starlingx/integ
Code Issues Proposed changes

Merge "Debian: containerd upversion to 1.4.11"

Browse Source
This commit is contained in:
Zuul 2022-04-08 19:53:36 +00:00 committed by Gerrit Code Review
commit 1b39149671
9 changed files with 652 additions and 155 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
kubernetes/containerd/debian/meta_data.yaml
View File

@ -1,11 +1,11 @@
---
debname: containerd
debver: 1.4.5~ds1-2
debver: 1.4.12~ds1-1
dl_path:
name: containerd-debian-1.4.5_ds1-2.tar.gz
url: https://salsa.debian.org/go-team/packages/containerd/-/archive/debian/1.4.5_ds1-2/containerd-debian-1.4.5_ds1-2.tar.gz
md5sum: 4c88399bd3aa387b8640d721743d62cf
sha256sum: 13c5b83c28880f0e42eff19ab17522a33b6d6e5c5f507dba152a802ebeb69414
name: containerd-debian-1.4.12_ds1-1.tar.gz
url: https://salsa.debian.org/go-team/packages/containerd/-/archive/debian/1.4.12_ds1-1_deb11u1/containerd-debian-1.4.12_ds1-1_deb11u1.tar.gz
md5sum: 12565b0d12ce878b6315f049e48113cd
sha256sum: 00199134fed422a3a8041d7a9f8dd782811e7792ee2e7c298351f026c04b99db
revision:
dist: $STX_DIST
PKG_GITREVCOUNT: true

35
kubernetes/containerd/debian/patches/0001-add_build_flags.patch
View File

@ -1,35 +0,0 @@
From 5625d5ed827cf3983f55d462a75b4ffcd9e7cf25 Mon Sep 17 00:00:00 2001
From: Daniel Safta <daniel.safta@windriver.com>
Date: Fri, 8 Oct 2021 13:21:26 +0300
Subject: [PATCH] add build flags
1. disable btrfs to avoid needing to pull in the devel package
2. hardcode version info due to miss git info in tarball.
---
Makefile | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index c0fecb9..8b7b1a5 100644
--- a/Makefile
+++ b/Makefile
@@ -20,7 +20,8 @@ ROOTDIR=$(dir $(abspath $(lastword $(MAKEFILE_LIST))))
DESTDIR ?= /usr/local
# Used to populate variables in version package.
-VERSION=$(shell git describe --match 'v[0-9]*' --dirty='.m' --always)
+# VERSION=$(shell git describe --match 'v[0-9]*' --dirty='.m' --always)
+VERSION=v1.4.6
REVISION=$(shell git rev-parse HEAD)$(shell if ! git diff --no-ext-diff --quiet --exit-code; then echo .m; fi)
PACKAGE=github.com/containerd/containerd
SHIM_CGO_ENABLED ?= 0
@@ -78,6 +79,7 @@ endif
# Build tags apparmor and selinux are needed by CRI plugin.
GO_BUILDTAGS ?= apparmor selinux
GO_BUILDTAGS += ${DEBUG_TAGS}
+GO_BUILDTAGS += no_btrfs
GO_TAGS=$(if $(GO_BUILDTAGS),-tags "$(GO_BUILDTAGS)",)
GO_LDFLAGS=-ldflags '-X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -X $(PKG)/version.Package=$(PACKAGE) $(EXTRA_LDFLAGS)'
SHIM_GO_LDFLAGS=-ldflags '-X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -X $(PKG)/version.Package=$(PACKAGE) -extldflags "-static" $(EXTRA_LDFLAGS)'
--
2.17.1

590
kubernetes/containerd/debian/patches/0001-revert-to-v1.4.11.patch Normal file
View File

