Merge pull request #45371 from thaJeztah/23.0_backport_runc_binary_1.1.6
[23.0 backport] update runc binary to v1.1.7
diff --git a/Dockerfile b/Dockerfile
index f198293..1f8e647 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -192,7 +192,7 @@
# When updating the binary version you may also need to update the vendor
# version to pick up bug fixes or new APIs, however, usually the Go packages
# are built from a commit from the master branch.
-ARG CONTAINERD_VERSION=v1.6.20
+ARG CONTAINERD_VERSION=v1.6.21
RUN git fetch -q --depth 1 origin "${CONTAINERD_VERSION}" +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD
FROM base AS containerd-build
diff --git a/Dockerfile.windows b/Dockerfile.windows
index 1469a40..a33c220 100644
--- a/Dockerfile.windows
+++ b/Dockerfile.windows
@@ -168,7 +168,7 @@
ARG GO_VERSION=1.19.9
ARG GOTESTSUM_VERSION=v1.8.2
ARG GOWINRES_VERSION=v0.3.0
-ARG CONTAINERD_VERSION=v1.6.20
+ARG CONTAINERD_VERSION=v1.6.21
# Environment variable notes:
# - GO_VERSION must be consistent with 'Dockerfile' used by Linux.
diff --git a/hack/dockerfile/install/containerd.installer b/hack/dockerfile/install/containerd.installer
index ed8b61a..fecf2b0 100755
--- a/hack/dockerfile/install/containerd.installer
+++ b/hack/dockerfile/install/containerd.installer
@@ -15,7 +15,7 @@
# the binary version you may also need to update the vendor version to pick up
# bug fixes or new APIs, however, usually the Go packages are built from a
# commit from the master branch.
-: "${CONTAINERD_VERSION:=v1.6.20}"
+: "${CONTAINERD_VERSION:=v1.6.21}"
install_containerd() (
echo "Install containerd version $CONTAINERD_VERSION"
diff --git a/vendor.mod b/vendor.mod
index 2af4407..4b85171 100644
--- a/vendor.mod
+++ b/vendor.mod
@@ -12,14 +12,14 @@
github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1
github.com/Graylog2/go-gelf v0.0.0-20191017102106-1550ee647df0
github.com/Microsoft/go-winio v0.5.2
- github.com/Microsoft/hcsshim v0.9.7
+ github.com/Microsoft/hcsshim v0.9.8
github.com/RackSec/srslog v0.0.0-20180709174129-a4725f04ec91
github.com/armon/go-radix v1.0.1-0.20221118154546-54df44f2176c
github.com/aws/aws-sdk-go v1.37.0
github.com/bsphere/le_go v0.0.0-20200109081728-fc06dab2caa8
github.com/cloudflare/cfssl v0.0.0-20180323000720-5d63dbd981b5
github.com/containerd/cgroups v1.0.4
- github.com/containerd/containerd v1.6.19
+ github.com/containerd/containerd v1.6.21
github.com/containerd/continuity v0.3.0
github.com/containerd/fifo v1.1.0
github.com/containerd/typeurl v1.0.2
@@ -64,7 +64,7 @@
github.com/moby/term v0.0.0-20221120202655-abb19827d345
github.com/morikuni/aec v1.0.0
github.com/opencontainers/go-digest v1.0.0
- github.com/opencontainers/image-spec v1.0.3-0.20220303224323-02efb9a75ee1
+ github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b
github.com/opencontainers/runc v1.1.5
github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
github.com/opencontainers/selinux v1.10.2
@@ -105,7 +105,7 @@
github.com/containerd/console v1.0.3 // indirect
github.com/containerd/go-runc v1.0.0 // indirect
github.com/containerd/stargz-snapshotter/estargz v0.11.3 // indirect
- github.com/containerd/ttrpc v1.1.0 // indirect
+ github.com/containerd/ttrpc v1.1.1 // indirect
github.com/cyphar/filepath-securejoin v0.2.3 // indirect
github.com/dustin/go-humanize v1.0.0 // indirect
github.com/felixge/httpsnoop v1.0.2 // indirect
diff --git a/vendor.sum b/vendor.sum
index 9509b7d..f88b784 100644
--- a/vendor.sum
+++ b/vendor.sum
@@ -100,8 +100,8 @@
github.com/Microsoft/hcsshim v0.8.15/go.mod h1:x38A4YbHbdxJtc0sF6oIz+RG0npwSCAvn69iY6URG00=
github.com/Microsoft/hcsshim v0.8.16/go.mod h1:o5/SZqmR7x9JNKsW3pu+nqHm0MF8vbA+VxGOoXdC600=
github.com/Microsoft/hcsshim v0.8.21/go.mod h1:+w2gRZ5ReXQhFOrvSQeNfhrYB/dg3oDwTOcER2fw4I4=
-github.com/Microsoft/hcsshim v0.9.7 h1:mKNHW/Xvv1aFH87Jb6ERDzXTJTLPlmzfZ28VBFD/bfg=
-github.com/Microsoft/hcsshim v0.9.7/go.mod h1:7pLA8lDk46WKDWlVsENo92gC0XFa8rbKfyFRBqxEbCc=
+github.com/Microsoft/hcsshim v0.9.8 h1:lf7xxK2+Ikbj9sVf2QZsouGjRjEp2STj1yDHgoVtU5k=
+github.com/Microsoft/hcsshim v0.9.8/go.mod h1:7pLA8lDk46WKDWlVsENo92gC0XFa8rbKfyFRBqxEbCc=
github.com/Microsoft/hcsshim/test v0.0.0-20201218223536-d3e5debf77da/go.mod h1:5hlzMzRKMLyo42nCZ9oml8AdTlq/0cvIaBv6tK1RehU=
github.com/Microsoft/hcsshim/test v0.0.0-20210227013316-43a75bb4edd3/go.mod h1:mw7qgWloBUl75W/gVH3cQszUg1+gUITj7D6NY7ywVnY=
github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
@@ -243,8 +243,8 @@
github.com/containerd/containerd v1.5.0-rc.0/go.mod h1:V/IXoMqNGgBlabz3tHD2TWDoTJseu1FGOKuoA4nNb2s=
github.com/containerd/containerd v1.5.1/go.mod h1:0DOxVqwDy2iZvrZp2JUx/E+hS0UNTVn7dJnIOwtYR4g=
github.com/containerd/containerd v1.5.7/go.mod h1:gyvv6+ugqY25TiXxcZC3L5yOeYgEw0QMhscqVp1AR9c=
-github.com/containerd/containerd v1.6.19 h1:F0qgQPrG0P2JPgwpxWxYavrVeXAG0ezUIB9Z/4FTUAU=
-github.com/containerd/containerd v1.6.19/go.mod h1:HZCDMn4v/Xl2579/MvtOC2M206i+JJ6VxFWU/NetrGY=
+github.com/containerd/containerd v1.6.21 h1:eSTAmnvDKRPWan+MpSSfNyrtleXd86ogK9X8fMWpe/Q=
+github.com/containerd/containerd v1.6.21/go.mod h1:apei1/i5Ux2FzrK6+DM/suEsGuK/MeVOfy8tR2q7Wnw=
github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
github.com/containerd/continuity v0.0.0-20191127005431-f65d91d395eb/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
@@ -285,8 +285,9 @@
github.com/containerd/ttrpc v0.0.0-20191028202541-4f1b8fe65a5c/go.mod h1:LPm1u0xBw8r8NOKoOdNMeVHSawSsltak+Ihv+etqsE8=
github.com/containerd/ttrpc v1.0.1/go.mod h1:UAxOpgT9ziI0gJrmKvgcZivgxOp8iFPSk8httJEt98Y=
github.com/containerd/ttrpc v1.0.2/go.mod h1:UAxOpgT9ziI0gJrmKvgcZivgxOp8iFPSk8httJEt98Y=
-github.com/containerd/ttrpc v1.1.0 h1:GbtyLRxb0gOLR0TYQWt3O6B0NvT8tMdorEHqIQo/lWI=
github.com/containerd/ttrpc v1.1.0/go.mod h1:XX4ZTnoOId4HklF4edwc4DcqskFZuvXB1Evzy5KFQpQ=
+github.com/containerd/ttrpc v1.1.1 h1:NoRHS/z8UiHhpY1w0xcOqoJDGf2DHyzXrF0H4l5AE8c=
+github.com/containerd/ttrpc v1.1.1/go.mod h1:XX4ZTnoOId4HklF4edwc4DcqskFZuvXB1Evzy5KFQpQ=
github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd/go.mod h1:Cm3kwCdlkCfMSHURc+r6fwoGH6/F1hH3S4sg0rLFWPc=
github.com/containerd/typeurl v0.0.0-20190911142611-5eb25027c9fd/go.mod h1:GeKYzf2pQcqv7tJ0AoCuuhtnqhva5LNU3U+OyKxxJpk=
github.com/containerd/typeurl v1.0.1/go.mod h1:TB1hUtrpaiO88KEK56ijojHS1+NeF0izUACaJW2mdXg=
@@ -802,8 +803,8 @@
github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
github.com/opencontainers/image-spec v1.0.0/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
