Commit Graph

355 Commits

Author SHA1 Message Date
ningmingxiao
0dcdc1ffa7 bump:update cni to v1.7.1
Signed-off-by: ningmingxiao <ning.mingxiao@zte.com.cn>
2025-04-27 12:25:28 +08:00
Akhil Mohan
5629e9fff7 update to go 1.24.2, 1.23.8
- go1.23.8 (released 2025-04-01) includes security fixes to the net/http
  package, as well as bug fixes to the runtime and the go command.
  Ref: https://github.com/golang/go/issues?q=milestone%3AGo1.23.8+label%3ACherryPickApproved
- go1.24.2 (released 2025-04-01) includes security fixes to the net/http
  package, as well as bug fixes to the compiler, the runtime, the go
  command, and the crypto/tls, go/types, net/http, and testing packages.
  Ref: https://github.com/golang/go/issues?q=milestone%3AGo1.24.2+label%3ACherryPickApproved

Signed-off-by: Akhil Mohan <akhilerm@gmail.com>
2025-04-17 11:49:22 +05:30
Akhil Mohan
8e6c93b6b0 add option to skip tests in critest
Signed-off-by: Akhil Mohan <akhilerm@gmail.com>
(cherry picked from commit 4ba3d82ca2)
2025-04-16 16:23:40 -04:00
yylt
cffb6d4250 downgrade cni version in CI test
Signed-off-by: yang yang <yang8518296@163.com>
2025-03-28 15:37:50 +08:00
Austin Vazquez
3e96f1a51c Update runc binary to v1.2.6
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
2025-03-19 17:07:23 +00:00
Akhil Mohan
4f090fe772 update to go1.23.7 / go1.24.1
- go1.23.7 (released 2025-03-04) includes security fixes to the net/http
package, as well as bug fixes to cgo, the compiler, and the reflect,
runtime, and syscall packages. See the Go 1.23.7 milestone on our issue
tracker for details.

- go1.24.1 (released 2025-03-04) includes security fixes to the net/http
package, as well as bug fixes to cgo, the compiler, the go command, and
the reflect, runtime, and syscall packages. See the Go 1.24.1 milestone
on our issue tracker for details.

Signed-off-by: Akhil Mohan <akhilerm@gmail.com>
2025-03-09 18:58:28 +05:30
Kirtana Ashok
6c02321f6e Merge pull request #11179 from ambarve/blocked_cim
Support for importing layers in the block CIM format.
2025-02-24 22:21:10 +00:00
Austin Vazquez
938775864a Update runc binary to v1.2.5
This is the fifth patch release in the 1.2.z series of runc. It
primarily fixes an issue caused by an upstream systemd bug.

There was a regression in systemd v230 which made the way we define device
rule restrictions require a systemctl daemon-reload for our transient
units. This caused issues for workloads using NVIDIA GPUs. Workaround the
upstream regression by re-arranging how the unit properties are defined.
Dependency github.com/cyphar/filepath-securejoin is updated to v0.4.1,
to allow projects that vendor runc to bump it as well.
CI: fixed criu-dev compilation.
Dependency golang.org/x/net is updated to 0.33.0.

diff: opencontainers/runc@v1.2.4...v1.2.5

Signed-off-by: Austin Vazquez <macedonv@amazon.com>
2025-02-14 03:53:06 +00:00
Akihiro Suda
df99aa321a update to go 1.24.0 / go1.23.6
https://go.dev/doc/go1.24

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2025-02-13 03:20:15 +09:00
Amit Barve
a1c540085f Support for importing layers in the block CIM format.
Adds a new diff plugin that can import image layers in the block CIM format using the new
block CIM layer writer added in hcsshim repo.

