Update to 20 10 14 #3
Open. hmlampe wants to merge 386 commits into master from update_to_20_10_14
Conversation
We have upgraded runc to rc93 and added CI for cgroup 2. So we can move cgroup v2 out of experimental. Fix issue 41916 Signed-off-by: Akihiro Suda <[email protected]> (cherry picked from commit 1d2a660) Signed-off-by: Akihiro Suda <[email protected]>
…nspect [20.10 backport] Fix TestInspect(), and pin arm64 machines to a specific Ubuntu version
[20.10 backport] Use docker media type for plugin layers
…ed-20.10 [20.10 backport] btrfs: Allow unprivileged user to delete subvolumes (kernel >= 4.18)
[20.10 backport] dockerd-rootless-setuptool.sh: create CLI context "rootless"
…perimental-20.10 [20.10 backport] Move cgroup v2 out of experimental
Signed-off-by: Brian Goff <[email protected]>
Installation of yamllint started failing, on non-amd64 builds, which could be if the version we were using wasn't specific enough about a dependency to install.

```console
copying Cython/Utility/CppSupport.cpp -> build/lib.linux-aarch64-3.7/Cython/Utility
running build_ext
building 'Cython.Plex.Scanners' extension
creating build/temp.linux-aarch64-3.7
creating build/temp.linux-aarch64-3.7/tmp
creating build/temp.linux-aarch64-3.7/tmp/pip-install-jasgbmp7
creating build/temp.linux-aarch64-3.7/tmp/pip-install-jasgbmp7/Cython
creating build/temp.linux-aarch64-3.7/tmp/pip-install-jasgbmp7/Cython/Cython
creating build/temp.linux-aarch64-3.7/tmp/pip-install-jasgbmp7/Cython/Cython/Plex
aarch64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -I/usr/include/python3.7m -c /tmp/pip-install-jasgbmp7/Cython/Cython/Plex/Scanners.c -o build/temp.linux-aarch64-3.7/tmp/pip-install-jasgbmp7/Cython/Cython/Plex/Scanners.o
/tmp/pip-install-jasgbmp7/Cython/Cython/Plex/Scanners.c:21:10: fatal error: Python.h: No such file or directory
 #include "Python.h"
          ^~~~~~~~~~
compilation terminated.
error: command 'aarch64-linux-gnu-gcc' failed with exit status 1
----------------------------------------
Command "/usr/bin/python3 -u -c "import setuptools, tokenize;__file__='/tmp/pip-install-jasgbmp7/Cython/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" install --record /tmp/pip-record-if5qclwe/install-record.txt --single-version-externally-managed --prefix /tmp/pip-build-env-_dtiuyfw --compile" failed with error code 1 in /tmp/pip-install-jasgbmp7/Cython/
----------------------------------------
Command "/usr/bin/python3 -m pip install --ignore-installed --no-user --prefix /tmp/pip-build-env-_dtiuyfw --no-warn-script-location --no-binary :none: --only-binary :none: -i https://pypi.org/simple -- setuptools wheel Cython" failed with error code 1 in None
moby#22 ERROR: executor failed running [/bin/sh -c pip3 install yamllint==1.16.0]: exit code: 1
```

Trying if updating to the latest version fixes this.

Signed-off-by: Sebastiaan van Stijn <[email protected]> (cherry picked from commit c35cefb) Signed-off-by: Sebastiaan van Stijn <[email protected]>
Fix `Timed out proxy starting the userland proxy.` error with `DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=slirp4netns`. (rootless-containers/rootlesskit#250) Full changes: rootless-containers/rootlesskit@v0.14.1...v0.14.2 Signed-off-by: Akihiro Suda <[email protected]> (cherry picked from commit 11bddf330d4fec818e17333c360c25e8641f221d) Signed-off-by: Akihiro Suda <[email protected]>
…mllint [20.10 backport] Dockerfile: update yamllint to v1.26.1 to fix build
`which` binary is often missing Signed-off-by: Akihiro Suda <[email protected]> (cherry picked from commit e928692) Signed-off-by: Akihiro Suda <[email protected]>
[20.10 backport] dockerd-rootless.sh: use `command -v` instead of `which`
Whether or not the command path is in the error message is an implementation detail. For example, on Windows the only reason this ever matched was because it dumped the entire container config into the error message, but this had nothing to do with the actual error. Signed-off-by: Brian Goff <[email protected]> (cherry picked from commit 225e046) Signed-off-by: Brian Goff <[email protected]>
Evacuate all the processes in `/sys/fs/cgroup/cgroup.procs`, not just PID 1.

Before:

```console
$ docker run --rm --privileged --init $(docker build -q .) cat /sys/fs/cgroup/cgroup.subtree_control
sed: couldn't flush stdout: Device or resource busy
```

After:

```console
$ docker run --rm --privileged --init $(docker build -q .) cat /sys/fs/cgroup/cgroup.subtree_control
cpuset cpu io memory hugetlb pids rdma
```

Fix docker-library/docker issue 308

Signed-off-by: Akihiro Suda <[email protected]> (cherry picked from commit 42b1175) Signed-off-by: Akihiro Suda <[email protected]>
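The evacuation the commit describes, written out as an added Go example (this is not the hack/dind script from the moby repository, and the function names, the `init` child-cgroup name and the controller list in `main` are assumptions). cgroup v2 enforces a "no internal processes" rule: a cgroup cannot both contain processes and have controllers enabled for its children, which is why `cgroup.subtree_control` cannot be written while any process, not only PID 1, is still attached to the root. The root path is a parameter so the logic can be exercised against a plain directory as well as a real cgroupfs.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// EvacuateCgroup moves every PID listed in <root>/cgroup.procs into the
// child cgroup <root>/<child>, creating it if needed, and returns the PIDs
// it moved. On cgroup v2 the root must be empty of processes before
// controllers can be delegated to children, so stopping after PID 1 (the
// behaviour the commit fixes) leaves e.g. the --init reaper behind and the
// later write to subtree_control fails with EBUSY.
func EvacuateCgroup(root, child string) ([]string, error) {
	dstDir := filepath.Join(root, child)
	if err := os.MkdirAll(dstDir, 0o755); err != nil {
		return nil, err
	}
	data, err := os.ReadFile(filepath.Join(root, "cgroup.procs"))
	if err != nil {
		return nil, err
	}
	dst, err := os.OpenFile(filepath.Join(dstDir, "cgroup.procs"), os.O_WRONLY|os.O_CREATE|os.O_APPEND, 0o644)
	if err != nil {
		return nil, err
	}
	defer dst.Close()

	var moved []string
	sc := bufio.NewScanner(strings.NewReader(string(data)))
	for sc.Scan() {
		pid := strings.TrimSpace(sc.Text())
		if pid == "" {
			continue
		}
		// cgroupfs accepts exactly one PID per write(2); writing the whole
		// list at once is rejected, hence one write per PID (like `xargs -rn1`).
		if _, err := fmt.Fprintln(dst, pid); err != nil {
			return moved, fmt.Errorf("move pid %s: %w", pid, err)
		}
		moved = append(moved, pid)
	}
	return moved, sc.Err()
}

// EnableControllers writes "+cpu +memory ..." to <root>/cgroup.subtree_control.
// Only controllers present in <root>/cgroup.controllers can be enabled.
func EnableControllers(root string, controllers []string) error {
	var b strings.Builder
	for _, c := range controllers {
		b.WriteString("+" + c + " ")
	}
	line := strings.TrimSpace(b.String()) + "\n"
	return os.WriteFile(filepath.Join(root, "cgroup.subtree_control"), []byte(line), 0o644)
}

func main() {
	root := "/sys/fs/cgroup" // cgroup v2 mount as seen inside the container
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	moved, err := EvacuateCgroup(root, "init")
	if err != nil {
		fmt.Fprintln(os.Stderr, "evacuate:", err)
		os.Exit(1)
	}
	fmt.Printf("moved %d process(es) into %s/init\n", len(moved), root)
	// Assumed controller set; a real script would read cgroup.controllers first.
	if err := EnableControllers(root, []string{"cpu", "cpuset", "io", "memory", "pids"}); err != nil {
		fmt.Fprintln(os.Stderr, "subtree_control:", err)
		os.Exit(1)
	}
}
```

Run it as root inside a privileged cgroup v2 container (or point it at a scratch directory to see the file handling without touching cgroups). Moving processes this way requires write access to both the source and destination `cgroup.procs`, which is exactly what `--privileged` grants here.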
…2010 [20.10 backport] hack/dind: fix cgroup v2 evacuation with `docker run --init`
[20.10 backport] bump up rootlesskit to v0.14.2 (Fix `Timed out proxy starting the userland proxy.` error with `DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=slirp4netns`)
When building images in a user-namespaced container, v3 capabilities are stored including the root UID of the creator of the user-namespace. This UID does not make sense outside the build environment however. If the image is run in a non-user-namespaced runtime, or if a user-namespaced runtime uses a different UID, the capabilities requested by the effective bit will not be honoured by `execve(2)` due to this mismatch. Instead, we convert v3 capabilities to v2, dropping the root UID on the fly. Signed-off-by: Eric Mountain <[email protected]> (cherry picked from commit 95eb490) Signed-off-by: Akihiro Suda <[email protected]>
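The v3-to-v2 conversion the commit describes, as an added Go example (not the code from the moby commit; the type and function names are assumptions, the constants mirror the kernel's `include/uapi/linux/capability.h`). A `security.capability` xattr is a little-endian magic/flags word followed by two `{permitted, inheritable}` u32 pairs; revision 3 appends the `rootid` of the user namespace that wrote it, and the kernel only honours such a capability when that rootid is root of the namespace the binary later executes in. Re-encoding as revision 2 drops the rootid so the effective bit works wherever the image is run.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Layout constants for the security.capability xattr (from the kernel's
// include/uapi/linux/capability.h).
const (
	vfsCapRevisionMask   = 0xFF000000
	vfsCapRevision2      = 0x02000000 // 64-bit masks, 20-byte blob
	vfsCapRevision3      = 0x03000000 // v2 plus a 4-byte rootid, 24-byte blob
	vfsCapFlagsEffective = 0x00000001
	vfsCapV2Size         = 20
	vfsCapV3Size         = 24
)

// FileCaps is a decoded security.capability xattr.
type FileCaps struct {
	Revision    uint32
	Effective   bool   // raise permitted into effective at execve(2)
	Permitted   uint64 // low u32 stored before high u32 on disk
	Inheritable uint64
	RootID      uint32 // v3 only: kuid of root in the namespace that set the xattr
}

// ParseVFSCap decodes a v2 or v3 blob and rejects anything else.
func ParseVFSCap(b []byte) (FileCaps, error) {
	if len(b) < 4 {
		return FileCaps{}, errors.New("capability xattr too short")
	}
	le := binary.LittleEndian
	magic := le.Uint32(b[0:4])
	fc := FileCaps{Revision: magic & vfsCapRevisionMask, Effective: magic&vfsCapFlagsEffective != 0}
	switch fc.Revision {
	case vfsCapRevision2:
		if len(b) != vfsCapV2Size {
			return fc, fmt.Errorf("v2 xattr is %d bytes, want %d", len(b), vfsCapV2Size)
		}
	case vfsCapRevision3:
		if len(b) != vfsCapV3Size {
			return fc, fmt.Errorf("v3 xattr is %d bytes, want %d", len(b), vfsCapV3Size)
		}
		fc.RootID = le.Uint32(b[20:24])
	default:
		return fc, fmt.Errorf("unsupported capability xattr revision %#x", fc.Revision)
	}
	fc.Permitted = uint64(le.Uint32(b[4:8])) | uint64(le.Uint32(b[12:16]))<<32
	fc.Inheritable = uint64(le.Uint32(b[8:12])) | uint64(le.Uint32(b[16:20]))<<32
	return fc, nil
}

// EncodeV2 serialises the capability as a revision-2 blob; the rootid is
// discarded, so the kernel evaluates it against root of whatever user
// namespace the binary runs in rather than the one it was built in.
func EncodeV2(fc FileCaps) []byte {
	le := binary.LittleEndian
	out := make([]byte, vfsCapV2Size)
	magic := uint32(vfsCapRevision2)
	if fc.Effective {
		magic |= vfsCapFlagsEffective
	}
	le.PutUint32(out[0:4], magic)
	le.PutUint32(out[4:8], uint32(fc.Permitted))
	le.PutUint32(out[8:12], uint32(fc.Inheritable))
	le.PutUint32(out[12:16], uint32(fc.Permitted>>32))
	le.PutUint32(out[16:20], uint32(fc.Inheritable>>32))
	return out
}

// DowngradeV3 returns a v2 blob for v3 input and reports whether it changed
// anything; v2 input is passed through untouched.
func DowngradeV3(b []byte) ([]byte, bool, error) {
	fc, err := ParseVFSCap(b)
	if err != nil {
		return nil, false, err
	}
	if fc.Revision != vfsCapRevision3 {
		return b, false, nil
	}
	return EncodeV2(fc), true, nil
}

func main() {
	// Constructed sample: v3, effective bit set, CAP_NET_RAW (bit 13) permitted,
	// written from a user namespace whose root maps to host UID 100000.
	sample := []byte{0x01, 0x00, 0x00, 0x03, 0x00, 0x20, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xa0, 0x86, 0x01, 0x00}
	out, changed, err := DowngradeV3(sample)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("changed=%v v2=% x\n", changed, out)
}
```

On a real file the blob comes from `getxattr(2)` on `security.capability`; writing the converted form back needs `CAP_SETFCAP`. Dropping the rootid widens where the capability applies, which is the intended effect for an image layer but worth noting when auditing binaries on a shared host.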
…tails [20.10] Bump hcsshim for error details fix
release notes: https://github.com/containerd/containerd/releases/tag/v1.4.5 - Update runc to rc94 - Fix leaking socket path in runc shim v2 - Fix cleanup logic in new container in runc shim v2 - Fix registry mirror authorization logic in CRI plugin - Add support for userxattr in overlay snapshotter for kernel 5.11+ (Note that the update to runc is done separately) Signed-off-by: Sebastiaan van Stijn <[email protected]>
[20.10] update containerd binary to v1.4.5
Schema1 images can not have a config based cache key before the layers are pulled. Avoid validation and reuse manifest digest as a second key. Signed-off-by: Tonis Tiigi <[email protected]> (cherry picked from commit 85167fc) Signed-off-by: Sebastiaan van Stijn <[email protected]>
Needed for runc >= 1.0.0-rc94. See runc issue 2928. Signed-off-by: Akihiro Suda <[email protected]> Signed-off-by: Sebastiaan van Stijn <[email protected]> (cherry picked from commit 9303376) Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Jintao Zhang <[email protected]> (cherry picked from commit 8c019e8) Signed-off-by: Sebastiaan van Stijn <[email protected]>
Starting with runc v1.0.0-rc94, runc no longer supports KernelMemory. opencontainers/runc@52390d6 Signed-off-by: Akihiro Suda <[email protected]> (cherry picked from commit 2f0d666) Signed-off-by: Sebastiaan van Stijn <[email protected]>
[20.10 backport] Update runc binary to v1.0.0-rc94
full diff: opencontainers/runc@v1.0.0-rc94...v1.0.0-rc95 Release notes: This release of runc contains a fix for CVE-2021-30465, and users are strongly recommended to update (especially if you are providing semi-limited access to spawn containers to untrusted users). Aside from this security fix, only a few other changes were made since v1.0.0-rc94 (the only user-visible change was the addition of support for defaultErrnoRet in seccomp profiles). Signed-off-by: Sebastiaan van Stijn <[email protected]> (cherry picked from commit efec2bb) Signed-off-by: Sebastiaan van Stijn <[email protected]>
full diff: containerd/containerd@v1.4.5...v1.4.6 The sixth patch release for containerd 1.4 is a security release to update runc for CVE-2021-30465 Signed-off-by: Sebastiaan van Stijn <[email protected]>
[20.10 backport] update runc binary to v1.0.0-rc95
Do not handle SIGURG on Linux, as in go1.14+, the go runtime issues SIGURG as an interrupt to support preemptable system calls on Linux. This issue was caught in TestCatchAll, which could fail when updating to Go 1.14 or above;

```
=== Failed
=== FAIL: pkg/signal TestCatchAll (0.01s)
    signal_linux_test.go:32: assertion failed: urgent I/O condition (string) != continued (string)
    signal_linux_test.go:32: assertion failed: continued (string) != hangup (string)
    signal_linux_test.go:32: assertion failed: hangup (string) != child exited (string)
    signal_linux_test.go:32: assertion failed: child exited (string) != illegal instruction (string)
    signal_linux_test.go:32: assertion failed: illegal instruction (string) != floating point exception (string)
```

Signed-off-by: Sebastiaan van Stijn <[email protected]> (cherry picked from commit b7ebf32) Signed-off-by: Sebastiaan van Stijn <[email protected]>
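A catch-all signal handler that applies the commit's rule, as an added Go example (not moby's pkg/signal; the function names and the signal-number range are assumptions, and the code is Linux-specific). Since Go 1.14 the runtime sends SIGURG to its own threads for asynchronous goroutine preemption, so a daemon that registers for every signal and forwards or logs each one will see a stream of meaningless SIGURG deliveries; the filter below removes it, together with the two signals that cannot be caught at all.

```go
package main

import (
	"fmt"
	"os"
	"os/signal"
	"syscall"
	"time"
)

// FilterRuntimeSignals drops signals a Linux daemon must not register for:
// SIGKILL and SIGSTOP cannot be caught, and SIGURG is used by the Go runtime
// (go1.14+) to preempt goroutines, so it arrives constantly and carries no
// meaning for the application.
func FilterRuntimeSignals(sigs []os.Signal) []os.Signal {
	out := make([]os.Signal, 0, len(sigs))
	for _, s := range sigs {
		switch s {
		case syscall.SIGKILL, syscall.SIGSTOP, syscall.SIGURG:
			continue
		}
		out = append(out, s)
	}
	return out
}

// CatchAll lists every Linux signal number worth notifying on: 1..64 minus
// the filtered ones and minus 32/33, which glibc reserves for its own thread
// cancellation and setxid machinery.
func CatchAll() []os.Signal {
	var sigs []os.Signal
	for n := 1; n <= 64; n++ {
		if n == 32 || n == 33 {
			continue
		}
		sigs = append(sigs, syscall.Signal(n))
	}
	return FilterRuntimeSignals(sigs)
}

// ShouldHandle is the per-delivery check: even if SIGURG slipped into a
// Notify set, it is dropped rather than forwarded or logged.
func ShouldHandle(s os.Signal) bool {
	return s != syscall.SIGURG
}

func main() {
	ch := make(chan os.Signal, 16)
	signal.Notify(ch, CatchAll()...)
	defer signal.Stop(ch)

	fmt.Println("listening for signals for 10s (send e.g. SIGHUP or SIGUSR1 to this pid)")
	deadline := time.After(10 * time.Second)
	for {
		select {
		case s := <-ch:
			if !ShouldHandle(s) {
				continue
			}
			fmt.Printf("caught %v (%d)\n", s, s.(syscall.Signal))
		case <-deadline:
			fmt.Println("done")
			return
		}
	}
}
```

Registering for SIGPROF and the real-time signals is fine for a demo but interferes with profiling and with libraries that use them; a production daemon should register only for the signals it actually acts on, which is the same reason the test in the commit compares against an explicit table.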
…1.4.6 [20.10] update containerd binary to v1.4.6
Signed-off-by: Thomas LEDOS <[email protected]> (cherry picked from commit 1a933e1) Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Thomas LEDOS <[email protected]> (cherry picked from commit 834272f) Signed-off-by: Sebastiaan van Stijn <[email protected]>
This takes the changes from 1a933e1 and 834272f, and applies them to older API versions in the docs directory (which are used for the actual documentation). Signed-off-by: Sebastiaan van Stijn <[email protected]> (cherry picked from commit 2145f3b) Signed-off-by: Sebastiaan van Stijn <[email protected]>
Commit 3b5fac4 / docker 1.10 removed support for the LXC runtime, and removed the corresponding fields from the API (v1.22). This patch removes the `HostConfig.LxcConf` field from the swagger definition. Signed-off-by: Sebastiaan van Stijn <[email protected]> (cherry picked from commit 75a1ad0) Signed-off-by: Sebastiaan van Stijn <[email protected]>
Commit 3b5fac4 / docker 1.10 removed support for the LXC runtime, and removed the corresponding fields from the API (v1.22). This patch removes the `HostConfig.LxcConf` field from the API documentation. Signed-off-by: Sebastiaan van Stijn <[email protected]> (cherry picked from commit 839e2ec) Signed-off-by: Sebastiaan van Stijn <[email protected]>
[20.10 backport] docs: assorted docs and swagger fixes
[20.10 backport] vendor: bump etcd v3.3.27
Addresses [CVE-2022-24921](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24921) go1.16.15 (released 2022-03-03) includes a security fix to the regexp/syntax package, as well as bug fixes to the compiler, runtime, the go command, and to the net package. See the Go 1.16.15 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.16.15+label%3ACherryPickApproved full diff: golang/go@go1.16.14...go1.16.15 Signed-off-by: Sebastiaan van Stijn <[email protected]>
Welcome to the v1.5.10 release of containerd! The tenth patch release for containerd 1.5 includes a fix for [CVE-2022-23648][1] and other issues. Notable Updates - Use fs.RootPath when mounting volumes (GHSA-crp2-qrr5-8pq7) - Return init pid when clean dead shim in runc.v1/v2 shims - Handle sigint/sigterm in shimv2 - Use readonly mount to read user/group info [1]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23648 [2]: GHSA-crp2-qrr5-8pq7 Signed-off-by: Sebastiaan van Stijn <[email protected]> (cherry picked from commit 2c8f0a0) Signed-off-by: Sebastiaan van Stijn <[email protected]>
…ntainerd_binary_1.5.10 [20.10 backport] update containerd binary to v1.5.10
fixes moby#43267 Signed-off-by: Pete Woods <[email protected]> # Conflicts: # distribution/pull_v2.go # distribution/pull_v2_test.go # distribution/xfer/transfer.go
…hema-download-retry [20.10 backport] distribution: retry downloading schema config on retryable error
The Linux kernel never sets the Inheritable capability flag to anything other than empty. Moby should have the same behavior, and leave it to userspace code within the container to set a non-empty value if desired. Reported-by: Andrew G. Morgan <[email protected]> Signed-off-by: Samuel Karp <[email protected]> (cherry picked from commit 0d9a37d) Signed-off-by: Samuel Karp <[email protected]>
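A check a defender can run inside a container to confirm the behaviour this commit (and containerd's GHSA-c9cp-9c75-9v8c) establishes, as an added Go example that is not part of the moby patch; the type and function names are assumptions and the embedded status text is constructed. Because the kernel never fills the inheritable set by itself, a freshly started container process reporting a non-zero `CapInh` in `/proc/<pid>/status` indicates that the runtime's OCI config granted it, which is what an unprivileged program inside the container could otherwise turn into ambient capabilities.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// SampleStatus is a constructed excerpt of /proc/<pid>/status for a process
// holding Docker's default capability set with an empty inheritable set.
const SampleStatus = "Name:\tsh\n" +
	"CapInh:\t0000000000000000\n" +
	"CapPrm:\t00000000a80425fb\n" +
	"CapEff:\t00000000a80425fb\n" +
	"CapBnd:\t00000000a80425fb\n" +
	"CapAmb:\t0000000000000000\n"

// CapSets holds the capability masks a process reports in /proc/<pid>/status.
type CapSets struct {
	Inh, Prm, Eff, Bnd, Amb uint64
}

// ParseCapSets extracts the Cap* lines (hex masks) from status-file text.
func ParseCapSets(status string) (CapSets, error) {
	var cs CapSets
	seen := 0
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		parts := strings.SplitN(sc.Text(), ":", 2)
		if len(parts) != 2 || !strings.HasPrefix(parts[0], "Cap") {
			continue
		}
		v, err := strconv.ParseUint(strings.TrimSpace(parts[1]), 16, 64)
		if err != nil {
			return cs, fmt.Errorf("%s: %w", parts[0], err)
		}
		switch parts[0] {
		case "CapInh":
			cs.Inh = v
		case "CapPrm":
			cs.Prm = v
		case "CapEff":
			cs.Eff = v
		case "CapBnd":
			cs.Bnd = v
		case "CapAmb":
			cs.Amb = v
		default:
			continue
		}
		seen++
	}
	if err := sc.Err(); err != nil {
		return cs, err
	}
	if seen < 4 { // CapAmb is missing on kernels before 4.3
		return cs, fmt.Errorf("found only %d Cap* lines", seen)
	}
	return cs, nil
}

// SetBits lists the capability numbers present in a mask (see capabilities(7)).
func SetBits(mask uint64) []int {
	var bits []int
	for i := 0; i < 64; i++ {
		if mask&(1<<uint(i)) != 0 {
			bits = append(bits, i)
		}
	}
	return bits
}

// UnexpectedInheritable returns the inheritable capability numbers. The
// kernel never populates this set on its own, so a fresh container process
// should report none; anything listed was granted by the runtime's config.
func UnexpectedInheritable(cs CapSets) []int {
	return SetBits(cs.Inh)
}

func main() {
	data, err := os.ReadFile("/proc/self/status")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	cs, err := ParseCapSets(string(data))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("CapInh=%016x CapPrm=%016x CapEff=%016x CapBnd=%016x CapAmb=%016x\n",
		cs.Inh, cs.Prm, cs.Eff, cs.Bnd, cs.Amb)
	if leak := UnexpectedInheritable(cs); len(leak) > 0 {
		fmt.Printf("inheritable set is not empty: capability numbers %v\n", leak)
	} else {
		fmt.Println("inheritable set is empty, as expected")
	}
}
```

Run it as the container's entrypoint or via `docker exec` to inspect the sets the runtime actually handed over; a non-empty result on an unmodified image points at an unpatched runtime or an explicit configuration choice that should be reviewed.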
updates the vendoring from the latest commit of the ambiguous-manifest-moby-20.10 branch in our fork. Signed-off-by: Sebastiaan van Stijn <[email protected]>
[20.10] vendor: containerd 7cfa023d95d37076d5ab035003d4839f4b6ba791
[20.10] oci: inheritable capability set should be empty
The eleventh patch release for containerd 1.5 includes a fix for [CVE-2022-24769](GHSA-c9cp-9c75-9v8c). Notable Updates: - **Fix the inheritable capability defaults** ([GHSA-c9cp-9c75-9v8c](GHSA-c9cp-9c75-9v8c)) Signed-off-by: Sebastiaan van Stijn <[email protected]>
…binary_1.5.11 [20.10] update containerd binary to 1.5.11
Backport native dependencies to debian stretch
checked out tag v20.10.14 from upstream
cherry-picked commits for