From 371bee82f99c4236fd7e60e615b25c2c90eedad0 Mon Sep 17 00:00:00 2001 From: Jacob Blain Christen Date: Fri, 24 Jul 2020 14:23:56 -0700 Subject: [PATCH] containerd: bump to v1.3.6 Remove $NOTIFY_SOCKET, if present, from env when invoking containerd to prevent gratuitous notifications sent to systemd. Signed-off-by: Jacob Blain Christen --- go.mod | 13 +- go.sum | 21 +- pkg/agent/containerd/containerd.go | 8 + .../containerd/containerd/.appveyor.yml | 2 +- .../containerd/containerd/.golangci.yml | 2 +- .../github.com/containerd/containerd/.mailmap | 53 ++- .../containerd/containerd/.travis.yml | 19 +- .../containerd/containerd/BUILDING.md | 2 +- .../github.com/containerd/containerd/Makefile | 12 +- .../containerd/cmd/containerd/command/main.go | 4 + .../cmd/containerd/command/main_unix.go | 4 + .../cmd/containerd/command/main_windows.go | 5 + .../cmd/containerd/command/notify_linux.go | 62 +++ .../containerd/command/notify_unsupported.go | 31 ++ .../cmd/containerd/command/service_windows.go | 3 - .../containerd/containerd/codecov.yml | 1 + .../containerd/containerd/container.go | 39 +- .../containerd/containerd/containerd.service | 1 + .../github.com/containerd/containerd/image.go | 36 +- .../containerd/containerd/pkg/process/io.go | 190 ++++++---- .../containerd/remotes/docker/fetcher.go | 30 +- .../containerd/remotes/docker/pusher.go | 1 + .../containerd/remotes/docker/resolver.go | 6 +- .../containerd/runtime/v1/linux/runtime.go | 8 +- .../runtime/v1/shim/client/client.go | 20 +- .../containerd/runtime/v2/runc/container.go | 38 ++ .../containerd/runtime/v2/runc/v2/service.go | 11 +- .../containerd/containerd/sys/filesys.go | 35 ++ .../containerd/containerd/sys/mount_linux.go | 52 ++- .../containerd/containerd/vendor.conf | 172 ++++----- .../containerd/containerd/version/version.go | 2 +- vendor/github.com/containerd/cri/Makefile | 99 +++-- vendor/github.com/containerd/cri/cri.go | 8 +- .../containerd/cri/pkg/config/config.go | 7 +- .../cri/pkg/server/container_create.go | 15 +- .../cri/pkg/server/container_remove.go | 13 +- .../containerd/cri/pkg/server/events.go | 6 + .../containerd/cri/pkg/server/helpers.go | 23 +- .../containerd/cri/pkg/server/image_pull.go | 48 +-- .../containerd/cri/pkg/server/restart.go | 4 +- .../cri/pkg/server/sandbox_remove.go | 6 +- .../containerd/cri/pkg/server/sandbox_run.go | 8 +- .../containerd/cri/pkg/server/sandbox_stop.go | 47 ++- .../cri/pkg/store/container/status.go | 6 + vendor/github.com/containerd/cri/vendor.conf | 121 +++--- .../containerd/go-cni/namespace_opts.go | 8 - vendor/github.com/containerd/go-cni/opts.go | 18 - vendor/github.com/containerd/go-cni/types.go | 10 - vendor/github.com/hashicorp/errwrap/LICENSE | 354 ++++++++++++++++++ vendor/github.com/hashicorp/errwrap/README.md | 89 +++++ .../github.com/hashicorp/errwrap/errwrap.go | 169 +++++++++ .../hashicorp/go-multierror/.travis.yml | 12 + .../hashicorp/go-multierror/LICENSE | 353 +++++++++++++++++ .../hashicorp/go-multierror/Makefile | 31 ++ .../hashicorp/go-multierror/README.md | 97 +++++ .../hashicorp/go-multierror/append.go | 41 ++ .../hashicorp/go-multierror/flatten.go | 26 ++ .../hashicorp/go-multierror/format.go | 27 ++ .../hashicorp/go-multierror/multierror.go | 51 +++ .../hashicorp/go-multierror/prefix.go | 37 ++ .../selinux/go-selinux/label/label.go | 148 ++++---- .../selinux/go-selinux/label/label_selinux.go | 150 ++------ .../selinux/go-selinux/label/label_stub.go | 50 +++ .../selinux/go-selinux/selinux_linux.go | 299 ++++++++++----- .../selinux/go-selinux/selinux_stub.go | 32 +- .../selinux/go-selinux/xattrs.go | 74 +--- .../selinux/pkg/pwalk/README.md | 42 +++ .../opencontainers/selinux/pkg/pwalk/pwalk.go | 99 +++++ vendor/modules.txt | 15 +- 69 files changed, 2696 insertions(+), 830 deletions(-) create mode 100644 vendor/github.com/containerd/containerd/cmd/containerd/command/notify_linux.go create mode 100644 vendor/github.com/containerd/containerd/cmd/containerd/command/notify_unsupported.go create mode 100644 vendor/github.com/containerd/containerd/codecov.yml create mode 100644 vendor/github.com/containerd/containerd/sys/filesys.go create mode 100644 vendor/github.com/hashicorp/errwrap/LICENSE create mode 100644 vendor/github.com/hashicorp/errwrap/README.md create mode 100644 vendor/github.com/hashicorp/errwrap/errwrap.go create mode 100644 vendor/github.com/hashicorp/go-multierror/.travis.yml create mode 100644 vendor/github.com/hashicorp/go-multierror/LICENSE create mode 100644 vendor/github.com/hashicorp/go-multierror/Makefile create mode 100644 vendor/github.com/hashicorp/go-multierror/README.md create mode 100644 vendor/github.com/hashicorp/go-multierror/append.go create mode 100644 vendor/github.com/hashicorp/go-multierror/flatten.go create mode 100644 vendor/github.com/hashicorp/go-multierror/format.go create mode 100644 vendor/github.com/hashicorp/go-multierror/multierror.go create mode 100644 vendor/github.com/hashicorp/go-multierror/prefix.go create mode 100644 vendor/github.com/opencontainers/selinux/go-selinux/label/label_stub.go create mode 100644 vendor/github.com/opencontainers/selinux/pkg/pwalk/README.md create mode 100644 vendor/github.com/opencontainers/selinux/pkg/pwalk/pwalk.go diff --git a/go.mod b/go.mod index 57a656ef9c..065f360b6d 100644 --- a/go.mod +++ b/go.mod @@ -8,11 +8,10 @@ replace ( github.com/containerd/btrfs => github.com/containerd/btrfs v0.0.0-20181101203652-af5082808c83 github.com/containerd/cgroups => github.com/containerd/cgroups v0.0.0-20190717030353-c4b9ac5c7601 github.com/containerd/console => github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50 - github.com/containerd/containerd => github.com/rancher/containerd v1.3.3-k3s2 + github.com/containerd/containerd => github.com/rancher/containerd v1.3.6-k3s1 github.com/containerd/continuity => github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02 - github.com/containerd/cri => github.com/rancher/cri v1.3.0-k3s.6 + github.com/containerd/cri => github.com/rancher/cri v1.3.0-k3s.7 github.com/containerd/fifo => github.com/containerd/fifo v0.0.0-20190816180239-bda0ff6ed73c - github.com/containerd/go-runc => github.com/containerd/go-runc v0.0.0-20190911050354-e029b79d8cda github.com/containerd/typeurl => github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd github.com/coreos/flannel => github.com/rancher/flannel v0.12.0-k3s1 github.com/coreos/go-systemd => github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e @@ -67,12 +66,12 @@ require ( github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 // indirect github.com/bronze1man/goStrongswanVici v0.0.0-20190828090544-27d02f80ba40 // indirect github.com/containerd/cgroups v0.0.0-00010101000000-000000000000 // indirect - github.com/containerd/containerd v1.3.0-beta.2.0.20190828155532-0293cbd26c69 + github.com/containerd/containerd v1.3.6 github.com/containerd/continuity v0.0.0-20190827140505-75bee3e2ccb6 // indirect github.com/containerd/cri v0.0.0-00010101000000-000000000000 github.com/containerd/fifo v0.0.0-20190816180239-bda0ff6ed73c // indirect - github.com/containerd/go-cni v0.0.0-20190904155053-d20b7eebc7ee // indirect - github.com/containerd/go-runc v0.0.0-20190923131748-a2952bc25f51 // indirect + github.com/containerd/go-cni v0.0.0-20190813230227-49fbd9b210f3 // indirect + github.com/containerd/go-runc v0.0.0-20190911050354-e029b79d8cda // indirect github.com/containerd/ttrpc v0.0.0-20190828172938-92c8520ef9f8 // indirect github.com/containernetworking/plugins v0.8.2 // indirect github.com/coreos/flannel v0.11.0 @@ -92,7 +91,7 @@ require ( github.com/mattn/go-sqlite3 v1.13.0 github.com/natefinch/lumberjack v2.0.0+incompatible github.com/opencontainers/runc v1.0.0-rc10 - github.com/opencontainers/selinux v1.3.1-0.20190929122143-5215b1806f52 + github.com/opencontainers/selinux v1.5.3-0.20200613095409-bb88c45a3863 github.com/pkg/errors v0.9.1 github.com/rancher/dynamiclistener v0.2.0 github.com/rancher/helm-controller v0.6.3 diff --git a/go.sum b/go.sum index 7646d3fb14..d0197cf1ee 100644 --- a/go.sum +++ b/go.sum @@ -117,8 +117,9 @@ github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02 h1:tN9D97v5A github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= github.com/containerd/fifo v0.0.0-20190816180239-bda0ff6ed73c h1:KFbqHhDeaHM7IfFtXHfUHMDaUStpM2YwBR+iJCIOsKk= github.com/containerd/fifo v0.0.0-20190816180239-bda0ff6ed73c/go.mod h1:ODA38xgv3Kuk8dQz2ZQXpnv/UZZUHUCL7pnLehbXgQI= -github.com/containerd/go-cni v0.0.0-20190904155053-d20b7eebc7ee h1:fV37ZKnYs79fSyI3mu/XZFJVezrVsXBLbfojcTPpdXM= -github.com/containerd/go-cni v0.0.0-20190904155053-d20b7eebc7ee/go.mod h1:2wlRxCQdiBY+OcjNg5x8kI+5mEL1fGt25L4IzQHYJsM= +github.com/containerd/go-cni v0.0.0-20190813230227-49fbd9b210f3 h1:owkX+hC6Inv1XUep/pAjF7qJpnZWjbtETw5r1DVYFPo= +github.com/containerd/go-cni v0.0.0-20190813230227-49fbd9b210f3/go.mod h1:2wlRxCQdiBY+OcjNg5x8kI+5mEL1fGt25L4IzQHYJsM= +github.com/containerd/go-runc v0.0.0-20180907222934-5a6d9f37cfa3/go.mod h1:IV7qH3hrUgRmyYrtgEeGWJfWbgcHL9CSRruz2Vqcph0= github.com/containerd/go-runc v0.0.0-20190911050354-e029b79d8cda h1:3LYDkJtHAZGbWD75PoTBJuxldc+njsz9uSfjwIoOR6c= github.com/containerd/go-runc v0.0.0-20190911050354-e029b79d8cda/go.mod h1:IV7qH3hrUgRmyYrtgEeGWJfWbgcHL9CSRruz2Vqcph0= github.com/containerd/ttrpc v0.0.0-20190828154514-0e0f228740de/go.mod h1:PvCDdDGpgqzQIzDW1TphrGLssLDZp2GuS+X5DkEJB8o= @@ -405,7 +406,9 @@ github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 h1:Ovs26xHkKqVztRpIrF/92Bcuy github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= github.com/grpc-ecosystem/grpc-gateway v1.9.5 h1:UImYN5qQ8tuGpGE16ZmjvcTtTw24zw1QAp/SlnNrZhI= github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= +github.com/hashicorp/errwrap v0.0.0-20141028054710-7554cd9344ce h1:prjrVgOk2Yg6w+PflHoszQNLTUh4kaByUcEWM/9uin4= github.com/hashicorp/errwrap v0.0.0-20141028054710-7554cd9344ce/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/go-multierror v0.0.0-20161216184304-ed905158d874 h1:cAv7ZbSmyb1wjn6T4TIiyFCkpcfgpbcNNC3bM2srLaI= github.com/hashicorp/go-multierror v0.0.0-20161216184304-ed905158d874/go.mod h1:JMRHfdO9jKNzS/+BTlxCjKNQHg/jZAft8U7LloJvN7I= github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4= github.com/hashicorp/golang-lru v0.0.0-20180201235237-0fb14efe8c47/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= @@ -443,7 +446,6 @@ github.com/json-iterator/go v1.1.8 h1:QiWkFLKq0T7mpzwOTu6BzNDbfTE8OLrYhVKYMLF46O github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= -github.com/juju/loggo v0.0.0-20190526231331-6e530bcce5d8 h1:UUHMLvzt/31azWTN/ifGWef4WUqvXk0iRqdhdy/2uzI= github.com/juju/loggo v0.0.0-20190526231331-6e530bcce5d8/go.mod h1:vgyd7OREkbtVEN/8IXZe5Ooef3LQePvuBm9UWj6ZL8U= github.com/juju/testing v0.0.0-20190613124551-e81189438503/go.mod h1:63prj8cnj0tU0S9OHjGJn+b1h0ZghCndfnbQolrYTwA= github.com/jung-kurt/gofpdf v1.0.3-0.20190309125859-24315acbbda5/go.mod h1:7Id9E/uU8ce6rXgefFLlgrJj/GYY22cpxn+r32jIOes= @@ -584,6 +586,8 @@ github.com/opencontainers/runtime-spec v0.0.0-20180911193056-5684b8af48c1/go.mod github.com/opencontainers/runtime-tools v0.0.0-20181011054405-1d69bd0f9c39/go.mod h1:r3f7wjNzSs2extwzU3Y+6pKfobzPh+kKFJ3ofN+3nfs= github.com/opencontainers/selinux v1.3.1-0.20190929122143-5215b1806f52 h1:B8hYj3NxHmjsC3T+tnlZ1UhInqUgnyF1zlGPmzNg2Qk= github.com/opencontainers/selinux v1.3.1-0.20190929122143-5215b1806f52/go.mod h1:+BLncwf63G4dgOzykXAxcmnFlUaOlkDdmw/CqsW6pjs= +github.com/opencontainers/selinux v1.5.3-0.20200613095409-bb88c45a3863 h1:pAUx/lkmegJdgEH27YJImvNLOs/ydx/NbKJ2vIJ2PHY= +github.com/opencontainers/selinux v1.5.3-0.20200613095409-bb88c45a3863/go.mod h1:yTcKuYAh6R95iDpefGLQaPaRwJFwyzAJufJyiTt7s0g= github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k= github.com/pelletier/go-toml v1.1.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= @@ -612,10 +616,10 @@ github.com/quasilyte/go-consistent v0.0.0-20190521200055-c6f3937de18c/go.mod h1: github.com/quobyte/api v0.1.2/go.mod h1:jL7lIHrmqQ7yh05OJ+eEEdHr0u/kmT1Ff9iHd+4H6VI= github.com/rakelkar/gonetsh v0.0.0-20190930180311-e5c5ffe4bdf0 h1:iXE9kmlAqhusXxzkXictdNgWS7p4ZBnmv9SdyMgTf6E= github.com/rakelkar/gonetsh v0.0.0-20190930180311-e5c5ffe4bdf0/go.mod h1:4XHkfaUj+URzGO9sohoAgt2V9Y8nIW7fugpu0E6gShk= -github.com/rancher/containerd v1.3.3-k3s2 h1:RZr+TqFt7+YsrSYkyytlhW4HmneWeFNM7IymNOoGW6A= -github.com/rancher/containerd v1.3.3-k3s2/go.mod h1:ZMfzmqce2Z+QSEqdHMfeJs1TZ/UeJ1aDrazjpQT4ehM= -github.com/rancher/cri v1.3.0-k3s.6 h1:jeom53pNYUJHlZBHpax8vpQeBoW19vSVGAQn9jPyIcc= -github.com/rancher/cri v1.3.0-k3s.6/go.mod h1:Ht5T1dIKzm+4NExmb7wDVG6qR+j0xeXIjjhCv1d9geY= +github.com/rancher/containerd v1.3.6-k3s1 h1:wSGjKMQM3TRCsgWAd+lA9zy/JM4/A9MuUxZFGIxt0+0= +github.com/rancher/containerd v1.3.6-k3s1/go.mod h1:ZMfzmqce2Z+QSEqdHMfeJs1TZ/UeJ1aDrazjpQT4ehM= +github.com/rancher/cri v1.3.0-k3s.7 h1:5V/AVFLCpYIsJMavJKjKpwrQU92e87dhWSX43N4q8Gg= +github.com/rancher/cri v1.3.0-k3s.7/go.mod h1:Ht5T1dIKzm+4NExmb7wDVG6qR+j0xeXIjjhCv1d9geY= github.com/rancher/cri-tools v1.18.0-k3s1 h1:pLYthxpSu6k3Up9tNAMA0MK2ERqB6FC1sZQPRSW1qSg= github.com/rancher/cri-tools v1.18.0-k3s1/go.mod h1:Ij/GWNRcEDP6zVN6eQpvN/s0nhuJVtPQFy7RAdl+Wu8= github.com/rancher/dynamiclistener v0.2.0 h1:KucYwJXVVGhZ/NndfMCeQoCafT/VN7kvqSGgmlX8Lxk= @@ -674,7 +678,6 @@ github.com/rancher/kubernetes/staging/src/k8s.io/metrics v1.18.6-k3s1 h1:eUs9gsR github.com/rancher/kubernetes/staging/src/k8s.io/metrics v1.18.6-k3s1/go.mod h1:xZM9EdJpWjqIWPvLiCP7vYKUEMwIgc0S8nc/MlLVK3Y= github.com/rancher/kubernetes/staging/src/k8s.io/sample-apiserver v1.18.6-k3s1/go.mod h1:p8OmVbdzpawdZ/r9E1qcdJpzRirEg4OcSg8aZVWqvJo= github.com/rancher/moq v0.0.0-20190404221404-ee5226d43009/go.mod h1:wpITyDPTi/Na5h73XkbuEf2AP9fbgrIGqqxVzFhYD6U= -github.com/rancher/nocode v0.0.0-20200630202308-cb097102c09f h1:mX6kuT3Ah9v1iEO3rgCQ7ZH9heVh67r3a9l94ua8P7U= github.com/rancher/nocode v0.0.0-20200630202308-cb097102c09f/go.mod h1:iAAt6Amgbysi6srDJs9SxGSbG2j/JSRb/xCrnEtA69g= github.com/rancher/remotedialer v0.2.0 h1:xD7t3K6JYwTdAsxmGtTHQMkEkFgKouQ1foLxVW424Dc= github.com/rancher/remotedialer v0.2.0/go.mod h1:tkU8ZvrR5lRgaKWaX71nAy6daeqvPFx/lJEnbW7tXSI= @@ -796,6 +799,7 @@ github.com/vishvananda/netlink v0.0.0-20181108222139-023a6dafdcdf/go.mod h1:+SR5 github.com/vishvananda/netlink v1.0.0 h1:bqNY2lgheFIu1meHUFSH3d7vG93AFyqg3oGbJCOJgSM= github.com/vishvananda/netlink v1.0.0/go.mod h1:+SR5DhBJrl6ZM7CoCKvpw5BKroDKQ+PJqOg65H/2ktk= github.com/vishvananda/netns v0.0.0-20170219233438-54f0e4339ce7/go.mod h1:ZjcWmFBXmLKZu9Nxj3WKYEafiSqer2rnvPr0en9UNpI= +github.com/vishvananda/netns v0.0.0-20171111001504-be1fbeda1936 h1:J9gO8RJCAFlln1jsvRba/CWVUnMHwObklfxxjErl1uk= github.com/vishvananda/netns v0.0.0-20171111001504-be1fbeda1936/go.mod h1:ZjcWmFBXmLKZu9Nxj3WKYEafiSqer2rnvPr0en9UNpI= github.com/vishvananda/netns v0.0.0-20180720170159-13995c7128cc h1:R83G5ikgLMxrBvLh22JhdfI8K6YXEPHx5P03Uu3DRs4= github.com/vishvananda/netns v0.0.0-20180720170159-13995c7128cc/go.mod h1:ZjcWmFBXmLKZu9Nxj3WKYEafiSqer2rnvPr0en9UNpI= @@ -929,6 +933,7 @@ golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191022100944-742c48ecaeb7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191115151921-52ab43148777/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e h1:9vRrk9YW2BTzLP0VCB9ZDjU4cPqkg+IDWL7XgxA1yxQ= golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= diff --git a/pkg/agent/containerd/containerd.go b/pkg/agent/containerd/containerd.go index b7bfd94467..0a0eac83f8 100644 --- a/pkg/agent/containerd/containerd.go +++ b/pkg/agent/containerd/containerd.go @@ -69,6 +69,14 @@ func Run(ctx context.Context, cfg *config.Node) error { cmd := exec.Command(args[0], args[1:]...) cmd.Stdout = stdOut cmd.Stderr = stdErr + cmd.Env = os.Environ() + // elide NOTIFY_SOCKET to prevent spurious notifications to systemd + for i := range cmd.Env { + if strings.HasPrefix(cmd.Env[i], "NOTIFY_SOCKET=") { + cmd.Env = append(cmd.Env[:i], cmd.Env[i+1:]...) + break + } + } addDeathSig(cmd) if err := cmd.Run(); err != nil { fmt.Fprintf(os.Stderr, "containerd: %s\n", err) diff --git a/vendor/github.com/containerd/containerd/.appveyor.yml b/vendor/github.com/containerd/containerd/.appveyor.yml index c23ded278f..86a7e3457b 100644 --- a/vendor/github.com/containerd/containerd/.appveyor.yml +++ b/vendor/github.com/containerd/containerd/.appveyor.yml @@ -13,7 +13,7 @@ environment: GOPATH: C:\gopath CGO_ENABLED: 1 matrix: - - GO_VERSION: 1.12.15 + - GO_VERSION: 1.13.12 before_build: - choco install -y mingw --version 5.3.0 diff --git a/vendor/github.com/containerd/containerd/.golangci.yml b/vendor/github.com/containerd/containerd/.golangci.yml index 940e3a1956..ded222c933 100644 --- a/vendor/github.com/containerd/containerd/.golangci.yml +++ b/vendor/github.com/containerd/containerd/.golangci.yml @@ -15,7 +15,7 @@ linters: - errcheck run: - deadline: 2m + deadline: 3m skip-dirs: - api - design diff --git a/vendor/github.com/containerd/containerd/.mailmap b/vendor/github.com/containerd/containerd/.mailmap index 9fa2a26564..f2a4b24efe 100644 --- a/vendor/github.com/containerd/containerd/.mailmap +++ b/vendor/github.com/containerd/containerd/.mailmap @@ -1,38 +1,76 @@ Abhinandan Prativadi Abhinandan Prativadi +Ace-Tang Akihiro Suda Akihiro Suda +Allen Sun +Alexander Morozov +Amit Krishnan Andrei Vagin Andrey Kolomentsev +Arnaud Porterie +Arnaud Porterie +Bob Mader +Boris Popovschi Brent Baude +Cao Zhihao +Cao Zhihao Carlos Eduardo +Cristian Staretu +Cristian Staretu +Daniel Dao +Edgar Lee Eric Ren +Fahed Dorgaa Frank Yang +Fupan Li Georgia Panoutsakopoulou Guangming Wang Haiyan Meng +Harry Zhang +Hu Shuai +Hu Shuai +Jaana Burcu Dogan +Jess Valarezo +Jess Valarezo Jian Liao Jian Liao Ji'an Liu Jie Zhang -John Howard -John Howard +John Howard +John Howard +John Howard +John Howard +Luc Perkins Julien Balestra Justin Cormack Justin Terry Justin Terry Kenfe-Mickaël Laventure +Kevin Kern Kevin Xu +Kohei Tokunaga +Krasi Georgiev +Lantao Liu Lantao Liu Lifubang Lu Jingxiao Maksym Pavlenko +Mario Hros +Mario Hros Mark Gordon Michael Katsoulis Mike Brown Nishchay Kumar +Oliver Stenbom Phil Estes +Reid Li +Ross Boucher +Ruediger Maass Rui Cao +Sakeven Jiang +Seth Pellegrino <30441101+sethp-nr@users.noreply.github.com> +Shengbo Song Stephen J Day Stephen J Day Stephen J Day @@ -42,8 +80,11 @@ Tõnis Tiigi Wei Fu Xiaodong Zhang Xuean Yan +Yue Zhang Yuxing Liu -zhenguang zhu -zhongming chang -zhoulin xie -zhoulin xie <42261994+JoeWrightss@users.noreply.github.com> +Zhang Wei +Zhenguang Zhu +Zhongming Chang +Zhoulin Xie +Zhoulin Xie <42261994+JoeWrightss@users.noreply.github.com> +张潇 diff --git a/vendor/github.com/containerd/containerd/.travis.yml b/vendor/github.com/containerd/containerd/.travis.yml index 0481a1022c..f3defaf5c8 100644 --- a/vendor/github.com/containerd/containerd/.travis.yml +++ b/vendor/github.com/containerd/containerd/.travis.yml @@ -4,19 +4,24 @@ sudo: required services: - docker +branches: + except: + - master + - release/1.3 + language: go os: - linux go: - - "1.12.15" + - "1.13.12" env: - - TRAVIS_GOOS=linux TEST_RUNTIME=io.containerd.runc.v1 TRAVIS_CGO_ENABLED=1 TRAVIS_DISTRO=bionic - - TRAVIS_GOOS=linux TEST_RUNTIME=io.containerd.runc.v2 TRAVIS_CGO_ENABLED=1 TRAVIS_DISTRO=bionic TRAVIS_RELEASE=yes - - TRAVIS_GOOS=linux TEST_RUNTIME=io.containerd.runtime.v1.linux TRAVIS_CGO_ENABLED=1 TRAVIS_DISTRO=bionic - - TRAVIS_GOOS=darwin TRAVIS_CGO_ENABLED=0 + - TRAVIS_GOOS=linux TEST_RUNTIME=io.containerd.runc.v1 TRAVIS_CGO_ENABLED=1 TRAVIS_DISTRO=bionic GOPROXY=direct + - TRAVIS_GOOS=linux TEST_RUNTIME=io.containerd.runc.v2 TRAVIS_CGO_ENABLED=1 TRAVIS_DISTRO=bionic TRAVIS_RELEASE=yes GOPROXY=direct + - TRAVIS_GOOS=linux TEST_RUNTIME=io.containerd.runtime.v1.linux TRAVIS_CGO_ENABLED=1 TRAVIS_DISTRO=bionic GOPROXY=direct + - TRAVIS_GOOS=darwin TRAVIS_CGO_ENABLED=0 GOPROXY=direct matrix: include: @@ -24,7 +29,7 @@ matrix: - if: type != pull_request os: linux dist: xenial - env: TRAVIS_GOOS=linux TEST_RUNTIME=io.containerd.runc.v2 TRAVIS_CGO_ENABLED=1 TRAVIS_DISTRO=xenial + env: TRAVIS_GOOS=linux TEST_RUNTIME=io.containerd.runc.v2 TRAVIS_CGO_ENABLED=1 TRAVIS_DISTRO=xenial GOPROXY=direct go_import_path: github.com/containerd/containerd @@ -73,7 +78,7 @@ script: - DCO_VERBOSITY=-q ../project/script/validate/dco - ../project/script/validate/fileheader ../project/ - travis_wait ../project/script/validate/vendor - - GOOS=linux script/setup/install-dev-tools + - GOOS=linux GO111MODULE=off script/setup/install-dev-tools - go build -i . - make check - if [ "$GOOS" = "linux" ]; then make check-protos check-api-descriptors; fi diff --git a/vendor/github.com/containerd/containerd/BUILDING.md b/vendor/github.com/containerd/containerd/BUILDING.md index dd8573bb23..07420a04b4 100644 --- a/vendor/github.com/containerd/containerd/BUILDING.md +++ b/vendor/github.com/containerd/containerd/BUILDING.md @@ -207,7 +207,7 @@ Next, let's build `runc`: ```sh cd /go/src/github.com/opencontainers/runc -make BUILDTAGS='seccomp apparmor' && make install +make BUILDTAGS='seccomp apparmor selinux' && make install ``` When working with `ctr`, the simple test client we just built, don't forget to start the daemon! diff --git a/vendor/github.com/containerd/containerd/Makefile b/vendor/github.com/containerd/containerd/Makefile index 37012e8c52..c1ea1dde9b 100644 --- a/vendor/github.com/containerd/containerd/Makefile +++ b/vendor/github.com/containerd/containerd/Makefile @@ -87,7 +87,7 @@ endif # Project binaries. COMMANDS=ctr containerd containerd-stress -MANPAGES=ctr.1 containerd.1 containerd-config.1 containerd-config.toml.5 +MANPAGES=ctr.8 containerd.8 containerd-config.8 containerd-config.toml.5 ifdef BUILDTAGS GO_BUILDTAGS = ${BUILDTAGS} @@ -209,15 +209,15 @@ mandir: @mkdir -p man # Kept for backwards compatability -genman: man/containerd.1 man/ctr.1 +genman: man/containerd.8 man/ctr.8 -man/containerd.1: FORCE +man/containerd.8: FORCE @echo "$(WHALE) $@" - go run cmd/gen-manpages/main.go containerd man/ + go run cmd/gen-manpages/main.go $(@F) $(@D) -man/ctr.1: FORCE +man/ctr.8: FORCE @echo "$(WHALE) $@" - go run cmd/gen-manpages/main.go ctr man/ + go run cmd/gen-manpages/main.go $(@F) $(@D) man/%: docs/man/%.md FORCE @echo "$(WHALE) $@" diff --git a/vendor/github.com/containerd/containerd/cmd/containerd/command/main.go b/vendor/github.com/containerd/containerd/cmd/containerd/command/main.go index 9bde46b476..1974ba8623 100644 --- a/vendor/github.com/containerd/containerd/cmd/containerd/command/main.go +++ b/vendor/github.com/containerd/containerd/cmd/containerd/command/main.go @@ -227,6 +227,10 @@ can be used and modified as necessary as a custom configuration.