@ -0,0 +1,590 @@
From 2c7e958673c945279f8e30d1ad162c460b9c0926 Mon Sep 17 00:00:00 2001
From: Kaustubh Dhokte <kaustubh.dhokte@windriver.com>
Date: Thu, 24 Mar 2022 14:52:27 -0400
Subject: [PATCH] revert to v1.4.11
Signed-off-by: Kaustubh Dhokte <kaustubh.dhokte@windriver.com>
---
.github/workflows/ci.yml | 12 +-
.github/workflows/nightly.yml | 4 +-
.github/workflows/release.yml | 2 +-
.travis.yml | 2 +-
.zuul/playbooks/containerd-build/run.yaml | 2 +-
Vagrantfile | 2 +-
contrib/Dockerfile.test | 2 +-
images/image.go | 55 --------
images/image_test.go | 150 ----------------------
releases/v1.4.12.toml | 23 ----
remotes/docker/fetcher.go | 4 -
remotes/docker/resolver.go | 35 ++---
remotes/docker/schema1/converter.go | 9 +-
version/version.go | 2 +-
14 files changed, 28 insertions(+), 276 deletions(-)
delete mode 100644 images/image_test.go
delete mode 100644 releases/v1.4.12.toml
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8f7a3a7a6..4ee47e5d1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -26,7 +26,7 @@ jobs:
- name: Install Go
uses: actions/setup-go@v2
with:
- go-version: '1.16.10'
+ go-version: '1.16.8'
- name: Set env
shell: bash
@@ -82,7 +82,7 @@ jobs:
steps:
- uses: actions/setup-go@v2
with:
- go-version: '1.16.10'
+ go-version: '1.16.8'
- name: Set env
shell: bash
@@ -128,7 +128,7 @@ jobs:
steps:
- uses: actions/setup-go@v2
with:
- go-version: '1.16.10'
+ go-version: '1.16.8'
- name: Set env
shell: bash
@@ -166,7 +166,7 @@ jobs:
steps:
- uses: actions/setup-go@v2
with:
- go-version: '1.16.10'
+ go-version: '1.16.8'
- name: Set env
shell: bash
@@ -199,7 +199,7 @@ jobs:
steps:
- uses: actions/setup-go@v2
with:
- go-version: '1.16.10'
+ go-version: '1.16.8'
- name: Set env
shell: bash
@@ -285,7 +285,7 @@ jobs:
steps:
- uses: actions/setup-go@v2
with:
- go-version: '1.16.10'
+ go-version: '1.16.8'
- name: Set env
shell: bash
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index b050bbf18..1cb92a34b 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -14,7 +14,7 @@ jobs:
steps:
- uses: actions/setup-go@v2
with:
- go-version: '1.16.10'
+ go-version: '1.16.8'
- name: Checkout
uses: actions/checkout@v1
@@ -138,7 +138,7 @@ jobs:
steps:
- uses: actions/setup-go@v2
with:
- go-version: '1.16.10'
+ go-version: '1.16.8'
- name: Checkout
uses: actions/checkout@v1
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d9e5a3eab..ec9971a4a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -62,7 +62,7 @@ jobs:
- name: Install Go
uses: actions/setup-go@v2
with:
- go-version: '1.16.10'
+ go-version: '1.16.8'
- name: Set env
shell: bash
diff --git a/.travis.yml b/.travis.yml
index 8314c796b..1726cf6d5 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -15,7 +15,7 @@ os:
- linux
go:
- - "1.16.10"
+ - "1.16.8"
env:
- TRAVIS_GOOS=linux TEST_RUNTIME=io.containerd.runc.v1 TRAVIS_CGO_ENABLED=1 TRAVIS_DISTRO=bionic GOPROXY=direct
diff --git a/.zuul/playbooks/containerd-build/run.yaml b/.zuul/playbooks/containerd-build/run.yaml
index c3ebc7eae..815b4ec62 100644
--- a/.zuul/playbooks/containerd-build/run.yaml
+++ b/.zuul/playbooks/containerd-build/run.yaml
@@ -2,7 +2,7 @@
become: yes
roles:
- role: config-golang
- go_version: '1.16.10'
+ go_version: '1.16.8'
arch: arm64
tasks:
- name: Build containerd
diff --git a/Vagrantfile b/Vagrantfile
index b31dfaa34..d1f30c559 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -77,7 +77,7 @@ Vagrant.configure("2") do |config|
config.vm.provision "install-golang", type: "shell", run: "once" do |sh|
sh.upload_path = "/tmp/vagrant-install-golang"
sh.env = {
- 'GO_VERSION': ENV['GO_VERSION'] || "1.16.10",
+ 'GO_VERSION': ENV['GO_VERSION'] || "1.16.8",
}
sh.inline = <<~SHELL
#!/usr/bin/env bash
diff --git a/contrib/Dockerfile.test b/contrib/Dockerfile.test
index 020008ceb..875c457f0 100644
--- a/contrib/Dockerfile.test
+++ b/contrib/Dockerfile.test
@@ -10,7 +10,7 @@
#
# docker build -t containerd-test --build-arg RUNC_VERSION=v1.0.0-rc93 -f Dockerfile.test ../
-ARG GOLANG_VERSION=1.16.10
+ARG GOLANG_VERSION=1.16.8
FROM golang:${GOLANG_VERSION} AS golang-base
RUN mkdir -p /go/src/github.com/containerd/containerd
diff --git a/images/image.go b/images/image.go
