cri: pull on fix for selinux relabel of /dev/shm (#2485)

see https://github.com/rancher/cri/pull/7 addresses https://github.com/rancher/k3s/issues/2240 for 1.18 backport of https://github.com/rancher/k3s/pull/2478 to 1.3.x Signed-off-by: Jacob Blain Christen <jacob@rancher.com>
2020-11-09 10:19:37 -07:00 · 2020-11-09 10:19:37 -07:00 · f92c04868f
parent a095b455f6
commit f92c04868f
20 changed files with 368 additions and 177 deletions
--- a/go.mod
+++ b/go.mod
@ -9,7 +9,7 @@ replace (
 	github.com/containerd/console => github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50
 	github.com/containerd/containerd => github.com/rancher/containerd v1.3.3-k3s2
 	github.com/containerd/continuity => github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02
-	github.com/containerd/cri => github.com/rancher/cri v1.3.0-k3s.6
+	github.com/containerd/cri => github.com/rancher/cri v1.3.0-k3s.8 // k3s-release/1.3
 	github.com/containerd/fifo => github.com/containerd/fifo v0.0.0-20190816180239-bda0ff6ed73c
 	github.com/containerd/go-runc => github.com/containerd/go-runc v0.0.0-20190911050354-e029b79d8cda
 	github.com/containerd/typeurl => github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd
--- a/go.sum
+++ b/go.sum
@ -410,7 +410,9 @@ github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 h1:Ovs26xHkKqVztRpIrF/92Bcuy
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
 github.com/grpc-ecosystem/grpc-gateway v1.9.5 h1:UImYN5qQ8tuGpGE16ZmjvcTtTw24zw1QAp/SlnNrZhI=
 github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
+github.com/hashicorp/errwrap v0.0.0-20141028054710-7554cd9344ce h1:prjrVgOk2Yg6w+PflHoszQNLTUh4kaByUcEWM/9uin4=
 github.com/hashicorp/errwrap v0.0.0-20141028054710-7554cd9344ce/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/go-multierror v0.0.0-20161216184304-ed905158d874 h1:cAv7ZbSmyb1wjn6T4TIiyFCkpcfgpbcNNC3bM2srLaI=
 github.com/hashicorp/go-multierror v0.0.0-20161216184304-ed905158d874/go.mod h1:JMRHfdO9jKNzS/+BTlxCjKNQHg/jZAft8U7LloJvN7I=
 github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4=
 github.com/hashicorp/golang-lru v0.0.0-20180201235237-0fb14efe8c47/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
@ -622,8 +624,8 @@ github.com/rakelkar/gonetsh v0.0.0-20190719023240-501daadcadf8 h1:83l9gPhYtgxODl
 github.com/rakelkar/gonetsh v0.0.0-20190719023240-501daadcadf8/go.mod h1:4XHkfaUj+URzGO9sohoAgt2V9Y8nIW7fugpu0E6gShk=
 github.com/rancher/containerd v1.3.3-k3s2 h1:RZr+TqFt7+YsrSYkyytlhW4HmneWeFNM7IymNOoGW6A=
 github.com/rancher/containerd v1.3.3-k3s2/go.mod h1:ZMfzmqce2Z+QSEqdHMfeJs1TZ/UeJ1aDrazjpQT4ehM=
-github.com/rancher/cri v1.3.0-k3s.6 h1:jeom53pNYUJHlZBHpax8vpQeBoW19vSVGAQn9jPyIcc=
-github.com/rancher/cri v1.3.0-k3s.6/go.mod h1:Ht5T1dIKzm+4NExmb7wDVG6qR+j0xeXIjjhCv1d9geY=
+github.com/rancher/cri v1.3.0-k3s.8 h1:qUdbZ6n3hAg3ImloQ6FMOtG8CG/JMNZ8vSuL47BCABA=
+github.com/rancher/cri v1.3.0-k3s.8/go.mod h1:Ht5T1dIKzm+4NExmb7wDVG6qR+j0xeXIjjhCv1d9geY=
 github.com/rancher/cri-tools v1.18.0-k3s1 h1:pLYthxpSu6k3Up9tNAMA0MK2ERqB6FC1sZQPRSW1qSg=
 github.com/rancher/cri-tools v1.18.0-k3s1/go.mod h1:Ij/GWNRcEDP6zVN6eQpvN/s0nhuJVtPQFy7RAdl+Wu8=
 github.com/rancher/dynamiclistener v0.2.0 h1:KucYwJXVVGhZ/NndfMCeQoCafT/VN7kvqSGgmlX8Lxk=
--- a/vendor/github.com/containerd/cri/Makefile
+++ b/vendor/github.com/containerd/cri/Makefile
@ -1,23 +1,27 @@
-# Copyright 2018 The containerd Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+#   Copyright The containerd Authors.
+
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+
+#       http://www.apache.org/licenses/LICENSE-2.0
+
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.

 GO := go
 GOOS := $(shell $(GO) env GOOS)
 GOARCH := $(shell $(GO) env GOARCH)
-WHALE = "🇩"
-ONI = "👹"
-EPOCH_TEST_COMMIT := f9e02affccd51702191e5312665a16045ffef8ab
+WHALE := "🇩"
+ONI := "👹"
+ifeq ($(GOOS),windows)
+	WHALE = "+"
+	ONI = "-"
+endif
+EPOCH_TEST_COMMIT := 67de3e4ccf2b2a69b8398798af7cfca01abf7a7e
 PROJECT := github.com/containerd/cri
 BINDIR := ${DESTDIR}/usr/local/bin
 BUILD_DIR := _output
@ -26,35 +30,39 @@ BUILD_DIR := _output
 VERSION := $(shell git rev-parse --short HEAD)
 TARBALL_PREFIX := cri-containerd
 TARBALL := $(TARBALL_PREFIX)-$(VERSION).$(GOOS)-$(GOARCH).tar.gz
-BUILD_TAGS := seccomp apparmor
+ifneq ($(GOOS),windows)
+	BUILD_TAGS := seccomp apparmor selinux no_btrfs
+endif
+export BUILDTAGS := $(BUILD_TAGS)
 # Add `-TEST` suffix to indicate that all binaries built from this repo are for test.
 GO_LDFLAGS := -X $(PROJECT)/vendor/github.com/containerd/containerd/version.Version=$(VERSION)-TEST
 SOURCES := $(shell find cmd/ pkg/ vendor/ -name '*.go')
 PLUGIN_SOURCES := $(shell ls *.go)
 INTEGRATION_SOURCES := $(shell find integration/ -name '*.go')

