vendor: bump runc to 1.1.6
Signed-off-by: Peter Hunt <pehunt@redhat.com>
This commit is contained in:
parent
afcc207feb
commit
b4c384ebfb
2
go.mod
2
go.mod
@ -52,7 +52,7 @@ require (
|
||||
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822
|
||||
github.com/onsi/ginkgo/v2 v2.9.1
|
||||
github.com/onsi/gomega v1.27.4
|
||||
github.com/opencontainers/runc v1.1.5
|
||||
github.com/opencontainers/runc v1.1.6
|
||||
github.com/opencontainers/selinux v1.10.0
|
||||
github.com/pkg/errors v0.9.1
|
||||
github.com/pmezard/go-difflib v1.0.0
|
||||
|
4
go.sum
4
go.sum
@ -545,8 +545,8 @@ github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3I
|
||||
github.com/opencontainers/image-spec v1.0.2 h1:9yCKha/T5XdGtO0q9Q9a6T5NUCsTn/DrBg0D7ufOcFM=
|
||||
github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
|
||||
github.com/opencontainers/runc v1.1.4/go.mod h1:1J5XiS+vdZ3wCyZybsuxXZWGrgSr8fFJHLXuG2PsnNg=
|
||||
github.com/opencontainers/runc v1.1.5 h1:L44KXEpKmfWDcS02aeGm8QNTFXTo2D+8MYGDIJ/GDEs=
|
||||
github.com/opencontainers/runc v1.1.5/go.mod h1:1J5XiS+vdZ3wCyZybsuxXZWGrgSr8fFJHLXuG2PsnNg=
|
||||
github.com/opencontainers/runc v1.1.6 h1:XbhB8IfG/EsnhNvZtNdLB0GBw92GYEFvKlhaJk9jUgA=
|
||||
github.com/opencontainers/runc v1.1.6/go.mod h1:CbUumNnWCuTGFukNXahoo/RFBZvDAgRh/smNYNOhA50=
|
||||
github.com/opencontainers/runtime-spec v1.0.2/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
|
||||
github.com/opencontainers/runtime-spec v1.0.3-0.20200929063507-e6143ca7d51d/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
|
||||
github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
|
||||
|
2
vendor/github.com/opencontainers/runc/libcontainer/cgroups/ebpf/ebpf_linux.go
generated
vendored
2
vendor/github.com/opencontainers/runc/libcontainer/cgroups/ebpf/ebpf_linux.go
generated
vendored
@ -93,7 +93,7 @@ var (
|
||||
)
|
||||
|
||||
// Loosely based on the BPF_F_REPLACE support check in
|
||||
// <https://github.com/cilium/ebpf/blob/v0.6.0/link/syscalls.go>.
|
||||
// https://github.com/cilium/ebpf/blob/v0.6.0/link/syscalls.go.
|
||||
//
|
||||
// TODO: move this logic to cilium/ebpf
|
||||
func haveBpfProgReplace() bool {
|
||||
|
1
vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/fs.go
generated
vendored
1
vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/fs.go
generated
vendored
@ -28,6 +28,7 @@ var subsystems = []subsystem{
|
||||
&FreezerGroup{},
|
||||
&RdmaGroup{},
|
||||
&NameGroup{GroupName: "name=systemd", Join: true},
|
||||
&NameGroup{GroupName: "misc", Join: true},
|
||||
}
|
||||
|
||||
var errSubsystemDoesNotExist = errors.New("cgroup: subsystem does not exist")
|
||||
|
54
vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/common.go
generated
vendored
54
vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/common.go
generated
vendored
@ -353,32 +353,52 @@ func isUnitExists(err error) bool {
|
||||
return isDbusError(err, "org.freedesktop.systemd1.UnitExists")
|
||||
}
|
||||
|
||||
func startUnit(cm *dbusConnManager, unitName string, properties []systemdDbus.Property) error {
|
||||
func startUnit(cm *dbusConnManager, unitName string, properties []systemdDbus.Property, ignoreExist bool) error {
|
||||
statusChan := make(chan string, 1)
|
||||
retry := true
|
||||
|
||||
retry:
|
||||
err := cm.retryOnDisconnect(func(c *systemdDbus.Conn) error {
|
||||
_, err := c.StartTransientUnitContext(context.TODO(), unitName, "replace", properties, statusChan)
|
||||
return err
|
||||
})
|
||||
if err == nil {
|
||||
timeout := time.NewTimer(30 * time.Second)
|
||||
defer timeout.Stop()
|
||||
|
||||
select {
|
||||
case s := <-statusChan:
|
||||
close(statusChan)
|
||||
// Please refer to https://pkg.go.dev/github.com/coreos/go-systemd/v22/dbus#Conn.StartUnit
|
||||
if s != "done" {
|
||||
resetFailedUnit(cm, unitName)
|
||||
return fmt.Errorf("error creating systemd unit `%s`: got `%s`", unitName, s)
|
||||
}
|
||||
case <-timeout.C:
|
||||
resetFailedUnit(cm, unitName)
|
||||
return errors.New("Timeout waiting for systemd to create " + unitName)
|
||||
if err != nil {
|
||||
if !isUnitExists(err) {
|
||||
return err
|
||||
}
|
||||
if ignoreExist {
|
||||
// TODO: remove this hack.