This commit also makes another important change in the way a diff is applied when using
CimFS based layer writers. Currently, the diff plugins call archive.Apply to apply a diff
and pass a function (that can actually apply the diff) as an argument (via
archive.ApplyOptions). This allows the callers to call archive.Apply with either a custom
applier function or if the caller doesn't pass such a function archive.Apply uses the
default naive diff applier.
However, there is a drawback to this approach. The applier function passed to the
`archive.Apply` call needs to follow a specific signature. This signature expects that
all parent layers are represented as an array of strings. In cases like CimFS, we can't
easily represent a set of layers as strings (unless we encode extra data in those strings
in a hacky way). To get around this problem, the diff plugins for CimFS based layers skip
the archive.Apply call and directly call the layer writer instead.

Signed-off-by: Amit Barve <ambarve@microsoft.com>
2025-02-10 14:10:37 -05:00
Fu Wei
306c47f6e1 Merge pull request #10033 from ambarve/cimfs_layer_refactor
Update cimfs snapshotter & differ for new hcsshim interface
2025-01-22 19:49:36 +00:00
Akhil Mohan
157faf65c5 update to go1.23.5 / go1.22.11
- go1.23.5 (released 2025-01-16) includes security fixes to the
crypto/x509 and net/http packages, as well as bug fixes to the compiler,
the runtime, and the net package. See the Go 1.23.5 milestone on our
issue tracker for details.

- go1.22.11 (released 2025-01-16) includes security fixes to the
crypto/x509 and net/http packages, as well as bug fixes to the runtime.
See the Go 1.22.11 milestone on our issue tracker for details.

Signed-off-by: Akhil Mohan <akhilerm@gmail.com>
2025-01-18 14:19:11 +05:30
Amit Barve
b81ace8724 Update cimfs snapshotter & differ for new hcsshim interface
hcsshim recently [updated](microsoft/hcsshim@1d406d0) the interface of APIs that are used
for importing OCI layers. It now expects that the CimFS snapshotter mounts contain the
full cim paths for parent layers. This change updates the cimfs differ & snapshotter to
use that new interface.

Signed-off-by: Amit Barve <ambarve@microsoft.com>
2025-01-10 17:06:57 -05:00
Maksym Pavlenko
82cb7d4be3 Merge pull request #11240 from lifupan/main_fix_ci
ci: fix the issue of config_file unset
2025-01-10 03:35:16 +00:00
Kazuyoshi Kato
5ad6a150b6 Merge pull request #11189 from djdongjin/move-to-go-native-fuzz
Move fuzz tests to go native fuzz [part1]
2025-01-10 01:27:14 +00:00
Fupan Li
e1aeb37cdf ci: fix the issue of config_file unset
The config_file var wasn't set when CONTAINERD_CONFIG_FILE
env was passed, thus it should use CONTAINERD_CONFIG_FILE
instead of config_file to access the containerd conf file.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-01-09 17:34:21 +08:00
Akhil Mohan
54ed595e1d update runc binary to v1.2.4
This is the fourth patch release of the 1.2.z release branch of runc. It
includes a fix for a regression introduced in 1.2.0 related to the
default device list.

- Re-add tun/tap devices to built-in allowed devices lists.

  In runc 1.2.0 we removed these devices from the default allow-list
(which were added seemingly by accident early in Docker's history) as
a precaution in order to try to reduce the attack surface of device
inodes available to most containers. At the time we thought
that the vast majority of users using tun/tap would already be
specifying what devices they need (such as by using --device with
Docker/Podman) as opposed to doing the mknod manually, and thus
there would've been no user-visible change.

