diff --git a/go.mod b/go.mod
index 852737d7fd..b69dcc3e61 100644
--- a/go.mod
+++ b/go.mod
@@ -27,7 +27,7 @@ replace (
 	github.com/kubernetes-sigs/cri-tools => github.com/k3s-io/cri-tools v1.21.0-k3s1
 	github.com/matryer/moq => github.com/rancher/moq v0.0.0-20190404221404-ee5226d43009
 	// LOOK TO scripts/download FOR THE VERSION OF runc THAT WE ARE BUILDING/SHIPPING
-	github.com/opencontainers/runc => github.com/opencontainers/runc v1.0.2
+	github.com/opencontainers/runc => github.com/opencontainers/runc v1.0.3
 	github.com/opencontainers/runtime-spec => github.com/opencontainers/runtime-spec v1.0.3-0.20210316141917-a8c4a9ee0f6b
 	github.com/rancher/k3s/pkg/data => ./pkg/data
 	go.etcd.io/etcd => github.com/k3s-io/etcd v0.5.0-alpha.5.0.20201208200253-50621aee4aea
@@ -110,7 +110,7 @@ require (
 	github.com/onsi/ginkgo v1.16.4
 	github.com/onsi/gomega v1.11.0
 	// LOOK TO scripts/download FOR THE VERSION OF runc THAT WE ARE BUILDING/SHIPPING
-	github.com/opencontainers/runc v1.0.2
+	github.com/opencontainers/runc v1.0.3
 	github.com/opencontainers/selinux v1.8.2
 	github.com/otiai10/copy v1.6.0
 	github.com/pkg/errors v0.9.1
diff --git a/go.sum b/go.sum
index cbc4f741b4..f1d109dd8c 100644
--- a/go.sum
+++ b/go.sum
@@ -822,8 +822,8 @@ github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3I
 github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
 github.com/opencontainers/image-spec v1.0.2-0.20210730191737-8e42a01fb1b7 h1:axgApq2XShTLwQii2zAnIkMPlhGVHbAXHUcHezu5G/k=
 github.com/opencontainers/image-spec v1.0.2-0.20210730191737-8e42a01fb1b7/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
-github.com/opencontainers/runc v1.0.2 h1:opHZMaswlyxz1OuGpBE53Dwe4/xF7EZTY0A2L/FpCOg=
-github.com/opencontainers/runc v1.0.2/go.mod h1:aTaHFFwQXuA71CiyxOdFFIorAoemI04suvGRQFzWTD0=
+github.com/opencontainers/runc v1.0.3 h1:1hbqejyQWCJBvtKAfdO0b1FmaEf2z/bxnjqbARass5k=
+github.com/opencontainers/runc v1.0.3/go.mod h1:aTaHFFwQXuA71CiyxOdFFIorAoemI04suvGRQFzWTD0=
 github.com/opencontainers/runtime-spec v1.0.3-0.20210316141917-a8c4a9ee0f6b h1:ZDY8P/luqXqGJSNCux8+9GeKmBDS+JVgVuIwKTauiwM=
 github.com/opencontainers/runtime-spec v1.0.3-0.20210316141917-a8c4a9ee0f6b/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-tools v0.0.0-20181011054405-1d69bd0f9c39/go.mod h1:r3f7wjNzSs2extwzU3Y+6pKfobzPh+kKFJ3ofN+3nfs=
diff --git a/scripts/download b/scripts/download
index 6bb5fb81d7..07b297e55e 100755
--- a/scripts/download
+++ b/scripts/download
@@ -4,7 +4,7 @@ cd $(dirname $0)/..
 