+CONTAINERD_BIN := containerd
+ifeq ($(GOOS),windows)
+	CONTAINERD_BIN := $(CONTAINERD_BIN).exe
+endif
+
 all: binaries

 help: ## this help
 	@awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z0-9._-]+:.*?## / {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST) | sort

-verify: lint gofmt boiler check-vendor ## execute the source code verification tools
+verify: lint gofmt check-vendor ## execute the source code verification tools

 version: ## print current cri plugin release version
 	@echo $(VERSION)

 lint:
 	@echo "$(WHALE) $@"
-	golangci-lint run --skip-files .*_test.go
+	golangci-lint run

 gofmt:
 	@echo "$(WHALE) $@"
 	@./hack/verify-gofmt.sh

-boiler:
-	@echo "$(WHALE) $@"
-	@./hack/verify-boilerplate.sh
-
 check-vendor:
 	@echo "$(WHALE) $@"
 	@./hack/verify-vendor.sh
@ -72,7 +80,7 @@ sync-vendor:
 update-vendor: sync-vendor sort-vendor ## Syncs containerd/vendor.conf -> vendor.conf and sorts vendor.conf
 	@echo "$(WHALE) $@"

-$(BUILD_DIR)/containerd: $(SOURCES) $(PLUGIN_SOURCES)
+$(BUILD_DIR)/$(CONTAINERD_BIN): $(SOURCES) $(PLUGIN_SOURCES)
 	@echo "$(WHALE) $@"
 	$(GO) build -o $@ \
 		-tags '$(BUILD_TAGS)' \
@ -84,7 +92,7 @@ test: ## unit test
 	@echo "$(WHALE) $@"
 	$(GO) test -timeout=10m -race ./pkg/... \
 		-tags '$(BUILD_TAGS)' \
-	        -ldflags '$(GO_LDFLAGS)' \
+		-ldflags '$(GO_LDFLAGS)' \
 		-gcflags '$(GO_GCFLAGS)'

 $(BUILD_DIR)/integration.test: $(INTEGRATION_SOURCES)
@ -107,29 +115,34 @@ clean: ## cleanup binaries
 	@echo "$(WHALE) $@"
 	@rm -rf $(BUILD_DIR)/*

-binaries: $(BUILD_DIR)/containerd ## build a customized containerd (same result as make containerd)
+binaries: $(BUILD_DIR)/$(CONTAINERD_BIN) ## build a customized containerd (same result as make containerd)
 	@echo "$(WHALE) $@"

 static-binaries: GO_LDFLAGS += -extldflags "-fno-PIC -static"
-static-binaries: $(BUILD_DIR)/containerd ## build static containerd
+static-binaries: $(BUILD_DIR)/$(CONTAINERD_BIN) ## build static containerd
 	@echo "$(WHALE) $@"

-containerd: $(BUILD_DIR)/containerd ## build a customized containerd with CRI plugin for testing
+containerd: $(BUILD_DIR)/$(CONTAINERD_BIN) ## build a customized containerd with CRI plugin for testing
 	@echo "$(WHALE) $@"

 install-containerd: containerd ## installs customized containerd to system location
 	@echo "$(WHALE) $@"
-	@install -D -m 755 $(BUILD_DIR)/containerd $(BINDIR)/containerd
+	@install -D -m 755 $(BUILD_DIR)/$(CONTAINERD_BIN) "$(BINDIR)/$(CONTAINERD_BIN)"

 install: install-containerd ## installs customized containerd to system location
 	@echo "$(WHALE) $@"

 uninstall: ## remove containerd from system location
 	@echo "$(WHALE) $@"
-	@rm -f $(BINDIR)/containerd
+	@rm -f "$(BINDIR)/$(CONTAINERD_BIN)"

+ifeq ($(GOOS),windows)
+$(BUILD_DIR)/$(TARBALL): static-binaries vendor.conf
+	@BUILD_DIR=$(BUILD_DIR) TARBALL=$(TARBALL) VERSION=$(VERSION) ./hack/release-windows.sh
+else
 $(BUILD_DIR)/$(TARBALL): static-binaries vendor.conf
 	@BUILD_DIR=$(BUILD_DIR) TARBALL=$(TARBALL) VERSION=$(VERSION) ./hack/release.sh
+endif

 release: $(BUILD_DIR)/$(TARBALL) ## build release tarball

@ -142,22 +155,29 @@ proto: ## update protobuf of the cri plugin api
 	@API_PATH=pkg/api/v1 hack/update-proto.sh
 	@API_PATH=pkg/api/runtimeoptions/v1 hack/update-proto.sh

-.PHONY: install.deps
+.PHONY: install.deps .install.deps.linux .install.deps.windows

-install.deps: ## install dependencies of cri (default 'seccomp apparmor' BUILDTAGS for runc build)
+ifeq ($(GOOS),windows)
+install.deps: .install.deps.windows ## install windows deps on windows
+else
+install.deps: .install.deps.linux ## install windows deps on linux
+endif
+
+.install.deps.linux: ## install dependencies of cri
 	@echo "$(WHALE) $@"
 	@./hack/install/install-deps.sh

+.install.deps.windows: ## install dependencies of cri on windows
+	@echo "$(WHALE) $@"
+	@./hack/install/windows/install-deps.sh
+
 .PHONY: .gitvalidation
-# When this is running in travis, it will only check the travis commit range.
-# When running outside travis, it will check from $(EPOCH_TEST_COMMIT)..HEAD.
+# make .gitvalidation is only used localy for manual testing
+# requires a clone of github.com/containerd/project
+# containerd/project DCO validation runs automatically with github actions in ci.yml for each pull
 .gitvalidation:
 	@echo "$(WHALE) $@"
-ifeq ($(TRAVIS),true)
-	git-validation -q -run DCO,short-subject
-else
-	git-validation -v -run DCO,short-subject -range $(EPOCH_TEST_COMMIT)..HEAD
-endif
+	DCO_VERBOSITY=-v DCO_RANGE=$(EPOCH_TEST_COMMIT)..HEAD ../project/script/validate/dco