-github.com/opencontainers/image-spec v1.0.3-0.20220303224323-02efb9a75ee1 h1:9iFHD5Kt9hkOfeawBNiEeEaV7bmC4/Z5wJp8E9BptMs=
-github.com/opencontainers/image-spec v1.0.3-0.20220303224323-02efb9a75ee1/go.mod h1:K/JAU0m27RFhDRX4PcFdIKntROP6y5Ed6O91aZYDQfs=
+github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b h1:YWuSjZCQAPM8UUBLkYUk1e+rZcvWHJmFb6i6rM44Xs8=
+github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b/go.mod h1:3OVijpioIKYWTqjiG0zfF6wvoJ4fAXGbjdZuI2NgsRQ=
github.com/opencontainers/runc v0.0.0-20190115041553-12f6a991201f/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
github.com/opencontainers/runc v0.1.1/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
github.com/opencontainers/runc v1.0.0-rc8.0.20190926000215-3e425f80a8c9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
@@ -899,7 +900,6 @@
github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
github.com/rootless-containers/rootlesskit v1.1.0 h1:cRaRIYxY8oce4eE/zeAUZhgKu/4tU1p9YHN4+suwV7M=
github.com/rootless-containers/rootlesskit v1.1.0/go.mod h1:H+o9ndNe7tS91WqU0/+vpvc+VaCd7TCIWaJjnV0ujUo=
-github.com/russross/blackfriday v1.6.0/go.mod h1:ti0ldHuxg49ri4ksnFxlkCfN+hvslNlmVHqNRXXJNAY=
github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
@@ -1001,7 +1001,6 @@
github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
github.com/xeipuuv/gojsonschema v0.0.0-20180618132009-1d523034197f/go.mod h1:5yf86TLmAcydyeJq5YvxkGPE2fm/u4myDekKRoLuqhs=
-github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=
github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
diff --git a/vendor/github.com/containerd/containerd/.golangci.yml b/vendor/github.com/containerd/containerd/.golangci.yml
index 4bf8459..e162f0a 100644
--- a/vendor/github.com/containerd/containerd/.golangci.yml
+++ b/vendor/github.com/containerd/containerd/.golangci.yml
@@ -1,27 +1,55 @@
linters:
enable:
- - structcheck
- - varcheck
- - staticcheck
- - unconvert
+ - exportloopref # Checks for pointers to enclosing loop variables
- gofmt
- goimports
- - revive
+ - gosec
- ineffassign
- - vet
- - unused
- misspell
+ - nolintlint
+ - revive
+ - staticcheck
+ - tenv # Detects using os.Setenv instead of t.Setenv since Go 1.17
+ - unconvert
+ - unused
+ - vet
+ - dupword # Checks for duplicate words in the source code
disable:
- errcheck
issues:
include:
- EXC0002
+ max-issues-per-linter: 0
+ max-same-issues: 0
+
+ # Only using / doesn't work due to https://github.com/golangci/golangci-lint/issues/1398.
+ exclude-rules:
+ - path: 'archive[\\/]tarheader[\\/]'
+ # conversion is necessary on Linux, unnecessary on macOS
+ text: "unnecessary conversion"
+
+linters-settings:
+ gosec:
+ # The following issues surfaced when `gosec` linter
+ # was enabled. They are temporarily excluded to unblock
+ # the existing workflow, but still to be addressed by
+ # future works.
+ excludes:
+ - G204
+ - G305
+ - G306
+ - G402
+ - G404
run:
timeout: 8m
skip-dirs:
- api
+ - cluster
- design
- docs
- docs/man
+ - releases
+ - reports
+ - test # e2e scripts
diff --git a/vendor/github.com/containerd/containerd/Vagrantfile b/vendor/github.com/containerd/containerd/Vagrantfile
index e81bfc2..f706788 100644
--- a/vendor/github.com/containerd/containerd/Vagrantfile
+++ b/vendor/github.com/containerd/containerd/Vagrantfile
@@ -93,7 +93,7 @@
config.vm.provision "install-golang", type: "shell", run: "once" do |sh|
sh.upload_path = "/tmp/vagrant-install-golang"
sh.env = {
- 'GO_VERSION': ENV['GO_VERSION'] || "1.19.6",
+ 'GO_VERSION': ENV['GO_VERSION'] || "1.19.9",
}
sh.inline = <<~SHELL
#!/usr/bin/env bash
diff --git a/vendor/github.com/containerd/containerd/api/services/containers/v1/containers.pb.go b/vendor/github.com/containerd/containerd/api/services/containers/v1/containers.pb.go
index af56c7d..8c84d9c 100644
--- a/vendor/github.com/containerd/containerd/api/services/containers/v1/containers.pb.go
+++ b/vendor/github.com/containerd/containerd/api/services/containers/v1/containers.pb.go
@@ -246,7 +246,7 @@
// filters. Expanded, containers that match the following will be
// returned:
//
- // filters[0] or filters[1] or ... or filters[n-1] or filters[n]
+ // filters[0] or filters[1] or ... or filters[n-1] or filters[n]
//
// If filters is zero-length or nil, all items will be returned.
Filters []string `protobuf:"bytes,1,rep,name=filters,proto3" json:"filters,omitempty"`
diff --git a/vendor/github.com/containerd/containerd/api/services/containers/v1/containers.proto b/vendor/github.com/containerd/containerd/api/services/containers/v1/containers.proto
index 36ab177..eb4068e 100644
--- a/vendor/github.com/containerd/containerd/api/services/containers/v1/containers.proto
+++ b/vendor/github.com/containerd/containerd/api/services/containers/v1/containers.proto
@@ -132,7 +132,7 @@
// filters. Expanded, containers that match the following will be
// returned:
//
- // filters[0] or filters[1] or ... or filters[n-1] or filters[n]
+ // filters[0] or filters[1] or ... or filters[n-1] or filters[n]
//
// If filters is zero-length or nil, all items will be returned.
repeated string filters = 1;
diff --git a/vendor/github.com/containerd/containerd/api/services/content/v1/content.proto b/vendor/github.com/containerd/containerd/api/services/content/v1/content.proto
index b33ea5b..f43b649 100644
--- a/vendor/github.com/containerd/containerd/api/services/content/v1/content.proto
+++ b/vendor/github.com/containerd/containerd/api/services/content/v1/content.proto
@@ -141,7 +141,7 @@
// filters. Expanded, containers that match the following will be
// returned:
//
- // filters[0] or filters[1] or ... or filters[n-1] or filters[n]
+ // filters[0] or filters[1] or ... or filters[n-1] or filters[n]
//
// If filters is zero-length or nil, all items will be returned.
repeated string filters = 1;
diff --git a/vendor/github.com/containerd/containerd/api/services/images/v1/images.pb.go b/vendor/github.com/containerd/containerd/api/services/images/v1/images.pb.go
index de08cc0..ee170f2 100644
--- a/vendor/github.com/containerd/containerd/api/services/images/v1/images.pb.go
+++ b/vendor/github.com/containerd/containerd/api/services/images/v1/images.pb.go
@@ -336,7 +336,7 @@
// filters. Expanded, images that match the following will be
// returned:
//
- // filters[0] or filters[1] or ... or filters[n-1] or filters[n]
+ // filters[0] or filters[1] or ... or filters[n-1] or filters[n]
//
// If filters is zero-length or nil, all items will be returned.