|
||||
// This is kubelet making sure a slice exists (see
|
||||
// https://github.com/opencontainers/runc/pull/1124).
|
||||
return nil
|
||||
}
|
||||
if retry {
|
||||
// In case a unit with the same name exists, this may
|
||||
// be a leftover failed unit. Reset it, so systemd can
|
||||
// remove it, and retry once.
|
||||
resetFailedUnit(cm, unitName)
|
||||
retry = false
|
||||
goto retry
|
||||
}
|
||||
} else if !isUnitExists(err) {
|
||||
return err
|
||||
}
|
||||
|
||||
timeout := time.NewTimer(30 * time.Second)
|
||||
defer timeout.Stop()
|
||||
|
||||
select {
|
||||
case s := <-statusChan:
|
||||
close(statusChan)
|
||||
// Please refer to https://pkg.go.dev/github.com/coreos/go-systemd/v22/dbus#Conn.StartUnit
|
||||
if s != "done" {
|
||||
resetFailedUnit(cm, unitName)
|
||||
return fmt.Errorf("error creating systemd unit `%s`: got `%s`", unitName, s)
|
||||
}
|
||||
case <-timeout.C:
|
||||
resetFailedUnit(cm, unitName)
|
||||
return errors.New("Timeout waiting for systemd to create " + unitName)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
|
5
vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/cpuset.go
generated
vendored
5
vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/cpuset.go
generated
vendored
@ -51,5 +51,10 @@ func RangeToBits(str string) ([]byte, error) {
|
||||
// do not allow empty values
|
||||
return nil, errors.New("empty value")
|
||||
}
|
||||
|
||||
// fit cpuset parsing order in systemd
|
||||
for l, r := 0, len(ret)-1; l < r; l, r = l+1, r-1 {
|
||||
ret[l], ret[r] = ret[r], ret[l]
|
||||
}
|
||||
return ret, nil
|
||||
}
|
||||
|
12
vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/v1.go
generated
vendored
12
vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/v1.go
generated
vendored
@ -71,6 +71,7 @@ var legacySubsystems = []subsystem{
|
||||
&fs.NetClsGroup{},
|
||||
&fs.NameGroup{GroupName: "name=systemd"},
|
||||
&fs.RdmaGroup{},
|
||||
&fs.NameGroup{GroupName: "misc"},
|
||||
}
|
||||
|
||||
func genV1ResourcesProperties(r *configs.Resources, cm *dbusConnManager) ([]systemdDbus.Property, error) {
|
||||
@ -206,7 +207,7 @@ func (m *legacyManager) Apply(pid int) error {
|
||||
|
||||
properties = append(properties, c.SystemdProps...)
|
||||
|
||||
if err := startUnit(m.dbus, unitName, properties); err != nil {
|
||||
if err := startUnit(m.dbus, unitName, properties, pid == -1); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
@ -273,14 +274,7 @@ func getSubsystemPath(slice, unit, subsystem string) (string, error) {
|
||||
return "", err
|
||||
}
|
||||
|
||||
initPath, err := cgroups.GetInitCgroup(subsystem)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
// if pid 1 is systemd 226 or later, it will be in init.scope, not the root
|
||||
initPath = strings.TrimSuffix(filepath.Clean(initPath), "init.scope")
|
||||
|
||||
return filepath.Join(mountpoint, initPath, slice, unit), nil
|
||||
return filepath.Join(mountpoint, slice, unit), nil
|
||||
}
|
||||
|
||||
func (m *legacyManager) Freeze(state configs.FreezerState) error {
|
||||
|
2
vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/v2.go
generated
vendored
2
vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/v2.go
generated
vendored
@ -284,7 +284,7 @@ func (m *unifiedManager) Apply(pid int) error {
|
||||
|
||||
properties = append(properties, c.SystemdProps...)