 .PHONY: install.tools .install.gitvalidation .install.golangci-lint .install.vndr

@ -186,7 +206,6 @@ install.tools: .install.gitvalidation .install.golangci-lint .install.vndr ## in
 	install-containerd \
 	release \
 	push \
-	boiler \
 	clean \
 	default \
 	gofmt \
--- a/vendor/github.com/containerd/cri/cri.go
+++ b/vendor/github.com/containerd/cri/cri.go
@ -63,6 +63,10 @@ func initCRIService(ic *plugin.InitContext) (interface{}, error) {
 	ic.Meta.Exports = map[string]string{"CRIVersion": constants.CRIVersion}
 	ctx := ic.Context
 	pluginConfig := ic.Config.(*criconfig.PluginConfig)
+	if err := criconfig.ValidatePluginConfig(ctx, pluginConfig); err != nil {
+		return nil, errors.Wrap(err, "invalid plugin config")
+	}
+
 	c := criconfig.Config{
 		PluginConfig:       *pluginConfig,
 		ContainerdRootDir:  filepath.Dir(ic.Root),
@ -72,10 +76,6 @@ func initCRIService(ic *plugin.InitContext) (interface{}, error) {
 	}
 	log.G(ctx).Infof("Start cri plugin with config %+v", c)

-	if err := criconfig.ValidatePluginConfig(ctx, pluginConfig); err != nil {
-		return nil, errors.Wrap(err, "invalid plugin config")
-	}
-
 	if err := setGLogLevel(); err != nil {
 		return nil, errors.Wrap(err, "failed to set glog level")
 	}
--- a/vendor/github.com/containerd/cri/pkg/config/config.go
+++ b/vendor/github.com/containerd/cri/pkg/config/config.go
@ -122,9 +122,10 @@ type AuthConfig struct {

 // TLSConfig contains the CA/Cert/Key used for a registry
 type TLSConfig struct {
-	CAFile   string `toml:"ca_file" json:"caFile"`
-	CertFile string `toml:"cert_file" json:"certFile"`
-	KeyFile  string `toml:"key_file" json:"keyFile"`
+	InsecureSkipVerify bool   `toml:"insecure_skip_verify" json:"insecure_skip_verify"`
+	CAFile             string `toml:"ca_file" json:"caFile"`
+	CertFile           string `toml:"cert_file" json:"certFile"`
+	KeyFile            string `toml:"key_file" json:"keyFile"`
 }

 // Registry is registry settings configured
--- a/vendor/github.com/containerd/cri/pkg/seccomp/seccomp_linux.go
+++ b/vendor/github.com/containerd/cri/pkg/seccomp/seccomp_linux.go
@ -0,0 +1,88 @@
+/*
+Copyright The containerd Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+/*
+   Copyright The runc Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package seccomp
+
+import (
+	"bufio"
+	"os"
+	"strings"
+
+	"golang.org/x/sys/unix"
+)
+
+// IsEnabled returns if the kernel has been configured to support seccomp.
+// From https://github.com/opencontainers/runc/blob/v1.0.0-rc91/libcontainer/seccomp/seccomp_linux.go#L86-L102
+func IsEnabled() bool {
+	// Try to read from /proc/self/status for kernels > 3.8
+	s, err := parseStatusFile("/proc/self/status")
+	if err != nil {
+		// Check if Seccomp is supported, via CONFIG_SECCOMP.
+		if err := unix.Prctl(unix.PR_GET_SECCOMP, 0, 0, 0, 0); err != unix.EINVAL {
+			// Make sure the kernel has CONFIG_SECCOMP_FILTER.
+			if err := unix.Prctl(unix.PR_SET_SECCOMP, unix.SECCOMP_MODE_FILTER, 0, 0, 0); err != unix.EINVAL {
+				return true
+			}
+		}
+		return false
+	}
+	_, ok := s["Seccomp"]
+	return ok
+}
+
+// parseStatusFile is from https://github.com/opencontainers/runc/blob/v1.0.0-rc91/libcontainer/seccomp/seccomp_linux.go#L243-L268
+func parseStatusFile(path string) (map[string]string, error) {
+	f, err := os.Open(path)
+	if err != nil {
+		return nil, err
+	}
+	defer f.Close()
+
+	s := bufio.NewScanner(f)
+	status := make(map[string]string)
+
+	for s.Scan() {
+		text := s.Text()
+		parts := strings.Split(text, ":")
+
+		if len(parts) <= 1 {
+			continue
+		}
+
+		status[parts[0]] = parts[1]
+	}
+	if err := s.Err(); err != nil {
+		return nil, err
+	}
+
+	return status, nil
+}
--- a/vendor/github.com/containerd/cri/pkg/seccomp/seccomp_unsupported.go
+++ b/vendor/github.com/containerd/cri/pkg/seccomp/seccomp_unsupported.go
@ -0,0 +1,23 @@
+// +build !linux
+
+/*
+Copyright The containerd Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package seccomp
+
+func IsEnabled() bool {
+	return false
+}
--- a/vendor/github.com/containerd/cri/pkg/server/container_create.go
+++ b/vendor/github.com/containerd/cri/pkg/server/container_create.go
@ -39,6 +39,7 @@ import (
 	"github.com/davecgh/go-spew/spew"
 	imagespec "github.com/opencontainers/image-spec/specs-go/v1"
 	runtimespec "github.com/opencontainers/runtime-spec/specs-go"
+	selinux "github.com/opencontainers/selinux/go-selinux"
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/pkg/errors"
 	"golang.org/x/net/context"
@ -182,7 +183,7 @@ func (c *criService) CreateContainer(ctx context.Context, r *runtime.CreateConta
 	}
 	defer func() {
 		if retErr != nil {
-			_ = label.ReleaseLabel(spec.Process.SelinuxLabel)
+			selinux.ReleaseLabel(spec.Process.SelinuxLabel)
 		}
 	}()