` } serve(ctx, l, server.ServeGRPC) + if err := notifyReady(ctx); err != nil { + log.G(ctx).WithError(err).Warn("notify ready failed") + } + log.G(ctx).Infof("containerd successfully booted in %fs", time.Since(start).Seconds()) <-done return nil diff --git a/vendor/github.com/containerd/containerd/cmd/containerd/command/main_unix.go b/vendor/github.com/containerd/containerd/cmd/containerd/command/main_unix.go index c9081eeef3..7bc9b1cf96 100644 --- a/vendor/github.com/containerd/containerd/cmd/containerd/command/main_unix.go +++ b/vendor/github.com/containerd/containerd/cmd/containerd/command/main_unix.go @@ -52,6 +52,10 @@ func handleSignals(ctx context.Context, signals chan os.Signal, serverC chan *se case unix.SIGPIPE: continue default: + if err := notifyStopping(ctx); err != nil { + log.G(ctx).WithError(err).Error("notify stopping failed") + } + if server == nil { close(done) return diff --git a/vendor/github.com/containerd/containerd/cmd/containerd/command/main_windows.go b/vendor/github.com/containerd/containerd/cmd/containerd/command/main_windows.go index 2cd5a91221..612cb40d4f 100644 --- a/vendor/github.com/containerd/containerd/cmd/containerd/command/main_windows.go +++ b/vendor/github.com/containerd/containerd/cmd/containerd/command/main_windows.go @@ -51,6 +51,11 @@ func handleSignals(ctx context.Context, signals chan os.Signal, serverC chan *se server = s case s := <-signals: log.G(ctx).WithField("signal", s).Debug("received signal") + + if err := notifyStopping(ctx); err != nil { + log.G(ctx).WithError(err).Error("notify stopping failed") + } + if server == nil { close(done) return diff --git a/vendor/github.com/containerd/containerd/cmd/containerd/command/notify_linux.go b/vendor/github.com/containerd/containerd/cmd/containerd/command/notify_linux.go new file mode 100644 index 0000000000..9dd0a66648 --- /dev/null +++ b/vendor/github.com/containerd/containerd/cmd/containerd/command/notify_linux.go @@ -0,0 +1,62 @@ +// +build linux + +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package command + +import ( + "context" + "os" + + sd "github.com/coreos/go-systemd/daemon" + + "github.com/containerd/containerd/log" +) + +const ( + // SdNotifyReady tells the service manager that service startup is finished + // or the service finished loading its configuration. + SdNotifyReady = "READY=1" + + // SdNotifyStopping tells the service manager that the service is beginning + // its shutdown. + SdNotifyStopping = "STOPPING=1" +) + +// notifyReady notifies systemd that the daemon is ready to serve requests +func notifyReady(ctx context.Context) error { + return sdNotify(ctx, SdNotifyReady) +} + +// notifyStopping notifies systemd that the daemon is about to be stopped +func notifyStopping(ctx context.Context) error { + return sdNotify(ctx, SdNotifyStopping) +} + +func sdNotify(ctx context.Context, state string) error { + if os.Getenv("NOTIFY_SOCKET") != "" { + notified, err := sd.SdNotify(false, state) + log.G(ctx). + WithError(err). + WithField("notified", notified). + WithField("state", state). + Debug("sd notification") + return err + } + + return nil +} diff --git a/vendor/github.com/containerd/containerd/cmd/containerd/command/notify_unsupported.go b/vendor/github.com/containerd/containerd/cmd/containerd/command/notify_unsupported.go new file mode 100644 index 0000000000..3a05137399 --- /dev/null +++ b/vendor/github.com/containerd/containerd/cmd/containerd/command/notify_unsupported.go @@ -0,0 +1,31 @@ +// +build !linux + +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package command + +import ( + "context" +) + +func notifyReady(ctx context.Context) error { + return nil +} + +func notifyStopping(ctx context.Context) error { + return nil +} diff --git a/vendor/github.com/containerd/containerd/cmd/containerd/command/service_windows.go b/vendor/github.com/containerd/containerd/cmd/containerd/command/service_windows.go index 6973459109..655295fc89 100644 --- a/vendor/github.com/containerd/containerd/cmd/containerd/command/service_windows.go +++ b/vendor/github.com/containerd/containerd/cmd/containerd/command/service_windows.go @@ -49,8 +49,6 @@ var ( allocConsole = kernel32.NewProc("AllocConsole") oldStderr windows.Handle panicFile *os.File - - service *handler ) const defaultServiceName = "containerd" @@ -282,7 +280,6 @@ func launchService(s *server.Server, done chan struct{}) error { return err } - service = h go func() { if interactive { err = debug.Run(serviceNameFlag, h) diff --git a/vendor/github.com/containerd/containerd/codecov.yml b/vendor/github.com/containerd/containerd/codecov.yml new file mode 100644 index 0000000000..69cb76019a --- /dev/null +++ b/vendor/github.com/containerd/containerd/codecov.yml @@ -0,0 +1 @@ +comment: false diff --git a/vendor/github.com/containerd/containerd/container.go b/vendor/github.com/containerd/containerd/container.go index 187934eadd..a893364c56 100644 --- a/vendor/github.com/containerd/containerd/container.go +++ b/vendor/github.com/containerd/containerd/container.go @@ -32,6 +32,7 @@ import ( "github.com/containerd/containerd/images" "github.com/containerd/containerd/oci" "github.com/containerd/containerd/runtime/v2/runc/options" + "github.com/containerd/containerd/sys" "github.com/containerd/typeurl" prototypes "github.com/gogo/protobuf/types" ver "github.com/opencontainers/image-spec/specs-go" @@ -422,14 +423,33 @@ func attachExistingIO(response *tasks.GetResponse, ioAttach cio.Attach) (cio.IO, // loadFifos loads the containers fifos func loadFifos(response *tasks.GetResponse) *cio.FIFOSet { - path := getFifoDir([]string{ + fifos := []string{ response.Process.Stdin, response.Process.Stdout, response.Process.Stderr, - }) - closer := func() error { - return os.RemoveAll(path) } + closer := func() error { + var ( + err error + dirs = map[string]struct{}{} + ) + for _, fifo := range fifos { + if isFifo, _ := sys.IsFifo(fifo); isFifo { + if rerr := os.Remove(fifo); err == nil { + err = rerr + } + dirs[filepath.Dir(fifo)] = struct{}{} + } + } + for dir := range dirs { + // we ignore errors here because we don't + // want to remove the directory if it isn't + // empty + os.Remove(dir) + } + return err + } + return cio.NewFIFOSet(cio.Config{ Stdin: response.Process.Stdin, Stdout: response.Process.Stdout, @@ -437,14 +457,3 @@ func loadFifos(response *tasks.GetResponse) *cio.FIFOSet { Terminal: response.Process.Terminal, }, closer) } - -// getFifoDir looks for any non-empty path for a stdio fifo -// and returns the dir for where it is located -func getFifoDir(paths []string) string { - for _, p := range paths { - if p != "" { - return filepath.Dir(p) - } - } - return "" -} diff --git a/vendor/github.com/containerd/containerd/containerd.service b/vendor/github.com/containerd/containerd/containerd.service index 5452ea1f68..cae30ec7ce 100644 --- a/vendor/github.com/containerd/containerd/containerd.service +++ b/vendor/github.com/containerd/containerd/containerd.service @@ -7,6 +7,7 @@ After=network.target local-fs.target ExecStartPre=-/sbin/modprobe overlay ExecStart=/usr/local/bin/containerd +Type=notify Delegate=yes KillMode=process Restart=always diff --git a/vendor/github.com/containerd/containerd/image.go b/vendor/github.com/containerd/containerd/image.go index 9ef09ac2f8..6b72ed4b8d 100644 --- a/vendor/github.com/containerd/containerd/image.go +++ b/vendor/github.com/containerd/containerd/image.go @@ -197,24 +197,26 @@ func (i *image) Usage(ctx context.Context, opts ...UsageOpt) (int64, error) { desc.Size = info.Size } - for k, v := range info.Labels { - const prefix = "containerd.io/gc.ref.snapshot." - if !strings.HasPrefix(k, prefix) { - continue - } - - sn := i.client.SnapshotService(k[len(prefix):]) - if sn == nil { - continue - } - - u, err := sn.Usage(ctx, v) - if err != nil { - if !errdefs.IsNotFound(err) && !errdefs.IsInvalidArgument(err) { - return nil, err + if config.snapshots { + for k, v := range info.Labels { + const prefix = "containerd.io/gc.ref.snapshot." + if !strings.HasPrefix(k, prefix) { + continue + } + + sn := i.client.SnapshotService(k[len(prefix):]) + if sn == nil { + continue + } + + u, err := sn.Usage(ctx, v) + if err != nil { + if !errdefs.IsNotFound(err) && !errdefs.IsInvalidArgument(err) { + return nil, err + } + } else { + usage += u.Size } - } else { - usage += u.Size } } } diff --git a/vendor/github.com/containerd/containerd/pkg/process/io.go b/vendor/github.com/containerd/containerd/pkg/process/io.go index 28a94a5ecd..9b5503497a 100644 --- a/vendor/github.com/containerd/containerd/pkg/process/io.go +++ b/vendor/github.com/containerd/containerd/pkg/process/io.go @@ -29,15 +29,20 @@ import ( "sync" "sync/atomic" "syscall" + "time" "github.com/containerd/containerd/log" "github.com/containerd/containerd/namespaces" "github.com/containerd/containerd/pkg/stdio" + "github.com/containerd/containerd/sys" "github.com/containerd/fifo" runc "github.com/containerd/go-runc" + "github.com/hashicorp/go-multierror" "github.com/pkg/errors" ) +const binaryIOProcTermTimeout = 12 * time.Second // Give logger process solid 10 seconds for cleanup + var bufPool = sync.Pool{ New: func() interface{} { // setting to 4096 to align with PIPE_BUF @@ -174,7 +179,7 @@ func copyPipes(ctx context.Context, rio runc.IO, stdin, stdout, stderr string, w }, }, } { - ok, err := isFifo(i.name) + ok, err := sys.IsFifo(i.name) if err != nil { return err } @@ -240,28 +245,13 @@ func (c *countingWriteCloser) Close() error { return c.WriteCloser.Close() } -// isFifo checks if a file is a fifo -// if the file does not exist then it returns false -func isFifo(path string) (bool, error) { - stat, err := os.Stat(path) - if err != nil { - if os.IsNotExist(err) { - return false, nil - } - return false, err - } - if stat.Mode()&os.ModeNamedPipe == os.ModeNamedPipe { - return true, nil - } - return false, nil -} - // NewBinaryIO runs a custom binary process for pluggable shim logging -func NewBinaryIO(ctx context.Context, id string, uri *url.URL) (runc.IO, error) { +func NewBinaryIO(ctx context.Context, id string, uri *url.URL) (_ runc.IO, err error) { ns, err := namespaces.NamespaceRequired(ctx) if err != nil { return nil, err } + var args []string for k, vs := range uri.Query() { args = append(args, k) @@ -269,86 +259,146 @@ func NewBinaryIO(ctx context.Context, id string, uri *url.URL) (runc.IO, error) args = append(args, vs[0]) } } - ctx, cancel := context.WithCancel(ctx) - cmd := exec.CommandContext(ctx, uri.Path, args...) + + var closers []func() error + defer func() { + if err == nil { + return + } + result := multierror.Append(err) + for _, fn := range closers { + result = multierror.Append(result, fn()) + } + err = multierror.Flatten(result) + }() + + out, err := newPipe() + if err != nil { + return nil, errors.Wrap(err, "failed to create stdout pipes") + } + closers = append(closers, out.Close) + + serr, err := newPipe() + if err != nil { + return nil, errors.Wrap(err, "failed to create stderr pipes") + } + closers = append(closers, serr.Close) + + r, w, err := os.Pipe() + if err != nil { + return nil, err + } + closers = append(closers, r.Close, w.Close) + + cmd := exec.Command(uri.Path, args...) cmd.Env = append(cmd.Env, "CONTAINER_ID="+id, "CONTAINER_NAMESPACE="+ns, ) - out, err := newPipe() - if err != nil { - cancel() - return nil, err - } - serr, err := newPipe() - if err != nil { - cancel() - return nil, err - } - r, w, err := os.Pipe() - if err != nil { - cancel() - return nil, err - } + cmd.ExtraFiles = append(cmd.ExtraFiles, out.r, serr.r, w) // don't need to register this with the reaper or wait when // running inside a shim if err := cmd.Start(); err != nil { - cancel() - return nil, err + return nil, errors.Wrap(err, "failed to start binary process") } + closers = append(closers, func() error { return cmd.Process.Kill() }) + // close our side of the pipe after start if err := w.Close(); err != nil { - cancel() - return nil, err + return nil, errors.Wrap(err, "failed to close write pipe after start") } + // wait for the logging binary to be ready b := make([]byte, 1) if _, err := r.Read(b); err != nil && err != io.EOF { - cancel() - return nil, err + return nil, errors.Wrap(err, "failed to read from logging binary") } + return &binaryIO{ - cmd: cmd, - cancel: cancel, - out: out, - err: serr, + cmd: cmd, + out: out, + err: serr, }, nil } type binaryIO struct { cmd *exec.Cmd - cancel func() out, err *pipe } -func (b *binaryIO) CloseAfterStart() (err error) { - for _, v := range []*pipe{ - b.out, - b.err, - } { +func (b *binaryIO) CloseAfterStart() error { + var ( + result *multierror.Error + ) + + for _, v := range []*pipe{b.out, b.err} { if v != nil { - if cerr := v.r.Close(); err == nil { - err = cerr + if err := v.r.Close(); err != nil { + result = multierror.Append(result, err) } } } - return err + + return result.ErrorOrNil() } -func (b *binaryIO) Close() (err error) { - b.cancel() - for _, v := range []*pipe{ - b.out, - b.err, - } { +func (b *binaryIO) Close() error { + var ( + result *multierror.Error + ) + + for _, v := range []*pipe{b.out, b.err} { if v != nil { - if cerr := v.Close(); err == nil { - err = cerr + if err := v.Close(); err != nil { + result = multierror.Append(result, err) } } } - return err + + if err := b.cancel(); err != nil { + result = multierror.Append(result, err) + } + + return result.ErrorOrNil() +} + +func (b *binaryIO) cancel() error { + if b.cmd == nil || b.cmd.Process == nil { + return nil + } + + // Send SIGTERM first, so logger process has a chance to flush and exit properly + if err := b.cmd.Process.Signal(syscall.SIGTERM); err != nil { + result := multierror.Append(errors.Wrap(err, "failed to send SIGTERM")) + + log.L.WithError(err).Warn("failed to send SIGTERM signal, killing logging shim") + + if err := b.cmd.Process.Kill(); err != nil { + result = multierror.Append(result, errors.Wrap(err, "failed to kill process after faulty SIGTERM")) + } + + return result.ErrorOrNil() + } + + done := make(chan error) + go func() { + done <- b.cmd.Wait() + }() + + select { + case err := <-done: + return err + case <-time.After(binaryIOProcTermTimeout): + log.L.Warn("failed to wait for shim logger process to exit, killing") + + err := b.cmd.Process.Kill() + if err != nil { + return errors.Wrap(err, "failed to kill shim logger process") + } + + return nil + } } func (b *binaryIO) Stdin() io.WriteCloser { @@ -389,9 +439,15 @@ type pipe struct { } func (p *pipe) Close() error { - err := p.w.Close() - if rerr := p.r.Close(); err == nil { - err = rerr + var result *multierror.Error + + if err := p.w.Close(); err != nil { + result = multierror.Append(result, errors.Wrap(err, "failed to close write pipe")) } - return err + + if err := p.r.Close(); err != nil { + result = multierror.Append(result, errors.Wrap(err, "failed to close read pipe")) + } + + return multierror.Prefix(result.ErrorOrNil(), "pipe:") } diff --git a/vendor/github.com/containerd/containerd/remotes/docker/fetcher.go b/vendor/github.com/containerd/containerd/remotes/docker/fetcher.go index ad8482fa39..0896eea92a 100644 --- a/vendor/github.com/containerd/containerd/remotes/docker/fetcher.go +++ b/vendor/github.com/containerd/containerd/remotes/docker/fetcher.go @@ -96,41 +96,49 @@ func (r dockerFetcher) Fetch(ctx context.Context, desc ocispec.Descriptor) (io.R images.MediaTypeDockerSchema1Manifest, ocispec.MediaTypeImageManifest, ocispec.MediaTypeImageIndex: + var firstErr error for _, host := range r.hosts { req := r.request(host, http.MethodGet, "manifests", desc.Digest.String()) rc, err := r.open(ctx, req, desc.MediaType, offset) if err != nil { - if errdefs.IsNotFound(err) { - continue // try another host + // Store the error for referencing later + if firstErr == nil { + firstErr = err } - - return nil, err + continue // try another host } return rc, nil } + + return nil, firstErr } // Finally use blobs endpoints + var firstErr error for _, host := range r.hosts { req := r.request(host, http.MethodGet, "blobs", desc.Digest.String()) rc, err := r.open(ctx, req, desc.MediaType, offset) if err != nil { - if errdefs.IsNotFound(err) { - continue // try another host + // Store the error for referencing later + if firstErr == nil { + firstErr = err } - - return nil, err + continue // try another host } return rc, nil } - return nil, errors.Wrapf(errdefs.ErrNotFound, - "could not fetch content descriptor %v (%v) from remote", - desc.Digest, desc.MediaType) + if errdefs.IsNotFound(firstErr) { + firstErr = errors.Wrapf(errdefs.ErrNotFound, + "could not fetch content descriptor %v (%v) from remote", + desc.Digest, desc.MediaType) + } + + return nil, firstErr }) } diff --git a/vendor/github.com/containerd/containerd/remotes/docker/pusher.go b/vendor/github.com/containerd/containerd/remotes/docker/pusher.go index a96fe5a956..a89ecefba6 100644 --- a/vendor/github.com/containerd/containerd/remotes/docker/pusher.go +++ b/vendor/github.com/containerd/containerd/remotes/docker/pusher.go @@ -204,6 +204,7 @@ func (p dockerPusher) Push(ctx context.Context, desc ocispec.Descriptor) (conten q.Add("digest", desc.Digest.String()) req = p.request(lhost, http.MethodPut) + req.header.Set("Content-Type", "application/octet-stream") req.path = lurl.Path + "?" + q.Encode() } p.tracker.SetStatus(ref, Status{ diff --git a/vendor/github.com/containerd/containerd/remotes/docker/resolver.go b/vendor/github.com/containerd/containerd/remotes/docker/resolver.go index f126449c3e..90a0e34de6 100644 --- a/vendor/github.com/containerd/containerd/remotes/docker/resolver.go +++ b/vendor/github.com/containerd/containerd/remotes/docker/resolver.go @@ -286,7 +286,11 @@ func (r *dockerResolver) Resolve(ctx context.Context, ref string) (string, ocisp if errors.Cause(err) == ErrInvalidAuthorization { err = errors.Wrapf(err, "pull access denied, repository does not exist or may require authorization") } - return "", ocispec.Descriptor{}, err + // Store the error for referencing later + if lastErr == nil { + lastErr = err + } + continue // try another host } resp.Body.Close() // don't care about body contents. diff --git a/vendor/github.com/containerd/containerd/runtime/v1/linux/runtime.go b/vendor/github.com/containerd/containerd/runtime/v1/linux/runtime.go index fdaff5f9e4..b2101f3262 100644 --- a/vendor/github.com/containerd/containerd/runtime/v1/linux/runtime.go +++ b/vendor/github.com/containerd/containerd/runtime/v1/linux/runtime.go @@ -62,6 +62,9 @@ const ( configFilename = "config.json" defaultRuntime = "runc" defaultShim = "containerd-shim" + + // cleanupTimeout is default timeout for cleanup operations + cleanupTimeout = 1 * time.Minute ) func init() { @@ -212,7 +215,10 @@ func (r *Runtime) Create(ctx context.Context, id string, opts runtime.CreateOpts } defer func() { if err != nil { - if kerr := s.KillShim(ctx); kerr != nil { + deferCtx, deferCancel := context.WithTimeout( + namespaces.WithNamespace(context.TODO(), namespace), cleanupTimeout) + defer deferCancel() + if kerr := s.KillShim(deferCtx); kerr != nil { log.G(ctx).WithError(err).Error("failed to kill shim") } } diff --git a/vendor/github.com/containerd/containerd/runtime/v1/shim/client/client.go b/vendor/github.com/containerd/containerd/runtime/v1/shim/client/client.go index 7c68248c52..72f6cc8d4f 100644 --- a/vendor/github.com/containerd/containerd/runtime/v1/shim/client/client.go +++ b/vendor/github.com/containerd/containerd/runtime/v1/shim/client/client.go @@ -323,21 +323,31 @@ func (c *Client) signalShim(ctx context.Context, sig syscall.Signal) error { select { case <-ctx.Done(): return ctx.Err() - case <-c.waitForExit(pid): + case <-c.waitForExit(ctx, pid): return nil } } -func (c *Client) waitForExit(pid int) <-chan struct{} { - c.exitOnce.Do(func() { +func (c *Client) waitForExit(ctx context.Context, pid int) <-chan struct{} { + go c.exitOnce.Do(func() { + defer close(c.exitCh) + + ticker := time.NewTicker(10 * time.Millisecond) + defer ticker.Stop() + for { // use kill(pid, 0) here because the shim could have been reparented // and we are no longer able to waitpid(pid, ...) on the shim if err := unix.Kill(pid, 0); err == unix.ESRCH { - close(c.exitCh) return } - time.Sleep(10 * time.Millisecond) + + select { + case <-ticker.C: + case <-ctx.Done(): + log.G(ctx).WithField("pid", pid).Warn("timed out while waiting for shim to exit") + return + } } }) return c.exitCh diff --git a/vendor/github.com/containerd/containerd/runtime/v2/runc/container.go b/vendor/github.com/containerd/containerd/runtime/v2/runc/container.go index c9c540065d..189f004e80 100644 --- a/vendor/github.com/containerd/containerd/runtime/v2/runc/container.go +++ b/vendor/github.com/containerd/containerd/runtime/v2/runc/container.go @@ -20,6 +20,7 @@ package runc import ( "context" + "encoding/json" "io/ioutil" "os" "path/filepath" @@ -87,6 +88,10 @@ func NewContainer(ctx context.Context, platform stdio.Platform, r *task.CreateTa Options: r.Options, } + if err := WriteOptions(r.Bundle, opts); err != nil { + return nil, err + } + // For historical reason, we write opts.BinaryName as well as the entire opts if err := WriteRuntime(r.Bundle, opts.BinaryName); err != nil { return nil, err } @@ -142,6 +147,39 @@ func NewContainer(ctx context.Context, platform stdio.Platform, r *task.CreateTa return container, nil } +const optionsFilename = "options.json" + +// ReadOptions reads the option information from the path. +// When the file does not exist, ReadOptions returns nil without an error. +func ReadOptions(path string) (*options.Options, error) { + filePath := filepath.Join(path, optionsFilename) + if _, err := os.Stat(filePath); err != nil { + if os.IsNotExist(err) { + return nil, nil + } + return nil, err + } + + data, err := ioutil.ReadFile(filePath) + if err != nil { + return nil, err + } + var opts options.Options + if err := json.Unmarshal(data, &opts); err != nil { + return nil, err + } + return &opts, nil +} + +// WriteOptions writes the options information into the path +func WriteOptions(path string, opts options.Options) error { + data, err := json.Marshal(opts) + if err != nil { + return err + } + return ioutil.WriteFile(filepath.Join(path, optionsFilename), data, 0600) +} + // ReadRuntime reads the runtime information from the path func ReadRuntime(path string) (string, error) { data, err := ioutil.ReadFile(filepath.Join(path, "runtime")) diff --git a/vendor/github.com/containerd/containerd/runtime/v2/runc/v2/service.go b/vendor/github.com/containerd/containerd/runtime/v2/runc/v2/service.go index fef2b1e8ce..40484a96b2 100644 --- a/vendor/github.com/containerd/containerd/runtime/v2/runc/v2/service.go +++ b/vendor/github.com/containerd/containerd/runtime/v2/runc/v2/service.go @@ -256,7 +256,16 @@ func (s *service) Cleanup(ctx context.Context) (*taskAPI.DeleteResponse, error) if err != nil { return nil, err } - r := process.NewRunc(process.RuncRoot, path, ns, runtime, "", false) + opts, err := runc.ReadOptions(path) + if err != nil { + return nil, err + } + root := process.RuncRoot + if opts != nil && opts.Root != "" { + root = opts.Root + } + + r := process.NewRunc(root, path, ns, runtime, "", false) if err := r.Delete(ctx, s.id, &runcC.DeleteOpts{ Force: true, }); err != nil { diff --git a/vendor/github.com/containerd/containerd/sys/filesys.go b/vendor/github.com/containerd/containerd/sys/filesys.go new file mode 100644 index 0000000000..825d21d19a --- /dev/null +++ b/vendor/github.com/containerd/containerd/sys/filesys.go @@ -0,0 +1,35 @@ +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package sys + +import "os" + +// IsFifo checks if a file is a (named pipe) fifo +// if the file does not exist then it returns false +func IsFifo(path string) (bool, error) { + stat, err := os.Stat(path) + if err != nil { + if os.IsNotExist(err) { + return false, nil + } + return false, err + } + if stat.Mode()&os.ModeNamedPipe == os.ModeNamedPipe { + return true, nil + } + return false, nil +} diff --git a/vendor/github.com/containerd/containerd/sys/mount_linux.go b/vendor/github.com/containerd/containerd/sys/mount_linux.go index a9eee9b73a..a21045529a 100644 --- a/vendor/github.com/containerd/containerd/sys/mount_linux.go +++ b/vendor/github.com/containerd/containerd/sys/mount_linux.go @@ -21,6 +21,7 @@ import ( "syscall" "unsafe" + "github.com/containerd/containerd/log" "github.com/pkg/errors" "golang.org/x/sys/unix" ) @@ -30,9 +31,8 @@ func FMountat(dirfd uintptr, source, target, fstype string, flags uintptr, data var ( sourceP, targetP, fstypeP, dataP *byte pid uintptr - ws unix.WaitStatus err error - errno syscall.Errno + errno, status syscall.Errno ) sourceP, err = syscall.BytePtrFromString(source) @@ -60,37 +60,62 @@ func FMountat(dirfd uintptr, source, target, fstype string, flags uintptr, data runtime.LockOSThread() defer runtime.UnlockOSThread() + var pipefds [2]int + if err := syscall.Pipe2(pipefds[:], syscall.O_CLOEXEC); err != nil { + return errors.Wrap(err, "failed to open pipe") + } + + defer func() { + // close both ends of the pipe in a deferred function, since open file + // descriptor table is shared with child + syscall.Close(pipefds[0]) + syscall.Close(pipefds[1]) + }() + pid, errno = forkAndMountat(dirfd, uintptr(unsafe.Pointer(sourceP)), uintptr(unsafe.Pointer(targetP)), uintptr(unsafe.Pointer(fstypeP)), flags, - uintptr(unsafe.Pointer(dataP))) + uintptr(unsafe.Pointer(dataP)), + pipefds[1], + ) if errno != 0 { return errors.Wrap(errno, "failed to fork thread") } - _, err = unix.Wait4(int(pid), &ws, 0, nil) - for err == syscall.EINTR { - _, err = unix.Wait4(int(pid), &ws, 0, nil) - } + defer func() { + _, err := unix.Wait4(int(pid), nil, 0, nil) + for err == syscall.EINTR { + _, err = unix.Wait4(int(pid), nil, 0, nil) + } - if err != nil { - return errors.Wrapf(err, "failed to find pid=%d process", pid) - } + if err != nil { + log.L.WithError(err).Debugf("failed to find pid=%d process", pid) + } + }() - errno = syscall.Errno(ws.ExitStatus()) + _, _, errno = syscall.RawSyscall(syscall.SYS_READ, + uintptr(pipefds[0]), + uintptr(unsafe.Pointer(&status)), + unsafe.Sizeof(status)) if errno != 0 { - return errors.Wrap(errno, "failed to mount") + return errors.Wrap(errno, "failed to read pipe") } + + if status != 0 { + return errors.Wrap(status, "failed to mount") + } + return nil } // forkAndMountat will fork thread, change working dir and mount. // // precondition: the runtime OS thread must be locked. -func forkAndMountat(dirfd uintptr, source, target, fstype, flags, data uintptr) (pid uintptr, errno syscall.Errno) { +func forkAndMountat(dirfd uintptr, source, target, fstype, flags, data uintptr, pipefd int) (pid uintptr, errno syscall.Errno) { + // block signal during clone beforeFork() @@ -114,6 +139,7 @@ func forkAndMountat(dirfd uintptr, source, target, fstype, flags, data uintptr) _, _, errno = syscall.RawSyscall6(syscall.SYS_MOUNT, source, target, fstype, flags, data, 0) childerr: + _, _, errno = syscall.RawSyscall(syscall.SYS_WRITE, uintptr(pipefd), uintptr(unsafe.Pointer(&errno)), unsafe.Sizeof(errno)) syscall.RawSyscall(syscall.SYS_EXIT, uintptr(errno), 0, 0) panic("unreachable") } diff --git a/vendor/github.com/containerd/containerd/vendor.conf b/vendor/github.com/containerd/containerd/vendor.conf index 92ef3ef9c2..3288f53b10 100644 --- a/vendor/github.com/containerd/containerd/vendor.conf +++ b/vendor/github.com/containerd/containerd/vendor.conf @@ -1,91 +1,93 @@ -github.com/containerd/go-runc e029b79d8cda8374981c64eba71f28ec38e5526f -github.com/containerd/console 0650fd9eeb50bab4fc99dceb9f2e14cf58f36e7f -github.com/containerd/cgroups c4b9ac5c7601384c965b9646fc515884e091ebb9 -github.com/containerd/typeurl a93fcdb778cd272c6e9b3028b2f42d813e785d40 -github.com/containerd/fifo bda0ff6ed73c67bfb5e62bc9c697f146b7fd7f13 -github.com/containerd/btrfs af5082808c833de0e79c1e72eea9fea239364877 -github.com/containerd/continuity f2a389ac0a02ce21c09edd7344677a601970f41c -github.com/coreos/go-systemd 48702e0da86bd25e76cfef347e2adeb434a0d0a6 -github.com/docker/go-metrics 4ea375f7759c82740c893fc030bc37088d2ec098 -github.com/docker/go-events 9461782956ad83b30282bf90e31fa6a70c255ba9 -github.com/docker/go-units v0.4.0 -github.com/godbus/dbus c7fdd8b5cd55e87b4e1f4e372cdb1db61dd6c66f -github.com/prometheus/client_golang f4fb1b73fb099f396a7f0036bf86aa8def4ed823 -github.com/prometheus/client_model 99fa1f4be8e564e8a6b613da7fa6f46c9edafc6c -github.com/prometheus/common 89604d197083d4781071d3c65855d24ecfb0a563 -github.com/prometheus/procfs cb4147076ac75738c9a7d279075a253c0cc5acbd -github.com/beorn7/perks 4c0e84591b9aa9e6dcfdf3e020114cd81f89d5f9 -github.com/matttproud/golang_protobuf_extensions v1.0.1 -github.com/gogo/protobuf v1.2.1 -github.com/gogo/googleapis v1.2.0 -github.com/golang/protobuf v1.2.0 -github.com/opencontainers/runtime-spec 29686dbc5559d93fb1ef402eeda3e35c38d75af4 # v1.0.1-59-g29686db -github.com/opencontainers/runc d736ef14f0288d6993a1845745d6756cfc9ddd5a # v1.0.0-rc9 -github.com/konsorten/go-windows-terminal-sequences v1.0.1 -github.com/sirupsen/logrus v1.4.1 -github.com/urfave/cli v1.22.0 -golang.org/x/net f3200d17e092c607f615320ecaad13d87ad9a2b3 -google.golang.org/grpc 6eaf6f47437a6b4e2153a190160ef39a92c7eceb # v1.23.0 -github.com/pkg/errors v0.8.1 -github.com/opencontainers/go-digest c9281466c8b2f606084ac71339773efd177436e7 -golang.org/x/sys 9eafafc0a87e0fd0aeeba439a4573537970c44c7 https://github.com/golang/sys -github.com/opencontainers/image-spec v1.0.1 -golang.org/x/sync 42b317875d0fa942474b76e1b46a6060d720ae6e -github.com/BurntSushi/toml v0.3.1 -github.com/grpc-ecosystem/go-grpc-prometheus 6b7015e65d366bf3f19b2b2a000a831940f0f7e0 -github.com/Microsoft/go-winio v0.4.14 -github.com/Microsoft/hcsshim 9e921883ac929bbe515b39793ece99ce3a9d7706 -google.golang.org/genproto d80a6e20e776b0b17a324d0ba1ab50a39c8e8944 -golang.org/x/text 19e51611da83d6be54ddafce4a4af510cb3e9ea4 -github.com/containerd/ttrpc 92c8520ef9f86600c650dd540266a007bf03670f -github.com/syndtr/gocapability d98352740cb2c55f81556b63d4a1ec64c5a319c2 -gotest.tools v2.3.0 -github.com/google/go-cmp v0.2.0 -go.etcd.io/bbolt v1.3.3 -github.com/hashicorp/errwrap v1.0.0 -github.com/hashicorp/go-multierror v1.0.0 -github.com/hashicorp/golang-lru v0.5.3 -go.opencensus.io v0.22.0 -github.com/imdario/mergo v0.3.7 -github.com/cpuguy83/go-md2man v1.0.10 -github.com/russross/blackfriday v1.5.2 +github.com/beorn7/perks 4c0e84591b9aa9e6dcfdf3e020114cd81f89d5f9 +github.com/BurntSushi/toml v0.3.1 +github.com/containerd/btrfs af5082808c833de0e79c1e72eea9fea239364877 +github.com/containerd/cgroups 9f1c62dddf4bc7cc72822ebe353bae7006141b1b +github.com/containerd/console v1.0.0 +github.com/containerd/continuity f2a389ac0a02ce21c09edd7344677a601970f41c +github.com/containerd/fifo bda0ff6ed73c67bfb5e62bc9c697f146b7fd7f13 +github.com/containerd/go-runc e029b79d8cda8374981c64eba71f28ec38e5526f +github.com/containerd/ttrpc v1.0.0 +github.com/containerd/typeurl v1.0.0 +github.com/coreos/go-systemd 48702e0da86bd25e76cfef347e2adeb434a0d0a6 +github.com/cpuguy83/go-md2man v1.0.10 +github.com/docker/go-events e31b211e4f1cd09aa76fe4ac244571fab96ae47f +github.com/docker/go-metrics 4ea375f7759c82740c893fc030bc37088d2ec098 +github.com/docker/go-units v0.4.0 +github.com/godbus/dbus v3 +github.com/gogo/googleapis v1.2.0 +github.com/gogo/protobuf v1.2.1 +github.com/golang/protobuf v1.2.0 +github.com/google/go-cmp v0.2.0 +github.com/google/uuid v1.1.1 +github.com/grpc-ecosystem/go-grpc-prometheus 6b7015e65d366bf3f19b2b2a000a831940f0f7e0 +github.com/hashicorp/errwrap v1.0.0 +github.com/hashicorp/go-multierror v1.0.0 +github.com/hashicorp/golang-lru v0.5.3 +github.com/imdario/mergo v0.3.7 +github.com/konsorten/go-windows-terminal-sequences v1.0.1 +github.com/matttproud/golang_protobuf_extensions v1.0.1 +github.com/Microsoft/go-winio v0.4.14 +github.com/Microsoft/hcsshim 9e921883ac929bbe515b39793ece99ce3a9d7706 +github.com/opencontainers/go-digest c9281466c8b2f606084ac71339773efd177436e7 +github.com/opencontainers/image-spec v1.0.1 +github.com/opencontainers/runc v1.0.0-rc10 +github.com/opencontainers/runtime-spec 29686dbc5559d93fb1ef402eeda3e35c38d75af4 # v1.0.1-59-g29686db +github.com/pkg/errors v0.8.1 +github.com/prometheus/client_golang f4fb1b73fb099f396a7f0036bf86aa8def4ed823 +github.com/prometheus/client_model 99fa1f4be8e564e8a6b613da7fa6f46c9edafc6c +github.com/prometheus/common 89604d197083d4781071d3c65855d24ecfb0a563 +github.com/prometheus/procfs cb4147076ac75738c9a7d279075a253c0cc5acbd +github.com/russross/blackfriday v1.5.2 +github.com/sirupsen/logrus v1.4.1 +github.com/syndtr/gocapability d98352740cb2c55f81556b63d4a1ec64c5a319c2 +github.com/urfave/cli v1.22.0 +go.etcd.io/bbolt v1.3.3 +go.opencensus.io v0.22.0 +golang.org/x/net f3200d17e092c607f615320ecaad13d87ad9a2b3 +golang.org/x/sync 42b317875d0fa942474b76e1b46a6060d720ae6e +golang.org/x/sys 9eafafc0a87e0fd0aeeba439a4573537970c44c7 +golang.org/x/text 19e51611da83d6be54ddafce4a4af510cb3e9ea4 +google.golang.org/genproto d80a6e20e776b0b17a324d0ba1ab50a39c8e8944 +google.golang.org/grpc v1.23.0 +gotest.tools v2.3.0 # cri dependencies -github.com/containerd/cri b1bef15fbeb6c6f0569b67322acfa74ca3597755 # release/1.3 -github.com/containerd/go-cni 49fbd9b210f3c8ee3b7fd3cd797aabaf364627c1 -github.com/containernetworking/cni v0.7.1 -github.com/containernetworking/plugins v0.7.6 -github.com/davecgh/go-spew v1.1.1 -github.com/docker/distribution 0d3efadf0154c2b8a4e7b6621fff9809655cc580 -github.com/docker/docker 86f080cff0914e9694068ed78d503701667c4c00 -github.com/docker/spdystream 449fdfce4d962303d702fec724ef0ad181c92528 -github.com/emicklei/go-restful v2.9.5 -github.com/google/gofuzz v1.0.0 -github.com/json-iterator/go v1.1.7 -github.com/modern-go/reflect2 1.0.1 -github.com/modern-go/concurrent 1.0.3 -github.com/opencontainers/selinux v1.2.2 -github.com/seccomp/libseccomp-golang v0.9.1 -github.com/tchap/go-patricia v2.2.6 -golang.org/x/crypto 5c40567a22f818bd14a1ea7245dad9f8ef0691aa -golang.org/x/oauth2 0f29369cfe4552d0e4bcddc57cc75f4d7e672a33 -golang.org/x/time 85acf8d2951cb2a3bde7632f9ff273ef0379bcbd -gopkg.in/inf.v0 v0.9.0 -gopkg.in/yaml.v2 v2.2.2 -k8s.io/api kubernetes-1.16.0-rc.2 -k8s.io/apimachinery kubernetes-1.16.0-rc.2 -k8s.io/apiserver kubernetes-1.16.0-rc.2 -k8s.io/cri-api kubernetes-1.16.0-rc.2 -k8s.io/client-go kubernetes-1.16.0-rc.2 -k8s.io/klog v0.4.0 -k8s.io/kubernetes v1.16.0-rc.2 -k8s.io/utils c2654d5206da6b7b6ace12841e8f359bb89b443c -sigs.k8s.io/yaml v1.1.0 +github.com/containerd/cri f864905c93b97db15503c217dc9a43eb65670b53 # release/1.3 branch +github.com/davecgh/go-spew v1.1.1 +github.com/docker/distribution 0d3efadf0154c2b8a4e7b6621fff9809655cc580 +github.com/docker/docker 86f080cff0914e9694068ed78d503701667c4c00 +github.com/docker/spdystream 449fdfce4d962303d702fec724ef0ad181c92528 +github.com/emicklei/go-restful v2.9.5 +github.com/google/gofuzz v1.0.0 +github.com/json-iterator/go v1.1.8 +github.com/modern-go/concurrent 1.0.3 +github.com/modern-go/reflect2 1.0.1 +github.com/opencontainers/selinux 5215b1806f52b1fcc2070a8826c542c9d33cd3cf +github.com/seccomp/libseccomp-golang v0.9.1 +github.com/tchap/go-patricia v2.2.6 +golang.org/x/crypto 69ecbb4d6d5dab05e49161c6e77ea40a030884e1 +golang.org/x/oauth2 0f29369cfe4552d0e4bcddc57cc75f4d7e672a33 +golang.org/x/time 9d24e82272b4f38b78bc8cff74fa936d31ccd8ef +gopkg.in/inf.v0 v0.9.1 +gopkg.in/yaml.v2 v2.2.8 +k8s.io/api v0.16.6 +k8s.io/apimachinery v0.16.6 +k8s.io/apiserver v0.16.6 +k8s.io/client-go v0.16.6 +k8s.io/cri-api v0.16.6 +k8s.io/klog v1.0.0 +k8s.io/kubernetes v1.16.6 +k8s.io/utils e782cd3c129fc98ee807f3c889c0f26eb7c9daf5 +sigs.k8s.io/yaml v1.1.0 + +# cni dependencies +github.com/containerd/go-cni 49fbd9b210f3c8ee3b7fd3cd797aabaf364627c1 +github.com/containernetworking/cni v0.7.1 +github.com/containernetworking/plugins v0.7.6 # zfs dependencies -github.com/containerd/zfs 2ceb2dbb8154202ed1b8fd32e4ea25b491d7b251 -github.com/mistifyio/go-zfs f784269be439d704d3dfa1906f45dd848fed2beb -github.com/google/uuid v1.1.1 +github.com/containerd/zfs 2ceb2dbb8154202ed1b8fd32e4ea25b491d7b251 +github.com/mistifyio/go-zfs f784269be439d704d3dfa1906f45dd848fed2beb # aufs dependencies -github.com/containerd/aufs f894a800659b6e11c1a13084abd1712f346e349c +github.com/containerd/aufs f894a800659b6e11c1a13084abd1712f346e349c diff --git a/vendor/github.com/containerd/containerd/version/version.go b/vendor/github.com/containerd/containerd/version/version.go index 76c57c5089..687978b249 100644 --- a/vendor/github.com/containerd/containerd/version/version.go +++ b/vendor/github.com/containerd/containerd/version/version.go @@ -21,7 +21,7 @@ var ( Package = "github.com/containerd/containerd" // Version holds the complete version number. Filled in at linking time. - Version = "1.3.2+unknown" + Version = "1.3.6+unknown" // Revision is filled with the VCS (e.g. git) revision being used to build // the program at linking time. diff --git a/vendor/github.com/containerd/cri/Makefile b/vendor/github.com/containerd/cri/Makefile index 4d6788e9a4..1be851f404 100644 --- a/vendor/github.com/containerd/cri/Makefile +++ b/vendor/github.com/containerd/cri/Makefile @@ -1,23 +1,27 @@ -# Copyright 2018 The containerd Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. +# Copyright The containerd Authors. + +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. GO := go GOOS := $(shell $(GO) env GOOS) GOARCH := $(shell $(GO) env GOARCH) -WHALE = "🇩" -ONI = "👹" -EPOCH_TEST_COMMIT := f9e02affccd51702191e5312665a16045ffef8ab +WHALE := "🇩" +ONI := "👹" +ifeq ($(GOOS),windows) + WHALE = "+" + ONI = "-" +endif +EPOCH_TEST_COMMIT := 67de3e4ccf2b2a69b8398798af7cfca01abf7a7e PROJECT := github.com/containerd/cri BINDIR := ${DESTDIR}/usr/local/bin BUILD_DIR := _output @@ -26,35 +30,39 @@ BUILD_DIR := _output VERSION := $(shell git rev-parse --short HEAD) TARBALL_PREFIX := cri-containerd TARBALL := $(TARBALL_PREFIX)-$(VERSION).$(GOOS)-$(GOARCH).tar.gz -BUILD_TAGS := seccomp apparmor +ifneq ($(GOOS),windows) + BUILD_TAGS := seccomp apparmor selinux no_btrfs +endif +export BUILDTAGS := $(BUILD_TAGS) # Add `-TEST` suffix to indicate that all binaries built from this repo are for test. GO_LDFLAGS := -X $(PROJECT)/vendor/github.com/containerd/containerd/version.Version=$(VERSION)-TEST SOURCES := $(shell find cmd/ pkg/ vendor/ -name '*.go') PLUGIN_SOURCES := $(shell ls *.go) INTEGRATION_SOURCES := $(shell find integration/ -name '*.go') +CONTAINERD_BIN := containerd +ifeq ($(GOOS),windows) + CONTAINERD_BIN := $(CONTAINERD_BIN).exe +endif + all: binaries help: ## this help @awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z0-9._-]+:.*?## / {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST) | sort -verify: lint gofmt boiler check-vendor ## execute the source code verification tools +verify: lint gofmt check-vendor ## execute the source code verification tools version: ## print current cri plugin release version @echo $(VERSION) lint: @echo "$(WHALE) $@" - golangci-lint run --skip-files .*_test.go + golangci-lint run gofmt: @echo "$(WHALE) $@" @./hack/verify-gofmt.sh -boiler: - @echo "$(WHALE) $@" - @./hack/verify-boilerplate.sh - check-vendor: @echo "$(WHALE) $@" @./hack/verify-vendor.sh @@ -72,7 +80,7 @@ sync-vendor: update-vendor: sync-vendor sort-vendor ## Syncs containerd/vendor.conf -> vendor.conf and sorts vendor.conf @echo "$(WHALE) $@" -$(BUILD_DIR)/containerd: $(SOURCES) $(PLUGIN_SOURCES) +$(BUILD_DIR)/$(CONTAINERD_BIN): $(SOURCES) $(PLUGIN_SOURCES) @echo "$(WHALE) $@" $(GO) build -o $@ \ -tags '$(BUILD_TAGS)' \ @@ -84,7 +92,7 @@ test: ## unit test @echo "$(WHALE) $@" $(GO) test -timeout=10m -race ./pkg/... \ -tags '$(BUILD_TAGS)' \ - -ldflags '$(GO_LDFLAGS)' \ + -ldflags '$(GO_LDFLAGS)' \ -gcflags '$(GO_GCFLAGS)' $(BUILD_DIR)/integration.test: $(INTEGRATION_SOURCES) @@ -107,29 +115,34 @@ clean: ## cleanup binaries @echo "$(WHALE) $@" @rm -rf $(BUILD_DIR)/* -binaries: $(BUILD_DIR)/containerd ## build a customized containerd (same result as make containerd) +binaries: $(BUILD_DIR)/$(CONTAINERD_BIN) ## build a customized containerd (same result as make containerd) @echo "$(WHALE) $@" static-binaries: GO_LDFLAGS += -extldflags "-fno-PIC -static" -static-binaries: $(BUILD_DIR)/containerd ## build static containerd +static-binaries: $(BUILD_DIR)/$(CONTAINERD_BIN) ## build static containerd @echo "$(WHALE) $@" -containerd: $(BUILD_DIR)/containerd ## build a customized containerd with CRI plugin for testing +containerd: $(BUILD_DIR)/$(CONTAINERD_BIN) ## build a customized containerd with CRI plugin for testing @echo "$(WHALE) $@" install-containerd: containerd ## installs customized containerd to system location @echo "$(WHALE) $@" - @install -D -m 755 $(BUILD_DIR)/containerd $(BINDIR)/containerd + @install -D -m 755 $(BUILD_DIR)/$(CONTAINERD_BIN) "$(BINDIR)/$(CONTAINERD_BIN)" install: install-containerd ## installs customized containerd to system location @echo "$(WHALE) $@" uninstall: ## remove containerd from system location @echo "$(WHALE) $@" - @rm -f $(BINDIR)/containerd + @rm -f "$(BINDIR)/$(CONTAINERD_BIN)" +ifeq ($(GOOS),windows) +$(BUILD_DIR)/$(TARBALL): static-binaries vendor.conf + @BUILD_DIR=$(BUILD_DIR) TARBALL=$(TARBALL) VERSION=$(VERSION) ./hack/release-windows.sh +else $(BUILD_DIR)/$(TARBALL): static-binaries vendor.conf @BUILD_DIR=$(BUILD_DIR) TARBALL=$(TARBALL) VERSION=$(VERSION) ./hack/release.sh +endif release: $(BUILD_DIR)/$(TARBALL) ## build release tarball @@ -142,22 +155,29 @@ proto: ## update protobuf of the cri plugin api @API_PATH=pkg/api/v1 hack/update-proto.sh @API_PATH=pkg/api/runtimeoptions/v1 hack/update-proto.sh -.PHONY: install.deps +.PHONY: install.deps .install.deps.linux .install.deps.windows -install.deps: ## install dependencies of cri (default 'seccomp apparmor' BUILDTAGS for runc build) +ifeq ($(GOOS),windows) +install.deps: .install.deps.windows ## install windows deps on windows +else +install.deps: .install.deps.linux ## install windows deps on linux +endif + +.install.deps.linux: ## install dependencies of cri @echo "$(WHALE) $@" @./hack/install/install-deps.sh +.install.deps.windows: ## install dependencies of cri on windows + @echo "$(WHALE) $@" + @./hack/install/windows/install-deps.sh + .PHONY: .gitvalidation -# When this is running in travis, it will only check the travis commit range. -# When running outside travis, it will check from $(EPOCH_TEST_COMMIT)..HEAD. +# make .gitvalidation is only used localy for manual testing +# requires a clone of github.com/containerd/project +# containerd/project DCO validation runs automatically with github actions in ci.yml for each pull .gitvalidation: @echo "$(WHALE) $@" -ifeq ($(TRAVIS),true) - git-validation -q -run DCO,short-subject -else - git-validation -v -run DCO,short-subject -range $(EPOCH_TEST_COMMIT)..HEAD -endif + DCO_VERBOSITY=-v DCO_RANGE=$(EPOCH_TEST_COMMIT)..HEAD ../project/script/validate/dco .PHONY: install.tools .install.gitvalidation .install.golangci-lint .install.vndr @@ -186,7 +206,6 @@ install.tools: .install.gitvalidation .install.golangci-lint .install.vndr ## in install-containerd \ release \ push \ - boiler \ clean \ default \ gofmt \ diff --git a/vendor/github.com/containerd/cri/cri.go b/vendor/github.com/containerd/cri/cri.go index d477c1efbc..a74413ea65 100644 --- a/vendor/github.com/containerd/cri/cri.go +++ b/vendor/github.com/containerd/cri/cri.go @@ -63,6 +63,10 @@ func initCRIService(ic *plugin.InitContext) (interface{}, error) { ic.Meta.Exports = map[string]string{"CRIVersion": constants.CRIVersion} ctx := ic.Context pluginConfig := ic.Config.(*criconfig.PluginConfig) + if err := criconfig.ValidatePluginConfig(ctx, pluginConfig); err != nil { + return nil, errors.Wrap(err, "invalid plugin config") + } + c := criconfig.Config{ PluginConfig: *pluginConfig, ContainerdRootDir: filepath.Dir(ic.Root), @@ -72,10 +76,6 @@ func initCRIService(ic *plugin.InitContext) (interface{}, error) { } log.G(ctx).Infof("Start cri plugin with config %+v", c) - if err := criconfig.ValidatePluginConfig(ctx, pluginConfig); err != nil { - return nil, errors.Wrap(err, "invalid plugin config") - } - if err := setGLogLevel(); err != nil { return nil, errors.Wrap(err, "failed to set glog level") } diff --git a/vendor/github.com/containerd/cri/pkg/config/config.go b/vendor/github.com/containerd/cri/pkg/config/config.go index 97d4fe6be2..7c5f9ebea1 100644 --- a/vendor/github.com/containerd/cri/pkg/config/config.go +++ b/vendor/github.com/containerd/cri/pkg/config/config.go @@ -122,9 +122,10 @@ type AuthConfig struct { // TLSConfig contains the CA/Cert/Key used for a registry type TLSConfig struct { - CAFile string `toml:"ca_file" json:"caFile"` - CertFile string `toml:"cert_file" json:"certFile"` - KeyFile string `toml:"key_file" json:"keyFile"` + InsecureSkipVerify bool `toml:"insecure_skip_verify" json:"insecure_skip_verify"` + CAFile string `toml:"ca_file" json:"caFile"` + CertFile string `toml:"cert_file" json:"certFile"` + KeyFile string `toml:"key_file" json:"keyFile"` } // Registry is registry settings configured diff --git a/vendor/github.com/containerd/cri/pkg/server/container_create.go b/vendor/github.com/containerd/cri/pkg/server/container_create.go index c7e44fdbf2..878cd13e3a 100644 --- a/vendor/github.com/containerd/cri/pkg/server/container_create.go +++ b/vendor/github.com/containerd/cri/pkg/server/container_create.go @@ -39,6 +39,7 @@ import ( "github.com/davecgh/go-spew/spew" imagespec "github.com/opencontainers/image-spec/specs-go/v1" runtimespec "github.com/opencontainers/runtime-spec/specs-go" + selinux "github.com/opencontainers/selinux/go-selinux" "github.com/opencontainers/selinux/go-selinux/label" "github.com/pkg/errors" "golang.org/x/net/context" @@ -182,7 +183,7 @@ func (c *criService) CreateContainer(ctx context.Context, r *runtime.CreateConta } defer func() { if retErr != nil { - _ = label.ReleaseLabel(spec.Process.SelinuxLabel) + selinux.ReleaseLabel(spec.Process.SelinuxLabel) } }() @@ -379,11 +380,13 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP specOpts = append(specOpts, oci.WithEnv(env)) securityContext := config.GetLinux().GetSecurityContext() - labelOptions := toLabel(securityContext.GetSelinuxOptions()) - if len(labelOptions) == 0 { - // Use pod level SELinux config + labelOptions, err := toLabel(securityContext.GetSelinuxOptions()) + if err != nil { + return nil, err + } + if len(labelOptions) == 0 { // Use pod level SELinux config if sandbox, err := c.sandboxStore.Get(sandboxID); err == nil { - labelOptions, err = label.DupSecOpt(sandbox.ProcessLabel) + labelOptions, err = selinux.DupSecOpt(sandbox.ProcessLabel) if err != nil { return nil, err } @@ -396,7 +399,7 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP } defer func() { if retErr != nil { - _ = label.ReleaseLabel(processLabel) + selinux.ReleaseLabel(processLabel) } }() diff --git a/vendor/github.com/containerd/cri/pkg/server/container_remove.go b/vendor/github.com/containerd/cri/pkg/server/container_remove.go index e5d9ef2d09..8f39cf9a22 100644 --- a/vendor/github.com/containerd/cri/pkg/server/container_remove.go +++ b/vendor/github.com/containerd/cri/pkg/server/container_remove.go @@ -22,6 +22,7 @@ import ( "github.com/containerd/containerd/log" "github.com/docker/docker/pkg/system" "github.com/pkg/errors" + "github.com/sirupsen/logrus" "golang.org/x/net/context" runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2" @@ -30,7 +31,6 @@ import ( ) // RemoveContainer removes the container. -// TODO(random-liu): Forcibly stop container if it's running. func (c *criService) RemoveContainer(ctx context.Context, r *runtime.RemoveContainerRequest) (_ *runtime.RemoveContainerResponse, retErr error) { container, err := c.containerStore.Get(r.GetContainerId()) if err != nil { @@ -43,6 +43,17 @@ func (c *criService) RemoveContainer(ctx context.Context, r *runtime.RemoveConta } id := container.ID + // Forcibly stop the containers if they are in running or unknown state + state := container.Status.Get().State() + if state == runtime.ContainerState_CONTAINER_RUNNING || + state == runtime.ContainerState_CONTAINER_UNKNOWN { + logrus.Infof("Forcibly stopping container %q", id) + if err := c.stopContainer(ctx, container, 0); err != nil { + return nil, errors.Wrapf(err, "failed to forcibly stop container %q", id) + } + + } + // Set removing state to prevent other start/remove operations against this container // while it's being removed. if err := setContainerRemoving(container); err != nil { diff --git a/vendor/github.com/containerd/cri/pkg/server/events.go b/vendor/github.com/containerd/cri/pkg/server/events.go index e4536a5599..fcbf0a3cab 100644 --- a/vendor/github.com/containerd/cri/pkg/server/events.go +++ b/vendor/github.com/containerd/cri/pkg/server/events.go @@ -333,6 +333,12 @@ func handleContainerExit(ctx context.Context, e *eventtypes.TaskExit, cntr conta status.Pid = 0 status.FinishedAt = e.ExitedAt.UnixNano() status.ExitCode = int32(e.ExitStatus) + // Unknown state can only transit to EXITED state, so we need + // to handle unknown state here. + if status.Unknown { + logrus.Debugf("Container %q transited from UNKNOWN to EXITED", cntr.ID) + status.Unknown = false + } return status, nil }) if err != nil { diff --git a/vendor/github.com/containerd/cri/pkg/server/helpers.go b/vendor/github.com/containerd/cri/pkg/server/helpers.go index 4ec03ca33c..e8e8c501dd 100644 --- a/vendor/github.com/containerd/cri/pkg/server/helpers.go +++ b/vendor/github.com/containerd/cri/pkg/server/helpers.go @@ -298,11 +298,15 @@ func (c *criService) ensureImageExists(ctx context.Context, ref string, config * return &newImage, nil } -func toLabel(selinuxOptions *runtime.SELinuxOption) (labels []string) { - if selinuxOptions == nil { - return nil - } +func toLabel(selinuxOptions *runtime.SELinuxOption) ([]string, error) { + var labels []string + if selinuxOptions == nil { + return nil, nil + } + if err := checkSelinuxLevel(selinuxOptions.Level); err != nil { + return nil, err + } if selinuxOptions.User != "" { labels = append(labels, "user:"+selinuxOptions.User) } @@ -316,11 +320,15 @@ func toLabel(selinuxOptions *runtime.SELinuxOption) (labels []string) { labels = append(labels, "level:"+selinuxOptions.Level) } - return + return labels, nil } func initLabelsFromOpt(selinuxOpts *runtime.SELinuxOption) (string, string, error) { - return initLabels(toLabel(selinuxOpts)) + labels, err := toLabel(selinuxOpts) + if err != nil { + return "", "", err + } + return label.InitLabels(labels) } func initLabels(options []string) (string, string, error) { @@ -339,7 +347,7 @@ func checkSelinuxLevel(level string) error { return nil } - matched, err := regexp.MatchString(`^s\d(-s\d)??