Filters []string `protobuf:"bytes,1,rep,name=filters,proto3" json:"filters,omitempty"`
diff --git a/vendor/github.com/containerd/containerd/api/services/images/v1/images.proto b/vendor/github.com/containerd/containerd/api/services/images/v1/images.proto
index 338f4fb..dee4503 100644
--- a/vendor/github.com/containerd/containerd/api/services/images/v1/images.proto
+++ b/vendor/github.com/containerd/containerd/api/services/images/v1/images.proto
@@ -119,7 +119,7 @@
// filters. Expanded, images that match the following will be
// returned:
//
- // filters[0] or filters[1] or ... or filters[n-1] or filters[n]
+ // filters[0] or filters[1] or ... or filters[n-1] or filters[n]
//
// If filters is zero-length or nil, all items will be returned.
repeated string filters = 1;
diff --git a/vendor/github.com/containerd/containerd/api/services/introspection/v1/introspection.pb.go b/vendor/github.com/containerd/containerd/api/services/introspection/v1/introspection.pb.go
index d23c8b6..65e015d 100644
--- a/vendor/github.com/containerd/containerd/api/services/introspection/v1/introspection.pb.go
+++ b/vendor/github.com/containerd/containerd/api/services/introspection/v1/introspection.pb.go
@@ -115,7 +115,7 @@
// filters. Expanded, plugins that match the following will be
// returned:
//
- // filters[0] or filters[1] or ... or filters[n-1] or filters[n]
+ // filters[0] or filters[1] or ... or filters[n-1] or filters[n]
//
// If filters is zero-length or nil, all items will be returned.
Filters []string `protobuf:"bytes,1,rep,name=filters,proto3" json:"filters,omitempty"`
diff --git a/vendor/github.com/containerd/containerd/api/services/introspection/v1/introspection.proto b/vendor/github.com/containerd/containerd/api/services/introspection/v1/introspection.proto
index 65a8bc2..8427a06 100644
--- a/vendor/github.com/containerd/containerd/api/services/introspection/v1/introspection.proto
+++ b/vendor/github.com/containerd/containerd/api/services/introspection/v1/introspection.proto
@@ -89,7 +89,7 @@
// filters. Expanded, plugins that match the following will be
// returned:
//
- // filters[0] or filters[1] or ... or filters[n-1] or filters[n]
+ // filters[0] or filters[1] or ... or filters[n-1] or filters[n]
//
// If filters is zero-length or nil, all items will be returned.
repeated string filters = 1;
diff --git a/vendor/github.com/containerd/containerd/api/services/snapshots/v1/snapshots.pb.go b/vendor/github.com/containerd/containerd/api/services/snapshots/v1/snapshots.pb.go
index 046c97b..e8c6664 100644
--- a/vendor/github.com/containerd/containerd/api/services/snapshots/v1/snapshots.pb.go
+++ b/vendor/github.com/containerd/containerd/api/services/snapshots/v1/snapshots.pb.go
@@ -620,7 +620,7 @@
// filters. Expanded, images that match the following will be
// returned:
//
- // filters[0] or filters[1] or ... or filters[n-1] or filters[n]
+ // filters[0] or filters[1] or ... or filters[n-1] or filters[n]
//
// If filters is zero-length or nil, all items will be returned.
Filters []string `protobuf:"bytes,2,rep,name=filters,proto3" json:"filters,omitempty"`
diff --git a/vendor/github.com/containerd/containerd/api/services/snapshots/v1/snapshots.proto b/vendor/github.com/containerd/containerd/api/services/snapshots/v1/snapshots.proto
index dfb8ff1..9bbef14 100644
--- a/vendor/github.com/containerd/containerd/api/services/snapshots/v1/snapshots.proto
+++ b/vendor/github.com/containerd/containerd/api/services/snapshots/v1/snapshots.proto
@@ -158,7 +158,7 @@
// filters. Expanded, images that match the following will be
// returned:
//
- // filters[0] or filters[1] or ... or filters[n-1] or filters[n]
+ // filters[0] or filters[1] or ... or filters[n-1] or filters[n]
//
// If filters is zero-length or nil, all items will be returned.
repeated string filters = 2;
diff --git a/vendor/github.com/containerd/containerd/archive/tar.go b/vendor/github.com/containerd/containerd/archive/tar.go
index 44b7949..cff0edc 100644
--- a/vendor/github.com/containerd/containerd/archive/tar.go
+++ b/vendor/github.com/containerd/containerd/archive/tar.go
@@ -30,6 +30,7 @@
"syscall"
"time"
+ "github.com/containerd/containerd/archive/tarheader"
"github.com/containerd/containerd/log"
"github.com/containerd/containerd/pkg/userns"
"github.com/containerd/continuity/fs"
@@ -554,7 +555,8 @@
}
}
- hdr, err := tar.FileInfoHeader(f, link)
+ // Use FileInfoHeaderNoLookups to avoid propagating user names and group names from the host
+ hdr, err := tarheader.FileInfoHeaderNoLookups(f, link)
if err != nil {
return err
}
diff --git a/vendor/github.com/containerd/containerd/archive/tar_unix.go b/vendor/github.com/containerd/containerd/archive/tar_unix.go
index 854afcf..d84dfd8 100644
--- a/vendor/github.com/containerd/containerd/archive/tar_unix.go
+++ b/vendor/github.com/containerd/containerd/archive/tar_unix.go
@@ -62,8 +62,7 @@
return errors.New("unsupported stat type")
}
- // Rdev is int32 on darwin/bsd, int64 on linux/solaris
- rdev := uint64(s.Rdev) //nolint:unconvert
+ rdev := uint64(s.Rdev) //nolint:nolintlint,unconvert // rdev is int32 on darwin/bsd, int64 on linux/solaris
// Currently go does not fill in the major/minors
if s.Mode&syscall.S_IFBLK != 0 ||
diff --git a/vendor/github.com/containerd/containerd/archive/tarheader/tarheader.go b/vendor/github.com/containerd/containerd/archive/tarheader/tarheader.go
new file mode 100644
index 0000000..2f93842
--- /dev/null
+++ b/vendor/github.com/containerd/containerd/archive/tarheader/tarheader.go
@@ -0,0 +1,82 @@
+/*
+ Copyright The containerd Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+*/
+
+/*
+ Portions from https://github.com/moby/moby/blob/v23.0.1/pkg/archive/archive.go#L419-L464
+ Copyright (C) Docker/Moby authors.
+ Licensed under the Apache License, Version 2.0
+ NOTICE: https://github.com/moby/moby/blob/v23.0.1/NOTICE
+*/
+
+package tarheader
+
+import (
+ "archive/tar"
+ "os"
+)
+
+// nosysFileInfo hides the system-dependent info of the wrapped FileInfo to
+// prevent tar.FileInfoHeader from introspecting it and potentially calling into
+// glibc.
+//
+// From https://github.com/moby/moby/blob/v23.0.1/pkg/archive/archive.go#L419-L434 .
+type nosysFileInfo struct {
+ os.FileInfo
+}
+
+func (fi nosysFileInfo) Sys() interface{} {
+ // A Sys value of type *tar.Header is safe as it is system-independent.
+ // The tar.FileInfoHeader function copies the fields into the returned
+ // header without performing any OS lookups.
+ if sys, ok := fi.FileInfo.Sys().(*tar.Header); ok {
+ return sys
+ }
+ return nil
+}
+
+// sysStat, if non-nil, populates hdr from system-dependent fields of fi.
+//
+// From https://github.com/moby/moby/blob/v23.0.1/pkg/archive/archive.go#L436-L437 .
+var sysStat func(fi os.FileInfo, hdr *tar.Header) error
+
+// FileInfoHeaderNoLookups creates a partially-populated tar.Header from fi.
+//
+// Compared to the archive/tar.FileInfoHeader function, this function is safe to
+// call from a chrooted process as it does not populate fields which would
+// require operating system lookups. It behaves identically to
+// tar.FileInfoHeader when fi is a FileInfo value returned from
+// tar.Header.FileInfo().