 . ./scripts/version.sh
 
-RUNC_VERSION=v1.0.0
+RUNC_VERSION=v1.0.3
 ROOT_VERSION=v0.9.1
 TRAEFIK_VERSION=9.18.2 # appVersion: 2.4.8
 CHARTS_DIR=build/static/charts
diff --git a/vendor/github.com/opencontainers/runc/.cirrus.yml b/vendor/github.com/opencontainers/runc/.cirrus.yml
index 74b7deae4e..5fe7086f3c 100644
--- a/vendor/github.com/opencontainers/runc/.cirrus.yml
+++ b/vendor/github.com/opencontainers/runc/.cirrus.yml
@@ -106,7 +106,7 @@ task:
       yum config-manager --set-enabled powertools
       ;;
     esac
-    yum install -y -q gcc git iptables jq glibc-static libseccomp-devel make criu
+    yum install -y -q gcc git iptables jq glibc-static libseccomp-devel make criu fuse-sshfs
     # install Go
     curl -fsSL "https://dl.google.com/go/go${GO_VERSION}.linux-amd64.tar.gz" | tar Cxz /usr/local
     # install bats
@@ -118,6 +118,12 @@ task:
     cd -
     # Add a user for rootless tests
     useradd -u2000 -m -d/home/rootless -s/bin/bash rootless
+    # Allow root and rootless itself to execute `ssh rootless@localhost` in tests/rootless.sh
+    ssh-keygen -t ecdsa -N "" -f /root/rootless.key
+    mkdir -m 0700 -p /home/rootless/.ssh
+    cp /root/rootless.key /home/rootless/.ssh/id_ecdsa
+    cat /root/rootless.key.pub >> /home/rootless/.ssh/authorized_keys
+    chown -R rootless.rootless /home/rootless
     # set PATH
     echo 'export PATH=/usr/local/go/bin:/usr/local/bin:$PATH' >> /root/.bashrc
     # Setup ssh localhost for terminal emulation (script -e did not work)
diff --git a/vendor/github.com/opencontainers/runc/Dockerfile b/vendor/github.com/opencontainers/runc/Dockerfile
index 2266903ced..7a56ff45da 100644
--- a/vendor/github.com/opencontainers/runc/Dockerfile
+++ b/vendor/github.com/opencontainers/runc/Dockerfile
@@ -32,6 +32,7 @@ RUN echo 'deb https://download.opensuse.org/repositories/devel:/tools:/criu/Debi
         libseccomp2 \
         pkg-config \
         python-minimal \
+        sshfs \
         sudo \
         uidmap \
     && apt-get clean \
diff --git a/vendor/github.com/opencontainers/runc/VERSION b/vendor/github.com/opencontainers/runc/VERSION
index 6d7de6e6ab..21e8796a09 100644
--- a/vendor/github.com/opencontainers/runc/VERSION
+++ b/vendor/github.com/opencontainers/runc/VERSION
@@ -1 +1 @@
-1.0.2
+1.0.3
diff --git a/vendor/github.com/opencontainers/runc/Vagrantfile.fedora34 b/vendor/github.com/opencontainers/runc/Vagrantfile.fedora34
index 2c1f049a51..3841e5df80 100644
--- a/vendor/github.com/opencontainers/runc/Vagrantfile.fedora34
+++ b/vendor/github.com/opencontainers/runc/Vagrantfile.fedora34
@@ -21,7 +21,7 @@ Vagrant.configure("2") do |config|
 config exclude kernel,kernel-core
 config install_weak_deps false
 update
-install iptables gcc make golang-go glibc-static libseccomp-devel bats jq git-core criu
+install iptables gcc make golang-go glibc-static libseccomp-devel bats jq git-core criu fuse-sshfs
 ts run
 EOF
     done
@@ -30,9 +30,10 @@ EOF
     # Add a user for rootless tests
     useradd -u2000 -m -d/home/rootless -s/bin/bash rootless
 
-    # Allow root to execute `ssh rootless@localhost` in tests/rootless.sh
+    # Allow root and rootless itself to execute `ssh rootless@localhost` in tests/rootless.sh
     ssh-keygen -t ecdsa -N "" -f /root/rootless.key
     mkdir -m 0700 -p /home/rootless/.ssh
+    cp /root/rootless.key /home/rootless/.ssh/id_ecdsa
     cat /root/rootless.key.pub >> /home/rootless/.ssh/authorized_keys
     chown -R rootless.rootless /home/rootless
 