index 2e42ca09a..1868ee88d 100644
--- a/images/image.go
+++ b/images/image.go
@@ -19,7 +19,6 @@ package images
import (
"context"
"encoding/json"
- "fmt"
"sort"
"time"
@@ -155,10 +154,6 @@ func Manifest(ctx context.Context, provider content.Provider, image ocispec.Desc
return nil, err
}
- if err := validateMediaType(p, desc.MediaType); err != nil {
- return nil, errors.Wrapf(err, "manifest: invalid desc %s", desc.Digest)
- }
-
var manifest ocispec.Manifest
if err := json.Unmarshal(p, &manifest); err != nil {
return nil, err
@@ -199,10 +194,6 @@ func Manifest(ctx context.Context, provider content.Provider, image ocispec.Desc
return nil, err
}
- if err := validateMediaType(p, desc.MediaType); err != nil {
- return nil, errors.Wrapf(err, "manifest: invalid desc %s", desc.Digest)
- }
-
var idx ocispec.Index
if err := json.Unmarshal(p, &idx); err != nil {
return nil, err
@@ -345,10 +336,6 @@ func Children(ctx context.Context, provider content.Provider, desc ocispec.Descr
return nil, err
}
- if err := validateMediaType(p, desc.MediaType); err != nil {
- return nil, errors.Wrapf(err, "children: invalid desc %s", desc.Digest)
- }
-
// TODO(stevvooe): We just assume oci manifest, for now. There may be
// subtle differences from the docker version.
var manifest ocispec.Manifest
@@ -364,10 +351,6 @@ func Children(ctx context.Context, provider content.Provider, desc ocispec.Descr
return nil, err
}
- if err := validateMediaType(p, desc.MediaType); err != nil {
- return nil, errors.Wrapf(err, "children: invalid desc %s", desc.Digest)
- }
-
var index ocispec.Index
if err := json.Unmarshal(p, &index); err != nil {
return nil, err
@@ -385,44 +368,6 @@ func Children(ctx context.Context, provider content.Provider, desc ocispec.Descr
return descs, nil
}
-// unknownDocument represents a manifest, manifest list, or index that has not
-// yet been validated.
-type unknownDocument struct {
- MediaType string `json:"mediaType,omitempty"`
- Config json.RawMessage `json:"config,omitempty"`
- Layers json.RawMessage `json:"layers,omitempty"`
- Manifests json.RawMessage `json:"manifests,omitempty"`
- FSLayers json.RawMessage `json:"fsLayers,omitempty"` // schema 1
-}
-
-// validateMediaType returns an error if the byte slice is invalid JSON or if
-// the media type identifies the blob as one format but it contains elements of
-// another format.
-func validateMediaType(b []byte, mt string) error {
- var doc unknownDocument
- if err := json.Unmarshal(b, &doc); err != nil {
- return err
- }
- if len(doc.FSLayers) != 0 {
- return fmt.Errorf("media-type: schema 1 not supported")
- }
- switch mt {
- case MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest:
- if len(doc.Manifests) != 0 ||
- doc.MediaType == MediaTypeDockerSchema2ManifestList ||
- doc.MediaType == ocispec.MediaTypeImageIndex {
- return fmt.Errorf("media-type: expected manifest but found index (%s)", mt)
- }
- case MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex:
- if len(doc.Config) != 0 || len(doc.Layers) != 0 ||
- doc.MediaType == MediaTypeDockerSchema2Manifest ||
- doc.MediaType == ocispec.MediaTypeImageManifest {
- return fmt.Errorf("media-type: expected index but found manifest (%s)", mt)
- }
- }
- return nil
-}
-
// RootFS returns the unpacked diffids that make up and images rootfs.
//
// These are used to verify that a set of layers unpacked to the expected
diff --git a/images/image_test.go b/images/image_test.go
deleted file mode 100644
index 3e88e5076..000000000
--- a/images/image_test.go
+++ /dev/null
@@ -1,150 +0,0 @@
-/*
- Copyright The containerd Authors.
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-*/
-
-package images
-
-import (
- "encoding/json"
- "testing"
-
- ocispec "github.com/opencontainers/image-spec/specs-go/v1"
-)
-
-func TestValidateMediaType(t *testing.T) {
- docTests := []struct {
- mt string
- index bool
- }{
- {MediaTypeDockerSchema2Manifest, false},
- {ocispec.MediaTypeImageManifest, false},
- {MediaTypeDockerSchema2ManifestList, true},
- {ocispec.MediaTypeImageIndex, true},
- }
- for _, tc := range docTests {
- t.Run("manifest-"+tc.mt, func(t *testing.T) {
- manifest := ocispec.Manifest{
- Config: ocispec.Descriptor{Size: 1},
