From f92c04868fab50e8b6a9fdd81396a6a8235c1c00 Mon Sep 17 00:00:00 2001 From: Jacob Blain Christen Date: Mon, 9 Nov 2020 10:19:37 -0700 Subject: [PATCH] cri: pull on fix for selinux relabel of /dev/shm (#2485) see https://github.com/rancher/cri/pull/7 addresses https://github.com/rancher/k3s/issues/2240 for 1.18 backport of https://github.com/rancher/k3s/pull/2478 to 1.3.x Signed-off-by: Jacob Blain Christen --- go.mod | 2 +- go.sum | 6 +- vendor/github.com/containerd/cri/Makefile | 99 ++++++++------ vendor/github.com/containerd/cri/cri.go | 8 +- .../containerd/cri/pkg/config/config.go | 7 +- .../cri/pkg/seccomp/seccomp_linux.go | 88 +++++++++++++ .../cri/pkg/seccomp/seccomp_unsupported.go | 23 ++++ .../cri/pkg/server/container_create.go | 22 ++-- .../cri/pkg/server/container_remove.go | 13 +- .../containerd/cri/pkg/server/events.go | 6 + .../containerd/cri/pkg/server/helpers.go | 23 +++- .../containerd/cri/pkg/server/image_pull.go | 48 +++---- .../containerd/cri/pkg/server/restart.go | 4 +- .../cri/pkg/server/sandbox_remove.go | 6 +- .../containerd/cri/pkg/server/sandbox_run.go | 8 +- .../containerd/cri/pkg/server/sandbox_stop.go | 47 ++++--- .../containerd/cri/pkg/server/service.go | 4 +- .../cri/pkg/store/container/status.go | 6 + vendor/github.com/containerd/cri/vendor.conf | 122 +++++++++--------- vendor/modules.txt | 3 +- 20 files changed, 368 insertions(+), 177 deletions(-) create mode 100644 vendor/github.com/containerd/cri/pkg/seccomp/seccomp_linux.go create mode 100644 vendor/github.com/containerd/cri/pkg/seccomp/seccomp_unsupported.go diff --git a/go.mod b/go.mod index f423399aca..db80fbfd21 100644 --- a/go.mod +++ b/go.mod 
@@ -9,7 +9,7 @@ replace ( github.com/containerd/console => github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50 github.com/containerd/containerd => github.com/rancher/containerd v1.3.3-k3s2 github.com/containerd/continuity => github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02 - github.com/containerd/cri => github.com/rancher/cri v1.3.0-k3s.6 + github.com/containerd/cri => github.com/rancher/cri v1.3.0-k3s.8 // k3s-release/1.3 github.com/containerd/fifo => github.com/containerd/fifo v0.0.0-20190816180239-bda0ff6ed73c github.com/containerd/go-runc => github.com/containerd/go-runc v0.0.0-20190911050354-e029b79d8cda github.com/containerd/typeurl => github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd diff --git a/go.sum b/go.sum index ff77f0282c..16d620bf4f 100644 --- a/go.sum +++ b/go.sum @@ -410,7 +410,9 @@ github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 h1:Ovs26xHkKqVztRpIrF/92Bcuy github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= github.com/grpc-ecosystem/grpc-gateway v1.9.5 h1:UImYN5qQ8tuGpGE16ZmjvcTtTw24zw1QAp/SlnNrZhI= github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= +github.com/hashicorp/errwrap v0.0.0-20141028054710-7554cd9344ce h1:prjrVgOk2Yg6w+PflHoszQNLTUh4kaByUcEWM/9uin4= github.com/hashicorp/errwrap v0.0.0-20141028054710-7554cd9344ce/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/go-multierror v0.0.0-20161216184304-ed905158d874 h1:cAv7ZbSmyb1wjn6T4TIiyFCkpcfgpbcNNC3bM2srLaI= github.com/hashicorp/go-multierror v0.0.0-20161216184304-ed905158d874/go.mod h1:JMRHfdO9jKNzS/+BTlxCjKNQHg/jZAft8U7LloJvN7I= github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4= github.com/hashicorp/golang-lru v0.0.0-20180201235237-0fb14efe8c47/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= 
@@ -622,8 +624,8 @@ github.com/rakelkar/gonetsh v0.0.0-20190719023240-501daadcadf8 h1:83l9gPhYtgxODl github.com/rakelkar/gonetsh v0.0.0-20190719023240-501daadcadf8/go.mod h1:4XHkfaUj+URzGO9sohoAgt2V9Y8nIW7fugpu0E6gShk= github.com/rancher/containerd v1.3.3-k3s2 h1:RZr+TqFt7+YsrSYkyytlhW4HmneWeFNM7IymNOoGW6A= github.com/rancher/containerd v1.3.3-k3s2/go.mod h1:ZMfzmqce2Z+QSEqdHMfeJs1TZ/UeJ1aDrazjpQT4ehM= -github.com/rancher/cri v1.3.0-k3s.6 h1:jeom53pNYUJHlZBHpax8vpQeBoW19vSVGAQn9jPyIcc= -github.com/rancher/cri v1.3.0-k3s.6/go.mod h1:Ht5T1dIKzm+4NExmb7wDVG6qR+j0xeXIjjhCv1d9geY= +github.com/rancher/cri v1.3.0-k3s.8 h1:qUdbZ6n3hAg3ImloQ6FMOtG8CG/JMNZ8vSuL47BCABA= +github.com/rancher/cri v1.3.0-k3s.8/go.mod h1:Ht5T1dIKzm+4NExmb7wDVG6qR+j0xeXIjjhCv1d9geY= github.com/rancher/cri-tools v1.18.0-k3s1 h1:pLYthxpSu6k3Up9tNAMA0MK2ERqB6FC1sZQPRSW1qSg= github.com/rancher/cri-tools v1.18.0-k3s1/go.mod h1:Ij/GWNRcEDP6zVN6eQpvN/s0nhuJVtPQFy7RAdl+Wu8= github.com/rancher/dynamiclistener v0.2.0 h1:KucYwJXVVGhZ/NndfMCeQoCafT/VN7kvqSGgmlX8Lxk= diff --git a/vendor/github.com/containerd/cri/Makefile b/vendor/github.com/containerd/cri/Makefile index 4d6788e9a4..1be851f404 100644 --- a/vendor/github.com/containerd/cri/Makefile +++ b/vendor/github.com/containerd/cri/Makefile 
@@ -1,23 +1,27 @@ -# Copyright 2018 The containerd Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. +# Copyright The containerd Authors. + +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. GO := go GOOS := $(shell $(GO) env GOOS) GOARCH := $(shell $(GO) env GOARCH) -WHALE = "🇩" -ONI = "👹" -EPOCH_TEST_COMMIT := f9e02affccd51702191e5312665a16045ffef8ab +WHALE := "🇩" +ONI := "👹" +ifeq ($(GOOS),windows) + WHALE = "+" + ONI = "-" +endif +EPOCH_TEST_COMMIT := 67de3e4ccf2b2a69b8398798af7cfca01abf7a7e PROJECT := github.com/containerd/cri BINDIR := ${DESTDIR}/usr/local/bin BUILD_DIR := _output 
@@ -26,35 +30,39 @@ BUILD_DIR := _output VERSION := $(shell git rev-parse --short HEAD) TARBALL_PREFIX := cri-containerd TARBALL := $(TARBALL_PREFIX)-$(VERSION).$(GOOS)-$(GOARCH).tar.gz -BUILD_TAGS := seccomp apparmor +ifneq ($(GOOS),windows) + BUILD_TAGS := seccomp apparmor selinux no_btrfs +endif +export BUILDTAGS := $(BUILD_TAGS) # Add `-TEST` suffix to indicate that all binaries built from this repo are for test. GO_LDFLAGS := -X $(PROJECT)/vendor/github.com/containerd/containerd/version.Version=$(VERSION)-TEST SOURCES := $(shell find cmd/ pkg/ vendor/ -name '*.go') PLUGIN_SOURCES := $(shell ls *.go) INTEGRATION_SOURCES := $(shell find integration/ -name '*.go') +CONTAINERD_BIN := containerd +ifeq ($(GOOS),windows) + CONTAINERD_BIN := $(CONTAINERD_BIN).exe +endif + all: binaries help: ## this help @awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z0-9._-]+:.*?## / {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST) | sort -verify: lint gofmt boiler check-vendor ## execute the source code verification tools +verify: lint gofmt check-vendor ## execute the source code verification tools version: ## print current cri plugin release version @echo $(VERSION) lint: @echo "$(WHALE) $@" - golangci-lint run --skip-files .*_test.go + golangci-lint run gofmt: @echo "$(WHALE) $@" @./hack/verify-gofmt.sh -boiler: - @echo "$(WHALE) $@" - @./hack/verify-boilerplate.sh - check-vendor: @echo "$(WHALE) $@" @./hack/verify-vendor.sh @@ -72,7 +80,7 @@ sync-vendor: update-vendor: sync-vendor sort-vendor ## Syncs containerd/vendor.conf -> vendor.conf and sorts vendor.conf @echo "$(WHALE) $@" -$(BUILD_DIR)/containerd: $(SOURCES) $(PLUGIN_SOURCES) +$(BUILD_DIR)/$(CONTAINERD_BIN): $(SOURCES) $(PLUGIN_SOURCES) @echo "$(WHALE) $@" $(GO) build -o $@ \ -tags '$(BUILD_TAGS)' \ 
@@ -84,7 +92,7 @@ test: ## unit test @echo "$(WHALE) $@" $(GO) test -timeout=10m -race ./pkg/... \ -tags '$(BUILD_TAGS)' \ - -ldflags '$(GO_LDFLAGS)' \ + -ldflags '$(GO_LDFLAGS)' \ -gcflags '$(GO_GCFLAGS)' $(BUILD_DIR)/integration.test: $(INTEGRATION_SOURCES) @@ -107,29 +115,34 @@ clean: ## cleanup binaries @echo "$(WHALE) $@" @rm -rf $(BUILD_DIR)/* -binaries: $(BUILD_DIR)/containerd ## build a customized containerd (same result as make containerd) +binaries: $(BUILD_DIR)/$(CONTAINERD_BIN) ## build a customized containerd (same result as make containerd) @echo "$(WHALE) $@" static-binaries: GO_LDFLAGS += -extldflags "-fno-PIC -static" -static-binaries: $(BUILD_DIR)/containerd ## build static containerd +static-binaries: $(BUILD_DIR)/$(CONTAINERD_BIN) ## build static containerd @echo "$(WHALE) $@" -containerd: $(BUILD_DIR)/containerd ## build a customized containerd with CRI plugin for testing +containerd: $(BUILD_DIR)/$(CONTAINERD_BIN) ## build a customized containerd with CRI plugin for testing @echo "$(WHALE) $@" install-containerd: containerd ## installs customized containerd to system location @echo "$(WHALE) $@" - @install -D -m 755 $(BUILD_DIR)/containerd $(BINDIR)/containerd + @install -D -m 755 $(BUILD_DIR)/$(CONTAINERD_BIN) "$(BINDIR)/$(CONTAINERD_BIN)" install: install-containerd ## installs customized containerd to system location @echo "$(WHALE) $@" uninstall: ## remove containerd from system location @echo "$(WHALE) $@" - @rm -f $(BINDIR)/containerd + @rm -f "$(BINDIR)/$(CONTAINERD_BIN)" +ifeq ($(GOOS),windows) +$(BUILD_DIR)/$(TARBALL): static-binaries vendor.conf + @BUILD_DIR=$(BUILD_DIR) TARBALL=$(TARBALL) VERSION=$(VERSION) ./hack/release-windows.sh +else $(BUILD_DIR)/$(TARBALL): static-binaries vendor.conf @BUILD_DIR=$(BUILD_DIR) TARBALL=$(TARBALL) VERSION=$(VERSION) ./hack/release.sh +endif release: $(BUILD_DIR)/$(TARBALL) ## build release tarball 
@@ -142,22 +155,29 @@ proto: ## update protobuf of the cri plugin api @API_PATH=pkg/api/v1 hack/update-proto.sh @API_PATH=pkg/api/runtimeoptions/v1 hack/update-proto.sh -.PHONY: install.deps +.PHONY: install.deps .install.deps.linux .install.deps.windows -install.deps: ## install dependencies of cri (default 'seccomp apparmor' BUILDTAGS for runc build) +ifeq ($(GOOS),windows) +install.deps: .install.deps.windows ## install windows deps on windows +else +install.deps: .install.deps.linux ## install windows deps on linux +endif + +.install.deps.linux: ## install dependencies of cri @echo "$(WHALE) $@" @./hack/install/install-deps.sh +.install.deps.windows: ## install dependencies of cri on windows + @echo "$(WHALE) $@" + @./hack/install/windows/install-deps.sh + .PHONY: .gitvalidation -# When this is running in travis, it will only check the travis commit range. -# When running outside travis, it will check from $(EPOCH_TEST_COMMIT)..HEAD. +# make .gitvalidation is only used localy for manual testing +# requires a clone of github.com/containerd/project +# containerd/project DCO validation runs automatically with github actions in ci.yml for each pull .gitvalidation: @echo "$(WHALE) $@" -ifeq ($(TRAVIS),true) - git-validation -q -run DCO,short-subject -else - git-validation -v -run DCO,short-subject -range $(EPOCH_TEST_COMMIT)..HEAD -endif + DCO_VERBOSITY=-v DCO_RANGE=$(EPOCH_TEST_COMMIT)..HEAD ../project/script/validate/dco .PHONY: install.tools .install.gitvalidation .install.golangci-lint .install.vndr @@ -186,7 +206,6 @@ install.tools: .install.gitvalidation .install.golangci-lint .install.vndr ## in install-containerd \ release \ push \ - boiler \ clean \ default \ gofmt \ diff --git a/vendor/github.com/containerd/cri/cri.go b/vendor/github.com/containerd/cri/cri.go index d477c1efbc..a74413ea65 100644 --- a/vendor/github.com/containerd/cri/cri.go +++ b/vendor/github.com/containerd/cri/cri.go 
@@ -63,6 +63,10 @@ func initCRIService(ic *plugin.InitContext) (interface{}, error) { ic.Meta.Exports = map[string]string{"CRIVersion": constants.CRIVersion} ctx := ic.Context pluginConfig := ic.Config.(*criconfig.PluginConfig) + if err := criconfig.ValidatePluginConfig(ctx, pluginConfig); err != nil { + return nil, errors.Wrap(err, "invalid plugin config") + } + c := criconfig.Config{ PluginConfig: *pluginConfig, ContainerdRootDir: filepath.Dir(ic.Root), @@ -72,10 +76,6 @@ func initCRIService(ic *plugin.InitContext) (interface{}, error) { } log.G(ctx).Infof("Start cri plugin with config %+v", c) - if err := criconfig.ValidatePluginConfig(ctx, pluginConfig); err != nil { - return nil, errors.Wrap(err, "invalid plugin config") - } - if err := setGLogLevel(); err != nil { return nil, errors.Wrap(err, "failed to set glog level") } diff --git a/vendor/github.com/containerd/cri/pkg/config/config.go b/vendor/github.com/containerd/cri/pkg/config/config.go index 97d4fe6be2..7c5f9ebea1 100644 --- a/vendor/github.com/containerd/cri/pkg/config/config.go +++ b/vendor/github.com/containerd/cri/pkg/config/config.go @@ -122,9 +122,10 @@ type AuthConfig struct { // TLSConfig contains the CA/Cert/Key used for a registry type TLSConfig struct { - CAFile string `toml:"ca_file" json:"caFile"` - CertFile string `toml:"cert_file" json:"certFile"` - KeyFile string `toml:"key_file" json:"keyFile"` + InsecureSkipVerify bool `toml:"insecure_skip_verify" json:"insecure_skip_verify"` + CAFile string `toml:"ca_file" json:"caFile"` + CertFile string `toml:"cert_file" json:"certFile"` + KeyFile string `toml:"key_file" json:"keyFile"` } // Registry is registry settings configured diff --git a/vendor/github.com/containerd/cri/pkg/seccomp/seccomp_linux.go b/vendor/github.com/containerd/cri/pkg/seccomp/seccomp_linux.go new file mode 100644 index 0000000000..a7682c89bf --- /dev/null +++ b/vendor/github.com/containerd/cri/pkg/seccomp/seccomp_linux.go 
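Review bot: The new `InsecureSkipVerify` field in `TLSConfig` has no doc comment, and its JSON tag `insecure_skip_verify` is snake_case while the sibling fields use camelCase (`caFile`, `certFile`, `keyFile`). Because the flag turns off certificate-chain and host-name verification for a registry, it deserves a comment such as `// InsecureSkipVerify disables verification of the registry's TLS certificate; pulls from that registry are no longer protected against interception or tampering in transit.` If the JSON form is consumed anywhere, `json:"insecureSkipVerify"` would match the rest of the struct. That is worth settling in the fork before users come to depend on the tag.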
@@ -0,0 +1,88 @@ +/* +Copyright The containerd Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +/* + Copyright The runc Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package seccomp + +import ( + "bufio" + "os" + "strings" + + "golang.org/x/sys/unix" +) + +// IsEnabled returns if the kernel has been configured to support seccomp. +// From https://github.com/opencontainers/runc/blob/v1.0.0-rc91/libcontainer/seccomp/seccomp_linux.go#L86-L102 +func IsEnabled() bool { + // Try to read from /proc/self/status for kernels > 3.8 + s, err := parseStatusFile("/proc/self/status") + if err != nil { + // Check if Seccomp is supported, via CONFIG_SECCOMP. + if err := unix.Prctl(unix.PR_GET_SECCOMP, 0, 0, 0, 0); err != unix.EINVAL { + // Make sure the kernel has CONFIG_SECCOMP_FILTER. 
+ if err := unix.Prctl(unix.PR_SET_SECCOMP, unix.SECCOMP_MODE_FILTER, 0, 0, 0); err != unix.EINVAL { + return true + } + } + return false + } + _, ok := s["Seccomp"] + return ok +} + +// parseStatusFile is from https://github.com/opencontainers/runc/blob/v1.0.0-rc91/libcontainer/seccomp/seccomp_linux.go#L243-L268 +func parseStatusFile(path string) (map[string]string, error) { + f, err := os.Open(path) + if err != nil { + return nil, err + } + defer f.Close() + + s := bufio.NewScanner(f) + status := make(map[string]string) + + for s.Scan() { + text := s.Text() + parts := strings.Split(text, ":") + + if len(parts) <= 1 { + continue + } + + status[parts[0]] = parts[1] + } + if err := s.Err(); err != nil { + return nil, err + } + + return status, nil +} diff --git a/vendor/github.com/containerd/cri/pkg/seccomp/seccomp_unsupported.go b/vendor/github.com/containerd/cri/pkg/seccomp/seccomp_unsupported.go new file mode 100644 index 0000000000..9544faacdd --- /dev/null +++ b/vendor/github.com/containerd/cri/pkg/seccomp/seccomp_unsupported.go @@ -0,0 +1,23 @@ +// +build !linux + +/* +Copyright The containerd Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package seccomp + +func IsEnabled() bool { + return false +} diff --git a/vendor/github.com/containerd/cri/pkg/server/container_create.go b/vendor/github.com/containerd/cri/pkg/server/container_create.go index c7e44fdbf2..ab87dcc158 100644 --- a/vendor/github.com/containerd/cri/pkg/server/container_create.go 
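Review bot: In `IsEnabled`, the `/proc/self/status` path returns true as soon as a `Seccomp` key is present, while the `CONFIG_SECCOMP_FILTER` probe via `PR_SET_SECCOMP` runs only in the fallback branch taken when the status file cannot be read. As written, a kernel that reports a seccomp mode but lacks filter support would be reported as enabled, and the failure would surface only later when a profile is applied. Consider running the `unix.Prctl(unix.PR_SET_SECCOMP, unix.SECCOMP_MODE_FILTER, 0, 0, 0)` check on both paths and stating in the doc comment that the function reports filter-mode support. The `!linux` stub in `seccomp_unsupported.go` also exports `IsEnabled` without a doc comment, e.g. `// IsEnabled always returns false on platforms without seccomp support.`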
+++ b/vendor/github.com/containerd/cri/pkg/server/container_create.go @@ -39,6 +39,7 @@ import ( "github.com/davecgh/go-spew/spew" imagespec "github.com/opencontainers/image-spec/specs-go/v1" runtimespec "github.com/opencontainers/runtime-spec/specs-go" + selinux "github.com/opencontainers/selinux/go-selinux" "github.com/opencontainers/selinux/go-selinux/label" "github.com/pkg/errors" "golang.org/x/net/context" @@ -182,7 +183,7 @@ func (c *criService) CreateContainer(ctx context.Context, r *runtime.CreateConta } defer func() { if retErr != nil { - _ = label.ReleaseLabel(spec.Process.SelinuxLabel) + selinux.ReleaseLabel(spec.Process.SelinuxLabel) } }() @@ -379,11 +380,13 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP specOpts = append(specOpts, oci.WithEnv(env)) securityContext := config.GetLinux().GetSecurityContext() - labelOptions := toLabel(securityContext.GetSelinuxOptions()) - if len(labelOptions) == 0 { - // Use pod level SELinux config + labelOptions, err := toLabel(securityContext.GetSelinuxOptions()) + if err != nil { + return nil, err + } + if len(labelOptions) == 0 { // Use pod level SELinux config if sandbox, err := c.sandboxStore.Get(sandboxID); err == nil { - labelOptions, err = label.DupSecOpt(sandbox.ProcessLabel) + labelOptions, err = selinux.DupSecOpt(sandbox.ProcessLabel) if err != nil { return nil, err } @@ -396,7 +399,7 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP } defer func() { if retErr != nil { - _ = label.ReleaseLabel(processLabel) + selinux.ReleaseLabel(processLabel) } }() @@ -544,9 +547,10 @@ func (c *criService) generateContainerMounts(sandboxID string, config *runtime.C sandboxDevShm = devShm } mounts = append(mounts, &runtime.Mount{ - ContainerPath: devShm, - HostPath: sandboxDevShm, - Readonly: false, + ContainerPath: devShm, + HostPath: sandboxDevShm, + Readonly: false, + SelinuxRelabel: true, }) } return mounts 
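Review bot: In `generateContainerMounts`, the `/dev/shm` mount now sets `SelinuxRelabel: true` unconditionally, including after the branch just above where `sandboxDevShm = devShm` makes the host path the node's own `/dev/shm`. If that branch is the host-IPC case (its condition is outside the hunk), the relabel would apply the container's label to a host directory shared with other processes. Relabel only the per-sandbox directory: `SelinuxRelabel: sandboxDevShm != devShm,`.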
diff --git a/vendor/github.com/containerd/cri/pkg/server/container_remove.go b/vendor/github.com/containerd/cri/pkg/server/container_remove.go index e5d9ef2d09..8f39cf9a22 100644 --- a/vendor/github.com/containerd/cri/pkg/server/container_remove.go +++ b/vendor/github.com/containerd/cri/pkg/server/container_remove.go @@ -22,6 +22,7 @@ import ( "github.com/containerd/containerd/log" "github.com/docker/docker/pkg/system" "github.com/pkg/errors" + "github.com/sirupsen/logrus" "golang.org/x/net/context" runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2" @@ -30,7 +31,6 @@ import ( ) // RemoveContainer removes the container. -// TODO(random-liu): Forcibly stop container if it's running. func (c *criService) RemoveContainer(ctx context.Context, r *runtime.RemoveContainerRequest) (_ *runtime.RemoveContainerResponse, retErr error) { container, err := c.containerStore.Get(r.GetContainerId()) if err != nil { @@ -43,6 +43,17 @@ func (c *criService) RemoveContainer(ctx context.Context, r *runtime.RemoveConta } id := container.ID + // Forcibly stop the containers if they are in running or unknown state + state := container.Status.Get().State() + if state == runtime.ContainerState_CONTAINER_RUNNING || + state == runtime.ContainerState_CONTAINER_UNKNOWN { + logrus.Infof("Forcibly stopping container %q", id) + if err := c.stopContainer(ctx, container, 0); err != nil { + return nil, errors.Wrapf(err, "failed to forcibly stop container %q", id) + } + + } + // Set removing state to prevent other start/remove operations against this container // while it's being removed. if err := setContainerRemoving(container); err != nil { diff --git a/vendor/github.com/containerd/cri/pkg/server/events.go b/vendor/github.com/containerd/cri/pkg/server/events.go index e4536a5599..fcbf0a3cab 100644 --- a/vendor/github.com/containerd/cri/pkg/server/events.go +++ b/vendor/github.com/containerd/cri/pkg/server/events.go 
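Review bot: In `RemoveContainer`, the new forced stop reads `container.Status.Get().State()` and calls `c.stopContainer` before `setContainerRemoving` runs, so the check and the stop are not covered by the removing guard that the following comment describes. A start racing in between would presumably make the later step fail; that should be confirmed against `setContainerRemoving`, which is not shown in the hunk. The message is also logged with the global `logrus.Infof`, while the file already imports `github.com/containerd/containerd/log`; `log.G(ctx).Infof("Forcibly stopping container %q", id)` keeps the request-scoped fields and makes the new `logrus` import unnecessary. The blank line left before the closing brace of the `if` can go.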
@@ -333,6 +333,12 @@ func handleContainerExit(ctx context.Context, e *eventtypes.TaskExit, cntr conta status.Pid = 0 status.FinishedAt = e.ExitedAt.UnixNano() status.ExitCode = int32(e.ExitStatus) + // Unknown state can only transit to EXITED state, so we need + // to handle unknown state here. + if status.Unknown { + logrus.Debugf("Container %q transited from UNKNOWN to EXITED", cntr.ID) + status.Unknown = false + } return status, nil }) if err != nil { diff --git a/vendor/github.com/containerd/cri/pkg/server/helpers.go b/vendor/github.com/containerd/cri/pkg/server/helpers.go index 4ec03ca33c..e8e8c501dd 100644 --- a/vendor/github.com/containerd/cri/pkg/server/helpers.go +++ b/vendor/github.com/containerd/cri/pkg/server/helpers.go @@ -298,11 +298,15 @@ func (c *criService) ensureImageExists(ctx context.Context, ref string, config * return &newImage, nil } -func toLabel(selinuxOptions *runtime.SELinuxOption) (labels []string) { - if selinuxOptions == nil { - return nil - } +func toLabel(selinuxOptions *runtime.SELinuxOption) ([]string, error) { + var labels []string + if selinuxOptions == nil { + return nil, nil + } + if err := checkSelinuxLevel(selinuxOptions.Level); err != nil { + return nil, err + } if selinuxOptions.User != "" { labels = append(labels, "user:"+selinuxOptions.User) } @@ -316,11 +320,15 @@ func toLabel(selinuxOptions *runtime.SELinuxOption) (labels []string) { labels = append(labels, "level:"+selinuxOptions.Level) } - return + return labels, nil } func initLabelsFromOpt(selinuxOpts *runtime.SELinuxOption) (string, string, error) { - return initLabels(toLabel(selinuxOpts)) + labels, err := toLabel(selinuxOpts) + if err != nil { + return "", "", err + } + return label.InitLabels(labels) } func initLabels(options []string) (string, string, error) { 
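Review bot: `initLabelsFromOpt` in `helpers.go` now calls `label.InitLabels(labels)` directly instead of the package's own `initLabels`, whose definition still follows as context. Whatever `initLabels` does beyond the library call is skipped on this path (its body is outside the hunk), and the helper may now have no callers. Either route through it with `return initLabels(labels)` or remove it in the same change. `toLabel` also deserves a doc comment now that it validates, e.g. `// toLabel converts CRI SELinux options into label option strings and rejects a malformed level.`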
@@ -339,7 +347,7 @@ func checkSelinuxLevel(level string) error { return nil } - matched, err := regexp.MatchString(`^s\d(-s\d)??(:c\d{1,4}((.c\d{1,4})?,c\d{1,4})*(.c\d{1,4})?(,c\d{1,4}(.c\d{1,4})?)*)?$`, level) + matched, err := regexp.MatchString(`^s\d(-s\d)??(:c\d{1,4}(\.c\d{1,4})?(,c\d{1,4}(\.c\d{1,4})?)*)?$`, level) if err != nil { return errors.Wrapf(err, "the format of 'level' %q is not correct", level) } @@ -473,6 +481,7 @@ func unknownContainerStatus() containerstore.Status { FinishedAt: 0, ExitCode: unknownExitCode, Reason: unknownExitReason, + Unknown: true, } } diff --git a/vendor/github.com/containerd/cri/pkg/server/image_pull.go b/vendor/github.com/containerd/cri/pkg/server/image_pull.go index 196bfbf378..7af42bc4e0 100644 --- a/vendor/github.com/containerd/cri/pkg/server/image_pull.go +++ b/vendor/github.com/containerd/cri/pkg/server/image_pull.go 
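Review bot: The corrected pattern in `checkSelinuxLevel` is still compiled on every call through `regexp.MatchString`, so the only error that call can return is a pattern-compile error, yet it is wrapped as a bad `level` format. Compiling once at package scope, e.g. `var selinuxLevelRe = regexp.MustCompile(...)` with the same pattern, and calling `selinuxLevelRe.MatchString(level)` removes that misleading branch. The pattern also accepts only one-digit sensitivities (`s\d`) and any category up to `c9999`, and the lazy `??` after `(-s\d)` has no effect on an anchored match. Whether those bounds fit the target policies should be confirmed. The function body continues outside the hunk.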
@@ -253,39 +253,41 @@ func (c *criService) updateImage(ctx context.Context, r string) error { // getTLSConfig returns a TLSConfig configured with a CA/Cert/Key specified by registryTLSConfig func (c *criService) getTLSConfig(registryTLSConfig criconfig.TLSConfig) (*tls.Config, error) { var ( - cert tls.Certificate - err error + tlsConfig = &tls.Config{} + cert tls.Certificate + err error ) - if registryTLSConfig.CertFile != "" && registryTLSConfig.KeyFile != "" { - cert, err = tls.LoadX509KeyPair(registryTLSConfig.CertFile, registryTLSConfig.KeyFile) - if err != nil { - return nil, errors.Wrap(err, "failed to load cert file") - } - } if registryTLSConfig.CertFile != "" && registryTLSConfig.KeyFile == "" { return nil, errors.Errorf("cert file %q was specified, but no corresponding key file was specified", registryTLSConfig.CertFile) } if registryTLSConfig.CertFile == "" && registryTLSConfig.KeyFile != "" { return nil, errors.Errorf("key file %q was specified, but no corresponding cert file was specified", registryTLSConfig.KeyFile) } + if registryTLSConfig.CertFile != "" && registryTLSConfig.KeyFile != "" { + cert, err = tls.LoadX509KeyPair(registryTLSConfig.CertFile, registryTLSConfig.KeyFile) + if err != nil { + return nil, errors.Wrap(err, "failed to load cert file") + } + if len(cert.Certificate) != 0 { + tlsConfig.Certificates = []tls.Certificate{cert} + } + tlsConfig.BuildNameToCertificate() // nolint:staticcheck + } - caCertPool, err := x509.SystemCertPool() - if err != nil { - return nil, errors.Wrap(err, "failed to get system cert pool") + if registryTLSConfig.CAFile != "" { + caCertPool, err := x509.SystemCertPool() + if err != nil { + return nil, errors.Wrap(err, "failed to get system cert pool") + } + caCert, err := ioutil.ReadFile(registryTLSConfig.CAFile) + if err != nil { + return nil, errors.Wrap(err, "failed to load CA file") + } + caCertPool.AppendCertsFromPEM(caCert) + tlsConfig.RootCAs = caCertPool } - caCert, err := 
ioutil.ReadFile(registryTLSConfig.CAFile) - if err != nil { - return nil, errors.Wrap(err, "failed to load CA file") - } - caCertPool.AppendCertsFromPEM(caCert) - tlsConfig := &tls.Config{ - RootCAs: caCertPool, - } - if len(cert.Certificate) != 0 { - tlsConfig.Certificates = []tls.Certificate{cert} - } - tlsConfig.BuildNameToCertificate() + tlsConfig.InsecureSkipVerify = registryTLSConfig.InsecureSkipVerify return tlsConfig, nil } diff --git a/vendor/github.com/containerd/cri/pkg/server/restart.go b/vendor/github.com/containerd/cri/pkg/server/restart.go index 30b1fa625b..75cbb7f319 100644 --- a/vendor/github.com/containerd/cri/pkg/server/restart.go +++ b/vendor/github.com/containerd/cri/pkg/server/restart.go @@ -307,7 +307,9 @@ func (c *criService) loadContainer(ctx context.Context, cntr containerd.Containe }() if err != nil { log.G(ctx).WithError(err).Errorf("Failed to load container status for %q", id) - status = unknownContainerStatus() + // Only set the unknown field in this case, because other fields may + // contain useful information loaded from the checkpoint. + status.Unknown = true } opts := []containerstore.Opts{ containerstore.WithStatus(status, containerDir), diff --git a/vendor/github.com/containerd/cri/pkg/server/sandbox_remove.go b/vendor/github.com/containerd/cri/pkg/server/sandbox_remove.go index 017c56cefb..c0ef5c04b5 100644 --- a/vendor/github.com/containerd/cri/pkg/server/sandbox_remove.go +++ b/vendor/github.com/containerd/cri/pkg/server/sandbox_remove.go @@ -22,6 +22,7 @@ import ( "github.com/containerd/containerd/log" "github.com/docker/docker/pkg/system" "github.com/pkg/errors" + "github.com/sirupsen/logrus" "golang.org/x/net/context" runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2" 
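Review bot: In `getTLSConfig`, the result of `caCertPool.AppendCertsFromPEM(caCert)` is discarded, so a `ca_file` with no parsable certificate is accepted silently and the registry is then checked against the system pool only. Return an error instead: `if !caCertPool.AppendCertsFromPEM(caCert) { return nil, errors.Errorf("no certificates found in CA file %q", registryTLSConfig.CAFile) }`. The final `tlsConfig.InsecureSkipVerify = registryTLSConfig.InsecureSkipVerify` also turns verification off without any log line, even when a CA file was configured; a warning at that point would make the weakened setting visible to operators. The doc comment above the function still describes only CA/Cert/Key and should mention the new flag.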
@@ -49,7 +50,10 @@ func (c *criService) RemovePodSandbox(ctx context.Context, r *runtime.RemovePodS // Return error if sandbox container is still running or unknown. state := sandbox.Status.Get().State if state == sandboxstore.StateReady || state == sandboxstore.StateUnknown { - return nil, errors.Errorf("sandbox container %q is not fully stopped", id) + logrus.Infof("Forcibly stopping sandbox %q", id) + if err := c.stopPodSandbox(ctx, sandbox); err != nil { + return nil, errors.Wrapf(err, "failed to forcibly stop sandbox %q", id) + } } // Return error if sandbox network namespace is not closed yet. diff --git a/vendor/github.com/containerd/cri/pkg/server/sandbox_run.go b/vendor/github.com/containerd/cri/pkg/server/sandbox_run.go index 24cdf5f03a..d229d14a70 100644 --- a/vendor/github.com/containerd/cri/pkg/server/sandbox_run.go +++ b/vendor/github.com/containerd/cri/pkg/server/sandbox_run.go @@ -34,7 +34,7 @@ import ( "github.com/davecgh/go-spew/spew" imagespec "github.com/opencontainers/image-spec/specs-go/v1" runtimespec "github.com/opencontainers/runtime-spec/specs-go" - "github.com/opencontainers/selinux/go-selinux/label" + selinux "github.com/opencontainers/selinux/go-selinux" "github.com/pkg/errors" "github.com/sirupsen/logrus" "golang.org/x/net/context" @@ -162,7 +162,7 @@ func (c *criService) RunPodSandbox(ctx context.Context, r *runtime.RunPodSandbox sandbox.ProcessLabel = spec.Process.SelinuxLabel defer func() { if retErr != nil { - _ = label.ReleaseLabel(sandbox.ProcessLabel) + selinux.ReleaseLabel(sandbox.ProcessLabel) } }() 
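Review bot: The context comment `// Return error if sandbox container is still running or unknown.` above the changed block in `RemovePodSandbox` no longer matches the code, which now stops the sandbox instead of returning. Replace it with `// Forcibly stop the sandbox if it is still running or in unknown state.` The new message is logged with the global `logrus.Infof`, while the file already imports `github.com/containerd/containerd/log`; `log.G(ctx).Infof("Forcibly stopping sandbox %q", id)` would keep the request context and make the added `logrus` import unnecessary.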
@@ -284,7 +284,7 @@ func (c *criService) RunPodSandbox(ctx context.Context, r *runtime.RunPodSandbox var taskOpts []containerd.NewTaskOpts // TODO(random-liu): Remove this after shim v1 is deprecated. - if c.config.NoPivot && ociRuntime.Type == plugin.RuntimeRuncV1 { + if c.config.NoPivot && (ociRuntime.Type == plugin.RuntimeRuncV1 || ociRuntime.Type == plugin.RuntimeRuncV2) { taskOpts = append(taskOpts, containerd.WithNoPivotRoot) } // We don't need stdio for sandbox container. @@ -422,7 +422,7 @@ func (c *criService) generateSandboxContainerSpec(id string, config *runtime.Pod } defer func() { if retErr != nil && processLabel != "" { - _ = label.ReleaseLabel(processLabel) + selinux.ReleaseLabel(processLabel) } }() diff --git a/vendor/github.com/containerd/cri/pkg/server/sandbox_stop.go b/vendor/github.com/containerd/cri/pkg/server/sandbox_stop.go index aab6a73013..e8fc981cc5 100644 --- a/vendor/github.com/containerd/cri/pkg/server/sandbox_stop.go +++ b/vendor/github.com/containerd/cri/pkg/server/sandbox_stop.go 
@@ -1,17 +1,17 @@ /* -Copyright 2017 The Kubernetes Authors. + Copyright The containerd Authors. -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at - http://www.apache.org/licenses/LICENSE-2.0 + http://www.apache.org/licenses/LICENSE-2.0 -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. */ package server @@ -40,6 +40,15 @@ func (c *criService) StopPodSandbox(ctx context.Context, r *runtime.StopPodSandb return nil, errors.Wrapf(err, "an error occurred when try to find sandbox %q", r.GetPodSandboxId()) } + + if err := c.stopPodSandbox(ctx, sandbox); err != nil { + return nil, err + } + + return &runtime.StopPodSandboxResponse{}, nil +} + +func (c *criService) stopPodSandbox(ctx context.Context, sandbox sandboxstore.Sandbox) error { // Use the full sandbox id. id := sandbox.ID 
@@ -53,20 +62,20 @@ func (c *criService) StopPodSandbox(ctx context.Context, r *runtime.StopPodSandb } // Forcibly stop the container. Do not use `StopContainer`, because it introduces a race // if a container is removed after list. - if err = c.stopContainer(ctx, container, 0); err != nil { - return nil, errors.Wrapf(err, "failed to stop container %q", container.ID) + if err := c.stopContainer(ctx, container, 0); err != nil { + return errors.Wrapf(err, "failed to stop container %q", container.ID) } } if err := c.unmountSandboxFiles(id, sandbox.Config); err != nil { - return nil, errors.Wrap(err, "failed to unmount sandbox files") + return errors.Wrap(err, "failed to unmount sandbox files") } // Only stop sandbox container when it's running or unknown. state := sandbox.Status.Get().State if state == sandboxstore.StateReady || state == sandboxstore.StateUnknown { if err := c.stopSandboxContainer(ctx, sandbox); err != nil { - return nil, errors.Wrapf(err, "failed to stop sandbox container %q in %q state", id, state) + return errors.Wrapf(err, "failed to stop sandbox container %q in %q state", id, state) } } 
@@ -75,21 +84,21 @@ func (c *criService) StopPodSandbox(ctx context.Context, r *runtime.StopPodSandb // Use empty netns path if netns is not available. This is defined in: // https://github.com/containernetworking/cni/blob/v0.7.0-alpha1/SPEC.md if closed, err := sandbox.NetNS.Closed(); err != nil { - return nil, errors.Wrap(err, "failed to check network namespace closed") + return errors.Wrap(err, "failed to check network namespace closed") } else if closed { sandbox.NetNSPath = "" } if err := c.teardownPodNetwork(ctx, sandbox); err != nil { - return nil, errors.Wrapf(err, "failed to destroy network for sandbox %q", id) + return errors.Wrapf(err, "failed to destroy network for sandbox %q", id) } - if err = sandbox.NetNS.Remove(); err != nil { - return nil, errors.Wrapf(err, "failed to remove network namespace for sandbox %q", id) + if err := sandbox.NetNS.Remove(); err != nil { + return errors.Wrapf(err, "failed to remove network namespace for sandbox %q", id) } } log.G(ctx).Infof("TearDown network for sandbox %q successfully", id) - return &runtime.StopPodSandboxResponse{}, nil + return nil } // stopSandboxContainer kills the sandbox container. diff --git a/vendor/github.com/containerd/cri/pkg/server/service.go b/vendor/github.com/containerd/cri/pkg/server/service.go index 5b4d826a08..a4cf5787a5 100644 --- a/vendor/github.com/containerd/cri/pkg/server/service.go +++ b/vendor/github.com/containerd/cri/pkg/server/service.go @@ -28,7 +28,6 @@ import ( "github.com/containerd/cri/pkg/store/label" cni "github.com/containerd/go-cni" runcapparmor "github.com/opencontainers/runc/libcontainer/apparmor" - runcseccomp "github.com/opencontainers/runc/libcontainer/seccomp" runcsystem "github.com/opencontainers/runc/libcontainer/system" "github.com/opencontainers/selinux/go-selinux" "github.com/pkg/errors" 
@@ -42,6 +41,7 @@ import ( ctrdutil "github.com/containerd/cri/pkg/containerd/util" osinterface "github.com/containerd/cri/pkg/os" "github.com/containerd/cri/pkg/registrar" + "github.com/containerd/cri/pkg/seccomp" containerstore "github.com/containerd/cri/pkg/store/container" imagestore "github.com/containerd/cri/pkg/store/image" sandboxstore "github.com/containerd/cri/pkg/store/sandbox" @@ -110,7 +110,7 @@ func NewCRIService(config criconfig.Config, client *containerd.Client) (CRIServi config: config, client: client, apparmorEnabled: runcapparmor.IsEnabled() && !config.DisableApparmor, - seccompEnabled: runcseccomp.IsEnabled(), + seccompEnabled: seccomp.IsEnabled(), os: osinterface.RealOS{}, sandboxStore: sandboxstore.NewStore(labels), containerStore: containerstore.NewStore(labels), diff --git a/vendor/github.com/containerd/cri/pkg/store/container/status.go b/vendor/github.com/containerd/cri/pkg/store/container/status.go index c46325bbe0..9aaef6970f 100644 --- a/vendor/github.com/containerd/cri/pkg/store/container/status.go +++ b/vendor/github.com/containerd/cri/pkg/store/container/status.go @@ -94,10 +94,16 @@ type Status struct { // Removing indicates that the container is in removing state. // This field doesn't need to be checkpointed. Removing bool `json:"-"` + // Unknown indicates that the container status is not fully loaded. + // This field doesn't need to be checkpointed. + Unknown bool `json:"-"` } // State returns current state of the container based on the container status. func (s Status) State() runtime.ContainerState { + if s.Unknown { + return runtime.ContainerState_CONTAINER_UNKNOWN + } if s.FinishedAt != 0 { return runtime.ContainerState_CONTAINER_EXITED } diff --git a/vendor/github.com/containerd/cri/vendor.conf b/vendor/github.com/containerd/cri/vendor.conf index 9a785d077f..fe34450936 100644 --- a/vendor/github.com/containerd/cri/vendor.conf +++ b/vendor/github.com/containerd/cri/vendor.conf 
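Review bot: `seccompEnabled` is now taken from `seccomp.IsEnabled()` in the new `pkg/seccomp` package, and nothing on the changed line records the probed value or says what a `false` result means for pods that request a seccomp profile. If the new probe ever disagrees with the runc one it replaces, enforcement would change for the whole node with no visible signal. I would add a comment at the assignment such as `// probed once at service construction via pkg/seccomp; see IsEnabled for the kernel checks` and log the resulting value when the service is built. The body of `IsEnabled` and the consumers of `seccompEnabled` are outside this hunk, so how a false value is handled is an assumption to confirm.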
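Review bot: In `State()` the new `s.Unknown` test runs before the `FinishedAt` test, so a status that already carries an exit time still reports `CONTAINER_UNKNOWN` while the flag is set, and the doc comment on `State` does not mention that precedence. Because the field is tagged `json:"-"`, the flag is also never persisted, which the field comment states but the method comment does not connect to. I would extend the method comment to `// State returns CONTAINER_UNKNOWN while Unknown is set, regardless of the recorded timestamps; otherwise the state is derived from the timestamps.` The rest of `State()` and the callers that switch on its result are outside this hunk, so whether each of them handles the new value should be checked there.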
@@ -1,75 +1,79 @@ # cri dependencies github.com/tchap/go-patricia v2.2.6 -github.com/opencontainers/selinux v1.2.2 +github.com/opencontainers/selinux bb88c45a3863dc4c38320d71b890bb30ef9feba4 github.com/docker/docker 86f080cff0914e9694068ed78d503701667c4c00 github.com/docker/distribution 0d3efadf0154c2b8a4e7b6621fff9809655cc580 # containerd dependencies -go.etcd.io/bbolt 2eb7227adea1d5cf85f0bc2a82b7059b13c2fa68 -google.golang.org/grpc 25c4f928eaa6d96443009bd842389fb4fa48664e # v1.20.1 -google.golang.org/genproto d80a6e20e776b0b17a324d0ba1ab50a39c8e8944 -golang.org/x/text 19e51611da83d6be54ddafce4a4af510cb3e9ea4 -golang.org/x/sys 4c4f7f33c9ed00de01c4c741d2177abfcfe19307 https://github.com/golang/sys -golang.org/x/sync 42b317875d0fa942474b76e1b46a6060d720ae6e -golang.org/x/net f3200d17e092c607f615320ecaad13d87ad9a2b3 -github.com/urfave/cli 7bc6a0acffa589f415f88aca16cc1de5ffd66f9c -github.com/syndtr/gocapability d98352740cb2c55f81556b63d4a1ec64c5a319c2 -github.com/sirupsen/logrus v1.4.1 -github.com/prometheus/procfs cb4147076ac75738c9a7d279075a253c0cc5acbd -github.com/prometheus/common 89604d197083d4781071d3c65855d24ecfb0a563 -github.com/prometheus/client_model 99fa1f4be8e564e8a6b613da7fa6f46c9edafc6c -github.com/prometheus/client_golang f4fb1b73fb099f396a7f0036bf86aa8def4ed823 -github.com/pkg/errors v0.8.1 -github.com/opencontainers/runtime-spec 29686dbc5559d93fb1ef402eeda3e35c38d75af4 # v1.0.1-59-g29686db -github.com/opencontainers/runc f4982d86f7fde0b6f953cc62ccc4022c519a10a9 # v1.0.0-rc8-32-gf4982d86 -github.com/opencontainers/image-spec v1.0.1 -github.com/opencontainers/go-digest c9281466c8b2f606084ac71339773efd177436e7 -github.com/matttproud/golang_protobuf_extensions v1.0.1 -github.com/grpc-ecosystem/go-grpc-prometheus v1.1 -github.com/google/uuid v1.1.1 -github.com/golang/protobuf v1.2.0 -github.com/gogo/protobuf v1.2.1 -github.com/gogo/googleapis v1.2.0 -github.com/godbus/dbus v3 -github.com/docker/go-units v0.4.0 -github.com/docker/go-metrics 
4ea375f7759c82740c893fc030bc37088d2ec098 -github.com/docker/go-events 9461782956ad83b30282bf90e31fa6a70c255ba9 -github.com/coreos/go-systemd v14 -github.com/containerd/typeurl a93fcdb778cd272c6e9b3028b2f42d813e785d40 -github.com/containerd/ttrpc 92c8520ef9f86600c650dd540266a007bf03670f -github.com/containerd/go-runc e029b79d8cda8374981c64eba71f28ec38e5526f -github.com/containerd/fifo bda0ff6ed73c67bfb5e62bc9c697f146b7fd7f13 -github.com/containerd/continuity f2a389ac0a02ce21c09edd7344677a601970f41c -github.com/containerd/containerd d4802a64f9737f02db3426751f380d97fc878dec -github.com/containerd/console 0650fd9eeb50bab4fc99dceb9f2e14cf58f36e7f -github.com/containerd/cgroups c4b9ac5c7601384c965b9646fc515884e091ebb9 -github.com/beorn7/perks 4c0e84591b9aa9e6dcfdf3e020114cd81f89d5f9 -github.com/Microsoft/hcsshim 9e921883ac929bbe515b39793ece99ce3a9d7706 -github.com/Microsoft/go-winio v0.4.14 github.com/BurntSushi/toml v0.3.1 -github.com/imdario/mergo v0.3.7 +github.com/Microsoft/go-winio v0.4.14 +github.com/Microsoft/hcsshim 9e921883ac929bbe515b39793ece99ce3a9d7706 +github.com/beorn7/perks 4c0e84591b9aa9e6dcfdf3e020114cd81f89d5f9 +github.com/containerd/cgroups c4b9ac5c7601384c965b9646fc515884e091ebb9 +github.com/containerd/console 0650fd9eeb50bab4fc99dceb9f2e14cf58f36e7f +github.com/containerd/containerd v1.3.6 +github.com/containerd/continuity f2a389ac0a02ce21c09edd7344677a601970f41c +github.com/containerd/fifo bda0ff6ed73c67bfb5e62bc9c697f146b7fd7f13 +github.com/containerd/go-runc e029b79d8cda8374981c64eba71f28ec38e5526f +github.com/containerd/ttrpc 92c8520ef9f86600c650dd540266a007bf03670f +github.com/containerd/typeurl a93fcdb778cd272c6e9b3028b2f42d813e785d40 +github.com/coreos/go-systemd 48702e0da86bd25e76cfef347e2adeb434a0d0a6 # v14 +github.com/cpuguy83/go-md2man 7762f7e404f8416dfa1d9bb6a8c192aa9acb4d19 # v1.0.10 +github.com/docker/go-events 9461782956ad83b30282bf90e31fa6a70c255ba9 +github.com/docker/go-metrics 4ea375f7759c82740c893fc030bc37088d2ec098 
+github.com/docker/go-units v0.4.0 +github.com/godbus/dbus c7fdd8b5cd55e87b4e1f4e372cdb1db61dd6c66f # v3 +github.com/gogo/googleapis v1.2.0 +github.com/gogo/protobuf v1.2.1 +github.com/golang/protobuf v1.2.0 +github.com/google/uuid 0cd6bf5da1e1c83f8b45653022c74f71af0538a4 # v1.1.1 +github.com/grpc-ecosystem/go-grpc-prometheus 6b7015e65d366bf3f19b2b2a000a831940f0f7e0 # v1.1 +github.com/hashicorp/golang-lru v0.5.3 +github.com/imdario/mergo 7c29201646fa3de8506f701213473dd407f19646 # v0.3.7 +github.com/matttproud/golang_protobuf_extensions v1.0.1 +github.com/opencontainers/go-digest c9281466c8b2f606084ac71339773efd177436e7 +github.com/opencontainers/image-spec v1.0.1 +github.com/opencontainers/runc d736ef14f0288d6993a1845745d6756cfc9ddd5a # v1.0.0-rc9 +github.com/opencontainers/runtime-spec 29686dbc5559d93fb1ef402eeda3e35c38d75af4 # v1.0.1-59-g29686db +github.com/pkg/errors v0.8.1 +github.com/prometheus/client_golang f4fb1b73fb099f396a7f0036bf86aa8def4ed823 +github.com/prometheus/client_model 99fa1f4be8e564e8a6b613da7fa6f46c9edafc6c +github.com/prometheus/common 89604d197083d4781071d3c65855d24ecfb0a563 +github.com/prometheus/procfs cb4147076ac75738c9a7d279075a253c0cc5acbd +github.com/russross/blackfriday 05f3235734ad95d0016f6a23902f06461fcf567a # v1.5.2 +github.com/sirupsen/logrus v1.4.1 +github.com/syndtr/gocapability d98352740cb2c55f81556b63d4a1ec64c5a319c2 +github.com/urfave/cli v1.22.0 +go.etcd.io/bbolt v1.3.3 +go.opencensus.io v0.22.0 +golang.org/x/net f3200d17e092c607f615320ecaad13d87ad9a2b3 +golang.org/x/sync 42b317875d0fa942474b76e1b46a6060d720ae6e +golang.org/x/sys 9eafafc0a87e0fd0aeeba439a4573537970c44c7 https://github.com/golang/sys +golang.org/x/text 19e51611da83d6be54ddafce4a4af510cb3e9ea4 +google.golang.org/appengine v1.5.0 +google.golang.org/genproto d80a6e20e776b0b17a324d0ba1ab50a39c8e8944 +google.golang.org/grpc 6eaf6f47437a6b4e2153a190160ef39a92c7eceb # v1.23.0 # kubernetes dependencies sigs.k8s.io/yaml v1.1.0 -k8s.io/utils 
c2654d5206da6b7b6ace12841e8f359bb89b443c -k8s.io/kubernetes v1.16.0-rc.2 -k8s.io/klog v0.4.0 -k8s.io/cri-api kubernetes-1.16.0-rc.2 -k8s.io/client-go kubernetes-1.16.0-rc.2 -k8s.io/api kubernetes-1.16.0-rc.2 -k8s.io/apiserver kubernetes-1.16.0-rc.2 -k8s.io/apimachinery kubernetes-1.16.0-rc.2 -gopkg.in/yaml.v2 v2.2.2 -gopkg.in/inf.v0 v0.9.0 -golang.org/x/time 85acf8d2951cb2a3bde7632f9ff273ef0379bcbd +k8s.io/utils e782cd3c129fc98ee807f3c889c0f26eb7c9daf5 +k8s.io/kubernetes v1.16.6 +k8s.io/klog v1.0.0 +k8s.io/cri-api kubernetes-1.16.6 +k8s.io/client-go kubernetes-1.16.6 +k8s.io/api kubernetes-1.16.6 +k8s.io/apiserver kubernetes-1.16.6 +k8s.io/apimachinery kubernetes-1.16.6 +gopkg.in/yaml.v2 53403b58ad1b561927d19068c655246f2db79d48 # v2.2.8 +gopkg.in/inf.v0 v0.9.1 +golang.org/x/time 9d24e82272b4f38b78bc8cff74fa936d31ccd8ef golang.org/x/oauth2 0f29369cfe4552d0e4bcddc57cc75f4d7e672a33 -golang.org/x/crypto 5c40567a22f818bd14a1ea7245dad9f8ef0691aa -github.com/stretchr/testify v1.3.0 -github.com/seccomp/libseccomp-golang v0.9.1 +golang.org/x/crypto 60c769a6c58655dab1b9adac0d58967dd517cfba +github.com/stretchr/testify v1.4.0 github.com/pmezard/go-difflib v1.0.0 -github.com/modern-go/reflect2 1.0.1 +github.com/modern-go/reflect2 v1.0.1 github.com/modern-go/concurrent 1.0.3 -github.com/json-iterator/go v1.1.7 +github.com/json-iterator/go v1.1.8 github.com/google/gofuzz v1.0.0 github.com/emicklei/go-restful v2.9.5 github.com/docker/spdystream 449fdfce4d962303d702fec724ef0ad181c92528 diff --git a/vendor/modules.txt b/vendor/modules.txt index 2b4347a9ce..da9cb35c95 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt 
@@ -297,7 +297,7 @@ github.com/containerd/continuity/pathdriver github.com/containerd/continuity/proto github.com/containerd/continuity/syscallx github.com/containerd/continuity/sysx -# github.com/containerd/cri v0.0.0-00010101000000-000000000000 => github.com/rancher/cri v1.3.0-k3s.6 +# github.com/containerd/cri v0.0.0-00010101000000-000000000000 => github.com/rancher/cri v1.3.0-k3s.8 github.com/containerd/cri github.com/containerd/cri/pkg/annotations github.com/containerd/cri/pkg/api/runtimeoptions/v1 @@ -310,6 +310,7 @@ github.com/containerd/cri/pkg/ioutil github.com/containerd/cri/pkg/netns github.com/containerd/cri/pkg/os github.com/containerd/cri/pkg/registrar +github.com/containerd/cri/pkg/seccomp github.com/containerd/cri/pkg/server github.com/containerd/cri/pkg/server/io github.com/containerd/cri/pkg/store