diff --git a/Dockerfile b/Dockerfile index 68ad1926..4b0f28e8 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ # syntax = docker/dockerfile:1.3 ARG RUNC_VERSION=v1.0.2 -ARG CONTAINERD_VERSION=v1.6.0-rc.1 +ARG CONTAINERD_VERSION=v1.6.0-rc.2 # containerd v1.5 for integration tests ARG CONTAINERD_ALT_VERSION_15=v1.5.5 # containerd v1.4 for integration tests diff --git a/go.mod b/go.mod index 1296be4f..14426827 100644 --- a/go.mod +++ b/go.mod @@ -8,7 +8,7 @@ require ( github.com/agext/levenshtein v1.2.3 github.com/armon/circbuf v0.0.0-20190214190532-5111143e8da2 github.com/containerd/console v1.0.3 - github.com/containerd/containerd v1.6.0-rc.1.0.20220127150749-a43703fcba54 + github.com/containerd/containerd v1.6.0-rc.2 github.com/containerd/continuity v0.2.2 github.com/containerd/fuse-overlayfs-snapshotter v1.0.2 github.com/containerd/go-cni v1.1.2 @@ -84,7 +84,7 @@ require ( github.com/beorn7/perks v1.0.1 // indirect github.com/cenkalti/backoff/v4 v4.1.2 // indirect github.com/cespare/xxhash/v2 v2.1.2 // indirect - github.com/containerd/cgroups v1.0.2 // indirect + github.com/containerd/cgroups v1.0.3 // indirect github.com/containerd/fifo v1.0.0 // indirect github.com/containerd/ttrpc v1.1.0 // indirect github.com/containernetworking/cni v1.0.1 // indirect diff --git a/go.sum b/go.sum index 9f6449d3..e3813629 100644 --- a/go.sum +++ b/go.sum @@ -277,8 +277,9 @@ github.com/containerd/cgroups v0.0.0-20200710171044-318312a37340/go.mod h1:s5q4S github.com/containerd/cgroups v0.0.0-20200824123100-0b889c03f102/go.mod h1:s5q4SojHctfxANBDvMeIaIovkq29IP48TKAxnhYRxvo= github.com/containerd/cgroups v0.0.0-20210114181951-8a68de567b68/go.mod h1:ZJeTFisyysqgcCdecO57Dj79RfL0LNeGiFUqLYQRYLE= github.com/containerd/cgroups v1.0.1/go.mod h1:0SJrPIenamHDcZhEcJMNBB85rHcUsw4f25ZfBiPYRkU= -github.com/containerd/cgroups v1.0.2 h1:mZBclaSgNDfPWtfhj2xJY28LZ9nYIgzB0pwSURPl6JM= github.com/containerd/cgroups v1.0.2/go.mod h1:qpbpJ1jmlqsR9f2IyaLPsdkCdnt0rbDVqIDlhuu5tRY= +github.com/containerd/cgroups v1.0.3 h1:ADZftAkglvCiD44c77s5YmMqaP2pzVCFZvBmAlBdAP4= +github.com/containerd/cgroups v1.0.3/go.mod h1:/ofk34relqNjSGyqPrmEULrO4Sc8LJhvJmWbUCUKqj8= github.com/containerd/console v0.0.0-20180822173158-c12b1e7919c1/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw= github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw= github.com/containerd/console v0.0.0-20191206165004-02ecf6a7291e/go.mod h1:8Pf4gM6VEbTNRIT26AyyU7hxdQU3MvAvxVI0sc00XBE= @@ -306,8 +307,8 @@ github.com/containerd/containerd v1.5.1/go.mod h1:0DOxVqwDy2iZvrZp2JUx/E+hS0UNTV github.com/containerd/containerd v1.5.7/go.mod h1:gyvv6+ugqY25TiXxcZC3L5yOeYgEw0QMhscqVp1AR9c= github.com/containerd/containerd v1.5.8/go.mod h1:YdFSv5bTFLpG2HIYmfqDpSYYTDX+mc5qtSuYx1YUb/s= github.com/containerd/containerd v1.6.0-rc.1/go.mod h1:jdeOXdXovU4bWF2Bd2hJjqpcOrrpSC1wmFCTtf6LD+A= -github.com/containerd/containerd v1.6.0-rc.1.0.20220127150749-a43703fcba54 h1:ZQqTZnRLXn44/VOq0LBjnH3vMOgGoEUic+8b1a1TBx4= -github.com/containerd/containerd v1.6.0-rc.1.0.20220127150749-a43703fcba54/go.mod h1:jdeOXdXovU4bWF2Bd2hJjqpcOrrpSC1wmFCTtf6LD+A= +github.com/containerd/containerd v1.6.0-rc.2 h1:hsW0v4GABCGKvBjSnF7gP6oamyEX9fOwvK8wZWHZYKs= +github.com/containerd/containerd v1.6.0-rc.2/go.mod h1:g4o55STrmMXiGegQmOMUb41SwwJk9wq+DlmFxuA8nu0= github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= github.com/containerd/continuity v0.0.0-20191127005431-f65d91d395eb/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= diff --git a/vendor/github.com/containerd/containerd/RELEASES.md b/vendor/github.com/containerd/containerd/RELEASES.md index e5b5d10e..cd7f4532 100644 --- a/vendor/github.com/containerd/containerd/RELEASES.md +++ b/vendor/github.com/containerd/containerd/RELEASES.md @@ -100,8 +100,8 @@ The current state is available in the following tables: | [1.1](https://github.com/containerd/containerd/releases/tag/v1.1.8) | End of Life | April 23, 2018 | October 23, 2019 | | [1.2](https://github.com/containerd/containerd/releases/tag/v1.2.13) | End of Life | October 24, 2018 | October 15, 2020 | | [1.3](https://github.com/containerd/containerd/releases/tag/v1.3.10) | End of Life | September 26, 2019 | March 4, 2021 | -| [1.4](https://github.com/containerd/containerd/releases/tag/v1.4.4) | Extended | August 17, 2020 | November 3, 2021 (Active), February 3, 2022 (Extended) | -| [1.5](https://github.com/containerd/containerd/releases/tag/v1.5.0) | Active | May 3, 2021 | max(May 3, 2022, release of 1.6.0 + 6 months) | +| [1.4](https://github.com/containerd/containerd/releases/tag/v1.4.12) | Extended | August 17, 2020 | November 3, 2021 (Active), March 3, 2022 (Extended) | +| [1.5](https://github.com/containerd/containerd/releases/tag/v1.5.9) | Active | May 3, 2021 | max(May 3, 2022, release of 1.6.0 + 6 months) | | [1.6](https://github.com/containerd/containerd/milestone/34) | Next | TBD | max(TBD+1 year, release of 1.7.0 or 2.0.0 + 6 months) | Note that branches and release from before 1.0 may not follow these rules. diff --git a/vendor/github.com/containerd/containerd/images/archive/importer.go b/vendor/github.com/containerd/containerd/images/archive/importer.go index 8afdd68f..c5310495 100644 --- a/vendor/github.com/containerd/containerd/images/archive/importer.go +++ b/vendor/github.com/containerd/containerd/images/archive/importer.go @@ -269,9 +269,13 @@ func resolveLayers(ctx context.Context, store content.Store, layerFiles []string if ok { desc := descs[digest.Digest(dgst)] if desc != nil { - desc.MediaType = images.MediaTypeDockerSchema2LayerGzip desc.Digest = info.Digest desc.Size = info.Size + mediaType, err := detectLayerMediaType(ctx, store, *desc) + if err != nil { + return fmt.Errorf("failed to detect media type of layer: %w", err) + } + desc.MediaType = mediaType } } return nil @@ -381,3 +385,29 @@ func writeManifest(ctx context.Context, cs content.Ingester, manifest interface{ return desc, nil } + +func detectLayerMediaType(ctx context.Context, store content.Store, desc ocispec.Descriptor) (string, error) { + var mediaType string + // need to parse existing blob to use the proper media type + bytes := make([]byte, 10) + ra, err := store.ReaderAt(ctx, desc) + if err != nil { + return "", fmt.Errorf("failed to read content store to detect layer media type: %w", err) + } + defer ra.Close() + _, err = ra.ReadAt(bytes, 0) + if err != nil && err != io.EOF { + return "", fmt.Errorf("failed to read header bytes from layer to detect media type: %w", err) + } + if err == io.EOF { + // in the case of an empty layer then the media type should be uncompressed + return images.MediaTypeDockerSchema2Layer, nil + } + switch c := compression.DetectCompression(bytes); c { + case compression.Uncompressed: + mediaType = images.MediaTypeDockerSchema2Layer + default: + mediaType = images.MediaTypeDockerSchema2LayerGzip + } + return mediaType, nil +} diff --git a/vendor/github.com/containerd/containerd/oci/spec_opts.go