- Layers: []ocispec.Descriptor{{Size: 2}},
- }
- b, err := json.Marshal(manifest)
- if err != nil {
- t.Fatal("failed to marshal manifest", err)
- }
-
- err = validateMediaType(b, tc.mt)
- if tc.index {
- if err == nil {
- t.Error("manifest should not be a valid index")
- }
- } else {
- if err != nil {
- t.Error("manifest should be valid")
- }
- }
- })
- t.Run("index-"+tc.mt, func(t *testing.T) {
- index := ocispec.Index{
- Manifests: []ocispec.Descriptor{{Size: 1}},
- }
- b, err := json.Marshal(index)
- if err != nil {
- t.Fatal("failed to marshal index", err)
- }
-
- err = validateMediaType(b, tc.mt)
- if tc.index {
- if err != nil {
- t.Error("index should be valid")
- }
- } else {
- if err == nil {
- t.Error("index should not be a valid manifest")
- }
- }
- })
- }
-
- mtTests := []struct {
- mt string
- valid []string
- invalid []string
- }{{
- MediaTypeDockerSchema2Manifest,
- []string{MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest},
- []string{MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex},
- }, {
- ocispec.MediaTypeImageManifest,
- []string{MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest},
- []string{MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex},
- }, {
- MediaTypeDockerSchema2ManifestList,
- []string{MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex},
- []string{MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest},
- }, {
- ocispec.MediaTypeImageIndex,
- []string{MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex},
- []string{MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest},
- }}
- for _, tc := range mtTests {
- for _, v := range tc.valid {
- t.Run("valid-"+tc.mt+"-"+v, func(t *testing.T) {
- doc := struct {
- MediaType string `json:"mediaType"`
- }{MediaType: v}
- b, err := json.Marshal(doc)
- if err != nil {
- t.Fatal("failed to marshal document", err)
- }
-
- err = validateMediaType(b, tc.mt)
- if err != nil {
- t.Error("document should be valid", err)
- }
- })
- }
- for _, iv := range tc.invalid {
- t.Run("invalid-"+tc.mt+"-"+iv, func(t *testing.T) {
- doc := struct {
- MediaType string `json:"mediaType"`
- }{MediaType: iv}
- b, err := json.Marshal(doc)
- if err != nil {
- t.Fatal("failed to marshal document", err)
- }
-
- err = validateMediaType(b, tc.mt)
- if err == nil {
- t.Error("document should not be valid")
- }
- })
- }
- }
- t.Run("schema1", func(t *testing.T) {
- doc := struct {
- FSLayers []string `json:"fsLayers"`
- }{FSLayers: []string{"1"}}
- b, err := json.Marshal(doc)
- if err != nil {
- t.Fatal("failed to marshal document", err)
- }
-
- err = validateMediaType(b, "")
- if err == nil {
- t.Error("document should not be valid")
- }
-
- })
-}
diff --git a/releases/v1.4.12.toml b/releases/v1.4.12.toml
deleted file mode 100644
index 072d6959a..000000000
--- a/releases/v1.4.12.toml
+++ /dev/null
@@ -1,23 +0,0 @@
-# commit to be tagged for new release
-commit = "HEAD"
-
-project_name = "containerd"
-github_repo = "containerd/containerd"
-match_deps = "^github.com/(containerd/[a-zA-Z0-9-]+)$"
-
-# previous release
-previous = "v1.4.11"
-
-pre_release = false
-
-preface = """\
-The twelfth patch release for containerd 1.4 contains a few minor bug fixes
-and an update to mitigate [CVE-2021-41190](https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m).
-
-### Notable Updates
-
-* **Handle ambiguous OCI manifest parsing** ([GHSA-5j5w-g665-5m35](https://github.com/containerd/containerd/security/advisories/GHSA-5j5w-g665-5m35))
-* **Update pull to try next mirror for non-404 errors** ([#5275](https://github.com/containerd/containerd/pull/5275))
-* **Update pull to handle of non-https urls in descriptors** ([#6221](https://github.com/containerd/containerd/pull/6221))
-
-See the changelog for complete list of changes"""
diff --git a/remotes/docker/fetcher.go b/remotes/docker/fetcher.go
index 4b2c10e9a..5796fbf4a 100644
--- a/remotes/docker/fetcher.go
+++ b/remotes/docker/fetcher.go
@@ -60,10 +60,6 @@ func (r dockerFetcher) Fetch(ctx context.Context, desc ocispec.Descriptor) (io.R
log.G(ctx).WithError(err).Debug("failed to parse")
continue
}
- if u.Scheme != "http" && u.Scheme != "https" {
