diff --git a/kubernetes/containerd/debian/meta_data.yaml b/kubernetes/containerd/debian/meta_data.yaml index c0e75ff9a..c28a26bab 100644 --- a/kubernetes/containerd/debian/meta_data.yaml +++ b/kubernetes/containerd/debian/meta_data.yaml @@ -1,11 +1,11 @@ --- debname: containerd -debver: 1.4.5~ds1-2 +debver: 1.4.12~ds1-1 dl_path: - name: containerd-debian-1.4.5_ds1-2.tar.gz - url: https://salsa.debian.org/go-team/packages/containerd/-/archive/debian/1.4.5_ds1-2/containerd-debian-1.4.5_ds1-2.tar.gz - md5sum: 4c88399bd3aa387b8640d721743d62cf - sha256sum: 13c5b83c28880f0e42eff19ab17522a33b6d6e5c5f507dba152a802ebeb69414 + name: containerd-debian-1.4.12_ds1-1.tar.gz + url: https://salsa.debian.org/go-team/packages/containerd/-/archive/debian/1.4.12_ds1-1_deb11u1/containerd-debian-1.4.12_ds1-1_deb11u1.tar.gz + md5sum: 12565b0d12ce878b6315f049e48113cd + sha256sum: 00199134fed422a3a8041d7a9f8dd782811e7792ee2e7c298351f026c04b99db revision: dist: $STX_DIST PKG_GITREVCOUNT: true diff --git a/kubernetes/containerd/debian/patches/0001-add_build_flags.patch b/kubernetes/containerd/debian/patches/0001-add_build_flags.patch deleted file mode 100644 index e5b974d87..000000000 --- a/kubernetes/containerd/debian/patches/0001-add_build_flags.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 5625d5ed827cf3983f55d462a75b4ffcd9e7cf25 Mon Sep 17 00:00:00 2001 -From: Daniel Safta -Date: Fri, 8 Oct 2021 13:21:26 +0300 -Subject: [PATCH] add build flags -1. disable btrfs to avoid needing to pull in the devel package -2. hardcode version info due to miss git info in tarball. ---- - Makefile | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/Makefile b/Makefile -index c0fecb9..8b7b1a5 100644 ---- a/Makefile -+++ b/Makefile -@@ -20,7 +20,8 @@ ROOTDIR=$(dir $(abspath $(lastword $(MAKEFILE_LIST)))) - DESTDIR ?= /usr/local - - # Used to populate variables in version package. --VERSION=$(shell git describe --match 'v[0-9]*' --dirty='.m' --always) -+# VERSION=$(shell git describe --match 'v[0-9]*' --dirty='.m' --always) -+VERSION=v1.4.6 - REVISION=$(shell git rev-parse HEAD)$(shell if ! git diff --no-ext-diff --quiet --exit-code; then echo .m; fi) - PACKAGE=github.com/containerd/containerd - SHIM_CGO_ENABLED ?= 0 -@@ -78,6 +79,7 @@ endif - # Build tags apparmor and selinux are needed by CRI plugin. - GO_BUILDTAGS ?= apparmor selinux - GO_BUILDTAGS += ${DEBUG_TAGS} -+GO_BUILDTAGS += no_btrfs - GO_TAGS=$(if $(GO_BUILDTAGS),-tags "$(GO_BUILDTAGS)",) - GO_LDFLAGS=-ldflags '-X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -X $(PKG)/version.Package=$(PACKAGE) $(EXTRA_LDFLAGS)' - SHIM_GO_LDFLAGS=-ldflags '-X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -X $(PKG)/version.Package=$(PACKAGE) -extldflags "-static" $(EXTRA_LDFLAGS)' --- -2.17.1 - diff --git a/kubernetes/containerd/debian/patches/0001-revert-to-v1.4.11.patch b/kubernetes/containerd/debian/patches/0001-revert-to-v1.4.11.patch new file mode 100644 index 000000000..3a0c05baf --- /dev/null +++ b/kubernetes/containerd/debian/patches/0001-revert-to-v1.4.11.patch @@ -0,0 +1,590 @@ +From 2c7e958673c945279f8e30d1ad162c460b9c0926 Mon Sep 17 00:00:00 2001 +From: Kaustubh Dhokte +Date: Thu, 24 Mar 2022 14:52:27 -0400 +Subject: [PATCH] revert to v1.4.11 + +Signed-off-by: Kaustubh Dhokte +--- + .github/workflows/ci.yml | 12 +- + .github/workflows/nightly.yml | 4 +- + .github/workflows/release.yml | 2 +- + .travis.yml | 2 +- + .zuul/playbooks/containerd-build/run.yaml | 2 +- + Vagrantfile | 2 +- + contrib/Dockerfile.test | 2 +- + images/image.go | 55 -------- + images/image_test.go | 150 ---------------------- + releases/v1.4.12.toml | 23 ---- + remotes/docker/fetcher.go | 4 - + remotes/docker/resolver.go | 35 ++--- + remotes/docker/schema1/converter.go | 9 +- + version/version.go | 2 +- + 14 files changed, 28 insertions(+), 276 deletions(-) + delete mode 100644 images/image_test.go + delete mode 100644 releases/v1.4.12.toml + +diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml +index 8f7a3a7a6..4ee47e5d1 100644 +--- a/.github/workflows/ci.yml ++++ b/.github/workflows/ci.yml +@@ -26,7 +26,7 @@ jobs: + - name: Install Go + uses: actions/setup-go@v2 + with: +- go-version: '1.16.10' ++ go-version: '1.16.8' + + - name: Set env + shell: bash +@@ -82,7 +82,7 @@ jobs: + steps: + - uses: actions/setup-go@v2 + with: +- go-version: '1.16.10' ++ go-version: '1.16.8' + + - name: Set env + shell: bash +@@ -128,7 +128,7 @@ jobs: + steps: + - uses: actions/setup-go@v2 + with: +- go-version: '1.16.10' ++ go-version: '1.16.8' + + - name: Set env + shell: bash +@@ -166,7 +166,7 @@ jobs: + steps: + - uses: actions/setup-go@v2 + with: +- go-version: '1.16.10' ++ go-version: '1.16.8' + + - name: Set env + shell: bash +@@ -199,7 +199,7 @@ jobs: + steps: + - uses: actions/setup-go@v2 + with: +- go-version: '1.16.10' ++ go-version: '1.16.8' + + - name: Set env + shell: bash +@@ -285,7 +285,7 @@ jobs: + steps: + - uses: actions/setup-go@v2 + with: +- go-version: '1.16.10' ++ go-version: '1.16.8' + + - name: Set env + shell: bash +diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml +index b050bbf18..1cb92a34b 100644 +--- a/.github/workflows/nightly.yml ++++ b/.github/workflows/nightly.yml +@@ -14,7 +14,7 @@ jobs: + steps: + - uses: actions/setup-go@v2 + with: +- go-version: '1.16.10' ++ go-version: '1.16.8' + + - name: Checkout + uses: actions/checkout@v1 +@@ -138,7 +138,7 @@ jobs: + steps: + - uses: actions/setup-go@v2 + with: +- go-version: '1.16.10' ++ go-version: '1.16.8' + + - name: Checkout + uses: actions/checkout@v1 +diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml +index d9e5a3eab..ec9971a4a 100644 +--- a/.github/workflows/release.yml ++++ b/.github/workflows/release.yml +@@ -62,7 +62,7 @@ jobs: + - name: Install Go + uses: actions/setup-go@v2 + with: +- go-version: '1.16.10' ++ go-version: '1.16.8' + + - name: Set env + shell: bash +diff --git a/.travis.yml b/.travis.yml +index 8314c796b..1726cf6d5 100644 +--- a/.travis.yml ++++ b/.travis.yml +@@ -15,7 +15,7 @@ os: + - linux + + go: +- - "1.16.10" ++ - "1.16.8" + + env: + - TRAVIS_GOOS=linux TEST_RUNTIME=io.containerd.runc.v1 TRAVIS_CGO_ENABLED=1 TRAVIS_DISTRO=bionic GOPROXY=direct +diff --git a/.zuul/playbooks/containerd-build/run.yaml b/.zuul/playbooks/containerd-build/run.yaml +index c3ebc7eae..815b4ec62 100644 +--- a/.zuul/playbooks/containerd-build/run.yaml ++++ b/.zuul/playbooks/containerd-build/run.yaml +@@ -2,7 +2,7 @@ + become: yes + roles: + - role: config-golang +- go_version: '1.16.10' ++ go_version: '1.16.8' + arch: arm64 + tasks: + - name: Build containerd +diff --git a/Vagrantfile b/Vagrantfile +index b31dfaa34..d1f30c559 100644 +--- a/Vagrantfile ++++ b/Vagrantfile +@@ -77,7 +77,7 @@ Vagrant.configure("2") do |config| + config.vm.provision "install-golang", type: "shell", run: "once" do |sh| + sh.upload_path = "/tmp/vagrant-install-golang" + sh.env = { +- 'GO_VERSION': ENV['GO_VERSION'] || "1.16.10", ++ 'GO_VERSION': ENV['GO_VERSION'] || "1.16.8", + } + sh.inline = <<~SHELL + #!