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs2/hugetlb.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs2/hugetlb.go
index 3f513975bd..96390a224f 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs2/hugetlb.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs2/hugetlb.go
@@ -30,10 +30,7 @@ func setHugeTlb(dirPath string, r *configs.Resources) error {
 }
 
 func statHugeTlb(dirPath string, stats *cgroups.Stats) error {
-	hugePageSizes, err := cgroups.GetHugePageSize()
-	if err != nil {
-		return errors.Wrap(err, "failed to fetch hugetlb info")
-	}
+	hugePageSizes, _ := cgroups.GetHugePageSize()
 	hugetlbStats := cgroups.HugetlbStats{}
 
 	for _, pagesize := range hugePageSizes {
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/dbus.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/dbus.go
index a70a9df43e..0690564556 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/dbus.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/dbus.go
@@ -4,6 +4,7 @@ package systemd
 
 import (
 	"context"
+	"fmt"
 	"sync"
 
 	systemdDbus "github.com/coreos/go-systemd/v22/dbus"
@@ -54,7 +55,10 @@ func (d *dbusConnManager) getConnection() (*systemdDbus.Conn, error) {
 
 	conn, err := d.newConnection()
 	if err != nil {
-		return nil, err
+		// When dbus-user-session is not installed, we can't detect whether we should try to connect to user dbus or system dbus, so d.dbusRootless is set to false.
+		// This may fail with a cryptic error "read unix @->/run/systemd/private: read: connection reset by peer: unknown."
+		// https://github.com/moby/moby/issues/42793
+		return nil, fmt.Errorf("failed to connect to dbus (hint: for rootless containers, maybe you need to install dbus-user-session package, see https://github.com/opencontainers/runc/blob/master/docs/cgroup-v2.md): %w", err)
 	}
 	dbusC = conn
 	return conn, nil
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/v2.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/v2.go
index 8176ce5b2e..55273b722c 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/v2.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/v2.go
@@ -5,7 +5,6 @@ package systemd
 import (
 	"fmt"
 	"math"
-	"os"
 	"path/filepath"
 	"strconv"
 	"strings"
@@ -307,9 +306,10 @@ func (m *unifiedManager) Destroy() error {
 		return err
 	}
 
-	// XXX this is probably not needed, systemd should handle it
-	err := os.Remove(m.path)
-	if err != nil && !os.IsNotExist(err) {
+	// systemd 239 do not remove sub-cgroups.
+	err := cgroups.RemovePath(m.path)
+	// cgroups.RemovePath has handled ErrNotExist
+	if err != nil {
 		return err
 	}
 
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/container_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/container_linux.go
index 6ce1854f68..1484703b0c 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/container_linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/container_linux.go
@@ -2028,16 +2028,34 @@ func encodeIDMapping(idMap []configs.IDMap) ([]byte, error) {
 	return data.Bytes(), nil
 }
 
+// netlinkError is an error wrapper type for use by custom netlink message
+// types. Panics with errors are wrapped in netlinkError so that the recover
+// in bootstrapData can distinguish intentional panics.
+type netlinkError struct{ error }
+
 // bootstrapData encodes the necessary data in netlink binary format
 // as a io.Reader.
 // Consumer can write the data to a bootstrap program
 // such as one that uses nsenter package to bootstrap the container's
 // init process correctly, i.e. with correct namespaces, uid/gid
 // mapping etc.
-func (c *linuxContainer) bootstrapData(cloneFlags uintptr, nsMaps map[configs.NamespaceType]string) (io.Reader, error) {
+func (c *linuxContainer) bootstrapData(cloneFlags uintptr, nsMaps map[configs.NamespaceType]string) (_ io.Reader, Err error) {
 	// create the netlink message
 	r := nl.NewNetlinkRequest(int(InitMsg), 0)
 
