starlingx/integ
Code Issues Proposed changes

Upgrade containerd to 1.6.21

Browse Source 
As documented at
https://kubernetes.io/blog/2022/12/09/kubernetes-v1-26-release K8s
1.26 will no longer support containerd 1.5 and lower.

Accordingly we are upgrading containerd to 1.6.21.

The Debian package for containerd 1.6 comes from "bookworm" and
would require us to bring in a newer glibc and newer python3, which
is not something we want to do at this point.

As a workaround, we are pulling in the prebuilt binaries from
the containerd github project, which work fine with our existing
packages.

It's not a compile-time dependency, but these Ansible changes are
needed to actually run K8s 1.26:
https://review.opendev.org/c/starlingx/ansible-playbooks/+/879356

Also, the debian packaging tools do not allow binaries to be installed
to /usr/local/sbin, so the script that was there previously has
been moved to /usr/sbin.  There is a corresponding change in the
containerd service file override that should be merged at the same
time:

https://review.opendev.org/c/starlingx/config-files/+/883214

Test Plan:
PASS Install AIO-SX with K8s 1.25 and upgrade to K8s 1.26.
PASS Install with K8s 1.26 on AIO-SX and ensure the system comes up
     normally.

Story: 2010368
Task: 46590

Change-Id: I9e7a0e28a1b153141ff17a88efa0626314a01c91
Signed-off-by: Chris Friesen <chris.friesen@windriver.com>
This commit is contained in:
Chris Friesen 2023-05-15 16:04:07 -04:00
parent 5e9b56a96d
commit 863c928d5c
18 changed files with 157 additions and 874 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
kubernetes/containerd/debian/README.txt Normal file
View File

@ -0,0 +1,26 @@
The containerd.service file and config.toml were pulled in
from the upstream Debian package
containerd_1.6.20~ds1-1+b1_amd64.deb downloaded from
http://ftp.ca.debian.org/debian/pool/main/c/containerd/
The config.toml file is identical to what we were using previously
with the older version of containerd, and is unchanged in the
newer version of the package. It will get overwritten by
ansible/puppet anyways during system bringup.
The containerd.service file is identical to the version from
the containerd github source tag "v1.6.21" except that the
containerd binary is in /usr/bin/ instead of /usr/local/bin.
The only difference from what we had before is that LimitNOFILE
is now set to "infinity" to align with both Debian and containerd
upstream.
The binaries that get pulled in at build time are from the
containerd upstream binary release
containerd-1.6.21-linux-amd64.tar.gz downloaded from
https://github.com/containerd/containerd/releases/tag/v1.6.21
The rationale for using the upstream binaries rather than the
Debian "bookworm" package is that the Debian package requires
a lot of other dependencies including newer glibc and python3,
which would be too intrusive for our purposes.

3
kubernetes/containerd/debian/deb_folder/changelog Normal file
View File

@ -0,0 +1,3 @@
containerd (1.6.21) stable; urgency=medium
* Initial release using binaries from upstream containerd package
-- Chris Friesen <chris.friesen@windriver.com> Mon, 15 May 2023 14:13:58 -0600

12
kubernetes/containerd/debian/deb_folder/containerd.install Executable file → Normal file
View File

@ -1,6 +1,6 @@
usr/bin
debian/config.toml /etc/containerd/
debian/bash-completion/ctr /usr/share/bash-completion/completions/
debian/zsh-completion/_ctr /usr/share/zsh/vendor-completions/
usr/local/sbin
k8s-container-cleanup.sh usr/local/sbin/
containerd usr/bin
containerd-* usr/bin
ctr usr/bin
config.toml etc/containerd/
k8s-container-cleanup.sh usr/sbin
containerd.service lib/systemd/system/

4
kubernetes/containerd/debian/deb_folder/containerd.links
View File

@ -1,4 +0,0 @@
/usr/bin/containerd /usr/local/bin/containerd
# file renaming can be done with dh-exec, this is a simpler workaround
/usr/local/sbin/k8s-container-cleanup.sh /usr/local/sbin/k8s-container-cleanup

2
kubernetes/containerd/debian/deb_folder/containerd.lintian-overrides
View File

@ -1,2 +0,0 @@
file-in-usr-local
dir-in-usr-local

26
kubernetes/containerd/debian/deb_folder/control Normal file
View File

@ -0,0 +1,26 @@
Source: containerd
Section: admin
Priority: optional
Maintainer: StarlingX Developers <starlingx-discuss@lists.starlingx.io>
Build-Depends: debhelper-compat (= 13),
build-info-dev
Standards-Version: 4.4.1
Homepage: https://containerd.io/
Package: containerd
Architecture: linux-any
Depends: runc (>= 0.1.0~),
${misc:Depends},
${shlibs:Depends},
Description: open and reliable container runtime
Containerd is an industry-standard container runtime with an emphasis on
simplicity, robustness and portability. It is available as a daemon for
Linux and Windows, which can manage the complete container life cycle of
its host system: image transfer and storage, container execution and
supervision, low-level storage and network attachments, etc.
.
Containerd is designed to be embedded into a larger system, rather than
being used directly by developers or end-users.
.
This package contains the binaries.