- log.G(ctx).Debug("non-http(s) alternative url is unsupported")
- continue
- }
log.G(ctx).Debug("trying alternative url")
// Try this first, parse it
diff --git a/remotes/docker/resolver.go b/remotes/docker/resolver.go
index d6ccd7072..06b08dee8 100644
--- a/remotes/docker/resolver.go
+++ b/remotes/docker/resolver.go
@@ -229,10 +229,10 @@ func (r *dockerResolver) Resolve(ctx context.Context, ref string) (string, ocisp
}
var (
- firstErr error
- paths [][]string
- dgst = refspec.Digest()
- caps = HostCapabilityPull
+ lastErr error
+ paths [][]string
+ dgst = refspec.Digest()
+ caps = HostCapabilityPull
)
if dgst != "" {
@@ -283,8 +283,8 @@ func (r *dockerResolver) Resolve(ctx context.Context, ref string) (string, ocisp
err = errors.Wrapf(err, "pull access denied, repository does not exist or may require authorization")
}
// Store the error for referencing later
- if firstErr == nil {
- firstErr = err
+ if lastErr == nil {
+ lastErr = err
}
continue // try another host
}
@@ -294,14 +294,7 @@ func (r *dockerResolver) Resolve(ctx context.Context, ref string) (string, ocisp
if resp.StatusCode == http.StatusNotFound {
continue
}
- if resp.StatusCode > 399 {
- // Set firstErr when encountering the first non-404 status code.
- if firstErr == nil {
- firstErr = errors.Errorf("pulling from host %s failed with status code %v: %v", host.Host, u, resp.Status)
- }
- continue // try another host
- }
- return "", ocispec.Descriptor{}, errors.Errorf("pulling from host %s failed with unexpected status code %v: %v", host.Host, u, resp.Status)
+ return "", ocispec.Descriptor{}, errors.Errorf("unexpected status code %v: %v", u, resp.Status)
}
size := resp.ContentLength
contentType := getManifestMediaType(resp)
@@ -364,8 +357,8 @@ func (r *dockerResolver) Resolve(ctx context.Context, ref string) (string, ocisp
}
// Prevent resolving to excessively large manifests
if size > MaxManifestSize {
- if firstErr == nil {
- firstErr = errors.Wrapf(errdefs.ErrNotFound, "rejecting %d byte manifest for %s", size, ref)
+ if lastErr == nil {
+ lastErr = errors.Wrapf(errdefs.ErrNotFound, "rejecting %d byte manifest for %s", size, ref)
}
continue
}
@@ -381,15 +374,11 @@ func (r *dockerResolver) Resolve(ctx context.Context, ref string) (string, ocisp
}
}
- // If above loop terminates without return, then there was an error.
- // "firstErr" contains the first non-404 error. That is, "firstErr == nil"
- // means that either no registries were given or each registry returned 404.
-
- if firstErr == nil {
- firstErr = errors.Wrap(errdefs.ErrNotFound, ref)
+ if lastErr == nil {
+ lastErr = errors.Wrap(errdefs.ErrNotFound, ref)
}
- return "", ocispec.Descriptor{}, firstErr
+ return "", ocispec.Descriptor{}, lastErr
}
func (r *dockerResolver) Fetcher(ctx context.Context, ref string) (remotes.Fetcher, error) {
diff --git a/remotes/docker/schema1/converter.go b/remotes/docker/schema1/converter.go
index f15a9acf3..8314c01d5 100644
--- a/remotes/docker/schema1/converter.go
+++ b/remotes/docker/schema1/converter.go
@@ -256,9 +256,6 @@ func (c *Converter) fetchManifest(ctx context.Context, desc ocispec.Descriptor)
if err := json.Unmarshal(b, &m); err != nil {
return err
}
- if len(m.Manifests) != 0 || len(m.Layers) != 0 {
- return errors.New("converter: expected schema1 document but found extra keys")
- }
c.pulledManifest = &m
return nil
@@ -475,10 +472,8 @@ type history struct {
}
type manifest struct {
- FSLayers []fsLayer `json:"fsLayers"`
- History []history `json:"history"`
- Layers json.RawMessage `json:"layers,omitempty"` // OCI manifest
- Manifests json.RawMessage `json:"manifests,omitempty"` // OCI index
+ FSLayers []fsLayer `json:"fsLayers"`
+ History []history `json:"history"`
}
type v1History struct {
diff --git a/version/version.go b/version/version.go
index dab4a1656..77f581f7c 100644
--- a/version/version.go
+++ b/version/version.go
@@ -23,7 +23,7 @@ var (
Package = "github.com/containerd/containerd"
// Version holds the complete version number. Filled in at linking time.
- Version = "1.4.12+unknown"
+ Version = "1.4.11+unknown"
// Revision is filled with the VCS (e.g. git) revision being used to build
// the program at linking time.
--
2.25.1