+	// Our custom messages cannot bubble up an error using returns, instead
+	// they will panic with the specific error type, netlinkError. In that
+	// case, recover from the panic and return that as an error.
+	defer func() {
+		if r := recover(); r != nil {
+			if e, ok := r.(netlinkError); ok {
+				Err = e.error
+			} else {
+				panic(r)
+			}
+		}
+	}()
+
 	// write cloneFlags
 	r.AddData(&Int32msg{
 		Type: CloneFlagsAttr,
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/message_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/message_linux.go
index 1d4f5033aa..e4107ce39f 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/message_linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/message_linux.go
@@ -3,6 +3,9 @@
 package libcontainer
 
 import (
+	"fmt"
+	"math"
+
 	"github.com/vishvananda/netlink/nl"
 	"golang.org/x/sys/unix"
 )
@@ -54,6 +57,12 @@ type Bytemsg struct {
 
 func (msg *Bytemsg) Serialize() []byte {
 	l := msg.Len()
+	if l > math.MaxUint16 {
+		// We cannot return nil nor an error here, so we panic with
+		// a specific type instead, which is handled via recover in
+		// bootstrapData.
+		panic(netlinkError{fmt.Errorf("netlink: cannot serialize bytemsg of length %d (larger than UINT16_MAX)", l)})
+	}
 	buf := make([]byte, (l+unix.NLA_ALIGNTO-1) & ^(unix.NLA_ALIGNTO-1))
 	native := nl.NativeEndian()
 	native.PutUint16(buf[0:2], uint16(l))
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go
index 430f490dec..f962681947 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go
@@ -22,7 +22,6 @@ import (
 	"github.com/opencontainers/runc/libcontainer/devices"
 	"github.com/opencontainers/runc/libcontainer/userns"
 	"github.com/opencontainers/runc/libcontainer/utils"
-	libcontainerUtils "github.com/opencontainers/runc/libcontainer/utils"
 	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/sirupsen/logrus"
@@ -42,7 +41,7 @@ type mountConfig struct {
 // needsSetupDev returns true if /dev needs to be set up.
 func needsSetupDev(config *configs.Config) bool {
 	for _, m := range config.Mounts {
-		if m.Device == "bind" && libcontainerUtils.CleanPath(m.Destination) == "/dev" {
+		if m.Device == "bind" && utils.CleanPath(m.Destination) == "/dev" {
 			return false
 		}
 	}
@@ -154,15 +153,16 @@ func prepareRootfs(pipe io.ReadWriter, iConfig *initConfig) (err error) {
 // finalizeRootfs sets anything to ro if necessary. You must call
 // prepareRootfs first.
 func finalizeRootfs(config *configs.Config) (err error) {
-	// remount dev as ro if specified
+	// All tmpfs mounts and /dev were previously mounted as rw
+	// by mountPropagate. Remount them read-only as requested.
 	for _, m := range config.Mounts {
-		if libcontainerUtils.CleanPath(m.Destination) == "/dev" {
-			if m.Flags&unix.MS_RDONLY == unix.MS_RDONLY {
-				if err := remountReadonly(m); err != nil {
-					return newSystemErrorWithCausef(err, "remounting %q as readonly", m.Destination)
-				}
+		if m.Flags&unix.MS_RDONLY != unix.MS_RDONLY {
+			continue
+		}
+		if m.Device == "tmpfs" || utils.CleanPath(m.Destination) == "/dev" {
+			if err := remountReadonly(m); err != nil {
+				return newSystemErrorWithCausef(err, "remounting %q as readonly", m.Destination)
 			}
-			break
 		}
 	}
 