|
||||
|
||||
if err := startUnit(m.dbus, unitName, properties); err != nil {
|
||||
if err := startUnit(m.dbus, unitName, properties, pid == -1); err != nil {
|
||||
return fmt.Errorf("unable to start unit %q (properties %+v): %w", unitName, properties, err)
|
||||
}
|
||||
|
||||
|
6
vendor/github.com/opencontainers/runc/libcontainer/cgroups/utils.go
generated
vendored
6
vendor/github.com/opencontainers/runc/libcontainer/cgroups/utils.go
generated
vendored
@ -162,8 +162,10 @@ func readProcsFile(dir string) ([]int, error) {
|
||||
|
||||
// ParseCgroupFile parses the given cgroup file, typically /proc/self/cgroup
|
||||
// or /proc/<pid>/cgroup, into a map of subsystems to cgroup paths, e.g.
|
||||
// "cpu": "/user.slice/user-1000.slice"
|
||||
// "pids": "/user.slice/user-1000.slice"
|
||||
//
|
||||
// "cpu": "/user.slice/user-1000.slice"
|
||||
// "pids": "/user.slice/user-1000.slice"
|
||||
//
|
||||
// etc.
|
||||
//
|
||||
// Note that for cgroup v2 unified hierarchy, there are no per-controller
|
||||
|
5
vendor/github.com/opencontainers/runc/libcontainer/configs/validate/validator.go
generated
vendored
5
vendor/github.com/opencontainers/runc/libcontainer/configs/validate/validator.go
generated
vendored
@ -131,9 +131,8 @@ func (v *ConfigValidator) cgroupnamespace(config *configs.Config) error {
|
||||
// convertSysctlVariableToDotsSeparator can return sysctl variables in dots separator format.
|
||||
// The '/' separator is also accepted in place of a '.'.
|
||||
// Convert the sysctl variables to dots separator format for validation.
|
||||
// More info:
|
||||
// https://man7.org/linux/man-pages/man8/sysctl.8.html
|
||||
// https://man7.org/linux/man-pages/man5/sysctl.d.5.html
|
||||
// More info: sysctl(8), sysctl.d(5).
|
||||
//
|
||||
// For example:
|
||||
// Input sysctl variable "net/ipv4/conf/eno2.100.rp_filter"
|
||||
// will return the converted value "net.ipv4.conf.eno2/100.rp_filter"
|
||||
|
2
vendor/github.com/opencontainers/runc/libcontainer/container_linux.go
generated
vendored
2
vendor/github.com/opencontainers/runc/libcontainer/container_linux.go
generated
vendored
@ -926,7 +926,7 @@ func (c *linuxContainer) criuSupportsExtNS(t configs.NamespaceType) bool {
|
||||
}
|
||||
|
||||
func criuNsToKey(t configs.NamespaceType) string {
|
||||
return "extRoot" + strings.Title(configs.NsName(t)) + "NS"
|
||||
return "extRoot" + strings.Title(configs.NsName(t)) + "NS" //nolint:staticcheck // SA1019: strings.Title is deprecated
|
||||
}
|
||||
|
||||
func (c *linuxContainer) handleCheckpointingExternalNamespaces(rpcOpts *criurpc.CriuOpts, t configs.NamespaceType) error {
|
||||
|
17
vendor/github.com/opencontainers/runc/libcontainer/eaccess_go119.go
generated
vendored
Normal file
17
vendor/github.com/opencontainers/runc/libcontainer/eaccess_go119.go
generated
vendored
Normal file
@ -0,0 +1,17 @@
|
||||
//go:build !go1.20
|
||||
// +build !go1.20
|
||||
|
||||
package libcontainer
|
||||
|
||||
import "golang.org/x/sys/unix"
|
||||
|
||||
func eaccess(path string) error {
|
||||
// This check is similar to access(2) with X_OK except for
|
||||
// setuid/setgid binaries where it checks against the effective
|
||||
// (rather than real) uid and gid. It is not needed in go 1.20
|
||||
// and beyond and will be removed later.