(:c\d{1,4}((.c\d{1,4})?,c\d{1,4})*(.c\d{1,4})?(,c\d{1,4}(.c\d{1,4})?)*)?$`, level) + matched, err := regexp.MatchString(`^s\d(-s\d)??(:c\d{1,4}(\.c\d{1,4})?(,c\d{1,4}(\.c\d{1,4})?)*)?$`, level) if err != nil { return errors.Wrapf(err, "the format of 'level' %q is not correct", level) } @@ -473,6 +481,7 @@ func unknownContainerStatus() containerstore.Status { FinishedAt: 0, ExitCode: unknownExitCode, Reason: unknownExitReason, + Unknown: true, } } diff --git a/vendor/github.com/containerd/cri/pkg/server/image_pull.go b/vendor/github.com/containerd/cri/pkg/server/image_pull.go index 196bfbf378..d12caf5674 100644 --- a/vendor/github.com/containerd/cri/pkg/server/image_pull.go +++ b/vendor/github.com/containerd/cri/pkg/server/image_pull.go @@ -253,39 +253,41 @@ func (c *criService) updateImage(ctx context.Context, r string) error { // getTLSConfig returns a TLSConfig configured with a CA/Cert/Key specified by registryTLSConfig func (c *criService) getTLSConfig(registryTLSConfig criconfig.TLSConfig) (*tls.Config, error) { var ( - cert tls.Certificate - err error + tlsConfig = &tls.Config{} + cert tls.Certificate + err error ) - if registryTLSConfig.CertFile != "" && registryTLSConfig.KeyFile != "" { - cert, err = tls.LoadX509KeyPair(registryTLSConfig.CertFile, registryTLSConfig.KeyFile) - if err != nil { - return nil, errors.Wrap(err, "failed to load cert file") - } - } if registryTLSConfig.CertFile != "" && registryTLSConfig.KeyFile == "" { return nil, errors.Errorf("cert file %q was specified, but no corresponding key file was specified", registryTLSConfig.CertFile) } if registryTLSConfig.CertFile == "" && registryTLSConfig.KeyFile != "" { return nil, errors.Errorf("key file %q was specified, but no corresponding cert file was specified", registryTLSConfig.KeyFile) } + if registryTLSConfig.CertFile != "" && registryTLSConfig.KeyFile != "" { + cert, err = tls.LoadX509KeyPair(registryTLSConfig.CertFile, registryTLSConfig.KeyFile) + if err != nil { + return nil, errors.Wrap(err, "failed to load cert file") + } + if len(cert.Certificate) != 0 { + tlsConfig.Certificates = []tls.Certificate{cert} + } + tlsConfig.BuildNameToCertificate() + } - caCertPool, err := x509.SystemCertPool() - if err != nil { - return nil, errors.Wrap(err, "failed to get system cert pool") + if registryTLSConfig.CAFile != "" { + caCertPool, err := x509.SystemCertPool() + if err != nil { + return nil, errors.Wrap(err, "failed to get system cert pool") + } + caCert, err := ioutil.ReadFile(registryTLSConfig.CAFile) + if err != nil { + return nil, errors.Wrap(err, "failed to load CA file") + } + caCertPool.AppendCertsFromPEM(caCert) + tlsConfig.RootCAs = caCertPool } - caCert, err := ioutil.ReadFile(registryTLSConfig.CAFile) - if err != nil { - return nil, errors.Wrap(err, "failed to load CA file") - } - caCertPool.AppendCertsFromPEM(caCert) - tlsConfig := &tls.Config{ - RootCAs: caCertPool, - } - if len(cert.Certificate) != 0 { - tlsConfig.Certificates = []tls.Certificate{cert} - } - tlsConfig.BuildNameToCertificate() + tlsConfig.InsecureSkipVerify = registryTLSConfig.InsecureSkipVerify return tlsConfig, nil } diff --git a/vendor/github.com/containerd/cri/pkg/server/restart.go b/vendor/github.com/containerd/cri/pkg/server/restart.go index 30b1fa625b..75cbb7f319 100644 --- a/vendor/github.com/containerd/cri/pkg/server/restart.go +++ b/vendor/github.com/containerd/cri/pkg/server/restart.go @@ -307,7 +307,9 @@ func (c *criService) loadContainer(ctx context.Context, cntr containerd.Containe }() if err != nil { log.G(ctx).WithError(err).Errorf("Failed to load container status for %q", id) - status = unknownContainerStatus() + // Only set the unknown field in this case, because other fields may + // contain useful information loaded from the checkpoint. + status.Unknown = true } opts := []containerstore.Opts{ containerstore.WithStatus(status, containerDir), diff --git a/vendor/github.com/containerd/cri/pkg/server/sandbox_remove.go b/vendor/github.com/containerd/cri/pkg/server/sandbox_remove.go index 017c56cefb..c0ef5c04b5 100644 --- a/vendor/github.com/containerd/cri/pkg/server/sandbox_remove.go +++ b/vendor/github.com/containerd/cri/pkg/server/sandbox_remove.go @@ -22,6 +22,7 @@ import ( "github.com/containerd/containerd/log" "github.com/docker/docker/pkg/system" "github.com/pkg/errors" + "github.com/sirupsen/logrus" "golang.org/x/net/context" runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2" @@ -49,7 +50,10 @@ func (c *criService) RemovePodSandbox(ctx context.Context, r *runtime.RemovePodS // Return error if sandbox container is still running or unknown. state := sandbox.Status.Get().State if state == sandboxstore.StateReady || state == sandboxstore.StateUnknown { - return nil, errors.Errorf("sandbox container %q is not fully stopped", id) + logrus.Infof("Forcibly stopping sandbox %q", id) + if err := c.stopPodSandbox(ctx, sandbox); err != nil { + return nil, errors.Wrapf(err, "failed to forcibly stop sandbox %q", id) + } } // Return error if sandbox network namespace is not closed yet. diff --git a/vendor/github.com/containerd/cri/pkg/server/sandbox_run.go b/vendor/github.com/containerd/cri/pkg/server/sandbox_run.go index 24cdf5f03a..d229d14a70 100644 --- a/vendor/github.com/containerd/cri/pkg/server/sandbox_run.go +++ b/vendor/github.com/containerd/cri/pkg/server/sandbox_run.go @@ -34,7 +34,7 @@ import ( "github.com/davecgh/go-spew/spew" imagespec "github.com/opencontainers/image-spec/specs-go/v1" runtimespec "github.com/opencontainers/runtime-spec/specs-go" - "github.com/opencontainers/selinux/go-selinux/label" + selinux "github.com/opencontainers/selinux/go-selinux" "github.com/pkg/errors" "github.com/sirupsen/logrus" "golang.org/x/net/context" @@ -162,7 +162,7 @@ func (c *criService) RunPodSandbox(ctx context.Context, r *runtime.RunPodSandbox sandbox.ProcessLabel = spec.Process.SelinuxLabel defer func() { if retErr != nil { - _ = label.ReleaseLabel(sandbox.ProcessLabel) + selinux.ReleaseLabel(sandbox.ProcessLabel) } }() @@ -284,7 +284,7 @@ func (c *criService) RunPodSandbox(ctx context.Context, r *runtime.RunPodSandbox var taskOpts []containerd.NewTaskOpts // TODO(random-liu): Remove this after shim v1 is deprecated. - if c.config.NoPivot && ociRuntime.Type == plugin.RuntimeRuncV1 { + if c.config.NoPivot && (ociRuntime.Type == plugin.RuntimeRuncV1 || ociRuntime.Type == plugin.RuntimeRuncV2) { taskOpts = append(taskOpts, containerd.WithNoPivotRoot) } // We don't need stdio for sandbox container. @@ -422,7 +422,7 @@ func (c *criService) generateSandboxContainerSpec(id string, config *runtime.Pod } defer func() { if retErr != nil && processLabel != "" { - _ = label.ReleaseLabel(processLabel) + selinux.ReleaseLabel(processLabel) } }() diff --git a/vendor/github.com/containerd/cri/pkg/server/sandbox_stop.go b/vendor/github.com/containerd/cri/pkg/server/sandbox_stop.go index aab6a73013..e8fc981cc5 100644 --- a/vendor/github.com/containerd/cri/pkg/server/sandbox_stop.go +++ b/vendor/github.com/containerd/cri/pkg/server/sandbox_stop.go @@ -1,17 +1,17 @@ /* -Copyright 2017 The Kubernetes Authors. + Copyright The containerd Authors. -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at - http://www.apache.org/licenses/LICENSE-2.0 + http://www.apache.org/licenses/LICENSE-2.0 -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. */ package server @@ -40,6 +40,15 @@ func (c *criService) StopPodSandbox(ctx context.Context, r *runtime.StopPodSandb return nil, errors.Wrapf(err, "an error occurred when try to find sandbox %q", r.GetPodSandboxId()) } + + if err := c.stopPodSandbox(ctx, sandbox); err != nil { + return nil, err + } + + return &runtime.StopPodSandboxResponse{}, nil +} + +func (c *criService) stopPodSandbox(ctx context.Context, sandbox sandboxstore.Sandbox) error { // Use the full sandbox id. id := sandbox.ID @@ -53,20 +62,20 @@ func (c *criService) StopPodSandbox(ctx context.Context, r *runtime.StopPodSandb } // Forcibly stop the container. Do not use `StopContainer`, because it introduces a race // if a container is removed after list. - if err = c.stopContainer(ctx, container, 0); err != nil { - return nil, errors.Wrapf(err, "failed to stop container %q", container.ID) + if err := c.stopContainer(ctx, container, 0); err != nil { + return errors.Wrapf(err, "failed to stop container %q", container.ID) } } if err := c.unmountSandboxFiles(id, sandbox.Config); err != nil { - return nil, errors.Wrap(err, "failed to unmount sandbox files") + return errors.Wrap(err, "failed to unmount sandbox files") } // Only stop sandbox container when it's running or unknown. state := sandbox.Status.Get().State if state == sandboxstore.StateReady || state == sandboxstore.StateUnknown { if err := c.stopSandboxContainer(ctx, sandbox); err != nil { - return nil, errors.Wrapf(err, "failed to stop sandbox container %q in %q state", id, state) + return errors.Wrapf(err, "failed to stop sandbox container %q in %q state", id, state) } } @@ -75,21 +84,21 @@ func (c *criService) StopPodSandbox(ctx context.Context, r *runtime.StopPodSandb // Use empty netns path if netns is not available. This is defined in: // https://github.com/containernetworking/cni/blob/v0.7.0-alpha1/SPEC.md if closed, err := sandbox.NetNS.Closed(); err != nil { - return nil, errors.Wrap(err, "failed to check network namespace closed") + return errors.Wrap(err, "failed to check network namespace closed") } else if closed { sandbox.NetNSPath = "" } if err := c.teardownPodNetwork(ctx, sandbox); err != nil { - return nil, errors.Wrapf(err, "failed to destroy network for sandbox %q", id) + return errors.Wrapf(err, "failed to destroy network for sandbox %q", id) } - if err = sandbox.NetNS.Remove(); err != nil { - return nil, errors.Wrapf(err, "failed to remove network namespace for sandbox %q", id) + if err := sandbox.NetNS.Remove(); err != nil { + return errors.Wrapf(err, "failed to remove network namespace for sandbox %q", id) } } log.G(ctx).Infof("TearDown network for sandbox %q successfully", id) - return &runtime.StopPodSandboxResponse{}, nil + return nil } // stopSandboxContainer kills the sandbox container. diff --git a/vendor/github.com/containerd/cri/pkg/store/container/status.go b/vendor/github.com/containerd/cri/pkg/store/container/status.go index c46325bbe0..9aaef6970f 100644 --- a/vendor/github.com/containerd/cri/pkg/store/container/status.go +++ b/vendor/github.com/containerd/cri/pkg/store/container/status.go @@ -94,10 +94,16 @@ type Status struct { // Removing indicates that the container is in removing state. // This field doesn't need to be checkpointed. Removing bool `json:"-"` + // Unknown indicates that the container status is not fully loaded. + // This field doesn't need to be checkpointed. + Unknown bool `json:"-"` } // State returns current state of the container based on the container status. func (s Status) State() runtime.ContainerState { + if s.Unknown { + return runtime.ContainerState_CONTAINER_UNKNOWN + } if s.FinishedAt != 0 { return runtime.ContainerState_CONTAINER_EXITED } diff --git a/vendor/github.com/containerd/cri/vendor.conf b/vendor/github.com/containerd/cri/vendor.conf index 9a785d077f..9080ba8931 100644 --- a/vendor/github.com/containerd/cri/vendor.conf +++ b/vendor/github.com/containerd/cri/vendor.conf @@ -1,75 +1,80 @@ # cri dependencies github.com/tchap/go-patricia v2.2.6 -github.com/opencontainers/selinux v1.2.2 +github.com/opencontainers/selinux bb88c45a3863dc4c38320d71b890bb30ef9feba4 github.com/docker/docker 86f080cff0914e9694068ed78d503701667c4c00 github.com/docker/distribution 0d3efadf0154c2b8a4e7b6621fff9809655cc580 # containerd dependencies -go.etcd.io/bbolt 2eb7227adea1d5cf85f0bc2a82b7059b13c2fa68 -google.golang.org/grpc 25c4f928eaa6d96443009bd842389fb4fa48664e # v1.20.1 -google.golang.org/genproto d80a6e20e776b0b17a324d0ba1ab50a39c8e8944 -golang.org/x/text 19e51611da83d6be54ddafce4a4af510cb3e9ea4 -golang.org/x/sys 4c4f7f33c9ed00de01c4c741d2177abfcfe19307 https://github.com/golang/sys -golang.org/x/sync 42b317875d0fa942474b76e1b46a6060d720ae6e -golang.org/x/net f3200d17e092c607f615320ecaad13d87ad9a2b3 -github.com/urfave/cli 7bc6a0acffa589f415f88aca16cc1de5ffd66f9c -github.com/syndtr/gocapability d98352740cb2c55f81556b63d4a1ec64c5a319c2 -github.com/sirupsen/logrus v1.4.1 -github.com/prometheus/procfs cb4147076ac75738c9a7d279075a253c0cc5acbd -github.com/prometheus/common 89604d197083d4781071d3c65855d24ecfb0a563 -github.com/prometheus/client_model 99fa1f4be8e564e8a6b613da7fa6f46c9edafc6c -github.com/prometheus/client_golang f4fb1b73fb099f396a7f0036bf86aa8def4ed823 -github.com/pkg/errors v0.8.1 -github.com/opencontainers/runtime-spec 29686dbc5559d93fb1ef402eeda3e35c38d75af4 # v1.0.1-59-g29686db -github.com/opencontainers/runc f4982d86f7fde0b6f953cc62ccc4022c519a10a9 # v1.0.0-rc8-32-gf4982d86 -github.com/opencontainers/image-spec v1.0.1 -github.com/opencontainers/go-digest c9281466c8b2f606084ac71339773efd177436e7 -github.com/matttproud/golang_protobuf_extensions v1.0.1 -github.com/grpc-ecosystem/go-grpc-prometheus v1.1 -github.com/google/uuid v1.1.1 -github.com/golang/protobuf v1.2.0 -github.com/gogo/protobuf v1.2.1 -github.com/gogo/googleapis v1.2.0 -github.com/godbus/dbus v3 -github.com/docker/go-units v0.4.0 -github.com/docker/go-metrics 4ea375f7759c82740c893fc030bc37088d2ec098 -github.com/docker/go-events 9461782956ad83b30282bf90e31fa6a70c255ba9 -github.com/coreos/go-systemd v14 -github.com/containerd/typeurl a93fcdb778cd272c6e9b3028b2f42d813e785d40 -github.com/containerd/ttrpc 92c8520ef9f86600c650dd540266a007bf03670f -github.com/containerd/go-runc e029b79d8cda8374981c64eba71f28ec38e5526f -github.com/containerd/fifo bda0ff6ed73c67bfb5e62bc9c697f146b7fd7f13 -github.com/containerd/continuity f2a389ac0a02ce21c09edd7344677a601970f41c -github.com/containerd/containerd d4802a64f9737f02db3426751f380d97fc878dec -github.com/containerd/console 0650fd9eeb50bab4fc99dceb9f2e14cf58f36e7f -github.com/containerd/cgroups c4b9ac5c7601384c965b9646fc515884e091ebb9 -github.com/beorn7/perks 4c0e84591b9aa9e6dcfdf3e020114cd81f89d5f9 -github.com/Microsoft/hcsshim 9e921883ac929bbe515b39793ece99ce3a9d7706 -github.com/Microsoft/go-winio v0.4.14 github.com/BurntSushi/toml v0.3.1 -github.com/imdario/mergo v0.3.7 +github.com/Microsoft/go-winio v0.4.14 +github.com/Microsoft/hcsshim 9e921883ac929bbe515b39793ece99ce3a9d7706 +github.com/beorn7/perks 4c0e84591b9aa9e6dcfdf3e020114cd81f89d5f9 +github.com/containerd/cgroups c4b9ac5c7601384c965b9646fc515884e091ebb9 +github.com/containerd/console 0650fd9eeb50bab4fc99dceb9f2e14cf58f36e7f +github.com/containerd/containerd v1.3.6 +github.com/containerd/continuity f2a389ac0a02ce21c09edd7344677a601970f41c +github.com/containerd/fifo bda0ff6ed73c67bfb5e62bc9c697f146b7fd7f13 +github.com/containerd/go-runc e029b79d8cda8374981c64eba71f28ec38e5526f +github.com/containerd/ttrpc 92c8520ef9f86600c650dd540266a007bf03670f +github.com/containerd/typeurl a93fcdb778cd272c6e9b3028b2f42d813e785d40 +github.com/coreos/go-systemd 48702e0da86bd25e76cfef347e2adeb434a0d0a6 # v14 +github.com/cpuguy83/go-md2man 7762f7e404f8416dfa1d9bb6a8c192aa9acb4d19 # v1.0.10 +github.com/docker/go-events 9461782956ad83b30282bf90e31fa6a70c255ba9 +github.com/docker/go-metrics 4ea375f7759c82740c893fc030bc37088d2ec098 +github.com/docker/go-units v0.4.0 +github.com/godbus/dbus c7fdd8b5cd55e87b4e1f4e372cdb1db61dd6c66f # v3 +github.com/gogo/googleapis v1.2.0 +github.com/gogo/protobuf v1.2.1 +github.com/golang/protobuf v1.2.0 +github.com/google/uuid 0cd6bf5da1e1c83f8b45653022c74f71af0538a4 # v1.1.1 +github.com/grpc-ecosystem/go-grpc-prometheus 6b7015e65d366bf3f19b2b2a000a831940f0f7e0 # v1.1 +github.com/hashicorp/golang-lru v0.5.3 +github.com/imdario/mergo 7c29201646fa3de8506f701213473dd407f19646 # v0.3.7 +github.com/matttproud/golang_protobuf_extensions v1.0.1 +github.com/opencontainers/go-digest c9281466c8b2f606084ac71339773efd177436e7 +github.com/opencontainers/image-spec v1.0.1 +github.com/opencontainers/runc d736ef14f0288d6993a1845745d6756cfc9ddd5a # v1.0.0-rc9 +github.com/opencontainers/runtime-spec 29686dbc5559d93fb1ef402eeda3e35c38d75af4 # v1.0.1-59-g29686db +github.com/pkg/errors v0.8.1 +github.com/prometheus/client_golang f4fb1b73fb099f396a7f0036bf86aa8def4ed823 +github.com/prometheus/client_model 99fa1f4be8e564e8a6b613da7fa6f46c9edafc6c +github.com/prometheus/common 89604d197083d4781071d3c65855d24ecfb0a563 +github.com/prometheus/procfs cb4147076ac75738c9a7d279075a253c0cc5acbd +github.com/russross/blackfriday 05f3235734ad95d0016f6a23902f06461fcf567a # v1.5.2 +github.com/sirupsen/logrus v1.4.1 +github.com/syndtr/gocapability d98352740cb2c55f81556b63d4a1ec64c5a319c2 +github.com/urfave/cli v1.22.0 +go.etcd.io/bbolt v1.3.3 +go.opencensus.io v0.22.0 +golang.org/x/net f3200d17e092c607f615320ecaad13d87ad9a2b3 +golang.org/x/sync 42b317875d0fa942474b76e1b46a6060d720ae6e +golang.org/x/sys 9eafafc0a87e0fd0aeeba439a4573537970c44c7 https://github.com/golang/sys +golang.org/x/text 19e51611da83d6be54ddafce4a4af510cb3e9ea4 +google.golang.org/appengine v1.5.0 +google.golang.org/genproto d80a6e20e776b0b17a324d0ba1ab50a39c8e8944 +google.golang.org/grpc 6eaf6f47437a6b4e2153a190160ef39a92c7eceb # v1.23.0 # kubernetes dependencies sigs.k8s.io/yaml v1.1.0 -k8s.io/utils c2654d5206da6b7b6ace12841e8f359bb89b443c -k8s.io/kubernetes v1.16.0-rc.2 -k8s.io/klog v0.4.0 -k8s.io/cri-api kubernetes-1.16.0-rc.2 -k8s.io/client-go kubernetes-1.16.0-rc.2 -k8s.io/api kubernetes-1.16.0-rc.2 -k8s.io/apiserver kubernetes-1.16.0-rc.2 -k8s.io/apimachinery kubernetes-1.16.0-rc.2 -gopkg.in/yaml.v2 v2.2.2 -gopkg.in/inf.v0 v0.9.0 -golang.org/x/time 85acf8d2951cb2a3bde7632f9ff273ef0379bcbd +k8s.io/utils e782cd3c129fc98ee807f3c889c0f26eb7c9daf5 +k8s.io/kubernetes v1.16.6 +k8s.io/klog v1.0.0 +k8s.io/cri-api kubernetes-1.16.6 +k8s.io/client-go kubernetes-1.16.6 +k8s.io/api kubernetes-1.16.6 +k8s.io/apiserver kubernetes-1.16.6 +k8s.io/apimachinery kubernetes-1.16.6 +gopkg.in/yaml.v2 53403b58ad1b561927d19068c655246f2db79d48 # v2.2.8 +gopkg.in/inf.v0 v0.9.1 +golang.org/x/time 9d24e82272b4f38b78bc8cff74fa936d31ccd8ef golang.org/x/oauth2 0f29369cfe4552d0e4bcddc57cc75f4d7e672a33 -golang.org/x/crypto 5c40567a22f818bd14a1ea7245dad9f8ef0691aa -github.com/stretchr/testify v1.3.0 +golang.org/x/crypto 60c769a6c58655dab1b9adac0d58967dd517cfba +github.com/stretchr/testify v1.4.0 github.com/seccomp/libseccomp-golang v0.9.1 github.com/pmezard/go-difflib v1.0.0 -github.com/modern-go/reflect2 1.0.1 +github.com/modern-go/reflect2 v1.0.1 github.com/modern-go/concurrent 1.0.3 -github.com/json-iterator/go v1.1.7 +github.com/json-iterator/go v1.1.8 github.com/google/gofuzz v1.0.0 github.com/emicklei/go-restful v2.9.5 github.com/docker/spdystream 449fdfce4d962303d702fec724ef0ad181c92528 diff --git a/vendor/github.com/containerd/go-cni/namespace_opts.go b/vendor/github.com/containerd/go-cni/namespace_opts.go index 1fad5f69a5..e8092e85ec 100644 --- a/vendor/github.com/containerd/go-cni/namespace_opts.go +++ b/vendor/github.com/containerd/go-cni/namespace_opts.go @@ -42,14 +42,6 @@ func WithCapabilityBandWidth(bandWidth BandWidth) NamespaceOpts { } } -// WithCapabilityDNS adds support for dns -func WithCapabilityDNS(dns DNS) NamespaceOpts { - return func(c *Namespace) error { - c.capabilityArgs["dns"] = dns - return nil - } -} - func WithCapability(name string, capability interface{}) NamespaceOpts { return func(c *Namespace) error { c.capabilityArgs[name] = capability diff --git a/vendor/github.com/containerd/go-cni/opts.go b/vendor/github.com/containerd/go-cni/opts.go index 1dd7869a2d..5222df1e9e 100644 --- a/vendor/github.com/containerd/go-cni/opts.go +++ b/vendor/github.com/containerd/go-cni/opts.go @@ -142,24 +142,6 @@ func WithConfFile(fileName string) CNIOpt { } } -// WithConfListBytes can be used to load network config list directly -// from byte -func WithConfListBytes(bytes []byte) CNIOpt { - return func(c *libcni) error { - confList, err := cnilibrary.ConfListFromBytes(bytes) - if err != nil { - return err - } - i := len(c.networks) - c.networks = append(c.networks, &Network{ - cni: c.cniConfig, - config: confList, - ifName: getIfName(c.prefix, i), - }) - return nil - } -} - // WithConfListFile can be used to load network config // from an .conflist file. Supported with absolute fileName // with path only. diff --git a/vendor/github.com/containerd/go-cni/types.go b/vendor/github.com/containerd/go-cni/types.go index 0b7db1ee0a..8583050e48 