+//
+// When fi is a FileInfo for a native file, such as returned from os.Stat() and
+// os.Lstat(), the returned Header value differs from one returned from
+// tar.FileInfoHeader in the following ways. The Uname and Gname fields are not
+// set as OS lookups would be required to populate them. The AccessTime and
+// ChangeTime fields are not currently set (not yet implemented) although that
+// is subject to change. Callers which require the AccessTime or ChangeTime
+// fields to be zeroed should explicitly zero them out in the returned Header
+// value to avoid any compatibility issues in the future.
+//
+// From https://github.com/moby/moby/blob/v23.0.1/pkg/archive/archive.go#L439-L464 .
+func FileInfoHeaderNoLookups(fi os.FileInfo, link string) (*tar.Header, error) {
+ hdr, err := tar.FileInfoHeader(nosysFileInfo{fi}, link)
+ if err != nil {
+ return nil, err
+ }
+ if sysStat != nil {
+ return hdr, sysStat(fi, hdr)
+ }
+ return hdr, nil
+}
diff --git a/vendor/github.com/containerd/containerd/archive/tarheader/tarheader_unix.go b/vendor/github.com/containerd/containerd/archive/tarheader/tarheader_unix.go
new file mode 100644
index 0000000..98ad8f9
--- /dev/null
+++ b/vendor/github.com/containerd/containerd/archive/tarheader/tarheader_unix.go
@@ -0,0 +1,59 @@
+//go:build !windows
+
+/*
+ Copyright The containerd Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+*/
+
+/*
+ Portions from https://github.com/moby/moby/blob/v23.0.1/pkg/archive/archive_unix.go#L52-L70
+ Copyright (C) Docker/Moby authors.
+ Licensed under the Apache License, Version 2.0
+ NOTICE: https://github.com/moby/moby/blob/v23.0.1/NOTICE
+*/
+
+package tarheader
+
+import (
+ "archive/tar"
+ "os"
+ "syscall"
+
+ "golang.org/x/sys/unix"
+)
+
+func init() {
+ sysStat = statUnix
+}
+
+// statUnix populates hdr from system-dependent fields of fi without performing
+// any OS lookups.
+// From https://github.com/moby/moby/blob/v23.0.1/pkg/archive/archive_unix.go#L52-L70
+func statUnix(fi os.FileInfo, hdr *tar.Header) error {
+ s, ok := fi.Sys().(*syscall.Stat_t)
+ if !ok {
+ return nil
+ }
+
+ hdr.Uid = int(s.Uid)
+ hdr.Gid = int(s.Gid)
+
+ if s.Mode&unix.S_IFBLK != 0 ||
+ s.Mode&unix.S_IFCHR != 0 {
+ hdr.Devmajor = int64(unix.Major(uint64(s.Rdev)))
+ hdr.Devminor = int64(unix.Minor(uint64(s.Rdev)))
+ }
+
+ return nil
+}
diff --git a/vendor/github.com/containerd/containerd/container.go b/vendor/github.com/containerd/containerd/container.go
index 7d8d674..2cf1566 100644
--- a/vendor/github.com/containerd/containerd/container.go
+++ b/vendor/github.com/containerd/containerd/container.go
@@ -279,6 +279,7 @@
})
}
}
+ request.RuntimePath = info.RuntimePath
if info.Options != nil {
any, err := typeurl.MarshalAny(info.Options)
if err != nil {
diff --git a/vendor/github.com/containerd/containerd/containerstore.go b/vendor/github.com/containerd/containerd/containerstore.go
index 2756e2a..bdd1c60 100644
--- a/vendor/github.com/containerd/containerd/containerstore.go
+++ b/vendor/github.com/containerd/containerd/containerstore.go
@@ -189,6 +189,7 @@
var containers []containers.Container
for _, container := range containerspb {
+ container := container
containers = append(containers, containerFromProto(&container))
}
diff --git a/vendor/github.com/containerd/containerd/content/local/store.go b/vendor/github.com/containerd/containerd/content/local/store.go
index f41a92d..0220028 100644
--- a/vendor/github.com/containerd/containerd/content/local/store.go
+++ b/vendor/github.com/containerd/containerd/content/local/store.go
@@ -34,7 +34,7 @@
"github.com/containerd/containerd/log"
"github.com/sirupsen/logrus"
- digest "github.com/opencontainers/go-digest"
+ "github.com/opencontainers/go-digest"
ocispec "github.com/opencontainers/image-spec/specs-go/v1"
)
@@ -505,6 +505,7 @@
return status, fmt.Errorf("provided total differs from status: %v != %v", total, status.Total)
}
+ //nolint:dupword
// TODO(stevvooe): slow slow slow!!, send to goroutine or use resumable hashes
fp, err := os.Open(data)
if err != nil {
diff --git a/vendor/github.com/containerd/containerd/diff/walking/differ.go b/vendor/github.com/containerd/containerd/diff/walking/differ.go
index a24c722..7bfa6b8 100644
--- a/vendor/github.com/containerd/containerd/diff/walking/differ.go
+++ b/vendor/github.com/containerd/containerd/diff/walking/differ.go
@@ -87,7 +87,7 @@
var ocidesc ocispec.Descriptor
if err := mount.WithTempMount(ctx, lower, func(lowerRoot string) error {
- return mount.WithTempMount(ctx, upper, func(upperRoot string) error {
+ return mount.WithReadonlyTempMount(ctx, upper, func(upperRoot string) error {
var newReference bool
if config.Reference == "" {
newReference = true
diff --git a/vendor/github.com/containerd/containerd/image_store.go b/vendor/github.com/containerd/containerd/image_store.go
index fd79e89..a970282 100644
--- a/vendor/github.com/containerd/containerd/image_store.go
+++ b/vendor/github.com/containerd/containerd/image_store.go
@@ -129,6 +129,7 @@
var images []images.Image
for _, image := range imagespb {
+ image := image
images = append(images, imageFromProto(&image))
}
diff --git a/vendor/github.com/containerd/containerd/images/archive/exporter.go b/vendor/github.com/containerd/containerd/images/archive/exporter.go
index 40a0a33..6943a7f 100644
--- a/vendor/github.com/containerd/containerd/images/archive/exporter.go
+++ b/vendor/github.com/containerd/containerd/images/archive/exporter.go
@@ -176,7 +176,7 @@
}
name := desc.Annotations[images.AnnotationImageName]
- if name != "" && !eo.skipDockerManifest {
+ if name != "" {
mt.names = append(mt.names, name)
}
case images.MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex:
@@ -215,26 +215,24 @@
records = append(records, r...)
}
- if !eo.skipDockerManifest {
- if len(manifests) >= 1 {
- if len(manifests) > 1 {
- sort.SliceStable(manifests, func(i, j int) bool {
- if manifests[i].Platform == nil {
- return false
- }
- if manifests[j].Platform == nil {
- return true
- }
- return eo.platform.Less(*manifests[i].Platform, *manifests[j].Platform)
- })
- }
- d = manifests[0].Digest
- dManifests[d] = &exportManifest{
- manifest: manifests[0],
- }
- } else if eo.platform != nil {
- return fmt.Errorf("no manifest found for platform: %w", errdefs.ErrNotFound)
+ if len(manifests) >= 1 {
+ if len(manifests) > 1 {
+ sort.SliceStable(manifests, func(i, j int) bool {
+ if manifests[i].Platform == nil {
+ return false
+ }
+ if manifests[j].Platform == nil {
+ return true
+ }
+ return eo.platform.Less(*manifests[i].Platform, *manifests[j].Platform)
+ })
}
+ d = manifests[0].Digest
+ dManifests[d] = &exportManifest{
+ manifest: manifests[0],
+ }
+ } else if eo.platform != nil {
+ return fmt.Errorf("no manifest found for platform: %w", errdefs.ErrNotFound)
}
resolvedIndex[desc.Digest] = d
}
@@ -250,7 +248,7 @@
}
}
- if len(dManifests) > 0 {
+ if !eo.skipDockerManifest && len(dManifests) > 0 {
tr, err := manifestsRecord(ctx, store, dManifests)
if err != nil {
return fmt.Errorf("unable to create manifests file: %w", err)
diff --git a/vendor/github.com/containerd/containerd/images/converter/default.go b/vendor/github.com/containerd/containerd/images/converter/default.go
index f4e944b..65224bd 100644
--- a/vendor/github.com/containerd/containerd/images/converter/default.go
+++ b/vendor/github.com/containerd/containerd/images/converter/default.go
@@ -132,7 +132,7 @@
return &descCopy
}
-// convertLayer converts image image layers if c.layerConvertFunc is set.