@ -379,11 +380,13 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP
 	specOpts = append(specOpts, oci.WithEnv(env))

 	securityContext := config.GetLinux().GetSecurityContext()
-	labelOptions := toLabel(securityContext.GetSelinuxOptions())
-	if len(labelOptions) == 0 {
-		// Use pod level SELinux config
+	labelOptions, err := toLabel(securityContext.GetSelinuxOptions())
+	if err != nil {
+		return nil, err
+	}
+	if len(labelOptions) == 0 { // Use pod level SELinux config
 		if sandbox, err := c.sandboxStore.Get(sandboxID); err == nil {
-			labelOptions, err = label.DupSecOpt(sandbox.ProcessLabel)
+			labelOptions, err = selinux.DupSecOpt(sandbox.ProcessLabel)
 			if err != nil {
 				return nil, err
 			}
@ -396,7 +399,7 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP
 	}
 	defer func() {
 		if retErr != nil {
-			_ = label.ReleaseLabel(processLabel)
+			selinux.ReleaseLabel(processLabel)
 		}
 	}()

@ -544,9 +547,10 @@ func (c *criService) generateContainerMounts(sandboxID string, config *runtime.C
 			sandboxDevShm = devShm
 		}
 		mounts = append(mounts, &runtime.Mount{
-			ContainerPath: devShm,
-			HostPath:      sandboxDevShm,
-			Readonly:      false,
+			ContainerPath:  devShm,
+			HostPath:       sandboxDevShm,
+			Readonly:       false,
+			SelinuxRelabel: true,
 		})
 	}
 	return mounts
--- a/vendor/github.com/containerd/cri/pkg/server/container_remove.go
+++ b/vendor/github.com/containerd/cri/pkg/server/container_remove.go
@ -22,6 +22,7 @@ import (
 	"github.com/containerd/containerd/log"
 	"github.com/docker/docker/pkg/system"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 	"golang.org/x/net/context"
 	runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"

@ -30,7 +31,6 @@ import (
 )

 // RemoveContainer removes the container.
-// TODO(random-liu): Forcibly stop container if it's running.
 func (c *criService) RemoveContainer(ctx context.Context, r *runtime.RemoveContainerRequest) (_ *runtime.RemoveContainerResponse, retErr error) {
 	container, err := c.containerStore.Get(r.GetContainerId())
 	if err != nil {
@ -43,6 +43,17 @@ func (c *criService) RemoveContainer(ctx context.Context, r *runtime.RemoveConta
 	}
 	id := container.ID

+	// Forcibly stop the containers if they are in running or unknown state
+	state := container.Status.Get().State()
+	if state == runtime.ContainerState_CONTAINER_RUNNING ||
+		state == runtime.ContainerState_CONTAINER_UNKNOWN {
+		logrus.Infof("Forcibly stopping container %q", id)
+		if err := c.stopContainer(ctx, container, 0); err != nil {
+			return nil, errors.Wrapf(err, "failed to forcibly stop container %q", id)
+		}
+
+	}
+
 	// Set removing state to prevent other start/remove operations against this container
 	// while it's being removed.
 	if err := setContainerRemoving(container); err != nil {
--- a/vendor/github.com/containerd/cri/pkg/server/events.go
+++ b/vendor/github.com/containerd/cri/pkg/server/events.go
@ -333,6 +333,12 @@ func handleContainerExit(ctx context.Context, e *eventtypes.TaskExit, cntr conta
 		status.Pid = 0
 		status.FinishedAt = e.ExitedAt.UnixNano()
 		status.ExitCode = int32(e.ExitStatus)
+		// Unknown state can only transit to EXITED state, so we need
+		// to handle unknown state here.
+		if status.Unknown {
+			logrus.Debugf("Container %q transited from UNKNOWN to EXITED", cntr.ID)
+			status.Unknown = false
+		}
 		return status, nil
 	})
 	if err != nil {
--- a/vendor/github.com/containerd/cri/pkg/server/helpers.go
+++ b/vendor/github.com/containerd/cri/pkg/server/helpers.go
@ -298,11 +298,15 @@ func (c *criService) ensureImageExists(ctx context.Context, ref string, config *
 	return &newImage, nil
 }

-func toLabel(selinuxOptions *runtime.SELinuxOption) (labels []string) {
-	if selinuxOptions == nil {
-		return nil
-	}
+func toLabel(selinuxOptions *runtime.SELinuxOption) ([]string, error) {
+	var labels []string

+	if selinuxOptions == nil {
+		return nil, nil
+	}
+	if err := checkSelinuxLevel(selinuxOptions.Level); err != nil {
+		return nil, err
+	}
 	if selinuxOptions.User != "" {
 		labels = append(labels, "user:"+selinuxOptions.User)
 	}
@ -316,11 +320,15 @@ func toLabel(selinuxOptions *runtime.SELinuxOption) (labels []string) {
 		labels = append(labels, "level:"+selinuxOptions.Level)
 	}

-	return
+	return labels, nil
 }

 func initLabelsFromOpt(selinuxOpts *runtime.SELinuxOption) (string, string, error) {
-	return initLabels(toLabel(selinuxOpts))
+	labels, err := toLabel(selinuxOpts)
+	if err != nil {
+		return "", "", err
+	}
+	return label.InitLabels(labels)
 }

 func initLabels(options []string) (string, string, error) {
@ -339,7 +347,7 @@ func checkSelinuxLevel(level string) error {
 		return nil
 	}

-	matched, err := regexp.MatchString(`^s\d(-s\d)??(:c\d{1,4}((.c\d{1,4})?,c\d{1,4})*(.c\d{1,4})?(,c\d{1,4}(.c\d{1,4})?)*)?$`, level)
+	matched, err := regexp.MatchString(`^s\d(-s\d)??(:c\d{1,4}(\.c\d{1,4})?(,c\d{1,4}(\.c\d{1,4})?)*)?$`, level)
 	if err != nil {
 		return errors.Wrapf(err, "the format of 'level' %q is not correct", level)
 	}
@ -473,6 +481,7 @@ func unknownContainerStatus() containerstore.Status {
 		FinishedAt: 0,
 		ExitCode:   unknownExitCode,
 		Reason:     unknownExitReason,
+		Unknown:    true,
 	}
 }