/usr/bin/env bash +diff --git a/contrib/Dockerfile.test b/contrib/Dockerfile.test +index 020008ceb..875c457f0 100644 +--- a/contrib/Dockerfile.test ++++ b/contrib/Dockerfile.test +@@ -10,7 +10,7 @@ + # + # docker build -t containerd-test --build-arg RUNC_VERSION=v1.0.0-rc93 -f Dockerfile.test ../ + +-ARG GOLANG_VERSION=1.16.10 ++ARG GOLANG_VERSION=1.16.8 + + FROM golang:${GOLANG_VERSION} AS golang-base + RUN mkdir -p /go/src/github.com/containerd/containerd +diff --git a/images/image.go b/images/image.go +index 2e42ca09a..1868ee88d 100644 +--- a/images/image.go ++++ b/images/image.go +@@ -19,7 +19,6 @@ package images + import ( + "context" + "encoding/json" +- "fmt" + "sort" + "time" + +@@ -155,10 +154,6 @@ func Manifest(ctx context.Context, provider content.Provider, image ocispec.Desc + return nil, err + } + +- if err := validateMediaType(p, desc.MediaType); err != nil { +- return nil, errors.Wrapf(err, "manifest: invalid desc %s", desc.Digest) +- } +- + var manifest ocispec.Manifest + if err := json.Unmarshal(p, &manifest); err != nil { + return nil, err +@@ -199,10 +194,6 @@ func Manifest(ctx context.Context, provider content.Provider, image ocispec.Desc + return nil, err + } + +- if err := validateMediaType(p, desc.MediaType); err != nil { +- return nil, errors.Wrapf(err, "manifest: invalid desc %s", desc.Digest) +- } +- + var idx ocispec.Index + if err := json.Unmarshal(p, &idx); err != nil { + return nil, err +@@ -345,10 +336,6 @@ func Children(ctx context.Context, provider content.Provider, desc ocispec.Descr + return nil, err + } + +- if err := validateMediaType(p, desc.MediaType); err != nil { +- return nil, errors.Wrapf(err, "children: invalid desc %s", desc.Digest) +- } +- + // TODO(stevvooe): We just assume oci manifest, for now. There may be + // subtle differences from the docker version. + var manifest ocispec.Manifest +@@ -364,10 +351,6 @@ func Children(ctx context.Context, provider content.Provider, desc ocispec.Descr + return nil, err + } + +- if err := validateMediaType(p, desc.MediaType); err != nil { +- return nil, errors.Wrapf(err, "children: invalid desc %s", desc.Digest) +- } +- + var index ocispec.Index + if err := json.Unmarshal(p, &index); err != nil { + return nil, err +@@ -385,44 +368,6 @@ func Children(ctx context.Context, provider content.Provider, desc ocispec.Descr + return descs, nil + } + +-// unknownDocument represents a manifest, manifest list, or index that has not +-// yet been validated. +-type unknownDocument struct { +- MediaType string `json:"mediaType,omitempty"` +- Config json.RawMessage `json:"config,omitempty"` +- Layers json.RawMessage `json:"layers,omitempty"` +- Manifests json.RawMessage `json:"manifests,omitempty"` +- FSLayers json.RawMessage `json:"fsLayers,omitempty"` // schema 1 +-} +- +-// validateMediaType returns an error if the byte slice is invalid JSON or if +-// the media type identifies the blob as one format but it contains elements of +-// another format. +-func validateMediaType(b []byte, mt string) error { +- var doc unknownDocument +- if err := json.Unmarshal(b, &doc); err != nil { +- return err +- } +- if len(doc.FSLayers) != 0 { +- return fmt.Errorf("media-type: schema 1 not supported") +- } +- switch mt { +- case MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest: +- if len(doc.Manifests) != 0 || +- doc.MediaType == MediaTypeDockerSchema2ManifestList || +- doc.MediaType == ocispec.MediaTypeImageIndex { +- return fmt.Errorf("media-type: expected manifest but found index (%s)", mt) +- } +- case MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex: +- if len(doc.Config) != 0 || len(doc.Layers) != 0 || +- doc.MediaType == MediaTypeDockerSchema2Manifest || +- doc.MediaType == ocispec.MediaTypeImageManifest { +- return fmt.Errorf("media-type: expected index but found manifest (%s)", mt) +- } +- } +- return nil +-} +- + // RootFS returns the unpacked diffids that make up and images rootfs. + // + // These are used to verify that a set of layers unpacked to the expected +diff --git a/images/image_test.go b/images/image_test.go +deleted file mode 100644 +index 3e88e5076..000000000 +--- a/images/image_test.go ++++ /dev/null +@@ -1,150 +0,0 @@ +-/* +- Copyright The containerd Authors. +- +- Licensed under the Apache License, Version 2.0 (the "License"); +- you may not use this file except in compliance with the License. +- You may obtain a copy of the License at +- +- http://www.apache.org/licenses/LICENSE-2.0 +- +- Unless required by applicable law or agreed to in writing, software +- distributed under the License is distributed on an "AS IS" BASIS, +- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +- See the License for the specific language governing permissions and +- limitations under the License. +-*/ +- +-package images +- +-import ( +- "encoding/json" +- "testing" +- +- ocispec "github.com/opencontainers/image-spec/specs-go/v1" +-) +- +-func TestValidateMediaType(t *testing.T) { +- docTests := []struct { +- mt string +- index bool +- }{ +- {MediaTypeDockerSchema2Manifest, false}, +- {ocispec.MediaTypeImageManifest, false}, +- {MediaTypeDockerSchema2ManifestList, true}, +- {ocispec.MediaTypeImageIndex, true}, +- } +- for _, tc := range docTests { +- t.Run("manifest-"+tc.mt, func(t *testing.T) { +- manifest := ocispec.Manifest{ +- Config: ocispec.Descriptor{Size: 1}, +- Layers: []ocispec.Descriptor{{Size: 2}}, +- } +- b, err := json.Marshal(manifest) +- if err != nil { +- t.Fatal("failed to marshal manifest", err) +- } +- +- err = validateMediaType(b, tc.mt) +- if tc.index { +- if err == nil { +- t.Error("manifest should not be a valid index") +- } +- } else { +- if err != nil { +- t.Error("manifest should be valid") +- } +- } +- }) +- t.Run("index-"+tc.mt, func(t *testing.T) { +- index := ocispec.Index{ +- Manifests: []ocispec.Descriptor{{Size: 1}}, +- } +- b, err := json.Marshal(index) +- if err != nil { +- t.Fatal("failed to marshal index", err) +- } +- +- err = validateMediaType(b, tc.mt) +- if tc.index { +- if err != nil { +- t.Error("index should be valid") +- } +- } else { +- if err == nil { +- t.Error("index should not be a valid manifest") +- } +- } +- }) +- } +- +- mtTests := []struct { +- mt string +- valid []string +- invalid []string +- }{{ +- MediaTypeDockerSchema2Manifest, +- []string{MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest}, +- []string{MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex}, +- }, { +- ocispec.MediaTypeImageManifest, +- []string{MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest}, +- []string{MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex}, +- }, { +- MediaTypeDockerSchema2ManifestList, +- []string{MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex}, +- []string{MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest}, +- }, { +- ocispec.MediaTypeImageIndex, +- []string{MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex}, +- []string{MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest}, +- }} +- for _, tc := range mtTests { +- for _, v := range tc.valid { +- t.Run("valid-"+tc.mt+"-"+v, func(t *testing.T) { +- doc := struct { +- MediaType string `json:"mediaType"` +- }{MediaType: v} +- b, err := json.Marshal(doc) +- if err != nil { +- t.Fatal("failed to marshal document", err) +- } +- +- err = validateMediaType(b, tc.mt) +- if err != nil { +- t.Error("document should be valid", err) +- } +- }) +- } +- for _, iv := range tc.invalid { +- t.Run("invalid-"+tc.mt+"-"+iv, func(t *testing.T) { +- doc := struct { +- MediaType string `json:"mediaType"` +- }{MediaType: iv} +- b, err := json.Marshal(doc) +- if err != nil { +- t.Fatal("failed to marshal document", err) +- } +- +- err = validateMediaType(b, tc.mt) +- if err == nil { +- t.Error("document should not be valid") +- } +- }) +- } +- } +- t.Run("schema1", func(t *testing.T) { +- doc := struct { +- FSLayers []string `json:"fsLayers"` +- }{FSLayers: []string{"1"}} +- b, err := json.Marshal(doc) +- if err != nil { +- t.Fatal("failed to marshal document", err) +- } +- +- err = validateMediaType(b, "") +- if err == nil { +- t.Error("document should not be valid") +- } +- +- }) +-} +diff --git a/releases/v1.4.12.toml b/releases/v1.4.12.toml +deleted file mode 100644 +index 072d6959a..000000000 +--- a/releases/v1.4.12.toml ++++ /dev/null +@@ -1,23 +0,0 @@ +-# commit to be tagged for new release +-commit = "HEAD" +- +-project_name = "containerd" +-github_repo = "containerd/containerd" +-match_deps = "^github.com/(containerd/[a-zA-Z0-9-]+)$" +- +-# previous release +-previous = "v1.4.11" +- +-pre_release = false +- +-preface = """\ +-The twelfth patch release for containerd 1.4 contains a few minor bug fixes +-and an update to mitigate [CVE-2021-41190](https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m). +- +-### Notable Updates +- +-* **Handle ambiguous OCI manifest parsing** ([GHSA-5j5w-g665-5m35](https://github.com/containerd/containerd/security/advisories/GHSA-5j5w-g665-5m35)) +-* **Update pull to try next mirror for non-404 errors** ([#5275](https://github.com/containerd/containerd/pull/5275)) +-* **Update pull to handle of non-https urls in descriptors** ([#6221](https://github.com/containerd/containerd/pull/6221)) +- +-See the changelog for complete list of changes""" +diff --git a/remotes/docker/fetcher.go b/remotes/docker/fetcher.go +index 4b2c10e9a..5796fbf4a 100644 +--- a/remotes/docker/fetcher.go ++++ b/remotes/docker/fetcher.go +@@ -60,10 +60,6 @@ func (r dockerFetcher) Fetch(ctx context.Context, desc ocispec.Descriptor) (io.R + log.G(ctx).WithError(err).Debug("failed to parse") + continue + } +- if u.Scheme != "http" && u.Scheme != "https" { +- log.G(ctx).Debug("non-http(s) alternative url is unsupported") +- continue +- } + log.G(ctx).Debug("trying alternative url") + + // Try this first, parse it +diff --git a/remotes/docker/resolver.go b/remotes/docker/resolver.go +index d6ccd7072..06b08dee8 100644 +--- a/remotes/docker/resolver.go ++++ b/remotes/docker/resolver.go +@@ -229,10 +229,10 @@ func (r *dockerResolver) Resolve(ctx context.Context, ref string) (string, ocisp + } + + var ( +- firstErr error +- paths [][]string +- dgst = refspec.Digest() +- caps = HostCapabilityPull ++ lastErr error ++ paths [][]string ++ dgst = refspec.Digest() ++ caps = HostCapabilityPull + ) + + if dgst != "" { +@@ -283,8 +283,8 @@ func (r *dockerResolver) Resolve(ctx context.Context, ref string) (string, ocisp + err = errors.Wrapf(err, "pull access denied, repository does not exist or may require authorization") + } + // Store the error for referencing later +- if firstErr == nil { +- firstErr = err ++ if lastErr == nil { ++ lastErr = err + } + continue // try another host + } +@@ -294,14 +294,7 @@ func (r *dockerResolver) Resolve(ctx context.Context, ref string) (string, ocisp + if resp.StatusCode == http.StatusNotFound { + continue + } +- if resp.StatusCode > 399 { +- // Set firstErr when encountering the first non-404 status code. +- if firstErr == nil { +- firstErr = errors.Errorf("pulling from host %s failed with status code %v: %v", host.Host, u, resp.Status) +- } +- continue // try another host +- } +- return "", ocispec.Descriptor{}, errors.Errorf("pulling from host %s failed with unexpected status code %v: %v", host.Host, u, resp.Status) ++ return "", ocispec.Descriptor{}, errors.Errorf("unexpected status code %v: %v", u, resp.Status) + } + size := resp.ContentLength + contentType := getManifestMediaType(resp) +@@ -364,8 +357,8 @@ func (r *dockerResolver) Resolve(ctx context.Context, ref string) (string, ocisp + } + // Prevent resolving to excessively large manifests + if size > MaxManifestSize { +- if firstErr == nil { +- firstErr = errors.Wrapf(errdefs.ErrNotFound, "rejecting %d byte manifest for %s", size, ref) ++ if lastErr == nil { ++ lastErr = errors.Wrapf(errdefs.ErrNotFound, "rejecting %d byte manifest for %s", size, ref) + } + continue + } +@@ -381,15 +374,11 @@ func (r *dockerResolver) Resolve(ctx context.Context, ref string) (string, ocisp + } + } + +- // If above loop terminates without return, then there was an error. +- // "firstErr" contains the first non-404 error. That is, "firstErr == nil" +- // means that either no registries were given or each registry returned 404. +- +- if firstErr == nil { +- firstErr = errors.Wrap(errdefs.ErrNotFound, ref) ++ if lastErr == nil { ++ lastErr = errors.Wrap(errdefs.ErrNotFound, ref) + } + +- return "", ocispec.Descriptor{}, firstErr ++ return "", ocispec.Descriptor{}, lastErr + } + + func (r *dockerResolver) Fetcher(ctx context.Context, ref string) (remotes.Fetcher, error) { +diff --git a/remotes/docker/schema1/converter.go b/remotes/docker/schema1/converter.go +index f15a9acf3..8314c01d5 100644 +--- a/remotes/docker/schema1/converter.go ++++ b/remotes/docker/schema1/converter.go +@@ -256,9 +256,6 @@ func (c *Converter) fetchManifest(ctx context.Context, desc ocispec.Descriptor) + if err := json.Unmarshal(b, &m); err != nil { + return err + } +- if len(m.Manifests) != 0 || len(m.Layers) != 0 { +- return errors.New("converter: expected schema1 document but found extra keys") +- } + c.pulledManifest = &m + + return nil +@@ -475,10 +472,8 @@ type history struct { + } + + type manifest struct { +- FSLayers []fsLayer `json:"fsLayers"` +- History []history `json:"history"` +- Layers json.RawMessage `json:"layers,omitempty"` // OCI manifest +- Manifests json.RawMessage `json:"manifests,omitempty"` // OCI index ++ FSLayers []fsLayer `json:"fsLayers"` ++ History []history `json:"history"` + } + + type v1History struct { +diff --git a/version/version.go b/version/version.go +index dab4a1656..77f581f7c 100644 +--- a/version/version.go ++++ b/version/version.go +@@ -23,7 +23,7 @@ var ( + Package = "github.com/containerd/containerd" + + // Version holds the complete version number. Filled in at linking time. +- Version = "1.4.12+unknown" ++ Version = "1.4.11+unknown" + + // Revision is filled with the VCS (e.g. git) revision being used to build + // the program at linking time. +-- +2.25.1 + diff --git a/kubernetes/containerd/debian/patches/0002-customize-containerd-for-StarlingX.patch b/kubernetes/containerd/debian/patches/0002-customize-containerd-for-StarlingX.patch new file mode 100644 index 000000000..01ebf51c7 --- /dev/null +++ b/kubernetes/containerd/debian/patches/0002-customize-containerd-for-StarlingX.patch @@ -0,0 +1,55 @@ +From eeb59bb893f5f5ce6d7b9ec170ec67203f71478d Mon Sep 17 00:00:00 2001 +From: Kaustubh Dhokte +Date: Tue, 1 Mar 2022 20:43:42 -0500 +Subject: [PATCH] customize containerd for StarlingX + +1. disable btrfs to avoid needing to pull in the devel package +2. docker registry in StarlingX 3.0 branch doesn't support POST method +for token and will return 400. Switch to GET method to get token if +StatusCode is 400. +3. hardcode version info due to miss git info in tarball. + +Signed-off-by: Kaustubh Dhokte +--- + Makefile | 3 ++- + remotes/docker/authorizer.go | 3 ++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/Makefile b/Makefile +index c0fecb9a6..d8cef89d5 100644 +--- a/Makefile ++++ b/Makefile +@@ -20,7 +20,7 @@ ROOTDIR=$(dir $(abspath $(lastword $(MAKEFILE_LIST)))) + DESTDIR ?