+// convertLayer converts image layers if c.layerConvertFunc is set.
//
// c.layerConvertFunc can be nil, e.g., for converting Docker media types to OCI ones.
func (c *defaultConverter) convertLayer(ctx context.Context, cs content.Store, desc ocispec.Descriptor) (*ocispec.Descriptor, error) {
diff --git a/vendor/github.com/containerd/containerd/metadata/boltutil/helpers.go b/vendor/github.com/containerd/containerd/metadata/boltutil/helpers.go
index 4722a52..4201d7b 100644
--- a/vendor/github.com/containerd/containerd/metadata/boltutil/helpers.go
+++ b/vendor/github.com/containerd/containerd/metadata/boltutil/helpers.go
@@ -162,6 +162,7 @@
}
for name, ext := range extensions {
+ ext := ext
p, err := proto.Marshal(&ext)
if err != nil {
return err
diff --git a/vendor/github.com/containerd/containerd/mount/mount.go b/vendor/github.com/containerd/containerd/mount/mount.go
index b25556b..9dd4f32 100644
--- a/vendor/github.com/containerd/containerd/mount/mount.go
+++ b/vendor/github.com/containerd/containerd/mount/mount.go
@@ -16,6 +16,10 @@
package mount
+import (
+ "strings"
+)
+
// Mount is the lingua franca of containerd. A mount represents a
// serialized mount syscall. Components either emit or consume mounts.
type Mount struct {
@@ -38,3 +42,46 @@
}
return nil
}
+
+// readonlyMounts modifies the received mount options
+// to make them readonly
+func readonlyMounts(mounts []Mount) []Mount {
+ for i, m := range mounts {
+ if m.Type == "overlay" {
+ mounts[i].Options = readonlyOverlay(m.Options)
+ continue
+ }
+ opts := make([]string, 0, len(m.Options))
+ for _, opt := range m.Options {
+ if opt != "rw" && opt != "ro" { // skip `ro` too so we don't append it twice
+ opts = append(opts, opt)
+ }
+ }
+ opts = append(opts, "ro")
+ mounts[i].Options = opts
+ }
+ return mounts
+}
+
+// readonlyOverlay takes mount options for overlay mounts and makes them readonly by
+// removing workdir and upperdir (and appending the upperdir layer to lowerdir) - see:
+// https://www.kernel.org/doc/html/latest/filesystems/overlayfs.html#multiple-lower-layers
+func readonlyOverlay(opt []string) []string {
+ out := make([]string, 0, len(opt))
+ upper := ""
+ for _, o := range opt {
+ if strings.HasPrefix(o, "upperdir=") {
+ upper = strings.TrimPrefix(o, "upperdir=")
+ } else if !strings.HasPrefix(o, "workdir=") {
+ out = append(out, o)
+ }
+ }
+ if upper != "" {
+ for i, o := range out {
+ if strings.HasPrefix(o, "lowerdir=") {
+ out[i] = "lowerdir=" + upper + ":" + strings.TrimPrefix(o, "lowerdir=")
+ }
+ }
+ }
+ return out
+}
diff --git a/vendor/github.com/containerd/containerd/mount/temp.go b/vendor/github.com/containerd/containerd/mount/temp.go
index 13eedaf..889d49c 100644
--- a/vendor/github.com/containerd/containerd/mount/temp.go
+++ b/vendor/github.com/containerd/containerd/mount/temp.go
@@ -67,6 +67,13 @@
return nil
}
+// WithReadonlyTempMount mounts the provided mounts to a temp dir as readonly,
+// and pass the temp dir to f. The mounts are valid during the call to the f.
+// Finally we will unmount and remove the temp dir regardless of the result of f.
+func WithReadonlyTempMount(ctx context.Context, mounts []Mount, f func(root string) error) (err error) {
+ return WithTempMount(ctx, readonlyMounts(mounts), f)
+}
+
func getTempDir() string {
if xdg := os.Getenv("XDG_RUNTIME_DIR"); xdg != "" {
return xdg
diff --git a/vendor/github.com/containerd/containerd/oci/spec_opts.go b/vendor/github.com/containerd/containerd/oci/spec_opts.go
index 3330ad1..65811fc 100644
--- a/vendor/github.com/containerd/containerd/oci/spec_opts.go
+++ b/vendor/github.com/containerd/containerd/oci/spec_opts.go
@@ -76,7 +76,6 @@
}
}
-// nolint
func setResources(s *Spec) {
if s.Linux != nil {
if s.Linux.Resources == nil {
@@ -90,7 +89,7 @@
}
}
-// nolint
+//nolint:nolintlint,unused // not used on all platforms
func setCPU(s *Spec) {
setResources(s)
if s.Linux != nil {
@@ -229,6 +228,7 @@
return func(_ context.Context, _ Client, _ *containers.Container, s *Spec) error {
setProcess(s)
s.Process.Args = args
+ s.Process.CommandLine = ""
return nil
}
}
@@ -358,17 +358,19 @@
return err
}
var (
- ociimage v1.Image
- config v1.ImageConfig
+ imageConfigBytes []byte
+ ociimage v1.Image
+ config v1.ImageConfig
)
switch ic.MediaType {
case v1.MediaTypeImageConfig, images.MediaTypeDockerSchema2Config:
- p, err := content.ReadBlob(ctx, image.ContentStore(), ic)
+ var err error
+ imageConfigBytes, err = content.ReadBlob(ctx, image.ContentStore(), ic)
if err != nil {
return err
}
- if err := json.Unmarshal(p, &ociimage); err != nil {
+ if err := json.Unmarshal(imageConfigBytes, &ociimage); err != nil {
return err
}
config = ociimage.Config
@@ -405,11 +407,55 @@
return WithAdditionalGIDs("root")(ctx, client, c, s)
} else if s.Windows != nil {
s.Process.Env = replaceOrAppendEnvValues(config.Env, s.Process.Env)
+
+ // To support Docker ArgsEscaped on Windows we need to combine the
+ // image Entrypoint & (Cmd Or User Args) while taking into account
+ // if Docker has already escaped them in the image config. When
+ // Docker sets `ArgsEscaped==true` in the config it has pre-escaped
+ // either Entrypoint or Cmd or both. Cmd should always be treated as
+ // arguments appended to Entrypoint unless:
+ //
+ // 1. Entrypoint does not exist, in which case Cmd[0] is the
+ // executable.
+ //
+ // 2. The user overrides the Cmd with User Args when activating the
+ // container in which case those args should be appended to the
+ // Entrypoint if it exists.
+ //
+ // To effectively do this we need to know if the arguments came from
+ // the user or if the arguments came from the image config when
+ // ArgsEscaped==true. In this case we only want to escape the
+ // additional user args when forming the complete CommandLine. This
+ // is safe in both cases of Entrypoint or Cmd being set because
+ // Docker will always escape them to an array of length one. Thus in
+ // both cases it is the "executable" portion of the command.
+ //
+ // In the case ArgsEscaped==false, Entrypoint or Cmd will contain
+ // any number of entries that are all unescaped and can simply be
+ // combined (potentially overwriting Cmd with User Args if present)
+ // and forwarded the container start as an Args array.
cmd := config.Cmd
+ cmdFromImage := true
if len(args) > 0 {
cmd = args
+ cmdFromImage = false
}
- s.Process.Args = append(config.Entrypoint, cmd...)
+
+ cmd = append(config.Entrypoint, cmd...)
+ if len(cmd) == 0 {
+ return errors.New("no arguments specified")
+ }
+
+ if config.ArgsEscaped && (len(config.Entrypoint) > 0 || cmdFromImage) {
+ s.Process.Args = nil
+ s.Process.CommandLine = cmd[0]
+ if len(cmd) > 1 {
+ s.Process.CommandLine += " " + escapeAndCombineArgs(cmd[1:])
+ }
+ } else {
+ s.Process.Args = cmd
+ s.Process.CommandLine = ""
+ }
s.Process.Cwd = config.WorkingDir
s.Process.User = specs.User{
@@ -617,8 +663,11 @@
return err
}
- mounts = tryReadonlyMounts(mounts)
- return mount.WithTempMount(ctx, mounts, f)
+ // Use a read-only mount when trying to get user/group information
+ // from the container's rootfs. Since the option does read operation
+ // only, we append ReadOnly mount option to prevent the Linux kernel
+ // from syncing whole filesystem in umount syscall.
