sync with containerd v1.6.18#10
Open
jepio wants to merge 204 commits intoconfidential-containers:CC-mainfrom
Open
sync with containerd v1.6.18#10jepio wants to merge 204 commits intoconfidential-containers:CC-mainfrom
jepio wants to merge 204 commits intoconfidential-containers:CC-mainfrom
Conversation
A container should not have access to tun/tap device, unless it is explicitly specified in configuration. This device was already removed from docker's default, and runc's default; - opencontainers/runc@2ce40b6 - https://github.com/moby/moby//commit/9c4570a958df42d1ad19364b1a8da55b891d850a Per the commit message in runc, this should also fix these messages; > Apr 26 03:46:56 foo.bar systemd[1]: Couldn't stat device /dev/char/10:200: No such file or directory coming from systemd on every container start, when the systemd cgroup driver is used, and the system runs an old (< v240) version of systemd (the message was presumably eliminated by [1]). [1]: systemd/systemd@d5aecba Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit a3ac156) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
[release/1.6 backport] oci: WithDefaultUnixDevices(): remove tun/tap from the default devices
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
Signed-off-by: Andrey Klimentyev <andrey.klimentyev@flant.com> (cherry picked from commit 5f3ce95) Signed-off-by: Andrey Klimentyev <andrey.klimentyev@flant.com>
Signed-off-by: Samuel Karp <samuelkarp@google.com> (cherry picked from commit 396d2a7) Signed-off-by: Samuel Karp <samuelkarp@google.com>
…y/1.6 [release/1.6] ci: remove GOPROXY environment variable due to https://github.com/go-…
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> (cherry picked from commit ad59701) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
[release/1.6 backport] update runc binary to v1.1.4
full diff: golang/crypto@32db794...3147a52 This version contains a fix for CVE-2022-27191 (not sure if it affects us). From the golang mailing list: Hello gophers, Version v0.0.0-20220315160706-3147a52a75dd of golang.org/x/crypto/ssh implements client authentication support for signature algorithms based on SHA-2 for use with existing RSA keys. Previously, a client would fail to authenticate with RSA keys to servers that reject signature algorithms based on SHA-1. This includes OpenSSH 8.8 by default and—starting today March 15, 2022 for recently uploaded keys. We are providing this announcement as the error (“ssh: unable to authenticate”) might otherwise be difficult to troubleshoot. Version v0.0.0-20220314234659-1baeb1ce4c0b (included in the version above) also fixes a potential security issue where an attacker could cause a crash in a golang.org/x/crypto/ssh server under these conditions: - The server has been configured by passing a Signer to ServerConfig.AddHostKey. - The Signer passed to AddHostKey does not also implement AlgorithmSigner. - The Signer passed to AddHostKey does return a key of type “ssh-rsa” from its PublicKey method. Servers that only use Signer implementations provided by the ssh package are unaffected. This is CVE-2022-27191. Alla prossima, Filippo for the Go Security team Signed-off-by: Sebastiaan van Stijn <github@gone.nl> Signed-off-by: Dan Čermák <dcermak@suse.com> (cherry picked from commit 9aadef1)
…pto-vendor [release/1.6] backport: vendor: golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd
Signed-off-by: ruiwen-zhao <ruiwen@google.com>
Signed-off-by: ruiwen-zhao <ruiwen@google.com>
Signed-off-by: zounengren <zouyee1989@gmail.com>
Signed-off-by: zounengren <zouyee1989@gmail.com>
…e_1.6 [release/1.6] cherry-pick: ContainerStatus to return container resources
Signed-off-by: ruiwen-zhao <ruiwen@google.com>
[release/1.6] cherry-pick: Set grpc code for unimplemented cri-api methods
The [Openlab][1] has deprecated zuul jobs. We don't see any active the zuul jobs in PR. Remove it and we need to seek new solution for ARM64 CI test. [1]: <https://github.com/theopenlab> Signed-off-by: Wei Fu <fuweid89@gmail.com> (cherry picked from commit f9166aa) Signed-off-by: Wei Fu <fuweid89@gmail.com>
previously PR 7369 removed .zuul jobs directory as zuul jobs are deprecated in openlab Signed-off-by: Benjamin Elder <bentheelder@google.com> (cherry picked from commit dcb0d8f) Signed-off-by: Wei Fu <fuweid89@gmail.com>
[release/1.6] .zuul: remove the zull because it is offline
Signed-off-by: Iceber Gu <wei.cai-nat@daocloud.io> (cherry picked from commit 3cfde73) Signed-off-by: Iceber Gu <wei.cai-nat@daocloud.io>
Signed-off-by: Ye Sijun <junnplus@gmail.com> (cherry picked from commit 68a55fe) Signed-off-by: Phil Estes <estesp@amazon.com>
[release/1.6] cherry-pick: make xattr EPERM non-fatal in createTarFile
Failpoint is used to control the fail during API call when testing, especially the API is complicated like CRI-RunPodSandbox. It can help us to test the unexpected behavior without mock. The control design is based on freebsd fail(9), but simpler. REF: https://www.freebsd.org/cgi/man.cgi?query=fail&sektion=9&apropos=0&manpath=FreeBSD%2B10.0-RELEASE Signed-off-by: Wei Fu <fuweid89@gmail.com> (cherry picked from commit ffd59ba) Signed-off-by: Qiutong Song <songqt01@gmail.com>
Currently, the runc shimv2 commandline manager doesn't support ttrpc server's customized option, for example, the ttrpc server interceptor. This commit is to allow the task plugin can return the `UnaryServerInterceptor` option to the manager so that the task plugin can do enhancement before handling the incoming request, like API-level failpoint control. Signed-off-by: Wei Fu <fuweid89@gmail.com> (cherry picked from commit 822cc51) Signed-off-by: Qiutong Song <songqt01@gmail.com>
Added new runc shim binary in integration testing.
The shim is named by io.containerd.runc-fp.v1, which allows us to use
additional OCI annotation `io.containerd.runtime.v2.shim.failpoint.*` to
setup shim task API's failpoint. Since the shim can be shared with
multiple container, like what kubernetes pod does, the failpoint will be
initialized during setup the shim server. So, the following the
container's OCI failpoint's annotation will not work.
This commit also updates the ctr tool that we can use `--annotation` to
specify annotations when run container. For example:
```bash
➜ ctr run -d --runtime runc-fp.v1 \
--annotation "io.containerd.runtime.v2.shim.failpoint.Kill=1*error(sorry)" \
docker.io/library/alpine:latest testing sleep 1d
➜ ctr t ls
TASK PID STATUS
testing 147304 RUNNING
➜ ctr t kill -s SIGKILL testing
ctr: sorry: unknown
➜ ctr t kill -s SIGKILL testing
➜ sudo ctr t ls
TASK PID STATUS
testing 147304 STOPPED
```
The runc-fp.v1 shim is based on core runc.v2. We can use it to inject
failpoint during testing complicated or big transcation API, like
kubernetes PodRunPodsandbox.