55
kubernetes/containerd/debian/patches/0002-customize-containerd-for-StarlingX.patch Normal file
View File

@ -0,0 +1,55 @@
From eeb59bb893f5f5ce6d7b9ec170ec67203f71478d Mon Sep 17 00:00:00 2001
From: Kaustubh Dhokte <kaustubh.dhokte@windriver.com>
Date: Tue, 1 Mar 2022 20:43:42 -0500
Subject: [PATCH] customize containerd for StarlingX
1. disable btrfs to avoid needing to pull in the devel package
2. docker registry in StarlingX 3.0 branch doesn't support POST method
for token and will return 400. Switch to GET method to get token if
StatusCode is 400.
3. hardcode version info due to miss git info in tarball.
Signed-off-by: Kaustubh Dhokte <kaustubh.dhokte@windriver.com>
---
Makefile | 3 ++-
remotes/docker/authorizer.go | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/Makefile b/Makefile
index c0fecb9a6..d8cef89d5 100644
--- a/Makefile
+++ b/Makefile
@@ -20,7 +20,7 @@ ROOTDIR=$(dir $(abspath $(lastword $(MAKEFILE_LIST))))
DESTDIR ?= /usr/local
# Used to populate variables in version package.
-VERSION=$(shell git describe --match 'v[0-9]*' --dirty='.m' --always)
+VERSION=v1.4.11
REVISION=$(shell git rev-parse HEAD)$(shell if ! git diff --no-ext-diff --quiet --exit-code; then echo .m; fi)
PACKAGE=github.com/containerd/containerd
SHIM_CGO_ENABLED ?= 0
@@ -78,6 +78,7 @@ endif
# Build tags apparmor and selinux are needed by CRI plugin.
GO_BUILDTAGS ?= apparmor selinux
GO_BUILDTAGS += ${DEBUG_TAGS}
+GO_BUILDTAGS += no_btrfs
GO_TAGS=$(if $(GO_BUILDTAGS),-tags "$(GO_BUILDTAGS)",)
GO_LDFLAGS=-ldflags '-X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -X $(PKG)/version.Package=$(PACKAGE) $(EXTRA_LDFLAGS)'
SHIM_GO_LDFLAGS=-ldflags '-X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -X $(PKG)/version.Package=$(PACKAGE) -extldflags "-static" $(EXTRA_LDFLAGS)'
diff --git a/remotes/docker/authorizer.go b/remotes/docker/authorizer.go
index 67e4aea8d..bacaa502d 100644
--- a/remotes/docker/authorizer.go
+++ b/remotes/docker/authorizer.go
@@ -284,7 +284,8 @@ func (ah *authHandler) doBearerAuth(ctx context.Context) (token string, err erro
// Registries without support for POST may return 404 for POST /v2/token.
// As of September 2017, GCR is known to return 404.
// As of February 2018, JFrog Artifactory is known to return 401.
- if (errStatus.StatusCode == 405 && to.Username != "") || errStatus.StatusCode == 404 || errStatus.StatusCode == 401 {
+ // Registry in StarlingX 6.0 returns 400 for POST /v2/token. Should check if still applicable.
+ if (errStatus.StatusCode == 405 && to.Username != "") || errStatus.StatusCode == 404 || errStatus.StatusCode == 401 || errStatus.StatusCode == 400 {
resp, err := auth.FetchToken(ctx, ah.client, ah.header, to)
if err != nil {
return "", err
--
2.25.1