+ return mount.WithReadonlyTempMount(ctx, mounts, f)
default:
return fmt.Errorf("invalid USER value %s", userstr)
}
@@ -678,8 +727,11 @@
return err
}
- mounts = tryReadonlyMounts(mounts)
- return mount.WithTempMount(ctx, mounts, setUser)
+ // Use a read-only mount when trying to get user/group information
+ // from the container's rootfs. Since the option does read operation
+ // only, we append ReadOnly mount option to prevent the Linux kernel
+ // from syncing whole filesystem in umount syscall.
+ return mount.WithReadonlyTempMount(ctx, mounts, setUser)
}
}
@@ -723,8 +775,11 @@
return err
}
- mounts = tryReadonlyMounts(mounts)
- return mount.WithTempMount(ctx, mounts, setUser)
+ // Use a read-only mount when trying to get user/group information
+ // from the container's rootfs. Since the option does read operation
+ // only, we append ReadOnly mount option to prevent the Linux kernel
+ // from syncing whole filesystem in umount syscall.
+ return mount.WithReadonlyTempMount(ctx, mounts, setUser)
} else if s.Windows != nil {
s.Process.User.Username = username
} else {
@@ -802,8 +857,11 @@
return err
}
- mounts = tryReadonlyMounts(mounts)
- return mount.WithTempMount(ctx, mounts, setAdditionalGids)
+ // Use a read-only mount when trying to get user/group information
+ // from the container's rootfs. Since the option does read operation
+ // only, we append ReadOnly mount option to prevent the Linux kernel
+ // from syncing whole filesystem in umount syscall.
+ return mount.WithReadonlyTempMount(ctx, mounts, setAdditionalGids)
}
}
@@ -864,8 +922,11 @@
return err
}
- mounts = tryReadonlyMounts(mounts)
- return mount.WithTempMount(ctx, mounts, setAdditionalGids)
+ // Use a read-only mount when trying to get user/group information
+ // from the container's rootfs. Since the option does read operation
+ // only, we append ReadOnly mount option to prevent the Linux kernel
+ // from syncing whole filesystem in umount syscall.
+ return mount.WithReadonlyTempMount(ctx, mounts, setAdditionalGids)
}
}
@@ -1343,21 +1404,3 @@
return ErrNoShmMount
}
}
-
-// tryReadonlyMounts is used by the options which are trying to get user/group
-// information from container's rootfs. Since the option does read operation
-// only, this helper will append ReadOnly mount option to prevent linux kernel
-// from syncing whole filesystem in umount syscall.
-//
-// TODO(fuweid):
-//
-// Currently, it only works for overlayfs. I think we can apply it to other
-// kinds of filesystem. Maybe we can return `ro` option by `snapshotter.Mount`
-// API, when the caller passes that experimental annotation
-// `containerd.io/snapshot/readonly.mount` something like that.
-func tryReadonlyMounts(mounts []mount.Mount) []mount.Mount {
- if len(mounts) == 1 && mounts[0].Type == "overlay" {
- mounts[0].Options = append(mounts[0].Options, "ro")
- }
- return mounts
-}
diff --git a/vendor/github.com/containerd/containerd/oci/spec_opts_linux.go b/vendor/github.com/containerd/containerd/oci/spec_opts_linux.go
index 4d8841e..34651d1 100644
--- a/vendor/github.com/containerd/containerd/oci/spec_opts_linux.go
+++ b/vendor/github.com/containerd/containerd/oci/spec_opts_linux.go
@@ -131,7 +131,7 @@
return WithCapabilities(caps)(ctx, client, c, s)
}
-// WithAllKnownCapabilities sets all the the known linux capabilities for the container process
+// WithAllKnownCapabilities sets all the known linux capabilities for the container process
var WithAllKnownCapabilities = func(ctx context.Context, client Client, c *containers.Container, s *Spec) error {
caps := cap.Known()
return WithCapabilities(caps)(ctx, client, c, s)
@@ -153,3 +153,7 @@
return nil
}
}
+
+func escapeAndCombineArgs(args []string) string {
+ panic("not supported")
+}
diff --git a/vendor/github.com/containerd/containerd/oci/spec_opts_nonlinux.go b/vendor/github.com/containerd/containerd/oci/spec_opts_nonlinux.go
index ec91492..ad1faa4 100644
--- a/vendor/github.com/containerd/containerd/oci/spec_opts_nonlinux.go
+++ b/vendor/github.com/containerd/containerd/oci/spec_opts_nonlinux.go
@@ -28,22 +28,16 @@
// WithAllCurrentCapabilities propagates the effective capabilities of the caller process to the container process.
// The capability set may differ from WithAllKnownCapabilities when running in a container.
-//
-//nolint:deadcode,unused
var WithAllCurrentCapabilities = func(ctx context.Context, client Client, c *containers.Container, s *Spec) error {
return WithCapabilities(nil)(ctx, client, c, s)
}
-// WithAllKnownCapabilities sets all the the known linux capabilities for the container process
-//
-//nolint:deadcode,unused
+// WithAllKnownCapabilities sets all the known linux capabilities for the container process
var WithAllKnownCapabilities = func(ctx context.Context, client Client, c *containers.Container, s *Spec) error {
return WithCapabilities(nil)(ctx, client, c, s)
}
// WithCPUShares sets the container's cpu shares
-//
-//nolint:deadcode,unused
func WithCPUShares(shares uint64) SpecOpts {
return func(ctx context.Context, _ Client, c *containers.Container, s *Spec) error {
return nil
diff --git a/vendor/github.com/containerd/containerd/oci/spec_opts_unix.go b/vendor/github.com/containerd/containerd/oci/spec_opts_unix.go
index 9d03091..a616577 100644
--- a/vendor/github.com/containerd/containerd/oci/spec_opts_unix.go
+++ b/vendor/github.com/containerd/containerd/oci/spec_opts_unix.go
@@ -57,3 +57,7 @@
return nil
}
}
+
+func escapeAndCombineArgs(args []string) string {
+ panic("not supported")
+}
diff --git a/vendor/github.com/containerd/containerd/oci/spec_opts_windows.go b/vendor/github.com/containerd/containerd/oci/spec_opts_windows.go
index 5502257..602d40e 100644
--- a/vendor/github.com/containerd/containerd/oci/spec_opts_windows.go
+++ b/vendor/github.com/containerd/containerd/oci/spec_opts_windows.go
@@ -19,9 +19,12 @@
import (
"context"
"errors"
+ "strings"
"github.com/containerd/containerd/containers"
+
specs "github.com/opencontainers/runtime-spec/specs-go"
+ "golang.org/x/sys/windows"
)
// WithWindowsCPUCount sets the `Windows.Resources.CPU.Count` section to the
@@ -65,6 +68,16 @@
}
}
+// WithProcessCommandLine replaces the command line on the generated spec
+func WithProcessCommandLine(cmdLine string) SpecOpts {
+ return func(_ context.Context, _ Client, _ *containers.Container, s *Spec) error {
+ setProcess(s)
+ s.Process.Args = nil
+ s.Process.CommandLine = cmdLine
+ return nil
+ }
+}
+
// WithHostDevices adds all the hosts device nodes to the container's spec
//
// Not supported on windows
@@ -89,3 +102,11 @@
return nil
}
}
+
+func escapeAndCombineArgs(args []string) string {
+ escaped := make([]string, len(args))
+ for i, a := range args {
+ escaped[i] = windows.EscapeArg(a)
+ }
+ return strings.Join(escaped, " ")
+}
diff --git a/vendor/github.com/containerd/containerd/oci/utils_unix.go b/vendor/github.com/containerd/containerd/oci/utils_unix.go
index db75b0b..306f098 100644
--- a/vendor/github.com/containerd/containerd/oci/utils_unix.go
+++ b/vendor/github.com/containerd/containerd/oci/utils_unix.go
@@ -127,7 +127,7 @@
// TODO consider adding these consts to the OCI runtime-spec.
const (
- wildcardDevice = "a" //nolint // currently unused, but should be included when upstreaming to OCI runtime-spec.