Signed-off-by: Wei Fu <fuweid89@gmail.com>
(cherry picked from commit 5f9b318)
Signed-off-by: Qiutong Song <songqt01@gmail.com>
If there is any unskipable error during setuping shim plugins, we should fail return error to prevent from leaky shim instance. For example, there is error during init task plugin, the shim ttrpc server will not contain any shim API method. The any call to the shim will receive that failed to create shim task: service containerd.task.v2.Task: not implemented Then containerd can't use `Shutdown` to let the shim close. The shim will be leaky. And also fail return if there is no ttrpc service. Signed-off-by: Wei Fu <fuweid89@gmail.com> (cherry picked from commit b297775) Signed-off-by: Qiutong Song <songqt01@gmail.com>
[1.6] Backport default registry hosts config
Signed-off-by: Derek McGowan <derek@mcg.dev>
Signed-off-by: Ye Sijun <junnplus@gmail.com> (cherry picked from commit 5bf7052) Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Signed-off-by: Ye Sijun <junnplus@gmail.com> (cherry picked from commit 72b87ad) Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Signed-off-by: Ye Sijun <junnplus@gmail.com> (cherry picked from commit 1ab42be) Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Signed-off-by: Ye Sijun <junnplus@gmail.com> (cherry picked from commit 2dbff1d) Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> (cherry picked from commit ef2560d) Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Test suite:
```yaml
---
apiVersion: v1
kind: Pod
metadata:
name: test-no-option
annotations:
description: "Equivalent of `docker run` (no option)"
spec:
restartPolicy: Never
containers:
- name: main
image: ghcr.io/containerd/busybox:1.28
args: ['sh', '-euxc',
'[ "$(id)" = "uid=0(root) gid=0(root) groups=0(root),10(wheel)" ]']
---
apiVersion: v1
kind: Pod
metadata:
name: test-group-add-1-group-add-1234
annotations:
description: "Equivalent of `docker run --group-add 1 --group-add 1234`"
spec:
restartPolicy: Never
containers:
- name: main
image: ghcr.io/containerd/busybox:1.28
args: ['sh', '-euxc',
'[ "$(id)" = "uid=0(root) gid=0(root) groups=0(root),1(daemon),10(wheel),1234" ]']
securityContext:
supplementalGroups: [1, 1234]
---
apiVersion: v1
kind: Pod
metadata:
name: test-user-1234
annotations:
description: "Equivalent of `docker run --user 1234`"
spec:
restartPolicy: Never
containers:
- name: main
image: ghcr.io/containerd/busybox:1.28
args: ['sh', '-euxc',
'[ "$(id)" = "uid=1234 gid=0(root) groups=0(root)" ]']
securityContext:
runAsUser: 1234
---
apiVersion: v1
kind: Pod
metadata:
name: test-user-1234-1234
annotations:
description: "Equivalent of `docker run --user 1234:1234`"
spec:
restartPolicy: Never
containers:
- name: main
image: ghcr.io/containerd/busybox:1.28
args: ['sh', '-euxc',
'[ "$(id)" = "uid=1234 gid=1234 groups=1234" ]']
securityContext:
runAsUser: 1234
runAsGroup: 1234
---
apiVersion: v1
kind: Pod
metadata:
name: test-user-1234-group-add-1234
annotations:
description: "Equivalent of `docker run --user 1234 --group-add 1234`"
spec:
restartPolicy: Never
containers:
- name: main
image: ghcr.io/containerd/busybox:1.28
args: ['sh', '-euxc',
'[ "$(id)" = "uid=1234 gid=0(root) groups=0(root),1234" ]']
securityContext:
runAsUser: 1234
supplementalGroups: [1234]
```
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 3eda46a)
> Conflicts:
> integration/addition_gids_test.go
> pkg/cri/sbserver/container_create_linux.go
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
For running CI in a non-upstream repo Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> (cherry picked from commit fe0116e) > Conflicts: > .github/workflows/codeql.yml > .github/workflows/fuzz.yml Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
[release/1.6] Prepare release notes for v1.6.17
[release/1.6] CI: skip some jobs when `repo != containerd/containerd`
This reverts commit 1acca8b. As stated in the Godoc, this function is intended to check for presence of `apparmor_parser`. Changing this regressed the public API of containerd, and directly contradicts the way that this function is consumed inside of containerd itself: * https://github.com/containerd/containerd/blob/fdfdc9bfc0f865a43c88171110615d1510fad3bc/pkg/apparmor/apparmor.go#L20 * https://github.com/containerd/containerd/blob/fdfdc9bfc0f865a43c88171110615d1510fad3bc/pkg/cri/sbserver/helpers_linux.go#L85 * https://github.com/containerd/containerd/blob/fdfdc9bfc0f865a43c88171110615d1510fad3bc/pkg/cri/server/helpers_linux.go#L144 This has lead to a number of painful regressions and attempted fixes in Moby: * moby/moby#44900 * moby/moby#44902 * moby/moby#44970 While reverting this late into the life of 1.6 and at the start of the life of 1.7 is likely painful, I think this is ultimately the best path to take, as containerd is subject to the same failure to start containers with an AppArmor kernel when `apparmor_parser` is missing as Moby. Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com> (cherry picked from commit a326510) Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com> (cherry picked from commit d33a43c) Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