  Unfortunately, it seems that this regressed a noticeable number of
users (and not all higher-level tools provide easy ways to specify
devices to allow) and so this change needed to be reverted. Users
that do not need these devices are recommended to explicitly disable
them by adding deny rules in their container configuration.

diff: https://github.com/opencontainers/runc/compare/v1.2.3...v1.2.4

Signed-off-by: Akhil Mohan <akhilerm@gmail.com>
2025-01-08 08:26:44 +05:30
mahmut
4f2f12be6d Bump seccomp version to be the same as one in runc repo
runc-seccomp: d48d9cfefc/script/seccomp.sh (L10)

Signed-off-by: mahmut <mahmut@uniontech.com>
2024-12-26 11:18:54 +08:00
Jin Dong
2de1030299 Move fuzz tests to go native fuzz [part1]
Signed-off-by: Jin Dong <djdongjin95@gmail.com>
2024-12-24 22:48:20 +00:00
David Son
fa531f808b Update golangci-lint version in dev tools script
Signed-off-by: David Son <davbson@amazon.com>
2024-12-18 22:30:32 +00:00
Sebastiaan van Stijn
981414521b update runc binary to v1.2.3
This is the third patch release of the 1.2.z release branch of runc. It
primarily fixes some minor regressions introduced in 1.2.0.

- Fixed a regression in use of securejoin.MkdirAll, where multiple
  runc processes racing to create the same mountpoint in a shared rootfs
  would result in spurious EEXIST errors. In particular, this regression
  caused issues with BuildKit.
- Fixed a regression in eBPF support for pre-5.6 kernels after upgrading
  Cilium's eBPF library version to 0.16 in runc.

full diff: https://github.com/opencontainers/runc/compare/v1.2.2...v1.2.3
release notes: https://github.com/opencontainers/runc/releases/tag/v1.2.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-12-11 21:30:06 +01:00
Akhil Mohan
81780a5dd3 update to go1.23.4 / go1.22.10
- go1.23.4 (released 2024-12-03) includes fixes to the compiler, the runtime,
the trace command, and the syscall package. See the Go 1.23.4 milestone on
our issue tracker for details.
https://github.com/golang/go/issues?q=milestone%3AGo1.23.4+label%3ACherryPickApproved

- go1.22.10 (released 2024-12-03) includes fixes to the runtime and the
syscall package. See the Go 1.22.10 milestone on our issue tracker for details.
https://github.com/golang/go/issues?q=milestone%3AGo1.22.10+label%3ACherryPickApproved

Signed-off-by: Akhil Mohan <akhilerm@gmail.com>
2024-12-05 11:56:10 +05:30
Sameer
34284c5075 Add tests for CNI v2 loopback options
Signed-off-by: Sameer <sameer.saeed@live.ca>
2024-11-19 18:43:31 -05:00
Samuel Karp
50bdcb0d81 Merge pull request #11019 from jingxu97/patch-3
Update install-imgcrypt to allow change install repo
2024-11-18 18:13:23 +00:00
Austin Vazquez
9a7bc5423e update runc binary to 1.2.2
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
2024-11-18 16:21:14 +00:00
Jing Xu
f8819df7c4 Update install-imgcrypt to allow change install repo
Add repo env similar to other install scripts

Signed-off-by: Jing Xu <jinxu@google.com>
2024-11-17 18:16:12 -08:00
Akhil Mohan
bcc3cc968a update to go1.23.3 / go1.22.9
- go1.23.3 (released 2024-11-06) includes fixes to the linker, the
runtime, and the net/http, os, and syscall packages. See the
Go 1.23.3 milestone on our issue tracker for details.

- go1.22.9 (released 2024-11-06) includes fixes to the linker. See
the Go 1.22.9 milestone on our issue tracker for details.

Signed-off-by: Akhil Mohan <akhilerm@gmail.com>
2024-11-08 00:00:46 +05:30
Akihiro Suda
edb980ac0f update runc binary to 1.2.1
https://github.com/opencontainers/runc/releases/tag/v1.2.0
https://github.com/opencontainers/runc/releases/tag/v1.2.1

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-11-02 07:34:02 +09:00
Kirtana Ashok
77d783e2ce Update hcsshim to v0.12.9
Signed-off-by: Kirtana Ashok <kiashok@microsoft.com>
2024-10-30 07:22:06 -07:00
Akihiro Suda
0208cb58ca go.mod: github.com/containerd/imgcrypt v2.0.0-rc-1
https://github.com/containerd/imgcrypt/compare/v1.2.0-rc1...v2.0.0-rc.1