= /usr/local + + # Used to populate variables in version package. +-VERSION=$(shell git describe --match 'v[0-9]*' --dirty='.m' --always) ++VERSION=v1.4.11 + REVISION=$(shell git rev-parse HEAD)$(shell if ! git diff --no-ext-diff --quiet --exit-code; then echo .m; fi) + PACKAGE=github.com/containerd/containerd + SHIM_CGO_ENABLED ?= 0 +@@ -78,6 +78,7 @@ endif + # Build tags apparmor and selinux are needed by CRI plugin. + GO_BUILDTAGS ?= apparmor selinux + GO_BUILDTAGS += ${DEBUG_TAGS} ++GO_BUILDTAGS += no_btrfs + GO_TAGS=$(if $(GO_BUILDTAGS),-tags "$(GO_BUILDTAGS)",) + GO_LDFLAGS=-ldflags '-X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -X $(PKG)/version.Package=$(PACKAGE) $(EXTRA_LDFLAGS)' + SHIM_GO_LDFLAGS=-ldflags '-X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -X $(PKG)/version.Package=$(PACKAGE) -extldflags "-static" $(EXTRA_LDFLAGS)' +diff --git a/remotes/docker/authorizer.go b/remotes/docker/authorizer.go +index 67e4aea8d..bacaa502d 100644 +--- a/remotes/docker/authorizer.go ++++ b/remotes/docker/authorizer.go +@@ -284,7 +284,8 @@ func (ah *authHandler) doBearerAuth(ctx context.Context) (token string, err erro + // Registries without support for POST may return 404 for POST /v2/token. + // As of September 2017, GCR is known to return 404. + // As of February 2018, JFrog Artifactory is known to return 401. +- if (errStatus.StatusCode == 405 && to.Username != "") || errStatus.StatusCode == 404 || errStatus.StatusCode == 401 { ++ // Registry in StarlingX 6.0 returns 400 for POST /v2/token. Should check if still applicable. ++ if (errStatus.StatusCode == 405 && to.Username != "") || errStatus.StatusCode == 404 || errStatus.StatusCode == 401 || errStatus.StatusCode == 400 { + resp, err := auth.FetchToken(ctx, ah.client, ah.header, to) + if err != nil { + return "", err +-- +2.25.1 + diff --git a/kubernetes/containerd/debian/patches/0002-fix_errorcode.patch b/kubernetes/containerd/debian/patches/0002-fix_errorcode.patch deleted file mode 100644 index 66ca7aba2..000000000 --- a/kubernetes/containerd/debian/patches/0002-fix_errorcode.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 7bdbc31f47a801dc9215163ae5cd84581f1d83e2 Mon Sep 17 00:00:00 2001 -From: Daniel Safta -Date: Mon, 11 Oct 2021 12:13:15 +0300 -Subject: [PATCH] fix errorcode -docker registry in StarlingX 3.0 branch doesn't support POST method -for token and will return 400. Switch to GET method to get token if -StatusCode is 400. - ---- - remotes/docker/authorizer.go | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/remotes/docker/authorizer.go b/remotes/docker/authorizer.go -index 67e4aea..c06b222 100644 ---- a/remotes/docker/authorizer.go -+++ b/remotes/docker/authorizer.go -@@ -284,7 +284,7 @@ func (ah *authHandler) doBearerAuth(ctx context.Context) (token string, err erro - // Registries without support for POST may return 404 for POST /v2/token. - // As of September 2017, GCR is known to return 404. - // As of February 2018, JFrog Artifactory is known to return 401. -- if (errStatus.StatusCode == 405 && to.Username != "") || errStatus.StatusCode == 404 || errStatus.StatusCode == 401 { -+ if (errStatus.StatusCode == 405 && to.Username != "") || errStatus.StatusCode == 404 || errStatus.StatusCode == 401 || errStatus.StatusCode == 400 { - resp, err := auth.FetchToken(ctx, ah.client, ah.header, to) - if err != nil { - return "", err --- -2.17.1 - diff --git a/kubernetes/containerd/debian/patches/0003-update-runc-binary-to-v1.0.0-rc95.patch b/kubernetes/containerd/debian/patches/0003-update-runc-binary-to-v1.0.0-rc95.patch