--- a/vendor/github.com/containerd/cri/pkg/server/image_pull.go
+++ b/vendor/github.com/containerd/cri/pkg/server/image_pull.go
@ -253,39 +253,41 @@ func (c *criService) updateImage(ctx context.Context, r string) error {
 // getTLSConfig returns a TLSConfig configured with a CA/Cert/Key specified by registryTLSConfig
 func (c *criService) getTLSConfig(registryTLSConfig criconfig.TLSConfig) (*tls.Config, error) {
 	var (
-		cert tls.Certificate
-		err  error
+		tlsConfig = &tls.Config{}
+		cert      tls.Certificate
+		err       error
 	)
-	if registryTLSConfig.CertFile != "" && registryTLSConfig.KeyFile != "" {
-		cert, err = tls.LoadX509KeyPair(registryTLSConfig.CertFile, registryTLSConfig.KeyFile)
-		if err != nil {
-			return nil, errors.Wrap(err, "failed to load cert file")
-		}
-	}
 	if registryTLSConfig.CertFile != "" && registryTLSConfig.KeyFile == "" {
 		return nil, errors.Errorf("cert file %q was specified, but no corresponding key file was specified", registryTLSConfig.CertFile)
 	}
 	if registryTLSConfig.CertFile == "" && registryTLSConfig.KeyFile != "" {
 		return nil, errors.Errorf("key file %q was specified, but no corresponding cert file was specified", registryTLSConfig.KeyFile)
 	}
+	if registryTLSConfig.CertFile != "" && registryTLSConfig.KeyFile != "" {
+		cert, err = tls.LoadX509KeyPair(registryTLSConfig.CertFile, registryTLSConfig.KeyFile)
+		if err != nil {
+			return nil, errors.Wrap(err, "failed to load cert file")
+		}
+		if len(cert.Certificate) != 0 {
+			tlsConfig.Certificates = []tls.Certificate{cert}
+		}
+		tlsConfig.BuildNameToCertificate() // nolint:staticcheck
+	}

-	caCertPool, err := x509.SystemCertPool()
-	if err != nil {
-		return nil, errors.Wrap(err, "failed to get system cert pool")
+	if registryTLSConfig.CAFile != "" {
+		caCertPool, err := x509.SystemCertPool()
+		if err != nil {
+			return nil, errors.Wrap(err, "failed to get system cert pool")
+		}
+		caCert, err := ioutil.ReadFile(registryTLSConfig.CAFile)
+		if err != nil {
+			return nil, errors.Wrap(err, "failed to load CA file")
+		}
+		caCertPool.AppendCertsFromPEM(caCert)
+		tlsConfig.RootCAs = caCertPool
 	}
-	caCert, err := ioutil.ReadFile(registryTLSConfig.CAFile)
-	if err != nil {
-		return nil, errors.Wrap(err, "failed to load CA file")
-	}
-	caCertPool.AppendCertsFromPEM(caCert)

-	tlsConfig := &tls.Config{
-		RootCAs: caCertPool,
-	}
-	if len(cert.Certificate) != 0 {
-		tlsConfig.Certificates = []tls.Certificate{cert}
-	}
-	tlsConfig.BuildNameToCertificate()
+	tlsConfig.InsecureSkipVerify = registryTLSConfig.InsecureSkipVerify
 	return tlsConfig, nil
 }

--- a/vendor/github.com/containerd/cri/pkg/server/restart.go
+++ b/vendor/github.com/containerd/cri/pkg/server/restart.go
@ -307,7 +307,9 @@ func (c *criService) loadContainer(ctx context.Context, cntr containerd.Containe
 	}()
 	if err != nil {
 		log.G(ctx).WithError(err).Errorf("Failed to load container status for %q", id)
-		status = unknownContainerStatus()
+		// Only set the unknown field in this case, because other fields may
+		// contain useful information loaded from the checkpoint.
+		status.Unknown = true
 	}
 	opts := []containerstore.Opts{
 		containerstore.WithStatus(status, containerDir),
--- a/vendor/github.com/containerd/cri/pkg/server/sandbox_remove.go
+++ b/vendor/github.com/containerd/cri/pkg/server/sandbox_remove.go
@ -22,6 +22,7 @@ import (
 	"github.com/containerd/containerd/log"
 	"github.com/docker/docker/pkg/system"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 	"golang.org/x/net/context"
 	runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"

@ -49,7 +50,10 @@ func (c *criService) RemovePodSandbox(ctx context.Context, r *runtime.RemovePodS
 	// Return error if sandbox container is still running or unknown.
 	state := sandbox.Status.Get().State
 	if state == sandboxstore.StateReady || state == sandboxstore.StateUnknown {
-		return nil, errors.Errorf("sandbox container %q is not fully stopped", id)
+		logrus.Infof("Forcibly stopping sandbox %q", id)
+		if err := c.stopPodSandbox(ctx, sandbox); err != nil {
+			return nil, errors.Wrapf(err, "failed to forcibly stop sandbox %q", id)
+		}
 	}

 	// Return error if sandbox network namespace is not closed yet.
--- a/vendor/github.com/containerd/cri/pkg/server/sandbox_run.go
+++ b/vendor/github.com/containerd/cri/pkg/server/sandbox_run.go
@ -34,7 +34,7 @@ import (
 	"github.com/davecgh/go-spew/spew"
 	imagespec "github.com/opencontainers/image-spec/specs-go/v1"
 	runtimespec "github.com/opencontainers/runtime-spec/specs-go"
-	"github.com/opencontainers/selinux/go-selinux/label"
+	selinux "github.com/opencontainers/selinux/go-selinux"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/net/context"
@ -162,7 +162,7 @@ func (c *criService) RunPodSandbox(ctx context.Context, r *runtime.RunPodSandbox
 	sandbox.ProcessLabel = spec.Process.SelinuxLabel
 	defer func() {
 		if retErr != nil {
-			_ = label.ReleaseLabel(sandbox.ProcessLabel)
+			selinux.ReleaseLabel(sandbox.ProcessLabel)
 		}
 	}()

@ -284,7 +284,7 @@ func (c *criService) RunPodSandbox(ctx context.Context, r *runtime.RunPodSandbox

 	var taskOpts []containerd.NewTaskOpts
 	// TODO(random-liu): Remove this after shim v1 is deprecated.
-	if c.config.NoPivot && ociRuntime.Type == plugin.RuntimeRuncV1 {
+	if c.config.NoPivot && (ociRuntime.Type == plugin.RuntimeRuncV1 || ociRuntime.Type == plugin.RuntimeRuncV2) {
 		taskOpts = append(taskOpts, containerd.WithNoPivotRoot)
 	}
 	// We don't need stdio for sandbox container.
@ -422,7 +422,7 @@ func (c *criService) generateSandboxContainerSpec(id string, config *runtime.Pod
 	}
 	defer func() {
 		if retErr != nil && processLabel != "" {
-			_ = label.ReleaseLabel(processLabel)
+			selinux.ReleaseLabel(processLabel)
 		}
 	}()

--- a/vendor/github.com/containerd/cri/pkg/server/sandbox_stop.go
+++ b/vendor/github.com/containerd/cri/pkg/server/sandbox_stop.go
@ -1,17 +1,17 @@
 /*
-Copyright 2017 The Kubernetes Authors.
+   Copyright The containerd Authors.