Signed-off-by: Swagat Bora <sbora@amazon.com> (cherry picked from commit 6ae3e5d) Signed-off-by: Swagat Bora <sbora@amazon.com>
…egression_1.6 [release/1.6 backport] Revert `apparmor_parser` regression
Signed-off-by: Iceber Gu <wei.cai-nat@daocloud.io> (cherry picked from commit 0b9313c) Signed-off-by: Iceber Gu <wei.cai-nat@daocloud.io>
The background for this change: 1. Windows host-process containers do not have an OS version set 2. Buildx v0.10 started pushing manifest lists by default, but it never has the OSVersion in the platform data (not that there is any way to specify what particular OS version you want). The change means that containerd cannot run images created with the new buildx on Windows because there is no matching OSVersion in the list of manifests. Signed-off-by: Brian Goff <cpuguy83@gmail.com> (cherry picked from commit 8442521) Signed-off-by: Brian Goff <cpuguy83@gmail.com>
…latform_matching [1.6] Add fallback for windows platforms without osversion
[release/1.6] importer: stream oci-layout and manifest.json
[release/1.6] oci: fix additional GIDs
Signed-off-by: Derek McGowan <derek@mcg.dev>
[release/1.6] Prepare release notes for v1.6.18
containerd 1.6.18 Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
miz060
pushed a commit
to microsoft/confidential-containers-containerd
that referenced
this pull request
Oct 15, 2024
Update the dependency and the indirect golang.org/x/net version to align
with containerd itself, and to prevent a vulnerability being detected.
We should keep the versions <= versions used by containerd 1.7 to prevent
forcing users of containerd 1.7 in combination with the latest version
of the API module from having to update all their dependencies, but
this update should likely be fine (and aligns with 1.7).
Before this:
Scanning your code and 254 packages across 15 dependent modules for known vulnerabilities...
=== Symbol Results ===
Vulnerability #1: GO-2024-2687
HTTP/2 CONTINUATION flood in net/http
More info: https://pkg.go.dev/vuln/GO-2024-2687
Module: golang.org/x/net
Found in: golang.org/x/net@v0.21.0
Fixed in: golang.org/x/net@v0.23.0
Example traces found:
#1: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.ConnectionError.Error
#2: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.ErrCode.String
#3: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.FrameHeader.String
confidential-containers#4: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.FrameType.String
confidential-containers#5: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.Setting.String
confidential-containers#6: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.SettingID.String
confidential-containers#7: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.StreamError.Error
confidential-containers#8: services/content/v1/content_ttrpc.pb.go:272:35: content.ttrpccontentClient.Write calls ttrpc.Client.NewStream, which eventually calls http2.chunkWriter.Write
confidential-containers#9: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.connError.Error
confidential-containers#10: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.duplicatePseudoHeaderError.Error
confidential-containers#11: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.headerFieldNameError.Error
confidential-containers#12: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.headerFieldValueError.Error
confidential-containers#13: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.pseudoHeaderError.Error
confidential-containers#14: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.writeData.String
Your code is affected by 1 vulnerability from 1 module.
This scan also found 0 vulnerabilities in packages you import and 3
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
After this:
govulncheck ./...
Scanning your code and 251 packages across 13 dependent modules for known vulnerabilities...
=== Symbol Results ===
No vulnerabilities found.
Your code is affected by 0 vulnerabilities.
This scan also found 0 vulnerabilities in packages you import and 3
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
20 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.