From f2537f0a33c44c1a61a70254a3cb56fcaf99a9b7 Mon Sep 17 00:00:00 2001 From: Valentin Rothberg Date: Sat, 6 Feb 2021 13:00:29 +0100 Subject: [PATCH] Revert "Bump github.com/opencontainers/runc from 1.0.0-rc91 to 1.0.0-rc93" This reverts commit fc61280ca046bd4530b16b0c8a0763fe492ebb15. The bump of the gocapability package is causing regressions in Podman. 
Signed-off-by: Valentin Rothberg --- common/go.mod | 7 +- common/go.sum | 22 +-- common/pkg/chown/chown.go | 2 - common/pkg/chown/chown_test.go | 2 - common/pkg/chown/chown_windows.go | 12 -- common/pkg/parse/parse_unix.go | 7 +- .../cyphar/filepath-securejoin/.travis.yml | 19 --- .../cyphar/filepath-securejoin/LICENSE | 28 ---- .../cyphar/filepath-securejoin/README.md | 65 -------- .../cyphar/filepath-securejoin/VERSION | 1 - .../cyphar/filepath-securejoin/join.go | 134 --------------- .../cyphar/filepath-securejoin/vendor.conf | 1 - .../cyphar/filepath-securejoin/vfs.go | 41 ----- .../golang/protobuf/proto/text_decode.go | 2 +- .../{apparmor_linux.go => apparmor.go} | 20 ++- ...or_unsupported.go => apparmor_disabled.go} | 2 +- .../libcontainer/cgroups/fscommon/fscommon.go | 51 ------ .../libcontainer/cgroups/fscommon/open.go | 103 ------------ .../libcontainer/cgroups/fscommon/utils.go | 102 ------------ .../runc/libcontainer/cgroups/stats.go | 28 ---- .../runc/libcontainer/cgroups/utils.go | 135 ++++----------- .../runc/libcontainer/cgroups/v1_utils.go | 157 +++++++----------- .../runc/libcontainer/configs/cgroup_linux.go | 13 +- .../runc/libcontainer/configs/config.go | 15 +- .../{devices => configs}/device.go | 70 ++++---- .../runc/libcontainer/configs/devices.go | 17 -- .../libcontainer/configs/namespaces_linux.go | 2 +- .../runc/libcontainer/devices/device_unix.go | 16 -- .../libcontainer/devices/device_windows.go | 5 - .../runc/libcontainer/devices/devices.go | 34 ++-- .../runc/libcontainer/system/proc.go | 10 ++ .../runc/libcontainer/user/lookup_windows.go | 6 +- .../runc/libcontainer/user/user.go | 6 +- .../runc/libcontainer/utils/utils.go | 19 +-- .../runtime-spec/specs-go/config.go | 12 +- .../runtime-spec/specs-go/state.go | 2 +- .../syndtr/gocapability/capability/enum.go | 45 +---- .../gocapability/capability/enum_gen.go | 9 - common/vendor/modules.txt | 17 +- 39 files changed, 222 insertions(+), 1017 deletions(-) delete mode 100644 
common/pkg/chown/chown_windows.go delete mode 100644 common/vendor/github.com/cyphar/filepath-securejoin/.travis.yml delete mode 100644 common/vendor/github.com/cyphar/filepath-securejoin/LICENSE delete mode 100644 common/vendor/github.com/cyphar/filepath-securejoin/README.md delete mode 100644 common/vendor/github.com/cyphar/filepath-securejoin/VERSION delete mode 100644 common/vendor/github.com/cyphar/filepath-securejoin/join.go delete mode 100644 common/vendor/github.com/cyphar/filepath-securejoin/vendor.conf delete mode 100644 common/vendor/github.com/cyphar/filepath-securejoin/vfs.go rename common/vendor/github.com/opencontainers/runc/libcontainer/apparmor/{apparmor_linux.go => apparmor.go} (67%) rename common/vendor/github.com/opencontainers/runc/libcontainer/apparmor/{apparmor_unsupported.go => apparmor_disabled.go} (91%) delete mode 100644 common/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fscommon/fscommon.go delete mode 100644 common/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fscommon/open.go delete mode 100644 common/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fscommon/utils.go rename common/vendor/github.com/opencontainers/runc/libcontainer/{devices => configs}/device.go (58%) delete mode 100644 common/vendor/github.com/opencontainers/runc/libcontainer/configs/devices.go delete mode 100644 common/vendor/github.com/opencontainers/runc/libcontainer/devices/device_unix.go delete mode 100644 common/vendor/github.com/opencontainers/runc/libcontainer/devices/device_windows.go diff --git a/common/go.mod b/common/go.mod index bd863769f8..c228fa28be 100644 --- a/common/go.mod +++ b/common/go.mod 
@@ -11,12 +11,13 @@ require (
 github.com/docker/docker v17.12.0-ce-rc1.0.20201020191947-73dc6a680cdd+incompatible
 github.com/docker/go-units v0.4.0
 github.com/ghodss/yaml v1.0.0
+ github.com/google/go-cmp v0.5.2 // indirect
 github.com/gorilla/mux v1.8.0 // indirect
 github.com/hashicorp/go-multierror v1.1.0
 github.com/onsi/ginkgo v1.15.0
 github.com/onsi/gomega v1.10.5
- github.com/opencontainers/runc v1.0.0-rc93
- github.com/opencontainers/runtime-spec v1.0.3-0.20200929063507-e6143ca7d51d
+ github.com/opencontainers/runc v1.0.0-rc91
+ github.com/opencontainers/runtime-spec v1.0.3-0.20200710190001-3e4195d92445
 github.com/opencontainers/runtime-tools v0.9.0
 github.com/opencontainers/selinux v1.8.0
 github.com/pkg/errors v0.9.1
@@ -26,7 +27,7 @@ require (
 github.com/spf13/cobra v1.1.1
 github.com/spf13/pflag v1.0.5
 github.com/stretchr/testify v1.7.0
- github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635
+ github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9
 golang.org/x/sys v0.0.0-20210112080510-489259a85091
 )
diff --git a/common/go.sum b/common/go.sum
index 277cdda4bf..088921b14f 100644
--- a/common/go.sum
+++ b/common/go.sum
@@ -38,19 +38,16 @@ github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdn github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= github.com/checkpoint-restore/go-criu/v4 v4.0.2/go.mod h1:xUQBLp4RLc5zJtWY++yjOoMoB5lihDt7fai+75m+rGw= -github.com/checkpoint-restore/go-criu/v4 v4.1.0/go.mod h1:xUQBLp4RLc5zJtWY++yjOoMoB5lihDt7fai+75m+rGw= github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= github.com/cilium/ebpf v0.0.0-20200110133405-4032b1d8aae3/go.mod h1:MA5e5Lr8slmEg9bt0VpxxWqJlO4iwu3FBdHUzV7wQVg= github.com/cilium/ebpf v0.0.0-20200507155900-a9f01edf17e3/go.mod h1:XT+cAw5wfvsodedcijoh1l9cf7v1x9FlFB/3VmF/O8s= -github.com/cilium/ebpf v0.2.0/go.mod h1:To2CFviqOWL/M0gIMsvSMlqe7em/l1ALkX1PyjrX2Qs= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/containerd/cgroups v0.0.0-20200531161412-0dbf7f05ba59 h1:qWj4qVYZ95vLWwqyNJCQg7rDsG5wPdze0UaPolH7DUk= github.com/containerd/cgroups v0.0.0-20200531161412-0dbf7f05ba59/go.mod h1:pA0z1pT8KYB3TCXK/ocprsh7MAkoW8bZVzPdih9snmM= github.com/containerd/console v0.0.0-20180822173158-c12b1e7919c1/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw= github.com/containerd/console v1.0.0/go.mod h1:8Pf4gM6VEbTNRIT26AyyU7hxdQU3MvAvxVI0sc00XBE= -github.com/containerd/console v1.0.1/go.mod h1:XUsP6YE/mKtz6bxc+I8UiKKTP04qjQL4qcS3XoQ5xkw= github.com/containerd/containerd v1.3.2/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= github.com/containerd/fifo 
v0.0.0-20190226154929-a9fb20d87448/go.mod h1:ODA38xgv3Kuk8dQz2ZQXpnv/UZZUHUCL7pnLehbXgQI= @@ -74,12 +71,9 @@ github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e h1:Wf6HqHfScWJN9 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd/v22 v22.0.0 h1:XJIw/+VlJ+87J+doOxznsAWIdmWuViOVhkQamW5YV28= github.com/coreos/go-systemd/v22 v22.0.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk= -github.com/coreos/go-systemd/v22 v22.1.0 h1:kq/SbG2BCKLkDKkjQf5OWwKWUKj1lgs3lFI4PxnR5lg= -github.com/coreos/go-systemd/v22 v22.1.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk= github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= -github.com/cyphar/filepath-securejoin v0.2.2 h1:jCwT2GTP+PY5nBz3c/YL5PAIbusElVrPujOBSCj8xRg= github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= 
@@ -135,8 +129,6 @@ github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:W github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= github.com/golang/protobuf v1.4.2 h1:+Z5KGCizgyZCbGh1KZqA0fcLLkwbsjIzS4aV2v7wJX0= github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= -github.com/golang/protobuf v1.4.3 h1:JjCZWpVbqXDqFVmTfYWEVTMIYrL/NPdPSCHPJ0T/raM= -github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= @@ -248,7 +240,6 @@ github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lN github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= github.com/mrunalp/fileutils v0.0.0-20171103030105-7d4729fb3618/go.mod h1:x8F1gnqOkIEiO4rqoeEEEqQbo7HjGMTvyoq3gej4iT0= -github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ= github.com/mtrmac/gpgme v0.1.2/go.mod h1:GYYHnGSuS7HK3zVS2n3y73y0okK/BeKzwnn5jgiVFNI= github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/nxadm/tail v1.4.4 h1:DQuhQpB1tVlglWS2hLQ5OV6B5r8aGxSrPc5Qo6uTN78= 
@@ -272,13 +263,11 @@ github.com/opencontainers/image-spec v1.0.2-0.20190823105129-775207bd45b6/go.mod github.com/opencontainers/runc v0.0.0-20190115041553-12f6a991201f/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= github.com/opencontainers/runc v1.0.0-rc91 h1:Tp8LWs5G8rFpzTsbRjAtQkPVexhCu0bnANE5IfIhJ6g= github.com/opencontainers/runc v1.0.0-rc91/go.mod h1:3Sm6Dt7OT8z88EbdQqqcRN2oCT54jbi72tT/HqgflT8= -github.com/opencontainers/runc v1.0.0-rc93 h1:x2UMpOOVf3kQ8arv/EsDGwim8PTNqzL1/EYDr/+scOM= -github.com/opencontainers/runc v1.0.0-rc93/go.mod h1:3NOsor4w32B2tC0Zbl8Knk4Wg84SM2ImC1fxBuqJ/H0= github.com/opencontainers/runtime-spec v1.0.2/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-spec v1.0.3-0.20200520003142-237cc4f519e2 h1:9mv9SC7GWmRWE0J/+oD8w3GsN2KYGKtg6uwLN7hfP5E= github.com/opencontainers/runtime-spec v1.0.3-0.20200520003142-237cc4f519e2/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= -github.com/opencontainers/runtime-spec v1.0.3-0.20200929063507-e6143ca7d51d h1:pNa8metDkwZjb9g4T8s+krQ+HRgZAkqnXml+wNir/+s= -github.com/opencontainers/runtime-spec v1.0.3-0.20200929063507-e6143ca7d51d/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= +github.com/opencontainers/runtime-spec v1.0.3-0.20200710190001-3e4195d92445 h1:y8cfsJRmn8g3VkM4IDpusKSgMUZEXhudm/BuYANLozE= +github.com/opencontainers/runtime-spec v1.0.3-0.20200710190001-3e4195d92445/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-tools v0.9.0 h1:FYgwVsKRI/H9hU32MJ/4MLOzXWodKK5zsQavY8NPMkU= github.com/opencontainers/runtime-tools v0.9.0/go.mod h1:r3f7wjNzSs2extwzU3Y+6pKfobzPh+kKFJ3ofN+3nfs= github.com/opencontainers/selinux v1.5.1/go.mod h1:yTcKuYAh6R95iDpefGLQaPaRwJFwyzAJufJyiTt7s0g= 
@@ -359,8 +348,6 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw= github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2 h1:b6uOv7YOFK0TYG7HtkIgExQo+2RdLuwRft63jn2HWj8= github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= -github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtseVEc4yCz2qF8ZrQvIDBJLl4S1c3GCXmoI= -github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= github.com/tchap/go-patricia v2.3.0+incompatible h1:GkY4dP3cEfEASBPPkWd+AmjYxhmDkqO9/zg7R0lSQRs= github.com/tchap/go-patricia v2.3.0+incompatible/go.mod h1:bmLyhP68RS6kStMGxByiQ23RP/odRBOTVjwp2cDyi6I= github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= @@ -444,8 +431,6 @@ golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/ golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb h1:eBmm0M9fYhWpKZLjQUUKka/LtIxf46G4fxeEz5KJr9U= golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20201224014010-6772e930b67b h1:iFwSg7t5GZmB/Q5TjiEAsdoLDrdJRC1RiF2WhuV29Qw= -golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -487,17 +472,14 @@ golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200327173247-9dae0f8f5775/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200909081042-eff7692f9009/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200916030750-2334cc1a136f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f h1:+Nyd8tzPX9R7BWHguqsrbFdRx3WQ/1ib8I44HXV5yTA= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3 h1:kzM6+9dur93BcC2kVlYl34cHU+TYZLanmpSJHVMmL64= golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201218084310-7d0127a74742 h1:+CBz4km/0KPU3RGTwARGh/noP3bEwtHcq+0YcBQM2JQ= golang.org/x/sys v0.0.0-20201218084310-7d0127a74742/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210112080510-489259a85091 h1:DMyOG0U+gKfu8JZzg2UQe9MeaC1X+xQWlAKcRnjxjCw= golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= diff --git a/common/pkg/chown/chown.go b/common/pkg/chown/chown.go index 3254660ac7..fe794304ed 100644 --- a/common/pkg/chown/chown.go 
+++ b/common/pkg/chown/chown.go
@@ -1,5 +1,3 @@
-// +build !windows
-
 package chown
 
 import (
diff --git a/common/pkg/chown/chown_test.go b/common/pkg/chown/chown_test.go
index 52bfce9120..b92040e33c 100644
--- a/common/pkg/chown/chown_test.go
+++ b/common/pkg/chown/chown_test.go
@@ -1,5 +1,3 @@
-// +build !windows
-
 package chown
 
 import (
diff --git a/common/pkg/chown/chown_windows.go b/common/pkg/chown/chown_windows.go
deleted file mode 100644
index 5781eb0628..0000000000
--- a/common/pkg/chown/chown_windows.go
+++ /dev/null
@@ -1,12 +0,0 @@
-package chown
-
-// DangerousHostPath validates if a host path is dangerous and should not be modified
-func DangerousHostPath(path string) (bool, error) {
- return false, nil
-}
-
-// ChangeHostPathOwnership changes the uid and gid ownership of a directory or file within the host.
-// This is used by the volume U flag to change source volumes ownership
-func ChangeHostPathOwnership(path string, recursive bool, uid, gid int) error {
- return nil
-}
diff --git a/common/pkg/parse/parse_unix.go b/common/pkg/parse/parse_unix.go
index c07471c931..880fbf674f 100644
--- a/common/pkg/parse/parse_unix.go
+++ b/common/pkg/parse/parse_unix.go
@@ -7,12 +7,13 @@ import (
 "path/filepath"
 
 "github.com/containers/storage/pkg/unshare"
+ "github.com/opencontainers/runc/libcontainer/configs"
 "github.com/opencontainers/runc/libcontainer/devices"
 "github.com/pkg/errors"
 )
 
-func DeviceFromPath(device string) ([]devices.Device, error) {
- var devs []devices.Device
+func DeviceFromPath(device string) ([]configs.Device, error) {
+ var devs []configs.Device
 src, dst, permissions, err := Device(device)
 if err != nil {
 return nil, err
@@ -43,7 +44,7 @@ func DeviceFromPath(device string) ([]devices.Device, error) {
 }
 for _, d := range srcDevices {
 d.Path = filepath.Join(dst, filepath.Base(d.Path))
- d.Permissions = devices.Permissions(permissions)
+ d.Permissions = configs.DevicePermissions(permissions)
 devs = append(devs, *d)
 }
 return devs, nil
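Review bot: `DeviceFromPath` is exported, and the first parse_unix.go hunk changes its return type from `[]devices.Device` to `[]configs.Device`, so this is a visible API change for every importer of `pkg/parse`, not merely a vendored-type swap, yet the commit message only mentions the gocapability regression. A sentence in the description naming the consumers that have to move in lockstep (Podman is implied) would save whoever bisects this later from rediscovering it. The same hunk keeps the `devices` import next to the newly added `configs` import; presumably it is still needed by the device-enumeration code that produces `srcDevices`, which lies between the two hunks and outside this view, so it is worth confirming the import does not become unused. `DeviceFromPath`'s body starts in the first hunk and continues past the end of the second.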
diff --git a/common/vendor/github.com/cyphar/filepath-securejoin/.travis.yml b/common/vendor/github.com/cyphar/filepath-securejoin/.travis.yml deleted file mode 100644 index 3938f38349..0000000000 --- a/common/vendor/github.com/cyphar/filepath-securejoin/.travis.yml +++ /dev/null @@ -1,19 +0,0 @@ -# Copyright (C) 2017 SUSE LLC. All rights reserved. -# Use of this source code is governed by a BSD-style -# license that can be found in the LICENSE file. - -language: go -go: - - 1.7.x - - 1.8.x - - tip - -os: - - linux - - osx - -script: - - go test -cover -v ./... - -notifications: - email: false diff --git a/common/vendor/github.com/cyphar/filepath-securejoin/LICENSE b/common/vendor/github.com/cyphar/filepath-securejoin/LICENSE deleted file mode 100644 index bec842f294..0000000000 --- a/common/vendor/github.com/cyphar/filepath-securejoin/LICENSE +++ /dev/null 
@@ -1,28 +0,0 @@ -Copyright (C) 2014-2015 Docker Inc & Go Authors. All rights reserved. -Copyright (C) 2017 SUSE LLC. All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are -met: - - * Redistributions of source code must retain the above copyright -notice, this list of conditions and the following disclaimer. - * Redistributions in binary form must reproduce the above -copyright notice, this list of conditions and the following disclaimer -in the documentation and/or other materials provided with the -distribution. - * Neither the name of Google Inc. nor the names of its -contributors may be used to endorse or promote products derived from -this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/common/vendor/github.com/cyphar/filepath-securejoin/README.md b/common/vendor/github.com/cyphar/filepath-securejoin/README.md deleted file mode 100644 index 49b2baa9f3..0000000000 --- a/common/vendor/github.com/cyphar/filepath-securejoin/README.md +++ /dev/null 
@@ -1,65 +0,0 @@ -## `filepath-securejoin` ## - -[![Build Status](https://travis-ci.org/cyphar/filepath-securejoin.svg?branch=master)](https://travis-ci.org/cyphar/filepath-securejoin) - -An implementation of `SecureJoin`, a [candidate for inclusion in the Go -standard library][go#20126]. The purpose of this function is to be a "secure" -alternative to `filepath.Join`, and in particular it provides certain -guarantees that are not provided by `filepath.Join`. - -This is the function prototype: - -```go -func SecureJoin(root, unsafePath string) (string, error) -``` - -This library **guarantees** the following: - -* If no error is set, the resulting string **must** be a child path of - `SecureJoin` and will not contain any symlink path components (they will all - be expanded). - -* When expanding symlinks, all symlink path components **must** be resolved - relative to the provided root. In particular, this can be considered a - userspace implementation of how `chroot(2)` operates on file paths. Note that - these symlinks will **not** be expanded lexically (`filepath.Clean` is not - called on the input before processing). - -* Non-existant path components are unaffected by `SecureJoin` (similar to - `filepath.EvalSymlinks`'s semantics). - -* The returned path will always be `filepath.Clean`ed and thus not contain any - `..` components. 
- -A (trivial) implementation of this function on GNU/Linux systems could be done -with the following (note that this requires root privileges and is far more -opaque than the implementation in this library, and also requires that -`readlink` is inside the `root` path): - -```go -package securejoin - -import ( - "os/exec" - "path/filepath" -) - -func SecureJoin(root, unsafePath string) (string, error) { - unsafePath = string(filepath.Separator) + unsafePath - cmd := exec.Command("chroot", root, - "readlink", "--canonicalize-missing", "--no-newline", unsafePath) - output, err := cmd.CombinedOutput() - if err != nil { - return "", err - } - expanded := string(output) - return filepath.Join(root, expanded), nil -} -``` - -[go#20126]: https://github.com/golang/go/issues/20126 - -### License ### - -The license of this project is the same as Go, which is a BSD 3-clause license -available in the `LICENSE` file. diff --git a/common/vendor/github.com/cyphar/filepath-securejoin/VERSION b/common/vendor/github.com/cyphar/filepath-securejoin/VERSION deleted file mode 100644 index ee1372d33a..0000000000 --- a/common/vendor/github.com/cyphar/filepath-securejoin/VERSION +++ /dev/null @@ -1 +0,0 @@ -0.2.2 diff --git a/common/vendor/github.com/cyphar/filepath-securejoin/join.go b/common/vendor/github.com/cyphar/filepath-securejoin/join.go deleted file mode 100644 index c4ca3d7130..0000000000 --- a/common/vendor/github.com/cyphar/filepath-securejoin/join.go +++ /dev/null 
@@ -1,134 +0,0 @@ -// Copyright (C) 2014-2015 Docker Inc & Go Authors. All rights reserved. -// Copyright (C) 2017 SUSE LLC. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Package securejoin is an implementation of the hopefully-soon-to-be-included -// SecureJoin helper that is meant to be part of the "path/filepath" package. -// The purpose of this project is to provide a PoC implementation to make the -// SecureJoin proposal (https://github.com/golang/go/issues/20126) more -// tangible. -package securejoin - -import ( - "bytes" - "os" - "path/filepath" - "strings" - "syscall" - - "github.com/pkg/errors" -) - -// ErrSymlinkLoop is returned by SecureJoinVFS when too many symlinks have been -// evaluated in attempting to securely join the two given paths. -var ErrSymlinkLoop = errors.Wrap(syscall.ELOOP, "secure join") - -// IsNotExist tells you if err is an error that implies that either the path -// accessed does not exist (or path components don't exist). This is -// effectively a more broad version of os.IsNotExist. -func IsNotExist(err error) bool { - // If it's a bone-fide ENOENT just bail. - if os.IsNotExist(errors.Cause(err)) { - return true - } - - // Check that it's not actually an ENOTDIR, which in some cases is a more - // convoluted case of ENOENT (usually involving weird paths). - var errno error - switch err := errors.Cause(err).(type) { - case *os.PathError: - errno = err.Err - case *os.LinkError: - errno = err.Err - case *os.SyscallError: - errno = err.Err - } - return errno == syscall.ENOTDIR || errno == syscall.ENOENT -} - -// SecureJoinVFS joins the two given path components (similar to Join) except -// that the returned path is guaranteed to be scoped inside the provided root -// path (when evaluated). Any symbolic links in the path are evaluated with the -// given root treated as the root of the filesystem, similar to a chroot. 
The -// filesystem state is evaluated through the given VFS interface (if nil, the -// standard os.* family of functions are used). -// -// Note that the guarantees provided by this function only apply if the path -// components in the returned string are not modified (in other words are not -// replaced with symlinks on the filesystem) after this function has returned. -// Such a symlink race is necessarily out-of-scope of SecureJoin. -func SecureJoinVFS(root, unsafePath string, vfs VFS) (string, error) { - // Use the os.* VFS implementation if none was specified. - if vfs == nil { - vfs = osVFS{} - } - - var path bytes.Buffer - n := 0 - for unsafePath != "" { - if n > 255 { - return "", ErrSymlinkLoop - } - - // Next path component, p. - i := strings.IndexRune(unsafePath, filepath.Separator) - var p string - if i == -1 { - p, unsafePath = unsafePath, "" - } else { - p, unsafePath = unsafePath[:i], unsafePath[i+1:] - } - - // Create a cleaned path, using the lexical semantics of /../a, to - // create a "scoped" path component which can safely be joined to fullP - // for evaluation. At this point, path.String() doesn't contain any - // symlink components. - cleanP := filepath.Clean(string(filepath.Separator) + path.String() + p) - if cleanP == string(filepath.Separator) { - path.Reset() - continue - } - fullP := filepath.Clean(root + cleanP) - - // Figure out whether the path is a symlink. - fi, err := vfs.Lstat(fullP) - if err != nil && !IsNotExist(err) { - return "", err - } - // Treat non-existent path components the same as non-symlinks (we - // can't do any better here). - if IsNotExist(err) || fi.Mode()&os.ModeSymlink == 0 { - path.WriteString(p) - path.WriteRune(filepath.Separator) - continue - } - - // Only increment when we actually dereference a link. - n++ - - // It's a symlink, expand it by prepending it to the yet-unparsed path. 
- dest, err := vfs.Readlink(fullP) - if err != nil { - return "", err - } - // Absolute symlinks reset any work we've already done. - if filepath.IsAbs(dest) { - path.Reset() - } - unsafePath = dest + string(filepath.Separator) + unsafePath - } - - // We have to clean path.String() here because it may contain '..' - // components that are entirely lexical, but would be misleading otherwise. - // And finally do a final clean to ensure that root is also lexically - // clean. - fullP := filepath.Clean(string(filepath.Separator) + path.String()) - return filepath.Clean(root + fullP), nil -} - -// SecureJoin is a wrapper around SecureJoinVFS that just uses the os.* library -// of functions as the VFS. If in doubt, use this function over SecureJoinVFS. -func SecureJoin(root, unsafePath string) (string, error) { - return SecureJoinVFS(root, unsafePath, nil) -} diff --git a/common/vendor/github.com/cyphar/filepath-securejoin/vendor.conf b/common/vendor/github.com/cyphar/filepath-securejoin/vendor.conf deleted file mode 100644 index 66bb574b95..0000000000 --- a/common/vendor/github.com/cyphar/filepath-securejoin/vendor.conf +++ /dev/null @@ -1 +0,0 @@ -github.com/pkg/errors v0.8.0 diff --git a/common/vendor/github.com/cyphar/filepath-securejoin/vfs.go b/common/vendor/github.com/cyphar/filepath-securejoin/vfs.go deleted file mode 100644 index a82a5eae11..0000000000 --- a/common/vendor/github.com/cyphar/filepath-securejoin/vfs.go +++ /dev/null 
@@ -1,41 +0,0 @@ -// Copyright (C) 2017 SUSE LLC. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package securejoin - -import "os" - -// In future this should be moved into a separate package, because now there -// are several projects (umoci and go-mtree) that are using this sort of -// interface. - -// VFS is the minimal interface necessary to use SecureJoinVFS. A nil VFS is -// equivalent to using the standard os.* family of functions. This is mainly -// used for the purposes of mock testing, but also can be used to otherwise use -// SecureJoin with VFS-like system. -type VFS interface { - // Lstat returns a FileInfo describing the named file. If the file is a - // symbolic link, the returned FileInfo describes the symbolic link. Lstat - // makes no attempt to follow the link. These semantics are identical to - // os.Lstat. - Lstat(name string) (os.FileInfo, error) - - // Readlink returns the destination of the named symbolic link. These - // semantics are identical to os.Readlink. - Readlink(name string) (string, error) -} - -// osVFS is the "nil" VFS, in that it just passes everything through to the os -// module. -type osVFS struct{} - -// Lstat returns a FileInfo describing the named file. If the file is a -// symbolic link, the returned FileInfo describes the symbolic link. Lstat -// makes no attempt to follow the link. These semantics are identical to -// os.Lstat. -func (o osVFS) Lstat(name string) (os.FileInfo, error) { return os.Lstat(name) } - -// Readlink returns the destination of the named symbolic link. These -// semantics are identical to os.Readlink. -func (o osVFS) Readlink(name string) (string, error) { return os.Readlink(name) } diff --git a/common/vendor/github.com/golang/protobuf/proto/text_decode.go b/common/vendor/github.com/golang/protobuf/proto/text_decode.go index 47eb3e4450..4a59310098 100644 
--- a/common/vendor/github.com/golang/protobuf/proto/text_decode.go
+++ b/common/vendor/github.com/golang/protobuf/proto/text_decode.go
@@ -765,7 +765,7 @@ func unescape(s string) (ch string, tail string, err error) {
 if i > utf8.MaxRune {
 return "", "", fmt.Errorf(`\%c%s is not a valid Unicode code point`, r, ss)
 }
- return string(rune(i)), s, nil
+ return string(i), s, nil
 }
 return "", "", fmt.Errorf(`unknown escape \%c`, r)
 }
diff --git a/common/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_linux.go b/common/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor.go
similarity index 67%
rename from common/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_linux.go
rename to common/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor.go
index 73965f12d8..debfc1e489 100644
--- a/common/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_linux.go
+++ b/common/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor.go
@@ -1,7 +1,8 @@
+// +build apparmor,linux
+
 package apparmor
 
 import (
- "bytes"
 "fmt"
 "io/ioutil"
 "os"
@@ -11,9 +12,11 @@ import (
 
 // IsEnabled returns true if apparmor is enabled for the host.
 func IsEnabled() bool {
- if _, err := os.Stat("/sys/kernel/security/apparmor"); err == nil {
- buf, err := ioutil.ReadFile("/sys/module/apparmor/parameters/enabled")
- return err == nil && bytes.HasPrefix(buf, []byte("Y"))
+ if _, err := os.Stat("/sys/kernel/security/apparmor"); err == nil && os.Getenv("container") == "" {
+ if _, err = os.Stat("/sbin/apparmor_parser"); err == nil {
+ buf, err := ioutil.ReadFile("/sys/module/apparmor/parameters/enabled")
+ return err == nil && len(buf) > 1 && buf[0] == 'Y'
+ }
 }
 return false
 }
@@ -21,7 +24,9 @@ func IsEnabled() bool {
 func setProcAttr(attr, value string) error {
 // Under AppArmor you can only change your own attr, so use /proc/self/
 // instead of /proc// like libapparmor does
- f, err := os.OpenFile("/proc/self/attr/"+attr, os.O_WRONLY, 0)
+ path := fmt.Sprintf("/proc/self/attr/%s", attr)
+
+ f, err := os.OpenFile(path, os.O_WRONLY, 0)
 if err != nil {
 return err
 }
@@ -31,13 +36,14 @@ func setProcAttr(attr, value string) error {
 return err
 }
 
- _, err = f.WriteString(value)
+ _, err = fmt.Fprintf(f, "%s", value)
 return err
 }
 
 // changeOnExec reimplements aa_change_onexec from libapparmor in Go
 func changeOnExec(name string) error {
- if err := setProcAttr("exec", "exec "+name); err != nil {
+ value := "exec " + name
+ if err := setProcAttr("exec", value); err != nil {
 return fmt.Errorf("apparmor failed to apply profile: %s", err)
 }
 return nil
diff --git a/common/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_unsupported.go b/common/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_disabled.go
similarity index 91%
rename from common/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_unsupported.go
rename to common/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_disabled.go
index 0bc473f810..d4110cf0bc 100644
--- a/common/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_unsupported.go
+++ b/common/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_disabled.go
@@ -1,4 +1,4 @@
-// +build !linux
+// +build !apparmor !linux
 
 package apparmor
 
diff --git a/common/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fscommon/fscommon.go b/common/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fscommon/fscommon.go
deleted file mode 100644
index ae2613cdbd..0000000000
--- a/common/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fscommon/fscommon.go
+++ /dev/null
@@ -1,51 +0,0 @@
-// +build linux
-
-package fscommon
-
-import (
- "bytes"
- "os"
-
- "github.com/pkg/errors"
- "github.com/sirupsen/logrus"
- "golang.org/x/sys/unix"
-)
-
-// WriteFile writes data to a cgroup file in dir.
-// It is supposed to be used for cgroup files only.
-func WriteFile(dir, file, data string) error {
- fd, err := OpenFile(dir, file, unix.O_WRONLY)
- if err != nil {
- return err
- }
- defer fd.Close()
- if err := retryingWriteFile(fd, data); err != nil {
- return errors.Wrapf(err, "failed to write %q", data)
- }
- return nil
-}
-
-// ReadFile reads data from a cgroup file in dir.
-// It is supposed to be used for cgroup files only.
-func ReadFile(dir, file string) (string, error) {
- fd, err := OpenFile(dir, file, unix.O_RDONLY)
- if err != nil {
- return "", err
- }
- defer fd.Close()
- var buf bytes.Buffer
-
- _, err = buf.ReadFrom(fd)
- return buf.String(), err
-}
-
-func retryingWriteFile(fd *os.File, data string) error {
- for {
- _, err := fd.Write([]byte(data))
- if errors.Is(err, unix.EINTR) {
- logrus.Infof("interrupted while writing %s to %s", data, fd.Name())
- continue
- }
- return err
- }
-}
diff --git a/common/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fscommon/open.go b/common/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fscommon/open.go
deleted file mode 100644
index 0a7e3d9528..0000000000
--- a/common/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fscommon/open.go
+++ /dev/null
@@ -1,103 +0,0 @@
-package fscommon
-
-import (
- "os"
- "strings"
- "sync"
-
- securejoin "github.com/cyphar/filepath-securejoin"
- "github.com/pkg/errors"
- "github.com/sirupsen/logrus"
- "golang.org/x/sys/unix"
-)
-
-const (
- cgroupfsDir = "/sys/fs/cgroup"
- cgroupfsPrefix = cgroupfsDir + "/"
-)
-
-var (
- // Set to true by fs unit tests
- TestMode bool
-
- cgroupFd int = -1
- prepOnce sync.Once
- prepErr error
- resolveFlags uint64
-)
-
-func prepareOpenat2() error {
- prepOnce.Do(func() {
- fd, err := unix.Openat2(-1, cgroupfsDir, &unix.OpenHow{
- Flags: unix.O_DIRECTORY | unix.O_PATH})
- if err != nil {
- prepErr = &os.PathError{Op: "openat2", Path: cgroupfsDir, Err: err}
- if err != unix.ENOSYS {
- logrus.Warnf("falling back to securejoin: %s", prepErr)
- } else {
- logrus.Debug("openat2 not available, falling back to securejoin")
- }
- return
- }
- var st unix.Statfs_t
- if err = unix.Fstatfs(fd, &st); err != nil {
- prepErr = &os.PathError{Op: "statfs", Path: cgroupfsDir, Err: err}
- logrus.Warnf("falling back to securejoin: %s", prepErr)
- return
- }
-
- cgroupFd = fd
-
- resolveFlags = unix.RESOLVE_BENEATH | unix.RESOLVE_NO_MAGICLINKS
- if st.Type == unix.CGROUP2_SUPER_MAGIC {
- // cgroupv2 has a single mountpoint and no "cpu,cpuacct" symlinks
- resolveFlags |= unix.RESOLVE_NO_XDEV | unix.RESOLVE_NO_SYMLINKS
- }
-
- })
-
- return prepErr
-}
-
-// OpenFile opens a cgroup file in a given dir with given flags.
-// It is supposed to be used for cgroup files only.
-func OpenFile(dir, file string, flags int) (*os.File, error) {
- if dir == "" {
- return nil, errors.Errorf("no directory specified for %s", file)
- }
- mode := os.FileMode(0)
- if TestMode && flags&os.O_WRONLY != 0 {
- // "emulate" cgroup fs for unit tests
- flags |= os.O_TRUNC | os.O_CREATE
- mode = 0o600
- }
- reldir := strings.TrimPrefix(dir, cgroupfsPrefix)
- if len(reldir) == len(dir) { // non-standard path, old system?
- return openWithSecureJoin(dir, file, flags, mode)
- }
- if prepareOpenat2() != nil {
- return openWithSecureJoin(dir, file, flags, mode)
- }
-
- relname := reldir + "/" + file
- fd, err := unix.Openat2(cgroupFd, relname,
- &unix.OpenHow{
- Resolve: resolveFlags,
- Flags: uint64(flags) | unix.O_CLOEXEC,
- Mode: uint64(mode),
- })
- if err != nil {
- return nil, &os.PathError{Op: "openat2", Path: dir + "/" + file, Err: err}
- }
-
- return os.NewFile(uintptr(fd), cgroupfsPrefix+relname), nil
-}
-
-func openWithSecureJoin(dir, file string, flags int, mode os.FileMode) (*os.File, error) {
- path, err := securejoin.SecureJoin(dir, file)
- if err != nil {
- return nil, err
- }
-
- return os.OpenFile(path, flags, mode)
-}
diff --git a/common/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fscommon/utils.go b/common/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fscommon/utils.go
deleted file mode 100644
index 2e4e837f2b..0000000000
--- a/common/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fscommon/utils.go
+++ /dev/null
@@ -1,102 +0,0 @@
-// +build linux
-
-package fscommon
-
-import (
- "errors"
- "fmt"
- "math"
- "strconv"
- "strings"
-)
-
-var (
- ErrNotValidFormat = errors.New("line is not a valid key value format")
-)
-
-// ParseUint converts a string to an uint64 integer.
-// Negative values are returned at zero as, due to kernel bugs,
-// some of the memory cgroup stats can be negative.
-func ParseUint(s string, base, bitSize int) (uint64, error) {
- value, err := strconv.ParseUint(s, base, bitSize)
- if err != nil {
- intValue, intErr := strconv.ParseInt(s, base, bitSize)
- // 1. Handle negative values greater than MinInt64 (and)
- // 2. Handle negative values lesser than MinInt64
- if intErr == nil && intValue < 0 {
- return 0, nil
- } else if intErr != nil && intErr.(*strconv.NumError).Err == strconv.ErrRange && intValue < 0 {
- return 0, nil
- }
-
- return value, err
- }
-
- return value, nil
-}
-
-// GetCgroupParamKeyValue parses a space-separated "name value" kind of cgroup
-// parameter and returns its components. For example, "io_service_bytes 1234"
-// will return as "io_service_bytes", 1234.
-func GetCgroupParamKeyValue(t string) (string, uint64, error) {
- parts := strings.Fields(t)
- switch len(parts) {
- case 2:
- value, err := ParseUint(parts[1], 10, 64)
- if err != nil {
- return "", 0, fmt.Errorf("unable to convert to uint64: %v", err)
- }
-
- return parts[0], value, nil
- default:
- return "", 0, ErrNotValidFormat
- }
-}
-
-// GetCgroupParamUint reads a single uint64 value from the specified cgroup file.
-// If the value read is "max", the math.MaxUint64 is returned.
-func GetCgroupParamUint(path, file string) (uint64, error) {
- contents, err := GetCgroupParamString(path, file)
- if err != nil {
- return 0, err
- }
- contents = strings.TrimSpace(contents)
- if contents == "max" {
- return math.MaxUint64, nil
- }
-
- res, err := ParseUint(contents, 10, 64)
- if err != nil {
- return res, fmt.Errorf("unable to parse file %q", path+"/"+file)
- }
- return res, nil
-}
-
-// GetCgroupParamInt reads a single int64 value from specified cgroup file.
-// If the value read is "max", the math.MaxInt64 is returned.
-func GetCgroupParamInt(path, file string) (int64, error) {
- contents, err := ReadFile(path, file)
- if err != nil {
- return 0, err
- }
- contents = strings.TrimSpace(contents)
- if contents == "max" {
- return math.MaxInt64, nil
- }
-
- res, err := strconv.ParseInt(contents, 10, 64)
- if err != nil {
- return res, fmt.Errorf("unable to parse %q as a int from Cgroup file %q", contents, path+"/"+file)
- }
- return res, nil
-}
-
-// GetCgroupParamString reads a string from the specified cgroup file.
-func GetCgroupParamString(path, file string) (string, error) {
- contents, err := ReadFile(path, file)
- if err != nil {
- return "", err
- }
-
- return strings.TrimSpace(contents), nil
-}
diff --git a/common/vendor/github.com/opencontainers/runc/libcontainer/cgroups/stats.go b/common/vendor/github.com/opencontainers/runc/libcontainer/cgroups/stats.go
index e7f9c46263..7ac8166059 100644
--- a/common/vendor/github.com/opencontainers/runc/libcontainer/cgroups/stats.go
+++ b/common/vendor/github.com/opencontainers/runc/libcontainer/cgroups/stats.go
@@ -39,33 +39,6 @@ type CpuStats struct {
 ThrottlingData ThrottlingData `json:"throttling_data,omitempty"`
 }
 
-type CPUSetStats struct {
- // List of the physical numbers of the CPUs on which processes
- // in that cpuset are allowed to execute
- CPUs []uint16 `json:"cpus,omitempty"`
- // cpu_exclusive flag
- CPUExclusive uint64 `json:"cpu_exclusive"`
- // List of memory nodes on which processes in that cpuset
- // are allowed to allocate memory
- Mems []uint16 `json:"mems,omitempty"`
- // mem_hardwall flag
- MemHardwall uint64 `json:"mem_hardwall"`
- // mem_exclusive flag
- MemExclusive uint64 `json:"mem_exclusive"`
- // memory_migrate flag
- MemoryMigrate uint64 `json:"memory_migrate"`
- // memory_spread page flag
- MemorySpreadPage uint64 `json:"memory_spread_page"`
- // memory_spread slab flag
- MemorySpreadSlab uint64 `json:"memory_spread_slab"`
- // memory_pressure
- MemoryPressure uint64 `json:"memory_pressure"`
- // sched_load balance flag
- SchedLoadBalance uint64 `json:"sched_load_balance"`
- // sched_relax_domain_level
- SchedRelaxDomainLevel int64 `json:"sched_relax_domain_level"`
-}
-
 type MemoryData struct {
 Usage uint64 `json:"usage,omitempty"`
 MaxUsage uint64 `json:"max_usage,omitempty"`
@@ -148,7 +121,6 @@ type HugetlbStats struct {
 
 type Stats struct {
 CpuStats CpuStats `json:"cpu_stats,omitempty"`
- CPUSetStats CPUSetStats `json:"cpuset_stats,omitempty"`
 MemoryStats MemoryStats `json:"memory_stats,omitempty"`
 PidsStats PidsStats `json:"pids_stats,omitempty"`
 BlkioStats BlkioStats `json:"blkio_stats,omitempty"`
diff --git a/common/vendor/github.com/opencontainers/runc/libcontainer/cgroups/utils.go b/common/vendor/github.com/opencontainers/runc/libcontainer/cgroups/utils.go
index 840817e398..6e88b5dff6 100644
--- a/common/vendor/github.com/opencontainers/runc/libcontainer/cgroups/utils.go
+++ b/common/vendor/github.com/opencontainers/runc/libcontainer/cgroups/utils.go
@@ -15,9 +15,7 @@ import (
 "sync"
 "time"
 
- "github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
- "github.com/opencontainers/runc/libcontainer/system"
- "github.com/sirupsen/logrus"
+ units "github.com/docker/go-units"
 "golang.org/x/sys/unix"
 )
 
@@ -31,19 +29,19 @@ var (
 isUnified bool
 )
 
+// HugePageSizeUnitList is a list of the units used by the linux kernel when
+// naming the HugePage control files.
+// https://www.kernel.org/doc/Documentation/cgroup-v1/hugetlb.txt
+// TODO Since the kernel only use KB, MB and GB; TB and PB should be removed,
+// depends on https://github.com/docker/go-units/commit/a09cd47f892041a4fac473133d181f5aea6fa393
+var HugePageSizeUnitList = []string{"B", "KB", "MB", "GB", "TB", "PB"}
+
 // IsCgroup2UnifiedMode returns whether we are running in cgroup v2 unified mode.
 func IsCgroup2UnifiedMode() bool {
 isUnifiedOnce.Do(func() {
 var st unix.Statfs_t
- err := unix.Statfs(unifiedMountpoint, &st)
- if err != nil {
- if os.IsNotExist(err) && system.RunningInUserNS() {
- // ignore the "not found" error if running in userns
- logrus.WithError(err).Debugf("%s missing, assuming cgroup v1", unifiedMountpoint)
- isUnified = false
- return
- }
- panic(fmt.Sprintf("cannot statfs cgroup root: %s", err))
+ if err := unix.Statfs(unifiedMountpoint, &st); err != nil {
+ panic("cannot statfs cgroup root")
 }
 isUnified = st.Type == unix.CGROUP2_SUPER_MAGIC
 })
@@ -88,11 +86,11 @@ func GetAllSubsystems() ([]string, error) {
 // - freezer: implemented in kernel 5.2
 // We assume these are always available, as it is hard to detect availability.
 pseudo := []string{"devices", "freezer"}
- data, err := fscommon.ReadFile("/sys/fs/cgroup", "cgroup.controllers")
+ data, err := ioutil.ReadFile("/sys/fs/cgroup/cgroup.controllers")
 if err != nil {
 return nil, err
 }
- subsystems := append(pseudo, strings.Fields(data)...)
+ subsystems := append(pseudo, strings.Fields(string(data))...)
 return subsystems, nil
 }
 f, err := os.Open("/proc/cgroups")
@@ -209,66 +207,20 @@ func EnterPid(cgroupPaths map[string]string, pid int) error {
 return nil
 }
 
-func rmdir(path string) error {
- err := unix.Rmdir(path)
- if err == nil || err == unix.ENOENT {
- return nil
- }
- return &os.PathError{Op: "rmdir", Path: path, Err: err}
-}
-
-// RemovePath aims to remove cgroup path. It does so recursively,
-// by removing any subdirectories (sub-cgroups) first.
-func RemovePath(path string) error {
- // try the fast path first
- if err := rmdir(path); err == nil {
- return nil
- }
-
- infos, err := ioutil.ReadDir(path)
- if err != nil {
- if os.IsNotExist(err) {
- err = nil
- }
- return err
- }
- for _, info := range infos {
- if info.IsDir() {
- // We should remove subcgroups dir first
- if err = RemovePath(filepath.Join(path, info.Name())); err != nil {
- break
- }
- }
- }
- if err == nil {
- err = rmdir(path)
- }
- return err
-}
-
 // RemovePaths iterates over the provided paths removing them.
 // We trying to remove all paths five times with increasing delay between tries.
 // If after all there are not removed cgroups - appropriate error will be
 // returned.
 func RemovePaths(paths map[string]string) (err error) {
- const retries = 5
 delay := 10 * time.Millisecond
- for i := 0; i < retries; i++ {
+ for i := 0; i < 5; i++ {
 if i != 0 {
 time.Sleep(delay)
 delay *= 2
 }
 for s, p := range paths {
- if err := RemovePath(p); err != nil {
- // do not log intermediate iterations
- switch i {
- case 0:
- logrus.WithError(err).Warnf("Failed to remove cgroup (will retry)")
- case retries - 1:
- logrus.WithError(err).Error("Failed to remove cgroup")
- }
-
- }
+ os.RemoveAll(p)
+ // TODO: here probably should be logging
 _, err := os.Stat(p)
 // We need this strange way of checking cgroups existence because
 // RemoveAll almost always returns error, even on already removed
@@ -278,8 +230,6 @@ func RemovePaths(paths map[string]string) (err error) {
 }
 }
 if len(paths) == 0 {
- //nolint:ineffassign,staticcheck // done to help garbage collecting: opencontainers/runc#2506
- paths = make(map[string]string)
 return nil
 }
 }
@@ -287,50 +237,27 @@ func RemovePaths(paths map[string]string) (err error) {
 }
 
 func GetHugePageSize() ([]string, error) {
- dir, err := os.OpenFile("/sys/kernel/mm/hugepages", unix.O_DIRECTORY|unix.O_RDONLY, 0)
+ files, err := ioutil.ReadDir("/sys/kernel/mm/hugepages")
 if err != nil {
- return nil, err
+ return []string{}, err
 }
- files, err := dir.Readdirnames(0)
- dir.Close()
- if err != nil {
- return nil, err
+ var fileNames []string
+ for _, st := range files {
+ fileNames = append(fileNames, st.Name())
 }
-
- return getHugePageSizeFromFilenames(files)
+ return getHugePageSizeFromFilenames(fileNames)
 }
 
 func getHugePageSizeFromFilenames(fileNames []string) ([]string, error) {
- pageSizes := make([]string, 0, len(fileNames))
-
- for _, file := range fileNames {
- // example: hugepages-1048576kB
- val := strings.TrimPrefix(file, "hugepages-")
- if len(val) == len(file) {
- // unexpected file name: no prefix found
- continue
- }
- // The suffix is always "kB" (as of Linux 5.9)
- eLen := len(val) - 2
- val = strings.TrimSuffix(val, "kB")
- if len(val) != eLen {
- logrus.Warnf("GetHugePageSize: %s: invalid filename suffix (expected \"kB\")", file)
- continue
- }
- size, err := strconv.Atoi(val)
+ var pageSizes []string
+ for _, fileName := range fileNames {
+ nameArray := strings.Split(fileName, "-")
+ pageSize, err := units.RAMInBytes(nameArray[1])
 if err != nil {
- return nil, err
+ return []string{}, err
 }
- // Model after https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/mm/hugetlb_cgroup.c?id=eff48ddeab782e35e58ccc8853f7386bbae9dec4#n574
- // but in our case the size is in KB already.
- if size >= (1 << 20) {
- val = strconv.Itoa(size>>20) + "GB"
- } else if size >= (1 << 10) {
- val = strconv.Itoa(size>>10) + "MB"
- } else {
- val += "KB"
- }
- pageSizes = append(pageSizes, val)
+ sizeString := units.CustomSize("%g%s", float64(pageSize), 1024.0, HugePageSizeUnitList)
+ pageSizes = append(pageSizes, sizeString)
 }
 return pageSizes, nil
@@ -376,14 +303,14 @@ func WriteCgroupProc(dir string, pid int) error {
 return nil
 }
 
- file, err := fscommon.OpenFile(dir, CgroupProcesses, os.O_WRONLY)
+ cgroupProcessesFile, err := os.OpenFile(filepath.Join(dir, CgroupProcesses), os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0700)
 if err != nil {
 return fmt.Errorf("failed to write %v to %v: %v", pid, CgroupProcesses, err)
 }
- defer file.Close()
+ defer cgroupProcessesFile.Close()
 
 for i := 0; i < 5; i++ {
- _, err = file.WriteString(strconv.Itoa(pid))
+ _, err = cgroupProcessesFile.WriteString(strconv.Itoa(pid))
 if err == nil {
 return nil
 }
diff --git a/common/vendor/github.com/opencontainers/runc/libcontainer/cgroups/v1_utils.go b/common/vendor/github.com/opencontainers/runc/libcontainer/cgroups/v1_utils.go
index 95ec9dff02..f8487b0a97 100644
--- a/common/vendor/github.com/opencontainers/runc/libcontainer/cgroups/v1_utils.go
+++ b/common/vendor/github.com/opencontainers/runc/libcontainer/cgroups/v1_utils.go
@@ -1,17 +1,13 @@
 package cgroups
 
 import (
+ "bufio"
 "errors"
 "fmt"
+ "io"
 "os"
 "path/filepath"
 "strings"
- "sync"
- "syscall"
-
- securejoin "github.com/cyphar/filepath-securejoin"
- "github.com/moby/sys/mountinfo"
- "golang.org/x/sys/unix"
 )
 
 // Code in this source file are specific to cgroup v1,
@@ -19,16 +15,10 @@ import (
 
 const (
 CgroupNamePrefix = "name="
- defaultPrefix = "/sys/fs/cgroup"
 )
 
 var (
- errUnified = errors.New("not implemented for cgroup v2 unified hierarchy")
- ErrV1NoUnified = errors.New("invalid configuration: cannot use unified on cgroup v1")
-
- readMountinfoOnce sync.Once
- readMountinfoErr error
- cgroupMountinfo []*mountinfo.Info
+ errUnified = errors.New("not implemented for cgroup v2 unified hierarchy")
 )
 
 type NotFoundError struct {
@@ -53,74 +43,11 @@ func IsNotFound(err error) bool {
 return ok
 }
 
-func tryDefaultPath(cgroupPath, subsystem string) string {
- if !strings.HasPrefix(defaultPrefix, cgroupPath) {
- return ""
- }
-
- // remove possible prefix
- subsystem = strings.TrimPrefix(subsystem, CgroupNamePrefix)
-
- // Make sure we're still under defaultPrefix, and resolve
- // a possible symlink (like cpu -> cpu,cpuacct).
- path, err := securejoin.SecureJoin(defaultPrefix, subsystem)
- if err != nil {
- return ""
- }
-
- // (1) path should be a directory.
- st, err := os.Lstat(path)
- if err != nil || !st.IsDir() {
- return ""
- }
-
- // (2) path should be a mount point.
- pst, err := os.Lstat(filepath.Dir(path))
- if err != nil {
- return ""
- }
-
- if st.Sys().(*syscall.Stat_t).Dev == pst.Sys().(*syscall.Stat_t).Dev {
- // parent dir has the same dev -- path is not a mount point
- return ""
- }
-
- // (3) path should have 'cgroup' fs type.
- fst := unix.Statfs_t{}
- err = unix.Statfs(path, &fst)
- if err != nil || fst.Type != unix.CGROUP_SUPER_MAGIC {
- return ""
- }
-
- return path
-}
-
-// readCgroupMountinfo returns a list of cgroup v1 mounts (i.e. the ones
-// with fstype of "cgroup") for the current running process.
-//
-// The results are cached (to avoid re-reading mountinfo which is relatively
-// expensive), so it is assumed that cgroup mounts are not being changed.
-func readCgroupMountinfo() ([]*mountinfo.Info, error) {
- readMountinfoOnce.Do(func() {
- cgroupMountinfo, readMountinfoErr = mountinfo.GetMounts(
- mountinfo.FSTypeFilter("cgroup"),
- )
- })
-
- return cgroupMountinfo, readMountinfoErr
-}
-
 // https://www.kernel.org/doc/Documentation/cgroup-v1/cgroups.txt
 func FindCgroupMountpoint(cgroupPath, subsystem string) (string, error) {
 if IsCgroup2UnifiedMode() {
 return "", errUnified
 }
-
- // Avoid parsing mountinfo by trying the default path first, if possible.
- if path := tryDefaultPath(cgroupPath, subsystem); path != "" {
- return path, nil
- }
 mnt, _, err := FindCgroupMountpointAndRoot(cgroupPath, subsystem)
 return mnt, err
 }
@@ -130,28 +57,58 @@ func FindCgroupMountpointAndRoot(cgroupPath, subsystem string) (string, string,
 return "", "", errUnified
 }
 
- mi, err := readCgroupMountinfo()
+ // We are not using mount.GetMounts() because it's super-inefficient,
+ // parsing it directly sped up x10 times because of not using Sscanf.
+ // It was one of two major performance drawbacks in container start.
+ if !isSubsystemAvailable(subsystem) {
+ return "", "", NewNotFoundError(subsystem)
+ }
+
+ f, err := os.Open("/proc/self/mountinfo")
 if err != nil {
 return "", "", err
 }
+ defer f.Close()
 
- return findCgroupMountpointAndRootFromMI(mi, cgroupPath, subsystem)
+ return findCgroupMountpointAndRootFromReader(f, cgroupPath, subsystem)
 }
 
-func findCgroupMountpointAndRootFromMI(mounts []*mountinfo.Info, cgroupPath, subsystem string) (string, string, error) {
- for _, mi := range mounts {
- if strings.HasPrefix(mi.Mountpoint, cgroupPath) {
- for _, opt := range strings.Split(mi.VFSOptions, ",") {
+func findCgroupMountpointAndRootFromReader(reader io.Reader, cgroupPath, subsystem string) (string, string, error) {
+ scanner := bufio.NewScanner(reader)
+ for scanner.Scan() {
+ txt := scanner.Text()
+ fields := strings.Fields(txt)
+ if len(fields) < 9 {
+ continue
+ }
+ if strings.HasPrefix(fields[4], cgroupPath) {
+ for _, opt := range strings.Split(fields[len(fields)-1], ",") {
 if opt == subsystem {
- return mi.Mountpoint, mi.Root, nil
+ return fields[4], fields[3], nil
 }
 }
 }
 }
+ if err := scanner.Err(); err != nil {
+ return "", "", err
+ }
 return "", "", NewNotFoundError(subsystem)
 }
 
+func isSubsystemAvailable(subsystem string) bool {
+ if IsCgroup2UnifiedMode() {
+ panic("don't call isSubsystemAvailable from cgroupv2 code")
+ }
+
+ cgroups, err := ParseCgroupFile("/proc/self/cgroup")
+ if err != nil {
+ return false
+ }
+ _, avail := cgroups[subsystem]
+ return avail
+}
+
 func (m Mount) GetOwnCgroup(cgroups map[string]string) (string, error) {
 if len(m.Subsystems) == 0 {
 return "", fmt.Errorf("no 
subsystem for mount")
@@ -160,15 +117,25 @@ func (m Mount) GetOwnCgroup(cgroups map[string]string) (string, error) {
 return getControllerPath(m.Subsystems[0], cgroups)
 }
 
-func getCgroupMountsHelper(ss map[string]bool, mounts []*mountinfo.Info, all bool) ([]Mount, error) {
+func getCgroupMountsHelper(ss map[string]bool, mi io.Reader, all bool) ([]Mount, error) {
 res := make([]Mount, 0, len(ss))
+ scanner := bufio.NewScanner(mi)
 numFound := 0
- for _, mi := range mounts {
- m := Mount{
- Mountpoint: mi.Mountpoint,
- Root: mi.Root,
+ for scanner.Scan() && numFound < len(ss) {
+ txt := scanner.Text()
+ sepIdx := strings.Index(txt, " - ")
+ if sepIdx == -1 {
+ return nil, fmt.Errorf("invalid mountinfo format")
 }
- for _, opt := range strings.Split(mi.VFSOptions, ",") {
+ if txt[sepIdx+3:sepIdx+10] == "cgroup2" || txt[sepIdx+3:sepIdx+9] != "cgroup" {
+ continue
+ }
+ fields := strings.Split(txt, " ")
+ m := Mount{
+ Mountpoint: fields[4],
+ Root: fields[3],
+ }
+ for _, opt := range strings.Split(fields[len(fields)-1], ",") {
 seen, known := ss[opt]
 if !known || (!all && seen) {
 continue
@@ -181,18 +148,19 @@ func getCgroupMountsHelper(ss map[string]bool, mounts []*mountinfo.Info, all boo
 if len(m.Subsystems) > 0 || all {
 res = append(res, m)
 }
- if !all && numFound >= len(ss) {
- break
- }
+ }
+ if err := scanner.Err(); err != nil {
+ return nil, err
 }
 return res, nil
 }
 
 func getCgroupMountsV1(all bool) ([]Mount, error) {
- mi, err := readCgroupMountinfo()
+ f, err := os.Open("/proc/self/mountinfo")
 if err != nil {
 return nil, err
 }
+ defer f.Close()
 
 allSubsystems, err := ParseCgroupFile("/proc/self/cgroup")
 if err != nil {
@@ -203,8 +171,7 @@ func getCgroupMountsV1(all bool) ([]Mount, error) {
 for s := range allSubsystems {
 allMap[s] = false
 }
-
- return getCgroupMountsHelper(allMap, mi, all)
+ return getCgroupMountsHelper(allMap, f, all)
 }
 
 // GetOwnCgroup returns the relative path to the cgroup docker is running in.
diff --git a/common/vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_linux.go b/common/vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_linux.go
index aada5d62f1..f1a5bd11f5 100644
--- a/common/vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_linux.go
+++ b/common/vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_linux.go
@@ -2,7 +2,6 @@ package configs
 
 import (
 systemdDbus "github.com/coreos/go-systemd/v22/dbus"
- "github.com/opencontainers/runc/libcontainer/devices"
 )
 
 type FreezerState string
@@ -43,7 +42,7 @@ type Cgroup struct {
 
 type Resources struct {
 // Devices is the set of access rules for devices in the container.
- Devices []*devices.Rule `json:"devices"`
+ Devices []*DeviceRule `json:"devices"`
 
 // Memory limit (in bytes)
 Memory int64 `json:"memory"`
@@ -127,14 +126,4 @@ type Resources struct {
 
 // CpuWeight sets a proportional bandwidth limit.
 CpuWeight uint64 `json:"cpu_weight"`
-
- // Unified is cgroupv2-only key-value map.
- Unified map[string]string `json:"unified"`
-
- // SkipDevices allows to skip configuring device permissions.
- // Used by e.g. kubelet while creating a parent cgroup (kubepods)
- // common for many containers.
- //
- // NOTE it is impossible to start a container which has this flag set.
- SkipDevices bool `json:"skip_devices"`
 }
diff --git a/common/vendor/github.com/opencontainers/runc/libcontainer/configs/config.go b/common/vendor/github.com/opencontainers/runc/libcontainer/configs/config.go
index e1cd162656..ac523b4176 100644
--- a/common/vendor/github.com/opencontainers/runc/libcontainer/configs/config.go
+++ b/common/vendor/github.com/opencontainers/runc/libcontainer/configs/config.go
@@ -7,7 +7,6 @@ import (
 "os/exec"
 "time"
 
- "github.com/opencontainers/runc/libcontainer/devices"
 "github.com/opencontainers/runtime-spec/specs-go"
 "github.com/pkg/errors"
 "github.com/sirupsen/logrus"
@@ -93,9 +92,6 @@ type Config struct {
 // Path to a directory containing the container's root filesystem.
 Rootfs string `json:"rootfs"`
 
- // Umask is the umask to use inside of the container.
- Umask *uint32 `json:"umask"`
-
 // Readonlyfs will remount the container's rootfs as readonly where only externally mounted
 // bind mounts are writtable.
 Readonlyfs bool `json:"readonlyfs"`
@@ -108,7 +104,7 @@ type Config struct {
 Mounts []*Mount `json:"mounts"`
 
 // The device nodes that should be automatically created within the container upon container start. Note, make sure that the node is marked as allowed in the cgroup as well!
- Devices []*devices.Device `json:"devices"`
+ Devices []*Device `json:"devices"`
 
 MountLabel string `json:"mount_label"`
 
@@ -243,6 +239,15 @@ const (
 Poststop = "poststop"
 )
 
+// TODO move this to runtime-spec
+// See: https://github.com/opencontainers/runtime-spec/pull/1046
+const (
+ Creating = "creating"
+ Created = "created"
+ Running = "running"
+ Stopped = "stopped"
+)
+
 type Capabilities struct {
 // Bounding is the set of capabilities checked by the kernel.
 Bounding []string
diff --git a/common/vendor/github.com/opencontainers/runc/libcontainer/devices/device.go b/common/vendor/github.com/opencontainers/runc/libcontainer/configs/device.go
similarity index 58%
rename from common/vendor/github.com/opencontainers/runc/libcontainer/devices/device.go
rename to common/vendor/github.com/opencontainers/runc/libcontainer/configs/device.go
index 3eb73cc7c7..24c5bbfa6a 100644
--- a/common/vendor/github.com/opencontainers/runc/libcontainer/devices/device.go
+++ b/common/vendor/github.com/opencontainers/runc/libcontainer/configs/device.go
@@ -1,17 +1,22 @@
-package devices
+package configs
 
 import (
+ "errors"
 "fmt"
 "os"
 "strconv"
+
+ "golang.org/x/sys/unix"
 )
 
 const (
 Wildcard = -1
 )
 
+// TODO Windows: This can be factored out in the future
+
 type Device struct {
- Rule
+ DeviceRule
 
 // Path to the device.
 Path string `json:"path"`
@@ -26,10 +31,10 @@ type Device struct {
 Gid uint32 `json:"gid"`
 }
 
-// Permissions is a cgroupv1-style string to represent device access. It
+// DevicePermissions is a cgroupv1-style string to represent device access. It
 // has to be a string for backward compatibility reasons, hence why it has
 // methods to do set operations.
-type Permissions string
+type DevicePermissions string
 
 const (
 deviceRead uint = (1 << iota)
@@ -37,7 +42,7 @@ const (
 deviceMknod
 )
 
-func (p Permissions) toSet() uint {
+func (p DevicePermissions) toSet() uint {
 var set uint
 for _, perm := range p {
 switch perm {
@@ -52,7 +57,7 @@ func (p Permissions) toSet() uint {
 return set
 }
 
-func fromSet(set uint) Permissions {
+func fromSet(set uint) DevicePermissions {
 var perm string
 if set&deviceRead == deviceRead {
 perm += "r"
@@ -63,53 +68,53 @@ func fromSet(set uint) Permissions {
 if set&deviceMknod == deviceMknod {
 perm += "m"
 }
- return Permissions(perm)
+ return DevicePermissions(perm)
 }
 
-// Union returns the union of the two sets of Permissions.
-func (p Permissions) Union(o Permissions) Permissions {
+// Union returns the union of the two sets of DevicePermissions.
+func (p DevicePermissions) Union(o DevicePermissions) DevicePermissions {
 lhs := p.toSet()
 rhs := o.toSet()
 return fromSet(lhs | rhs)
 }
 
-// Difference returns the set difference of the two sets of Permissions.
+// Difference returns the set difference of the two sets of DevicePermissions.
 // In set notation, A.Difference(B) gives you A\B.
-func (p Permissions) Difference(o Permissions) Permissions {
+func (p DevicePermissions) Difference(o DevicePermissions) DevicePermissions {
 lhs := p.toSet()
 rhs := o.toSet()
 return fromSet(lhs &^ rhs)
 }
 
-// Intersection computes the intersection of the two sets of Permissions.
-func (p Permissions) Intersection(o Permissions) Permissions {
+// Intersection computes the intersection of the two sets of DevicePermissions.
+func (p DevicePermissions) Intersection(o DevicePermissions) DevicePermissions {
 lhs := p.toSet()
 rhs := o.toSet()
 return fromSet(lhs & rhs)
 }
 
-// IsEmpty returns whether the set of permissions in a Permissions is
+// IsEmpty returns whether the set of permissions in a DevicePermissions is
 // empty.
-func (p Permissions) IsEmpty() bool {
- return p == Permissions("")
+func (p DevicePermissions) IsEmpty() bool {
+ return p == DevicePermissions("")
 }
 
 // IsValid returns whether the set of permissions is a subset of valid
 // permissions (namely, {r,w,m}).
-func (p Permissions) IsValid() bool {
+func (p DevicePermissions) IsValid() bool {
 return p == fromSet(p.toSet())
 }
 
-type Type rune
+type DeviceType rune
 
 const (
- WildcardDevice Type = 'a'
- BlockDevice Type = 'b'
- CharDevice Type = 'c' // or 'u'
- FifoDevice Type = 'p'
+ WildcardDevice DeviceType = 'a'
+ BlockDevice DeviceType = 'b'
+ CharDevice DeviceType = 'c' // or 'u'
+ FifoDevice DeviceType = 'p'
 )
 
-func (t Type) IsValid() bool {
+func (t DeviceType) IsValid() bool {
 switch t {
 case WildcardDevice, BlockDevice, CharDevice, FifoDevice:
 return true
@@ -118,7 +123,7 @@ func (t Type) IsValid() bool {
 }
 }
 
-func (t Type) CanMknod() bool {
+func (t DeviceType) CanMknod() bool {
 switch t {
 case BlockDevice, CharDevice, FifoDevice:
 return true
@@ -127,7 +132,7 @@ func (t Type) CanMknod() bool {
 }
 }
 
-func (t Type) CanCgroup() bool {
+func (t DeviceType) CanCgroup() bool {
 switch t {
 case WildcardDevice, BlockDevice, CharDevice:
 return true
@@ -136,10 +141,10 @@ func (t Type) CanCgroup() bool {
 }
 }
 
-type Rule struct {
+type DeviceRule struct {
 // Type of device ('c' for char, 'b' for block). If set to 'a', this rule
 // acts as a wildcard and all fields other than Allow are ignored.
- Type Type `json:"type"`
+ Type DeviceType `json:"type"`
 
 // Major is the device's major number.
 Major int64 `json:"major"`
@@ -149,13 +154,13 @@ type Rule struct {
 
 // Permissions is the set of permissions that this rule applies to (in the
 // cgroupv1 format -- any combination of "rwm").
- Permissions Permissions `json:"permissions"`
+ Permissions DevicePermissions `json:"permissions"`
 
 // Allow specifies whether this rule is allowed.
 Allow bool `json:"allow"`
 }
 
-func (d *Rule) CgroupString() string {
+func (d *DeviceRule) CgroupString() string {
 var (
 major = strconv.FormatInt(d.Major, 10)
 minor = strconv.FormatInt(d.Minor, 10)
@@ -168,3 +173,10 @@ func (d *Rule) CgroupString() string {
 	}
 	return fmt.Sprintf("%c %s:%s %s", d.Type, major, minor, d.Permissions)
 }
+
+func (d *DeviceRule) Mkdev() (uint64, error) {
+	if d.Major == Wildcard || d.Minor == Wildcard {
+		return 0, errors.New("cannot mkdev() device with wildcards")
+	}
+	return unix.Mkdev(uint32(d.Major), uint32(d.Minor)), nil
+}
diff --git a/common/vendor/github.com/opencontainers/runc/libcontainer/configs/devices.go b/common/vendor/github.com/opencontainers/runc/libcontainer/configs/devices.go
deleted file mode 100644
index b9e3664cea..0000000000
--- a/common/vendor/github.com/opencontainers/runc/libcontainer/configs/devices.go
+++ /dev/null
@@ -1,17 +0,0 @@
-package configs
-
-import "github.com/opencontainers/runc/libcontainer/devices"
-
-type (
-	// Deprecated: use libcontainer/devices.Device
-	Device = devices.Device
-
-	// Deprecated: use libcontainer/devices.Rule
-	DeviceRule = devices.Rule
-
-	// Deprecated: use libcontainer/devices.Type
-	DeviceType = devices.Type
-
-	// Deprecated: use libcontainer/devices.Permissions
-	DevicePermissions = devices.Permissions
-)
diff --git a/common/vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces_linux.go b/common/vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces_linux.go
index d52d6fcd14..1bbaef9bd9 100644
--- a/common/vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces_linux.go
+++ b/common/vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces_linux.go
@@ -56,7 +56,7 @@ func IsNamespaceSupported(ns NamespaceType) bool {
 	if nsFile == "" {
 		return false
 	}
-	_, err := os.Stat("/proc/self/ns/" + nsFile)
+	_, err := os.Stat(fmt.Sprintf("/proc/self/ns/%s", nsFile))
 	// a namespace is supported if it exists and we have permissions to read it
 	supported = err == nil
 	supportedNamespaces[ns] = supported
diff --git a/common/vendor/github.com/opencontainers/runc/libcontainer/devices/device_unix.go b/common/vendor/github.com/opencontainers/runc/libcontainer/devices/device_unix.go
deleted file mode 100644
index a400341e44..0000000000
--- a/common/vendor/github.com/opencontainers/runc/libcontainer/devices/device_unix.go
+++ /dev/null
@@ -1,16 +0,0 @@
-// +build !windows
-
-package devices
-
-import (
-	"errors"
-
-	"golang.org/x/sys/unix"
-)
-
-func (d *Rule) Mkdev() (uint64, error) {
-	if d.Major == Wildcard || d.Minor == Wildcard {
-		return 0, errors.New("cannot mkdev() device with wildcards")
-	}
-	return unix.Mkdev(uint32(d.Major), uint32(d.Minor)), nil
-}
diff --git a/common/vendor/github.com/opencontainers/runc/libcontainer/devices/device_windows.go b/common/vendor/github.com/opencontainers/runc/libcontainer/devices/device_windows.go
deleted file mode 100644
index 8511bf00e0..0000000000
--- a/common/vendor/github.com/opencontainers/runc/libcontainer/devices/device_windows.go
+++ /dev/null
@@ -1,5 +0,0 @@
-package devices
-
-func (d *Rule) Mkdev() (uint64, error) {
-	return 0, nil
-}
diff --git a/common/vendor/github.com/opencontainers/runc/libcontainer/devices/devices.go b/common/vendor/github.com/opencontainers/runc/libcontainer/devices/devices.go
index 5011f373d2..702f913ec9 100644
--- a/common/vendor/github.com/opencontainers/runc/libcontainer/devices/devices.go
+++ b/common/vendor/github.com/opencontainers/runc/libcontainer/devices/devices.go
@@ -6,6 +6,7 @@ import (
 	"os"
 	"path/filepath"
 
+	"github.com/opencontainers/runc/libcontainer/configs"
 	"golang.org/x/sys/unix"
 )
 
@@ -22,7 +23,7 @@ var (
 
 // Given the path to a device and its cgroup_permissions(which cannot be easily queried) look up the
 // information about a linux device and return that information as a Device struct.
-func DeviceFromPath(path, permissions string) (*Device, error) {
+func DeviceFromPath(path, permissions string) (*configs.Device, error) {
 	var stat unix.Stat_t
 	err := unixLstat(path, &stat)
 	if err != nil {
@@ -30,28 +31,28 @@ func DeviceFromPath(path, permissions string) (*Device, error) {
 	}
 
 	var (
-		devType Type
+		devType configs.DeviceType
 		mode = stat.Mode
 		devNumber = uint64(stat.Rdev)
 		major = unix.Major(devNumber)
 		minor = unix.Minor(devNumber)
 	)
-	switch mode & unix.S_IFMT {
-	case unix.S_IFBLK:
-		devType = BlockDevice
-	case unix.S_IFCHR:
-		devType = CharDevice
-	case unix.S_IFIFO:
-		devType = FifoDevice
+	switch {
+	case mode&unix.S_IFBLK == unix.S_IFBLK:
+		devType = configs.BlockDevice
+	case mode&unix.S_IFCHR == unix.S_IFCHR:
+		devType = configs.CharDevice
+	case mode&unix.S_IFIFO == unix.S_IFIFO:
+		devType = configs.FifoDevice
 	default:
 		return nil, ErrNotADevice
 	}
-	return &Device{
-		Rule: Rule{
+	return &configs.Device{
+		DeviceRule: configs.DeviceRule{
 			Type: devType,
 			Major: int64(major),
 			Minor: int64(minor),
-			Permissions: Permissions(permissions),
+			Permissions: configs.DevicePermissions(permissions),
 		},
 		Path: path,
 		FileMode: os.FileMode(mode),
@@ -61,18 +62,18 @@ func DeviceFromPath(path, permissions string) (*Device, error) {
 }
 
 // HostDevices returns all devices that can be found under /dev directory.
-func HostDevices() ([]*Device, error) {
+func HostDevices() ([]*configs.Device, error) {
 	return GetDevices("/dev")
 }
 
 // GetDevices recursively traverses a directory specified by path
 // and returns all devices found there.
-func GetDevices(path string) ([]*Device, error) {
+func GetDevices(path string) ([]*configs.Device, error) {
 	files, err := ioutilReadDir(path)
 	if err != nil {
 		return nil, err
 	}
-	var out []*Device
+	var out []*configs.Device
 	for _, f := range files {
 		switch {
 		case f.IsDir():
@@ -103,9 +104,6 @@ func GetDevices(path string) ([]*Device, error) {
 			}
 			return nil, err
 		}
-		if device.Type == FifoDevice {
-			continue
-		}
 		out = append(out, device)
 	}
 	return out, nil
diff --git a/common/vendor/github.com/opencontainers/runc/libcontainer/system/proc.go b/common/vendor/github.com/opencontainers/runc/libcontainer/system/proc.go
index b73cf70b43..79232a4371 100644
--- a/common/vendor/github.com/opencontainers/runc/libcontainer/system/proc.go
+++ b/common/vendor/github.com/opencontainers/runc/libcontainer/system/proc.go
@@ -71,6 +71,16 @@ func Stat(pid int) (stat Stat_t, err error) {
 	return parseStat(string(bytes))
 }
 
+// GetProcessStartTime is deprecated. Use Stat(pid) and
+// Stat_t.StartTime instead.
+func GetProcessStartTime(pid int) (string, error) {
+	stat, err := Stat(pid)
+	if err != nil {
+		return "", err
+	}
+	return fmt.Sprintf("%d", stat.StartTime), nil
+}
+
 func parseStat(data string) (stat Stat_t, err error) {
 	// From proc(5), field 2 could contain space and is inside `(` and `)`.
 	// The following is an example:
diff --git a/common/vendor/github.com/opencontainers/runc/libcontainer/user/lookup_windows.go b/common/vendor/github.com/opencontainers/runc/libcontainer/user/lookup_windows.go
index f19333e61e..65cd40e928 100644
--- a/common/vendor/github.com/opencontainers/runc/libcontainer/user/lookup_windows.go
+++ b/common/vendor/github.com/opencontainers/runc/libcontainer/user/lookup_windows.go
@@ -3,8 +3,8 @@ package user
 import (
+	"fmt"
 	"os/user"
-	"strconv"
 )
 
 func lookupUser(username string) (User, error) {
@@ -16,7 +16,7 @@ func lookupUser(username string) (User, error) {
 }
 
 func lookupUid(uid int) (User, error) {
-	u, err := user.LookupId(strconv.Itoa(uid))
+	u, err := user.LookupId(fmt.Sprintf("%d", uid))
 	if err != nil {
 		return User{}, err
 	}
@@ -32,7 +32,7 @@ func lookupGroup(groupname string) (Group, error) {
 }
 
 func lookupGid(gid int) (Group, error) {
-	g, err := user.LookupGroupId(strconv.Itoa(gid))
+	g, err := user.LookupGroupId(fmt.Sprintf("%d", gid))
 	if err != nil {
 		return Group{}, err
 	}
diff --git a/common/vendor/github.com/opencontainers/runc/libcontainer/user/user.go b/common/vendor/github.com/opencontainers/runc/libcontainer/user/user.go
index a533bf5e66..de30982ba2 100644
--- a/common/vendor/github.com/opencontainers/runc/libcontainer/user/user.go
+++ b/common/vendor/github.com/opencontainers/runc/libcontainer/user/user.go
@@ -60,7 +60,7 @@ type Group struct {
 
 // groupFromOS converts an os/user.(*Group) to local Group
 //
-// (This does not include Pass or List)
+// (This does not include Pass, Shell or Gecos)
 func groupFromOS(g *user.Group) (Group, error) {
 	newGroup := Group{
 		Name: g.Name,
@@ -466,7 +466,7 @@ func GetAdditionalGroups(additionalGroups []string, group io.Reader) ([]int, err
 		// we asked for a group but didn't find it. let's check to see
 		// if we wanted a numeric group
 		if !found {
-			gid, err := strconv.ParseInt(ag, 10, 64)
+			gid, err := strconv.Atoi(ag)
 			if err != nil {
 				return nil, fmt.Errorf("Unable to find group %s", ag)
 			}
@@ -474,7 +474,7 @@ func GetAdditionalGroups(additionalGroups []string, group io.Reader) ([]int, err
 			if gid < minId || gid > maxId {
 				return nil, ErrRange
 			}
-			gidMap[int(gid)] = struct{}{}
+			gidMap[gid] = struct{}{}
 		}
 	}
 	gids := []int{}
diff --git a/common/vendor/github.com/opencontainers/runc/libcontainer/utils/utils.go b/common/vendor/github.com/opencontainers/runc/libcontainer/utils/utils.go
index 1b72b7a1c1..40ccfaa1a0 100644
--- a/common/vendor/github.com/opencontainers/runc/libcontainer/utils/utils.go
+++ b/common/vendor/github.com/opencontainers/runc/libcontainer/utils/utils.go
@@ -1,7 +1,6 @@
 package utils
 
 import (
-	"encoding/binary"
 	"encoding/json"
 	"io"
 	"os"
@@ -16,20 +15,6 @@ const (
 	exitSignalOffset = 128
 )
 
-// NativeEndian is the native byte order of the host system.
-var NativeEndian binary.ByteOrder
-
-func init() {
-	// Copied from .
-	i := uint32(1)
-	b := (*[4]byte)(unsafe.Pointer(&i))
-	if b[0] == 1 {
-		NativeEndian = binary.LittleEndian
-	} else {
-		NativeEndian = binary.BigEndian
-	}
-}
-
 // ResolveRootfs ensures that the current working directory is
 // not a symlink and returns the absolute path to the rootfs
 func ResolveRootfs(uncleanRootfs string) (string, error) {
@@ -121,3 +106,7 @@ func Annotations(labels []string) (bundle string, userAnnotations map[string]str
 	}
 	return
 }
+
+func GetIntSize() int {
+	return int(unsafe.Sizeof(1))
+}
diff --git a/common/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go b/common/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
index 5fceeb6353..08af677985 100644
--- a/common/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
+++ b/common/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
@@ -60,7 +60,7 @@ type Process struct {
 	SelinuxLabel string `json:"selinuxLabel,omitempty" platform:"linux"`
 }
 
-// LinuxCapabilities specifies the list of allowed capabilities that are kept for a process.
+// LinuxCapabilities specifies the whitelist of capabilities that are kept for a process.
 // http://man7.org/linux/man-pages/man7/capabilities.7.html
 type LinuxCapabilities struct {
 	// Bounding is the set of capabilities checked by the kernel.
@@ -90,7 +90,7 @@ type User struct {
 	// GID is the group id.
 	GID uint32 `json:"gid" platform:"linux,solaris"`
 	// Umask is the umask for the init process.
-	Umask *uint32 `json:"umask,omitempty" platform:"linux,solaris"`
+	Umask uint32 `json:"umask,omitempty" platform:"linux,solaris"`
 	// AdditionalGids are additional group ids set for the container's process.
 	AdditionalGids []uint32 `json:"additionalGids,omitempty" platform:"linux,solaris"`
 	// Username is the user name.
@@ -354,7 +354,7 @@ type LinuxRdma struct {
 
 // LinuxResources has container runtime resource constraints
 type LinuxResources struct {
-	// Devices configures the device allowlist.
+	// Devices configures the device whitelist.
 	Devices []LinuxDeviceCgroup `json:"devices,omitempty"`
 	// Memory restriction configuration
 	Memory *LinuxMemory `json:"memory,omitempty"`
@@ -372,8 +372,6 @@ type LinuxResources struct {
 	// Limits are a set of key value pairs that define RDMA resource limits,
 	// where the key is device name and value is resource limits.
 	Rdma map[string]LinuxRdma `json:"rdma,omitempty"`
-	// Unified resources.
-	Unified map[string]string `json:"unified,omitempty"`
 }
 
 // LinuxDevice represents the mknod information for a Linux special device file
@@ -394,8 +392,7 @@ type LinuxDevice struct {
 	GID *uint32 `json:"gid,omitempty"`
 }
 
-// LinuxDeviceCgroup represents a device rule for the devices specified to
-// the device controller
+// LinuxDeviceCgroup represents a device rule for the whitelist controller
 type LinuxDeviceCgroup struct {
 	// Allow or deny
 	Allow bool `json:"allow"`
@@ -631,7 +628,6 @@ const (
 	ArchS390X Arch = "SCMP_ARCH_S390X"
 	ArchPARISC Arch = "SCMP_ARCH_PARISC"
 	ArchPARISC64 Arch = "SCMP_ARCH_PARISC64"
-	ArchRISCV64 Arch = "SCMP_ARCH_RISCV64"
 )
 
 // LinuxSeccompAction taken upon Seccomp rule match
diff --git a/common/vendor/github.com/opencontainers/runtime-spec/specs-go/state.go b/common/vendor/github.com/opencontainers/runtime-spec/specs-go/state.go
index e2e64c6631..765300f4dc 100644
--- a/common/vendor/github.com/opencontainers/runtime-spec/specs-go/state.go
+++ b/common/vendor/github.com/opencontainers/runtime-spec/specs-go/state.go
@@ -25,7 +25,7 @@ type State struct {
 	// ID is the container ID
 	ID string `json:"id"`
 	// Status is the runtime status of the container.
-	Status ContainerState `json:"status"`
+	Status string `json:"status"`
 	// Pid is the process ID for the container process.
 	Pid int `json:"pid,omitempty"`
 	// Bundle is the path to the container's bundle directory.
diff --git a/common/vendor/github.com/syndtr/gocapability/capability/enum.go b/common/vendor/github.com/syndtr/gocapability/capability/enum.go
index ad10785314..693817317b 100644
--- a/common/vendor/github.com/syndtr/gocapability/capability/enum.go
+++ b/common/vendor/github.com/syndtr/gocapability/capability/enum.go
@@ -41,9 +41,7 @@ const (
 //go:generate go run enumgen/gen.go
 type Cap int
 
-// POSIX-draft defined capabilities and Linux extensions.
-//
-// Defined in https://github.com/torvalds/linux/blob/master/include/uapi/linux/capability.h
+// POSIX-draft defined capabilities.
 const (
 	// In a system with the [_POSIX_CHOWN_RESTRICTED] option defined, this
 	// overrides the restriction of changing file ownership and group
@@ -189,7 +187,6 @@ const (
 	// arbitrary SCSI commands
 	// Allow setting encryption key on loopback filesystem
 	// Allow setting zone reclaim policy
-	// Allow everything under CAP_BPF and CAP_PERFMON for backward compatibility
 	CAP_SYS_ADMIN = Cap(21)
 
 	// Allow use of reboot()
@@ -214,7 +211,6 @@ const (
 	// Allow more than 64hz interrupts from the real-time clock
 	// Override max number of consoles on console allocation
 	// Override max number of keymaps
-	// Control memory reclaim behavior
 	CAP_SYS_RESOURCE = Cap(24)
 
 	// Allow manipulation of system clock
@@ -260,45 +256,8 @@ const (
 	// Allow preventing system suspends
 	CAP_BLOCK_SUSPEND = Cap(36)
 
-	// Allow reading the audit log via multicast netlink socket
+	// Allow reading audit messages from the kernel
 	CAP_AUDIT_READ = Cap(37)
-
-	// Allow system performance and observability privileged operations
-	// using perf_events, i915_perf and other kernel subsystems
-	CAP_PERFMON = Cap(38)
-
-	// CAP_BPF allows the following BPF operations:
-	// - Creating all types of BPF maps
-	// - Advanced verifier features
-	// - Indirect variable access
-	// - Bounded loops
-	// - BPF to BPF function calls
-	// - Scalar precision tracking
-	// - Larger complexity limits
-	// - Dead code elimination
-	// - And potentially other features
-	// - Loading BPF Type Format (BTF) data
-	// - Retrieve xlated and JITed code of BPF programs
-	// - Use bpf_spin_lock() helper
-	//
-	// CAP_PERFMON relaxes the verifier checks further:
-	// - BPF progs can use of pointer-to-integer conversions
-	// - speculation attack hardening measures are bypassed
-	// - bpf_probe_read to read arbitrary kernel memory is allowed
-	// - bpf_trace_printk to print kernel memory is allowed
-	//
-	// CAP_SYS_ADMIN is required to use bpf_probe_write_user.
-	//
-	// CAP_SYS_ADMIN is required to iterate system wide loaded
-	// programs, maps, links, BTFs and convert their IDs to file descriptors.
-	//
-	// CAP_PERFMON and CAP_BPF are required to load tracing programs.
-	// CAP_NET_ADMIN and CAP_BPF are required to load networking programs.
-	CAP_BPF = Cap(39)
-
-	// Allow checkpoint/restore related operations.
-	// Introduced in kernel 5.9
-	CAP_CHECKPOINT_RESTORE = Cap(40)
 )
 
 var (
diff --git a/common/vendor/github.com/syndtr/gocapability/capability/enum_gen.go b/common/vendor/github.com/syndtr/gocapability/capability/enum_gen.go
index 2ff9bf4d88..b9e6d2d5e1 100644
--- a/common/vendor/github.com/syndtr/gocapability/capability/enum_gen.go
+++ b/common/vendor/github.com/syndtr/gocapability/capability/enum_gen.go
@@ -80,12 +80,6 @@ func (c Cap) String() string {
 		return "block_suspend"
 	case CAP_AUDIT_READ:
 		return "audit_read"
-	case CAP_PERFMON:
-		return "perfmon"
-	case CAP_BPF:
-		return "bpf"
-	case CAP_CHECKPOINT_RESTORE:
-		return "checkpoint_restore"
 	}
 	return "unknown"
 }
@@ -131,8 +125,5 @@ func List() []Cap {
 		CAP_WAKE_ALARM,
 		CAP_BLOCK_SUSPEND,
 		CAP_AUDIT_READ,
-		CAP_PERFMON,
-		CAP_BPF,
-		CAP_CHECKPOINT_RESTORE,
 	}
 }
diff --git a/common/vendor/modules.txt b/common/vendor/modules.txt
index 49f23c3e24..7d4759e9d6 100644
--- a/common/vendor/modules.txt
+++ b/common/vendor/modules.txt
@@ -105,10 +105,8 @@ github.com/containers/storage/pkg/system
 github.com/containers/storage/pkg/tarlog
 github.com/containers/storage/pkg/truncindex
 github.com/containers/storage/pkg/unshare
-# github.com/coreos/go-systemd/v22 v22.1.0
+# github.com/coreos/go-systemd/v22 v22.0.0
 github.com/coreos/go-systemd/v22/dbus
-# github.com/cyphar/filepath-securejoin v0.2.2
-github.com/cyphar/filepath-securejoin
 # github.com/davecgh/go-spew v1.1.1
 github.com/davecgh/go-spew/spew
 # github.com/docker/distribution v2.7.1+incompatible
@@ -150,8 +148,10 @@ github.com/godbus/dbus/v5
 github.com/gogo/protobuf/gogoproto
 github.com/gogo/protobuf/proto
 github.com/gogo/protobuf/protoc-gen-gogo/descriptor
-# github.com/golang/protobuf v1.4.3
+# github.com/golang/protobuf v1.4.2
 github.com/golang/protobuf/proto
+# github.com/google/go-cmp v0.5.2
+## explicit
 # github.com/gorilla/mux v1.8.0
 ## explicit
 github.com/gorilla/mux
@@ -227,17 +227,16 @@ github.com/opencontainers/go-digest
 # github.com/opencontainers/image-spec v1.0.2-0.20190823105129-775207bd45b6
 github.com/opencontainers/image-spec/specs-go
 github.com/opencontainers/image-spec/specs-go/v1
-# github.com/opencontainers/runc v1.0.0-rc93
+# github.com/opencontainers/runc v1.0.0-rc91
 ## explicit
 github.com/opencontainers/runc/libcontainer/apparmor
 github.com/opencontainers/runc/libcontainer/cgroups
-github.com/opencontainers/runc/libcontainer/cgroups/fscommon
 github.com/opencontainers/runc/libcontainer/configs
 github.com/opencontainers/runc/libcontainer/devices
 github.com/opencontainers/runc/libcontainer/system
 github.com/opencontainers/runc/libcontainer/user
 github.com/opencontainers/runc/libcontainer/utils
-# github.com/opencontainers/runtime-spec v1.0.3-0.20200929063507-e6143ca7d51d
+# github.com/opencontainers/runtime-spec v1.0.3-0.20200710190001-3e4195d92445
 ## explicit
 github.com/opencontainers/runtime-spec/specs-go
 # github.com/opencontainers/runtime-tools v0.9.0
@@ -293,7 +292,7 @@ github.com/spf13/pflag
 ## explicit
 github.com/stretchr/testify/assert
 github.com/stretchr/testify/require
-# github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635
+# github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2
 ## explicit
 github.com/syndtr/gocapability/capability
 # github.com/tchap/go-patricia v2.3.0+incompatible
@@ -324,7 +323,7 @@ go.opencensus.io/trace/tracestate
 # golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9
 ## explicit
 golang.org/x/crypto/ssh/terminal
-# golang.org/x/net v0.0.0-20201224014010-6772e930b67b
+# golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb
 golang.org/x/net/context
 golang.org/x/net/html
 golang.org/x/net/html/atom