-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at

-    http://www.apache.org/licenses/LICENSE-2.0
+       http://www.apache.org/licenses/LICENSE-2.0

-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
 */

 package server
@ -40,6 +40,15 @@ func (c *criService) StopPodSandbox(ctx context.Context, r *runtime.StopPodSandb
 		return nil, errors.Wrapf(err, "an error occurred when try to find sandbox %q",
 			r.GetPodSandboxId())
 	}
+
+	if err := c.stopPodSandbox(ctx, sandbox); err != nil {
+		return nil, err
+	}
+
+	return &runtime.StopPodSandboxResponse{}, nil
+}
+
+func (c *criService) stopPodSandbox(ctx context.Context, sandbox sandboxstore.Sandbox) error {
 	// Use the full sandbox id.
 	id := sandbox.ID

@ -53,20 +62,20 @@ func (c *criService) StopPodSandbox(ctx context.Context, r *runtime.StopPodSandb
 		}
 		// Forcibly stop the container. Do not use `StopContainer`, because it introduces a race
 		// if a container is removed after list.
-		if err = c.stopContainer(ctx, container, 0); err != nil {
-			return nil, errors.Wrapf(err, "failed to stop container %q", container.ID)
+		if err := c.stopContainer(ctx, container, 0); err != nil {
+			return errors.Wrapf(err, "failed to stop container %q", container.ID)
 		}
 	}

 	if err := c.unmountSandboxFiles(id, sandbox.Config); err != nil {
-		return nil, errors.Wrap(err, "failed to unmount sandbox files")
+		return errors.Wrap(err, "failed to unmount sandbox files")
 	}

 	// Only stop sandbox container when it's running or unknown.
 	state := sandbox.Status.Get().State
 	if state == sandboxstore.StateReady || state == sandboxstore.StateUnknown {
 		if err := c.stopSandboxContainer(ctx, sandbox); err != nil {
-			return nil, errors.Wrapf(err, "failed to stop sandbox container %q in %q state", id, state)
+			return errors.Wrapf(err, "failed to stop sandbox container %q in %q state", id, state)
 		}
 	}

@ -75,21 +84,21 @@ func (c *criService) StopPodSandbox(ctx context.Context, r *runtime.StopPodSandb
 		// Use empty netns path if netns is not available. This is defined in:
 		// https://github.com/containernetworking/cni/blob/v0.7.0-alpha1/SPEC.md
 		if closed, err := sandbox.NetNS.Closed(); err != nil {
-			return nil, errors.Wrap(err, "failed to check network namespace closed")
+			return errors.Wrap(err, "failed to check network namespace closed")
 		} else if closed {
 			sandbox.NetNSPath = ""
 		}
 		if err := c.teardownPodNetwork(ctx, sandbox); err != nil {
-			return nil, errors.Wrapf(err, "failed to destroy network for sandbox %q", id)
+			return errors.Wrapf(err, "failed to destroy network for sandbox %q", id)
 		}
-		if err = sandbox.NetNS.Remove(); err != nil {
-			return nil, errors.Wrapf(err, "failed to remove network namespace for sandbox %q", id)
+		if err := sandbox.NetNS.Remove(); err != nil {
+			return errors.Wrapf(err, "failed to remove network namespace for sandbox %q", id)
 		}
 	}

 	log.G(ctx).Infof("TearDown network for sandbox %q successfully", id)

-	return &runtime.StopPodSandboxResponse{}, nil
+	return nil
 }

 // stopSandboxContainer kills the sandbox container.
--- a/vendor/github.com/containerd/cri/pkg/server/service.go
+++ b/vendor/github.com/containerd/cri/pkg/server/service.go
@ -28,7 +28,6 @@ import (
 	"github.com/containerd/cri/pkg/store/label"
 	cni "github.com/containerd/go-cni"
 	runcapparmor "github.com/opencontainers/runc/libcontainer/apparmor"
-	runcseccomp "github.com/opencontainers/runc/libcontainer/seccomp"
 	runcsystem "github.com/opencontainers/runc/libcontainer/system"
 	"github.com/opencontainers/selinux/go-selinux"
 	"github.com/pkg/errors"
@ -42,6 +41,7 @@ import (
 	ctrdutil "github.com/containerd/cri/pkg/containerd/util"
 	osinterface "github.com/containerd/cri/pkg/os"
 	"github.com/containerd/cri/pkg/registrar"
+	"github.com/containerd/cri/pkg/seccomp"
 	containerstore "github.com/containerd/cri/pkg/store/container"
 	imagestore "github.com/containerd/cri/pkg/store/image"
 	sandboxstore "github.com/containerd/cri/pkg/store/sandbox"
@ -110,7 +110,7 @@ func NewCRIService(config criconfig.Config, client *containerd.Client) (CRIServi
 		config:             config,
 		client:             client,
 		apparmorEnabled:    runcapparmor.IsEnabled() && !config.DisableApparmor,
-		seccompEnabled:     runcseccomp.IsEnabled(),
+		seccompEnabled:     seccomp.IsEnabled(),
 		os:                 osinterface.RealOS{},
 		sandboxStore:       sandboxstore.NewStore(labels),
 		containerStore:     containerstore.NewStore(labels),
--- a/vendor/github.com/containerd/cri/pkg/store/container/status.go
+++ b/vendor/github.com/containerd/cri/pkg/store/container/status.go
@ -94,10 +94,16 @@ type Status struct {
 	// Removing indicates that the container is in removing state.
 	// This field doesn't need to be checkpointed.
 	Removing bool `json:"-"`
+	// Unknown indicates that the container status is not fully loaded.
+	// This field doesn't need to be checkpointed.
+	Unknown bool `json:"-"`
 }