33
kubernetes/containerd/debian/deb_folder/copyright Normal file
View File

@ -0,0 +1,33 @@
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: containerd
Source: https://github.com/containerd/containerd
Files: *
License: Apache-2.0
Files: files/*
Copyright: 2016 Tianon Gravi <tianon@debian.org>
2019 Shengjing Zhu <zhsj@debian.org>
License: Apache-2.0
Files: files/k8s-container-cleanup.sh
Copyright: 2022, Wind River Systems, Inc.
License: Apache-2.0
License: Apache-2.0
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
.
http://www.apache.org/licenses/LICENSE-2.0
.
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
.
On Debian systems, the complete text of the Apache version 2.0 license
can be found in "/usr/share/common-licenses/Apache-2.0".

62
kubernetes/containerd/debian/deb_folder/rules
View File

@ -1,62 +1,8 @@
#!/usr/bin/make -f
#
# Copyright (c) 2022 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# This file based from upstream containerd_1.4.12/debian/rules,
# modified to install k8s-container-cleanup.sh to /usr/local/sbin.
DEBIAN_BUILDDIR := $(CURDIR)/debian/tmp
include /usr/share/dpkg/default.mk
PKG := github.com/containerd/containerd
TAGS := seccomp apparmor
GO_LDFLAGS += -X $(PKG)/version.Version=$(DEB_VERSION_UPSTREAM)
GO_LDFLAGS += -X $(PKG)/version.Revision=$(DEB_VERSION)
EXCLUDES += cmd/protoc-gen-gogoctrd cmd/containerd-stress
EXCLUDES += runtime/v2/example/cmd
CRI_FILE += cmd/containerd/builtins_cri.go vendor/github.com/containerd/cri
CRI_FILE += vendor/k8s.io vendor/github.com/docker/docker
CRI_FILE += vendor/github.com/containerd/imgcrypt
export DH_GOLANG_EXCLUDES := $(EXCLUDES)
export PATH := /usr/lib/go-1.17/bin:$(PATH)
# See debhelper(7) (uncomment to enable)
# output every command that modifies files on the build system.
export DH_VERBOSE = 1
%:
dh $@ --buildsystem=golang --with=golang --builddirectory=_build
dh $@
# want dh_userlocal to do nothing since proper debian packages have
# only empty directories under /usr/local.
override_dh_usrlocal:
# Do Nothing
override_dh_auto_build:
dh_auto_build -- -tags '$(TAGS)' -ldflags '$(GO_LDFLAGS)'
execute_after_dh_auto_build:
mkdir -p man
make man/containerd-config.8
make man/containerd-config.toml.5
_build/bin/gen-manpages containerd.8 man
_build/bin/gen-manpages ctr.8 man
rm -vf _build/bin/gen-manpages
sed 's|/usr/local/bin|/usr/bin|' containerd.service > debian/containerd.service
mkdir -vp debian/bash-completion
install -m644 -T /usr/share/gocode/src/github.com/urfave/cli/autocomplete/bash_autocomplete \
debian/bash-completion/ctr
mkdir -vp debian/zsh-completion
sed 's|$$PROG|ctr|g' /usr/share/gocode/src/github.com/urfave/cli/autocomplete/zsh_autocomplete > \
debian/zsh-completion/_ctr
override_dh_auto_test:
dh_auto_test -- -tags '$(TAGS)'
override_dh_auto_install:
DH_GOLANG_EXCLUDES="$(EXCLUDES) $(CRI_FILE)" dh_auto_install
install -d $(DEBIAN_BUILDDIR)/usr/local/sbin/
install -m 755 -p -D k8s-container-cleanup.sh $(DEBIAN_BUILDDIR)/usr/local/sbin/

1
kubernetes/containerd/debian/deb_folder/source/format Normal file
View File

@ -0,0 +1 @@
1.0

27
kubernetes/containerd/debian/deb_patches/0001-Update-to-Go-1.17-due-to-containernetworking-plugins.patch
View File

@ -1,27 +0,0 @@
From 5a09ae888e41a92bcb76c6d0ec5fe452fe0695bf Mon Sep 17 00:00:00 2001
From: Yue Tao <yue.tao@windriver.com>
Date: Tue, 18 Apr 2023 08:41:40 +0000
Subject: [PATCH] Update to Go 1.17 due to containernetworking-plugins upgraded
to v1.2.0
Signed-off-by: Yue Tao <yue.tao@windriver.com>
---
debian/control | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/debian/control b/debian/control
index 57a3a9c..db17fb8 100644
--- a/debian/control
+++ b/debian/control
@@ -8,7 +8,7 @@ Uploaders: Tianon Gravi <tianon@debian.org>,
Build-Depends: debhelper-compat (= 13),
dh-golang,
go-md2man,
- golang-any,
+ golang-1.17,
golang-github-burntsushi-toml-dev,
golang-github-containerd-btrfs-dev (>= 0.0~git20200117.1539353~),
golang-github-containerd-cgroups-dev (>= 0.0~git20200817.7a3c009~),
--
2.30.2

