vendor: bump runc to 1.1.1
Release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.1 Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
parent
1ea07d482a
commit
79c17cf44e
4
go.mod
4
go.mod
@ -63,7 +63,7 @@ require (
|
||||
github.com/mvdan/xurls v1.1.0
|
||||
github.com/onsi/ginkgo v1.14.0
|
||||
github.com/onsi/gomega v1.10.1
|
||||
github.com/opencontainers/runc v1.1.0
|
||||
github.com/opencontainers/runc v1.1.1
|
||||
github.com/opencontainers/selinux v1.10.0
|
||||
github.com/pkg/errors v0.9.1
|
||||
github.com/pmezard/go-difflib v1.0.0
|
||||
@ -337,7 +337,7 @@ replace (
|
||||
github.com/onsi/gomega => github.com/onsi/gomega v1.10.1
|
||||
github.com/opencontainers/go-digest => github.com/opencontainers/go-digest v1.0.0
|
||||
github.com/opencontainers/image-spec => github.com/opencontainers/image-spec v1.0.2
|
||||
github.com/opencontainers/runc => github.com/opencontainers/runc v1.1.0
|
||||
github.com/opencontainers/runc => github.com/opencontainers/runc v1.1.1
|
||||
github.com/opencontainers/runtime-spec => github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
|
||||
github.com/opencontainers/selinux => github.com/opencontainers/selinux v1.10.0
|
||||
github.com/opentracing/opentracing-go => github.com/opentracing/opentracing-go v1.1.0
|
||||
|
4
go.sum
4
go.sum
@ -343,8 +343,8 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8
|
||||
github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
|
||||
github.com/opencontainers/image-spec v1.0.2 h1:9yCKha/T5XdGtO0q9Q9a6T5NUCsTn/DrBg0D7ufOcFM=
|
||||
github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
|
||||
github.com/opencontainers/runc v1.1.0 h1:O9+X96OcDjkmmZyfaG996kV7yq8HsoU2h1XRRQcefG8=
|
||||
github.com/opencontainers/runc v1.1.0/go.mod h1:Tj1hFw6eFWp/o33uxGf5yF2BX5yz2Z6iptFpuvbbKqc=
|
||||
github.com/opencontainers/runc v1.1.1 h1:PJ9DSs2sVwE0iVr++pAHE6QkS9tzcVWozlPifdwMgrU=
|
||||
github.com/opencontainers/runc v1.1.1/go.mod h1:Tj1hFw6eFWp/o33uxGf5yF2BX5yz2Z6iptFpuvbbKqc=
|
||||
github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 h1:3snG66yBm59tKhhSPQrQ/0bCrv1LQbKt40LnUPiUxdc=
|
||||
github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
|
||||
github.com/opencontainers/selinux v1.10.0 h1:rAiKF8hTcgLI3w0DHm6i0ylVVcOrlgR1kK99DRLDhyU=
|
||||
|
2
vendor/github.com/opencontainers/runc/libcontainer/README.md
generated
vendored
2
vendor/github.com/opencontainers/runc/libcontainer/README.md
generated
vendored
@ -1,6 +1,6 @@
|
||||
# libcontainer
|
||||
|
||||
[](https://godoc.org/github.com/opencontainers/runc/libcontainer)
|
||||
[](https://pkg.go.dev/github.com/opencontainers/runc/libcontainer)
|
||||
|
||||
Libcontainer provides a native Go implementation for creating containers
|
||||
with namespaces, cgroups, capabilities, and filesystem access controls.
|
||||
|
36
vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/v2.go
generated
vendored
36
vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/v2.go
generated
vendored
@ -2,6 +2,7 @@ package systemd
|
||||
|
||||
import (
|
||||
"bufio"
|
||||
"errors"
|
||||
"fmt"
|
||||
"math"
|
||||
"os"
|
||||
@ -292,6 +293,12 @@ func (m *unifiedManager) Apply(pid int) error {
|
||||
}
|
||||
|
||||
if c.OwnerUID != nil {
|
||||
// The directory itself must be chowned.