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-10-29 01:21:57 +09:00
Mike Brown
ce3acc4692 Merge pull request #10878 from AkihiroSuda/crun-1.17
CI: bump up crun to 1.17
2024-10-22 13:44:16 +00:00
Akihiro Suda
a1ce18816d CI: bump up crun to 1.17
https://github.com/containers/crun/releases/tag/1.17

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-10-22 19:56:25 +09:00
Kirtana Ashok
0218959859 Update hcsshim version to v0.12.8
Signed-off-by: Kirtana Ashok <kiashok@microsoft.com>
2024-10-22 02:43:29 -07:00
Samuel Karp
b7c333ce24 Revert "update runc binary to 1.1.15"
This reverts commit f0f1bfca07.

runc 1.1.15 appears to have increased chances for causing OOMs for
containers with small memory limits. Revert the change in containerd
to unblock CI while the upstream runc issue is resolved.

Dependency-issue: https://github.com/opencontainers/runc/issues/4427
Signed-off-by: Samuel Karp <samuelkarp@google.com>
2024-10-15 09:28:04 -07:00
Akihiro Suda
179b8d9b3c Merge pull request #10772 from austinvazquez/update-golang-1.23.2
update to go1.23.2,go1.22.8
2024-10-08 06:41:34 +00:00
Samuel Karp
f0f1bfca07 update runc binary to 1.1.15
diff: https://github.com/opencontainers/runc/compare/v1.1.14...v1.1.15

Release notes:

- The -ENOSYS seccomp stub is now always generated for the native
  architecture that runc is running on. This is needed to work around some
  arguably specification-incompliant behaviour from Docker on architectures
  such as ppc64le, where the allowed architecture list is set to null. This
  ensures that we always generate at least one -ENOSYS stub for the native
  architecture even with these weird configs. (#4391)
- On a system with an older kernel, reading /proc/self/mountinfo may skip some
  entries; as a consequence runc may not properly set mount propagation,
  causing container mounts to leak onto the host mount namespace. (#2404, #4425)
- In order to fix performance issues in the "lightweight" bindfd protection
  against [CVE-2019-5736], the temporary ro bind-mount of /proc/self/exe
  has been removed. runc now creates a binary copy in all cases. (#4392, #2532)

Signed-off-by: Samuel Karp <samuelkarp@google.com>
2024-10-07 15:41:26 -07:00
Austin Vazquez
46f5a0d939 update to go1.23.2,go1.22.8
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
2024-10-07 15:09:53 +00:00
Derek McGowan
f1c70e83ae Merge pull request #9470 from lengrongfu/feat/add-e2e-for-systemdcgroup
add use systemd cgroup e2e
2024-10-03 13:13:44 +00:00
Gabriela Cervantes
24fe444eb6 script/setup/install-runc: Add trap statement to clean up tmp files
This PR adds the trap statement in the install runc script to clean
up the temporary files and ensure we are not leaving them.

Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
2024-10-02 19:52:02 +00:00
lengrongfu
095131abf9 add use systemd cgroup e2e
Signed-off-by: lengrongfu <lenronfu@gmail.com>
Signed-off-by: rongfu.leng <lenronfu@gmail.com>
2024-10-03 00:37:29 +08:00
Kirtana Ashok
0d4e606bbc Update hcsshim to v0.12.7
Signed-off-by: Kirtana Ashok <kiashok@microsoft.com>
2024-09-30 17:38:28 -07:00
Shiming Zhang
d72051036a Enable the selinux on cri test
Signed-off-by: Shiming Zhang <wzshiming@hotmail.com>
2024-09-21 16:22:25 +08:00
Sebastiaan van Stijn
9037069da8 update to go1.23.1, go1.22.7
- https://github.com/golang/go/issues?q=milestone%3AGo1.23.1+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.23.0...go1.23.1

These minor releases include 3 security fixes following the security policy:

- go/parser: stack exhaustion in all Parse* functions

    Calling any of the Parse functions on Go source code which contains
    deeply nested literals can cause a panic due to stack exhaustion.