deleted file mode 100644 index 91e64c171..000000000 --- a/kubernetes/containerd/debian/patches/0003-update-runc-binary-to-v1.0.0-rc95.patch +++ /dev/null @@ -1,21 +0,0 @@ -From 5ab8e65d580831184f6c10b40e479da9ce0e8b67 Mon Sep 17 00:00:00 2001 -From: Daniel Safta -Date: Tue, 19 Oct 2021 13:17:46 +0000 -Subject: [PATCH] update runc binary to v1.0.0-rc95 Signed-off-by: Akihiro Suda - (cherry picked from commit 599127f) - Signed-off-by: Akihiro Suda - ---- - script/setup/runc-version | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/script/setup/runc-version b/script/setup/runc-version -index fd84c98..ded5e1b 100644 ---- a/script/setup/runc-version -+++ b/script/setup/runc-version -@@ -1 +1 @@ --v1.0.0-rc94 -+v1.0.0-rc95 --- -2.30.2 - diff --git a/kubernetes/containerd/debian/patches/0004-Prepare-release-notes-for-v1.4.6.patch b/kubernetes/containerd/debian/patches/0004-Prepare-release-notes-for-v1.4.6.patch deleted file mode 100644 index 44c8202ef..000000000 --- a/kubernetes/containerd/debian/patches/0004-Prepare-release-notes-for-v1.4.6.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 3731fefcb230c11e50d18f21aabc2f8573a0f329 Mon Sep 17 00:00:00 2001 -From: Daniel Safta -Date: Tue, 19 Oct 2021 13:24:00 +0000 -Subject: [PATCH] Prepare release notes for v1.4.6 Signed-off-by: Derek McGowan - - ---- - releases/v1.4.6.toml | 15 +++++++++++++++ - 1 file changed, 15 insertions(+) - create mode 100644 releases/v1.4.6.toml - -diff --git a/releases/v1.4.6.toml b/releases/v1.4.6.toml -new file mode 100644 -index 0000000..6b88d07 ---- /dev/null -+++ b/releases/v1.4.6.toml -@@ -0,0 +1,15 @@ -+# commit to be tagged for new release -+commit = "HEAD" -+ -+project_name = "containerd" -+github_repo = "containerd/containerd" -+match_deps = "^github.com/(containerd/[a-zA-Z0-9-]+)$" -+ -+# previous release -+previous = "v1.4.5" -+ -+pre_release = false -+ -+preface = """\ -+The sixth patch release for containerd 1.4 is a security release to update -+runc for [CVE-2021-30465](https://github.com/opencontainers/runc/security/advisories/GHSA-c3xm-pvg7-gh7r)""" --- -2.30.2 - diff --git a/kubernetes/containerd/debian/patches/0005-Update-v1.4.6-version.patch b/kubernetes/containerd/debian/patches/0005-Update-v1.4.6-version.patch deleted file mode 100644 index c319a2719..000000000 --- a/kubernetes/containerd/debian/patches/0005-Update-v1.4.6-version.patch +++ /dev/null @@ -1,26 +0,0 @@ -From d676fb16812f068009bf23bbe68dcb24e60d3e14 Mon Sep 17 00:00:00 2001 -From: Daniel Safta -Date: Tue, 19 Oct 2021 13:25:38 +0000 -Subject: [PATCH] Update v1.4.6 version Signed-off-by: Derek McGowan - - ---- - version/version.go | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/version/version.go b/version/version.go -index b4d3a5f..05bde28 100644 ---- a/version/version.go -+++ b/version/version.go -@@ -23,7 +23,7 @@ var ( - Package = "github.com/containerd/containerd" - - // Version holds the complete version number. Filled in at linking time. -- Version = "1.4.5+unknown" -+ Version = "1.4.6+unknown" - - // Revision is filled with the VCS (e.g. git) revision being used to build - // the program at linking time. --- -2.30.2 - diff --git a/kubernetes/containerd/debian/patches/series b/kubernetes/containerd/debian/patches/series index 347c98455..314d322be 100644 --- a/kubernetes/containerd/debian/patches/series +++ b/kubernetes/containerd/debian/patches/series @@ -1,5 +1,2 @@ -0001-add_build_flags.patch -0002-fix_errorcode.patch -0003-update-runc-binary-to-v1.0.0-rc95.patch -0004-Prepare-release-notes-for-v1.4.6.patch -0005-Update-v1.4.6-version.patch +0001-revert-to-v1.4.11.patch +0002-customize-containerd-for-StarlingX.patch