|
||||
err := os.Chown(m.path, *c.OwnerUID, -1)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
filesToChown, err := cgroupFilesToChown()
|
||||
if err != nil {
|
||||
return err
|
||||
@ -299,7 +306,8 @@ func (m *unifiedManager) Apply(pid int) error {
|
||||
|
||||
for _, v := range filesToChown {
|
||||
err := os.Chown(m.path+"/"+v, *c.OwnerUID, -1)
|
||||
if err != nil {
|
||||
// Some files might not be present.
|
||||
if err != nil && !errors.Is(err, os.ErrNotExist) {
|
||||
return err
|
||||
}
|
||||
}
|
||||
@ -312,21 +320,23 @@ func (m *unifiedManager) Apply(pid int) error {
|
||||
// uid in /sys/kernel/cgroup/delegate. If the file is not present
|
||||
// (Linux < 4.15), use the initial values mentioned in cgroups(7).
|
||||
func cgroupFilesToChown() ([]string, error) {
|
||||
filesToChown := []string{"."} // the directory itself must be chowned
|
||||
const cgroupDelegateFile = "/sys/kernel/cgroup/delegate"
|
||||
|
||||
f, err := os.Open(cgroupDelegateFile)
|
||||
if err == nil {
|
||||
defer f.Close()
|
||||
scanner := bufio.NewScanner(f)
|
||||
for scanner.Scan() {
|
||||
filesToChown = append(filesToChown, scanner.Text())
|
||||
}
|
||||
if err := scanner.Err(); err != nil {
|
||||
return nil, fmt.Errorf("error reading %s: %w", cgroupDelegateFile, err)
|
||||
}
|
||||
} else {
|
||||
filesToChown = append(filesToChown, "cgroup.procs", "cgroup.subtree_control", "cgroup.threads")
|
||||
if err != nil {
|
||||
return []string{"cgroup.procs", "cgroup.subtree_control", "cgroup.threads"}, nil
|
||||
}
|
||||
defer f.Close()
|
||||
|
||||
filesToChown := []string{}
|
||||
scanner := bufio.NewScanner(f)
|
||||
for scanner.Scan() {
|
||||
filesToChown = append(filesToChown, scanner.Text())
|
||||
}
|
||||
if err := scanner.Err(); err != nil {
|
||||
return nil, fmt.Errorf("error reading %s: %w", cgroupDelegateFile, err)
|
||||
}
|
||||
|
||||
return filesToChown, nil
|
||||
}
|
||||
|
||||
|
10
vendor/github.com/opencontainers/runc/libcontainer/cgroups/utils.go
generated
vendored
10
vendor/github.com/opencontainers/runc/libcontainer/cgroups/utils.go
generated
vendored
@ -55,12 +55,12 @@ func IsCgroup2HybridMode() bool {
|
||||
var st unix.Statfs_t
|
||||
err := unix.Statfs(hybridMountpoint, &st)
|
||||
if err != nil {
|
||||
if os.IsNotExist(err) {
|
||||
// ignore the "not found" error
|
||||
isHybrid = false
|
||||
return
|
||||
isHybrid = false
|
||||
if !os.IsNotExist(err) {
|
||||
// Report unexpected errors.