    This is CVE-2024-34155 and Go issue https://go.dev/issue/69138.

- encoding/gob: stack exhaustion in Decoder.Decode

    Calling Decoder.Decode on a message which contains deeply nested
    structures can cause a panic due to stack exhaustion.

    This is a follow-up to CVE-2022-30635.

    Thanks to Md Sakib Anwar of The Ohio State University for reporting
    this issue.

    This is CVE-2024-34156 and Go issue https://go.dev/issue/69139.

- go/build/constraint: stack exhaustion in Parse

    Calling Parse on a "// +build" build tag line with deeply nested
    expressions can cause a panic due to stack exhaustion.

    This is CVE-2024-34158 and Go issue https://go.dev/issue/69141.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.23.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-09-06 16:12:28 +02:00
Akhil Mohan
299a9717fe update runc binary to 1.1.14
diff: https://github.com/opencontainers/runc/compare/v1.1.13...v1.1.14

Release Notes:

- Fix CVE-2024-45310, a low-severity attack that allowed
  maliciously configured containers to create empty files and directories on
  the host.
- Add support for Go 1.23.
- Revert "allow overriding VERSION value in Makefile" and add EXTRA_VERSION.
- rootfs: consolidate mountpoint creation logic.

Signed-off-by: Akhil Mohan <akhilerm@gmail.com>
2024-09-03 10:15:17 +05:30
bo.jiang
def477b07f Bump crun to 1.16
Signed-off-by: bo.jiang <bo.jiang@daocloud.io>
2024-09-02 16:46:20 +08:00
Kirtana Ashok
93abc2fdda Update hcsshim to v0.12.6
Signed-off-by: Kirtana Ashok <kiashok@microsoft.com>
2024-08-19 15:30:51 -07:00
Phil Estes
219df0e7a2 Merge pull request #10604 from thaJeztah/openssf_happiness
script/setup/install-dev-tools: update protoc-gen-go-ttrpc to v1.2.5, specify patch versions
2024-08-16 13:44:20 +00:00
Sebastiaan van Stijn
66817fccc3 script/setup/install-dev-tools: include patch version in versions
The OpenSSF scorecard is complaining about these two dependencies being
installed without a patch version specified;

    Warn: goCommand not pinned by hash: script/setup/install-dev-tools:27
    Warn: goCommand not pinned by hash: script/setup/install-dev-tools:28

While the error indicates it expects a hash, it looks like it's fine
with other modules in the same file, the difference being that those
specify a full version, including patch version, e.g.;
919beb1cf7/script/setup/install-dev-tools (L26)

This patch updates `protoc-gen-go` and `protoc-gen-go-grpc` to the latest
patch release for the specified versions.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-08-16 10:54:17 +02:00
Sebastiaan van Stijn
cd4e24ef71 script/setup/install-dev-tools: update protoc-gen-go-ttrpc to v1.2.5
The current version was updated in 65031eadec,
and looks to be

- 1 commit ahead of v1.2.3; https://github.com/containerd/ttrpc/compare/v1.2.3...faba5896a9c4d7b65495cb9b2c02531feb1434d6
- slightly behind of v1.2.4; faba5896a9...v1.2.4

This patch updates it to the current (v1.2.5) version, aligning it with
the version used in `go.mod`;
faba5896a9...v1.2.5

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-08-16 10:53:37 +02:00
Akhil Mohan
fb8cd045b8 add go1.23.0
Signed-off-by: Akhil Mohan <akhilerm@gmail.com>
2024-08-14 12:30:37 +05:30