28
kubernetes/containerd/debian/patches/0002-fix_errorcode.patch
View File

@ -1,28 +0,0 @@
From 7bdbc31f47a801dc9215163ae5cd84581f1d83e2 Mon Sep 17 00:00:00 2001
From: Daniel Safta <daniel.safta@windriver.com>
Date: Mon, 11 Oct 2021 12:13:15 +0300
Subject: [PATCH] fix errorcode
docker registry in StarlingX 3.0 branch doesn't support POST method
for token and will return 400. Switch to GET method to get token if
StatusCode is 400.
---
remotes/docker/authorizer.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/remotes/docker/authorizer.go b/remotes/docker/authorizer.go
index 67e4aea..c06b222 100644
--- a/remotes/docker/authorizer.go
+++ b/remotes/docker/authorizer.go
@@ -284,7 +284,7 @@ func (ah *authHandler) doBearerAuth(ctx context.Context) (token string, err erro
// Registries without support for POST may return 404 for POST /v2/token.
// As of September 2017, GCR is known to return 404.
// As of February 2018, JFrog Artifactory is known to return 401.
- if (errStatus.StatusCode == 405 && to.Username != "") || errStatus.StatusCode == 404 || errStatus.StatusCode == 401 {
+ if (errStatus.StatusCode == 405 && to.Username != "") || errStatus.StatusCode == 404 || errStatus.StatusCode == 401 || errStatus.StatusCode == 400 {
resp, err := auth.FetchToken(ctx, ah.client, ah.header, to)
if err != nil {
return "", err
--
2.17.1

