Conversation

@katiewasnothere
Collaborator

This PR merges containerd/containerd at release/1.5 into fork/master

estesp and others added 30 commits April 15, 2021 10:05
converter: use OpenWriter helper function
Fix backward-compatibility issue of non-versioned config file
Signed-off-by: Shiming Zhang <wzshiming@foxmail.com>
Optimize content/local/store.Writer backoff
ci: upload junit formatted test results
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
To ease code readability

Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
This has some problems, namely that it gets confused as to what workflow
run to add results to. Related issue:
EnricoMi/publish-unit-test-result-action#12
This seems to be a shortcoming of the github API:
https://github.community/t/specify-check-suite-when-creating-a-checkrun/118380/7

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Deleting a non-empty namespace fails with

> namespace must be empty: failed precondition

This change improves the error message by listing the types of
the objects in the namespace that prevent deletion.

Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
Signed-off-by: Samuel Karp <me@samuelkarp.com>
fork/exec can fail and log a warning like this in containerd's log:
failed to clean up after shim disconnected error=": fork/exec /usr/local/bin/containerd-shim-[my-shim]: no such file or directory" id=test namespace=default

Passing the bundle path on the command line allows the shim delete
command to run successfully.

Signed-off-by: Samuel Karp <me@samuelkarp.com>
Signed-off-by: Samuel Karp <me@samuelkarp.com>
Signed-off-by: Iceber Gu <wei.cai-nat@daocloud.io>
metadata: improve deleting a non-empty namespace's error message
Signed-off-by: Samuel Karp <me@samuelkarp.com>
Signed-off-by: Samuel Karp <me@samuelkarp.com>
Current implementation of seccomp.IsEnabled (rooted in runc) is not
too good.

First, it parses the whole /proc/self/status, adding each key: value
pair into the map (lots of allocations and future work for garbage
collector), when using a single key from that map.

Second, the presence of "Seccomp" key in /proc/self/status merely means
that kernel option CONFIG_SECCOMP is set, but there is a need to _also_
check for CONFIG_SECCOMP_FILTER (the code for which exists but is never
executed in case /proc/self/status has Seccomp key).

Replace all this with a single call to prctl; see the long comment in
the code for details.

While at it, improve the IsEnabled documentation.

NOTE historically, parsing /proc/self/status was added after a concern
was raised in opencontainers/runc#471 that
prctl(PR_GET_SECCOMP, ...) can result in the calling process being
killed with SIGKILL. This is a valid concern, so the new code here
does not use PR_GET_SECCOMP at all.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
It does not make sense to check if seccomp is supported by the kernel
more than once per runtime, so let's use sync.Once to speed it up.

A quick benchmark (old implementation, before this commit, after):

BenchmarkIsEnabledOld-4           37183            27971 ns/op
BenchmarkIsEnabled-4            1252161              947 ns/op
BenchmarkIsEnabledOnce-4      666274008             2.14 ns/op

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
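The probe that the two commit messages above describe, written out as an added example (this is not containerd's or runc's own code): a single prctl(2) call with a NULL filter pointer, interpreted by the errno values prctl(2) documents, with the result cached behind sync.Once so the kernel is asked only once per process. It is Linux-only, and the names filterSupported, probe and IsEnabled are this example's own.

```go
package main

import (
	"fmt"
	"sync"
	"syscall"
)

// SECCOMP_MODE_FILTER from <linux/seccomp.h>; the syscall package does not export it.
const seccompModeFilter = 2

// filterSupported interprets the errno returned by
// prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL), per prctl(2):
//
//   EINVAL  kernel built without CONFIG_SECCOMP, or with CONFIG_SECCOMP
//           but without CONFIG_SECCOMP_FILTER
//   EFAULT  CONFIG_SECCOMP_FILTER is present; the NULL filter pointer is
//           rejected before any filter is installed, so the probe is side-effect free
//
// Only EFAULT is taken as "supported". A zero errno cannot happen for a NULL
// filter, and anything else is treated as unsupported rather than guessed at.
func filterSupported(errno syscall.Errno) bool {
	return errno == syscall.EFAULT
}

// probe issues the prctl call. PR_GET_SECCOMP is deliberately not used: as the
// commit message notes, it can get the caller SIGKILLed.
func probe() syscall.Errno {
	_, _, errno := syscall.Syscall(syscall.SYS_PRCTL, syscall.PR_SET_SECCOMP, seccompModeFilter, 0)
	return errno
}

var (
	once    sync.Once
	enabled bool
)

// IsEnabled reports whether the running kernel supports seccomp filters.
// The kernel is probed on the first call only; later calls return the cached answer.
func IsEnabled() bool {
	once.Do(func() { enabled = filterSupported(probe()) })
	return enabled
}

func main() {
	fmt.Println("seccomp filter support:", IsEnabled())
}
```

Because the only state is the cached boolean, the errno-to-answer mapping is kept in filterSupported so it can be checked without a kernel, while IsEnabled is the function callers use.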
full diff: google/uuid@v1.1.2...v1.2.0

I did not switch to use the `uuid.NewString()` function; we are not currently using
`uuid.New()`, probably because it can `panic` in case an invalid UUID is produced;
instead we are using `uuid.NewRandom()`, which is equivalent, but returns an
error instead.

Changes:

- v1.2.0: Add NewString()
  This release introduces the NewString() function which is the equivalent of
  uuid.New().String().
- v1.1.5: Syntactic cleanup
  There are no code changes. A missing period was added to a godoc comment and the
  linter was told to not complain that the results of hash.Write() are ignored
  (the function cannot fail)
- v1.1.4: Further error optimizations
  Do not allocate memory for errors (it is only one word)
- v1.1.3: Optimize error reporting
  Optimize length of time it takes to discover an input is bad by no longer using
  fmt.Errorf, which is quite slow. It now uses a custom error type that formats
  the string when the Error method is called rather than when generating the error.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
freebsd: add zfs to the default plugins
runtime/shim: check the namespace flag first
go.mod: github.com/google/uuid v1.2.0
Commit writable WCOW layers as read-only parent layers
full diff: containerd/fifo@115abcc...v1.0.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Includes updated protos with the gogo/protobuf fixes for CVE-2021-3121
(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3121)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
dmcgowan and others added 17 commits November 17, 2021 10:58
Signed-off-by: Derek McGowan <derek@mcg.dev>
Signed-off-by: Kevin Parsons <kevpar@microsoft.com>
[release/1.5] mailmap: Add Kevin Parsons
[release/1.5] Prepare release notes for v1.5.8
go1.16.11 (released 2021-12-02) includes fixes to the compiler, runtime, and the
net/http, net/http/httptest, and time packages. See the Go 1.16.11 milestone on
the issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.16.11+label%3ACherryPickApproved

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 44995d4)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
[release/1.5] update runc binary to v1.0.3
Co-authored-by: Samuel Karp <skarp@amazon.com>
Signed-off-by: Michael Crosby <michael@thepasture.io>
Signed-off-by: Samuel Karp <skarp@amazon.com>
(cherry picked from commit 9b03039)
Signed-off-by: Samuel Karp <skarp@amazon.com>
- Bring mediaType out of reserved status
- specs-go: adding mediaType to the index and manifest structures

full diff: opencontainers/image-spec@v1.0.1...v1.0.2

This also contains the local changes from commit fc81384,
which fix conflicts between the types that were used locally (which added MediaType)
and the re-introduced MediaType field in the image-spec.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
[release/1.5] go.mod github.com/opencontainers/image-spec v1.0.2
go1.16.12 (released 2021-12-09) includes security fixes to the syscall and net/http
packages. See the Go 1.16.12 milestone on the issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.16.12+label%3ACherryPickApproved

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The ability to handle KVM based runtimes with SELinux has been added as
part of d715d00.

However, that commit introduced some logic to check whether the
"container_kvm_t" label would or not be present in the system, and while
the intentions were good, there are two major issues with the approach:
1. Inspecting "/etc/selinux/targeted/contexts/customizable_types" is not
   the way to go, as it doesn't list the "container_kvm_t" at all.
2. There's no need to check for the label, as if the label is invalid an
   "Invalid Label" error will be returned and that's it.

With those two in mind, let's simplify the logic behind setting the
"container_kvm_t" label, removing all the unnecessary code.

Here's the output of the VMM process running, considering:
* The state before this patch:
  ```
  $ containerd --version
  containerd github.com/containerd/containerd v1.6.0-beta.3-88-g7fa44fc98 7fa44fc
  $ kubectl apply -f ~/simple-pod.yaml
  pod/nginx created
  $ ps -auxZ | grep cloud-hypervisor
  system_u:system_r:container_runtime_t:s0 root 609717 4.0  0.5 2987512 83588 ?    Sl   08:32   0:00 /usr/bin/cloud-hypervisor --api-socket /run/vc/vm/be9d5cbabf440510d58d89fc8a8e77c27e96ddc99709ecaf5ab94c6b6b0d4c89/clh-api.sock
  ```

* The state after this patch:
  ```
  $ containerd --version
  containerd github.com/containerd/containerd v1.6.0-beta.3-89-ga5f2113c9 a5f2113c9fc15b19b2c364caaedb99c22de4eb32
  $ kubectl apply -f ~/simple-pod.yaml
  pod/nginx created
  $ ps -auxZ | grep cloud-hypervisor
  system_u:system_r:container_kvm_t:s0:c638,c999 root 614842 14.0  0.5 2987512 83228 ? Sl 08:40   0:00 /usr/bin/cloud-hypervisor --api-socket /run/vc/vm/f8ff838afdbe0a546f6995fe9b08e0956d0d0cdfe749705d7ce4618695baa68c/clh-api.sock
  ```

Note, the tests were performed using the following configuration snippet:
```
[plugins]
  [plugins.cri]
    enable_selinux = true
    [plugins.cri.containerd]
      [plugins.cri.containerd.runtimes]
        [plugins.cri.containerd.runtimes.kata]
           runtime_type = "io.containerd.kata.v2"
           privileged_without_host_devices = true
```

And using the following pod yaml:
```
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  runtimeClassName: kata
  containers:
  - name: nginx
    image: nginx:1.14.2
    ports:
    - containerPort: 80
```

Fixes: containerd#6371
Backports: containerd#6372

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
(cherry picked from commit f1c7993)
…fix-container_kvm_t-type-detection-to-release-1.5

[release/1.5] seutil: Fix setting the "container_kvm_t" label
Signed-off-by: Derek McGowan <derek@mcg.dev>
[release/1.5] only relabel cri managed host mounts
katiewasnothere force-pushed the update_to_release_1.5 branch 4 times, most recently from 3279969 to 8b8f5c7 on January 6, 2022 21:25
@katiewasnothere
Collaborator Author

@kevpar ptal when you can, upstream doesn't have a branch tag for 1.6 yet so I updated to 1.5 for now.

@kevpar
Owner

kevpar commented Jan 7, 2022

Should this be undrafted?

@kevpar
Owner

kevpar commented Jan 7, 2022

Merging in release/1.5 will screw up our branch history, as it will include any backport commits that were made to 1.5, but aren't in main. Given this branch should be tracking main, can we just merge that in instead? We should also rename this to fork/main.

@katiewasnothere
Collaborator Author

@kevpar sounds good, closing this then in favor of that.