|
||||
|
||||
// Relies on code added in https://go-review.googlesource.com/c/sys/+/468877
|
||||
// and older CLs linked from there.
|
||||
return unix.Faccessat(unix.AT_FDCWD, path, unix.X_OK, unix.AT_EACCESS)
|
||||
}
|
10
vendor/github.com/opencontainers/runc/libcontainer/eaccess_stub.go
generated
vendored
Normal file
10
vendor/github.com/opencontainers/runc/libcontainer/eaccess_stub.go
generated
vendored
Normal file
@ -0,0 +1,10 @@
|
||||
//go:build go1.20
|
||||
|
||||
package libcontainer
|
||||
|
||||
func eaccess(path string) error {
|
||||
// Not needed in Go 1.20+ as the functionality is already in there
|
||||
// (added by https://go.dev/cl/416115, https://go.dev/cl/414824,
|
||||
// and fixed in Go 1.20.2 by https://go.dev/cl/469956).
|
||||
return nil
|
||||
}
|
11
vendor/github.com/opencontainers/runc/libcontainer/factory_linux.go
generated
vendored
11
vendor/github.com/opencontainers/runc/libcontainer/factory_linux.go
generated
vendored
@ -179,6 +179,12 @@ func (l *LinuxFactory) Create(id string, config *configs.Config) (Container, err
|
||||
return nil, fmt.Errorf("unable to get cgroup PIDs: %w", err)
|
||||
}
|
||||
if len(pids) != 0 {
|
||||
if config.Cgroups.Systemd {
|
||||
// systemd cgroup driver can't add a pid to an
|
||||
// existing systemd unit and will return an
|
||||
// error anyway, so let's error out early.
|
||||
return nil, fmt.Errorf("container's cgroup is not empty: %d process(es) found", len(pids))
|
||||
}
|
||||
// TODO: return an error.
|
||||
logrus.Warnf("container's cgroup is not empty: %d process(es) found", len(pids))
|
||||
logrus.Warn("DEPRECATED: running container in a non-empty cgroup won't be supported in runc 1.2; https://github.com/opencontainers/runc/issues/3132")
|
||||
@ -338,10 +344,9 @@ func (l *LinuxFactory) StartInitialization() (err error) {
|
||||
|
||||
defer func() {
|
||||
if e := recover(); e != nil {
|
||||
if e, ok := e.(error); ok {
|
||||
err = fmt.Errorf("panic from initialization: %w, %s", e, debug.Stack())
|
||||
if ee, ok := e.(error); ok {
|
||||
err = fmt.Errorf("panic from initialization: %w, %s", ee, debug.Stack())
|
||||
} else {
|
||||
//nolint:errorlint // here e is not of error type
|
||||
err = fmt.Errorf("panic from initialization: %v, %s", e, debug.Stack())
|
||||
}
|
||||
}
|
||||
|
11
vendor/github.com/opencontainers/runc/libcontainer/standard_init_linux.go
generated
vendored
11
vendor/github.com/opencontainers/runc/libcontainer/standard_init_linux.go
generated
vendored
@ -198,11 +198,12 @@ func (l *linuxStandardInit) Init() error {
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
// exec.LookPath might return no error for an executable residing on a
|
||||
// file system mounted with noexec flag, so perform this extra check
|
||||
// now while we can still return a proper error.
|
||||
if err := system.Eaccess(name); err != nil {
|
||||
return &os.PathError{Op: "exec", Path: name, Err: err}
|
||||
// exec.LookPath in Go < 1.20 might return no error for an executable
|
||||
// residing on a file system mounted with noexec flag, so perform this
|
||||
// extra check now while we can still return a proper error.
|
||||
// TODO: remove this once go < 1.20 is not supported.
|
||||
if err := eaccess(name); err != nil {
|
||||
return &os.PathError{Op: "eaccess", Path: name, Err: err}
|
||||
}
|
||||
|
||||
// Set seccomp as close to execve as possible, so as few syscalls take
|
||||
|
14
vendor/github.com/opencontainers/runc/libcontainer/sync.go
generated
vendored
14
vendor/github.com/opencontainers/runc/libcontainer/sync.go
generated
vendored
@ -15,16 +15,16 @@ type syncType string
|
||||
// during container setup. They come in pairs (with procError being a generic
|
||||
// response which is followed by an &initError).