b/vendor/github.com/containerd/containerd/oci/spec_opts.go index 51eb6e00..9b0cfc3f 100644 --- a/vendor/github.com/containerd/containerd/oci/spec_opts.go +++ b/vendor/github.com/containerd/containerd/oci/spec_opts.go @@ -602,6 +602,8 @@ func WithUser(userstr string) SpecOpts { if err != nil { return err } + + mounts = tryReadonlyMounts(mounts) return mount.WithTempMount(ctx, mounts, f) default: return fmt.Errorf("invalid USER value %s", userstr) @@ -655,6 +657,8 @@ func WithUserID(uid uint32) SpecOpts { if err != nil { return err } + + mounts = tryReadonlyMounts(mounts) return mount.WithTempMount(ctx, mounts, func(root string) error { user, err := UserFromPath(root, func(u user.User) bool { return u.Uid == int(uid) @@ -706,6 +710,8 @@ func WithUsername(username string) SpecOpts { if err != nil { return err } + + mounts = tryReadonlyMounts(mounts) return mount.WithTempMount(ctx, mounts, func(root string) error { user, err := UserFromPath(root, func(u user.User) bool { return u.Name == username @@ -790,6 +796,8 @@ func WithAdditionalGIDs(userstr string) SpecOpts { if err != nil { return err } + + mounts = tryReadonlyMounts(mounts) return mount.WithTempMount(ctx, mounts, setAdditionalGids) } } @@ -1278,3 +1286,21 @@ func WithDevShmSize(kb int64) SpecOpts { return ErrNoShmMount } } + +// tryReadonlyMounts is used by the options which are trying to get user/group +// information from container's rootfs. Since the option does read operation +// only, this helper will append ReadOnly mount option to prevent linux kernel +// from syncing whole filesystem in umount syscall. +// +// TODO(fuweid): +// +// Currently, it only works for overlayfs. I think we can apply it to other +// kinds of filesystem. Maybe we can return `ro` option by `snapshotter.Mount` +// API, when the caller passes that experimental annotation +// `containerd.io/snapshot/readonly.mount` something like that. +func tryReadonlyMounts(mounts []mount.Mount) []mount.Mount { + if len(mounts) == 1 && mounts[0].Type == "overlay" { + mounts[0].Options = append(mounts[0].Options, "ro") + } + return mounts +} diff --git a/vendor/github.com/containerd/containerd/platforms/platforms.go b/vendor/github.com/containerd/containerd/platforms/platforms.go index 18216522..8f955d03 100644 --- a/vendor/github.com/containerd/containerd/platforms/platforms.go +++ b/vendor/github.com/containerd/containerd/platforms/platforms.go @@ -257,10 +257,5 @@ func Format(platform specs.Platform) string { func Normalize(platform specs.Platform) specs.Platform { platform.OS = normalizeOS(platform.OS) platform.Architecture, platform.Variant = normalizeArch(platform.Architecture, platform.Variant) - - // these fields are deprecated, remove them - platform.OSFeatures = nil - platform.OSVersion = "" - return platform } diff --git a/vendor/github.com/containerd/containerd/remotes/docker/authorizer.go b/vendor/github.com/containerd/containerd/remotes/docker/authorizer.go index d898ca4f..eaa0e5db 100644 --- a/vendor/github.com/containerd/containerd/remotes/docker/authorizer.go +++ b/vendor/github.com/containerd/containerd/remotes/docker/authorizer.go @@ -311,7 +311,8 @@ func (ah *authHandler) doBearerAuth(ctx context.Context) (token, refreshToken st // Registries without support for POST may return 404 for POST /v2/token. // As of September 2017, GCR is known to return 404. // As of February 2018, JFrog Artifactory is known to return 401. - if (errStatus.StatusCode == 405 && to.Username != "") || errStatus.StatusCode == 404 || errStatus.StatusCode == 401 { + // As of January 2022, ACR is known to return 400. + if (errStatus.StatusCode == 405 && to.Username != "") || errStatus.StatusCode == 404 || errStatus.StatusCode == 401 || errStatus.StatusCode == 400 { resp, err := auth.FetchToken(ctx, ah.client, ah.header, to) if err != nil { return "", "", err diff --git a/vendor/github.com/containerd/containerd/remotes/docker/pusher.go b/vendor/github.com/containerd/containerd/remotes/docker/pusher.go index 3705da26..c786ad21 100644 --- a/vendor/github.com/containerd/containerd/remotes/docker/pusher.go +++ b/vendor/github.com/containerd/containerd/remotes/docker/pusher.go @@ -79,7 +79,7 @@ func (p dockerPusher) push(ctx context.Context, desc ocispec.Descriptor, ref str if status.Committed && status.Offset == status.Total { return nil, fmt.Errorf("ref %v: %w", ref, errdefs.ErrAlreadyExists) } - if unavailableOnFail { + if unavailableOnFail && status.ErrClosed == nil { // Another push of this ref is happening elsewhere. The rest of function // will continue only when `errdefs.IsNotFound(err) == true` (i.e. there // is no actively-tracked ref already). @@ -355,6 +355,12 @@ func (pw *pushWriter) Write(p []byte) (n int, err error) { } func (pw *pushWriter) Close() error { + status, err := pw.tracker.GetStatus(pw.ref) + if err == nil && !status.Committed { + // Closing an incomplete writer. Record this as an error so that following write can retry it. + status.ErrClosed = errors.New("closed incomplete writer") + pw.tracker.SetStatus(pw.ref, status) + } return pw.pipe.Close() } diff --git a/vendor/github.com/containerd/containerd/remotes/docker/status.go b/vendor/github.com/containerd/containerd/remotes/docker/status.go index 751c2766..1f7b278a 100644 --- a/vendor/github.com/containerd/containerd/remotes/docker/status.go +++ b/vendor/github.com/containerd/containerd/remotes/docker/status.go @@ -31,6 +31,9 @@ type Status struct { Committed bool + // ErrClosed contains error encountered on close. + ErrClosed error + // UploadUUID is used by the Docker registry to reference blob uploads UploadUUID string } diff --git a/vendor/github.com/containerd/containerd/version/version.go b/vendor/github.com/containerd/containerd/version/version.go index 030448a6..a6ea4037 100644 --- a/vendor/github.com/containerd/containerd/version/version.go +++ b/vendor/github.com/containerd/containerd/version/version.go @@ -23,7 +23,7 @@ var ( Package = "github.com/containerd/containerd" // Version holds the complete version number. Filled in at linking time. - Version = "1.6.0-rc.1+unknown" + Version = "1.6.0-rc.2+unknown" // Revision is filled with the VCS (e.g. git) revision being used to build // the program at linking time. diff --git a/vendor/modules.txt b/vendor/modules.txt index 9ca7ef82..7cc46396 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -51,13 +51,13 @@ github.com/cenkalti/backoff/v4 # github.com/cespare/xxhash/v2 v2.1.2 ## explicit; go 1.11 github.com/cespare/xxhash/v2 -# github.com/containerd/cgroups v1.0.2 +# github.com/containerd/cgroups v1.0.3 ## explicit; go 1.16 github.com/containerd/cgroups/stats/v1 # github.com/containerd/console v1.0.3 ## explicit; go 1.13 github.com/containerd/console -# github.com/containerd/containerd v1.6.0-rc.1.0.20220127150749-a43703fcba54 +# github.com/containerd/containerd v1.6.0-rc.2 ## explicit; go 1.16 github.com/containerd/containerd github.com/containerd/containerd/api/services/containers/v1