+ wildcardDevice = "a" //nolint:nolintlint,unused,varcheck // currently unused, but should be included when upstreaming to OCI runtime-spec.
blockDevice = "b"
charDevice = "c" // or "u"
fifoDevice = "p"
@@ -148,7 +148,7 @@
}
var (
- devNumber = uint64(stat.Rdev) //nolint: unconvert // the type is 32bit on mips.
+ devNumber = uint64(stat.Rdev) //nolint:nolintlint,unconvert // the type is 32bit on mips.
major = unix.Major(devNumber)
minor = unix.Minor(devNumber)
)
diff --git a/vendor/github.com/containerd/containerd/reference/docker/reference.go b/vendor/github.com/containerd/containerd/reference/docker/reference.go
index 25436b6..1ef223d 100644
--- a/vendor/github.com/containerd/containerd/reference/docker/reference.go
+++ b/vendor/github.com/containerd/containerd/reference/docker/reference.go
@@ -683,7 +683,7 @@
}
// familiarizeName returns a shortened version of the name familiar
-// to to the Docker UI. Familiar names have the default domain
+// to the Docker UI. Familiar names have the default domain
// "docker.io" and "library/" repository prefix removed.
// For example, "docker.io/library/redis" will have the familiar
// name "redis" and "docker.io/dmcgowan/myapp" will be "dmcgowan/myapp".
diff --git a/vendor/github.com/containerd/containerd/runtime/v2/shim/shim.go b/vendor/github.com/containerd/containerd/runtime/v2/shim/shim.go
index 4ad964e..e5822cd 100644
--- a/vendor/github.com/containerd/containerd/runtime/v2/shim/shim.go
+++ b/vendor/github.com/containerd/containerd/runtime/v2/shim/shim.go
@@ -52,6 +52,7 @@
ContainerdBinary string
Address string
TTRPCAddress string
+ Debug bool
}
type StopStatus struct {
@@ -175,7 +176,7 @@
l.Logger.SetLevel(logrus.DebugLevel)
}
f, err := openLog(ctx, id)
- if err != nil { //nolint:staticcheck // Ignore SA4023 as some platforms always return error
+ if err != nil { //nolint:nolintlint,staticcheck // Ignore SA4023 as some platforms always return error
return ctx, err
}
l.Logger.SetOutput(f)
@@ -261,12 +262,12 @@
setRuntime()
signals, err := setupSignals(config)
- if err != nil { //nolint:staticcheck // Ignore SA4023 as some platforms always return error
+ if err != nil { //nolint:nolintlint,staticcheck // Ignore SA4023 as some platforms always return error
return err
}
if !config.NoSubreaper {
- if err := subreaper(); err != nil { //nolint:staticcheck // Ignore SA4023 as some platforms always return error
+ if err := subreaper(); err != nil { //nolint:nolintlint,staticcheck // Ignore SA4023 as some platforms always return error
return err
}
}
@@ -333,6 +334,7 @@
ContainerdBinary: containerdBinaryFlag,
Address: addressFlag,
TTRPCAddress: ttrpcAddress,
+ Debug: debugFlag,
}
address, err := manager.Start(ctx, id, opts)
@@ -395,14 +397,14 @@
initContext.TTRPCAddress = ttrpcAddress
// load the plugin specific configuration if it is provided
- //TODO: Read configuration passed into shim, or from state directory?
- //if p.Config != nil {
+ // TODO: Read configuration passed into shim, or from state directory?
+ // if p.Config != nil {
// pc, err := config.Decode(p)
// if err != nil {
// return nil, err
// }
// initContext.Config = pc
- //}
+ // }
result := p.Init(initContext)
if err := initialized.Add(result); err != nil {
@@ -445,7 +447,7 @@
}
}
- if err := serve(ctx, server, signals, sd.Shutdown); err != nil { //nolint:staticcheck // Ignore SA4023 as some platforms always return error
+ if err := serve(ctx, server, signals, sd.Shutdown); err != nil { //nolint:nolintlint,staticcheck // Ignore SA4023 as some platforms always return error
if err != shutdown.ErrShutdown {
return err
}
@@ -477,7 +479,7 @@
}
l, err := serveListener(socketFlag)
- if err != nil { //nolint:staticcheck // Ignore SA4023 as some platforms always return error
+ if err != nil { //nolint:nolintlint,staticcheck // Ignore SA4023 as some platforms always return error
return err
}
go func() {
diff --git a/vendor/github.com/containerd/containerd/task.go b/vendor/github.com/containerd/containerd/task.go
index 105d4fb..9be1394 100644
--- a/vendor/github.com/containerd/containerd/task.go
+++ b/vendor/github.com/containerd/containerd/task.go
@@ -139,6 +139,11 @@
RootFS []mount.Mount
// Options hold runtime specific settings for task creation
Options interface{}
+ // RuntimePath is an absolute path that can be used to overwrite path
+ // to a shim runtime binary.
+ RuntimePath string
+
+ // runtime is the runtime name for the container, and cannot be changed.
runtime string
}
diff --git a/vendor/github.com/containerd/containerd/task_opts.go b/vendor/github.com/containerd/containerd/task_opts.go
index 56f3cba..67e6527 100644
--- a/vendor/github.com/containerd/containerd/task_opts.go
+++ b/vendor/github.com/containerd/containerd/task_opts.go
@@ -49,7 +49,7 @@
// instead of resolving it from runtime name.
func WithRuntimePath(absRuntimePath string) NewTaskOpts {
return func(ctx context.Context, client *Client, info *TaskInfo) error {
- info.runtime = absRuntimePath
+ info.RuntimePath = absRuntimePath
return nil
}
}
diff --git a/vendor/github.com/containerd/containerd/version/version.go b/vendor/github.com/containerd/containerd/version/version.go
index 6bc3ed1..2fee285 100644
--- a/vendor/github.com/containerd/containerd/version/version.go
+++ b/vendor/github.com/containerd/containerd/version/version.go
@@ -23,7 +23,7 @@
Package = "github.com/containerd/containerd"
// Version holds the complete version number. Filled in at linking time.
- Version = "1.6.19+unknown"
+ Version = "1.6.21+unknown"
// Revision is filled with the VCS (e.g. git) revision being used to build
// the program at linking time.
diff --git a/vendor/github.com/containerd/ttrpc/server.go b/vendor/github.com/containerd/ttrpc/server.go
index b0e4807..e4c07b6 100644
--- a/vendor/github.com/containerd/ttrpc/server.go
+++ b/vendor/github.com/containerd/ttrpc/server.go
@@ -24,6 +24,7 @@
"net"
"sync"
"sync/atomic"
+ "syscall"
"time"
"github.com/sirupsen/logrus"
@@ -467,14 +468,12 @@
// branch. Basically, it means that we are no longer receiving
// requests due to a terminal error.
recvErr = nil // connection is now "closing"
- if err == io.EOF || err == io.ErrUnexpectedEOF {
+ if err == io.EOF || err == io.ErrUnexpectedEOF || errors.Is(err, syscall.ECONNRESET) {
// The client went away and we should stop processing
// requests, so that the client connection is closed
return
}
- if err != nil {
- logrus.WithError(err).Error("error receiving message")
- }
+ logrus.WithError(err).Error("error receiving message")
case <-shutdown:
return
}
diff --git a/vendor/github.com/opencontainers/image-spec/specs-go/v1/annotations.go b/vendor/github.com/opencontainers/image-spec/specs-go/v1/annotations.go
index 581cf7c..6f9e6fd 100644
--- a/vendor/github.com/opencontainers/image-spec/specs-go/v1/annotations.go
+++ b/vendor/github.com/opencontainers/image-spec/specs-go/v1/annotations.go
@@ -59,4 +59,13 @@
// AnnotationBaseImageName is the annotation key for the image reference of the image's base image.
AnnotationBaseImageName = "org.opencontainers.image.base.name"
+
+ // AnnotationArtifactCreated is the annotation key for the date and time on which the artifact was built, conforming to RFC 3339.
+ AnnotationArtifactCreated = "org.opencontainers.artifact.created"
+
+ // AnnotationArtifactDescription is the annotation key for the human readable description for the artifact.