@@ -432,12 +432,6 @@ func mountToRootfs(m *configs.Mount, c *mountConfig) error {
 				return err
 			}
 		}
-		// Initially mounted rw in mountPropagate, remount to ro if flag set.
-		if m.Flags&unix.MS_RDONLY != 0 {
-			if err := remount(m, rootfs); err != nil {
-				return err
-			}
-		}
 		return nil
 	case "bind":
 		if err := prepareBindMount(m, rootfs); err != nil {
@@ -1035,7 +1029,22 @@ func writeSystemProperty(key, value string) error {
 
 func remount(m *configs.Mount, rootfs string) error {
 	return utils.WithProcfd(rootfs, m.Destination, func(procfd string) error {
-		return unix.Mount(m.Source, procfd, m.Device, uintptr(m.Flags|unix.MS_REMOUNT), "")
+		flags := uintptr(m.Flags | unix.MS_REMOUNT)
+		err := unix.Mount(m.Source, procfd, m.Device, flags, "")
+		if err == nil {
+			return nil
+		}
+		// Check if the source has ro flag...
+		var s unix.Statfs_t
+		if err := unix.Statfs(m.Source, &s); err != nil {
+			return &os.PathError{Op: "statfs", Path: m.Source, Err: err}
+		}
+		if s.Flags&unix.MS_RDONLY != unix.MS_RDONLY {
+			return err
+		}
+		// ... and retry the mount with ro flag set.
+		flags |= unix.MS_RDONLY
+		return unix.Mount(m.Source, procfd, m.Device, flags, "")
 	})
 }
 
@@ -1047,10 +1056,10 @@ func mountPropagate(m *configs.Mount, rootfs string, mountLabel string) error {
 		flags = m.Flags
 	)
 	// Delay mounting the filesystem read-only if we need to do further
-	// operations on it. We need to set up files in "/dev" and tmpfs mounts may
-	// need to be chmod-ed after mounting. The mount will be remounted ro later
-	// in finalizeRootfs() if necessary.
-	if libcontainerUtils.CleanPath(m.Destination) == "/dev" || m.Device == "tmpfs" {
+	// operations on it. We need to set up files in "/dev", and other tmpfs
+	// mounts may need to be chmod-ed after mounting. These mounts will be
+	// remounted ro later in finalizeRootfs(), if necessary.
+	if m.Device == "tmpfs" || utils.CleanPath(m.Destination) == "/dev" {
 		flags &= ^unix.MS_RDONLY
 	}
 
diff --git a/vendor/modules.txt b/vendor/modules.txt
index bb7a262d7b..724e7f6f9e 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -891,7 +891,7 @@ github.com/opencontainers/go-digest/digestset
 github.com/opencontainers/image-spec/identity
 github.com/opencontainers/image-spec/specs-go
 github.com/opencontainers/image-spec/specs-go/v1
-# github.com/opencontainers/runc v1.0.2 => github.com/opencontainers/runc v1.0.2
+# github.com/opencontainers/runc v1.0.3 => github.com/opencontainers/runc v1.0.3
 ## explicit
 github.com/opencontainers/runc
 github.com/opencontainers/runc/contrib/cmd/recvtty
@@ -3315,7 +3315,7 @@ sigs.k8s.io/yaml
 # github.com/juju/errors => github.com/k3s-io/nocode v0.0.0-20200630202308-cb097102c09f
 # github.com/kubernetes-sigs/cri-tools => github.com/k3s-io/cri-tools v1.21.0-k3s1
 # github.com/matryer/moq => github.com/rancher/moq v0.0.0-20190404221404-ee5226d43009
-# github.com/opencontainers/runc => github.com/opencontainers/runc v1.0.2
+# github.com/opencontainers/runc => github.com/opencontainers/runc v1.0.3
 # github.com/opencontainers/runtime-spec => github.com/opencontainers/runtime-spec v1.0.3-0.20210316141917-a8c4a9ee0f6b
 # github.com/rancher/k3s/pkg/data => ./pkg/data
 # go.etcd.io/etcd => github.com/k3s-io/etcd v0.5.0-alpha.5.0.20201208200253-50621aee4aea