 // State returns current state of the container based on the container status.
 func (s Status) State() runtime.ContainerState {
+	if s.Unknown {
+		return runtime.ContainerState_CONTAINER_UNKNOWN
+	}
 	if s.FinishedAt != 0 {
 		return runtime.ContainerState_CONTAINER_EXITED
 	}
--- a/vendor/github.com/containerd/cri/vendor.conf
+++ b/vendor/github.com/containerd/cri/vendor.conf
@ -1,75 +1,79 @@
 # cri dependencies
 github.com/tchap/go-patricia v2.2.6
-github.com/opencontainers/selinux v1.2.2
+github.com/opencontainers/selinux bb88c45a3863dc4c38320d71b890bb30ef9feba4
 github.com/docker/docker 86f080cff0914e9694068ed78d503701667c4c00
 github.com/docker/distribution 0d3efadf0154c2b8a4e7b6621fff9809655cc580

 # containerd dependencies
-go.etcd.io/bbolt 2eb7227adea1d5cf85f0bc2a82b7059b13c2fa68
-google.golang.org/grpc 25c4f928eaa6d96443009bd842389fb4fa48664e # v1.20.1
-google.golang.org/genproto d80a6e20e776b0b17a324d0ba1ab50a39c8e8944
-golang.org/x/text 19e51611da83d6be54ddafce4a4af510cb3e9ea4
-golang.org/x/sys 4c4f7f33c9ed00de01c4c741d2177abfcfe19307 https://github.com/golang/sys
-golang.org/x/sync 42b317875d0fa942474b76e1b46a6060d720ae6e
-golang.org/x/net f3200d17e092c607f615320ecaad13d87ad9a2b3
-github.com/urfave/cli 7bc6a0acffa589f415f88aca16cc1de5ffd66f9c
-github.com/syndtr/gocapability d98352740cb2c55f81556b63d4a1ec64c5a319c2
-github.com/sirupsen/logrus v1.4.1
-github.com/prometheus/procfs cb4147076ac75738c9a7d279075a253c0cc5acbd
-github.com/prometheus/common 89604d197083d4781071d3c65855d24ecfb0a563
-github.com/prometheus/client_model 99fa1f4be8e564e8a6b613da7fa6f46c9edafc6c
-github.com/prometheus/client_golang f4fb1b73fb099f396a7f0036bf86aa8def4ed823
-github.com/pkg/errors v0.8.1
-github.com/opencontainers/runtime-spec 29686dbc5559d93fb1ef402eeda3e35c38d75af4 # v1.0.1-59-g29686db
-github.com/opencontainers/runc f4982d86f7fde0b6f953cc62ccc4022c519a10a9 # v1.0.0-rc8-32-gf4982d86
-github.com/opencontainers/image-spec v1.0.1
-github.com/opencontainers/go-digest c9281466c8b2f606084ac71339773efd177436e7
-github.com/matttproud/golang_protobuf_extensions v1.0.1
-github.com/grpc-ecosystem/go-grpc-prometheus v1.1
-github.com/google/uuid v1.1.1
-github.com/golang/protobuf v1.2.0
-github.com/gogo/protobuf v1.2.1
-github.com/gogo/googleapis v1.2.0
-github.com/godbus/dbus v3
-github.com/docker/go-units v0.4.0
-github.com/docker/go-metrics 4ea375f7759c82740c893fc030bc37088d2ec098
-github.com/docker/go-events 9461782956ad83b30282bf90e31fa6a70c255ba9
-github.com/coreos/go-systemd v14
-github.com/containerd/typeurl a93fcdb778cd272c6e9b3028b2f42d813e785d40
-github.com/containerd/ttrpc 92c8520ef9f86600c650dd540266a007bf03670f
-github.com/containerd/go-runc e029b79d8cda8374981c64eba71f28ec38e5526f
-github.com/containerd/fifo bda0ff6ed73c67bfb5e62bc9c697f146b7fd7f13
-github.com/containerd/continuity f2a389ac0a02ce21c09edd7344677a601970f41c
-github.com/containerd/containerd d4802a64f9737f02db3426751f380d97fc878dec
-github.com/containerd/console 0650fd9eeb50bab4fc99dceb9f2e14cf58f36e7f
-github.com/containerd/cgroups c4b9ac5c7601384c965b9646fc515884e091ebb9
-github.com/beorn7/perks 4c0e84591b9aa9e6dcfdf3e020114cd81f89d5f9
-github.com/Microsoft/hcsshim 9e921883ac929bbe515b39793ece99ce3a9d7706
-github.com/Microsoft/go-winio v0.4.14
 github.com/BurntSushi/toml v0.3.1
-github.com/imdario/mergo v0.3.7
+github.com/Microsoft/go-winio v0.4.14
+github.com/Microsoft/hcsshim 9e921883ac929bbe515b39793ece99ce3a9d7706
+github.com/beorn7/perks 4c0e84591b9aa9e6dcfdf3e020114cd81f89d5f9
+github.com/containerd/cgroups c4b9ac5c7601384c965b9646fc515884e091ebb9
+github.com/containerd/console 0650fd9eeb50bab4fc99dceb9f2e14cf58f36e7f
+github.com/containerd/containerd v1.3.6
+github.com/containerd/continuity f2a389ac0a02ce21c09edd7344677a601970f41c
+github.com/containerd/fifo bda0ff6ed73c67bfb5e62bc9c697f146b7fd7f13
+github.com/containerd/go-runc e029b79d8cda8374981c64eba71f28ec38e5526f
+github.com/containerd/ttrpc 92c8520ef9f86600c650dd540266a007bf03670f
+github.com/containerd/typeurl a93fcdb778cd272c6e9b3028b2f42d813e785d40
+github.com/coreos/go-systemd 48702e0da86bd25e76cfef347e2adeb434a0d0a6 # v14
+github.com/cpuguy83/go-md2man 7762f7e404f8416dfa1d9bb6a8c192aa9acb4d19 # v1.0.10
+github.com/docker/go-events 9461782956ad83b30282bf90e31fa6a70c255ba9
+github.com/docker/go-metrics 4ea375f7759c82740c893fc030bc37088d2ec098
+github.com/docker/go-units v0.4.0
+github.com/godbus/dbus c7fdd8b5cd55e87b4e1f4e372cdb1db61dd6c66f # v3
+github.com/gogo/googleapis v1.2.0
+github.com/gogo/protobuf v1.2.1
+github.com/golang/protobuf v1.2.0
+github.com/google/uuid 0cd6bf5da1e1c83f8b45653022c74f71af0538a4 # v1.1.1
+github.com/grpc-ecosystem/go-grpc-prometheus 6b7015e65d366bf3f19b2b2a000a831940f0f7e0 # v1.1
+github.com/hashicorp/golang-lru v0.5.3
+github.com/imdario/mergo 7c29201646fa3de8506f701213473dd407f19646 # v0.3.7
+github.com/matttproud/golang_protobuf_extensions v1.0.1
+github.com/opencontainers/go-digest c9281466c8b2f606084ac71339773efd177436e7
+github.com/opencontainers/image-spec v1.0.1
+github.com/opencontainers/runc d736ef14f0288d6993a1845745d6756cfc9ddd5a # v1.0.0-rc9
+github.com/opencontainers/runtime-spec 29686dbc5559d93fb1ef402eeda3e35c38d75af4 # v1.0.1-59-g29686db
+github.com/pkg/errors v0.8.1
+github.com/prometheus/client_golang f4fb1b73fb099f396a7f0036bf86aa8def4ed823
+github.com/prometheus/client_model 99fa1f4be8e564e8a6b613da7fa6f46c9edafc6c
+github.com/prometheus/common 89604d197083d4781071d3c65855d24ecfb0a563
+github.com/prometheus/procfs cb4147076ac75738c9a7d279075a253c0cc5acbd
+github.com/russross/blackfriday 05f3235734ad95d0016f6a23902f06461fcf567a # v1.5.2
+github.com/sirupsen/logrus v1.4.1
+github.com/syndtr/gocapability d98352740cb2c55f81556b63d4a1ec64c5a319c2
+github.com/urfave/cli v1.22.0
+go.etcd.io/bbolt v1.3.3
+go.opencensus.io v0.22.0
+golang.org/x/net f3200d17e092c607f615320ecaad13d87ad9a2b3
+golang.org/x/sync 42b317875d0fa942474b76e1b46a6060d720ae6e
+golang.org/x/sys 9eafafc0a87e0fd0aeeba439a4573537970c44c7 https://github.com/golang/sys
+golang.org/x/text 19e51611da83d6be54ddafce4a4af510cb3e9ea4
+google.golang.org/appengine v1.5.0
+google.golang.org/genproto d80a6e20e776b0b17a324d0ba1ab50a39c8e8944
+google.golang.org/grpc 6eaf6f47437a6b4e2153a190160ef39a92c7eceb # v1.23.0