|
||||
logrus.WithError(err).Debugf("statfs(%q) failed", hybridMountpoint)
|
||||
}
|
||||
panic(fmt.Sprintf("cannot statfs cgroup root: %s", err))
|
||||
return
|
||||
}
|
||||
isHybrid = st.Type == unix.CGROUP2_SUPER_MAGIC
|
||||
})
|
||||
|
4
vendor/github.com/opencontainers/runc/libcontainer/configs/validate/validator.go
generated
vendored
4
vendor/github.com/opencontainers/runc/libcontainer/configs/validate/validator.go
generated
vendored
@ -229,10 +229,6 @@ func (v *ConfigValidator) sysctl(config *configs.Config) error {
|
||||
|
||||
func (v *ConfigValidator) intelrdt(config *configs.Config) error {
|
||||
if config.IntelRdt != nil {
|
||||
if !intelrdt.IsCATEnabled() && !intelrdt.IsMBAEnabled() {
|
||||
return errors.New("intelRdt is specified in config, but Intel RDT is not supported or enabled")
|
||||
}
|
||||
|
||||
if config.IntelRdt.ClosID == "." || config.IntelRdt.ClosID == ".." || strings.Contains(config.IntelRdt.ClosID, "/") {
|
||||
return fmt.Errorf("invalid intelRdt.ClosID %q", config.IntelRdt.ClosID)
|
||||
}
|
||||
|
12
vendor/github.com/opencontainers/runc/libcontainer/container_linux.go
generated
vendored
12
vendor/github.com/opencontainers/runc/libcontainer/container_linux.go
generated
vendored
@ -636,7 +636,11 @@ func (c *linuxContainer) newSetnsProcess(p *Process, cmd *exec.Cmd, messageSockP
|
||||
// cgroup v1: using the same path for all controllers.
|
||||
// cgroup v2: the only possible way.
|
||||
for k := range proc.cgroupPaths {
|
||||
proc.cgroupPaths[k] = path.Join(proc.cgroupPaths[k], add)
|
||||
subPath := path.Join(proc.cgroupPaths[k], add)
|
||||
if !strings.HasPrefix(subPath, proc.cgroupPaths[k]) {
|
||||
return nil, fmt.Errorf("%s is not a sub cgroup path", add)
|
||||
}
|
||||
proc.cgroupPaths[k] = subPath
|
||||
}
|
||||
// cgroup v2: do not try to join init process's cgroup
|
||||
// as a fallback (see (*setnsProcess).start).
|
||||
@ -645,7 +649,11 @@ func (c *linuxContainer) newSetnsProcess(p *Process, cmd *exec.Cmd, messageSockP
|
||||
// Per-controller paths.
|
||||
for ctrl, add := range p.SubCgroupPaths {
|
||||
if val, ok := proc.cgroupPaths[ctrl]; ok {
|
||||
proc.cgroupPaths[ctrl] = path.Join(val, add)
|
||||
subPath := path.Join(val, add)
|
||||
if !strings.HasPrefix(subPath, val) {
|
||||
return nil, fmt.Errorf("%s is not a sub cgroup path", add)
|
||||
}
|
||||
proc.cgroupPaths[ctrl] = subPath
|
||||
} else {
|
||||
return nil, fmt.Errorf("unknown controller %s in SubCgroupPaths", ctrl)
|
||||
}
|
||||
|
31
vendor/github.com/opencontainers/runc/libcontainer/init_linux.go
generated
vendored
31
vendor/github.com/opencontainers/runc/libcontainer/init_linux.go
generated
vendored
@ -8,7 +8,6 @@ import (
|
||||
"io"
|
||||
"net"
|
||||
"os"
|
||||
"strconv"
|
||||
"strings"
|
||||
"unsafe"
|
||||
|
||||
@ -406,40 +405,36 @@ func fixStdioPermissions(u *user.ExecUser) error {
|
||||
if err := unix.Stat("/dev/null", &null); err != nil {
|
||||
return &os.PathError{Op: "stat", Path: "/dev/null", Err: err}
|
||||
}
|
||||
for _, fd := range []uintptr{
|
||||
os.Stdin.Fd(),
|
||||
os.Stderr.Fd(),
|
||||
os.Stdout.Fd(),
|
||||
} {
|
||||
for _, file := range []*os.File{os.Stdin, os.Stdout, os.Stderr} {
|
||||
var s unix.Stat_t
|
||||
if err := unix.Fstat(int(fd), &s); err != nil {
|
||||
return &os.PathError{Op: "fstat", Path: "fd " + strconv.Itoa(int(fd)), Err: err}
|
||||
if err := unix.Fstat(int(file.Fd()), &s); err != nil {
|
||||
return &os.PathError{Op: "fstat", Path: file.Name(), Err: err}
|
||||
}
|
||||
|
||||
// Skip chown of /dev/null if it was used as one of the STDIO fds.
