Fixes the following CVEs: * CVE-2020-15257 * CVE-2021-21334 * CVE-2021-32760 * CVE-2021-41103 * CVE-2022-23648
Based on commit cd6feb72b84aab9655af6c8c0774a180ea2a4f60 Signed-off-by: Hugo SIMELIERE <[email protected]> --- .../containerd/containerd-docker_git.bb | 10 ++- .../0001-Add-build-option-GODEBUG-1.patch | 28 +++----- ...1-build-use-oe-provided-GO-and-flags.patch | 42 ----------- .../containerd-opencontainers_git.bb | 20 ++---- recipes-containers/containerd/containerd.inc | 9 ++- ...1-build-use-oe-provided-GO-and-flags.patch | 70 +++++++++++++++++++ 6 files changed, 100 insertions(+), 79 deletions(-) delete mode 100644 recipes-containers/containerd/containerd-opencontainers/0001-build-use-oe-provided-GO-and-flags.patch create mode 100644 recipes-containers/containerd/files/0001-build-use-oe-provided-GO-and-flags.patch diff --git a/recipes-containers/containerd/containerd-docker_git.bb b/recipes-containers/containerd/containerd-docker_git.bb index f6b0e28..8d1a27a 100644 --- a/recipes-containers/containerd/containerd-docker_git.bb +++ b/recipes-containers/containerd/containerd-docker_git.bb @@ -1,8 +1,11 @@ SRCREV = "3addd840653146c90a254301d6c3a663c7fd6429" SRC_URI = "\ - git://github.com/docker/containerd.git;branch=v0.2.x;destsuffix=git/src/github.com/containerd/containerd;protocol=https \ + git://github.com/docker/containerd.git;branch=v0.2.x;destsuffix=git/src/github.com/containerd/containerd \ " + +LIC_FILES_CHKSUM = "file://LICENSE.code;md5=aadc30f9c14d876ded7bedc0afd2d3d7" + include containerd.inc CONTAINERD_VERSION = "v0.2.x" @@ -12,3 +15,8 @@ PROVIDES += "virtual/containerd" RPROVIDES_${PN} = "virtual/containerd" DEPENDS += "btrfs-tools" + +do_compile_prepend() { + bberror "${PN} is depreciated and will be removed in the future" + bbfatal "use container-opencontainers for a working configuration" +} diff --git a/recipes-containers/containerd/containerd-opencontainers/0001-Add-build-option-GODEBUG-1.patch b/recipes-containers/containerd/containerd-opencontainers/0001-Add-build-option-GODEBUG-1.patch index fec9ea6..8b43c8a 100644 
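Review bot: The SRC_URI change in the first hunk drops `;protocol=https` from the GitHub fetch, so the git fetcher falls back to the plain git:// transport, which is neither encrypted nor authenticated, and which GitHub no longer serves and recent bitbake releases reject for github.com URLs, so the fetch is likely to fail outright. The same parameter is removed in the containerd-opencontainers_git.bb hunk `@@ -1,5 +1,5 @@` further down. Keep it on both lines: `git://github.com/docker/containerd.git;branch=v0.2.x;destsuffix=git/src/github.com/containerd/containerd;protocol=https \`.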
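Review bot: The new do_compile_prepend in the second hunk has two wording errors in user-facing messages: `depreciated` should be `deprecated`, and `container-opencontainers` should name the actual recipe, `containerd-opencontainers`. bbfatal already aborts the build with its message, so the bberror/bbfatal pair can be one line: `bbfatal "${PN} is deprecated and will be removed in the future; use containerd-opencontainers for a working configuration"`. A recipe whose compile step always fails is arguably better dropped than kept, which this commit could state in its description.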
--- a/recipes-containers/containerd/containerd-opencontainers/0001-Add-build-option-GODEBUG-1.patch +++ b/recipes-containers/containerd/containerd-opencontainers/0001-Add-build-option-GODEBUG-1.patch @@ -15,28 +15,18 @@ 
Signed-off-by: Hongxu Jia <[email protected]> src/import/Makefile | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) -diff --git a/src/import/Makefile b/src/import/Makefile -index 4355395..4fb5d3b 100644 ---- a/src/import/Makefile -+++ b/src/import/Makefile -@@ -75,11 +75,15 @@ TEST_REQUIRES_ROOT_PACKAGES=$(filter \ +Index: git/src/import/Makefile +=================================================================== +--- git.orig/src/import/Makefile 2020-10-12 08:09:41.638977052 -0700 ++++ git/src/import/Makefile 2020-10-12 08:10:49.783074373 -0700 +@@ -72,6 +72,10 @@ COMMANDS=ctr containerd containerd-stress - MANPAGES=ctr.1 containerd.1 containerd-config.1 containerd-config.toml.5 + MANPAGES=ctr.8 containerd.8 containerd-config.8 containerd-config.toml.5 +ifndef GODEBUG + EXTRA_LDFLAGS += -s -w +endif + - # Build tags seccomp and apparmor are needed by CRI plugin. - BUILDTAGS ?= seccomp apparmor - GO_TAGS=$(if $(BUILDTAGS),-tags "$(BUILDTAGS)",) --GO_LDFLAGS=-ldflags '-s -w -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -X $(PKG)/version.Package=$(PACKAGE) $(EXTRA_LDFLAGS)' --SHIM_GO_LDFLAGS=-ldflags '-s -w -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -X $(PKG)/version.Package=$(PACKAGE) -extldflags "-static"' -+GO_LDFLAGS=-ldflags '-X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -X $(PKG)/version.Package=$(PACKAGE) $(EXTRA_LDFLAGS)' -+SHIM_GO_LDFLAGS=-ldflags '-X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -X $(PKG)/version.Package=$(PACKAGE) -extldflags "-static $(EXTRA_EXTLDFLAGS)" $(EXTRA_LDFLAGS)' - - #Replaces ":" (*nix), ";" (windows) with newline for easy parsing - GOPATHS=$(shell echo ${GOPATH} | tr ":" "\n" | tr ";" "\n") --- -2.7.4 - + ifdef BUILDTAGS + GO_BUILDTAGS = ${BUILDTAGS} + endif 
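Review bot: The diffstat kept as context in this patch's preamble (`src/import/Makefile | 8 ++++++--`, `1 file changed, 6 insertions(+), 2 deletions(-)`) no longer matches the refreshed hunk, which is now `@@ -72,6 +72,10 @@` with four added lines and nothing removed; update or drop the stale stat so the header describes what the patch applies. The refresh also switches from a git-format header to an `Index:` quilt header with local timestamps, harmless but inconsistent with the other patch added in this commit. If the 1.4 Makefile already carries an equivalent `ifndef GODEBUG` block upstream, this patch may now be a duplicate, which is worth confirming against the 1.4.13 tree.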
diff --git a/recipes-containers/containerd/containerd-opencontainers/0001-build-use-oe-provided-GO-and-flags.patch b/recipes-containers/containerd/containerd-opencontainers/0001-build-use-oe-provided-GO-and-flags.patch deleted file mode 100644 index d4d5973..0000000 --- a/recipes-containers/containerd/containerd-opencontainers/0001-build-use-oe-provided-GO-and-flags.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From 408e8b526d490af817a64b7220e8e2c3789de58f Mon Sep 17 00:00:00 2001 -From: Bruce Ashfield <[email protected]> -Date: Sun, 10 Feb 2019 23:46:06 +0000 -Subject: [PATCH] build: use oe provided GO and flags - -We want to use the go compiler as defined in the oe-enviroment, not the -generic call to 'go'. Without changing this, we'll get things like cgo -errors and invalid flag combos. - -Signed-off-by: Bruce Ashfield <[email protected]> ---- - Makefile | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -Index: git/src/import/Makefile -=================================================================== ---- git.orig/src/import/Makefile -+++ git/src/import/Makefile -@@ -166,19 +166,19 @@ - # Build a binary from a cmd. - bin/%: cmd/% FORCE - @echo "$(WHALE) $@${BINARY_SUFFIX}" -- @go build ${GO_GCFLAGS} ${GO_BUILD_FLAGS} -o $@${BINARY_SUFFIX} ${GO_LDFLAGS} ${GO_TAGS} ./$< -+ @$(GO) build ${GO_GCFLAGS} ${GO_BUILD_FLAGS} -o $@${BINARY_SUFFIX} ${GO_LDFLAGS} ${GO_TAGS} ./$< - - bin/containerd-shim: cmd/containerd-shim FORCE # set !cgo and omit pie for a static shim build: https://github.com/golang/go/issues/17789#issuecomment-258542220 - @echo "$(WHALE) bin/containerd-shim" -- @CGO_ENABLED=0 go build ${GO_BUILD_FLAGS} -o bin/containerd-shim ${SHIM_GO_LDFLAGS} ${GO_TAGS} ./cmd/containerd-shim -+ @$(GO) build ${GO_BUILD_FLAGS} -o bin/containerd-shim ${SHIM_GO_LDFLAGS} ${GO_TAGS} ./cmd/containerd-shim - - bin/containerd-shim-runc-v1: cmd/containerd-shim-runc-v1 FORCE # set !cgo and omit pie for a static shim build: https://github.com/golang/go/issues/17789#issuecomment-258542220 - @echo "$(WHALE) bin/containerd-shim-runc-v1" -- @CGO_ENABLED=0 go build ${GO_BUILD_FLAGS} -o bin/containerd-shim-runc-v1 ${SHIM_GO_LDFLAGS} ${GO_TAGS} ./cmd/containerd-shim-runc-v1 -+ @$(GO) build ${GO_BUILD_FLAGS} -o bin/containerd-shim-runc-v1 ${SHIM_GO_LDFLAGS} ${GO_TAGS} ./cmd/containerd-shim-runc-v1 - - bin/containerd-shim-runhcs-v1: cmd/containerd-shim-runhcs-v1 
FORCE # set !cgo and omit pie for a static shim build: https://github.com/golang/go/issues/17789#issuecomment-258542220 - @echo "$(WHALE) bin/containerd-shim-runhcs-v1${BINARY_SUFFIX}" -- @CGO_ENABLED=0 go build ${GO_BUILD_FLAGS} -o bin/containerd-shim-runhcs-v1${BINARY_SUFFIX} ${SHIM_GO_LDFLAGS} ${GO_TAGS} ./cmd/containerd-shim-runhcs-v1 -+ @$(GO) build ${GO_BUILD_FLAGS} -o bin/containerd-shim-runhcs-v1${BINARY_SUFFIX} ${SHIM_GO_LDFLAGS} $(GOBUILDFLAGS) ${GO_TAGS} ./cmd/containerd-shim-runhcs-v1 - - binaries: $(BINARIES) ## build binaries - @echo "$(WHALE) $@" diff --git a/recipes-containers/containerd/containerd-opencontainers_git.bb b/recipes-containers/containerd/containerd-opencontainers_git.bb index 5f697ed..19a1e60 100644 --- a/recipes-containers/containerd/containerd-opencontainers_git.bb +++ b/recipes-containers/containerd/containerd-opencontainers_git.bb @@ -1,5 +1,5 @@ -SRCREV = "3b3e9d5f62a114153829f9fbe2781d27b0a2ddac" -SRC_URI = "git://github.com/containerd/containerd;branch=release/1.2;protocol=https \ +SRCREV = "9cc61520f4cd876b86e77edfeb88fbcd536d1f9d" +SRC_URI = "git://github.com/containerd/containerd;branch=release/1.4 \ file://0001-build-use-oe-provided-GO-and-flags.patch \ file://0001-Add-build-option-GODEBUG-1.patch \ " 
@@ -8,20 +8,10 @@ include containerd.inc LIC_FILES_CHKSUM = "file://src/import/LICENSE;md5=1269f40c0d099c21a871163984590d89" -CONTAINERD_VERSION = "v1.2.14" +CONTAINERD_VERSION = "v1.4.13" +CVE_VERSION = "1.4.13" -# Work around internal error in gold triggered due to DWARF-5 by forcing to use bfd even with ld-is-gold: -# _/OE/lge/build/webosose/dunfell/BUILD/work/qemux86_64-webos-linux/containerd-opencontainers/v1.2.14+gitAUTOINC+3b3e9d5f62-r0/git/src/import/cmd/containerd-shim -# /OE/lge/build/webosose/dunfell/BUILD/work/qemux86_64-webos-linux/containerd-opencontainers/v1.2.14+gitAUTOINC+3b3e9d5f62-r0/recipe-sysroot-native/usr/lib/x86_64-webos-linux/go/pkg/tool/linux_amd64/link: running x86_64-webos-linux-gcc failed: exit status 1 -# /OE/lge/build/webosose/dunfell/BUILD/work/qemux86_64-webos-linux/containerd-opencontainers/v1.2.14+gitAUTOINC+3b3e9d5f62-r0/recipe-sysroot-native/usr/bin/x86_64-webos-linux/../../libexec/x86_64-webos-linux/gcc/x86_64-webos-linux/9.3.0/ld: internal error in read_header_prolog, at ../../gold/dwarf_reader.cc:1678 -# collect2: error: ld returned 1 exit status -# alternatively we can backport DWARF-5 support to binutils-2.34 used in dunfell like in: -# https://git.openembedded.org/openembedded-core/commit/?id=d07d4d739ae17787017f771dd2068fda0e836722 -EXTRA_EXTLDFLAGS = "${@bb.utils.contains('DISTRO_FEATURES', 'ld-is-gold', ' -fuse-ld=bfd ', '', d)}" - -EXTRA_OEMAKE += "GODEBUG=1 EXTRA_EXTLDFLAGS='${EXTRA_EXTLDFLAGS}'" +EXTRA_OEMAKE += "GODEBUG=1" PROVIDES += "virtual/containerd" RPROVIDES_${PN} = "virtual/containerd" - -CVE_PRODUCT = "containerd" diff --git a/recipes-containers/containerd/containerd.inc b/recipes-containers/containerd/containerd.inc index e226edf..2a14a44 100644 --- a/recipes-containers/containerd/containerd.inc +++ b/recipes-containers/containerd/containerd.inc 
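Review bot: The hunk removes `CVE_PRODUCT = "containerd"` while adding `CVE_VERSION = "1.4.13"`; unless containerd.inc sets CVE_PRODUCT (it is not visible in its hunks here), cve-check falls back to the recipe name `containerd-opencontainers`, which matches no NVD CPE entry, so the scanner silently stops reporting on exactly the CVEs this commit says it fixes. Keep `CVE_PRODUCT = "containerd"` next to the new CVE_VERSION line. A short comment explaining why the gold/bfd workaround and the EXTRA_EXTLDFLAGS plumbing are no longer needed with 1.4.13 would also help the next reader, since the removal is otherwise unexplained.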
@@ -6,7 +6,7 @@ DESCRIPTION = "containerd is a daemon to control runC, built for performance and # Apache-2.0 for containerd LICENSE = "Apache-2.0" -LIC_FILES_CHKSUM = "file://src/import/LICENSE.code;md5=aadc30f9c14d876ded7bedc0afd2d3d7" +LIC_FILES_CHKSUM ?= "file://src/import/LICENSE.code;md5=aadc30f9c14d876ded7bedc0afd2d3d7" SRC_URI += "file://containerd.service" @@ -38,7 +38,7 @@ do_compile() { # without this, the stress test parts of the build fail cp ${S}/src/import/*.go ${S}/src/import/vendor/src/github.com/containerd/containerd - for c in content errdefs fs images mount snapshots linux api runtimes defaults progress \ + for c in content timeout ttrpcutil oom stdio process errdefs fs images mount snapshots linux api runtimes defaults progress \ protobuf reference diff platforms runtime remotes version archive dialer gc metadata \ metrics filters identifiers labels leases plugin server services \ cmd cio containers namespaces oci events log reaper sys rootfs nvidia seed apparmor seccomp; do @@ -64,6 +64,7 @@ do_compile() { export BUILDTAGS="no_btrfs static_build netgo" export CFLAGS="${CFLAGS}" export LDFLAGS="${LDFLAGS}" + export SHIM_CGO_ENABLED="${CGO_ENABLED}" cd ${S}/src/import oe_runmake binaries 
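Review bot: In the last hunk, `export SHIM_CGO_ENABLED="${CGO_ENABLED}"` hands the build-wide cgo setting to the shim builds, whose Makefile rules (see the `set !cgo and omit pie for a static shim build` comment on the shim rules in the new patch below, which already read SHIM_CGO_ENABLED on their unpatched side) expect cgo off for a static shim; if CGO_ENABLED is 1 in this environment, the shims change from cgo-free static binaries to cgo static links against the target libc, a behaviour change the commit does not mention. Either pin it, `export SHIM_CGO_ENABLED="0"`, or add a one-line comment stating that a cgo-enabled shim is intended. do_compile starts and ends outside the hunk.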
@@ -79,12 +80,16 @@ do_install() { cp ${S}/src/import/bin/containerd ${D}/${bindir}/containerd cp ${S}/src/import/bin/containerd-shim ${D}/${bindir}/containerd-shim + cp ${S}/src/import/bin/containerd-shim-runc-v1 ${D}/${bindir}/containerd-shim-runc-v1 + cp ${S}/src/import/bin/containerd-shim-runc-v2 ${D}/${bindir}/containerd-shim-runc-v2 cp ${S}/src/import/bin/ctr ${D}/${bindir}/containerd-ctr ln -sf containerd ${D}/${bindir}/docker-containerd ln -sf containerd-shim ${D}/${bindir}/docker-containerd-shim ln -sf containerd-ctr ${D}/${bindir}/docker-containerd-ctr + ln -sf containerd-ctr ${D}/${bindir}/ctr + if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then install -d ${D}${systemd_unitdir}/system install -m 644 ${WORKDIR}/containerd.service ${D}/${systemd_unitdir}/system diff --git a/recipes-containers/containerd/files/0001-build-use-oe-provided-GO-and-flags.patch b/recipes-containers/containerd/files/0001-build-use-oe-provided-GO-and-flags.patch new file mode 100644 index 0000000..a58feed --- /dev/null +++ b/recipes-containers/containerd/files/0001-build-use-oe-provided-GO-and-flags.patch 
@@ -0,0 +1,70 @@ +From 408e8b526d490af817a64b7220e8e2c3789de58f Mon Sep 17 00:00:00 2001 +From: Bruce Ashfield <[email protected]> +Date: Sun, 10 Feb 2019 23:46:06 +0000 +Subject: [PATCH] build: use oe provided GO and flags + +We want to use the go compiler as defined in the oe-enviroment, not the +generic call to 'go'. Without changing this, we'll get things like cgo +errors and invalid flag combos. + +Signed-off-by: Bruce Ashfield <[email protected]> +--- + Makefile | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +Index: git/src/import/Makefile +=================================================================== +--- git.orig/src/import/Makefile 2020-10-12 07:36:18.775820388 -0700 ++++ git/src/import/Makefile 2020-10-12 08:00:05.134151221 -0700 +@@ -163,19 +163,19 @@ + + build: ## build the go packages + @echo "$(WHALE) $@" +- @go build ${DEBUG_GO_GCFLAGS} ${GO_GCFLAGS} ${GO_BUILD_FLAGS} ${EXTRA_FLAGS} ${GO_LDFLAGS} ${PACKAGES} ++ @$(GO) build ${DEBUG_GO_GCFLAGS} ${GO_GCFLAGS} ${GO_BUILD_FLAGS} ${EXTRA_FLAGS} ${GO_LDFLAGS} ${PACKAGES} + + test: ## run tests, except integration tests and tests that require root + @echo "$(WHALE) $@" +- @go test ${TESTFLAGS} $(filter-out ${INTEGRATION_PACKAGE},${PACKAGES}) ++ @$(GO) test ${TESTFLAGS} $(filter-out ${INTEGRATION_PACKAGE},${PACKAGES}) + + root-test: ## run tests, except integration tests + @echo "$(WHALE) $@" +- @go test ${TESTFLAGS} $(filter-out ${INTEGRATION_PACKAGE},${TEST_REQUIRES_ROOT_PACKAGES}) -test.root ++ @$(GO) test ${TESTFLAGS} $(filter-out ${INTEGRATION_PACKAGE},${TEST_REQUIRES_ROOT_PACKAGES}) -test.root + + integration: ## run integration tests + @echo "$(WHALE) $@" +- @go test ${TESTFLAGS} -test.root -parallel ${TESTFLAGS_PARALLEL} ++ @$(GO) test ${TESTFLAGS} -test.root -parallel ${TESTFLAGS_PARALLEL} + + benchmark: ## run benchmarks tests + @echo "$(WHALE) $@" +@@ -185,7 +185,7 @@ + + define BUILD_BINARY = + @echo "$(WHALE) $@" +-@go build ${DEBUG_GO_GCFLAGS} ${GO_GCFLAGS} 
${GO_BUILD_FLAGS} -o $@ ${GO_LDFLAGS} ${GO_TAGS} ./$< ++@$(GO) build ${DEBUG_GO_GCFLAGS} ${GO_GCFLAGS} ${GO_BUILD_FLAGS} -o $@ ${GO_LDFLAGS} ${GO_TAGS} ./$< + endef + + # Build a binary from a cmd. +@@ -194,15 +194,15 @@ + + bin/containerd-shim: cmd/containerd-shim FORCE # set !cgo and omit pie for a static shim build: https://github.com/golang/go/issues/17789#issuecomment-258542220 + @echo "$(WHALE) bin/containerd-shim" +- @CGO_ENABLED=${SHIM_CGO_ENABLED} go build ${GO_BUILD_FLAGS} -o bin/containerd-shim ${SHIM_GO_LDFLAGS} ${GO_TAGS} ./cmd/containerd-shim ++ @CGO_ENABLED=${SHIM_CGO_ENABLED} $(GO) build -a -pkgdir dontusecurrentpkgs ${GO_BUILD_FLAGS} -o bin/containerd-shim ${SHIM_GO_LDFLAGS} ${GO_TAGS} ./cmd/containerd-shim + + bin/containerd-shim-runc-v1: cmd/containerd-shim-runc-v1 FORCE # set !cgo and omit pie for a static shim build: https://github.com/golang/go/issues/17789#issuecomment-258542220 + @echo "$(WHALE) bin/containerd-shim-runc-v1" +- @CGO_ENABLED=${SHIM_CGO_ENABLED} go build ${GO_BUILD_FLAGS} -o bin/containerd-shim-runc-v1 ${SHIM_GO_LDFLAGS} ${GO_TAGS} ./cmd/containerd-shim-runc-v1 ++ @CGO_ENABLED=${SHIM_CGO_ENABLED} $(GO) build -a -pkgdir dontusecurrentpkgs ${GO_BUILD_FLAGS} -o bin/containerd-shim-runc-v1 ${SHIM_GO_LDFLAGS} ${GO_TAGS} ./cmd/containerd-shim-runc-v1 + + bin/containerd-shim-runc-v2: cmd/containerd-shim-runc-v2 FORCE # set !cgo and omit pie for a static shim build: https://github.com/golang/go/issues/17789#issuecomment-258542220 + @echo "$(WHALE) bin/containerd-shim-runc-v2" +- @CGO_ENABLED=${SHIM_CGO_ENABLED} go build ${GO_BUILD_FLAGS} -o bin/containerd-shim-runc-v2 ${SHIM_GO_LDFLAGS} ${GO_TAGS} ./cmd/containerd-shim-runc-v2 ++ @CGO_ENABLED=${SHIM_CGO_ENABLED} $(GO) build -a -pkgdir dontusecurrentpkgs ${GO_BUILD_FLAGS} -o bin/containerd-shim-runc-v2 ${SHIM_GO_LDFLAGS} ${GO_TAGS} ./cmd/containerd-shim-runc-v2 + + binaries: $(BINARIES) ## build binaries + @echo "$(WHALE) $@" -- 2.39.2
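Review bot: The new patch file has no `Upstream-Status:` line in its preamble, which the OE/Yocto patch guidelines require; `Upstream-Status: Inappropriate [OE build-system specific]` fits, since the patch replaces `go` with `$(GO)` for the OE toolchain. The preamble's message and diffstat are also stale: they describe only the `go` to `$(GO)` substitution with `4 insertions(+), 4 deletions(-)`, while the hunks change eight recipe lines and additionally add `-a -pkgdir dontusecurrentpkgs` to the three shim builds. That addition deserves a sentence in the message: `-a` forces a full rebuild of every dependency, and `-pkgdir` with a relative path presumably writes compiled packages under the source tree, so confirm this is intended rather than inherited from an older refresh.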