100644 --- a/vendor/github.com/containerd/go-cni/types.go +++ b/vendor/github.com/containerd/go-cni/types.go @@ -53,13 +53,3 @@ type BandWidth struct { EgressRate uint64 EgressBurst uint64 } - -// DNS defines the dns config -type DNS struct { - // List of DNS servers of the cluster. - Servers []string - // List of DNS search domains of the cluster. - Searches []string - // List of DNS options. - Options []string -} diff --git a/vendor/github.com/hashicorp/errwrap/LICENSE b/vendor/github.com/hashicorp/errwrap/LICENSE new file mode 100644 index 0000000000..c33dcc7c92 --- /dev/null +++ b/vendor/github.com/hashicorp/errwrap/LICENSE @@ -0,0 +1,354 @@ +Mozilla Public License, version 2.0 + +1. Definitions + +1.1. “Contributor” + + means each individual or legal entity that creates, contributes to the + creation of, or owns Covered Software. + +1.2. “Contributor Version” + + means the combination of the Contributions of others (if any) used by a + Contributor and that particular Contributor’s Contribution. + +1.3. “Contribution” + + means Covered Software of a particular Contributor. + +1.4. “Covered Software” + + means Source Code Form to which the initial Contributor has attached the + notice in Exhibit A, the Executable Form of such Source Code Form, and + Modifications of such Source Code Form, in each case including portions + thereof. + +1.5. “Incompatible With Secondary Licenses” + means + + a. that the initial Contributor has attached the notice described in + Exhibit B to the Covered Software; or + + b. that the Covered Software was made available under the terms of version + 1.1 or earlier of the License, but not also under the terms of a + Secondary License. + +1.6. “Executable Form” + + means any form of the work other than Source Code Form. + +1.7. “Larger Work” + + means a work that combines Covered Software with other material, in a separate + file or files, that is not Covered Software. + +1.8. “License” + + means this document. + +1.9. “Licensable” + + means having the right to grant, to the maximum extent possible, whether at the + time of the initial grant or subsequently, any and all of the rights conveyed by + this License. + +1.10. “Modifications” + + means any of the following: + + a. any file in Source Code Form that results from an addition to, deletion + from, or modification of the contents of Covered Software; or + + b. any new file in Source Code Form that contains any Covered Software. + +1.11. “Patent Claims” of a Contributor + + means any patent claim(s), including without limitation, method, process, + and apparatus claims, in any patent Licensable by such Contributor that + would be infringed, but for the grant of the License, by the making, + using, selling, offering for sale, having made, import, or transfer of + either its Contributions or its Contributor Version. + +1.12. “Secondary License” + + means either the GNU General Public License, Version 2.0, the GNU Lesser + General Public License, Version 2.1, the GNU Affero General Public + License, Version 3.0, or any later versions of those licenses. + +1.13. “Source Code Form” + + means the form of the work preferred for making modifications. + +1.14. “You” (or “Your”) + + means an individual or a legal entity exercising rights under this + License. For legal entities, “You” includes any entity that controls, is + controlled by, or is under common control with You. For purposes of this + definition, “control” means (a) the power, direct or indirect, to cause + the direction or management of such entity, whether by contract or + otherwise, or (b) ownership of more than fifty percent (50%) of the + outstanding shares or beneficial ownership of such entity. + + +2. License Grants and Conditions + +2.1. Grants + + Each Contributor hereby grants You a world-wide, royalty-free, + non-exclusive license: + + a. under intellectual property rights (other than patent or trademark) + Licensable by such Contributor to use, reproduce, make available, + modify, display, perform, distribute, and otherwise exploit its + Contributions, either on an unmodified basis, with Modifications, or as + part of a Larger Work; and + + b. under Patent Claims of such Contributor to make, use, sell, offer for + sale, have made, import, and otherwise transfer either its Contributions + or its Contributor Version. + +2.2. Effective Date + + The licenses granted in Section 2.1 with respect to any Contribution become + effective for each Contribution on the date the Contributor first distributes + such Contribution. + +2.3. Limitations on Grant Scope + + The licenses granted in this Section 2 are the only rights granted under this + License. No additional rights or licenses will be implied from the distribution + or licensing of Covered Software under this License. Notwithstanding Section + 2.1(b) above, no patent license is granted by a Contributor: + + a. for any code that a Contributor has removed from Covered Software; or + + b. for infringements caused by: (i) Your and any other third party’s + modifications of Covered Software, or (ii) the combination of its + Contributions with other software (except as part of its Contributor + Version); or + + c. under Patent Claims infringed by Covered Software in the absence of its + Contributions. + + This License does not grant any rights in the trademarks, service marks, or + logos of any Contributor (except as may be necessary to comply with the + notice requirements in Section 3.4). + +2.4. Subsequent Licenses + + No Contributor makes additional grants as a result of Your choice to + distribute the Covered Software under a subsequent version of this License + (see Section 10.2) or under the terms of a Secondary License (if permitted + under the terms of Section 3.3). + +2.5. Representation + + Each Contributor represents that the Contributor believes its Contributions + are its original creation(s) or it has sufficient rights to grant the + rights to its Contributions conveyed by this License. + +2.6. Fair Use + + This License is not intended to limit any rights You have under applicable + copyright doctrines of fair use, fair dealing, or other equivalents. + +2.7. Conditions + + Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in + Section 2.1. + + +3. Responsibilities + +3.1. Distribution of Source Form + + All distribution of Covered Software in Source Code Form, including any + Modifications that You create or to which You contribute, must be under the + terms of this License. You must inform recipients that the Source Code Form + of the Covered Software is governed by the terms of this License, and how + they can obtain a copy of this License. You may not attempt to alter or + restrict the recipients’ rights in the Source Code Form. + +3.2. Distribution of Executable Form + + If You distribute Covered Software in Executable Form then: + + a. such Covered Software must also be made available in Source Code Form, + as described in Section 3.1, and You must inform recipients of the + Executable Form how they can obtain a copy of such Source Code Form by + reasonable means in a timely manner, at a charge no more than the cost + of distribution to the recipient; and + + b. You may distribute such Executable Form under the terms of this License, + or sublicense it under different terms, provided that the license for + the Executable Form does not attempt to limit or alter the recipients’ + rights in the Source Code Form under this License. + +3.3. Distribution of a Larger Work + + You may create and distribute a Larger Work under terms of Your choice, + provided that You also comply with the requirements of this License for the + Covered Software. If the Larger Work is a combination of Covered Software + with a work governed by one or more Secondary Licenses, and the Covered + Software is not Incompatible With Secondary Licenses, this License permits + You to additionally distribute such Covered Software under the terms of + such Secondary License(s), so that the recipient of the Larger Work may, at + their option, further distribute the Covered Software under the terms of + either this License or such Secondary License(s). + +3.4. Notices + + You may not remove or alter the substance of any license notices (including + copyright notices, patent notices, disclaimers of warranty, or limitations + of liability) contained within the Source Code Form of the Covered + Software, except that You may alter any license notices to the extent + required to remedy known factual inaccuracies. + +3.5. Application of Additional Terms + + You may choose to offer, and to charge a fee for, warranty, support, + indemnity or liability obligations to one or more recipients of Covered + Software. However, You may do so only on Your own behalf, and not on behalf + of any Contributor. You must make it absolutely clear that any such + warranty, support, indemnity, or liability obligation is offered by You + alone, and You hereby agree to indemnify every Contributor for any + liability incurred by such Contributor as a result of warranty, support, + indemnity or liability terms You offer. You may include additional + disclaimers of warranty and limitations of liability specific to any + jurisdiction. + +4. Inability to Comply Due to Statute or Regulation + + If it is impossible for You to comply with any of the terms of this License + with respect to some or all of the Covered Software due to statute, judicial + order, or regulation then You must: (a) comply with the terms of this License + to the maximum extent possible; and (b) describe the limitations and the code + they affect. Such description must be placed in a text file included with all + distributions of the Covered Software under this License. Except to the + extent prohibited by statute or regulation, such description must be + sufficiently detailed for a recipient of ordinary skill to be able to + understand it. + +5. Termination + +5.1. The rights granted under this License will terminate automatically if You + fail to comply with any of its terms. However, if You become compliant, + then the rights granted under this License from a particular Contributor + are reinstated (a) provisionally, unless and until such Contributor + explicitly and finally terminates Your grants, and (b) on an ongoing basis, + if such Contributor fails to notify You of the non-compliance by some + reasonable means prior to 60 days after You have come back into compliance. + Moreover, Your grants from a particular Contributor are reinstated on an + ongoing basis if such Contributor notifies You of the non-compliance by + some reasonable means, this is the first time You have received notice of + non-compliance with this License from such Contributor, and You become + compliant prior to 30 days after Your receipt of the notice. + +5.2. If You initiate litigation against any entity by asserting a patent + infringement claim (excluding declaratory judgment actions, counter-claims, + and cross-claims) alleging that a Contributor Version directly or + indirectly infringes any patent, then the rights granted to You by any and + all Contributors for the Covered Software under Section 2.1 of this License + shall terminate. + +5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user + license agreements (excluding distributors and resellers) which have been + validly granted by You or Your distributors under this License prior to + termination shall survive termination. + +6. Disclaimer of Warranty + + Covered Software is provided under this License on an “as is” basis, without + warranty of any kind, either expressed, implied, or statutory, including, + without limitation, warranties that the Covered Software is free of defects, + merchantable, fit for a particular purpose or non-infringing. The entire + risk as to the quality and performance of the Covered Software is with You. + Should any Covered Software prove defective in any respect, You (not any + Contributor) assume the cost of any necessary servicing, repair, or + correction. This disclaimer of warranty constitutes an essential part of this + License. No use of any Covered Software is authorized under this License + except under this disclaimer. + +7. Limitation of Liability + + Under no circumstances and under no legal theory, whether tort (including + negligence), contract, or otherwise, shall any Contributor, or anyone who + distributes Covered Software as permitted above, be liable to You for any + direct, indirect, special, incidental, or consequential damages of any + character including, without limitation, damages for lost profits, loss of + goodwill, work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses, even if such party shall have been + informed of the possibility of such damages. This limitation of liability + shall not apply to liability for death or personal injury resulting from such + party’s negligence to the extent applicable law prohibits such limitation. + Some jurisdictions do not allow the exclusion or limitation of incidental or + consequential damages, so this exclusion and limitation may not apply to You. + +8. Litigation + + Any litigation relating to this License may be brought only in the courts of + a jurisdiction where the defendant maintains its principal place of business + and such litigation shall be governed by laws of that jurisdiction, without + reference to its conflict-of-law provisions. Nothing in this Section shall + prevent a party’s ability to bring cross-claims or counter-claims. + +9. Miscellaneous + + This License represents the complete agreement concerning the subject matter + hereof. If any provision of this License is held to be unenforceable, such + provision shall be reformed only to the extent necessary to make it + enforceable. Any law or regulation which provides that the language of a + contract shall be construed against the drafter shall not be used to construe + this License against a Contributor. + + +10. Versions of the License + +10.1. New Versions + + Mozilla Foundation is the license steward. Except as provided in Section + 10.3, no one other than the license steward has the right to modify or + publish new versions of this License. Each version will be given a + distinguishing version number. + +10.2. Effect of New Versions + + You may distribute the Covered Software under the terms of the version of + the License under which You originally received the Covered Software, or + under the terms of any subsequent version published by the license + steward. + +10.3. Modified Versions + + If you create software not governed by this License, and you want to + create a new license for such software, you may create and use a modified + version of this License if you rename the license and remove any + references to the name of the license steward (except to note that such + modified license differs from this License). + +10.4. Distributing Source Code Form that is Incompatible With Secondary Licenses + If You choose to distribute Source Code Form that is Incompatible With + Secondary Licenses under the terms of this version of the License, the + notice described in Exhibit B of this License must be attached. + +Exhibit A - Source Code Form License Notice + + This Source Code Form is subject to the + terms of the Mozilla Public License, v. + 2.0. If a copy of the MPL was not + distributed with this file, You can + obtain one at + http://mozilla.org/MPL/2.0/. + +If it is not possible or desirable to put the notice in a particular file, then +You may include the notice in a location (such as a LICENSE file in a relevant +directory) where a recipient would be likely to look for such a notice. + +You may add additional accurate notices of copyright ownership. + +Exhibit B - “Incompatible With Secondary Licenses” Notice + + This Source Code Form is “Incompatible + With Secondary Licenses”, as defined by + the Mozilla Public License, v. 2.0. + diff --git a/vendor/github.com/hashicorp/errwrap/README.md b/vendor/github.com/hashicorp/errwrap/README.md new file mode 100644 index 0000000000..1c95f59782 --- /dev/null +++ b/vendor/github.com/hashicorp/errwrap/README.md @@ -0,0 +1,89 @@ +# errwrap + +`errwrap` is a package for Go that formalizes the pattern of wrapping errors +and checking if an error contains another error. + +There is a common pattern in Go of taking a returned `error` value and +then wrapping it (such as with `fmt.Errorf`) before returning it. The problem +with this pattern is that you completely lose the original `error` structure. + +Arguably the _correct_ approach is that you should make a custom structure +implementing the `error` interface, and have the original error as a field +on that structure, such [as this example](http://golang.org/pkg/os/#PathError). +This is a good approach, but you have to know the entire chain of possible +rewrapping that happens, when you might just care about one. + +`errwrap` formalizes this pattern (it doesn't matter what approach you use +above) by giving a single interface for wrapping errors, checking if a specific +error is wrapped, and extracting that error. + +## Installation and Docs + +Install using `go get github.com/hashicorp/errwrap`. + +Full documentation is available at +http://godoc.org/github.com/hashicorp/errwrap + +## Usage + +#### Basic Usage + +Below is a very basic example of its usage: + +```go +// A function that always returns an error, but wraps it, like a real +// function might. +func tryOpen() error { + _, err := os.Open("/i/dont/exist") + if err != nil { + return errwrap.Wrapf("Doesn't exist: {{err}}", err) + } + + return nil +} + +func main() { + err := tryOpen() + + // We can use the Contains helpers to check if an error contains + // another error. It is safe to do this with a nil error, or with + // an error that doesn't even use the errwrap package. + if errwrap.Contains(err, ErrNotExist) { + // Do something + } + if errwrap.ContainsType(err, new(os.PathError)) { + // Do something + } + + // Or we can use the associated `Get` functions to just extract + // a specific error. This would return nil if that specific error doesn't + // exist. + perr := errwrap.GetType(err, new(os.PathError)) +} +``` + +#### Custom Types + +If you're already making custom types that properly wrap errors, then +you can get all the functionality of `errwraps.Contains` and such by +implementing the `Wrapper` interface with just one function. Example: + +```go +type AppError { + Code ErrorCode + Err error +} + +func (e *AppError) WrappedErrors() []error { + return []error{e.Err} +} +``` + +Now this works: + +```go +err := &AppError{Err: fmt.Errorf("an error")} +if errwrap.ContainsType(err, fmt.Errorf("")) { + // This will work! +} +``` diff --git a/vendor/github.com/hashicorp/errwrap/errwrap.go b/vendor/github.com/hashicorp/errwrap/errwrap.go new file mode 100644 index 0000000000..a733bef18c --- /dev/null +++ b/vendor/github.com/hashicorp/errwrap/errwrap.go @@ -0,0 +1,169 @@ +// Package errwrap implements methods to formalize error wrapping in Go. +// +// All of the top-level functions that take an `error` are built to be able +// to take any error, not just wrapped errors. This allows you to use errwrap +// without having to type-check and type-cast everywhere. +package errwrap + +import ( + "errors" + "reflect" + "strings" +) + +// WalkFunc is the callback called for Walk. +type WalkFunc func(error) + +// Wrapper is an interface that can be implemented by custom types to +// have all the Contains, Get, etc. functions in errwrap work. +// +// When Walk reaches a Wrapper, it will call the callback for every +// wrapped error in addition to the wrapper itself. Since all the top-level +// functions in errwrap use Walk, this means that all those functions work +// with your custom type. +type Wrapper interface { + WrappedErrors() []error +} + +// Wrap defines that outer wraps inner, returning an error type that +// can be cleanly used with the other methods in this package, such as +// Contains, GetAll, etc. +// +// This function won't modify the error message at all (the outer message +// will be used). +func Wrap(outer, inner error) error { + return &wrappedError{ + Outer: outer, + Inner: inner, + } +} + +// Wrapf wraps an error with a formatting message. This is similar to using +// `fmt.Errorf` to wrap an error. If you're using `fmt.Errorf` to wrap +// errors, you should replace it with this. +// +// format is the format of the error message. The string '{{err}}' will +// be replaced with the original error message. +func Wrapf(format string, err error) error { + outerMsg := "" + if err != nil { + outerMsg = err.Error() + } + + outer := errors.New(strings.Replace( + format, "{{err}}", outerMsg, -1)) + + return Wrap(outer, err) +} + +// Contains checks if the given error contains an error with the +// message msg. If err is not a wrapped error, this will always return +// false unless the error itself happens to match this msg. +func Contains(err error, msg string) bool { + return len(GetAll(err, msg)) > 0 +} + +// ContainsType checks if the given error contains an error with +// the same concrete type as v. If err is not a wrapped error, this will +// check the err itself. +func ContainsType(err error, v interface{}) bool { + return len(GetAllType(err, v)) > 0 +} + +// Get is the same as GetAll but returns the deepest matching error. +func Get(err error, msg string) error { + es := GetAll(err, msg) + if len(es) > 0 { + return es[len(es)-1] + } + + return nil +} + +// GetType is the same as GetAllType but returns the deepest matching error. +func GetType(err error, v interface{}) error { + es := GetAllType(err, v) + if len(es) > 0 { + return es[len(es)-1] + } + + return nil +} + +// GetAll gets all the errors that might be wrapped in err with the +// given message. The order of the errors is such that the outermost +// matching error (the most recent wrap) is index zero, and so on. +func GetAll(err error, msg string) []error { + var result []error + + Walk(err, func(err error) { + if err.Error() == msg { + result = append(result, err) + } + }) + + return result +} + +// GetAllType gets all the errors that are the same type as v. +// +// The order of the return value is the same as described in GetAll. +func GetAllType(err error, v interface{}) []error { + var result []error + + var search string + if v != nil { + search = reflect.TypeOf(v).String() + } + Walk(err, func(err error) { + var needle string + if err != nil { + needle = reflect.TypeOf(err).String() + } + + if needle == search { + result = append(result, err) + } + }) + + return result +} + +// Walk walks all the wrapped errors in err and calls the callback. If +// err isn't a wrapped error, this will be called once for err. If err +// is a wrapped error, the callback will be called for both the wrapper +// that implements error as well as the wrapped error itself. +func Walk(err error, cb WalkFunc) { + if err == nil { + return + } + + switch e := err.