|
||||
if s.Rdev == null.Rdev {
|
||||
// Skip chown if uid is already the one we want.
|
||||
if int(s.Uid) == u.Uid {
|
||||
continue
|
||||
}
|
||||
|
||||
// We only change the uid owner (as it is possible for the mount to
|
||||
// We only change the uid (as it is possible for the mount to
|
||||
// prefer a different gid, and there's no reason for us to change it).
|
||||
// The reason why we don't just leave the default uid=X mount setup is
|
||||
// that users expect to be able to actually use their console. Without
|
||||
// this code, you couldn't effectively run as a non-root user inside a
|
||||
// container and also have a console set up.
|
||||
if err := unix.Fchown(int(fd), u.Uid, int(s.Gid)); err != nil {
|
||||
if err := file.Chown(u.Uid, int(s.Gid)); err != nil {
|
||||
// If we've hit an EINVAL then s.Gid isn't mapped in the user
|
||||
// namespace. If we've hit an EPERM then the inode's current owner
|
||||
// is not mapped in our user namespace (in particular,
|
||||
// privileged_wrt_inode_uidgid() has failed). In either case, we
|
||||
// are in a configuration where it's better for us to just not
|
||||
// touch the stdio rather than bail at this point.
|
||||
// privileged_wrt_inode_uidgid() has failed). Read-only
|
||||
// /dev can result in EROFS error. In any case, it's
|
||||
// better for us to just not touch the stdio rather
|
||||
// than bail at this point.
|
||||
|
||||
// nolint:errorlint // unix errors are bare
|
||||
if err == unix.EINVAL || err == unix.EPERM {
|
||||
if errors.Is(err, unix.EINVAL) || errors.Is(err, unix.EPERM) || errors.Is(err, unix.EROFS) {
|
||||
continue
|
||||
}
|
||||
return &os.PathError{Op: "fchown", Path: "fd " + strconv.Itoa(int(fd)), Err: err}
|
||||
return err
|
||||
}
|
||||
}
|
||||
return nil
|
||||
|
4
vendor/modules.txt
vendored
4
vendor/modules.txt
vendored
@ -596,7 +596,7 @@ github.com/onsi/gomega/matchers/support/goraph/util
|
||||
github.com/onsi/gomega/types
|
||||
# github.com/opencontainers/go-digest v1.0.0 => github.com/opencontainers/go-digest v1.0.0
|
||||
github.com/opencontainers/go-digest
|
||||
# github.com/opencontainers/runc v1.1.0 => github.com/opencontainers/runc v1.1.0
|
||||
# github.com/opencontainers/runc v1.1.1 => github.com/opencontainers/runc v1.1.1
|
||||
## explicit
|
||||
github.com/opencontainers/runc/libcontainer
|
||||
github.com/opencontainers/runc/libcontainer/apparmor
|
||||
@ -2615,7 +2615,7 @@ sigs.k8s.io/yaml
|
||||
# github.com/onsi/gomega => github.com/onsi/gomega v1.10.1
|
||||
# github.com/opencontainers/go-digest => github.com/opencontainers/go-digest v1.0.0
|
||||
# github.com/opencontainers/image-spec => github.com/opencontainers/image-spec v1.0.2
|
||||
# github.com/opencontainers/runc => github.com/opencontainers/runc v1.1.0
|
||||
# github.com/opencontainers/runc => github.com/opencontainers/runc v1.1.1
|
||||
# github.com/opencontainers/runtime-spec => github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
|
||||
# github.com/opencontainers/selinux => github.com/opencontainers/selinux v1.10.0
|
||||
# github.com/opentracing/opentracing-go => github.com/opentracing/opentracing-go v1.1.0
|
||||
|