Hello community, here is the log from the commit of package containerd for openSUSE:Factory checked in at 2019-06-30 10:19:04 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/containerd (Old) and /work/SRC/openSUSE:Factory/.containerd.new.4615 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "containerd" Sun Jun 30 10:19:04 2019 rev:32 rq:712297 version:1.2.6 Changes: -------- --- /work/SRC/openSUSE:Factory/containerd/containerd.changes 2019-05-06 21:13:12.860412771 +0200 +++ /work/SRC/openSUSE:Factory/.containerd.new.4615/containerd.changes 2019-06-30 10:19:06.819397635 +0200 @@ -1,0 +2,7 @@ +Fri Jun 28 01:45:50 UTC 2019 - Aleksa Sarai <[email protected]> + +- Update to containerd v1.2.6, which is required for Docker v18.09.7-ce. + bsc#1139649 +- Remove containerd-test (it's not useful for actual testing). + +------------------------------------------------------------------- Old: ---- containerd-1.2.5_bb71b10fd8f5.tar.xz New: ---- containerd-1.2.6_894b81a4b802.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ containerd.spec ++++++ --- /var/tmp/diff_new_pack.ouNVah/_old 2019-06-30 10:19:07.259398319 +0200 +++ /var/tmp/diff_new_pack.ouNVah/_new 2019-06-30 10:19:07.259398319 +0200 @@ -34,11 +34,11 @@ %endif # MANUAL: Update the git_version. -%define git_version bb71b10fd8f58240ca47fbb579b9d1028eea7c84 -%define git_short bb71b10fd8f5 +%define git_version 894b81a4b802e4eb2a91d1ce216b8817763c29fb +%define git_short 894b81a4b802 Name: %{realname}%{name_suffix} -Version: 1.2.5 +Version: 1.2.6 Release: 0 Summary: Standalone OCI Container Daemon License: Apache-2.0 
@@ -106,25 +106,6 @@ Standalone client for containerd, which allows management of containerd containers separately from Docker. -%package test -Summary: Test package for containerd -Group: System/Management -BuildArch: noarch -# KUBIC-SPECIFIC: This was required when upgrading from the original kubic -# packaging, when everything was renamed to -kubic. It also is -# used to ensure that nothing complains too much when using -# -kubic packages. Hopfully it can be removed one day. -%if "%flavour" == "kubic" -# Obsolete older package without -kubic suffix: v2 -> v3 -Obsoletes: %{realname}-test = 0.2.5+gitr569_2a5e70c -# Conflict with non-kubic package, and provide equivalent -Conflicts: %{realname}-test > 0.2.5+gitr569_2a5e70c -Provides: %{realname}-test = %{version} -%endif - -%description test -Test package for containerd. It contains the source code and the tests. - %prep %setup -q -n %{realname}-%{version}_%{git_short} %patch1 -p1 @@ -181,12 +162,6 @@ done ln -s ctr.1 %{buildroot}/%{_mandir}/man1/%{realname}-ctr.1 -# Source tree for containerd-test. -install -d -m755 %{buildroot}/usr/src/containerd/ -cp -ar $HOME/go/src/github.com/containerd/containerd/* %{buildroot}/usr/src/containerd/ -# Remove files we don't want to ship - exclude is the wrong usage here. -rm -rf %{buildroot}/usr/src/containerd/bin - %fdupes %{buildroot} %files @@ -206,8 +181,4 @@ %{_sbindir}/%{realname}-ctr %{_mandir}/man1/*ctr.1* -%files test -%defattr(-,root,root) -/usr/src/containerd/ - %changelog ++++++ _service ++++++ --- /var/tmp/diff_new_pack.ouNVah/_old 2019-06-30 10:19:07.295398375 +0200 +++ /var/tmp/diff_new_pack.ouNVah/_new 2019-06-30 10:19:07.295398375 +0200 
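Review bot: Removing `%package test` (and its `%files test` entry in the `@@ -206` hunk) leaves no `Obsoletes:` behind, so a host that already has the subpackage installed keeps the 1.2.5 source tree under `/usr/src/containerd/` after upgrading the main package, unless that is the packager's intent. Adding `Obsoletes: %{name}-test < %{version}` to the main package would retire it cleanly; on the kubic flavour the removed block also provided the unsuffixed `%{realname}-test`, so that name presumably needs the same treatment. The `%install` hunk that drops the `cp -ar` of the source tree is consistent with this and needs nothing further.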
@@ -3,8 +3,8 @@ <param name="url">https://github.com/containerd/containerd.git</param> <param name="scm">git</param> <param name="filename">containerd</param> - <param name="versionformat">1.2.5_%h</param> - <param name="revision">v1.2.5</param> + <param name="versionformat">1.2.6_%h</param> + <param name="revision">v1.2.6</param> <param name="exclude">.git</param> </service> <service name="recompress" mode="disabled"> ++++++ containerd-1.2.5_bb71b10fd8f5.tar.xz -> containerd-1.2.6_894b81a4b802.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/containerd-1.2.5_bb71b10fd8f5/Makefile new/containerd-1.2.6_894b81a4b802/Makefile --- old/containerd-1.2.5_bb71b10fd8f5/Makefile 2019-03-13 06:41:42.000000000 +0100 +++ new/containerd-1.2.6_894b81a4b802/Makefile 2019-04-05 20:39:47.000000000 +0200 @@ -22,6 +22,7 @@ # Used to populate variables in version package. VERSION=$(shell git describe --match 'v[0-9]*' --dirty='.m' --always) REVISION=$(shell git rev-parse HEAD)$(shell if ! git diff --no-ext-diff --quiet --exit-code; then echo .m; fi) +PACKAGE=github.com/containerd/containerd ifneq "$(strip $(shell command -v go 2>/dev/null))" "" GOOS ?= $(shell go env GOOS) 
@@ -77,8 +78,8 @@ # Build tags seccomp and apparmor are needed by CRI plugin. BUILDTAGS ?= seccomp apparmor GO_TAGS=$(if $(BUILDTAGS),-tags "$(BUILDTAGS)",) -GO_LDFLAGS=-ldflags '-s -w -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -X $(PKG)/version.Package=$(PKG) $(EXTRA_LDFLAGS)' -SHIM_GO_LDFLAGS=-ldflags '-s -w -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -X $(PKG)/version.Package=$(PKG) -extldflags "-static"' +GO_LDFLAGS=-ldflags '-s -w -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -X $(PKG)/version.Package=$(PACKAGE) $(EXTRA_LDFLAGS)' +SHIM_GO_LDFLAGS=-ldflags '-s -w -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -X $(PKG)/version.Package=$(PACKAGE) -extldflags "-static"' #Replaces ":" (*nix), ";" (windows) with newline for easy parsing GOPATHS=$(shell echo ${GOPATH} | tr ":" "\n" | tr ";" "\n") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/containerd-1.2.5_bb71b10fd8f5/contrib/seccomp/seccomp_default.go new/containerd-1.2.6_894b81a4b802/contrib/seccomp/seccomp_default.go --- old/containerd-1.2.5_bb71b10fd8f5/contrib/seccomp/seccomp_default.go 2019-03-13 06:41:42.000000000 +0100 +++ new/containerd-1.2.6_894b81a4b802/contrib/seccomp/seccomp_default.go 2019-04-05 20:39:47.000000000 +0200 @@ -161,6 +161,7 @@ "ioctl", "io_destroy", "io_getevents", + "io_pgetevents", "ioprio_get", "ioprio_set", "io_setup", @@ -319,6 +320,7 @@ "stat64", "statfs", "statfs64", + "statx", "symlink", "symlinkat", "sync", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/containerd-1.2.5_bb71b10fd8f5/mount/mountinfo_linux.go new/containerd-1.2.6_894b81a4b802/mount/mountinfo_linux.go --- old/containerd-1.2.5_bb71b10fd8f5/mount/mountinfo_linux.go 2019-03-13 06:41:42.000000000 +0100 +++ new/containerd-1.2.6_894b81a4b802/mount/mountinfo_linux.go 2019-04-05 20:39:47.000000000 +0200 
@@ -25,6 +25,8 @@ "os" "strconv" "strings" + + "github.com/pkg/errors" ) // Self retrieves a list of mounts for the current running process. @@ -41,13 +43,15 @@ func parseInfoFile(r io.Reader) ([]Info, error) { s := bufio.NewScanner(r) out := []Info{} - + var err error for s.Scan() { - if err := s.Err(); err != nil { + if err = s.Err(); err != nil { return nil, err } /* + See http://man7.org/linux/man-pages/man5/proc.5.html + 36 35 98:0 /mnt1 /mnt2 rw,noatime master:1 - ext3 /dev/root rw,errors=continue (1)(2)(3) (4) (5) (6) (7) (8) (9) (10) (11) (1) mount ID: unique identifier of the mount (may be reused after umount) @@ -68,7 +72,7 @@ numFields := len(fields) if numFields < 10 { // should be at least 10 fields - return nil, fmt.Errorf("parsing '%s' failed: not enough fields (%d)", text, numFields) + return nil, errors.Errorf("parsing '%s' failed: not enough fields (%d)", text, numFields) } p := Info{} // ignore any numbers parsing errors, as there should not be any @@ -76,13 +80,19 @@ p.Parent, _ = strconv.Atoi(fields[1]) mm := strings.Split(fields[2], ":") if len(mm) != 2 { - return nil, fmt.Errorf("parsing '%s' failed: unexpected minor:major pair %s", text, mm) + return nil, errors.Errorf("parsing '%s' failed: unexpected minor:major pair %s", text, mm) } p.Major, _ = strconv.Atoi(mm[0]) p.Minor, _ = strconv.Atoi(mm[1]) - p.Root = fields[3] - p.Mountpoint = fields[4] + p.Root, err = strconv.Unquote(`"` + fields[3] + `"`) + if err != nil { + return nil, errors.Wrapf(err, "parsing '%s' failed: unable to unquote root field", fields[3]) + } + p.Mountpoint, err = strconv.Unquote(`"` + fields[4] + `"`) + if err != nil { + return nil, errors.Wrapf(err, "parsing '%s' failed: unable to unquote mount point field", fields[4]) + } p.Options = fields[5] // one or more optional fields, when a separator (-) 
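Review bot: `strconv.Unquote` applies Go string-literal syntax to `fields[3]` and `fields[4]`, which is broader than what the kernel emits (octal `\040`-style escapes for space, tab, newline and backslash) and, more importantly, rejects an unescaped `"`; a mount point containing a double quote therefore turns into an error for the whole mountinfo table rather than one odd entry, where the old code parsed it fine. The test added in `mountinfo_linux_test.go` also pins `Source: "//foo/BLA\040BLA\040BLA/"` unescaped, so the decoding is applied to root and mount point but not to the source field, which the kernel escapes the same way; if that asymmetry is deliberate it deserves a comment, otherwise the same decoder should presumably run on the source field after the separator (outside this hunk). I would replace the two `Unquote` calls with a small decoder that handles only the `\ooo` form and leaves every other byte untouched, as below, keeping the `errors.Wrapf` error paths as they are. `parseInfoFile` begins in the previous hunk and continues past this one.
```go
// unescape decodes the octal escapes (\040 etc.) the kernel writes into
// mountinfo fields; any other byte is copied through unchanged.
func unescape(s string) (string, error) {
	if !strings.Contains(s, `\`) {
		return s, nil
	}
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		if s[i] != '\\' {
			b.WriteByte(s[i])
			continue
		}
		if i+3 >= len(s) {
			return "", errors.Errorf("invalid escape sequence in %q", s)
		}
		v, err := strconv.ParseUint(s[i+1:i+4], 8, 8)
		if err != nil {
			return "", errors.Wrapf(err, "invalid escape sequence in %q", s)
		}
		b.WriteByte(byte(v))
		i += 3
	}
	return b.String(), nil
}

// … in parseInfoFile, replacing the two strconv.Unquote calls …
	p.Root, err = unescape(fields[3])
	if err != nil {
		return nil, errors.Wrapf(err, "parsing '%s' failed: unable to unquote root field", fields[3])
	}
	p.Mountpoint, err = unescape(fields[4])
	if err != nil {
		return nil, errors.Wrapf(err, "parsing '%s' failed: unable to unquote mount point field", fields[4])
	}
```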
@@ -101,11 +111,11 @@ } } if i == numFields { - return nil, fmt.Errorf("parsing '%s' failed: missing separator ('-')", text) + return nil, errors.Errorf("parsing '%s' failed: missing separator ('-')", text) } // There should be 3 fields after the separator... if i+4 > numFields { - return nil, fmt.Errorf("parsing '%s' failed: not enough fields after a separator", text) + return nil, errors.Errorf("parsing '%s' failed: not enough fields after a separator", text) } // ... but in Linux <= 3.9 mounting a cifs with spaces in a share name // (like "//serv/My Documents") _may_ end up having a space in the last field diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/containerd-1.2.5_bb71b10fd8f5/mount/mountinfo_linux_test.go new/containerd-1.2.6_894b81a4b802/mount/mountinfo_linux_test.go --- old/containerd-1.2.5_bb71b10fd8f5/mount/mountinfo_linux_test.go 2019-03-13 06:41:42.000000000 +0100 +++ new/containerd-1.2.6_894b81a4b802/mount/mountinfo_linux_test.go 2019-04-05 20:39:47.000000000 +0200 @@ -436,6 +436,9 @@ 286 15 0:3631 / /var/lib/docker/aufs/mnt/ff28c27d5f894363993622de26d5dd352dba072f219e4691d6498c19bbbc15a9 rw,relatime - aufs none rw,si=9b4a7642265b339c 289 15 0:3634 / /var/lib/docker/aufs/mnt/aa128fe0e64fdede333aa48fd9de39530c91a9244a0f0649a3c411c61e372daa rw,relatime - aufs none rw,si=9b4a764012ada39c 99 15 8:33 / /media/REMOVE\040ME rw,nosuid,nodev,relatime - fuseblk /dev/sdc1 rw,user_id=0,group_id=0,allow_other,blksize=4096` + + mountInfoWithSpaces = `486 28 252:1 / /mnt/foo\040bar rw,relatime shared:243 - ext4 /dev/vda1 rw,data=ordered +31 21 0:23 / /DATA/foo_bla_bla rw,relatime - cifs //foo/BLA\040BLA\040BLA/ rw,sec=ntlm,cache=loose,unc=\\foo\BLA BLA BLA,username=my_login,domain=mydomain.com,uid=12345678,forceuid,gid=12345678,forcegid,addr=10.1.30.10,file_mode=0755,dir_mode=0755,nounix,rsize=61440,wsize=65536,actimeo=1` ) func TestParseFedoraMountinfo(t *testing.T) { 
@@ -490,3 +493,48 @@ t.Fatalf("expected %#v, got %#v", mi, infos[0]) } } + +func TestParseMountinfoWithSpaces(t *testing.T) { + r := bytes.NewBuffer([]byte(mountInfoWithSpaces)) + infos, err := parseInfoFile(r) + if err != nil { + t.Fatal(err) + } + expected := []Info{ + { + ID: 486, + Parent: 28, + Major: 252, + Minor: 1, + Root: "/", + Mountpoint: "/mnt/foo bar", + Options: "rw,relatime", + Optional: "shared:243", + FSType: "ext4", + Source: "/dev/vda1", + VFSOptions: "rw,data=ordered", + }, + { + ID: 31, + Parent: 21, + Major: 0, + Minor: 23, + Root: "/", + Mountpoint: "/DATA/foo_bla_bla", + Options: "rw,relatime", + Optional: "", + FSType: "cifs", + Source: `//foo/BLA\040BLA\040BLA/`, + VFSOptions: `rw,sec=ntlm,cache=loose,unc=\\foo\BLA`, + }, + } + + if len(infos) != len(expected) { + t.Fatalf("expected %d entries, got %d", len(expected), len(infos)) + } + for i, mi := range expected { + if infos[i] != mi { + t.Fatalf("expected %#v, got %#v", mi, infos[i]) + } + } +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/containerd-1.2.5_bb71b10fd8f5/oci/spec_opts.go new/containerd-1.2.6_894b81a4b802/oci/spec_opts.go --- old/containerd-1.2.5_bb71b10fd8f5/oci/spec_opts.go 2019-03-13 06:41:42.000000000 +0100 +++ new/containerd-1.2.6_894b81a4b802/oci/spec_opts.go 2019-04-05 20:39:47.000000000 +0200 
@@ -733,7 +733,9 @@ } // WithAllCapabilities sets all linux capabilities for the process -var WithAllCapabilities = WithCapabilities(getAllCapabilities()) +var WithAllCapabilities = func(ctx context.Context, client Client, c *containers.Container, s *Spec) error { + return WithCapabilities(getAllCapabilities())(ctx, client, c, s) +} func getAllCapabilities() []string { last := capability.CAP_LAST_CAP diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/containerd-1.2.5_bb71b10fd8f5/oci/spec_opts_test.go new/containerd-1.2.6_894b81a4b802/oci/spec_opts_test.go --- old/containerd-1.2.5_bb71b10fd8f5/oci/spec_opts_test.go 2019-03-13 06:41:42.000000000 +0100 +++ new/containerd-1.2.6_894b81a4b802/oci/spec_opts_test.go 2019-04-05 20:39:47.000000000 +0200 @@ -39,25 +39,25 @@ Env: []string{"DEFAULT=test"}, } - WithEnv([]string{"env=1"})(nil, nil, nil, &s) + WithEnv([]string{"env=1"})(context.Background(), nil, nil, &s) if len(s.Process.Env) != 2 { t.Fatal("didn't append") } - WithEnv([]string{"env2=1"})(nil, nil, nil, &s) + WithEnv([]string{"env2=1"})(context.Background(), nil, nil, &s) if len(s.Process.Env) != 3 { t.Fatal("didn't append") } - WithEnv([]string{"env2=2"})(nil, nil, nil, &s) + WithEnv([]string{"env2=2"})(context.Background(), nil, nil, &s) if s.Process.Env[2] != "env2=2" { t.Fatal("couldn't update") } - WithEnv([]string{"env2"})(nil, nil, nil, &s) + WithEnv([]string{"env2"})(context.Background(), nil, nil, &s) if len(s.Process.Env) != 2 { t.Fatal("couldn't unset") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/containerd-1.2.5_bb71b10fd8f5/releases/v1.2.6.toml new/containerd-1.2.6_894b81a4b802/releases/v1.2.6.toml --- old/containerd-1.2.5_bb71b10fd8f5/releases/v1.2.6.toml 1970-01-01 01:00:00.000000000 +0100 +++ new/containerd-1.2.6_894b81a4b802/releases/v1.2.6.toml 2019-04-05 20:39:47.000000000 +0200 
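Review bot: The reason for turning `WithAllCapabilities` into a closure is not stated, and the existing one-line comment still reads as if it were a precomputed value; the point of the change appears to be that `getAllCapabilities()` now runs when the option is applied rather than at package initialisation, which matters because `capability.CAP_LAST_CAP` is itself filled in at runtime by that package (this is what the "incomplete capability list" entry in the release notes refers to, as far as I can tell). I would extend the comment to `// WithAllCapabilities sets all linux capabilities for the process. The list is computed when the option is applied rather than at package init, so that capability.CAP_LAST_CAP has been initialised.` so nobody "simplifies" it back. Stylistically, since the value is now a function literal anyway, declaring it as a plain `func WithAllCapabilities(ctx context.Context, client Client, c *containers.Container, s *Spec) error` would keep every call site working and read like the other options in this file.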
@@ -0,0 +1,39 @@ +# commit to be tagged for new release +commit = "HEAD" + +project_name = "containerd" +github_repo = "containerd/containerd" +match_deps = "^github.com/(containerd/[a-zA-Z0-9-]+)$" + +# previous release +previous = "v1.2.5" + +pre_release = false + +preface = """\ +The sixth patch release for `containerd` 1.2 contains fixes +for the containerd client, the CRI plugin and containerd io +and mount handling. + +It whitelists 2 new syscalls in the default seccomp profile, +and also updates CNI to v0.7.5 to include the fix for [CVE-2019-9946](https://nvd.nist.gov/vuln/detail/CVE-2019-9946). + +All these changes are noted below. +### Notable Updates +* Allow overriding package name in `containerd --version` output. [#3098](https://github.com/containerd/containerd/pull/3098) +* Add 2 new syscalls `io_pgetevents` and `statx` in the default seccomp whitelist. [#3113](https://github.com/containerd/containerd/pull/3113) [#3115](https://github.com/containerd/containerd/pull/3115) +* Fix a bug that custom containerd cgroup path does not work in containerd 1.2.5. [#3143](https://github.com/containerd/containerd/pull/3143) +* Fix a bug in the containerd client that `WithAllCapabilities` applies incomplete capability list. [#3147](https://github.com/containerd/containerd/pull/3147) +* Fix a bug that container output can be incomplete when stdout and stderr are pointed to the same file. [#3118](https://github.com/containerd/containerd/issues/3118) +* Fix a bug that containerd can't properly handle space in mount point path. [3161](https://github.com/containerd/containerd/pull/3161) +* cri: fix a bug that containers being gracefully stopped are SIGKILLed when kubelet is restarted. [cri#1098](https://github.com/containerd/cri/issues/1098) +* cri: Fix a bug that pod UTS namespace is used for host network. [cri#1111](https://github.com/containerd/cri/pull/1111) +* cri: Update CNI plugins to v0.7.5 for [CVE-2019-9946](https://nvd.nist.gov/vuln/detail/CVE-2019-9946). 
+* Update cri to eb926cd79d3bac188dcc4ed7694fc9298f8831be. [#3174](https://github.com/containerd/containerd/pull/3174) +* Update runc to v1.0.0-rc7-6-g029124da [#3183](https://github.com/containerd/containerd/pull/3183) to fix potential container start failure on non-SELinux system. [runc#2030](https://github.com/opencontainers/runc/issues/2030) +""" + +# notable prs to include in the release notes, 1234 is the pr number +[notes] + +[breaking] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/containerd-1.2.5_bb71b10fd8f5/runtime/v1/linux/proc/io.go new/containerd-1.2.6_894b81a4b802/runtime/v1/linux/proc/io.go --- old/containerd-1.2.5_bb71b10fd8f5/runtime/v1/linux/proc/io.go 2019-03-13 06:41:42.000000000 +0100 +++ new/containerd-1.2.6_894b81a4b802/runtime/v1/linux/proc/io.go 2019-04-05 20:39:47.000000000 +0200 @@ -24,8 +24,10 @@ "io" "os" "sync" + "sync/atomic" "syscall" + "github.com/containerd/containerd/log" "github.com/containerd/fifo" runc "github.com/containerd/go-runc" ) @@ -38,7 +40,7 @@ } func copyPipes(ctx context.Context, rio runc.IO, stdin, stdout, stderr string, wg, cwg *sync.WaitGroup) error { - var sameFile io.WriteCloser + var sameFile *countingWriteCloser for _, i := range []struct { name string dest func(wc io.WriteCloser, rc io.Closer) @@ -52,7 +54,9 @@ cwg.Done() p := bufPool.Get().(*[]byte) defer bufPool.Put(p) - io.CopyBuffer(wc, rio.Stdout(), *p) + if _, err := io.CopyBuffer(wc, rio.Stdout(), *p); err != nil { + log.G(ctx).Warn("error copying stdout") + } wg.Done() wc.Close() if rc != nil { @@ -69,7 +73,9 @@ cwg.Done() p := bufPool.Get().(*[]byte) defer bufPool.Put(p) - io.CopyBuffer(wc, rio.Stderr(), *p) + if _, err := io.CopyBuffer(wc, rio.Stderr(), *p); err != nil { + log.G(ctx).Warn("error copying stderr") + } wg.Done() wc.Close() if rc != nil { @@ -96,6 +102,7 @@ } } else { if sameFile != nil { + sameFile.count++ i.dest(sameFile, nil) continue } 
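Review bot: The two new `io.CopyBuffer` error branches in `copyPipes` log a fixed message and drop `err`, so the log line cannot tell an EPIPE from a closed fifo; use `log.G(ctx).WithError(err).Warn("error copying stdout")` (and the same for stderr). The `sameFile.count++` in the `@@ -96` hunk is a plain increment on a field that `countingWriteCloser.Close` (next hunk) decrements with `atomic.AddInt64`, which the race detector will flag, and if `i.dest` starts the copier in a goroutine, as the `cwg.Done()` at the top of each copier suggests, that goroutine may already have reached `Close` before the increment runs; `atomic.AddInt64(&sameFile.count, 1)` fixes the first problem, and starting the counter at 2 when the wrapper is created (both streams are known to share the file at that point) fixes the second. `copyPipes` begins before these hunks and ends after them.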
@@ -103,7 +110,10 @@ return fmt.Errorf("containerd-shim: opening %s failed: %s", i.name, err) } if stdout == stderr { - sameFile = fw + sameFile = &countingWriteCloser{ + WriteCloser: fw, + count: 1, + } } } i.dest(fw, fr) @@ -128,6 +138,19 @@ return nil } +// countingWriteCloser masks io.Closer() until close has been invoked a certain number of times. +type countingWriteCloser struct { + io.WriteCloser + count int64 +} + +func (c *countingWriteCloser) Close() error { + if atomic.AddInt64(&c.count, -1) > 0 { + return nil + } + return c.WriteCloser.Close() +} + // isFifo checks if a file is a fifo // if the file does not exist then it returns false func isFifo(path string) (bool, error) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/containerd/cgroups/cgroup.go new/containerd-1.2.6_894b81a4b802/vendor/github.com/containerd/cgroups/cgroup.go --- old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/containerd/cgroups/cgroup.go 2019-03-13 06:41:42.000000000 +0100 +++ new/containerd-1.2.6_894b81a4b802/vendor/github.com/containerd/cgroups/cgroup.go 2019-04-05 20:39:47.000000000 +0200 
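Review bot: As far as this hunk shows, the counting wrapper is only ever handed to the second stream: after `sameFile` is built from `fw`, the loop still calls `i.dest(fw, fr)` with the raw writer, so the first stream's copier closes the underlying file directly the moment it sees EOF, while the second stream's `Close` merely decrements the counter and returns nil. That leaves the original "stdout and stderr pointed at the same file" problem open when stdout finishes first, and the file is then closed exactly once only by accident. Unless `fw` is reassigned somewhere outside the hunk, adding `fw = sameFile` inside the `if stdout == stderr` block (with `fw` declared as an `io.WriteCloser`, which the hunk does not show) routes both closers through the wrapper; with that in place, `count: 2` at construction and no later increment is the simplest correct accounting. The doc comment on `countingWriteCloser` could also say that `count` is the number of `Close` calls expected before the wrapped writer is really closed and must only be touched through `sync/atomic`.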
@@ -105,6 +105,10 @@ } activeSubsystems = append(activeSubsystems, s) } + // if we do not have any active systems then the cgroup is deleted + if len(activeSubsystems) == 0 { + return nil, ErrCgroupDeleted + } return &cgroup{ path: path, subsystems: activeSubsystems, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/containerd/cri/pkg/server/container_stop.go new/containerd-1.2.6_894b81a4b802/vendor/github.com/containerd/cri/pkg/server/container_stop.go --- old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/containerd/cri/pkg/server/container_stop.go 2019-03-13 06:41:42.000000000 +0100 +++ new/containerd-1.2.6_894b81a4b802/vendor/github.com/containerd/cri/pkg/server/container_stop.go 2019-04-05 20:39:47.000000000 +0200 @@ -143,8 +143,9 @@ return errors.Wrapf(err, "failed to stop container %q", id) } - if err = c.waitContainerStop(ctx, container, timeout); err == nil { - return nil + if err = c.waitContainerStop(ctx, container, timeout); err == nil || errors.Cause(err) == ctx.Err() { + // Do not SIGKILL container if the context is cancelled. + return err } logrus.WithError(err).Errorf("An error occurs during waiting for container %q to be stopped", id) } 
@@ -167,7 +168,7 @@ defer timeoutTimer.Stop() select { case <-ctx.Done(): - return errors.Errorf("wait container %q is cancelled", container.ID) + return errors.Wrapf(ctx.Err(), "wait container %q is cancelled", container.ID) case <-timeoutTimer.C: return errors.Errorf("wait container %q stop timeout", container.ID) case <-container.Stopped(): diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/containerd/cri/pkg/server/helpers.go new/containerd-1.2.6_894b81a4b802/vendor/github.com/containerd/cri/pkg/server/helpers.go --- old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/containerd/cri/pkg/server/helpers.go 2019-03-13 06:41:42.000000000 +0100 +++ new/containerd-1.2.6_894b81a4b802/vendor/github.com/containerd/cri/pkg/server/helpers.go 2019-04-05 20:39:47.000000000 +0200 @@ -37,7 +37,6 @@ imagedigest "github.com/opencontainers/go-digest" runtimespec "github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/runtime-tools/generate" - "github.com/opencontainers/selinux/go-selinux" "github.com/opencontainers/selinux/go-selinux/label" "github.com/pkg/errors" "golang.org/x/net/context" 
@@ -355,7 +354,12 @@ selinuxOpt.GetRole(), selinuxOpt.GetType(), selinuxOpt.GetLevel()) - return label.InitLabels(selinux.DupSecOpt(labelOpts)) + + options, err := label.DupSecOpt(labelOpts) + if err != nil { + return "", "", err + } + return label.InitLabels(options) } func checkSelinuxLevel(level string) (bool, error) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/containerd/cri/pkg/server/sandbox_run.go new/containerd-1.2.6_894b81a4b802/vendor/github.com/containerd/cri/pkg/server/sandbox_run.go --- old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/containerd/cri/pkg/server/sandbox_run.go 2019-03-13 06:41:42.000000000 +0100 +++ new/containerd-1.2.6_894b81a4b802/vendor/github.com/containerd/cri/pkg/server/sandbox_run.go 2019-04-05 20:39:47.000000000 +0200 @@ -385,6 +385,7 @@ nsOptions := securityContext.GetNamespaceOptions() if nsOptions.GetNetwork() == runtime.NamespaceMode_NODE { g.RemoveLinuxNamespace(string(runtimespec.NetworkNamespace)) // nolint: errcheck + g.RemoveLinuxNamespace(string(runtimespec.UTSNamespace)) // nolint: errcheck } else { //TODO(Abhi): May be move this to containerd spec opts (WithLinuxSpaceOption) g.AddOrReplaceLinuxNamespace(string(runtimespec.NetworkNamespace), nsPath) // nolint: errcheck diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/containerd/cri/pkg/server/sandbox_stop.go new/containerd-1.2.6_894b81a4b802/vendor/github.com/containerd/cri/pkg/server/sandbox_stop.go --- old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/containerd/cri/pkg/server/sandbox_stop.go 2019-03-13 06:41:42.000000000 +0100 +++ new/containerd-1.2.6_894b81a4b802/vendor/github.com/containerd/cri/pkg/server/sandbox_stop.go 2019-04-05 20:39:47.000000000 +0200 
@@ -144,7 +144,7 @@ defer timeoutTimer.Stop() select { case <-ctx.Done(): - return errors.Errorf("wait sandbox container %q is cancelled", sandbox.ID) + return errors.Wrapf(ctx.Err(), "wait sandbox container %q is cancelled", sandbox.ID) case <-timeoutTimer.C: return errors.Errorf("wait sandbox container %q stop timeout", sandbox.ID) case <-sandbox.Stopped(): diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/containerd/cri/vendor.conf new/containerd-1.2.6_894b81a4b802/vendor/github.com/containerd/cri/vendor.conf --- old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/containerd/cri/vendor.conf 2019-03-13 06:41:42.000000000 +0100 +++ new/containerd-1.2.6_894b81a4b802/vendor/github.com/containerd/cri/vendor.conf 2019-04-05 20:39:47.000000000 +0200 @@ -1,9 +1,9 @@ github.com/beorn7/perks 4c0e84591b9aa9e6dcfdf3e020114cd81f89d5f9 github.com/blang/semver v3.1.0 github.com/BurntSushi/toml a368813c5e648fee92e5f6c30e3944ff9d5e8895 -github.com/containerd/cgroups 5e610833b72089b37d0e615de9a92dfc043757c2 +github.com/containerd/cgroups dbea6f2bd41658b84b00417ceefa416b979cbf10 github.com/containerd/console c12b1e7919c14469339a5d38f2f8ed9b64a9de23 -github.com/containerd/containerd 583472f67a3d7c258f874347339688de05802790 +github.com/containerd/containerd v1.2.5 github.com/containerd/continuity bd77b46c8352f74eb12c85bdc01f4b90f69d66b4 github.com/containerd/fifo 3d5202aec260678c48179c56f40e6f38a095738c github.com/containerd/go-cni 40bcf8ec8acd7372be1d77031d585d5d8e561c90 
@@ -11,7 +11,7 @@ github.com/containerd/ttrpc 2a805f71863501300ae1976d29f0454ae003e85a github.com/containerd/typeurl a93fcdb778cd272c6e9b3028b2f42d813e785d40 github.com/containernetworking/cni v0.6.0 -github.com/containernetworking/plugins v0.7.0 +github.com/containernetworking/plugins v0.7.5 github.com/coreos/go-systemd v14 github.com/davecgh/go-spew v1.1.0 github.com/docker/distribution 0d3efadf0154c2b8a4e7b6621fff9809655cc580 @@ -39,10 +39,10 @@ github.com/modern-go/reflect2 1.0.1 github.com/opencontainers/go-digest c9281466c8b2f606084ac71339773efd177436e7 github.com/opencontainers/image-spec v1.0.1 -github.com/opencontainers/runc 6635b4f0c6af3810594d2770f662f34ddc15b40d +github.com/opencontainers/runc 2b18fe1d885ee5083ef9f0838fee39b62d653e30 github.com/opencontainers/runtime-spec eba862dc2470385a233c7507392675cbeadf7353 github.com/opencontainers/runtime-tools v0.6.0 -github.com/opencontainers/selinux b6fa367ed7f534f9ba25391cc2d467085dbb445a +github.com/opencontainers/selinux v1.2.1 github.com/pkg/errors v0.8.0 github.com/pmezard/go-difflib v1.0.0 github.com/prometheus/client_golang f4fb1b73fb099f396a7f0036bf86aa8def4ed823 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/opencontainers/runc/libcontainer/nsenter/cloned_binary.c new/containerd-1.2.6_894b81a4b802/vendor/github.com/opencontainers/runc/libcontainer/nsenter/cloned_binary.c --- old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/opencontainers/runc/libcontainer/nsenter/cloned_binary.c 2019-03-13 06:41:42.000000000 +0100 +++ new/containerd-1.2.6_894b81a4b802/vendor/github.com/opencontainers/runc/libcontainer/nsenter/cloned_binary.c 2019-04-05 20:39:47.000000000 +0200 @@ -249,7 +249,7 @@ { int fd = -1; char template[PATH_MAX] = {0}; - char *prefix = secure_getenv("_LIBCONTAINER_STATEDIR"); + char *prefix = getenv("_LIBCONTAINER_STATEDIR"); if (!prefix || *prefix != '/') prefix = "/tmp"; 
@@ -351,7 +351,7 @@ { int fd, ret = -1; char template[PATH_MAX] = {0}; - char *prefix = secure_getenv("_LIBCONTAINER_STATEDIR"); + char *prefix = getenv("_LIBCONTAINER_STATEDIR"); if (!prefix || *prefix != '/') prefix = "/tmp"; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/opencontainers/runc/vendor.conf new/containerd-1.2.6_894b81a4b802/vendor/github.com/opencontainers/runc/vendor.conf --- old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/opencontainers/runc/vendor.conf 2019-03-13 06:41:42.000000000 +0100 +++ new/containerd-1.2.6_894b81a4b802/vendor/github.com/opencontainers/runc/vendor.conf 2019-04-05 20:39:47.000000000 +0200 @@ -5,7 +5,7 @@ # Core libcontainer functionality. github.com/checkpoint-restore/go-criu v3.11 github.com/mrunalp/fileutils ed869b029674c0e9ce4c0dfa781405c2d9946d08 -github.com/opencontainers/selinux v1.0.0-rc1 +github.com/opencontainers/selinux v1.2.1 github.com/seccomp/libseccomp-golang 84e90a91acea0f4e51e62bc1a75de18b1fc0790f github.com/sirupsen/logrus a3f95b5c423586578a4e099b11a46c2479628cac github.com/syndtr/gocapability db04d3cc01c8b54962a58ec7e491717d06cfcc16 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/opencontainers/selinux/README.md new/containerd-1.2.6_894b81a4b802/vendor/github.com/opencontainers/selinux/README.md --- old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/opencontainers/selinux/README.md 2019-03-13 06:41:42.000000000 +0100 +++ new/containerd-1.2.6_894b81a4b802/vendor/github.com/opencontainers/selinux/README.md 2019-04-05 20:39:47.000000000 +0200 
@@ -5,3 +5,14 @@ Common SELinux package used across the container ecosystem. Please see the [godoc](https://godoc.org/github.com/opencontainers/selinux) for more information. + +## Code of Conduct + +Participation in the OpenContainers community is governed by [OpenContainer's Code of Conduct][code-of-conduct]. + +## Security + +If you find an issue, please follow the [security][security] protocol to report it. + +[security]: https://github.com/opencontainers/org/blob/master/security +[code-of-conduct]: https://github.com/opencontainers/org/blob/master/CODE_OF_CONDUCT.md diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go new/containerd-1.2.6_894b81a4b802/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go --- old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go 2019-03-13 06:41:42.000000000 +0100 +++ new/containerd-1.2.6_894b81a4b802/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go 2019-04-05 20:39:47.000000000 +0200 @@ -9,7 +9,7 @@ return "", "", nil } -func GetROMountLabel() string { +func ROMountLabel() string { return "" } @@ -25,7 +25,27 @@ return nil } -func GetFileLabel(path string) (string, error) { +func ProcessLabel() (string, error) { + return "", nil +} + +func SetSocketLabel(processLabel string) error { + return nil +} + +func SocketLabel() (string, error) { + return "", nil +} + +func SetKeyLabel(processLabel string) error { + return nil +} + +func KeyLabel() (string, error) { + return "", nil +} + +func FileLabel(path string) (string, error) { return "", nil } 
@@ -41,13 +61,18 @@ return nil } -func GetPidLabel(pid int) (string, error) { +func PidLabel(pid int) (string, error) { return "", nil } func Init() { } +// ClearLabels clears all reserved labels +func ClearLabels() { + return +} + func ReserveLabel(label string) error { return nil } @@ -58,8 +83,8 @@ // DupSecOpt takes a process label and returns security options that // can be used to set duplicate labels on future container processes -func DupSecOpt(src string) []string { - return nil +func DupSecOpt(src string) ([]string, error) { + return nil, nil } // DisableSecOpt returns a security opt that can disable labeling diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go new/containerd-1.2.6_894b81a4b802/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go --- old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go 2019-03-13 06:41:42.000000000 +0100 +++ new/containerd-1.2.6_894b81a4b802/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go 2019-04-05 20:39:47.000000000 +0200 @@ -4,6 +4,8 @@ import ( "fmt" + "os" + "os/user" "strings" "github.com/opencontainers/selinux/go-selinux" 
@@ -24,17 +26,29 @@ // the container. A list of options can be passed into this function to alter // the labels. The labels returned will include a random MCS String, that is // guaranteed to be unique. -func InitLabels(options []string) (string, string, error) { +func InitLabels(options []string) (plabel string, mlabel string, Err error) { if !selinux.GetEnabled() { return "", "", nil } processLabel, mountLabel := selinux.ContainerLabels() if processLabel != "" { - pcon := selinux.NewContext(processLabel) - mcon := selinux.NewContext(mountLabel) + defer func() { + if Err != nil { + ReleaseLabel(mountLabel) + } + }() + pcon, err := selinux.NewContext(processLabel) + if err != nil { + return "", "", err + } + + mcon, err := selinux.NewContext(mountLabel) + if err != nil { + return "", "", err + } for _, opt := range options { if opt == "disable" { - return "", "", nil + return "", mountLabel, nil } if i := strings.Index(opt, ":"); i == -1 { return "", "", fmt.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type' followed by ':' and a value", opt) 
@@ -90,6 +104,28 @@ return selinux.SetExecLabel(processLabel) } +// SetSocketLabel takes a process label and tells the kernel to assign the +// label to the next socket that gets created +func SetSocketLabel(processLabel string) error { + return selinux.SetSocketLabel(processLabel) +} + +// SocketLabel retrieves the current default socket label setting +func SocketLabel() (string, error) { + return selinux.SocketLabel() +} + +// SetKeyLabel takes a process label and tells the kernel to assign the +// label to the next kernel keyring that gets created +func SetKeyLabel(processLabel string) error { + return selinux.SetKeyLabel(processLabel) +} + +// KeyLabel retrieves the current default kernel keyring label setting +func KeyLabel() (string, error) { + return selinux.KeyLabel() +} + // ProcessLabel returns the process label that the kernel will assign // to the next program executed by the current process. If "" is returned // this indicates that the default labeling will happen for the process. @@ -97,7 +133,7 @@ return selinux.ExecLabel() } -// GetFileLabel returns the label for specified path +// FileLabel returns the label for specified path func FileLabel(path string) (string, error) { return selinux.FileLabel(path) } 
@@ -130,13 +166,56 @@ return nil } - exclude_paths := map[string]bool{"/": true, "/usr": true, "/etc": true, "/tmp": true, "/home": true, "/run": true, "/var": true, "/root": true} + exclude_paths := map[string]bool{ + "/": true, + "/bin": true, + "/boot": true, + "/dev": true, + "/etc": true, + "/etc/passwd": true, + "/etc/pki": true, + "/etc/shadow": true, + "/home": true, + "/lib": true, + "/lib64": true, + "/media": true, + "/opt": true, + "/proc": true, + "/root": true, + "/run": true, + "/sbin": true, + "/srv": true, + "/sys": true, + "/tmp": true, + "/usr": true, + "/var": true, + "/var/lib": true, + "/var/log": true, + } + + if home := os.Getenv("HOME"); home != "" { + exclude_paths[home] = true + } + + if sudoUser := os.Getenv("SUDO_USER"); sudoUser != "" { + if usr, err := user.Lookup(sudoUser); err == nil { + exclude_paths[usr.HomeDir] = true + } + } + + if path != "/" { + path = strings.TrimSuffix(path, "/") + } if exclude_paths[path] { return fmt.Errorf("SELinux relabeling of %s is not allowed", path) } if shared { - c := selinux.NewContext(fileLabel) + c, err := selinux.NewContext(fileLabel) + if err != nil { + return err + } + c["level"] = "s0" fileLabel = c.Get() } @@ -156,6 +235,11 @@ selinux.GetEnabled() } +// ClearLabels will clear all reserved labels +func ClearLabels() { + selinux.ClearLabels() +} + // ReserveLabel will record the fact that the MCS label has already been used. // This will prevent InitLabels from using the MCS label in a newly created // container 
@@ -174,7 +258,7 @@ // DupSecOpt takes a process label and returns security options that // can be used to set duplicate labels on future container processes -func DupSecOpt(src string) []string { +func DupSecOpt(src string) ([]string, error) { return selinux.DupSecOpt(src) } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go new/containerd-1.2.6_894b81a4b802/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go --- old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go 2019-03-13 06:41:42.000000000 +0100 +++ new/containerd-1.2.6_894b81a4b802/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go 2019-04-05 20:39:47.000000000 +0200 @@ -52,6 +52,8 @@ ErrMCSAlreadyExists = errors.New("MCS label already exists") // ErrEmptyPath is returned when an empty path has been specified. ErrEmptyPath = errors.New("empty path") + // InvalidLabel is returned when an invalid label is specified. + InvalidLabel = errors.New("Invalid Label") assignRegex = regexp.MustCompile(`^([^=]+)=(.*)$`) roFileLabel string @@ -331,6 +333,11 @@ if fpath == "" { return ErrEmptyPath } + if val == "" { + if !GetEnabled() { + return nil + } + } out, err := os.OpenFile(fpath, os.O_WRONLY, 0) if err != nil { 
@@ -385,6 +392,28 @@ return writeCon(fmt.Sprintf("/proc/self/task/%d/attr/exec", syscall.Gettid()), label) } +// SetSocketLabel takes a process label and tells the kernel to assign the +// label to the next socket that gets created +func SetSocketLabel(label string) error { + return writeCon(fmt.Sprintf("/proc/self/task/%d/attr/sockcreate", syscall.Gettid()), label) +} + +// SocketLabel retrieves the current socket label setting +func SocketLabel() (string, error) { + return readCon(fmt.Sprintf("/proc/self/task/%d/attr/sockcreate", syscall.Gettid())) +} + +// SetKeyLabel takes a process label and tells the kernel to assign the +// label to the next kernel keyring that gets created +func SetKeyLabel(label string) error { + return writeCon("/proc/self/attr/keycreate", label) +} + +// KeyLabel retrieves the current kernel keyring label setting +func KeyLabel() (string, error) { + return readCon("/proc/self/attr/keycreate") +} + // Get returns the Context as a string func (c Context) Get() string { if c["level"] != "" { @@ -394,11 +423,14 @@ } // NewContext creates a new Context struct from the specified label -func NewContext(label string) Context { +func NewContext(label string) (Context, error) { c := make(Context) if len(label) != 0 { con := strings.SplitN(label, ":", 4) + if len(con) < 3 { + return c, InvalidLabel + } c["user"] = con[0] c["role"] = con[1] c["type"] = con[2] @@ -406,7 +438,14 @@ c["level"] = con[3] } } - return c + return c, nil +} + +// ClearLabels clears all reserved labels +func ClearLabels() { + state.Lock() + state.mcsList = make(map[string]bool) + state.Unlock() } // ReserveLabel reserves the MLS/MCS level component of the specified label 
@@ -612,12 +651,12 @@ roFileLabel = fileLabel } exit: - scon := NewContext(processLabel) + scon, _ := NewContext(processLabel) if scon["level"] != "" { mcs := uniqMcs(1024) scon["level"] = mcs processLabel = scon.Get() - scon = NewContext(fileLabel) + scon, _ = NewContext(fileLabel) scon["level"] = mcs fileLabel = scon.Get() } @@ -643,8 +682,14 @@ if err := SecurityCheckContext(dest); err != nil { return "", err } - scon := NewContext(src) - tcon := NewContext(dest) + scon, err := NewContext(src) + if err != nil { + return "", err + } + tcon, err := NewContext(dest) + if err != nil { + return "", err + } mcsDelete(tcon["level"]) mcsAdd(scon["level"]) tcon["level"] = scon["level"] @@ -680,7 +725,11 @@ return err } callback := func(p string, info os.FileInfo, err error) error { - return SetFileLabel(p, label) + e := SetFileLabel(p, label) + if os.IsNotExist(e) { + return nil + } + return e } if recurse { @@ -692,15 +741,18 @@ // DupSecOpt takes an SELinux process label and returns security options that // can be used to set the SELinux Type and Level for future container processes. -func DupSecOpt(src string) []string { +func DupSecOpt(src string) ([]string, error) { if src == "" { - return nil + return nil, nil + } + con, err := NewContext(src) + if err != nil { + return nil, err } - con := NewContext(src) if con["user"] == "" || con["role"] == "" || con["type"] == "" { - return nil + return nil, nil } dup := []string{"user:" + con["user"], "role:" + con["role"], 
@@ -711,7 +763,7 @@ dup = append(dup, "level:"+con["level"]) } - return dup + return dup, nil } // DisableSecOpt returns a security opt that can be used to disable SELinux diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go new/containerd-1.2.6_894b81a4b802/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go --- old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go 2019-03-13 06:41:42.000000000 +0100 +++ new/containerd-1.2.6_894b81a4b802/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go 2019-04-05 20:39:47.000000000 +0200 @@ -96,15 +96,44 @@ return nil } +/* +SetSocketLabel sets the SELinux label that the kernel will use for any programs +that are executed by the current process thread, or an error. +*/ +func SetSocketLabel(label string) error { + return nil +} + +// SocketLabel retrieves the current socket label setting +func SocketLabel() (string, error) { + return "", nil +} + +// SetKeyLabel takes a process label and tells the kernel to assign the +// label to the next kernel keyring that gets created +func SetKeyLabel(label string) error { + return nil +} + +// KeyLabel retrieves the current kernel keyring label setting +func KeyLabel() (string, error) { + return "", nil +} + // Get returns the Context as a string func (c Context) Get() string { return "" } // NewContext creates a new Context struct from the specified label -func NewContext(label string) Context { +func NewContext(label string) (Context, error) { c := make(Context) - return c + return c, nil +} + +// ClearLabels clears all reserved MLS/MCS levels +func ClearLabels() { + return } // ReserveLabel reserves the MLS/MCS level component of the specified label 
@@ -177,8 +206,8 @@ // DupSecOpt takes an SELinux process label and returns security options that // can be used to set the SELinux Type and Level for future container processes. -func DupSecOpt(src string) []string { - return nil +func DupSecOpt(src string) ([]string, error) { + return nil, nil } // DisableSecOpt returns a security opt that can be used to disable SELinux diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/containerd-1.2.5_bb71b10fd8f5/vendor.conf new/containerd-1.2.6_894b81a4b802/vendor.conf --- old/containerd-1.2.5_bb71b10fd8f5/vendor.conf 2019-03-13 06:41:42.000000000 +0100 +++ new/containerd-1.2.6_894b81a4b802/vendor.conf 2019-04-05 20:39:47.000000000 +0200 @@ -1,6 +1,6 @@ github.com/containerd/go-runc 5a6d9f37cfa36b15efba46dc7ea349fa9b7143c3 github.com/containerd/console c12b1e7919c14469339a5d38f2f8ed9b64a9de23 -github.com/containerd/cgroups dbea6f2bd41658b84b00417ceefa416b979cbf10 +github.com/containerd/cgroups 4994991857f9b0ae8dc439551e8bebdbb4bf66c1 github.com/containerd/typeurl a93fcdb778cd272c6e9b3028b2f42d813e785d40 github.com/containerd/fifo 3d5202aec260678c48179c56f40e6f38a095738c github.com/containerd/btrfs 2e1aa0ddf94f91fa282b6ed87c23bf0d64911244 @@ -20,7 +20,7 @@ github.com/gogo/googleapis 08a7655d27152912db7aaf4f983275eaf8d128ef github.com/golang/protobuf v1.1.0 github.com/opencontainers/runtime-spec eba862dc2470385a233c7507392675cbeadf7353 # v1.0.1-45-geba862d -github.com/opencontainers/runc 2b18fe1d885ee5083ef9f0838fee39b62d653e30 +github.com/opencontainers/runc 029124da7af7360afa781a0234d1b083550f797c # v1.0.0-rc7-6-g029124da github.com/sirupsen/logrus v1.0.0 github.com/urfave/cli 7bc6a0acffa589f415f88aca16cc1de5ffd66f9c golang.org/x/net b3756b4b77d7b13260a0a2ec658753cf48922eac 
@@ -43,11 +43,11 @@ go.etcd.io/bbolt v1.3.1-etcd.8 # cri dependencies -github.com/containerd/cri a92c40017473cbe0239ce180125f12669757e44f # release/1.2 branch +github.com/containerd/cri eb926cd79d3bac188dcc4ed7694fc9298f8831be # release/1.2 branch github.com/containerd/go-cni 40bcf8ec8acd7372be1d77031d585d5d8e561c90 github.com/blang/semver v3.1.0 github.com/containernetworking/cni v0.6.0 -github.com/containernetworking/plugins v0.7.0 +github.com/containernetworking/plugins v0.7.5 github.com/davecgh/go-spew v1.1.0 github.com/docker/distribution 0d3efadf0154c2b8a4e7b6621fff9809655cc580 github.com/docker/docker 86f080cff0914e9694068ed78d503701667c4c00 @@ -62,7 +62,7 @@ github.com/modern-go/reflect2 1.0.1 github.com/modern-go/concurrent 1.0.3 github.com/opencontainers/runtime-tools v0.6.0 -github.com/opencontainers/selinux b6fa367ed7f534f9ba25391cc2d467085dbb445a +github.com/opencontainers/selinux v1.2.1 github.com/seccomp/libseccomp-golang 32f571b70023028bd57d9288c20efbcb237f3ce0 github.com/tchap/go-patricia v2.2.6 github.com/xeipuuv/gojsonpointer 4e3ac2762d5f479393488629ee9370b50873b3a6