(type) { + case *wrappedError: + cb(e.Outer) + Walk(e.Inner, cb) + case Wrapper: + cb(err) + + for _, err := range e.WrappedErrors() { + Walk(err, cb) + } + default: + cb(err) + } +} + +// wrappedError is an implementation of error that has both the +// outer and inner errors. +type wrappedError struct { + Outer error + Inner error +} + +func (w *wrappedError) Error() string { + return w.Outer.Error() +} + +func (w *wrappedError) WrappedErrors() []error { + return []error{w.Outer, w.Inner} +} diff --git a/vendor/github.com/hashicorp/go-multierror/.travis.yml b/vendor/github.com/hashicorp/go-multierror/.travis.yml new file mode 100644 index 0000000000..4b865d194a --- /dev/null +++ b/vendor/github.com/hashicorp/go-multierror/.travis.yml @@ -0,0 +1,12 @@ +sudo: false + +language: go + +go: + - 1.6 + +branches: + only: + - master + +script: make test testrace diff --git a/vendor/github.com/hashicorp/go-multierror/LICENSE b/vendor/github.com/hashicorp/go-multierror/LICENSE new file mode 100644 index 0000000000..82b4de97c7 --- /dev/null +++ b/vendor/github.com/hashicorp/go-multierror/LICENSE @@ -0,0 +1,353 @@ +Mozilla Public License, version 2.0 + +1. Definitions + +1.1. “Contributor” + + means each individual or legal entity that creates, contributes to the + creation of, or owns Covered Software. + +1.2. “Contributor Version” + + means the combination of the Contributions of others (if any) used by a + Contributor and that particular Contributor’s Contribution. + +1.3. “Contribution” + + means Covered Software of a particular Contributor. + +1.4. “Covered Software” + + means Source Code Form to which the initial Contributor has attached the + notice in Exhibit A, the Executable Form of such Source Code Form, and + Modifications of such Source Code Form, in each case including portions + thereof. + +1.5. “Incompatible With Secondary Licenses” + means + + a. that the initial Contributor has attached the notice described in + Exhibit B to the Covered Software; or + + b. that the Covered Software was made available under the terms of version + 1.1 or earlier of the License, but not also under the terms of a + Secondary License. + +1.6. “Executable Form” + + means any form of the work other than Source Code Form. + +1.7. “Larger Work” + + means a work that combines Covered Software with other material, in a separate + file or files, that is not Covered Software. + +1.8. “License” + + means this document. + +1.9. “Licensable” + + means having the right to grant, to the maximum extent possible, whether at the + time of the initial grant or subsequently, any and all of the rights conveyed by + this License. + +1.10. “Modifications” + + means any of the following: + + a. any file in Source Code Form that results from an addition to, deletion + from, or modification of the contents of Covered Software; or + + b. any new file in Source Code Form that contains any Covered Software. + +1.11. “Patent Claims” of a Contributor + + means any patent claim(s), including without limitation, method, process, + and apparatus claims, in any patent Licensable by such Contributor that + would be infringed, but for the grant of the License, by the making, + using, selling, offering for sale, having made, import, or transfer of + either its Contributions or its Contributor Version. + +1.12. “Secondary License” + + means either the GNU General Public License, Version 2.0, the GNU Lesser + General Public License, Version 2.1, the GNU Affero General Public + License, Version 3.0, or any later versions of those licenses. + +1.13. “Source Code Form” + + means the form of the work preferred for making modifications. + +1.14. “You” (or “Your”) + + means an individual or a legal entity exercising rights under this + License. For legal entities, “You” includes any entity that controls, is + controlled by, or is under common control with You. For purposes of this + definition, “control” means (a) the power, direct or indirect, to cause + the direction or management of such entity, whether by contract or + otherwise, or (b) ownership of more than fifty percent (50%) of the + outstanding shares or beneficial ownership of such entity. + + +2. License Grants and Conditions + +2.1. Grants + + Each Contributor hereby grants You a world-wide, royalty-free, + non-exclusive license: + + a. under intellectual property rights (other than patent or trademark) + Licensable by such Contributor to use, reproduce, make available, + modify, display, perform, distribute, and otherwise exploit its + Contributions, either on an unmodified basis, with Modifications, or as + part of a Larger Work; and + + b. under Patent Claims of such Contributor to make, use, sell, offer for + sale, have made, import, and otherwise transfer either its Contributions + or its Contributor Version. + +2.2. Effective Date + + The licenses granted in Section 2.1 with respect to any Contribution become + effective for each Contribution on the date the Contributor first distributes + such Contribution. + +2.3. Limitations on Grant Scope + + The licenses granted in this Section 2 are the only rights granted under this + License. No additional rights or licenses will be implied from the distribution + or licensing of Covered Software under this License. Notwithstanding Section + 2.1(b) above, no patent license is granted by a Contributor: + + a. for any code that a Contributor has removed from Covered Software; or + + b. for infringements caused by: (i) Your and any other third party’s + modifications of Covered Software, or (ii) the combination of its + Contributions with other software (except as part of its Contributor + Version); or + + c. under Patent Claims infringed by Covered Software in the absence of its + Contributions. + + This License does not grant any rights in the trademarks, service marks, or + logos of any Contributor (except as may be necessary to comply with the + notice requirements in Section 3.4). + +2.4. Subsequent Licenses + + No Contributor makes additional grants as a result of Your choice to + distribute the Covered Software under a subsequent version of this License + (see Section 10.2) or under the terms of a Secondary License (if permitted + under the terms of Section 3.3). + +2.5. Representation + + Each Contributor represents that the Contributor believes its Contributions + are its original creation(s) or it has sufficient rights to grant the + rights to its Contributions conveyed by this License. + +2.6. Fair Use + + This License is not intended to limit any rights You have under applicable + copyright doctrines of fair use, fair dealing, or other equivalents. + +2.7. Conditions + + Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in + Section 2.1. + + +3. Responsibilities + +3.1. Distribution of Source Form + + All distribution of Covered Software in Source Code Form, including any + Modifications that You create or to which You contribute, must be under the + terms of this License. You must inform recipients that the Source Code Form + of the Covered Software is governed by the terms of this License, and how + they can obtain a copy of this License. You may not attempt to alter or + restrict the recipients’ rights in the Source Code Form. + +3.2. Distribution of Executable Form + + If You distribute Covered Software in Executable Form then: + + a. such Covered Software must also be made available in Source Code Form, + as described in Section 3.1, and You must inform recipients of the + Executable Form how they can obtain a copy of such Source Code Form by + reasonable means in a timely manner, at a charge no more than the cost + of distribution to the recipient; and + + b. You may distribute such Executable Form under the terms of this License, + or sublicense it under different terms, provided that the license for + the Executable Form does not attempt to limit or alter the recipients’ + rights in the Source Code Form under this License. + +3.3. Distribution of a Larger Work + + You may create and distribute a Larger Work under terms of Your choice, + provided that You also comply with the requirements of this License for the + Covered Software. If the Larger Work is a combination of Covered Software + with a work governed by one or more Secondary Licenses, and the Covered + Software is not Incompatible With Secondary Licenses, this License permits + You to additionally distribute such Covered Software under the terms of + such Secondary License(s), so that the recipient of the Larger Work may, at + their option, further distribute the Covered Software under the terms of + either this License or such Secondary License(s). + +3.4. Notices + + You may not remove or alter the substance of any license notices (including + copyright notices, patent notices, disclaimers of warranty, or limitations + of liability) contained within the Source Code Form of the Covered + Software, except that You may alter any license notices to the extent + required to remedy known factual inaccuracies. + +3.5. Application of Additional Terms + + You may choose to offer, and to charge a fee for, warranty, support, + indemnity or liability obligations to one or more recipients of Covered + Software. However, You may do so only on Your own behalf, and not on behalf + of any Contributor. You must make it absolutely clear that any such + warranty, support, indemnity, or liability obligation is offered by You + alone, and You hereby agree to indemnify every Contributor for any + liability incurred by such Contributor as a result of warranty, support, + indemnity or liability terms You offer. You may include additional + disclaimers of warranty and limitations of liability specific to any + jurisdiction. + +4. Inability to Comply Due to Statute or Regulation + + If it is impossible for You to comply with any of the terms of this License + with respect to some or all of the Covered Software due to statute, judicial + order, or regulation then You must: (a) comply with the terms of this License + to the maximum extent possible; and (b) describe the limitations and the code + they affect. Such description must be placed in a text file included with all + distributions of the Covered Software under this License. Except to the + extent prohibited by statute or regulation, such description must be + sufficiently detailed for a recipient of ordinary skill to be able to + understand it. + +5. Termination + +5.1. The rights granted under this License will terminate automatically if You + fail to comply with any of its terms. However, if You become compliant, + then the rights granted under this License from a particular Contributor + are reinstated (a) provisionally, unless and until such Contributor + explicitly and finally terminates Your grants, and (b) on an ongoing basis, + if such Contributor fails to notify You of the non-compliance by some + reasonable means prior to 60 days after You have come back into compliance. + Moreover, Your grants from a particular Contributor are reinstated on an + ongoing basis if such Contributor notifies You of the non-compliance by + some reasonable means, this is the first time You have received notice of + non-compliance with this License from such Contributor, and You become + compliant prior to 30 days after Your receipt of the notice. + +5.2. If You initiate litigation against any entity by asserting a patent + infringement claim (excluding declaratory judgment actions, counter-claims, + and cross-claims) alleging that a Contributor Version directly or + indirectly infringes any patent, then the rights granted to You by any and + all Contributors for the Covered Software under Section 2.1 of this License + shall terminate. + +5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user + license agreements (excluding distributors and resellers) which have been + validly granted by You or Your distributors under this License prior to + termination shall survive termination. + +6. Disclaimer of Warranty + + Covered Software is provided under this License on an “as is” basis, without + warranty of any kind, either expressed, implied, or statutory, including, + without limitation, warranties that the Covered Software is free of defects, + merchantable, fit for a particular purpose or non-infringing. The entire + risk as to the quality and performance of the Covered Software is with You. + Should any Covered Software prove defective in any respect, You (not any + Contributor) assume the cost of any necessary servicing, repair, or + correction. This disclaimer of warranty constitutes an essential part of this + License. No use of any Covered Software is authorized under this License + except under this disclaimer. + +7. Limitation of Liability + + Under no circumstances and under no legal theory, whether tort (including + negligence), contract, or otherwise, shall any Contributor, or anyone who + distributes Covered Software as permitted above, be liable to You for any + direct, indirect, special, incidental, or consequential damages of any + character including, without limitation, damages for lost profits, loss of + goodwill, work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses, even if such party shall have been + informed of the possibility of such damages. This limitation of liability + shall not apply to liability for death or personal injury resulting from such + party’s negligence to the extent applicable law prohibits such limitation. + Some jurisdictions do not allow the exclusion or limitation of incidental or + consequential damages, so this exclusion and limitation may not apply to You. + +8. Litigation + + Any litigation relating to this License may be brought only in the courts of + a jurisdiction where the defendant maintains its principal place of business + and such litigation shall be governed by laws of that jurisdiction, without + reference to its conflict-of-law provisions. Nothing in this Section shall + prevent a party’s ability to bring cross-claims or counter-claims. + +9. Miscellaneous + + This License represents the complete agreement concerning the subject matter + hereof. If any provision of this License is held to be unenforceable, such + provision shall be reformed only to the extent necessary to make it + enforceable. Any law or regulation which provides that the language of a + contract shall be construed against the drafter shall not be used to construe + this License against a Contributor. + + +10. Versions of the License + +10.1. New Versions + + Mozilla Foundation is the license steward. Except as provided in Section + 10.3, no one other than the license steward has the right to modify or + publish new versions of this License. Each version will be given a + distinguishing version number. + +10.2. Effect of New Versions + + You may distribute the Covered Software under the terms of the version of + the License under which You originally received the Covered Software, or + under the terms of any subsequent version published by the license + steward. + +10.3. Modified Versions + + If you create software not governed by this License, and you want to + create a new license for such software, you may create and use a modified + version of this License if you rename the license and remove any + references to the name of the license steward (except to note that such + modified license differs from this License). + +10.4. Distributing Source Code Form that is Incompatible With Secondary Licenses + If You choose to distribute Source Code Form that is Incompatible With + Secondary Licenses under the terms of this version of the License, the + notice described in Exhibit B of this License must be attached. + +Exhibit A - Source Code Form License Notice + + This Source Code Form is subject to the + terms of the Mozilla Public License, v. + 2.0. If a copy of the MPL was not + distributed with this file, You can + obtain one at + http://mozilla.org/MPL/2.0/. + +If it is not possible or desirable to put the notice in a particular file, then +You may include the notice in a location (such as a LICENSE file in a relevant +directory) where a recipient would be likely to look for such a notice. + +You may add additional accurate notices of copyright ownership. + +Exhibit B - “Incompatible With Secondary Licenses” Notice + + This Source Code Form is “Incompatible + With Secondary Licenses”, as defined by + the Mozilla Public License, v. 2.0. diff --git a/vendor/github.com/hashicorp/go-multierror/Makefile b/vendor/github.com/hashicorp/go-multierror/Makefile new file mode 100644 index 0000000000..b97cd6ed02 --- /dev/null +++ b/vendor/github.com/hashicorp/go-multierror/Makefile @@ -0,0 +1,31 @@ +TEST?=./... + +default: test + +# test runs the test suite and vets the code. +test: generate + @echo "==> Running tests..." + @go list $(TEST) \ + | grep -v "/vendor/" \ + | xargs -n1 go test -timeout=60s -parallel=10 ${TESTARGS} + +# testrace runs the race checker +testrace: generate + @echo "==> Running tests (race)..." + @go list $(TEST) \ + | grep -v "/vendor/" \ + | xargs -n1 go test -timeout=60s -race ${TESTARGS} + +# updatedeps installs all the dependencies needed to run and build. +updatedeps: + @sh -c "'${CURDIR}/scripts/deps.sh' '${NAME}'" + +# generate runs `go generate` to build the dynamically generated source files. +generate: + @echo "==> Generating..." + @find . -type f -name '.DS_Store' -delete + @go list ./... \ + | grep -v "/vendor/" \ + | xargs -n1 go generate + +.PHONY: default test testrace updatedeps generate diff --git a/vendor/github.com/hashicorp/go-multierror/README.md b/vendor/github.com/hashicorp/go-multierror/README.md new file mode 100644 index 0000000000..ead5830f7b --- /dev/null +++ b/vendor/github.com/hashicorp/go-multierror/README.md @@ -0,0 +1,97 @@ +# go-multierror + +[![Build Status](http://img.shields.io/travis/hashicorp/go-multierror.svg?style=flat-square)][travis] +[![Go Documentation](http://img.shields.io/badge/go-documentation-blue.svg?style=flat-square)][godocs] + +[travis]: https://travis-ci.org/hashicorp/go-multierror +[godocs]: https://godoc.org/github.com/hashicorp/go-multierror + +`go-multierror` is a package for Go that provides a mechanism for +representing a list of `error` values as a single `error`. + +This allows a function in Go to return an `error` that might actually +be a list of errors. If the caller knows this, they can unwrap the +list and access the errors. If the caller doesn't know, the error +formats to a nice human-readable format. + +`go-multierror` implements the +[errwrap](https://github.com/hashicorp/errwrap) interface so that it can +be used with that library, as well. + +## Installation and Docs + +Install using `go get github.com/hashicorp/go-multierror`. + +Full documentation is available at +http://godoc.org/github.com/hashicorp/go-multierror + +## Usage + +go-multierror is easy to use and purposely built to be unobtrusive in +existing Go applications/libraries that may not be aware of it. + +**Building a list of errors** + +The `Append` function is used to create a list of errors. This function +behaves a lot like the Go built-in `append` function: it doesn't matter +if the first argument is nil, a `multierror.Error`, or any other `error`, +the function behaves as you would expect. + +```go +var result error + +if err := step1(); err != nil { + result = multierror.Append(result, err) +} +if err := step2(); err != nil { + result = multierror.Append(result, err) +} + +return result +``` + +**Customizing the formatting of the errors** + +By specifying a custom `ErrorFormat`, you can customize the format +of the `Error() string` function: + +```go +var result *multierror.Error + +// ... accumulate errors here, maybe using Append + +if result != nil { + result.ErrorFormat = func([]error) string { + return "errors!" + } +} +``` + +**Accessing the list of errors** + +`multierror.Error` implements `error` so if the caller doesn't know about +multierror, it will work just fine. But if you're aware a multierror might +be returned, you can use type switches to access the list of errors: + +```go +if err := something(); err != nil { + if merr, ok := err.(*multierror.Error); ok { + // Use merr.Errors + } +} +``` + +**Returning a multierror only if there are errors** + +If you build a `multierror.Error`, you can use the `ErrorOrNil` function +to return an `error` implementation only if there are errors to return: + +```go +var result *multierror.Error + +// ... accumulate errors here + +// Return the `error` only if errors were added to the multierror, otherwise +// return nil since there are no errors. +return result.ErrorOrNil() +``` diff --git a/vendor/github.com/hashicorp/go-multierror/append.go b/vendor/github.com/hashicorp/go-multierror/append.go new file mode 100644 index 0000000000..775b6e753e --- /dev/null +++ b/vendor/github.com/hashicorp/go-multierror/append.go @@ -0,0 +1,41 @@ +package multierror + +// Append is a helper function that will append more errors +// onto an Error in order to create a larger multi-error. +// +// If err is not a multierror.Error, then it will be turned into +// one. If any of the errs are multierr.Error, they will be flattened +// one level into err. +func Append(err error, errs ...error) *Error { + switch err := err.(type) { + case *Error: + // Typed nils can reach here, so initialize if we are nil + if err == nil { + err = new(Error) + } + + // Go through each error and flatten + for _, e := range errs { + switch e := e.(type) { + case *Error: + if e != nil { + err.Errors = append(err.Errors, e.Errors...) + } + default: + if e != nil { + err.Errors = append(err.Errors, e) + } + } + } + + return err + default: + newErrs := make([]error, 0, len(errs)+1) + if err != nil { + newErrs = append(newErrs, err) + } + newErrs = append(newErrs, errs...) + + return Append(&Error{}, newErrs...) + } +} diff --git a/vendor/github.com/hashicorp/go-multierror/flatten.go b/vendor/github.com/hashicorp/go-multierror/flatten.go new file mode 100644 index 0000000000..aab8e9abec --- /dev/null +++ b/vendor/github.com/hashicorp/go-multierror/flatten.go @@ -0,0 +1,26 @@ +package multierror + +// Flatten flattens the given error, merging any *Errors together into +// a single *Error. +func Flatten(err error) error { + // If it isn't an *Error, just return the error as-is + if _, ok := err.(*Error); !ok { + return err + } + + // Otherwise, make the result and flatten away! + flatErr := new(Error) + flatten(err, flatErr) + return flatErr +} + +func flatten(err error, flatErr *Error) { + switch err := err.