21
kubernetes/containerd/debian/patches/0003-update-runc-binary-to-v1.0.0-rc95.patch
View File

@ -1,21 +0,0 @@
From 5ab8e65d580831184f6c10b40e479da9ce0e8b67 Mon Sep 17 00:00:00 2001
From: Daniel Safta <daniel.safta@windriver.com>
Date: Tue, 19 Oct 2021 13:17:46 +0000
Subject: [PATCH] update runc binary to v1.0.0-rc95 Signed-off-by: Akihiro Suda
<akihiro.suda.cz@hco.ntt.co.jp> (cherry picked from commit 599127f)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
---
script/setup/runc-version | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/script/setup/runc-version b/script/setup/runc-version
index fd84c98..ded5e1b 100644
--- a/script/setup/runc-version
+++ b/script/setup/runc-version
@@ -1 +1 @@
-v1.0.0-rc94
+v1.0.0-rc95
--
2.30.2

35
kubernetes/containerd/debian/patches/0004-Prepare-release-notes-for-v1.4.6.patch
View File

@ -1,35 +0,0 @@
From 3731fefcb230c11e50d18f21aabc2f8573a0f329 Mon Sep 17 00:00:00 2001
From: Daniel Safta <daniel.safta@windriver.com>
Date: Tue, 19 Oct 2021 13:24:00 +0000
Subject: [PATCH] Prepare release notes for v1.4.6 Signed-off-by: Derek McGowan
<derek@mcg.dev>
---
releases/v1.4.6.toml | 15 +++++++++++++++
1 file changed, 15 insertions(+)
create mode 100644 releases/v1.4.6.toml
diff --git a/releases/v1.4.6.toml b/releases/v1.4.6.toml
new file mode 100644
index 0000000..6b88d07
--- /dev/null
+++ b/releases/v1.4.6.toml
@@ -0,0 +1,15 @@
+# commit to be tagged for new release
+commit = "HEAD"
+
+project_name = "containerd"
+github_repo = "containerd/containerd"
+match_deps = "^github.com/(containerd/[a-zA-Z0-9-]+)$"
+
+# previous release
+previous = "v1.4.5"
+
+pre_release = false
+
+preface = """\
+The sixth patch release for containerd 1.4 is a security release to update
+runc for [CVE-2021-30465](https://github.com/opencontainers/runc/security/advisories/GHSA-c3xm-pvg7-gh7r)"""
--
2.30.2

26
kubernetes/containerd/debian/patches/0005-Update-v1.4.6-version.patch
View File

@ -1,26 +0,0 @@
From d676fb16812f068009bf23bbe68dcb24e60d3e14 Mon Sep 17 00:00:00 2001
From: Daniel Safta <daniel.safta@windriver.com>
Date: Tue, 19 Oct 2021 13:25:38 +0000
Subject: [PATCH] Update v1.4.6 version Signed-off-by: Derek McGowan
<derek@mcg.dev>
---
version/version.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/version/version.go b/version/version.go
index b4d3a5f..05bde28 100644
--- a/version/version.go
+++ b/version/version.go
@@ -23,7 +23,7 @@ var (
Package = "github.com/containerd/containerd"
// Version holds the complete version number. Filled in at linking time.
- Version = "1.4.5+unknown"
+ Version = "1.4.6+unknown"
// Revision is filled with the VCS (e.g. git) revision being used to build
// the program at linking time.
--
2.30.2

7
kubernetes/containerd/debian/patches/series
View File

@ -1,5 +1,2 @@
0001-add_build_flags.patch
0002-fix_errorcode.patch
0003-update-runc-binary-to-v1.0.0-rc95.patch
0004-Prepare-release-notes-for-v1.4.6.patch
0005-Update-v1.4.6-version.patch
0001-revert-to-v1.4.11.patch
0002-customize-containerd-for-StarlingX.patch