 # kubernetes dependencies
 sigs.k8s.io/yaml v1.1.0
-k8s.io/utils c2654d5206da6b7b6ace12841e8f359bb89b443c
-k8s.io/kubernetes v1.16.0-rc.2
-k8s.io/klog v0.4.0
-k8s.io/cri-api kubernetes-1.16.0-rc.2
-k8s.io/client-go kubernetes-1.16.0-rc.2
-k8s.io/api kubernetes-1.16.0-rc.2
-k8s.io/apiserver kubernetes-1.16.0-rc.2
-k8s.io/apimachinery kubernetes-1.16.0-rc.2
-gopkg.in/yaml.v2 v2.2.2
-gopkg.in/inf.v0 v0.9.0
-golang.org/x/time 85acf8d2951cb2a3bde7632f9ff273ef0379bcbd
+k8s.io/utils e782cd3c129fc98ee807f3c889c0f26eb7c9daf5
+k8s.io/kubernetes v1.16.6
+k8s.io/klog v1.0.0
+k8s.io/cri-api kubernetes-1.16.6
+k8s.io/client-go kubernetes-1.16.6
+k8s.io/api kubernetes-1.16.6
+k8s.io/apiserver kubernetes-1.16.6
+k8s.io/apimachinery kubernetes-1.16.6
+gopkg.in/yaml.v2 53403b58ad1b561927d19068c655246f2db79d48 # v2.2.8
+gopkg.in/inf.v0 v0.9.1
+golang.org/x/time 9d24e82272b4f38b78bc8cff74fa936d31ccd8ef
 golang.org/x/oauth2 0f29369cfe4552d0e4bcddc57cc75f4d7e672a33
-golang.org/x/crypto 5c40567a22f818bd14a1ea7245dad9f8ef0691aa
-github.com/stretchr/testify v1.3.0
-github.com/seccomp/libseccomp-golang v0.9.1
+golang.org/x/crypto 60c769a6c58655dab1b9adac0d58967dd517cfba
+github.com/stretchr/testify v1.4.0
 github.com/pmezard/go-difflib v1.0.0
-github.com/modern-go/reflect2 1.0.1
+github.com/modern-go/reflect2 v1.0.1
 github.com/modern-go/concurrent 1.0.3
-github.com/json-iterator/go v1.1.7
+github.com/json-iterator/go v1.1.8
 github.com/google/gofuzz v1.0.0
 github.com/emicklei/go-restful v2.9.5
 github.com/docker/spdystream 449fdfce4d962303d702fec724ef0ad181c92528
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@ -297,7 +297,7 @@ github.com/containerd/continuity/pathdriver
 github.com/containerd/continuity/proto
 github.com/containerd/continuity/syscallx
 github.com/containerd/continuity/sysx
-# github.com/containerd/cri v0.0.0-00010101000000-000000000000 => github.com/rancher/cri v1.3.0-k3s.6
+# github.com/containerd/cri v0.0.0-00010101000000-000000000000 => github.com/rancher/cri v1.3.0-k3s.8
 github.com/containerd/cri
 github.com/containerd/cri/pkg/annotations
 github.com/containerd/cri/pkg/api/runtimeoptions/v1
@ -310,6 +310,7 @@ github.com/containerd/cri/pkg/ioutil
 github.com/containerd/cri/pkg/netns
 github.com/containerd/cri/pkg/os
 github.com/containerd/cri/pkg/registrar
+github.com/containerd/cri/pkg/seccomp
 github.com/containerd/cri/pkg/server
 github.com/containerd/cri/pkg/server/io
 github.com/containerd/cri/pkg/store