+ AnnotationArtifactDescription = "org.opencontainers.artifact.description"
+
+ // AnnotationReferrersFiltersApplied is the annotation key for the comma separated list of filters applied by the registry in the referrers listing.
+ AnnotationReferrersFiltersApplied = "org.opencontainers.referrers.filtersApplied"
)
diff --git a/vendor/github.com/opencontainers/image-spec/specs-go/v1/artifact.go b/vendor/github.com/opencontainers/image-spec/specs-go/v1/artifact.go
new file mode 100644
index 0000000..03d76ce
--- /dev/null
+++ b/vendor/github.com/opencontainers/image-spec/specs-go/v1/artifact.go
@@ -0,0 +1,34 @@
+// Copyright 2022 The Linux Foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package v1
+
+// Artifact describes an artifact manifest.
+// This structure provides `application/vnd.oci.artifact.manifest.v1+json` mediatype when marshalled to JSON.
+type Artifact struct {
+ // MediaType is the media type of the object this schema refers to.
+ MediaType string `json:"mediaType"`
+
+ // ArtifactType is the IANA media type of the artifact this schema refers to.
+ ArtifactType string `json:"artifactType"`
+
+ // Blobs is a collection of blobs referenced by this manifest.
+ Blobs []Descriptor `json:"blobs,omitempty"`
+
+ // Subject (reference) is an optional link from the artifact to another manifest forming an association between the artifact and the other manifest.
+ Subject *Descriptor `json:"subject,omitempty"`
+
+ // Annotations contains arbitrary metadata for the artifact manifest.
+ Annotations map[string]string `json:"annotations,omitempty"`
+}
diff --git a/vendor/github.com/opencontainers/image-spec/specs-go/v1/config.go b/vendor/github.com/opencontainers/image-spec/specs-go/v1/config.go
index ffff4b6..e6aa113 100644
--- a/vendor/github.com/opencontainers/image-spec/specs-go/v1/config.go
+++ b/vendor/github.com/opencontainers/image-spec/specs-go/v1/config.go
@@ -48,6 +48,15 @@
// StopSignal contains the system call signal that will be sent to the container to exit.
StopSignal string `json:"StopSignal,omitempty"`
+
+ // ArgsEscaped `[Deprecated]` - This field is present only for legacy
+ // compatibility with Docker and should not be used by new image builders.
+ // It is used by Docker for Windows images to indicate that the `Entrypoint`
+ // or `Cmd` or both, contains only a single element array, that is a
+ // pre-escaped, and combined into a single string `CommandLine`. If `true`
+ // the value in `Entrypoint` or `Cmd` should be used as-is to avoid double
+ // escaping.
+ ArgsEscaped bool `json:"ArgsEscaped,omitempty"`
}
// RootFS describes a layer content addresses
diff --git a/vendor/github.com/opencontainers/image-spec/specs-go/v1/descriptor.go b/vendor/github.com/opencontainers/image-spec/specs-go/v1/descriptor.go
index 94f19be..9654aa5 100644
--- a/vendor/github.com/opencontainers/image-spec/specs-go/v1/descriptor.go
+++ b/vendor/github.com/opencontainers/image-spec/specs-go/v1/descriptor.go
@@ -1,4 +1,4 @@
-// Copyright 2016 The Linux Foundation
+// Copyright 2016-2022 The Linux Foundation
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
@@ -44,6 +44,9 @@
//
// This should only be used when referring to a manifest.
Platform *Platform `json:"platform,omitempty"`
+
+ // ArtifactType is the IANA media type of this artifact.
+ ArtifactType string `json:"artifactType,omitempty"`
}
// Platform describes the platform which the image in the manifest runs on.
diff --git a/vendor/github.com/opencontainers/image-spec/specs-go/v1/manifest.go b/vendor/github.com/opencontainers/image-spec/specs-go/v1/manifest.go
index 8212d52..730a093 100644
--- a/vendor/github.com/opencontainers/image-spec/specs-go/v1/manifest.go
+++ b/vendor/github.com/opencontainers/image-spec/specs-go/v1/manifest.go
@@ -1,4 +1,4 @@
-// Copyright 2016 The Linux Foundation
+// Copyright 2016-2022 The Linux Foundation
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
@@ -30,6 +30,9 @@
// Layers is an indexed list of layers referenced by the manifest.
Layers []Descriptor `json:"layers"`
+ // Subject is an optional link from the image manifest to another manifest forming an association between the image manifest and the other manifest.
+ Subject *Descriptor `json:"subject,omitempty"`
+
// Annotations contains arbitrary metadata for the image manifest.
Annotations map[string]string `json:"annotations,omitempty"`
}
diff --git a/vendor/github.com/opencontainers/image-spec/specs-go/v1/mediatype.go b/vendor/github.com/opencontainers/image-spec/specs-go/v1/mediatype.go
index 4f35ac1..935b481 100644
--- a/vendor/github.com/opencontainers/image-spec/specs-go/v1/mediatype.go
+++ b/vendor/github.com/opencontainers/image-spec/specs-go/v1/mediatype.go
@@ -54,4 +54,7 @@
// MediaTypeImageConfig specifies the media type for the image configuration.
MediaTypeImageConfig = "application/vnd.oci.image.config.v1+json"
+
+ // MediaTypeArtifactManifest specifies the media type for a content descriptor.
+ MediaTypeArtifactManifest = "application/vnd.oci.artifact.manifest.v1+json"
)
diff --git a/vendor/github.com/opencontainers/image-spec/specs-go/version.go b/vendor/github.com/opencontainers/image-spec/specs-go/version.go
index 31f99cf..1afd590 100644
--- a/vendor/github.com/opencontainers/image-spec/specs-go/version.go
+++ b/vendor/github.com/opencontainers/image-spec/specs-go/version.go
@@ -20,9 +20,9 @@
// VersionMajor is for an API incompatible changes
VersionMajor = 1
// VersionMinor is for functionality in a backwards-compatible manner
- VersionMinor = 0
+ VersionMinor = 1
// VersionPatch is for backwards-compatible bug fixes
- VersionPatch = 2
+ VersionPatch = 0
// VersionDev indicates development branch. Releases will be empty string.
VersionDev = "-dev"
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 35e7c23..fc5980e 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -30,7 +30,7 @@
github.com/Microsoft/go-winio/pkg/guid
github.com/Microsoft/go-winio/pkg/security
github.com/Microsoft/go-winio/vhd
-# github.com/Microsoft/hcsshim v0.9.7
+# github.com/Microsoft/hcsshim v0.9.8
## explicit; go 1.13
github.com/Microsoft/hcsshim
github.com/Microsoft/hcsshim/cmd/containerd-shim-runhcs-v1/options
@@ -160,7 +160,7 @@
# github.com/containerd/console v1.0.3
## explicit; go 1.13
github.com/containerd/console
-# github.com/containerd/containerd v1.6.19
+# github.com/containerd/containerd v1.6.21
## explicit; go 1.17
github.com/containerd/containerd
github.com/containerd/containerd/api/events
@@ -180,6 +180,7 @@
github.com/containerd/containerd/api/types/task
github.com/containerd/containerd/archive
github.com/containerd/containerd/archive/compression
+github.com/containerd/containerd/archive/tarheader
github.com/containerd/containerd/cio
github.com/containerd/containerd/containers
github.com/containerd/containerd/content
@@ -257,7 +258,7 @@
## explicit; go 1.16
github.com/containerd/stargz-snapshotter/estargz
github.com/containerd/stargz-snapshotter/estargz/errorutil
-# github.com/containerd/ttrpc v1.1.0
+# github.com/containerd/ttrpc v1.1.1
## explicit; go 1.13
github.com/containerd/ttrpc
# github.com/containerd/typeurl v1.0.2
@@ -706,8 +707,8 @@
## explicit; go 1.13
github.com/opencontainers/go-digest
github.com/opencontainers/go-digest/digestset
-# github.com/opencontainers/image-spec v1.0.3-0.20220303224323-02efb9a75ee1
-## explicit; go 1.16
+# github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b
+## explicit; go 1.17
github.com/opencontainers/image-spec/identity
github.com/opencontainers/image-spec/specs-go
github.com/opencontainers/image-spec/specs-go/v1
