses: actions/setup-go@v3 with: go-version: ${{ env.GO_VERSION }} - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: path: src/github.com/containerd/containerd diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 987696b68..fab49352d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -18,7 +18,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 with: ref: ${{ github.ref }} path: src/github.com/containerd/containerd @@ -73,7 +73,7 @@ jobs: dockerfile-platform: windows/amd64 steps: - name: Install Go - uses: actions/setup-go@v2 + uses: actions/setup-go@v3 with: go-version: ${{ env.GO_VERSION }} - name: Set env 
@@ -86,7 +86,7 @@ jobs: echo "RELEASE_VER=${releasever}" >> $GITHUB_ENV echo "GOPATH=${{ github.workspace }}" >> $GITHUB_ENV - name: Checkout containerd - uses: actions/checkout@v2 + uses: actions/checkout@v3 with: # Intentionally use github.repository instead of containerd/containerd to # make this action runnable on forks. @@ -132,7 +132,7 @@ jobs: needs: [build, check] steps: - name: Download builds and release notes - uses: actions/download-artifact@v2 + uses: actions/download-artifact@v3 with: path: builds - name: Create Release diff --git a/.github/workflows/windows-periodic.yml b/.github/workflows/windows-periodic.yml index 7134f9d57..20c2ad6f8 100644 --- a/.github/workflows/windows-periodic.yml +++ b/.github/workflows/windows-periodic.yml @@ -48,7 +48,7 @@ jobs: GOOGLE_BUCKET: "containerd-integration/logs/windows-ltsc2022/" runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Install required packages run: | From 64a42283b2b43b2b6899508e2844e1ffb7592661 Mon Sep 17 00:00:00 2001 From: Kazuyoshi Kato Date: Fri, 14 Oct 2022 17:24:46 +0000 Subject: [PATCH 23/39] Upgrade actions/upload-artifact from v2 to v3 v2 uses Node.js 12.x which is EOL. Signed-off-by: Kazuyoshi Kato (cherry picked from commit 878dbc7afa30006f83bd1a053986a3b59471ad2a) Signed-off-by: Austin Vazquez --- .github/workflows/ci.yml | 8 ++++---- .github/workflows/release.yml | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 10b64eaa6..d66dd5b87 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -338,7 +338,7 @@ jobs: CGO_ENABLED: 1 GOTESTSUM_JUNITFILE: ${{github.workspace}}/test-integration-parallel-junit.xml run: mingw32-make.exe integration - - uses: actions/upload-artifact@v2 + - uses: actions/upload-artifact@v3 if: always() with: name: TestResults Windows 
@@ -467,7 +467,7 @@ jobs: mount df losetup -l - - uses: actions/upload-artifact@v2 + - uses: actions/upload-artifact@v3 if: always() with: name: TestResults ${{ matrix.runtime }} ${{matrix.runc}} @@ -493,7 +493,7 @@ jobs: env: GOTESTSUM_JUNITFILE: "${{ github.workspace }}/macos-test-junit.xml" run: make test - - uses: actions/upload-artifact@v2 + - uses: actions/upload-artifact@v3 if: always() with: name: TestResults MacOS @@ -562,7 +562,7 @@ jobs: vagrant plugin install vagrant-scp vagrant scp :/tmp/test-integration-junit.xml "${{ github.workspace }}/" vagrant scp :/tmp/critestreport "${{ github.workspace }}/critestreport" - - uses: actions/upload-artifact@v2 + - uses: actions/upload-artifact@v3 if: always() with: # ${{ matrix.box }} cannot be used here due to character limitation diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index fab49352d..c09a915e4 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -46,7 +46,7 @@ jobs: working-directory: src/github.com/containerd/containerd - name: Save release notes - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v3 with: name: containerd-release-notes path: src/github.com/containerd/containerd/release-notes.md @@ -120,7 +120,7 @@ jobs: env: PLATFORM: ${{ matrix.dockerfile-platform }} - name: Save Artifacts - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v3 with: name: release-tars-${{env.PLATFORM_CLEAN}} path: src/github.com/containerd/containerd/releases/*.tar.gz* From b52df344fa13c8ae9a98e4097a38930c4cbda7e3 Mon Sep 17 00:00:00 2001 From: Akhil Mohan Date: Fri, 21 Oct 2022 11:47:31 +0530 Subject: [PATCH 24/39] update codeql-action to v2 updating codeql github actions to v2, as v1 version will be deprecated in Dec'22. Signed-off-by: Akhil Mohan (cherry picked from commit ddb8a65be2c186af7789f8d3e1ba3af2dd6b65c1) 
Signed-off-by: Austin Vazquez --- .github/workflows/codeql.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 7bf9a5018..ea0fc5c08 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -30,7 +30,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v1 + uses: github/codeql-action/init@v2 # Override language selection by uncommenting this and choosing your languages # with: # languages: go, javascript, csharp, python, cpp, java @@ -40,4 +40,4 @@ jobs: make - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v1 + uses: github/codeql-action/analyze@v2 From ffc16f5562768745965bda11ae61d93e2328f566 Mon Sep 17 00:00:00 2001 From: Kirtana Ashok Date: Tue, 13 Dec 2022 13:42:51 -0800 Subject: [PATCH 25/39] Bump hcsshim to v0.9.6 Signed-off-by: Kirtana Ashok --- go.mod | 2 +- go.sum | 4 ++-- integration/client/go.mod | 2 +- integration/client/go.sum | 4 ++-- .../github.com/Microsoft/hcsshim/internal/cow/cow.go | 6 ++++++ .../Microsoft/hcsshim/internal/hcs/system.go | 12 ++++++++++-- vendor/modules.txt | 2 +- 7 files changed, 23 insertions(+), 9 deletions(-) diff --git a/go.mod b/go.mod index 63ec6282b..9b4e65e23 100644 --- a/go.mod +++ b/go.mod @@ -5,7 +5,7 @@ go 1.17 require ( github.com/AdaLogics/go-fuzz-headers v0.0.0-20210715213245-6c3934b029d8 github.com/Microsoft/go-winio v0.5.2 - github.com/Microsoft/hcsshim v0.9.5 + github.com/Microsoft/hcsshim v0.9.6 github.com/containerd/aufs v1.0.0 github.com/containerd/btrfs v1.0.0 github.com/containerd/cgroups v1.0.3 diff --git a/go.sum b/go.sum index c9bc48fc5..47832e81d 100644 --- a/go.sum +++ b/go.sum 
@@ -83,8 +83,8 @@ github.com/Microsoft/hcsshim v0.8.20/go.mod h1:+w2gRZ5ReXQhFOrvSQeNfhrYB/dg3oDwT github.com/Microsoft/hcsshim v0.8.21/go.mod h1:+w2gRZ5ReXQhFOrvSQeNfhrYB/dg3oDwTOcER2fw4I4= github.com/Microsoft/hcsshim v0.8.23/go.mod h1:4zegtUJth7lAvFyc6cH2gGQ5B3OFQim01nnU2M8jKDg= github.com/Microsoft/hcsshim v0.9.2/go.mod h1:7pLA8lDk46WKDWlVsENo92gC0XFa8rbKfyFRBqxEbCc= -github.com/Microsoft/hcsshim v0.9.5 h1:AbV+VPfTrIVffukazHcpxmz/sRiE6YaMDzHWR9BXZHo= -github.com/Microsoft/hcsshim v0.9.5/go.mod h1:7pLA8lDk46WKDWlVsENo92gC0XFa8rbKfyFRBqxEbCc= +github.com/Microsoft/hcsshim v0.9.6 h1:VwnDOgLeoi2du6dAznfmspNqTiwczvjv4K7NxuY9jsY= +github.com/Microsoft/hcsshim v0.9.6/go.mod h1:7pLA8lDk46WKDWlVsENo92gC0XFa8rbKfyFRBqxEbCc= github.com/Microsoft/hcsshim/test v0.0.0-20201218223536-d3e5debf77da/go.mod h1:5hlzMzRKMLyo42nCZ9oml8AdTlq/0cvIaBv6tK1RehU= github.com/Microsoft/hcsshim/test v0.0.0-20210227013316-43a75bb4edd3/go.mod h1:mw7qgWloBUl75W/gVH3cQszUg1+gUITj7D6NY7ywVnY= github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= diff --git a/integration/client/go.mod b/integration/client/go.mod index 179dd8c6f..7cae31ddf 100644 --- a/integration/client/go.mod +++ b/integration/client/go.mod @@ -3,7 +3,7 @@ module github.com/containerd/containerd/integration/client go 1.15 require ( - github.com/Microsoft/hcsshim v0.9.5 + github.com/Microsoft/hcsshim v0.9.6 github.com/Microsoft/hcsshim/test v0.0.0-20210408205431-da33ecd607e1 github.com/containerd/cgroups v1.0.3 // the actual version of containerd is replaced with the code at the root of this repository diff --git a/integration/client/go.sum b/integration/client/go.sum index ce783e99d..b59a28f7a 100644 --- a/integration/client/go.sum +++ b/integration/client/go.sum 
@@ -55,8 +55,8 @@ github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v github.com/Microsoft/hcsshim v0.8.15/go.mod h1:x38A4YbHbdxJtc0sF6oIz+RG0npwSCAvn69iY6URG00= github.com/Microsoft/hcsshim v0.8.20/go.mod h1:+w2gRZ5ReXQhFOrvSQeNfhrYB/dg3oDwTOcER2fw4I4= github.com/Microsoft/hcsshim v0.9.2/go.mod h1:7pLA8lDk46WKDWlVsENo92gC0XFa8rbKfyFRBqxEbCc= -github.com/Microsoft/hcsshim v0.9.5 h1:AbV+VPfTrIVffukazHcpxmz/sRiE6YaMDzHWR9BXZHo= -github.com/Microsoft/hcsshim v0.9.5/go.mod h1:7pLA8lDk46WKDWlVsENo92gC0XFa8rbKfyFRBqxEbCc= +github.com/Microsoft/hcsshim v0.9.6 h1:VwnDOgLeoi2du6dAznfmspNqTiwczvjv4K7NxuY9jsY= +github.com/Microsoft/hcsshim v0.9.6/go.mod h1:7pLA8lDk46WKDWlVsENo92gC0XFa8rbKfyFRBqxEbCc= github.com/Microsoft/hcsshim/test v0.0.0-20210408205431-da33ecd607e1 h1:pVKfKyPkXna29XlGjxSr9J0A7vNucOUHZ/2ClcTWalw= github.com/Microsoft/hcsshim/test v0.0.0-20210408205431-da33ecd607e1/go.mod h1:Cmvnhlie15Ha2UYrJs9EhgSx76Bq9RV2FgfEiT78GhI= github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= diff --git a/vendor/github.com/Microsoft/hcsshim/internal/cow/cow.go b/vendor/github.com/Microsoft/hcsshim/internal/cow/cow.go index 27a62a723..f46af33bb 100644 --- a/vendor/github.com/Microsoft/hcsshim/internal/cow/cow.go +++ b/vendor/github.com/Microsoft/hcsshim/internal/cow/cow.go @@ -86,6 +86,12 @@ type Container interface { // container to be terminated by some error condition (including calling // Close). Wait() error + // WaitChannel returns the wait channel of the container + WaitChannel() <-chan struct{} + // WaitError returns the container termination error. + // This function should only be called after the channel in WaitChannel() + // is closed. Otherwise it is not thread safe. + WaitError() error // Modify sends a request to modify container resources Modify(ctx context.Context, config interface{}) error } 
diff --git a/vendor/github.com/Microsoft/hcsshim/internal/hcs/system.go b/vendor/github.com/Microsoft/hcsshim/internal/hcs/system.go index 1d45a703b..a76f6b253 100644 --- a/vendor/github.com/Microsoft/hcsshim/internal/hcs/system.go +++ b/vendor/github.com/Microsoft/hcsshim/internal/hcs/system.go @@ -287,11 +287,19 @@ func (computeSystem *System) waitBackground() { oc.SetSpanStatus(span, err) } +func (computeSystem *System) WaitChannel() <-chan struct{} { + return computeSystem.waitBlock +} + +func (computeSystem *System) WaitError() error { + return computeSystem.waitError +} + // Wait synchronously waits for the compute system to shutdown or terminate. If // the compute system has already exited returns the previous error (if any). func (computeSystem *System) Wait() error { - <-computeSystem.waitBlock - return computeSystem.waitError + <-computeSystem.WaitChannel() + return computeSystem.WaitError() } // ExitError returns an error describing the reason the compute system terminated. diff --git a/vendor/modules.txt b/vendor/modules.txt index e5a3ce449..af74ddbd9 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -11,7 +11,7 @@ github.com/Microsoft/go-winio/pkg/fs github.com/Microsoft/go-winio/pkg/guid github.com/Microsoft/go-winio/pkg/security github.com/Microsoft/go-winio/vhd -# github.com/Microsoft/hcsshim v0.9.5 +# github.com/Microsoft/hcsshim v0.9.6 ## explicit; go 1.13 github.com/Microsoft/hcsshim github.com/Microsoft/hcsshim/cmd/containerd-shim-runhcs-v1/options From be6ef225478765922c2cddf40fb902c0b128aabe Mon Sep 17 00:00:00 2001 
From: Qasim Sarfraz Date: Wed, 7 Dec 2022 16:22:41 +0100 Subject: [PATCH 26/39] cri: make swapping disabled with memory limit OCI runtime spec defines memory.swap as 'limit of memory+Swap usage' so setting them to equal should disable the swap. Also, this change should make containerd behaviour same as other runtimes e.g 'cri-dockerd/dockershim' and won't be impacted when user turn on 'NodeSwap' (https://github.com/kubernetes/enhancements/issues/2400) feature. Signed-off-by: Qasim Sarfraz (cherry picked from commit 69975b92bb7285e9228b93a184e5493481581f30) Signed-off-by: Qasim Sarfraz --- .../container_update_resources_test.go | 14 +++++++++++++ pkg/cri/opts/spec_linux.go | 4 ++++ .../container_update_resources_linux_test.go | 20 +++++++++++++++---- 3 files changed, 34 insertions(+), 4 deletions(-) diff --git a/integration/container_update_resources_test.go b/integration/container_update_resources_test.go index bcf8e414d..7096f5020 100644 --- a/integration/container_update_resources_test.go +++ b/integration/container_update_resources_test.go @@ -234,6 +234,13 @@ func TestUpdateContainerResources_MemoryLimit(t *testing.T) { EnsureImageExists(t, pauseImage) + expectedSwapLimit := func(memoryLimit int64) *int64 { + if cgroups.Mode() == cgroups.Unified { + memoryLimit = 0 + } + return &memoryLimit + } + t.Log("Create a container with memory limit") cnConfig := ContainerConfig( "container", @@ -251,6 +258,7 @@ func TestUpdateContainerResources_MemoryLimit(t *testing.T) { spec, err := container.Spec(context.Background()) require.NoError(t, err) checkMemoryLimit(t, spec, 200*1024*1024) + checkMemorySwapLimit(t, spec, expectedSwapLimit(200*1024*1024)) t.Log("Update container memory limit after created") err = runtimeService.UpdateContainerResources(cn, &runtime.LinuxContainerResources{ 
@@ -262,6 +270,7 @@ func TestUpdateContainerResources_MemoryLimit(t *testing.T) { spec, err = container.Spec(context.Background()) require.NoError(t, err) checkMemoryLimit(t, spec, 400*1024*1024) + checkMemorySwapLimit(t, spec, expectedSwapLimit(400*1024*1024)) t.Log("Start the container") require.NoError(t, runtimeService.StartContainer(cn)) @@ -274,6 +283,8 @@ func TestUpdateContainerResources_MemoryLimit(t *testing.T) { stat, err := cgroup.Stat(cgroups.IgnoreNotExist) require.NoError(t, err) assert.Equal(t, uint64(400*1024*1024), stat.Memory.Usage.Limit) + swapLimit := getCgroupSwapLimitForTask(t, task) + assert.Equal(t, uint64(400*1024*1024), swapLimit) t.Log("Update container memory limit after started") err = runtimeService.UpdateContainerResources(cn, &runtime.LinuxContainerResources{ @@ -285,11 +296,14 @@ func TestUpdateContainerResources_MemoryLimit(t *testing.T) { spec, err = container.Spec(context.Background()) require.NoError(t, err) checkMemoryLimit(t, spec, 800*1024*1024) + checkMemorySwapLimit(t, spec, expectedSwapLimit(800*1024*1024)) t.Log("Check memory limit in cgroup") stat, err = cgroup.Stat(cgroups.IgnoreNotExist) require.NoError(t, err) assert.Equal(t, uint64(800*1024*1024), stat.Memory.Usage.Limit) + swapLimit = getCgroupSwapLimitForTask(t, task) + assert.Equal(t, uint64(800*1024*1024), swapLimit) } func TestUpdateContainerResources_StatusUpdated(t *testing.T) { diff --git a/pkg/cri/opts/spec_linux.go b/pkg/cri/opts/spec_linux.go index 9306d42b6..17147020c 100644 --- a/pkg/cri/opts/spec_linux.go +++ b/pkg/cri/opts/spec_linux.go @@ -447,6 +447,10 @@ func WithResources(resources *runtime.LinuxContainerResources, tolerateMissingHu } if limit != 0 { s.Linux.Resources.Memory.Limit = &limit + // swap/memory limit should be equal to prevent container from swapping by default + if swapLimit == 0 { + s.Linux.Resources.Memory.Swap = &limit + } } if swapLimit != 0 { s.Linux.Resources.Memory.Swap = &swapLimit 
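Review bot: The new `if swapLimit == 0 { s.Linux.Resources.Memory.Swap = &limit }` in the `spec_linux.go` hunk sets a memory+swap limit whenever a memory limit is requested, but it never checks that the host actually exposes a swap controller; on a cgroup v1 host without `memory.memsw.limit_in_bytes` (the commit message of PATCH 35 on this page names Ubuntu 20.04 as such a default) the runtime cannot apply the limit and container creation fails. The guard belongs on controller availability, which is what PATCH 35 later in this series adds as `if swapLimit == 0 && swapControllerAvailable() {`. The comment could also say what "equal" means on each hierarchy, since the integration test expects a different value on cgroup v2; I am inferring the conversion from that expectation, so confirm it. `WithResources` starts and ends outside this hunk.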
diff --git a/pkg/cri/server/container_update_resources_linux_test.go b/pkg/cri/server/container_update_resources_linux_test.go index 1f68e3dbc..6a026e9c3 100644 --- a/pkg/cri/server/container_update_resources_linux_test.go +++ b/pkg/cri/server/container_update_resources_linux_test.go @@ -70,7 +70,10 @@ func TestUpdateOCILinuxResource(t *testing.T) { Process: &runtimespec.Process{OOMScoreAdj: oomscoreadj}, Linux: &runtimespec.Linux{ Resources: &runtimespec.LinuxResources{ - Memory: &runtimespec.LinuxMemory{Limit: proto.Int64(54321)}, + Memory: &runtimespec.LinuxMemory{ + Limit: proto.Int64(54321), + Swap: proto.Int64(54321), + }, CPU: &runtimespec.LinuxCPU{ Shares: proto.Uint64(4444), Quota: proto.Int64(5555), @@ -113,7 +116,10 @@ func TestUpdateOCILinuxResource(t *testing.T) { Process: &runtimespec.Process{OOMScoreAdj: oomscoreadj}, Linux: &runtimespec.Linux{ Resources: &runtimespec.LinuxResources{ - Memory: &runtimespec.LinuxMemory{Limit: proto.Int64(54321)}, + Memory: &runtimespec.LinuxMemory{ + Limit: proto.Int64(54321), + Swap: proto.Int64(54321), + }, CPU: &runtimespec.LinuxCPU{ Shares: proto.Uint64(4444), Quota: proto.Int64(5555), @@ -151,7 +157,10 @@ func TestUpdateOCILinuxResource(t *testing.T) { Process: &runtimespec.Process{OOMScoreAdj: oomscoreadj}, Linux: &runtimespec.Linux{ Resources: &runtimespec.LinuxResources{ - Memory: &runtimespec.LinuxMemory{Limit: proto.Int64(54321)}, + Memory: &runtimespec.LinuxMemory{ + Limit: proto.Int64(54321), + Swap: proto.Int64(54321), + }, CPU: &runtimespec.LinuxCPU{ Shares: proto.Uint64(4444), Quota: proto.Int64(5555), 
@@ -197,7 +206,10 @@ func TestUpdateOCILinuxResource(t *testing.T) { Process: &runtimespec.Process{OOMScoreAdj: oomscoreadj}, Linux: &runtimespec.Linux{ Resources: &runtimespec.LinuxResources{ - Memory: &runtimespec.LinuxMemory{Limit: proto.Int64(54321)}, + Memory: &runtimespec.LinuxMemory{ + Limit: proto.Int64(54321), + Swap: proto.Int64(54321), + }, CPU: &runtimespec.LinuxCPU{ Shares: proto.Uint64(4444), Quota: proto.Int64(5555), From d659a4fec91917104878939d8970bc790019c577 Mon Sep 17 00:00:00 2001 From: Gavin Inglis Date: Thu, 8 Dec 2022 22:04:24 +0000 Subject: [PATCH 27/39] allow client to remove created tasks with PID 0 Fixes #7357 If a container is restored from a checkpoint that has a configuration error, the task for the restored container is created, but fails to start and is left in the state CREATED with a PID of 0. Before this change, the only way to remove this task was to find the PID of the shim monitoring the task and kill that process. Now, ctr t rm will work on tasks that result in the CREATED state with PID 0. Signed-off-by: Gavin Inglis (cherry picked from commit 80839f11e2ea6759eed4b5e616d65cb59258a5f3) Signed-off-by: Gavin Inglis --- task.go | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/task.go b/task.go index 692d92c1d..105d4fbc3 100644 --- a/task.go +++ b/task.go @@ -310,6 +310,11 @@ func (t *task) Delete(ctx context.Context, opts ...ProcessDeleteOpts) (*ExitStat // On windows Created is akin to Stopped break } + if t.pid == 0 { + // allow for deletion of created tasks with PID 0 + // https://github.com/containerd/containerd/issues/7357 + break + } fallthrough default: return nil, fmt.Errorf("task must be stopped before deletion: %s: %w", status.Status, errdefs.ErrFailedPrecondition) From 0e8f5e275da12534dd4cf53f79f73c8cf1b20427 Mon Sep 17 00:00:00 2001 From: chaunceyjiang Date: Tue, 13 Dec 2022 20:08:23 +0800 Subject: [PATCH 28/39] fatal error: concurrent map iteration and map write 
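Review bot: The new `if t.pid == 0 { break }` in the `Created` case widens deletion to every created task whose PID was never recorded, on every platform, yet the comment only cites the issue number and not the invariant that makes this safe. Spell it out so a later reader does not remove it as dead code, e.g. `// A Created task with PID 0 never got an init process (e.g. a restore that failed to start), so there is nothing to stop before deleting it.` Whether `t.pid` can still be 0 for a task whose start is in flight is not visible here; if it can, the check races with start and that should be documented or guarded. `Delete` starts and ends outside the hunk.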
Signed-off-by: chaunceyjiang (cherry picked from commit 5a3a9baec96cb674406eeecf93da6e5e1fb201d6) Signed-off-by: Derek McGowan --- pkg/cri/streaming/portforward/httpstream.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/cri/streaming/portforward/httpstream.go b/pkg/cri/streaming/portforward/httpstream.go index f961cdb6f..685cd8b5d 100644 --- a/pkg/cri/streaming/portforward/httpstream.go +++ b/pkg/cri/streaming/portforward/httpstream.go @@ -155,11 +155,11 @@ func (h *httpStreamHandler) getStreamPair(requestID string) (*httpStreamPair, bo func (h *httpStreamHandler) monitorStreamPair(p *httpStreamPair, timeout <-chan time.Time) { select { case <-timeout: - err := fmt.Errorf("(conn=%v, request=%s) timed out waiting for streams", h.conn, p.requestID) + err := fmt.Errorf("(conn=%p, request=%s) timed out waiting for streams", h.conn, p.requestID) utilruntime.HandleError(err) p.printError(err.Error()) case <-p.complete: - klog.V(5).Infof("(conn=%v, request=%s) successfully received error and data streams", h.conn, p.requestID) + klog.V(5).Infof("(conn=%p, request=%s) successfully received error and data streams", h.conn, p.requestID) } h.removeStreamPair(p.requestID) } From c8889dfec9647b264ec93eb6903e2aa8a0843573 Mon Sep 17 00:00:00 2001 From: Mike Brown Date: Tue, 13 Dec 2022 16:18:18 -0600 Subject: [PATCH 29/39] nil check to avoid panic on upgrade Signed-off-by: Mike Brown (cherry picked from commit ce3a7327092b98e0287f24b73534d2e16acbf162) Signed-off-by: Derek McGowan --- pkg/cri/store/container/status.go | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/pkg/cri/store/container/status.go b/pkg/cri/store/container/status.go index 1cf9a204e..0dedb6f6b 100644 --- a/pkg/cri/store/container/status.go +++ b/pkg/cri/store/container/status.go 
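Review bot: The switch from `%v` to `%p` is the whole fix, but nothing in the code records that the verb is load-bearing, so the next person tidying format strings can reintroduce the crash. Add a comment above the first `fmt.Errorf`, e.g. `// Format the connection with %p: %v walks its fields via reflection, including maps written by other goroutines (fatal "concurrent map iteration and map write").` Any other `%v` formatting of `h.conn` elsewhere in the package would have the same problem; none is visible in this hunk, so it is worth a grep.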
@@ -222,10 +222,12 @@ func deepCopyOf(s Status) Status { if s.Resources != nil && s.Resources.Linux != nil { hugepageLimits := make([]*runtime.HugepageLimit, len(s.Resources.Linux.HugepageLimits)) for _, l := range s.Resources.Linux.HugepageLimits { - hugepageLimits = append(hugepageLimits, &runtime.HugepageLimit{ - PageSize: l.PageSize, - Limit: l.Limit, - }) + if l != nil { + hugepageLimits = append(hugepageLimits, &runtime.HugepageLimit{ + PageSize: l.PageSize, + Limit: l.Limit, + }) + } } copy.Resources = &runtime.ContainerResources{ Linux: &runtime.LinuxContainerResources{ From e260e8ab739081d43d35054bd587111a25efb3fc Mon Sep 17 00:00:00 2001 From: Derek McGowan Date: Wed, 14 Dec 2022 12:22:05 -0800 Subject: [PATCH 30/39] Prepare release notes for v1.6.13 Signed-off-by: Derek McGowan --- releases/v1.6.13.toml | 26 ++++++++++++++++++++++++++ version/version.go | 2 +- 2 files changed, 27 insertions(+), 1 deletion(-) create mode 100644 releases/v1.6.13.toml diff --git a/releases/v1.6.13.toml b/releases/v1.6.13.toml new file mode 100644 index 000000000..b32a38463 --- /dev/null +++ b/releases/v1.6.13.toml 
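Review bot: The nil guard avoids the dereference, but the slice it appends to is created with `make([]*runtime.HugepageLimit, len(s.Resources.Linux.HugepageLimits))`, i.e. with a length rather than a capacity, so every copy begins with `len(...)` nil entries followed by the appended copies. Those leading nil entries are exactly what the new `if l != nil` has to skip the next time a copied status is passed through `deepCopyOf`, and they presumably end up in anything the copy is serialized to; change the context line to `hugepageLimits := make([]*runtime.HugepageLimit, 0, len(s.Resources.Linux.HugepageLimits))`. With that fix the nil check is still worthwhile for data loaded from older metadata, which the commit message's "on upgrade" suggests is the case it was written for. `deepCopyOf` starts and ends outside the hunk.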
@@ -0,0 +1,26 @@ +# commit to be tagged for new release +commit = "HEAD" + +project_name = "containerd" +github_repo = "containerd/containerd" +match_deps = "^github.com/(containerd/[a-zA-Z0-9-]+)$" + +# previous release +previous = "v1.6.12" + +pre_release = false + +preface = """\ +The thirteenth patch release for containerd 1.6 contains various fixes and updates. + +### Notable Updates + +* **Update overlay snapshotter to check for tmpfs when evaluating usage of userxattr** ([#7788](https://github.com/containerd/containerd/pull/7788)) +* **Update hcsschim to v0.9.6 to fix resource leak on exec** ([#7808](https://github.com/containerd/containerd/pull/7808)) +* **Make swapping disabled with memory limit in CRI plugin** ([#7815](https://github.com/containerd/containerd/pull/7815)) +* **Allow clients to remove created tasks with PID 0** ([#7816](https://github.com/containerd/containerd/pull/7816)) +* **Fix concurrent map iteration and map write in CRI port forwarding** ([#7819](https://github.com/containerd/containerd/pull/7819)) +* **Check for nil `HugepageLimits` to avoid panic in CRI plugin** ([#7820](https://github.com/containerd/containerd/pull/7820)) + + +See the changelog for complete list of changes""" diff --git a/version/version.go b/version/version.go index 6e76097d2..6938279ee 100644 --- a/version/version.go +++ b/version/version.go @@ -23,7 +23,7 @@ var ( Package = "github.com/containerd/containerd" // Version holds the complete version number. Filled in at linking time. - Version = "1.6.12+unknown" + Version = "1.6.13+unknown" // Revision is filled with the VCS (e.g. git) revision being used to build // the program at linking time. From 1a5e26e7760b9ec429ca552a56b61067a0468316 Mon Sep 17 00:00:00 2001 
From: Akhil Mohan Date: Fri, 25 Nov 2022 13:34:36 +0530 Subject: [PATCH 31/39] support fetching containerd from non public GCS buckets - add support to fetch and download containerd tarball from GCS buckets that require authentication. GCS_BUCKET_TOKEN should have read access to the bucket from which artifacts are to be fetched. The token is expected to be present in the instance metadata of the VM, similar to other node environment variables Signed-off-by: Akhil Mohan (cherry picked from commit 9df96dc46acf2108b2e299553cceaa3dac1ee2ad) Signed-off-by: Akhil Mohan --- contrib/gce/configure.sh | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/contrib/gce/configure.sh b/contrib/gce/configure.sh index 3ac717e4a..5721f0553 100755 --- a/contrib/gce/configure.sh +++ b/contrib/gce/configure.sh @@ -104,6 +104,15 @@ if [ -f "${CONTAINERD_HOME}/${CONTAINERD_ENV_METADATA}" ]; then source "${CONTAINERD_HOME}/${CONTAINERD_ENV_METADATA}" fi +# GCS_BUCKET_TOKEN_METADATA is the metadata key for the GCS bucket token +GCS_BUCKET_TOKEN_METADATA="GCS_BUCKET_TOKEN" +# GCS_BUCKET_TOKEN should have read access to the bucket from which +# containerd artifacts need to be downloaded +GCS_BUCKET_TOKEN=$(fetch_metadata "${GCS_BUCKET_TOKEN_METADATA}") +if [[ -n "${GCS_BUCKET_TOKEN}" ]]; then + HEADERS=(-H "Authorization: Bearer ${GCS_BUCKET_TOKEN}") +fi + # CONTAINERD_PKG_PREFIX is the prefix of the cri-containerd tarball name. # By default use the release tarball with cni built in. pkg_prefix=${CONTAINERD_PKG_PREFIX:-"cri-containerd-cni"} @@ -126,7 +135,7 @@ else # TODO(random-liu): Put version into the metadata instead of # deciding it in cloud init. This may cause issue to reboot test. - version=$(curl -f --ipv4 --retry 6 --retry-delay 3 --silent --show-error \ + version=$(curl -X GET "${HEADERS[@]}" -f --ipv4 --retry 6 --retry-delay 3 --silent --show-error \ https://storage.googleapis.com/${deploy_path}/latest) fi 
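Review bot: `HEADERS` is only assigned inside the `if`, so when no token is present `"${HEADERS[@]}"` expands an unset array; under `set -u` (bash before 4.4 treats an empty array as unbound) that aborts the script at the first curl, and that expansion appears in this hunk's `version=$(curl -X GET "${HEADERS[@]}" ...)` and in the `@@ -152,7 +161,7 @@` hunk as well. Declare it up front, `HEADERS=()`, before the `if`. Also, `GCS_BUCKET_TOKEN` and the `Authorization: Bearer` header are written to the xtrace stream if the script runs with `set -x`, which PATCH 32 on this page addresses by wrapping the block in `set +x`/`set -x`; the `-X GET` is redundant with curl's default and can be dropped.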
@@ -152,7 +161,7 @@ else echo "${TARBALL_GCS_NAME} is preloaded" else # Download and untar the release tar ball. - curl -f --ipv4 -Lo "${TARBALL}" --connect-timeout 20 --max-time 300 --retry 6 --retry-delay 10 "${TARBALL_GCS_PATH}" + curl -X GET "${HEADERS[@]}" -f --ipv4 -Lo "${TARBALL}" --connect-timeout 20 --max-time 300 --retry 6 --retry-delay 10 "${TARBALL_GCS_PATH}" tar xvf "${TARBALL}" rm -f "${TARBALL}" fi From bd7db859d8951d93fcd21c152089e0b2147b747b Mon Sep 17 00:00:00 2001 From: Akhil Mohan Date: Thu, 8 Dec 2022 12:01:05 +0530 Subject: [PATCH 32/39] disable tracing while handling token Signed-off-by: Akhil Mohan (cherry picked from commit b94c1018af9d1fbb3f350cb639636e72d61d4468) Signed-off-by: Akhil Mohan --- contrib/gce/configure.sh | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/contrib/gce/configure.sh b/contrib/gce/configure.sh index 5721f0553..7830cc6f6 100755 --- a/contrib/gce/configure.sh +++ b/contrib/gce/configure.sh @@ -104,6 +104,7 @@ if [ -f "${CONTAINERD_HOME}/${CONTAINERD_ENV_METADATA}" ]; then source "${CONTAINERD_HOME}/${CONTAINERD_ENV_METADATA}" fi +set +x # GCS_BUCKET_TOKEN_METADATA is the metadata key for the GCS bucket token GCS_BUCKET_TOKEN_METADATA="GCS_BUCKET_TOKEN" # GCS_BUCKET_TOKEN should have read access to the bucket from which @@ -112,6 +113,7 @@ GCS_BUCKET_TOKEN=$(fetch_metadata "${GCS_BUCKET_TOKEN_METADATA}") if [[ -n "${GCS_BUCKET_TOKEN}" ]]; then HEADERS=(-H "Authorization: Bearer ${GCS_BUCKET_TOKEN}") fi +set -x # CONTAINERD_PKG_PREFIX is the prefix of the cri-containerd tarball name. # By default use the release tarball with cni built in. 
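Review bot: The `set -x` added after the token block turns tracing on unconditionally, regardless of whether it was on before; if the script is not otherwise run under xtrace this silently starts tracing the rest of the run, and if it is, the preceding `set +x` line is itself still traced (harmless, but worth knowing). Save and restore the option instead of assuming it, e.g. `xtrace_was_on=$([[ $- == *x* ]] && echo 1 || echo 0)` before `set +x` and `[[ "$xtrace_was_on" == 1 ]] && set -x` after. The token also stays resident in `GCS_BUCKET_TOKEN` and in the `HEADERS` array for the rest of the script, so every later traced command that expands them would print it; the two `curl` sites are handled in this patch's other hunks, but any future use of `HEADERS` needs the same care.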
@@ -135,7 +137,7 @@ else # TODO(random-liu): Put version into the metadata instead of # deciding it in cloud init. This may cause issue to reboot test. - version=$(curl -X GET "${HEADERS[@]}" -f --ipv4 --retry 6 --retry-delay 3 --silent --show-error \ + version=$(set +x; curl -X GET "${HEADERS[@]}" -f --ipv4 --retry 6 --retry-delay 3 --silent --show-error \ https://storage.googleapis.com/${deploy_path}/latest) fi @@ -161,7 +163,8 @@ else echo "${TARBALL_GCS_NAME} is preloaded" else # Download and untar the release tar ball. - curl -X GET "${HEADERS[@]}" -f --ipv4 -Lo "${TARBALL}" --connect-timeout 20 --max-time 300 --retry 6 --retry-delay 10 "${TARBALL_GCS_PATH}" + $(set +x; curl -X GET "${HEADERS[@]}" -f --ipv4 -Lo "${TARBALL}" --connect-timeout 20 --max-time 300 --retry 6 \ + --retry-delay 10 "${TARBALL_GCS_PATH}") tar xvf "${TARBALL}" rm -f "${TARBALL}" fi From e8b22c100b33e4f9eab68050a2b75deb7f0fadf1 Mon Sep 17 00:00:00 2001 From: Akhil Mohan Date: Fri, 16 Dec 2022 22:29:48 +0530 Subject: [PATCH 33/39] Revert "[release/1.6] support fetching containerd from non public GCS buckets" Signed-off-by: Akhil Mohan --- contrib/gce/configure.sh | 16 ++-------------- 1 file changed, 2 insertions(+), 14 deletions(-) diff --git a/contrib/gce/configure.sh b/contrib/gce/configure.sh index 7830cc6f6..3ac717e4a 100755 --- a/contrib/gce/configure.sh +++ b/contrib/gce/configure.sh 
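Review bot: `$(set +x; curl -X GET "${HEADERS[@]}" -f --ipv4 -Lo "${TARBALL}" ...)` in the `@@ -161,7 +163,8 @@` hunk runs the download inside a command substitution at statement position, so whatever curl writes to stdout is then executed as a shell command; with `-Lo` stdout is normally empty, but that is the wrong construct for "run in a subshell with tracing off" and any stray output (a redirect failure, a future flag change) becomes a command. Use a plain subshell group instead: `(set +x; curl -X GET "${HEADERS[@]}" -f --ipv4 -Lo "${TARBALL}" --connect-timeout 20 --max-time 300 --retry 6 --retry-delay 10 "${TARBALL_GCS_PATH}")`. The `version=$(set +x; curl ...)` form in the `@@ -135,7 +137,7 @@` hunk is fine, since there the output is meant to be captured.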
@@ -104,17 +104,6 @@ if [ -f "${CONTAINERD_HOME}/${CONTAINERD_ENV_METADATA}" ]; then source "${CONTAINERD_HOME}/${CONTAINERD_ENV_METADATA}" fi -set +x -# GCS_BUCKET_TOKEN_METADATA is the metadata key for the GCS bucket token -GCS_BUCKET_TOKEN_METADATA="GCS_BUCKET_TOKEN" -# GCS_BUCKET_TOKEN should have read access to the bucket from which -# containerd artifacts need to be downloaded -GCS_BUCKET_TOKEN=$(fetch_metadata "${GCS_BUCKET_TOKEN_METADATA}") -if [[ -n "${GCS_BUCKET_TOKEN}" ]]; then - HEADERS=(-H "Authorization: Bearer ${GCS_BUCKET_TOKEN}") -fi -set -x - # CONTAINERD_PKG_PREFIX is the prefix of the cri-containerd tarball name. # By default use the release tarball with cni built in. pkg_prefix=${CONTAINERD_PKG_PREFIX:-"cri-containerd-cni"} @@ -137,7 +126,7 @@ else # TODO(random-liu): Put version into the metadata instead of # deciding it in cloud init. This may cause issue to reboot test. - version=$(set +x; curl -X GET "${HEADERS[@]}" -f --ipv4 --retry 6 --retry-delay 3 --silent --show-error \ + version=$(curl -f --ipv4 --retry 6 --retry-delay 3 --silent --show-error \ https://storage.googleapis.com/${deploy_path}/latest) fi @@ -163,8 +152,7 @@ else echo "${TARBALL_GCS_NAME} is preloaded" else # Download and untar the release tar ball. - $(set +x; curl -X GET "${HEADERS[@]}" -f --ipv4 -Lo "${TARBALL}" --connect-timeout 20 --max-time 300 --retry 6 \ - --retry-delay 10 "${TARBALL_GCS_PATH}") + curl -f --ipv4 -Lo "${TARBALL}" --connect-timeout 20 --max-time 300 --retry 6 --retry-delay 10 "${TARBALL_GCS_PATH}" tar xvf "${TARBALL}" rm -f "${TARBALL}" fi From 1347d7c87b01fb27b44a8c3f16b1e8c18ca656bc Mon Sep 17 00:00:00 2001 From: Derek McGowan Date: Sun, 18 Dec 2022 22:23:59 -0800 Subject: [PATCH 34/39] Prepare release notes for v1.6.14 Signed-off-by: Derek McGowan --- releases/v1.6.14.toml | 20 ++++++++++++++++++++ version/version.go | 2 +- 2 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 releases/v1.6.14.toml 
diff --git a/releases/v1.6.14.toml b/releases/v1.6.14.toml new file mode 100644 index 000000000..8afb02e6a --- /dev/null +++ b/releases/v1.6.14.toml @@ -0,0 +1,20 @@ +# commit to be tagged for new release +commit = "HEAD" + +project_name = "containerd" +github_repo = "containerd/containerd" +match_deps = "^github.com/(containerd/[a-zA-Z0-9-]+)$" + +# previous release +previous = "v1.6.13" + +pre_release = false + +preface = """\ +The fourteenth patch release for containerd 1.6 fixes a regression in the CRI plugin related to swap + +### Notable Updates + +* **Fix `memory.memsw.limit_in_bytes: no such file or directory` error in CRI plugin** ([#7838](https://github.com/containerd/containerd/pull/7838)) + +See the changelog for complete list of changes""" diff --git a/version/version.go b/version/version.go index 6938279ee..531af7953 100644 --- a/version/version.go +++ b/version/version.go @@ -23,7 +23,7 @@ var ( Package = "github.com/containerd/containerd" // Version holds the complete version number. Filled in at linking time. - Version = "1.6.13+unknown" + Version = "1.6.14+unknown" // Revision is filled with the VCS (e.g. git) revision being used to build // the program at linking time. From 53c733e0bacd44d52cbe58a31dbc1ff2ca0d5403 Mon Sep 17 00:00:00 2001 From: Akihiro Suda Date: Mon, 19 Dec 2022 10:50:18 +0900 Subject: [PATCH 35/39] cri: fix `memory.memsw.limit_in_bytes: no such file or directory` Skip automatic `if swapLimit == 0 { s.Linux.Resources.Memory.Swap = &limit }` when the swap controller is missing. (default on Ubuntu 20.04) Fix issue 7828 (regression in PR 7783 "cri: make swapping disabled with memory limit") Cherry-Pick was not cleaned, required updated cgroups library from v1.0.3 to v1.0.4 Signed-off-by: Akihiro Suda (cherry picked from commit 41575038819551c255ea2385dfe6c63cb7048dca) 
Signed-off-by: Derek McGowan --- go.mod | 2 +- go.sum | 3 +- integration/client/go.mod | 2 +- integration/client/go.sum | 4 +- pkg/cri/opts/spec_linux.go | 33 ++++++++++++- .../github.com/containerd/cgroups/README.md | 2 +- .../github.com/containerd/cgroups/Vagrantfile | 8 ++-- vendor/github.com/containerd/cgroups/utils.go | 29 ++++++++---- .../containerd/cgroups/v2/manager.go | 46 +++++++++++++++++-- .../containerd/cgroups/v2/memory.go | 7 +++ .../github.com/containerd/cgroups/v2/utils.go | 2 +- vendor/modules.txt | 4 +- 12 files changed, 113 insertions(+), 29 deletions(-) diff --git a/go.mod b/go.mod index 9b4e65e23..e208c17df 100644 --- a/go.mod +++ b/go.mod @@ -8,7 +8,7 @@ require ( github.com/Microsoft/hcsshim v0.9.6 github.com/containerd/aufs v1.0.0 github.com/containerd/btrfs v1.0.0 - github.com/containerd/cgroups v1.0.3 + github.com/containerd/cgroups v1.0.4 github.com/containerd/console v1.0.3 github.com/containerd/continuity v0.3.0 github.com/containerd/fifo v1.0.0 diff --git a/go.sum b/go.sum index 47832e81d..a9d1902af 100644 --- a/go.sum +++ b/go.sum 
@@ -183,8 +183,9 @@ github.com/containerd/cgroups v0.0.0-20200710171044-318312a37340/go.mod h1:s5q4S github.com/containerd/cgroups v0.0.0-20200824123100-0b889c03f102/go.mod h1:s5q4SojHctfxANBDvMeIaIovkq29IP48TKAxnhYRxvo= github.com/containerd/cgroups v0.0.0-20210114181951-8a68de567b68/go.mod h1:ZJeTFisyysqgcCdecO57Dj79RfL0LNeGiFUqLYQRYLE= github.com/containerd/cgroups v1.0.1/go.mod h1:0SJrPIenamHDcZhEcJMNBB85rHcUsw4f25ZfBiPYRkU= -github.com/containerd/cgroups v1.0.3 h1:ADZftAkglvCiD44c77s5YmMqaP2pzVCFZvBmAlBdAP4= github.com/containerd/cgroups v1.0.3/go.mod h1:/ofk34relqNjSGyqPrmEULrO4Sc8LJhvJmWbUCUKqj8= +github.com/containerd/cgroups v1.0.4 h1:jN/mbWBEaz+T1pi5OFtnkQ+8qnmEbAr1Oo1FRm5B0dA= +github.com/containerd/cgroups v1.0.4/go.mod h1:nLNQtsF7Sl2HxNebu77i1R0oDlhiTG+kO4JTrUzo6IA= github.com/containerd/console v0.0.0-20180822173158-c12b1e7919c1/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw= github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw= github.com/containerd/console v0.0.0-20191206165004-02ecf6a7291e/go.mod h1:8Pf4gM6VEbTNRIT26AyyU7hxdQU3MvAvxVI0sc00XBE= diff --git a/integration/client/go.mod b/integration/client/go.mod index 7cae31ddf..2cd10f341 100644 --- a/integration/client/go.mod +++ b/integration/client/go.mod @@ -5,7 +5,7 @@ go 1.15 require ( github.com/Microsoft/hcsshim v0.9.6 github.com/Microsoft/hcsshim/test v0.0.0-20210408205431-da33ecd607e1 - github.com/containerd/cgroups v1.0.3 + github.com/containerd/cgroups v1.0.4 // the actual version of containerd is replaced with the code at the root of this repository github.com/containerd/containerd v1.6.1 github.com/containerd/go-runc v1.0.0 diff --git a/integration/client/go.sum b/integration/client/go.sum index b59a28f7a..dbad78fc1 100644 --- a/integration/client/go.sum +++ b/integration/client/go.sum 
@@ -121,8 +121,8 @@ github.com/containerd/aufs v1.0.0/go.mod h1:kL5kd6KM5TzQjR79jljyi4olc1Vrx6XBlcyj github.com/containerd/btrfs v1.0.0/go.mod h1:zMcX3qkXTAi9GI50+0HOeuV8LU2ryCE/V2vG/ZBiTss= github.com/containerd/cgroups v0.0.0-20200824123100-0b889c03f102/go.mod h1:s5q4SojHctfxANBDvMeIaIovkq29IP48TKAxnhYRxvo= github.com/containerd/cgroups v1.0.1/go.mod h1:0SJrPIenamHDcZhEcJMNBB85rHcUsw4f25ZfBiPYRkU= -github.com/containerd/cgroups v1.0.3 h1:ADZftAkglvCiD44c77s5YmMqaP2pzVCFZvBmAlBdAP4= -github.com/containerd/cgroups v1.0.3/go.mod h1:/ofk34relqNjSGyqPrmEULrO4Sc8LJhvJmWbUCUKqj8= +github.com/containerd/cgroups v1.0.4 h1:jN/mbWBEaz+T1pi5OFtnkQ+8qnmEbAr1Oo1FRm5B0dA= +github.com/containerd/cgroups v1.0.4/go.mod h1:nLNQtsF7Sl2HxNebu77i1R0oDlhiTG+kO4JTrUzo6IA= github.com/containerd/console v0.0.0-20191206165004-02ecf6a7291e/go.mod h1:8Pf4gM6VEbTNRIT26AyyU7hxdQU3MvAvxVI0sc00XBE= github.com/containerd/console v1.0.1/go.mod h1:XUsP6YE/mKtz6bxc+I8UiKKTP04qjQL4qcS3XoQ5xkw= github.com/containerd/console v1.0.2/go.mod h1:ytZPjGgY2oeTkAONYafi2kSj0aYggsf8acV1PGKCbzQ= diff --git a/pkg/cri/opts/spec_linux.go b/pkg/cri/opts/spec_linux.go index 17147020c..1baf5f30a 100644 --- a/pkg/cri/opts/spec_linux.go +++ b/pkg/cri/opts/spec_linux.go @@ -28,6 +28,7 @@ import ( "sync" "syscall" + "github.com/containerd/cgroups" "github.com/containerd/containerd/containers" "github.com/containerd/containerd/log" "github.com/containerd/containerd/mount" 
@@ -403,6 +404,36 @@ func WithSelinuxLabels(process, mount string) oci.SpecOpts { } } +var ( + swapControllerAvailability bool + swapControllerAvailabilityOnce sync.Once +) + +func swapControllerAvailable() bool { + swapControllerAvailabilityOnce.Do(func() { + const warn = "Failed to detect the availability of the swap controller, assuming not available" + p := "/sys/fs/cgroup/memory/memory.memsw.limit_in_bytes" + if cgroups.Mode() == cgroups.Unified { + // memory.swap.max does not exist in the cgroup root, so we check /sys/fs/cgroup//memory.swap.max + _, unified, err := cgroups.ParseCgroupFileUnified("/proc/self/cgroup") + if err != nil { + err = fmt.Errorf("failed to parse /proc/self/cgroup: %w", err) + logrus.WithError(err).Warn(warn) + return + } + p = filepath.Join("/sys/fs/cgroup", unified, "memory.swap.max") + } + if _, err := os.Stat(p); err != nil { + if !errors.Is(err, os.ErrNotExist) { + logrus.WithError(err).Warn(warn) + } + return + } + swapControllerAvailability = true + }) + return swapControllerAvailability +} + // WithResources sets the provided resource restrictions func WithResources(resources *runtime.LinuxContainerResources, tolerateMissingHugetlbController, disableHugetlbController bool) oci.SpecOpts { return func(ctx context.Context, client oci.Client, c *containers.Container, s *runtimespec.Spec) (err error) { @@ -448,7 +479,7 @@ func WithResources(resources *runtime.LinuxContainerResources, tolerateMissingHu if limit != 0 { s.Linux.Resources.Memory.Limit = &limit // swap/memory limit should be equal to prevent container from swapping by default - if swapLimit == 0 { + if swapLimit == 0 && swapControllerAvailable() { s.Linux.Resources.Memory.Swap = &limit } } diff --git a/vendor/github.com/containerd/cgroups/README.md b/vendor/github.com/containerd/cgroups/README.md index fc2c7a9be..eccb9d984 100644 --- a/vendor/github.com/containerd/cgroups/README.md +++ b/vendor/github.com/containerd/cgroups/README.md 
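Review bot: In the `cgroups.Unified` branch `swapControllerAvailable` builds `p` from the `unified` path returned by `ParseCgroupFileUnified`; if `/proc/self/cgroup` has no unified entry that value is the empty string, `p` collapses to `/sys/fs/cgroup/memory.swap.max` — the root file the comment itself says does not exist — and the function returns false without logging, so swap limits silently stop being applied. Add `if unified == "" { logrus.Warn(warn); return }` after the error check. The function also lacks a doc comment; something like `// swapControllerAvailable reports whether the host exposes a swap limit (memory.memsw.limit_in_bytes on cgroup v1, memory.swap.max in this process's cgroup on v2); detected once and cached for the process lifetime.` would do. The `/sys/fs/cgroup//memory.swap.max` in the existing comment looks like a placeholder for the cgroup path that was lost, and should be reworded so it reads correctly.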
@@ -26,7 +26,7 @@ uses the v1 implementation of cgroups. ```go shares := uint64(100) control, err := cgroups.New(cgroups.V1, cgroups.StaticPath("/test"), &specs.LinuxResources{ - CPU: &specs.CPU{ + CPU: &specs.LinuxCPU{ Shares: &shares, }, }) diff --git a/vendor/github.com/containerd/cgroups/Vagrantfile b/vendor/github.com/containerd/cgroups/Vagrantfile index 4596ad8a7..9a4aac8cb 100644 --- a/vendor/github.com/containerd/cgroups/Vagrantfile +++ b/vendor/github.com/containerd/cgroups/Vagrantfile @@ -3,19 +3,19 @@ Vagrant.configure("2") do |config| # Fedora box is used for testing cgroup v2 support - config.vm.box = "fedora/32-cloud-base" + config.vm.box = "fedora/35-cloud-base" config.vm.provider :virtualbox do |v| - v.memory = 2048 + v.memory = 4096 v.cpus = 2 end config.vm.provider :libvirt do |v| - v.memory = 2048 + v.memory = 4096 v.cpus = 2 end config.vm.provision "shell", inline: <<-SHELL set -eux -o pipefail # configuration - GO_VERSION="1.15" + GO_VERSION="1.17.7" # install gcc and Golang dnf -y install gcc diff --git a/vendor/github.com/containerd/cgroups/utils.go b/vendor/github.com/containerd/cgroups/utils.go index 2297980d9..217138975 100644 --- a/vendor/github.com/containerd/cgroups/utils.go +++ b/vendor/github.com/containerd/cgroups/utils.go 
@@ -261,21 +261,28 @@ func parseKV(raw string) (string, uint64, error) { // "pids": "/user.slice/user-1000.slice" // etc. // -// Note that for cgroup v2 unified hierarchy, there are no per-controller -// cgroup paths, so the resulting map will have a single element where the key -// is empty string ("") and the value is the cgroup path the is in. +// The resulting map does not have an element for cgroup v2 unified hierarchy. +// Use ParseCgroupFileUnified to get the unified path. func ParseCgroupFile(path string) (map[string]string, error) { + x, _, err := ParseCgroupFileUnified(path) + return x, err +} + +// ParseCgroupFileUnified returns legacy subsystem paths as the first value, +// and returns the unified path as the second value. +func ParseCgroupFileUnified(path string) (map[string]string, string, error) { f, err := os.Open(path) if err != nil { - return nil, err + return nil, "", err } defer f.Close() - return parseCgroupFromReader(f) + return parseCgroupFromReaderUnified(f) } -func parseCgroupFromReader(r io.Reader) (map[string]string, error) { +func parseCgroupFromReaderUnified(r io.Reader) (map[string]string, string, error) { var ( cgroups = make(map[string]string) + unified = "" s = bufio.NewScanner(r) ) for s.Scan() { @@ -284,18 +291,20 @@ func parseCgroupFromReader(r io.Reader) (map[string]string, error) { parts = strings.SplitN(text, ":", 3) ) if len(parts) < 3 { - return nil, fmt.Errorf("invalid cgroup entry: %q", text) + return nil, unified, fmt.Errorf("invalid cgroup entry: %q", text) } for _, subs := range strings.Split(parts[1], ",") { - if subs != "" { + if subs == "" { + unified = parts[2] + } else { cgroups[subs] = parts[2] } } } if err := s.Err(); err != nil { - return nil, err + return nil, unified, err } - return cgroups, nil + return cgroups, unified, nil } func getCgroupDestination(subsystem string) (string, error) { 
diff --git a/vendor/github.com/containerd/cgroups/v2/manager.go b/vendor/github.com/containerd/cgroups/v2/manager.go index afed14c6e..1f017509f 100644 --- a/vendor/github.com/containerd/cgroups/v2/manager.go +++ b/vendor/github.com/containerd/cgroups/v2/manager.go @@ -240,6 +240,10 @@ func (c *Manager) Controllers() ([]string, error) { return strings.Fields(string(b)), nil } +func (c *Manager) Update(resources *Resources) error { + return setResources(c.path, resources) +} + type ControllerToggle int const ( @@ -701,12 +705,39 @@ func setDevices(path string, devices []specs.LinuxDeviceCgroup) error { return nil } +// getSystemdFullPath returns the full systemd path when creating a systemd slice group. +// the reason this is necessary is because the "-" character has a special meaning in +// systemd slice. For example, when creating a slice called "my-group-112233.slice", +// systemd will create a hierarchy like this: +// /sys/fs/cgroup/my.slice/my-group.slice/my-group-112233.slice +func getSystemdFullPath(slice, group string) string { + return filepath.Join(defaultCgroup2Path, dashesToPath(slice), dashesToPath(group)) +} + +// dashesToPath converts a slice name with dashes to it's corresponding systemd filesystem path. +func dashesToPath(in string) string { + path := "" + if strings.HasSuffix(in, ".slice") && strings.Contains(in, "-") { + parts := strings.Split(in, "-") + for i := range parts { + s := strings.Join(parts[0:i+1], "-") + if !strings.HasSuffix(s, ".slice") { + s += ".slice" + } + path = filepath.Join(path, s) + } + } else { + path = filepath.Join(path, in) + } + return path +} + func NewSystemd(slice, group string, pid int, resources *Resources) (*Manager, error) { if slice == "" { slice = defaultSlice } ctx := context.TODO() - path := filepath.Join(defaultCgroup2Path, slice, group) + path := getSystemdFullPath(slice, group) conn, err := systemdDbus.NewWithContext(ctx) if err != nil { return &Manager{}, err 
@@ -734,12 +765,17 @@ func NewSystemd(slice, group string, pid int, resources *Resources) (*Manager, e
 properties = append(properties, newSystemdProperty("PIDs", []uint32{uint32(pid)}))
 }
 
- if resources.Memory != nil && *resources.Memory.Max != 0 {
+ if resources.Memory != nil && resources.Memory.Min != nil && *resources.Memory.Min != 0 {
+ properties = append(properties,
+ newSystemdProperty("MemoryMin", uint64(*resources.Memory.Min)))
+ }
+
+ if resources.Memory != nil && resources.Memory.Max != nil && *resources.Memory.Max != 0 {
 properties = append(properties,
 newSystemdProperty("MemoryMax", uint64(*resources.Memory.Max)))
 }
 
- if resources.CPU != nil && *resources.CPU.Weight != 0 {
+ if resources.CPU != nil && resources.CPU.Weight != nil && *resources.CPU.Weight != 0 {
 properties = append(properties, newSystemdProperty("CPUWeight", *resources.CPU.Weight))
 }
 
@@ -796,9 +832,9 @@ func LoadSystemd(slice, group string) (*Manager, error) {
 if slice == "" {
 slice = defaultSlice
 }
- group = filepath.Join(defaultCgroup2Path, slice, group)
+ path := getSystemdFullPath(slice, group)
 return &Manager{
- path: group,
+ path: path,
 }, nil
 }
 
diff --git a/vendor/github.com/containerd/cgroups/v2/memory.go b/vendor/github.com/containerd/cgroups/v2/memory.go
index 72f94b738..6f4733be6 100644
--- a/vendor/github.com/containerd/cgroups/v2/memory.go
+++ b/vendor/github.com/containerd/cgroups/v2/memory.go
@@ -18,6 +18,7 @@ package v2
 
 type Memory struct {
 Swap *int64
+ Min *int64
 Max *int64
 Low *int64
 High *int64
@@ -30,6 +31,12 @@ func (r *Memory) Values() (o []Value) {
 value: *r.Swap,
 })
 }
+ if r.Min != nil {
+ o = append(o, Value{
+ filename: "memory.min",
+ value: *r.Min,
+ })
+ }
 if r.Max != nil {
 o = append(o, Value{
 filename: "memory.max",
diff --git a/vendor/github.com/containerd/cgroups/v2/utils.go b/vendor/github.com/containerd/cgroups/v2/utils.go
index 902466f51..240c92677 100644
--- a/vendor/github.com/containerd/cgroups/v2/utils.go
+++ b/vendor/github.com/containerd/cgroups/v2/utils.go
@@ -227,7 +227,7 @@ func ToResources(spec *specs.LinuxResources) *Resources {
 if i := spec.Rdma; i != nil {
 resources.RDMA = &RDMA{}
 for device, value := range spec.Rdma {
- if device != "" && (value.HcaHandles != nil || value.HcaObjects != nil) {
+ if device != "" && (value.HcaHandles != nil && value.HcaObjects != nil) {
 resources.RDMA.Limit = append(resources.RDMA.Limit, RDMAEntry{
 Device: device,
 HcaHandles: *value.HcaHandles,
diff --git a/vendor/modules.txt b/vendor/modules.txt
index af74ddbd9..2eb01b616 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -74,8 +74,8 @@ github.com/containerd/aufs/plugin
 # github.com/containerd/btrfs v1.0.0
 ## explicit; go 1.15
 github.com/containerd/btrfs
-# github.com/containerd/cgroups v1.0.3
-## explicit; go 1.16
+# github.com/containerd/cgroups v1.0.4
+## explicit; go 1.17
 github.com/containerd/cgroups
 github.com/containerd/cgroups/stats/v1
 github.com/containerd/cgroups/v2
From f16447e2d495d77c03c6644e78877cd3596ef523 Mon Sep 17 00:00:00 2001
From: Danny Canter
Date: Tue, 20 Dec 2022 02:04:34 -0800
Subject: [PATCH 36/39] CRI: Fix no CNI info for pod sandbox on restart
Due to when we were updating the pod sandboxes underlying container object, the pointer to the sandbox would have the right info, but the on-disk representation of the data was behind. This would cause the data returned from loading any sandboxes after a restart to have no CNI result or IP information for the pod. This change does an additional update to the on-disk container info right after we invoke the CNI plugin so the metadata for the CNI result and other networking information is properly flushed to disk.
Signed-off-by: Danny Canter
(cherry picked from commit 3ee6dd5c1bca441d1ec4988cbaebadbfbcfde525)
Signed-off-by: Danny Canter
---
 integration/restart_test.go | 15 +++++++++++++++
 pkg/cri/server/sandbox_run.go | 11 ++++++++++-
 2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/integration/restart_test.go b/integration/restart_test.go
index 9cb660252..767752ca0 100644
--- a/integration/restart_test.go
+++ b/integration/restart_test.go
@@ -191,6 +191,21 @@ func TestContainerdRestart(t *testing.T) {
 if s.id == loaded.Id {
 t.Logf("Checking sandbox state for '%s'", s.name)
 assert.Equal(t, s.state, loaded.State)
+
+ // See https://github.com/containerd/containerd/issues/7843 for details.
+ // Test that CNI result and sandbox IPs are still present after restart.
+ if loaded.State == runtime.PodSandboxState_SANDBOX_READY {
+ status, info, err := SandboxInfo(loaded.Id)
+ require.NoError(t, err)
+
+ // Check that the NetNS didn't close on us, that we still have
+ // the CNI result, and that we still have the IP we were given
+ // for this pod.
+ require.False(t, info.NetNSClosed)
+ require.NotNil(t, info.CNIResult)
+ require.NotNil(t, status.Network)
+ require.NotEmpty(t, status.Network.Ip)
+ }
 break
 }
 }
diff --git a/pkg/cri/server/sandbox_run.go b/pkg/cri/server/sandbox_run.go
index 18657a51d..082344022 100644
--- a/pkg/cri/server/sandbox_run.go
+++ b/pkg/cri/server/sandbox_run.go
@@ -295,7 +295,8 @@ func (c *criService) RunPodSandbox(ctx context.Context, r *runtime.RunPodSandbox
 // Update spec of the container
 containerd.UpdateContainerOpts(containerd.WithSpec(spec)),
 // Update sandbox metadata to include NetNS info
- containerd.UpdateContainerOpts(containerd.WithContainerExtension(sandboxMetadataExtension, &sandbox.Metadata))); err != nil {
+ containerd.UpdateContainerOpts(containerd.WithContainerExtension(sandboxMetadataExtension, &sandbox.Metadata)),
+ ); err != nil {
 return nil, fmt.Errorf("failed to update the network namespace for the sandbox container %q: %w", id, err)
 }
 
@@ -325,6 +326,14 @@ func (c *criService) RunPodSandbox(ctx context.Context, r *runtime.RunPodSandbox
 return nil, fmt.Errorf("failed to setup network for sandbox %q: %w", id, err)
 }
 
+ // Update metadata here to save CNI result and pod IPs to disk.
+ if err := container.Update(ctx,
+ // Update sandbox metadata to include NetNS info
+ containerd.UpdateContainerOpts(containerd.WithContainerExtension(sandboxMetadataExtension, &sandbox.Metadata)),
+ ); err != nil {
+ return nil, fmt.Errorf("failed to update the network namespace for the sandbox container %q: %w", id, err)
+ }
+
 sandboxCreateNetworkTimer.UpdateSince(netStart)
 }
 
From 0f4062c9be0155861a1907dd1e1fe54b38c1d5ac Mon Sep 17 00:00:00 2001
From: Akihiro Suda
Date: Mon, 2 Jan 2023 05:47:32 +0900
Subject: [PATCH 37/39] integration/images: switch away from Docker Hub to avoid rate limit
Signed-off-by: Akihiro Suda
(cherry picked from commit a5ea5935b7e65b189f893eca1e95e501a7aeb716)
Signed-off-by: Derek McGowan
---
 integration/common.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/integration/common.go b/integration/common.go
index edcb462a4..2501267cd 100644
--- a/integration/common.go
+++ b/integration/common.go
@@ -47,8 +47,8 @@ var (
 
 func initImages(imageListFile string) {
 imageList = ImageList{
- Alpine: "docker.io/library/alpine:latest",
- BusyBox: "docker.io/library/busybox:latest",
+ Alpine: "ghcr.io/containerd/alpine:3.14.0",
+ BusyBox: "ghcr.io/containerd/busybox:1.28",
 Pause: "registry.k8s.io/pause:3.6",
 ResourceConsumer: "registry.k8s.io/e2e-test-images/resource-consumer:1.10",
 VolumeCopyUp: "ghcr.io/containerd/volume-copy-up:2.1",
From b57367020abc53f6e757b9eaadfe96ae7cf7e695 Mon Sep 17 00:00:00 2001
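Review bot: The error message on the new `container.Update` call, `failed to update the network namespace for the sandbox container`, is copied from the earlier update that runs before network setup, but this call persists the CNI result and pod IPs, so the two failures are indistinguishable in logs. Suggest `return nil, fmt.Errorf("failed to persist CNI result for sandbox container %q: %w", id, err)` and replacing the inner comment `// Update sandbox metadata to include NetNS info` with `// Update sandbox metadata to include the CNI result and pod IPs`. This also adds a new error return after the pod network has been configured; if the function's cleanup path does not tear the network down on this return, the CNI allocation would be left behind, which I cannot confirm from the hunk. RunPodSandbox starts and ends outside the hunk.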
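Review bot: The new image references in `initImages` are pinned by tag only (`ghcr.io/containerd/alpine:3.14.0`, `ghcr.io/containerd/busybox:1.28`); a registry tag is mutable, so the images the integration suite runs against can change without any change to this file. Pinning by digest as well, e.g. `Alpine: "ghcr.io/containerd/alpine:3.14.0@sha256:<digest-placeholder>"`, keeps the suite reproducible and ties it to known content. The unchanged `Pause`, `ResourceConsumer` and `VolumeCopyUp` entries have the same property, though they are outside this change.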
From: Kevin Parsons
Date: Tue, 3 Jan 2023 15:45:49 -0800
Subject: [PATCH 38/39] CI: Pass GITHUB_TOKEN to containerd/project-checks
Previously the project-checks action was failing sometimes due to hitting GitHub API rate limits. Since no token was supplied, the rate limits were only 60 requests/hour keyed off the IP address of the runner. Now, passing GITHUB_TOKEN secret through to project-checks, we have a limit of 1000 requests/hour for the whole repo. This should alleviate the rate limits that were being seen. I believe it is safe to pass this secret as project-checks is also owned by the containerd organization. The secret is also scoped to the actions run, and is invalidated upon completion. project-checks version is also updated to the version that supports repo-access-token input.
Signed-off-by: Kevin Parsons
(cherry picked from commit 79d09c69b4e4799e35b1d97718ab70351fe82164)
Signed-off-by: Derek McGowan
---
 .github/workflows/ci.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d66dd5b87..71d9062fb 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -63,9 +63,10 @@ jobs:
 path: src/github.com/containerd/containerd
 fetch-depth: 100
 
- - uses: containerd/project-checks@v1
+ - uses: containerd/project-checks@v1.1.0
 with:
 working-directory: src/github.com/containerd/containerd
+ repo-access-token: ${{ secrets.GITHUB_TOKEN }}
 
 - name: verify go modules and vendor directory
 run: |
From 883899eaed4ab95e3c415b5937438b4439796bfc Mon Sep 17 00:00:00 2001
From: Derek McGowan
Date: Wed, 4 Jan 2023 11:19:04 -0800
Subject: [PATCH 39/39] Prepare release notes for v1.6.15
Signed-off-by: Derek McGowan
---
 releases/v1.6.15.toml | 20 ++++++++++++++++++++
 version/version.go | 2 +-
 2 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 releases/v1.6.15.toml
diff --git a/releases/v1.6.15.toml b/releases/v1.6.15.toml
new file mode 100644
index 000000000..7798e8153
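Review bot: `repo-access-token: ${{ secrets.GITHUB_TOKEN }}` hands the workflow token to an action referenced by a movable tag, `containerd/project-checks@v1.1.0`; the commit message accepts the action as org-owned, but a retagged release would still run different code with that token. Pinning the action to a full commit SHA with the version kept as a comment, `- uses: containerd/project-checks@<commit-sha-placeholder> # v1.1.0`, closes that gap. The hunk does not show whether the job or workflow declares a `permissions:` block; if it does not, the token carries the repository default, and narrowing it to the read access project-checks needs bounds what a misbehaving action could do with it.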
--- /dev/null
+++ b/releases/v1.6.15.toml
@@ -0,0 +1,20 @@
+# commit to be tagged for new release
+commit = "HEAD"
+
+project_name = "containerd"
+github_repo = "containerd/containerd"
+match_deps = "^github.com/(containerd/[a-zA-Z0-9-]+)$"
+
+# previous release
+previous = "v1.6.14"
+
+pre_release = false
+
+preface = """\
+The fifteenth patch release for containerd 1.6 fixes an issue with CNI in the CRI plugin
+
+### Notable Updates
+
+* **Fix no CNI info for pod sandbox on restart in CRI plugin** ([#7848](https://github.com/containerd/containerd/pull/7848))
+
+See the changelog for complete list of changes"""
diff --git a/version/version.go b/version/version.go
index 531af7953..7246cc0b1 100644
--- a/version/version.go
+++ b/version/version.go
@@ -23,7 +23,7 @@ var (
 Package = "github.com/containerd/containerd"
 
 // Version holds the complete version number. Filled in at linking time.
- Version = "1.6.14+unknown"
+ Version = "1.6.15+unknown"
 
 // Revision is filled with the VCS (e.g. git) revision being used to build
 // the program at linking time.