From 7c9aac5b8f80dc973ab8b3336499d4133a664ba0 Mon Sep 17 00:00:00 2001 From: Kaustubh Dhokte Date: Wed, 2 Mar 2022 09:14:20 +0000 Subject: [PATCH] Debian: containerd upversion to 1.4.11 To align with k8s 1.21.8 to 1.23.1, Upgrade containerd from 1.4.6 to 1.4.11 Note: The change pulls containerd v1.4.12 debian source package from debian salsa. The patch 0001-revert-to-v1.4.11.patch reverts commits between version v1.4.11 and v1.4.12. Note that the patch has no conflicts with any of the other patches in debian source package. So it is safe to apply it after they get applied. Also, it is not a strict requirement to use 1.4.11 over 1.4.12. This is just to keep in-sync with the CentOS version of StarlingX. Test Plan: containerd package builds successfully All packages build successfully Image builds successfully Story: 2009845 Task: 44456 
Signed-off-by: Kaustubh Dhokte Change-Id: I25a15a8cac1b324411b74b9f772978270d48a664 --- kubernetes/containerd/debian/meta_data.yaml | 10 +- .../debian/patches/0001-add_build_flags.patch | 35 -- .../patches/0001-revert-to-v1.4.11.patch | 590 ++++++++++++++++++ ...2-customize-containerd-for-StarlingX.patch | 55 ++ .../debian/patches/0002-fix_errorcode.patch | 28 - ...03-update-runc-binary-to-v1.0.0-rc95.patch | 21 - ...004-Prepare-release-notes-for-v1.4.6.patch | 35 -- .../patches/0005-Update-v1.4.6-version.patch | 26 - kubernetes/containerd/debian/patches/series | 7 +- 9 files changed, 652 insertions(+), 155 deletions(-) delete mode 100644 kubernetes/containerd/debian/patches/0001-add_build_flags.patch create mode 100644 kubernetes/containerd/debian/patches/0001-revert-to-v1.4.11.patch create mode 100644 kubernetes/containerd/debian/patches/0002-customize-containerd-for-StarlingX.patch delete mode 100644 kubernetes/containerd/debian/patches/0002-fix_errorcode.patch delete mode 100644 kubernetes/containerd/debian/patches/0003-update-runc-binary-to-v1.0.0-rc95.patch delete mode 100644 kubernetes/containerd/debian/patches/0004-Prepare-release-notes-for-v1.4.6.patch delete mode 100644 kubernetes/containerd/debian/patches/0005-Update-v1.4.6-version.patch diff --git a/kubernetes/containerd/debian/meta_data.yaml b/kubernetes/containerd/debian/meta_data.yaml index c0e75ff9a..c28a26bab 100644 --- a/kubernetes/containerd/debian/meta_data.yaml +++ b/kubernetes/containerd/debian/meta_data.yaml 
@@ -1,11 +1,11 @@ --- debname: containerd -debver: 1.4.5~ds1-2 +debver: 1.4.12~ds1-1 dl_path: - name: containerd-debian-1.4.5_ds1-2.tar.gz - url: https://salsa.debian.org/go-team/packages/containerd/-/archive/debian/1.4.5_ds1-2/containerd-debian-1.4.5_ds1-2.tar.gz - md5sum: 4c88399bd3aa387b8640d721743d62cf - sha256sum: 13c5b83c28880f0e42eff19ab17522a33b6d6e5c5f507dba152a802ebeb69414 + name: containerd-debian-1.4.12_ds1-1.tar.gz + url: https://salsa.debian.org/go-team/packages/containerd/-/archive/debian/1.4.12_ds1-1_deb11u1/containerd-debian-1.4.12_ds1-1_deb11u1.tar.gz + md5sum: 12565b0d12ce878b6315f049e48113cd + sha256sum: 00199134fed422a3a8041d7a9f8dd782811e7792ee2e7c298351f026c04b99db revision: dist: $STX_DIST PKG_GITREVCOUNT: true diff --git a/kubernetes/containerd/debian/patches/0001-add_build_flags.patch b/kubernetes/containerd/debian/patches/0001-add_build_flags.patch deleted file mode 100644 index e5b974d87..000000000 --- a/kubernetes/containerd/debian/patches/0001-add_build_flags.patch +++ /dev/null 
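Review bot: `debver: 1.4.12~ds1-1` labels the package as 1.4.12, but the series in this commit applies 0001-revert-to-v1.4.11.patch, which sets `Version = "1.4.11+unknown"` and backs out the 1.4.12 code changes. Inventory and vulnerability scanning that key on the Debian package version will therefore likely report a release whose fixes are not in the binary. A comment beside debver would make this visible, for example `# upstream code is reverted to v1.4.11 by patches/0001-revert-to-v1.4.11.patch`. The `name` field also omits the `_deb11u1` suffix that the `url` downloads; if that is deliberate, it is worth saying so next to the checksums.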
@@ -1,35 +0,0 @@ -From 5625d5ed827cf3983f55d462a75b4ffcd9e7cf25 Mon Sep 17 00:00:00 2001 -From: Daniel Safta -Date: Fri, 8 Oct 2021 13:21:26 +0300 -Subject: [PATCH] add build flags -1. disable btrfs to avoid needing to pull in the devel package -2. hardcode version info due to miss git info in tarball. ---- - Makefile | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/Makefile b/Makefile -index c0fecb9..8b7b1a5 100644 ---- a/Makefile -+++ b/Makefile -@@ -20,7 +20,8 @@ ROOTDIR=$(dir $(abspath $(lastword $(MAKEFILE_LIST)))) - DESTDIR ?= /usr/local - - # Used to populate variables in version package. --VERSION=$(shell git describe --match 'v[0-9]*' --dirty='.m' --always) -+# VERSION=$(shell git describe --match 'v[0-9]*' --dirty='.m' --always) -+VERSION=v1.4.6 - REVISION=$(shell git rev-parse HEAD)$(shell if ! git diff --no-ext-diff --quiet --exit-code; then echo .m; fi) - PACKAGE=github.com/containerd/containerd - SHIM_CGO_ENABLED ?= 0 -@@ -78,6 +79,7 @@ endif - # Build tags apparmor and selinux are needed by CRI plugin. - GO_BUILDTAGS ?= apparmor selinux - GO_BUILDTAGS += ${DEBUG_TAGS} -+GO_BUILDTAGS += no_btrfs - GO_TAGS=$(if $(GO_BUILDTAGS),-tags "$(GO_BUILDTAGS)",) - GO_LDFLAGS=-ldflags '-X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -X $(PKG)/version.Package=$(PACKAGE) $(EXTRA_LDFLAGS)' - SHIM_GO_LDFLAGS=-ldflags '-X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -X $(PKG)/version.Package=$(PACKAGE) -extldflags "-static" $(EXTRA_LDFLAGS)' --- -2.17.1 - diff --git a/kubernetes/containerd/debian/patches/0001-revert-to-v1.4.11.patch b/kubernetes/containerd/debian/patches/0001-revert-to-v1.4.11.patch new file mode 100644 index 000000000..3a0c05baf --- /dev/null +++ b/kubernetes/containerd/debian/patches/0001-revert-to-v1.4.11.patch 
@@ -0,0 +1,590 @@ +From 2c7e958673c945279f8e30d1ad162c460b9c0926 Mon Sep 17 00:00:00 2001 +From: Kaustubh Dhokte +Date: Thu, 24 Mar 2022 14:52:27 -0400 +Subject: [PATCH] revert to v1.4.11 + +Signed-off-by: Kaustubh Dhokte +--- + .github/workflows/ci.yml | 12 +- + .github/workflows/nightly.yml | 4 +- + .github/workflows/release.yml | 2 +- + .travis.yml | 2 +- + .zuul/playbooks/containerd-build/run.yaml | 2 +- + Vagrantfile | 2 +- + contrib/Dockerfile.test | 2 +- + images/image.go | 55 -------- + images/image_test.go | 150 ---------------------- + releases/v1.4.12.toml | 23 ---- + remotes/docker/fetcher.go | 4 - + remotes/docker/resolver.go | 35 ++--- + remotes/docker/schema1/converter.go | 9 +- + version/version.go | 2 +- + 14 files changed, 28 insertions(+), 276 deletions(-) + delete mode 100644 images/image_test.go + delete mode 100644 releases/v1.4.12.toml + +diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml +index 8f7a3a7a6..4ee47e5d1 100644 +--- a/.github/workflows/ci.yml ++++ b/.github/workflows/ci.yml +@@ -26,7 +26,7 @@ jobs: + - name: Install Go + uses: actions/setup-go@v2 + with: +- go-version: '1.16.10' ++ go-version: '1.16.8' + + - name: Set env + shell: bash +@@ -82,7 +82,7 @@ jobs: + steps: + - uses: actions/setup-go@v2 + with: +- go-version: '1.16.10' ++ go-version: '1.16.8' + + - name: Set env + shell: bash +@@ -128,7 +128,7 @@ jobs: + steps: + - uses: actions/setup-go@v2 + with: +- go-version: '1.16.10' ++ go-version: '1.16.8' + + - name: Set env + shell: bash +@@ -166,7 +166,7 @@ jobs: + steps: + - uses: actions/setup-go@v2 + with: +- go-version: '1.16.10' ++ go-version: '1.16.8' + + - name: Set env + shell: bash +@@ -199,7 +199,7 @@ jobs: + steps: + - uses: actions/setup-go@v2 + with: +- go-version: '1.16.10' ++ go-version: '1.16.8' + + - name: Set env + shell: bash +@@ -285,7 +285,7 @@ jobs: + steps: + - uses: actions/setup-go@v2 + with: +- go-version: '1.16.10' ++ go-version: '1.16.8' + + - name: Set env + shell: bash +diff --git 
a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml +index b050bbf18..1cb92a34b 100644 +--- a/.github/workflows/nightly.yml ++++ b/.github/workflows/nightly.yml +@@ -14,7 +14,7 @@ jobs: + steps: + - uses: actions/setup-go@v2 + with: +- go-version: '1.16.10' ++ go-version: '1.16.8' + + - name: Checkout + uses: actions/checkout@v1 +@@ -138,7 +138,7 @@ jobs: + steps: + - uses: actions/setup-go@v2 + with: +- go-version: '1.16.10' ++ go-version: '1.16.8' + + - name: Checkout + uses: actions/checkout@v1 +diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml +index d9e5a3eab..ec9971a4a 100644 +--- a/.github/workflows/release.yml ++++ b/.github/workflows/release.yml +@@ -62,7 +62,7 @@ jobs: + - name: Install Go + uses: actions/setup-go@v2 + with: +- go-version: '1.16.10' ++ go-version: '1.16.8' + + - name: Set env + shell: bash +diff --git a/.travis.yml b/.travis.yml +index 8314c796b..1726cf6d5 100644 +--- a/.travis.yml ++++ b/.travis.yml +@@ -15,7 +15,7 @@ os: + - linux + + go: +- - "1.16.10" ++ - "1.16.8" + + env: + - TRAVIS_GOOS=linux TEST_RUNTIME=io.containerd.runc.v1 TRAVIS_CGO_ENABLED=1 TRAVIS_DISTRO=bionic GOPROXY=direct +diff --git a/.zuul/playbooks/containerd-build/run.yaml b/.zuul/playbooks/containerd-build/run.yaml +index c3ebc7eae..815b4ec62 100644 +--- a/.zuul/playbooks/containerd-build/run.yaml ++++ b/.zuul/playbooks/containerd-build/run.yaml +@@ -2,7 +2,7 @@ + become: yes + roles: + - role: config-golang +- go_version: '1.16.10' ++ go_version: '1.16.8' + arch: arm64 + tasks: + - name: Build containerd +diff --git a/Vagrantfile b/Vagrantfile +index b31dfaa34..d1f30c559 100644 +--- a/Vagrantfile ++++ b/Vagrantfile +@@ -77,7 +77,7 @@ Vagrant.configure("2") do |config| + config.vm.provision "install-golang", type: "shell", run: "once" do |sh| + sh.upload_path = "/tmp/vagrant-install-golang" + sh.env = { +- 'GO_VERSION': ENV['GO_VERSION'] || "1.16.10", ++ 'GO_VERSION': ENV['GO_VERSION'] || "1.16.8", + } + sh.inline = <<~SHELL + 
#!/usr/bin/env bash +diff --git a/contrib/Dockerfile.test b/contrib/Dockerfile.test +index 020008ceb..875c457f0 100644 +--- a/contrib/Dockerfile.test ++++ b/contrib/Dockerfile.test +@@ -10,7 +10,7 @@ + # + # docker build -t containerd-test --build-arg RUNC_VERSION=v1.0.0-rc93 -f Dockerfile.test ../ + +-ARG GOLANG_VERSION=1.16.10 ++ARG GOLANG_VERSION=1.16.8 + + FROM golang:${GOLANG_VERSION} AS golang-base + RUN mkdir -p /go/src/github.com/containerd/containerd +diff --git a/images/image.go b/images/image.go +index 2e42ca09a..1868ee88d 100644 +--- a/images/image.go ++++ b/images/image.go +@@ -19,7 +19,6 @@ package images + import ( + "context" + "encoding/json" +- "fmt" + "sort" + "time" + +@@ -155,10 +154,6 @@ func Manifest(ctx context.Context, provider content.Provider, image ocispec.Desc + return nil, err + } + +- if err := validateMediaType(p, desc.MediaType); err != nil { +- return nil, errors.Wrapf(err, "manifest: invalid desc %s", desc.Digest) +- } +- + var manifest ocispec.Manifest + if err := json.Unmarshal(p, &manifest); err != nil { + return nil, err +@@ -199,10 +194,6 @@ func Manifest(ctx context.Context, provider content.Provider, image ocispec.Desc + return nil, err + } + +- if err := validateMediaType(p, desc.MediaType); err != nil { +- return nil, errors.Wrapf(err, "manifest: invalid desc %s", desc.Digest) +- } +- + var idx ocispec.Index + if err := json.Unmarshal(p, &idx); err != nil { + return nil, err +@@ -345,10 +336,6 @@ func Children(ctx context.Context, provider content.Provider, desc ocispec.Descr + return nil, err + } + +- if err := validateMediaType(p, desc.MediaType); err != nil { +- return nil, errors.Wrapf(err, "children: invalid desc %s", desc.Digest) +- } +- + // TODO(stevvooe): We just assume oci manifest, for now. There may be + // subtle differences from the docker version. 
+ var manifest ocispec.Manifest +@@ -364,10 +351,6 @@ func Children(ctx context.Context, provider content.Provider, desc ocispec.Descr + return nil, err + } + +- if err := validateMediaType(p, desc.MediaType); err != nil { +- return nil, errors.Wrapf(err, "children: invalid desc %s", desc.Digest) +- } +- + var index ocispec.Index + if err := json.Unmarshal(p, &index); err != nil { + return nil, err +@@ -385,44 +368,6 @@ func Children(ctx context.Context, provider content.Provider, desc ocispec.Descr + return descs, nil + } + +-// unknownDocument represents a manifest, manifest list, or index that has not +-// yet been validated. +-type unknownDocument struct { +- MediaType string `json:"mediaType,omitempty"` +- Config json.RawMessage `json:"config,omitempty"` +- Layers json.RawMessage `json:"layers,omitempty"` +- Manifests json.RawMessage `json:"manifests,omitempty"` +- FSLayers json.RawMessage `json:"fsLayers,omitempty"` // schema 1 +-} +- +-// validateMediaType returns an error if the byte slice is invalid JSON or if +-// the media type identifies the blob as one format but it contains elements of +-// another format. 
+-func validateMediaType(b []byte, mt string) error { +- var doc unknownDocument +- if err := json.Unmarshal(b, &doc); err != nil { +- return err +- } +- if len(doc.FSLayers) != 0 { +- return fmt.Errorf("media-type: schema 1 not supported") +- } +- switch mt { +- case MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest: +- if len(doc.Manifests) != 0 || +- doc.MediaType == MediaTypeDockerSchema2ManifestList || +- doc.MediaType == ocispec.MediaTypeImageIndex { +- return fmt.Errorf("media-type: expected manifest but found index (%s)", mt) +- } +- case MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex: +- if len(doc.Config) != 0 || len(doc.Layers) != 0 || +- doc.MediaType == MediaTypeDockerSchema2Manifest || +- doc.MediaType == ocispec.MediaTypeImageManifest { +- return fmt.Errorf("media-type: expected index but found manifest (%s)", mt) +- } +- } +- return nil +-} +- + // RootFS returns the unpacked diffids that make up and images rootfs. + // + // These are used to verify that a set of layers unpacked to the expected +diff --git a/images/image_test.go b/images/image_test.go +deleted file mode 100644 +index 3e88e5076..000000000 +--- a/images/image_test.go ++++ /dev/null +@@ -1,150 +0,0 @@ +-/* +- Copyright The containerd Authors. +- +- Licensed under the Apache License, Version 2.0 (the "License"); +- you may not use this file except in compliance with the License. +- You may obtain a copy of the License at +- +- http://www.apache.org/licenses/LICENSE-2.0 +- +- Unless required by applicable law or agreed to in writing, software +- distributed under the License is distributed on an "AS IS" BASIS, +- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +- See the License for the specific language governing permissions and +- limitations under the License. 
+-*/ +- +-package images +- +-import ( +- "encoding/json" +- "testing" +- +- ocispec "github.com/opencontainers/image-spec/specs-go/v1" +-) +- +-func TestValidateMediaType(t *testing.T) { +- docTests := []struct { +- mt string +- index bool +- }{ +- {MediaTypeDockerSchema2Manifest, false}, +- {ocispec.MediaTypeImageManifest, false}, +- {MediaTypeDockerSchema2ManifestList, true}, +- {ocispec.MediaTypeImageIndex, true}, +- } +- for _, tc := range docTests { +- t.Run("manifest-"+tc.mt, func(t *testing.T) { +- manifest := ocispec.Manifest{ +- Config: ocispec.Descriptor{Size: 1}, +- Layers: []ocispec.Descriptor{{Size: 2}}, +- } +- b, err := json.Marshal(manifest) +- if err != nil { +- t.Fatal("failed to marshal manifest", err) +- } +- +- err = validateMediaType(b, tc.mt) +- if tc.index { +- if err == nil { +- t.Error("manifest should not be a valid index") +- } +- } else { +- if err != nil { +- t.Error("manifest should be valid") +- } +- } +- }) +- t.Run("index-"+tc.mt, func(t *testing.T) { +- index := ocispec.Index{ +- Manifests: []ocispec.Descriptor{{Size: 1}}, +- } +- b, err := json.Marshal(index) +- if err != nil { +- t.Fatal("failed to marshal index", err) +- } +- +- err = validateMediaType(b, tc.mt) +- if tc.index { +- if err != nil { +- t.Error("index should be valid") +- } +- } else { +- if err == nil { +- t.Error("index should not be a valid manifest") +- } +- } +- }) +- } +- +- mtTests := []struct { +- mt string +- valid []string +- invalid []string +- }{{ +- MediaTypeDockerSchema2Manifest, +- []string{MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest}, +- []string{MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex}, +- }, { +- ocispec.MediaTypeImageManifest, +- []string{MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest}, +- []string{MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex}, +- }, { +- MediaTypeDockerSchema2ManifestList, +- []string{MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex}, 
+- []string{MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest}, +- }, { +- ocispec.MediaTypeImageIndex, +- []string{MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex}, +- []string{MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest}, +- }} +- for _, tc := range mtTests { +- for _, v := range tc.valid { +- t.Run("valid-"+tc.mt+"-"+v, func(t *testing.T) { +- doc := struct { +- MediaType string `json:"mediaType"` +- }{MediaType: v} +- b, err := json.Marshal(doc) +- if err != nil { +- t.Fatal("failed to marshal document", err) +- } +- +- err = validateMediaType(b, tc.mt) +- if err != nil { +- t.Error("document should be valid", err) +- } +- }) +- } +- for _, iv := range tc.invalid { +- t.Run("invalid-"+tc.mt+"-"+iv, func(t *testing.T) { +- doc := struct { +- MediaType string `json:"mediaType"` +- }{MediaType: iv} +- b, err := json.Marshal(doc) +- if err != nil { +- t.Fatal("failed to marshal document", err) +- } +- +- err = validateMediaType(b, tc.mt) +- if err == nil { +- t.Error("document should not be valid") +- } +- }) +- } +- } +- t.Run("schema1", func(t *testing.T) { +- doc := struct { +- FSLayers []string `json:"fsLayers"` +- }{FSLayers: []string{"1"}} +- b, err := json.Marshal(doc) +- if err != nil { +- t.Fatal("failed to marshal document", err) +- } +- +- err = validateMediaType(b, "") +- if err == nil { +- t.Error("document should not be valid") +- } +- +- }) +-} +diff --git a/releases/v1.4.12.toml b/releases/v1.4.12.toml +deleted file mode 100644 +index 072d6959a..000000000 +--- a/releases/v1.4.12.toml ++++ /dev/null +@@ -1,23 +0,0 @@ +-# commit to be tagged for new release +-commit = "HEAD" +- +-project_name = "containerd" +-github_repo = "containerd/containerd" +-match_deps = "^github.com/(containerd/[a-zA-Z0-9-]+)$" +- +-# previous release +-previous = "v1.4.11" +- +-pre_release = false +- +-preface = """\ +-The twelfth patch release for containerd 1.4 contains a few minor bug fixes +-and an update to mitigate 
[CVE-2021-41190](https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m). +- +-### Notable Updates +- +-* **Handle ambiguous OCI manifest parsing** ([GHSA-5j5w-g665-5m35](https://github.com/containerd/containerd/security/advisories/GHSA-5j5w-g665-5m35)) +-* **Update pull to try next mirror for non-404 errors** ([#5275](https://github.com/containerd/containerd/pull/5275)) +-* **Update pull to handle of non-https urls in descriptors** ([#6221](https://github.com/containerd/containerd/pull/6221)) +- +-See the changelog for complete list of changes""" +diff --git a/remotes/docker/fetcher.go b/remotes/docker/fetcher.go +index 4b2c10e9a..5796fbf4a 100644 +--- a/remotes/docker/fetcher.go ++++ b/remotes/docker/fetcher.go +@@ -60,10 +60,6 @@ func (r dockerFetcher) Fetch(ctx context.Context, desc ocispec.Descriptor) (io.R + log.G(ctx).WithError(err).Debug("failed to parse") + continue + } +- if u.Scheme != "http" && u.Scheme != "https" { +- log.G(ctx).Debug("non-http(s) alternative url is unsupported") +- continue +- } + log.G(ctx).Debug("trying alternative url") + + // Try this first, parse it +diff --git a/remotes/docker/resolver.go b/remotes/docker/resolver.go +index d6ccd7072..06b08dee8 100644 +--- a/remotes/docker/resolver.go ++++ b/remotes/docker/resolver.go +@@ -229,10 +229,10 @@ func (r *dockerResolver) Resolve(ctx context.Context, ref string) (string, ocisp + } + + var ( +- firstErr error +- paths [][]string +- dgst = refspec.Digest() +- caps = HostCapabilityPull ++ lastErr error ++ paths [][]string ++ dgst = refspec.Digest() ++ caps = HostCapabilityPull + ) + + if dgst != "" { +@@ -283,8 +283,8 @@ func (r *dockerResolver) Resolve(ctx context.Context, ref string) (string, ocisp + err = errors.Wrapf(err, "pull access denied, repository does not exist or may require authorization") + } + // Store the error for referencing later +- if firstErr == nil { +- firstErr = err ++ if lastErr == nil { ++ lastErr = err + } + continue // try 
another host + } +@@ -294,14 +294,7 @@ func (r *dockerResolver) Resolve(ctx context.Context, ref string) (string, ocisp + if resp.StatusCode == http.StatusNotFound { + continue + } +- if resp.StatusCode > 399 { +- // Set firstErr when encountering the first non-404 status code. +- if firstErr == nil { +- firstErr = errors.Errorf("pulling from host %s failed with status code %v: %v", host.Host, u, resp.Status) +- } +- continue // try another host +- } +- return "", ocispec.Descriptor{}, errors.Errorf("pulling from host %s failed with unexpected status code %v: %v", host.Host, u, resp.Status) ++ return "", ocispec.Descriptor{}, errors.Errorf("unexpected status code %v: %v", u, resp.Status) + } + size := resp.ContentLength + contentType := getManifestMediaType(resp) +@@ -364,8 +357,8 @@ func (r *dockerResolver) Resolve(ctx context.Context, ref string) (string, ocisp + } + // Prevent resolving to excessively large manifests + if size > MaxManifestSize { +- if firstErr == nil { +- firstErr = errors.Wrapf(errdefs.ErrNotFound, "rejecting %d byte manifest for %s", size, ref) ++ if lastErr == nil { ++ lastErr = errors.Wrapf(errdefs.ErrNotFound, "rejecting %d byte manifest for %s", size, ref) + } + continue + } +@@ -381,15 +374,11 @@ func (r *dockerResolver) Resolve(ctx context.Context, ref string) (string, ocisp + } + } + +- // If above loop terminates without return, then there was an error. +- // "firstErr" contains the first non-404 error. That is, "firstErr == nil" +- // means that either no registries were given or each registry returned 404. 
+- +- if firstErr == nil { +- firstErr = errors.Wrap(errdefs.ErrNotFound, ref) ++ if lastErr == nil { ++ lastErr = errors.Wrap(errdefs.ErrNotFound, ref) + } + +- return "", ocispec.Descriptor{}, firstErr ++ return "", ocispec.Descriptor{}, lastErr + } + + func (r *dockerResolver) Fetcher(ctx context.Context, ref string) (remotes.Fetcher, error) { +diff --git a/remotes/docker/schema1/converter.go b/remotes/docker/schema1/converter.go +index f15a9acf3..8314c01d5 100644 +--- a/remotes/docker/schema1/converter.go ++++ b/remotes/docker/schema1/converter.go +@@ -256,9 +256,6 @@ func (c *Converter) fetchManifest(ctx context.Context, desc ocispec.Descriptor) + if err := json.Unmarshal(b, &m); err != nil { + return err + } +- if len(m.Manifests) != 0 || len(m.Layers) != 0 { +- return errors.New("converter: expected schema1 document but found extra keys") +- } + c.pulledManifest = &m + + return nil +@@ -475,10 +472,8 @@ type history struct { + } + + type manifest struct { +- FSLayers []fsLayer `json:"fsLayers"` +- History []history `json:"history"` +- Layers json.RawMessage `json:"layers,omitempty"` // OCI manifest +- Manifests json.RawMessage `json:"manifests,omitempty"` // OCI index ++ FSLayers []fsLayer `json:"fsLayers"` ++ History []history `json:"history"` + } + + type v1History struct { +diff --git a/version/version.go b/version/version.go +index dab4a1656..77f581f7c 100644 +--- a/version/version.go ++++ b/version/version.go +@@ -23,7 +23,7 @@ var ( + Package = "github.com/containerd/containerd" + + // Version holds the complete version number. Filled in at linking time. +- Version = "1.4.12+unknown" ++ Version = "1.4.11+unknown" + + // Revision is filled with the VCS (e.g. git) revision being used to build + // the program at linking time. +-- +2.25.1 + 
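Review bot: The images/image.go, remotes/docker/fetcher.go and remotes/docker/schema1/converter.go sections of this revert remove input checks on registry-supplied data, not just version metadata. They drop every `validateMediaType` call in `Manifest` and `Children`, the `u.Scheme != "http" && u.Scheme != "https"` filter on alternative descriptor URLs, and the schema1 rejection of documents that carry `layers` or `manifests` keys. The release notes deleted in the same patch tie the manifest checks to CVE-2021-41190 (GHSA-5j5w-g665-5m35), and the commit message says 1.4.11 is not a strict requirement, so the packaged runtime would again accept ambiguous manifests from whatever registry it pulls from. I would drop those three file sections and the images/image_test.go deletion from the revert, keeping only the version string and CI changes. Otherwise, record the accepted risk in the patch header with a line such as `Reverts the CVE-2021-41190 mitigation; tracked in <tracking-item placeholder>`.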
diff --git a/kubernetes/containerd/debian/patches/0002-customize-containerd-for-StarlingX.patch b/kubernetes/containerd/debian/patches/0002-customize-containerd-for-StarlingX.patch new file mode 100644 index 000000000..01ebf51c7 --- /dev/null +++ b/kubernetes/containerd/debian/patches/0002-customize-containerd-for-StarlingX.patch 
@@ -0,0 +1,55 @@ +From eeb59bb893f5f5ce6d7b9ec170ec67203f71478d Mon Sep 17 00:00:00 2001 +From: Kaustubh Dhokte +Date: Tue, 1 Mar 2022 20:43:42 -0500 +Subject: [PATCH] customize containerd for StarlingX + +1. disable btrfs to avoid needing to pull in the devel package +2. docker registry in StarlingX 3.0 branch doesn't support POST method +for token and will return 400. Switch to GET method to get token if +StatusCode is 400. +3. hardcode version info due to miss git info in tarball. + +Signed-off-by: Kaustubh Dhokte +--- + Makefile | 3 ++- + remotes/docker/authorizer.go | 3 ++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/Makefile b/Makefile +index c0fecb9a6..d8cef89d5 100644 +--- a/Makefile ++++ b/Makefile +@@ -20,7 +20,7 @@ ROOTDIR=$(dir $(abspath $(lastword $(MAKEFILE_LIST)))) + DESTDIR ?= /usr/local + + # Used to populate variables in version package. +-VERSION=$(shell git describe --match 'v[0-9]*' --dirty='.m' --always) ++VERSION=v1.4.11 + REVISION=$(shell git rev-parse HEAD)$(shell if ! git diff --no-ext-diff --quiet --exit-code; then echo .m; fi) + PACKAGE=github.com/containerd/containerd + SHIM_CGO_ENABLED ?= 0 +@@ -78,6 +78,7 @@ endif + # Build tags apparmor and selinux are needed by CRI plugin. 
+ GO_BUILDTAGS ?= apparmor selinux + GO_BUILDTAGS += ${DEBUG_TAGS} ++GO_BUILDTAGS += no_btrfs + GO_TAGS=$(if $(GO_BUILDTAGS),-tags "$(GO_BUILDTAGS)",) + GO_LDFLAGS=-ldflags '-X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -X $(PKG)/version.Package=$(PACKAGE) $(EXTRA_LDFLAGS)' + SHIM_GO_LDFLAGS=-ldflags '-X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -X $(PKG)/version.Package=$(PACKAGE) -extldflags "-static" $(EXTRA_LDFLAGS)' +diff --git a/remotes/docker/authorizer.go b/remotes/docker/authorizer.go +index 67e4aea8d..bacaa502d 100644 +--- a/remotes/docker/authorizer.go ++++ b/remotes/docker/authorizer.go +@@ -284,7 +284,8 @@ func (ah *authHandler) doBearerAuth(ctx context.Context) (token string, err erro + // Registries without support for POST may return 404 for POST /v2/token. + // As of September 2017, GCR is known to return 404. + // As of February 2018, JFrog Artifactory is known to return 401. +- if (errStatus.StatusCode == 405 && to.Username != "") || errStatus.StatusCode == 404 || errStatus.StatusCode == 401 { ++ // Registry in StarlingX 6.0 returns 400 for POST /v2/token. Should check if still applicable. ++ if (errStatus.StatusCode == 405 && to.Username != "") || errStatus.StatusCode == 404 || errStatus.StatusCode == 401 || errStatus.StatusCode == 400 { + resp, err := auth.FetchToken(ctx, ah.client, ah.header, to) + if err != nil { + return "", err +-- +2.25.1 + diff --git a/kubernetes/containerd/debian/patches/0002-fix_errorcode.patch b/kubernetes/containerd/debian/patches/0002-fix_errorcode.patch deleted file mode 100644 index 66ca7aba2..000000000 --- a/kubernetes/containerd/debian/patches/0002-fix_errorcode.patch +++ /dev/null 
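Review bot: The added `errStatus.StatusCode == 400` arm in doBearerAuth falls back to `auth.FetchToken` on any Bad Request from the token endpoint, so a POST rejected for a genuine reason is retried over GET rather than reported; unlike the 405 arm, it is not limited by `to.Username != ""`. The new code comment names StarlingX 6.0 while the patch description names the StarlingX 3.0 branch, and "Should check if still applicable" gives no owner or exit condition. I would make the comment state one release and an exit condition, e.g. `// StarlingX registry (release <placeholder>) answers POST /v2/token with 400; remove this arm once it accepts POST.` The function body starts and ends outside the hunk.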
@@ -1,28 +0,0 @@ -From 7bdbc31f47a801dc9215163ae5cd84581f1d83e2 Mon Sep 17 00:00:00 2001 -From: Daniel Safta -Date: Mon, 11 Oct 2021 12:13:15 +0300 -Subject: [PATCH] fix errorcode -docker registry in StarlingX 3.0 branch doesn't support POST method -for token and will return 400. Switch to GET method to get token if -StatusCode is 400. - ---- - remotes/docker/authorizer.go | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/remotes/docker/authorizer.go b/remotes/docker/authorizer.go -index 67e4aea..c06b222 100644 ---- a/remotes/docker/authorizer.go -+++ b/remotes/docker/authorizer.go -@@ -284,7 +284,7 @@ func (ah *authHandler) doBearerAuth(ctx context.Context) (token string, err erro - // Registries without support for POST may return 404 for POST /v2/token. - // As of September 2017, GCR is known to return 404. - // As of February 2018, JFrog Artifactory is known to return 401. -- if (errStatus.StatusCode == 405 && to.Username != "") || errStatus.StatusCode == 404 || errStatus.StatusCode == 401 { -+ if (errStatus.StatusCode == 405 && to.Username != "") || errStatus.StatusCode == 404 || errStatus.StatusCode == 401 || errStatus.StatusCode == 400 { - resp, err := auth.FetchToken(ctx, ah.client, ah.header, to) - if err != nil { - return "", err --- -2.17.1 - diff --git a/kubernetes/containerd/debian/patches/0003-update-runc-binary-to-v1.0.0-rc95.patch b/kubernetes/containerd/debian/patches/0003-update-runc-binary-to-v1.0.0-rc95.patch deleted file mode 100644 index 91e64c171..000000000 --- a/kubernetes/containerd/debian/patches/0003-update-runc-binary-to-v1.0.0-rc95.patch +++ /dev/null @@ -1,21 +0,0 @@ -From 5ab8e65d580831184f6c10b40e479da9ce0e8b67 Mon Sep 17 00:00:00 2001 -From: Daniel Safta -Date: Tue, 19 Oct 2021 13:17:46 +0000 -Subject: [PATCH] update runc binary to v1.0.0-rc95 Signed-off-by: Akihiro Suda - (cherry picked from commit 599127f) - 
Signed-off-by: Akihiro Suda - ---- - script/setup/runc-version | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/script/setup/runc-version b/script/setup/runc-version -index fd84c98..ded5e1b 100644 ---- a/script/setup/runc-version -+++ b/script/setup/runc-version -@@ -1 +1 @@ --v1.0.0-rc94 -+v1.0.0-rc95 --- -2.30.2 - diff --git a/kubernetes/containerd/debian/patches/0004-Prepare-release-notes-for-v1.4.6.patch b/kubernetes/containerd/debian/patches/0004-Prepare-release-notes-for-v1.4.6.patch deleted file mode 100644 index 44c8202ef..000000000 --- a/kubernetes/containerd/debian/patches/0004-Prepare-release-notes-for-v1.4.6.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 3731fefcb230c11e50d18f21aabc2f8573a0f329 Mon Sep 17 00:00:00 2001 -From: Daniel Safta -Date: Tue, 19 Oct 2021 13:24:00 +0000 -Subject: [PATCH] Prepare release notes for v1.4.6 Signed-off-by: Derek McGowan - - ---- - releases/v1.4.6.toml | 15 +++++++++++++++ - 1 file changed, 15 insertions(+) - create mode 100644 releases/v1.4.6.toml - -diff --git a/releases/v1.4.6.toml b/releases/v1.4.6.toml -new file mode 100644 -index 0000000..6b88d07 ---- /dev/null -+++ b/releases/v1.4.6.toml -@@ -0,0 +1,15 @@ -+# commit to be tagged for new release -+commit = "HEAD" -+ -+project_name = "containerd" -+github_repo = "containerd/containerd" -+match_deps = "^github.com/(containerd/[a-zA-Z0-9-]+)$" -+ -+# previous release -+previous = "v1.4.5" -+ -+pre_release = false -+ -+preface = """\ -+The sixth patch release for containerd 1.4 is a security release to update -+runc for [CVE-2021-30465](https://github.com/opencontainers/runc/security/advisories/GHSA-c3xm-pvg7-gh7r)""" --- -2.30.2 - diff --git a/kubernetes/containerd/debian/patches/0005-Update-v1.4.6-version.patch b/kubernetes/containerd/debian/patches/0005-Update-v1.4.6-version.patch deleted file mode 100644 index c319a2719..000000000 --- a/kubernetes/containerd/debian/patches/0005-Update-v1.4.6-version.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -From d676fb16812f068009bf23bbe68dcb24e60d3e14 Mon Sep 17 00:00:00 2001 -From: Daniel Safta -Date: Tue, 19 Oct 2021 13:25:38 +0000 -Subject: [PATCH] Update v1.4.6 version Signed-off-by: Derek McGowan - - ---- - version/version.go | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/version/version.go b/version/version.go -index b4d3a5f..05bde28 100644 ---- a/version/version.go -+++ b/version/version.go -@@ -23,7 +23,7 @@ var ( - Package = "github.com/containerd/containerd" - - // Version holds the complete version number. Filled in at linking time. -- Version = "1.4.5+unknown" -+ Version = "1.4.6+unknown" - - // Revision is filled with the VCS (e.g. git) revision being used to build - // the program at linking time. --- -2.30.2 - diff --git a/kubernetes/containerd/debian/patches/series b/kubernetes/containerd/debian/patches/series index 347c98455..314d322be 100644 --- a/kubernetes/containerd/debian/patches/series +++ b/kubernetes/containerd/debian/patches/series @@ -1,5 +1,2 @@ -0001-add_build_flags.patch -0002-fix_errorcode.patch -0003-update-runc-binary-to-v1.0.0-rc95.patch -0004-Prepare-release-notes-for-v1.4.6.patch -0005-Update-v1.4.6-version.patch +0001-revert-to-v1.4.11.patch +0002-customize-containerd-for-StarlingX.patch