|
||||
//
|
||||
// [ child ] <-> [ parent ]
|
||||
// [ child ] <-> [ parent ]
|
||||
//
|
||||
// procHooks --> [run hooks]
|
||||
// <-- procResume
|
||||
// procHooks --> [run hooks]
|
||||
// <-- procResume
|
||||
//
|
||||
// procReady --> [final setup]
|
||||
// <-- procRun
|
||||
// procReady --> [final setup]
|
||||
// <-- procRun
|
||||
//
|
||||
// procSeccomp --> [pick up seccomp fd with pidfd_getfd()]
|
||||
// <-- procSeccompDone
|
||||
// procSeccomp --> [pick up seccomp fd with pidfd_getfd()]
|
||||
// <-- procSeccompDone
|
||||
const (
|
||||
procError syncType = "procError"
|
||||
procReady syncType = "procReady"
|
||||
|
19
vendor/github.com/opencontainers/runc/libcontainer/system/linux.go
generated
vendored
19
vendor/github.com/opencontainers/runc/libcontainer/system/linux.go
generated
vendored
@ -31,25 +31,6 @@ func (p ParentDeathSignal) Set() error {
|
||||
return SetParentDeathSignal(uintptr(p))
|
||||
}
|
||||
|
||||
// Eaccess is similar to unix.Access except for setuid/setgid binaries
|
||||
// it checks against the effective (rather than real) uid and gid.
|
||||
func Eaccess(path string) error {
|
||||
err := unix.Faccessat2(unix.AT_FDCWD, path, unix.X_OK, unix.AT_EACCESS)
|
||||
if err != unix.ENOSYS && err != unix.EPERM { //nolint:errorlint // unix errors are bare
|
||||
return err
|
||||
}
|
||||
|
||||
// Faccessat2() not available; check if we are a set[ug]id binary.
|
||||
if os.Getuid() == os.Geteuid() && os.Getgid() == os.Getegid() {
|
||||
// For a non-set[ug]id binary, use access(2).
|
||||
return unix.Access(path, unix.X_OK)
|
||||
}
|
||||
|
||||
// For a setuid/setgid binary, there is no fallback way
|
||||
// so assume we can execute the binary.
|
||||
return nil
|
||||
}
|
||||
|
||||
func Execv(cmd string, args []string, env []string) error {
|
||||
name, err := exec.LookPath(cmd)
|
||||
if err != nil {
|
||||
|
14
vendor/github.com/opencontainers/runc/libcontainer/user/user.go
generated
vendored
14
vendor/github.com/opencontainers/runc/libcontainer/user/user.go
generated
vendored
@ -280,13 +280,13 @@ func GetExecUserPath(userSpec string, defaults *ExecUser, passwdPath, groupPath
|
||||
// found in any entry in passwd and group respectively.
|
||||
//
|
||||
// Examples of valid user specifications are:
|
||||
// * ""
|
||||
// * "user"
|
||||
// * "uid"
|
||||
// * "user:group"
|
||||
// * "uid:gid
|
||||
// * "user:gid"
|
||||
// * "uid:group"
|
||||
// - ""
|
||||
// - "user"
|
||||
// - "uid"
|
||||
// - "user:group"
|
||||
// - "uid:gid
|
||||
// - "user:gid"
|
||||
// - "uid:group"
|
||||
//
|
||||
// It should be noted that if you specify a numeric user or group id, they will
|
||||
// not be evaluated as usernames (only the metadata will be filled). So attempting
|
||||
|
4
vendor/modules.txt
vendored
4
vendor/modules.txt
vendored
@ -552,8 +552,8 @@ github.com/onsi/gomega/types
|
||||
# github.com/opencontainers/go-digest v1.0.0
|
||||
## explicit; go 1.13
|
||||
github.com/opencontainers/go-digest
|
||||
# github.com/opencontainers/runc v1.1.5
|
||||
## explicit; go 1.16
|
||||
# github.com/opencontainers/runc v1.1.6
|
||||
## explicit; go 1.17
|
||||
github.com/opencontainers/runc/libcontainer
|
||||
github.com/opencontainers/runc/libcontainer/apparmor
|
||||
github.com/opencontainers/runc/libcontainer/capabilities
|
||||
|