(type) { + case *Error: + for _, e := range err.Errors { + flatten(e, flatErr) + } + default: + flatErr.Errors = append(flatErr.Errors, err) + } +} diff --git a/vendor/github.com/hashicorp/go-multierror/format.go b/vendor/github.com/hashicorp/go-multierror/format.go new file mode 100644 index 0000000000..6c7a3cc91d --- /dev/null +++ b/vendor/github.com/hashicorp/go-multierror/format.go @@ -0,0 +1,27 @@ +package multierror + +import ( + "fmt" + "strings" +) + +// ErrorFormatFunc is a function callback that is called by Error to +// turn the list of errors into a string. +type ErrorFormatFunc func([]error) string + +// ListFormatFunc is a basic formatter that outputs the number of errors +// that occurred along with a bullet point list of the errors. +func ListFormatFunc(es []error) string { + if len(es) == 1 { + return fmt.Sprintf("1 error occurred:\n\n* %s", es[0]) + } + + points := make([]string, len(es)) + for i, err := range es { + points[i] = fmt.Sprintf("* %s", err) + } + + return fmt.Sprintf( + "%d errors occurred:\n\n%s", + len(es), strings.Join(points, "\n")) +} diff --git a/vendor/github.com/hashicorp/go-multierror/multierror.go b/vendor/github.com/hashicorp/go-multierror/multierror.go new file mode 100644 index 0000000000..2ea0827329 --- /dev/null +++ b/vendor/github.com/hashicorp/go-multierror/multierror.go @@ -0,0 +1,51 @@ +package multierror + +import ( + "fmt" +) + +// Error is an error type to track multiple errors. This is used to +// accumulate errors in cases and return them as a single "error". +type Error struct { + Errors []error + ErrorFormat ErrorFormatFunc +} + +func (e *Error) Error() string { + fn := e.ErrorFormat + if fn == nil { + fn = ListFormatFunc + } + + return fn(e.Errors) +} + +// ErrorOrNil returns an error interface if this Error represents +// a list of errors, or returns nil if the list of errors is empty. This +// function is useful at the end of accumulation to make sure that the value +// returned represents the existence of errors. +func (e *Error) ErrorOrNil() error { + if e == nil { + return nil + } + if len(e.Errors) == 0 { + return nil + } + + return e +} + +func (e *Error) GoString() string { + return fmt.Sprintf("*%#v", *e) +} + +// WrappedErrors returns the list of errors that this Error is wrapping. +// It is an implementatin of the errwrap.Wrapper interface so that +// multierror.Error can be used with that library. +// +// This method is not safe to be called concurrently and is no different +// than accessing the Errors field directly. It is implementd only to +// satisfy the errwrap.Wrapper interface. +func (e *Error) WrappedErrors() []error { + return e.Errors +} diff --git a/vendor/github.com/hashicorp/go-multierror/prefix.go b/vendor/github.com/hashicorp/go-multierror/prefix.go new file mode 100644 index 0000000000..5c477abe44 --- /dev/null +++ b/vendor/github.com/hashicorp/go-multierror/prefix.go @@ -0,0 +1,37 @@ +package multierror + +import ( + "fmt" + + "github.com/hashicorp/errwrap" +) + +// Prefix is a helper function that will prefix some text +// to the given error. If the error is a multierror.Error, then +// it will be prefixed to each wrapped error. +// +// This is useful to use when appending multiple multierrors +// together in order to give better scoping. +func Prefix(err error, prefix string) error { + if err == nil { + return nil + } + + format := fmt.Sprintf("%s {{err}}", prefix) + switch err := err.(type) { + case *Error: + // Typed nils can reach here, so initialize if we are nil + if err == nil { + err = new(Error) + } + + // Wrap each of the errors + for i, e := range err.Errors { + err.Errors[i] = errwrap.Wrapf(format, e) + } + + return err + default: + return errwrap.Wrapf(format, err) + } +} diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go index e178568fd3..fea096c180 100644 --- a/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go +++ b/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go @@ -1,109 +1,97 @@ -// +build !selinux !linux - package label -// InitLabels returns the process label and file labels to be used within -// the container. A list of options can be passed into this function to alter -// the labels. -func InitLabels(options []string) (string, string, error) { - return "", "", nil -} +import ( + "fmt" -func ROMountLabel() string { - return "" -} + "github.com/opencontainers/selinux/go-selinux" +) -func GenLabels(options string) (string, string, error) { - return "", "", nil -} +// Deprecated: use selinux.ROFileLabel +var ROMountLabel = selinux.ROFileLabel -func FormatMountLabel(src string, mountLabel string) string { - return src -} +// SetProcessLabel takes a process label and tells the kernel to assign the +// label to the next program executed by the current process. +// Deprecated: use selinux.SetExecLabel +var SetProcessLabel = selinux.SetExecLabel -func SetProcessLabel(processLabel string) error { - return nil -} +// ProcessLabel returns the process label that the kernel will assign +// to the next program executed by the current process. If "" is returned +// this indicates that the default labeling will happen for the process. +// Deprecated: use selinux.ExecLabel +var ProcessLabel = selinux.ExecLabel -func ProcessLabel() (string, error) { - return "", nil -} +// SetSocketLabel takes a process label and tells the kernel to assign the +// label to the next socket that gets created +// Deprecated: use selinux.SetSocketLabel +var SetSocketLabel = selinux.SetSocketLabel -func SetSocketLabel(processLabel string) error { - return nil -} +// SocketLabel retrieves the current default socket label setting +// Deprecated: use selinux.SocketLabel +var SocketLabel = selinux.SocketLabel -func SocketLabel() (string, error) { - return "", nil -} +// SetKeyLabel takes a process label and tells the kernel to assign the +// label to the next kernel keyring that gets created +// Deprecated: use selinux.SetKeyLabel +var SetKeyLabel = selinux.SetKeyLabel -func SetKeyLabel(processLabel string) error { - return nil -} +// KeyLabel retrieves the current default kernel keyring label setting +// Deprecated: use selinux.KeyLabel +var KeyLabel = selinux.KeyLabel -func KeyLabel() (string, error) { - return "", nil -} +// FileLabel returns the label for specified path +// Deprecated: use selinux.FileLabel +var FileLabel = selinux.FileLabel -func FileLabel(path string) (string, error) { - return "", nil -} - -func SetFileLabel(path string, fileLabel string) error { - return nil -} - -func SetFileCreateLabel(fileLabel string) error { - return nil -} - -func Relabel(path string, fileLabel string, shared bool) error { - return nil -} - -func PidLabel(pid int) (string, error) { - return "", nil -} +// PidLabel will return the label of the process running with the specified pid +// Deprecated: use selinux.PidLabel +var PidLabel = selinux.PidLabel +// Init initialises the labeling system func Init() { + _ = selinux.GetEnabled() } -// ClearLabels clears all reserved labels -func ClearLabels() { - return -} +// ClearLabels will clear all reserved labels +// Deprecated: use selinux.ClearLabels +var ClearLabels = selinux.ClearLabels +// ReserveLabel will record the fact that the MCS label has already been used. +// This will prevent InitLabels from using the MCS label in a newly created +// container +// Deprecated: use selinux.ReserveLabel func ReserveLabel(label string) error { + selinux.ReserveLabel(label) return nil } +// ReleaseLabel will remove the reservation of the MCS label. +// This will allow InitLabels to use the MCS label in a newly created +// containers +// Deprecated: use selinux.ReleaseLabel func ReleaseLabel(label string) error { + selinux.ReleaseLabel(label) return nil } // DupSecOpt takes a process label and returns security options that // can be used to set duplicate labels on future container processes -func DupSecOpt(src string) ([]string, error) { - return nil, nil -} +// Deprecated: use selinux.DupSecOpt +var DupSecOpt = selinux.DupSecOpt -// DisableSecOpt returns a security opt that can disable labeling -// support for future container processes -func DisableSecOpt() []string { - return nil -} - -// Validate checks that the label does not include unexpected options -func Validate(label string) error { - return nil -} - -// RelabelNeeded checks whether the user requested a relabel -func RelabelNeeded(label string) bool { - return false -} - -// IsShared checks that the label includes a "shared" mark -func IsShared(label string) bool { - return false +// FormatMountLabel returns a string to be used by the mount command. +// The format of this string will be used to alter the labeling of the mountpoint. +// The string returned is suitable to be used as the options field of the mount command. +// If you need to have additional mount point options, you can pass them in as +// the first parameter. Second parameter is the label that you wish to apply +// to all content in the mount point. +func FormatMountLabel(src, mountLabel string) string { + if mountLabel != "" { + switch src { + case "": + src = fmt.Sprintf("context=%q", mountLabel) + default: + src = fmt.Sprintf("%s,context=%q", src, mountLabel) + } + } + return src } diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go index 2730fcf4a9..10ac15a852 100644 --- a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go +++ b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go @@ -3,12 +3,12 @@ package label import ( - "fmt" "os" "os/user" "strings" "github.com/opencontainers/selinux/go-selinux" + "github.com/pkg/errors" ) // Valid Label Options @@ -21,7 +21,7 @@ var validOptions = map[string]bool{ "level": true, } -var ErrIncompatibleLabel = fmt.Errorf("Bad SELinux option z and Z can not be used together") +var ErrIncompatibleLabel = errors.New("Bad SELinux option z and Z can not be used together") // InitLabels returns the process label and file labels to be used within // the container. A list of options can be passed into this function to alter @@ -35,14 +35,14 @@ func InitLabels(options []string) (plabel string, mlabel string, Err error) { if processLabel != "" { defer func() { if Err != nil { - ReleaseLabel(mountLabel) + selinux.ReleaseLabel(mountLabel) } }() pcon, err := selinux.NewContext(processLabel) if err != nil { return "", "", err } - + mcsLevel := pcon["level"] mcon, err := selinux.NewContext(mountLabel) if err != nil { return "", "", err @@ -52,121 +52,61 @@ func InitLabels(options []string) (plabel string, mlabel string, Err error) { return "", mountLabel, nil } if i := strings.Index(opt, ":"); i == -1 { - return "", "", fmt.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type, filetype' followed by ':' and a value", opt) + return "", "", errors.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type, filetype' followed by ':' and a value", opt) } con := strings.SplitN(opt, ":", 2) if !validOptions[con[0]] { - return "", "", fmt.Errorf("Bad label option %q, valid options 'disable, user, role, level, type, filetype'", con[0]) + return "", "", errors.Errorf("Bad label option %q, valid options 'disable, user, role, level, type, filetype'", con[0]) } if con[0] == "filetype" { mcon["type"] = con[1] + continue } pcon[con[0]] = con[1] if con[0] == "level" || con[0] == "user" { mcon[con[0]] = con[1] } } - _ = ReleaseLabel(processLabel) - processLabel = pcon.Get() + if pcon.Get() != processLabel { + if pcon["level"] != mcsLevel { + selinux.ReleaseLabel(processLabel) + } + processLabel = pcon.Get() + selinux.ReserveLabel(processLabel) + } mountLabel = mcon.Get() - _ = ReserveLabel(processLabel) } return processLabel, mountLabel, nil } -func ROMountLabel() string { - return selinux.ROFileLabel() -} - -// DEPRECATED: The GenLabels function is only to be used during the transition to the official API. +// Deprecated: The GenLabels function is only to be used during the transition +// to the official API. Use InitLabels(strings.Fields(options)) instead. func GenLabels(options string) (string, string, error) { return InitLabels(strings.Fields(options)) } -// FormatMountLabel returns a string to be used by the mount command. -// The format of this string will be used to alter the labeling of the mountpoint. -// The string returned is suitable to be used as the options field of the mount command. -// If you need to have additional mount point options, you can pass them in as -// the first parameter. Second parameter is the label that you wish to apply -// to all content in the mount point. -func FormatMountLabel(src, mountLabel string) string { - if mountLabel != "" { - switch src { - case "": - src = fmt.Sprintf("context=%q", mountLabel) - default: - src = fmt.Sprintf("%s,context=%q", src, mountLabel) - } - } - return src -} - -// SetProcessLabel takes a process label and tells the kernel to assign the -// label to the next program executed by the current process. -func SetProcessLabel(processLabel string) error { - return selinux.SetExecLabel(processLabel) -} - -// SetSocketLabel takes a process label and tells the kernel to assign the -// label to the next socket that gets created -func SetSocketLabel(processLabel string) error { - return selinux.SetSocketLabel(processLabel) -} - -// SocketLabel retrieves the current default socket label setting -func SocketLabel() (string, error) { - return selinux.SocketLabel() -} - -// SetKeyLabel takes a process label and tells the kernel to assign the -// label to the next kernel keyring that gets created -func SetKeyLabel(processLabel string) error { - return selinux.SetKeyLabel(processLabel) -} - -// KeyLabel retrieves the current default kernel keyring label setting -func KeyLabel() (string, error) { - return selinux.KeyLabel() -} - -// ProcessLabel returns the process label that the kernel will assign -// to the next program executed by the current process. If "" is returned -// this indicates that the default labeling will happen for the process. -func ProcessLabel() (string, error) { - return selinux.ExecLabel() -} - -// FileLabel returns the label for specified path -func FileLabel(path string) (string, error) { - return selinux.FileLabel(path) -} - // SetFileLabel modifies the "path" label to the specified file label func SetFileLabel(path string, fileLabel string) error { - if selinux.GetEnabled() && fileLabel != "" { - return selinux.SetFileLabel(path, fileLabel) + if !selinux.GetEnabled() || fileLabel == "" { + return nil } - return nil + return selinux.SetFileLabel(path, fileLabel) } // SetFileCreateLabel tells the kernel the label for all files to be created func SetFileCreateLabel(fileLabel string) error { - if selinux.GetEnabled() { - return selinux.SetFSCreateLabel(fileLabel) + if !selinux.GetEnabled() { + return nil } - return nil + return selinux.SetFSCreateLabel(fileLabel) } // Relabel changes the label of path to the filelabel string. // It changes the MCS label to s0 if shared is true. // This will allow all containers to share the content. func Relabel(path string, fileLabel string, shared bool) error { - if !selinux.GetEnabled() { - return nil - } - - if fileLabel == "" { + if !selinux.GetEnabled() || fileLabel == "" { return nil } @@ -211,7 +151,7 @@ func Relabel(path string, fileLabel string, shared bool) error { path = strings.TrimSuffix(path, "/") } if exclude_paths[path] { - return fmt.Errorf("SELinux relabeling of %s is not allowed", path) + return errors.Errorf("SELinux relabeling of %s is not allowed", path) } if shared { @@ -229,48 +169,10 @@ func Relabel(path string, fileLabel string, shared bool) error { return nil } -// PidLabel will return the label of the process running with the specified pid -func PidLabel(pid int) (string, error) { - return selinux.PidLabel(pid) -} - -// Init initialises the labeling system -func Init() { - selinux.GetEnabled() -} - -// ClearLabels will clear all reserved labels -func ClearLabels() { - selinux.ClearLabels() -} - -// ReserveLabel will record the fact that the MCS label has already been used. -// This will prevent InitLabels from using the MCS label in a newly created -// container -func ReserveLabel(label string) error { - selinux.ReserveLabel(label) - return nil -} - -// ReleaseLabel will remove the reservation of the MCS label. -// This will allow InitLabels to use the MCS label in a newly created -// containers -func ReleaseLabel(label string) error { - selinux.ReleaseLabel(label) - return nil -} - -// DupSecOpt takes a process label and returns security options that -// can be used to set duplicate labels on future container processes -func DupSecOpt(src string) ([]string, error) { - return selinux.DupSecOpt(src) -} - // DisableSecOpt returns a security opt that can disable labeling // support for future container processes -func DisableSecOpt() []string { - return selinux.DisableSecOpt() -} +// Deprecated: use selinux.DisableSecOpt +var DisableSecOpt = selinux.DisableSecOpt // Validate checks that the label does not include unexpected options func Validate(label string) error { diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_stub.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_stub.go new file mode 100644 index 0000000000..c2bdd35d73 --- /dev/null +++ b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_stub.go @@ -0,0 +1,50 @@ +// +build !selinux !linux + +package label + +// InitLabels returns the process label and file labels to be used within +// the container. A list of options can be passed into this function to alter +// the labels. +func InitLabels(options []string) (string, string, error) { + return "", "", nil +} + +// Deprecated: The GenLabels function is only to be used during the transition +// to the official API. Use InitLabels(strings.Fields(options)) instead. +func GenLabels(options string) (string, string, error) { + return "", "", nil +} + +func SetFileLabel(path string, fileLabel string) error { + return nil +} + +func SetFileCreateLabel(fileLabel string) error { + return nil +} + +func Relabel(path string, fileLabel string, shared bool) error { + return nil +} + +// DisableSecOpt returns a security opt that can disable labeling +// support for future container processes +func DisableSecOpt() []string { + // TODO the selinux.DisableSecOpt stub returns []string{"disable"} instead of "nil" + return nil +} + +// Validate checks that the label does not include unexpected options +func Validate(label string) error { + return nil +} + +// RelabelNeeded checks whether the user requested a relabel +func RelabelNeeded(label string) bool { + return false +} + +// IsShared checks that the label includes a "shared" mark +func IsShared(label string) bool { + return false +} diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go index 8cdf1b054a..f22c04b6c6 100644 --- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go +++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go @@ -7,18 +7,19 @@ import ( "bytes" "crypto/rand" "encoding/binary" - "errors" "fmt" "io" "io/ioutil" "os" + "path" "path/filepath" "regexp" "strconv" "strings" "sync" - "syscall" + "github.com/opencontainers/selinux/pkg/pwalk" + "github.com/pkg/errors" "golang.org/x/sys/unix" ) @@ -30,22 +31,24 @@ const ( // Disabled constant to indicate SELinux is disabled Disabled = -1 + // DefaultCategoryRange is the upper bound on the category range + DefaultCategoryRange = uint32(1024) + + contextFile = "/usr/share/containers/selinux/contexts" selinuxDir = "/etc/selinux/" selinuxConfig = selinuxDir + "config" selinuxfsMount = "/sys/fs/selinux" selinuxTypeTag = "SELINUXTYPE" selinuxTag = "SELINUX" xattrNameSelinux = "security.selinux" - stRdOnly = 0x01 - selinuxfsMagic = 0xf97cff8c ) type selinuxState struct { - enabledSet bool - enabled bool - selinuxfsSet bool - selinuxfs string - mcsList map[string]bool + enabledSet bool + enabled bool + selinuxfsOnce sync.Once + selinuxfs string + mcsList map[string]bool sync.Mutex } @@ -57,11 +60,18 @@ var ( // InvalidLabel is returned when an invalid label is specified. InvalidLabel = errors.New("Invalid Label") + // CategoryRange allows the upper bound on the category range to be adjusted + CategoryRange = DefaultCategoryRange + assignRegex = regexp.MustCompile(`^([^=]+)=(.*)$`) roFileLabel string state = selinuxState{ mcsList: make(map[string]bool), } + + // for attrPath() + attrPathOnce sync.Once + haveThreadSelf bool ) // Context is a representation of the SELinux label broken into 4 parts @@ -98,30 +108,23 @@ func SetDisabled() { state.setEnable(false) } -func (s *selinuxState) setSELinuxfs(selinuxfs string) string { - s.Lock() - defer s.Unlock() - s.selinuxfsSet = true - s.selinuxfs = selinuxfs - return s.selinuxfs -} - func verifySELinuxfsMount(mnt string) bool { - var buf syscall.Statfs_t + var buf unix.Statfs_t for { - err := syscall.Statfs(mnt, &buf) + err := unix.Statfs(mnt, &buf) if err == nil { break } - if err == syscall.EAGAIN { + if err == unix.EAGAIN { continue } return false } - if uint32(buf.Type) != uint32(selinuxfsMagic) { + + if uint32(buf.Type) != uint32(unix.SELINUX_MAGIC) { return false } - if (buf.Flags & stRdOnly) != 0 { + if (buf.Flags & unix.ST_RDONLY) != 0 { return false } @@ -166,33 +169,29 @@ func findSELinuxfs() string { // if there is one, or an empty string in case of EOF or error. func findSELinuxfsMount(s *bufio.Scanner) string { for s.Scan() { - txt := s.Text() + txt := s.Bytes() // The first field after - is fs type. // Safe as spaces in mountpoints are encoded as \040 - if !strings.Contains(txt, " - selinuxfs ") { + if !bytes.Contains(txt, []byte(" - selinuxfs ")) { continue } const mPos = 5 // mount point is 5th field - fields := strings.SplitN(txt, " ", mPos+1) + fields := bytes.SplitN(txt, []byte(" "), mPos+1) if len(fields) < mPos+1 { continue } - return fields[mPos-1] + return string(fields[mPos-1]) } return "" } func (s *selinuxState) getSELinuxfs() string { - s.Lock() - selinuxfs := s.selinuxfs - selinuxfsSet := s.selinuxfsSet - s.Unlock() - if selinuxfsSet { - return selinuxfs - } + s.selinuxfsOnce.Do(func() { + s.selinuxfs = findSELinuxfs() + }) - return s.setSELinuxfs(findSELinuxfs()) + return s.selinuxfs } // getSelinuxMountPoint returns the path to the mountpoint of an selinuxfs @@ -254,10 +253,17 @@ func getSELinuxPolicyRoot() string { return filepath.Join(selinuxDir, readConfig(selinuxTypeTag)) } -func isProcHandle(fh *os.File) (bool, error) { +func isProcHandle(fh *os.File) error { var buf unix.Statfs_t err := unix.Fstatfs(int(fh.Fd()), &buf) - return buf.Type == unix.PROC_SUPER_MAGIC, err + if err != nil { + return errors.Wrapf(err, "statfs(%q) failed", fh.Name()) + } + if buf.Type != unix.PROC_SUPER_MAGIC { + return errors.Errorf("file %q is not on procfs", fh.Name()) + } + + return nil } func readCon(fpath string) (string, error) { @@ -271,10 +277,8 @@ func readCon(fpath string) (string, error) { } defer in.Close() - if ok, err := isProcHandle(in); err != nil { + if err := isProcHandle(in); err != nil { return "", err - } else if !ok { - return "", fmt.Errorf("%s not on procfs", fpath) } var retval string @@ -284,12 +288,32 @@ func readCon(fpath string) (string, error) { return strings.Trim(retval, "\x00"), nil } +// ClassIndex returns the int index for an object class in the loaded policy, or -1 and an error +func ClassIndex(class string) (int, error) { + permpath := fmt.Sprintf("class/%s/index", class) + indexpath := filepath.Join(getSelinuxMountPoint(), permpath) + + indexB, err := ioutil.ReadFile(indexpath) + if err != nil { + return -1, err + } + index, err := strconv.Atoi(string(indexB)) + if err != nil { + return -1, err + } + + return index, nil +} + // SetFileLabel sets the SELinux label for this path or returns an error. func SetFileLabel(fpath string, label string) error { if fpath == "" { return ErrEmptyPath } - return lsetxattr(fpath, xattrNameSelinux, []byte(label), 0) + if err := unix.Lsetxattr(fpath, xattrNameSelinux, []byte(label), 0); err != nil { + return errors.Wrapf(err, "failed to set file label on %s", fpath) + } + return nil } // FileLabel returns the SELinux label for this path or returns an error. @@ -314,7 +338,7 @@ SetFSCreateLabel tells kernel the label to create all file system objects created by this task. Setting label="" to return to default. */ func SetFSCreateLabel(label string) error { - return writeCon(fmt.Sprintf("/proc/self/task/%d/attr/fscreate", syscall.Gettid()), label) + return writeAttr("fscreate", label) } /* @@ -322,12 +346,12 @@ FSCreateLabel returns the default label the kernel which the kernel is using for file system objects created by this task. "" indicates default. */ func FSCreateLabel() (string, error) { - return readCon(fmt.Sprintf("/proc/self/task/%d/attr/fscreate", syscall.Gettid())) + return readAttr("fscreate") } // CurrentLabel returns the SELinux label of the current process thread, or an error. func CurrentLabel() (string, error) { - return readCon(fmt.Sprintf("/proc/self/task/%d/attr/current", syscall.Gettid())) + return readAttr("current") } // PidLabel returns the SELinux label of the given pid, or an error. @@ -340,10 +364,10 @@ ExecLabel returns the SELinux label that the kernel will use for any programs that are executed by the current process thread, or an error. */ func ExecLabel() (string, error) { - return readCon(fmt.Sprintf("/proc/self/task/%d/attr/exec", syscall.Gettid())) + return readAttr("exec") } -func writeCon(fpath string, val string) error { +func writeCon(fpath, val string) error { if fpath == "" { return ErrEmptyPath } @@ -359,10 +383,8 @@ func writeCon(fpath string, val string) error { } defer out.Close() - if ok, err := isProcHandle(out); err != nil { + if err := isProcHandle(out); err != nil { return err - } else if !ok { - return fmt.Errorf("%s not on procfs", fpath) } if val != "" { @@ -370,7 +392,36 @@ func writeCon(fpath string, val string) error { } else { _, err = out.Write(nil) } - return err + if err != nil { + return errors.Wrapf(err, "failed to set %s on procfs", fpath) + } + return nil +} + +func attrPath(attr string) string { + // Linux >= 3.17 provides this + const threadSelfPrefix = "/proc/thread-self/attr" + + attrPathOnce.Do(func() { + st, err := os.Stat(threadSelfPrefix) + if err == nil && st.Mode().IsDir() { + haveThreadSelf = true + } + }) + + if haveThreadSelf { + return path.Join(threadSelfPrefix, attr) + } + + return path.Join("/proc/self/task/", strconv.Itoa(unix.Gettid()), "/attr/", attr) +} + +func readAttr(attr string) (string, error) { + return readCon(attrPath(attr)) +} + +func writeAttr(attr, val string) error { + return writeCon(attrPath(attr), val) } /* @@ -382,6 +433,18 @@ func CanonicalizeContext(val string) (string, error) { return readWriteCon(filepath.Join(getSelinuxMountPoint(), "context"), val) } +/* +ComputeCreateContext requests the type transition from source to target for class from the kernel. +*/ +func ComputeCreateContext(source string, target string, class string) (string, error) { + classidx, err := ClassIndex(class) + if err != nil { + return "", err + } + + return readWriteCon(filepath.Join(getSelinuxMountPoint(), "create"), fmt.Sprintf("%s %s %d", source, target, classidx)) +} + func readWriteCon(fpath string, val string) (string, error) { if fpath == "" { return "", ErrEmptyPath @@ -409,7 +472,7 @@ SetExecLabel sets the SELinux label that the kernel will use for any programs that are executed by the current process thread, or an error. */ func SetExecLabel(label string) error { - return writeCon(fmt.Sprintf("/proc/self/task/%d/attr/exec", syscall.Gettid()), label) + return writeAttr("exec", label) } /* @@ -417,33 +480,33 @@ SetTaskLabel sets the SELinux label for the current thread, or an error. This requires the dyntransition permission. */ func SetTaskLabel(label string) error { - return writeCon(fmt.Sprintf("/proc/self/task/%d/attr/current", syscall.Gettid()), label) + return writeAttr("current", label) } // SetSocketLabel takes a process label and tells the kernel to assign the // label to the next socket that gets created func SetSocketLabel(label string) error { - return writeCon(fmt.Sprintf("/proc/self/task/%d/attr/sockcreate", syscall.Gettid()), label) + return writeAttr("sockcreate", label) } // SocketLabel retrieves the current socket label setting func SocketLabel() (string, error) { - return readCon(fmt.Sprintf("/proc/self/task/%d/attr/sockcreate", syscall.Gettid())) + return readAttr("sockcreate") } // PeerLabel retrieves the label of the client on the other side of a socket func PeerLabel(fd uintptr) (string, error) { - return unix.GetsockoptString(int(fd), syscall.SOL_SOCKET, syscall.SO_PEERSEC) + return unix.GetsockoptString(int(fd), unix.SOL_SOCKET, unix.SO_PEERSEC) } // SetKeyLabel takes a process label and tells the kernel to assign the // label to the next kernel keyring that gets created func SetKeyLabel(label string) error { err := writeCon("/proc/self/attr/keycreate", label) - if os.IsNotExist(err) { + if os.IsNotExist(errors.Cause(err)) { return nil } - if label == "" && os.IsPermission(err) && !GetEnabled() { + if label == "" && os.IsPermission(errors.Cause(err)) { return nil } return err @@ -499,19 +562,18 @@ func ReserveLabel(label string) { } func selinuxEnforcePath() string { - return fmt.Sprintf("%s/enforce", getSelinuxMountPoint()) + return path.Join(getSelinuxMountPoint(), "enforce") } // EnforceMode returns the current SELinux mode Enforcing, Permissive, Disabled func EnforceMode() int { var enforce int - enforceS, err := readCon(selinuxEnforcePath()) + enforceB, err := ioutil.ReadFile(selinuxEnforcePath()) if err != nil { return -1 } - - enforce, err = strconv.Atoi(string(enforceS)) + enforce, err = strconv.Atoi(string(enforceB)) if err != nil { return -1 } @@ -523,7 +585,7 @@ SetEnforceMode sets the current SELinux mode Enforcing, Permissive. Disabled is not valid, since this needs to be set at boot time. */ func SetEnforceMode(mode int) error { - return writeCon(selinuxEnforcePath(), fmt.Sprintf("%d", mode)) + return ioutil.WriteFile(selinuxEnforcePath(), []byte(strconv.Itoa(mode)), 0644) } /* @@ -629,23 +691,26 @@ func ROFileLabel() string { return roFileLabel } -/* -ContainerLabels returns an allocated processLabel and fileLabel to be used for -container labeling by the calling process. -*/ -func ContainerLabels() (processLabel string, fileLabel string) { +func openContextFile() (*os.File, error) { + if f, err := os.Open(contextFile); err == nil { + return f, nil + } + lxcPath := filepath.Join(getSELinuxPolicyRoot(), "/contexts/lxc_contexts") + return os.Open(lxcPath) +} + +var labels = loadLabels() + +func loadLabels() map[string]string { var ( val, key string bufin *bufio.Reader ) - if !GetEnabled() { - return "", "" - } - lxcPath := fmt.Sprintf("%s/contexts/lxc_contexts", getSELinuxPolicyRoot()) - in, err := os.Open(lxcPath) + labels := make(map[string]string) + in, err := openContextFile() if err != nil { - return "", "" + return labels } defer in.Close() @@ -657,7 +722,7 @@ func ContainerLabels() (processLabel string, fileLabel string) { if err == io.EOF { done = true } else { - goto exit + break } } line = strings.TrimSpace(line) @@ -671,29 +736,67 @@ func ContainerLabels() (processLabel string, fileLabel string) { } if groups := assignRegex.FindStringSubmatch(line); groups != nil { key, val = strings.TrimSpace(groups[1]), strings.TrimSpace(groups[2]) - if key == "process" { - processLabel = strings.Trim(val, "\"") - } - if key == "file" { - fileLabel = strings.Trim(val, "\"") - } - if key == "ro_file" { - roFileLabel = strings.Trim(val, "\"") - } + labels[key] = strings.Trim(val, "\"") } } - if processLabel == "" || fileLabel == "" { + return labels +} + +/* +KVMContainerLabels returns the default processLabel and mountLabel to be used +for kvm containers by the calling process. +*/ +func KVMContainerLabels() (string, string) { + processLabel := labels["kvm_process"] + if processLabel == "" { + processLabel = labels["process"] + } + + return addMcs(processLabel, labels["file"]) +} + +/* +InitContainerLabels returns the default processLabel and file labels to be +used for containers running an init system like systemd by the calling process. +*/ +func InitContainerLabels() (string, string) { + processLabel := labels["init_process"] + if processLabel == "" { + processLabel = labels["process"] + } + + return addMcs(processLabel, labels["file"]) +} + +/* +ContainerLabels returns an allocated processLabel and fileLabel to be used for +container labeling by the calling process. +*/ +func ContainerLabels() (processLabel string, fileLabel string) { + if !GetEnabled() { return "", "" } + processLabel = labels["process"] + fileLabel = labels["file"] + roFileLabel = labels["ro_file"] + + if processLabel == "" || fileLabel == "" { + return "", fileLabel + } + if roFileLabel == "" { roFileLabel = fileLabel } -exit: + + return addMcs(processLabel, fileLabel) +} + +func addMcs(processLabel, fileLabel string) (string, string) { scon, _ := NewContext(processLabel) if scon["level"] != "" { - mcs := uniqMcs(1024) + mcs := uniqMcs(CategoryRange) scon["level"] = mcs processLabel = scon.Get() scon, _ = NewContext(fileLabel) @@ -705,7 +808,7 @@ exit: // SecurityCheckContext validates that the SELinux label is understood by the kernel func SecurityCheckContext(val string) error { - return writeCon(fmt.Sprintf("%s/context", getSelinuxMountPoint()), val) + return ioutil.WriteFile(path.Join(getSelinuxMountPoint(), "context"), []byte(val), 0644) } /* @@ -745,14 +848,14 @@ func badPrefix(fpath string) error { badPrefixes := []string{"/usr"} for _, prefix := range badPrefixes { if strings.HasPrefix(fpath, prefix) { - return fmt.Errorf("relabeling content in %s is not allowed", prefix) + return errors.Errorf("relabeling content in %s is not allowed", prefix) } } return nil } -// Chcon changes the `fpath` file object to the SELinux label `label`. -// If `fpath` is a directory and `recurse`` is true, Chcon will walk the +// Chcon changes the fpath file object to the SELinux label label. +// If fpath is a directory and recurse is true, Chcon will walk the // directory tree setting the label. func Chcon(fpath string, label string, recurse bool) error { if fpath == "" { @@ -764,19 +867,19 @@ func Chcon(fpath string, label string, recurse bool) error { if err := badPrefix(fpath); err != nil { return err } - callback := func(p string, info os.FileInfo, err error) error { + + if !recurse { + return SetFileLabel(fpath, label) + } + + return pwalk.Walk(fpath, func(p string, info os.FileInfo, err error) error { e := SetFileLabel(p, label) - if os.IsNotExist(e) { + // Walk a file tree can race with removal, so ignore ENOENT + if os.IsNotExist(errors.Cause(e)) { return nil } return e - } - - if recurse { - return filepath.Walk(fpath, callback) - } - - return SetFileLabel(fpath, label) + }) } // DupSecOpt takes an SELinux process label and returns security options that diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go index 0c2e1cd38e..c5fbba2faa 100644 --- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go +++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go @@ -1,4 +1,4 @@ -// +build !selinux +// +build !selinux !linux package selinux @@ -13,6 +13,8 @@ const ( Permissive = 0 // Disabled constant to indicate SELinux is disabled Disabled = -1 + // DefaultCategoryRange is the upper bound on the category range + DefaultCategoryRange = uint32(1024) ) var ( @@ -20,6 +22,8 @@ var ( ErrMCSAlreadyExists = errors.New("MCS label already exists") // ErrEmptyPath is returned when an empty path has been specified. ErrEmptyPath = errors.New("empty path") + // CategoryRange allows the upper bound on the category range to be adjusted + CategoryRange = DefaultCategoryRange ) // Context is a representation of the SELinux label broken into 4 parts @@ -35,6 +39,11 @@ func GetEnabled() bool { return false } +// ClassIndex returns the int index for an object class in the loaded policy, or -1 and an error +func ClassIndex(class string) (int, error) { + return -1, nil +} + // SetFileLabel sets the SELinux label for this path or returns an error. func SetFileLabel(fpath string, label string) error { return nil @@ -88,6 +97,13 @@ func CanonicalizeContext(val string) (string, error) { return "", nil } +/* +ComputeCreateContext requests the type transition from source to target for class from the kernel. +*/ +func ComputeCreateContext(source string, target string, class string) (string, error) { + return "", nil +} + /* SetExecLabel sets the SELinux label that the kernel will use for any programs that are executed by the current process thread, or an error. @@ -101,7 +117,7 @@ SetTaskLabel sets the SELinux label for the current thread, or an error. This requires the dyntransition permission. */ func SetTaskLabel(label string) error { - return nil + return nil } /* @@ -189,6 +205,18 @@ func ROFileLabel() string { return "" } +// KVMContainerLabels returns the default processLabel and mountLabel to be used +// for kvm containers by the calling process. +func KVMContainerLabels() (string, string) { + return "", "" +} + +// InitContainerLabels returns the default processLabel and file labels to be +// used for containers running an init system like systemd by the calling +func InitContainerLabels() (string, string) { + return "", "" +} + /* ContainerLabels returns an allocated processLabel and fileLabel to be used for container labeling by the calling process. diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/xattrs.go b/vendor/github.com/opencontainers/selinux/go-selinux/xattrs.go index 67a9d8ee85..de5c80ef3a 100644 --- a/vendor/github.com/opencontainers/selinux/go-selinux/xattrs.go +++ b/vendor/github.com/opencontainers/selinux/go-selinux/xattrs.go @@ -3,76 +3,28 @@ package selinux import ( - "syscall" - "unsafe" + "golang.org/x/sys/unix" ) -var _zero uintptr - // Returns a []byte slice if the xattr is set and nil otherwise // Requires path and its attribute as arguments func lgetxattr(path string, attr string) ([]byte, error) { - var sz int - pathBytes, err := syscall.BytePtrFromString(path) - if err != nil { - return nil, err - } - attrBytes, err := syscall.BytePtrFromString(attr) - if err != nil { - return nil, err - } - // Start with a 128 length byte array - sz = 128 - dest := make([]byte, sz) - destBytes := unsafe.Pointer(&dest[0]) - _sz, _, errno := syscall.Syscall6(syscall.SYS_LGETXATTR, uintptr(unsafe.Pointer(pathBytes)), uintptr(unsafe.Pointer(attrBytes)), uintptr(destBytes), uintptr(len(dest)), 0, 0) + dest := make([]byte, 128) + sz, errno := unix.Lgetxattr(path, attr, dest) + for errno == unix.ERANGE { + // Buffer too small, use zero-sized buffer to get the actual size + sz, errno = unix.Lgetxattr(path, attr, []byte{}) + if errno != nil { + return nil, errno + } - switch { - case errno == syscall.ENODATA: - return nil, errno - case errno == syscall.ENOTSUP: - return nil, errno - case errno == syscall.ERANGE: - // 128 byte array might just not be good enough, - // A dummy buffer is used ``uintptr(0)`` to get real size - // of the xattrs on disk - _sz, _, errno = syscall.Syscall6(syscall.SYS_LGETXATTR, uintptr(unsafe.Pointer(pathBytes)), uintptr(unsafe.Pointer(attrBytes)), uintptr(unsafe.Pointer(nil)), uintptr(0), 0, 0) - sz = int(_sz) - if sz < 0 { - return nil, errno - } dest = make([]byte, sz) - destBytes := unsafe.Pointer(&dest[0]) - _sz, _, errno = syscall.Syscall6(syscall.SYS_LGETXATTR, uintptr(unsafe.Pointer(pathBytes)), uintptr(unsafe.Pointer(attrBytes)), uintptr(destBytes), uintptr(len(dest)), 0, 0) - if errno != 0 { - return nil, errno - } - case errno != 0: + sz, errno = unix.Lgetxattr(path, attr, dest) + } + if errno != nil { return nil, errno } - sz = int(_sz) + return dest[:sz], nil } - -func lsetxattr(path string, attr string, data []byte, flags int) error { - pathBytes, err := syscall.BytePtrFromString(path) - if err != nil { - return err - } - attrBytes, err := syscall.BytePtrFromString(attr) - if err != nil { - return err - } - var dataBytes unsafe.Pointer - if len(data) > 0 { - dataBytes = unsafe.Pointer(&data[0]) - } else { - dataBytes = unsafe.Pointer(&_zero) - } - _, _, errno := syscall.Syscall6(syscall.SYS_LSETXATTR, uintptr(unsafe.Pointer(pathBytes)), uintptr(unsafe.Pointer(attrBytes)), uintptr(dataBytes), uintptr(len(data)), uintptr(flags), 0) - if errno != 0 { - return errno - } - return nil -} diff --git a/vendor/github.com/opencontainers/selinux/pkg/pwalk/README.md b/vendor/github.com/opencontainers/selinux/pkg/pwalk/README.md new file mode 100644 index 0000000000..16c4dfd3ec --- /dev/null +++ b/vendor/github.com/opencontainers/selinux/pkg/pwalk/README.md @@ -0,0 +1,42 @@ +## pwalk: parallel implementation of filepath.Walk + +This is a wrapper for [filepath.Walk](https://pkg.go.dev/path/filepath?tab=doc#Walk) +which may speed it up by calling multiple callback functions (WalkFunc) in parallel, +utilizing goroutines. + +By default, it utilizes 2\*runtime.NumCPU() goroutines for callbacks. +This can be changed by using WalkN function which has the additional +parameter, specifying the number of goroutines (concurrency). + +### Caveats + +Please note the following limitations of this code: + +* Unlike filepath.Walk, the order of calls is non-deterministic; + +* Only primitive error handling is supported: + + * filepath.SkipDir is not supported; + + * no errors are ever passed to WalkFunc; + + * once any error is returned from any WalkFunc instance, no more new calls + to WalkFunc are made, and the error is returned to the caller of Walk; + + * if more than one walkFunc instance will return an error, only one + of such errors will be propagated and returned by Walk, others + will be silently discarded. + +### Documentation + +For the official documentation, see +https://pkg.go.dev/github.com/opencontainers/selinux/pkg/pwalk?tab=doc + +### Benchmarks + +For a WalkFunc that consists solely of the return statement, this +implementation is about 10% slower than the standard library's +filepath.Walk. + +Otherwise (if a WalkFunc is doing something) this is usually faster, +except when the WalkN(..., 1) is used. diff --git a/vendor/github.com/opencontainers/selinux/pkg/pwalk/pwalk.go b/vendor/github.com/opencontainers/selinux/pkg/pwalk/pwalk.go new file mode 100644 index 0000000000..2ee0d01508 --- /dev/null +++ b/vendor/github.com/opencontainers/selinux/pkg/pwalk/pwalk.go @@ -0,0 +1,99 @@ +package pwalk + +import ( + "os" + "path/filepath" + "runtime" + "sync" + + "github.com/pkg/errors" +) + +type WalkFunc = filepath.WalkFunc + +// Walk is a wrapper for filepath.Walk which can call multiple walkFn +// in parallel, allowing to handle each item concurrently. A maximum of +// twice the runtime.NumCPU() walkFn will be called at any one time. +// If you want to change the maximum, use WalkN instead. +// +// The order of calls is non-deterministic. +// +// Note that this implementation only supports primitive error handling: +// +// * no errors are ever passed to WalkFn +// +// * once a walkFn returns any error, all further processing stops +// and the error is returned to the caller of Walk; +// +// * filepath.SkipDir is not supported; +// +// * if more than one walkFn instance will return an error, only one +// of such errors will be propagated and returned by Walk, others +// will be silently discarded. +// +func Walk(root string, walkFn WalkFunc) error { + return WalkN(root, walkFn, runtime.NumCPU()*2) +} + +// WalkN is a wrapper for filepath.Walk which can call multiple walkFn +// in parallel, allowing to handle each item concurrently. A maximum of +// num walkFn will be called at any one time. +func WalkN(root string, walkFn WalkFunc, num int) error { + // make sure limit is sensible + if num < 1 { + return errors.Errorf("walk(%q): num must be > 0", root) + } + + files := make(chan *walkArgs, 2*num) + errCh := make(chan error, 1) // get the first error, ignore others + + // Start walking a tree asap + var err error + go func() { + err = filepath.Walk(root, func(p string, info os.FileInfo, err error) error { + if err != nil { + close(files) + return err + } + // add a file to the queue unless a callback sent an error + select { + case e := <-errCh: + close(files) + return e + default: + files <- &walkArgs{path: p, info: &info} + return nil + } + }) + if err == nil { + close(files) + } + }() + + var wg sync.WaitGroup + wg.Add(num) + for i := 0; i < num; i++ { + go func() { + for file := range files { + if e := walkFn(file.path, *file.info, nil); e != nil { + select { + case errCh <- e: // sent ok + default: // buffer full + } + } + } + wg.Done() + }() + } + + wg.Wait() + + return err +} + +// walkArgs holds the arguments that were passed to the Walk or WalkLimit +// functions. +type walkArgs struct { + path string + info *os.FileInfo +} diff --git a/vendor/modules.txt b/vendor/modules.txt index 74aaf294db..070e678597 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -157,7 +157,7 @@ github.com/container-storage-interface/spec/lib/go/csi github.com/containerd/cgroups # github.com/containerd/console v0.0.0-20180822173158-c12b1e7919c1 => github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50 github.com/containerd/console -# github.com/containerd/containerd v1.3.0-beta.2.0.20190828155532-0293cbd26c69 => github.com/rancher/containerd v1.3.3-k3s2 +# github.com/containerd/containerd v1.3.6 => github.com/rancher/containerd v1.3.6-k3s1 github.com/containerd/containerd github.com/containerd/containerd/api/events github.com/containerd/containerd/api/services/containers/v1 @@ -294,7 +294,7 @@ github.com/containerd/continuity/pathdriver github.com/containerd/continuity/proto github.com/containerd/continuity/syscallx github.com/containerd/continuity/sysx -# github.com/containerd/cri v0.0.0-00010101000000-000000000000 => github.com/rancher/cri v1.3.0-k3s.6 +# github.com/containerd/cri v0.0.0-00010101000000-000000000000 => github.com/rancher/cri v1.3.0-k3s.7 github.com/containerd/cri github.com/containerd/cri/pkg/annotations github.com/containerd/cri/pkg/api/runtimeoptions/v1 @@ -318,9 +318,9 @@ github.com/containerd/cri/pkg/store/snapshot github.com/containerd/cri/pkg/util # github.com/containerd/fifo v0.0.0-20190816180239-bda0ff6ed73c => github.com/containerd/fifo v0.0.0-20190816180239-bda0ff6ed73c github.com/containerd/fifo -# github.com/containerd/go-cni v0.0.0-20190904155053-d20b7eebc7ee +# github.com/containerd/go-cni v0.0.0-20190813230227-49fbd9b210f3 github.com/containerd/go-cni -# github.com/containerd/go-runc v0.0.0-20190923131748-a2952bc25f51 => github.com/containerd/go-runc v0.0.0-20190911050354-e029b79d8cda +# github.com/containerd/go-runc v0.0.0-20190911050354-e029b79d8cda github.com/containerd/go-runc # github.com/containerd/ttrpc v0.0.0-20190828172938-92c8520ef9f8 github.com/containerd/ttrpc @@ -591,6 +591,10 @@ github.com/grpc-ecosystem/go-grpc-prometheus github.com/grpc-ecosystem/grpc-gateway/internal github.com/grpc-ecosystem/grpc-gateway/runtime github.com/grpc-ecosystem/grpc-gateway/utilities +# github.com/hashicorp/errwrap v0.0.0-20141028054710-7554cd9344ce +github.com/hashicorp/errwrap +# github.com/hashicorp/go-multierror v0.0.0-20161216184304-ed905158d874 +github.com/hashicorp/go-multierror # github.com/hashicorp/golang-lru v0.5.3 github.com/hashicorp/golang-lru github.com/hashicorp/golang-lru/simplelru @@ -686,9 +690,10 @@ github.com/opencontainers/runc/libcontainer/utils github.com/opencontainers/runc/types # github.com/opencontainers/runtime-spec v1.0.0 => github.com/opencontainers/runtime-spec v0.0.0-20180911193056-5684b8af48c1 github.com/opencontainers/runtime-spec/specs-go -# github.com/opencontainers/selinux v1.3.1-0.20190929122143-5215b1806f52 +# github.com/opencontainers/selinux v1.5.3-0.20200613095409-bb88c45a3863 github.com/opencontainers/selinux/go-selinux github.com/opencontainers/selinux/go-selinux/label +github.com/opencontainers/selinux/pkg/pwalk # github.com/peterbourgon/diskv v2.0.1+incompatible github.com/peterbourgon/diskv # github.com/pkg/errors v0.9.1