1
kubernetes/containerd/debian/deb_patches/series
View File

@ -1 +0,0 @@
0001-Update-to-Go-1.17-due-to-containernetworking-plugins.patch

9
kubernetes/containerd/debian/files/config.toml Normal file
View File

@ -0,0 +1,9 @@
version = 2
[plugins]
[plugins."io.containerd.grpc.v1.cri"]
[plugins."io.containerd.grpc.v1.cri".cni]
bin_dir = "/usr/lib/cni"
conf_dir = "/etc/cni/net.d"
[plugins."io.containerd.internal.v1.opt"]
path = "/var/lib/containerd/opt"

40
kubernetes/containerd/debian/files/containerd.service Normal file
View File

@ -0,0 +1,40 @@
# Copyright The containerd Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
[Unit]
Description=containerd container runtime
Documentation=https://containerd.io
After=network.target local-fs.target
[Service]
ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/bin/containerd
Type=notify
Delegate=yes
KillMode=process
Restart=always
RestartSec=5
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNPROC=infinity
LimitCORE=infinity
LimitNOFILE=infinity
# Comment TasksMax if your systemd version does not supports it.
# Only systemd 226 and above support this version.
TasksMax=infinity
OOMScoreAdjust=-999
[Install]
WantedBy=multi-user.target

15
kubernetes/containerd/debian/meta_data.yaml
View File

@ -1,13 +1,16 @@
---
debname: containerd
debver: 1.4.12~ds1-1
debver: 1.6.21
dl_path:
name: containerd-debian-1.4.12_ds1-1.tar.gz
url: https://salsa.debian.org/go-team/packages/containerd/-/archive/debian/1.4.12_ds1-1_deb11u1/containerd-debian-1.4.12_ds1-1_deb11u1.tar.gz
md5sum: 12565b0d12ce878b6315f049e48113cd
sha256sum: 00199134fed422a3a8041d7a9f8dd782811e7792ee2e7c298351f026c04b99db
name: containerd-1.6.21-linux-amd64.tar.gz
url: https://github.com/containerd/containerd/releases/download/v1.6.21/containerd-1.6.21-linux-amd64.tar.gz
sha256sum: 04dcc1b99368492caee758583e531392683268197e58156888a3cea2941117b6
src_files:
- debian/files/config.toml
- debian/files/containerd.service
- debian/files/k8s-container-cleanup.sh
revision:
dist: $STX_DIST
GITREVCOUNT:
BASE_SRCREV: 5993c6715c645f39eb0258b62ec38a9e6eeb57bb
BASE_SRCREV: 5e9b56a96d58ab5069cb1e6afb856d50450b8875
SRC_DIR: ${MY_REPO}/stx/integ/kubernetes/containerd

590
kubernetes/containerd/debian/patches/0001-revert-to-v1.4.11.patch
View File

@ -1,590 +0,0 @@
From 2c7e958673c945279f8e30d1ad162c460b9c0926 Mon Sep 17 00:00:00 2001
From: Kaustubh Dhokte <kaustubh.dhokte@windriver.com>
Date: Thu, 24 Mar 2022 14:52:27 -0400
Subject: [PATCH] revert to v1.4.11
Signed-off-by: Kaustubh Dhokte <kaustubh.dhokte@windriver.com>
---
.github/workflows/ci.yml | 12 +-
.github/workflows/nightly.yml | 4 +-
.github/workflows/release.yml | 2 +-
.travis.yml | 2 +-
.zuul/playbooks/containerd-build/run.yaml | 2 +-
Vagrantfile | 2 +-
contrib/Dockerfile.test | 2 +-
images/image.go | 55 --------
images/image_test.go | 150 ----------------------
releases/v1.4.12.toml | 23 ----
remotes/docker/fetcher.go | 4 -
remotes/docker/resolver.go | 35 ++---
remotes/docker/schema1/converter.go | 9 +-
version/version.go | 2 +-
14 files changed, 28 insertions(+), 276 deletions(-)
delete mode 100644 images/image_test.go
delete mode 100644 releases/v1.4.12.toml
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8f7a3a7a6..4ee47e5d1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -26,7 +26,7 @@ jobs:
- name: Install Go
uses: actions/setup-go@v2
with:
- go-version: '1.16.10'
+ go-version: '1.16.8'
- name: Set env
shell: bash
@@ -82,7 +82,7 @@ jobs:
steps:
- uses: actions/setup-go@v2
with:
- go-version: '1.16.10'
+ go-version: '1.16.8'
- name: Set env
shell: bash
@@ -128,7 +128,7 @@ jobs:
steps:
- uses: actions/setup-go@v2
with:
- go-version: '1.16.10'
+ go-version: '1.16.8'
- name: Set env
shell: bash
@@ -166,7 +166,7 @@ jobs:
steps:
- uses: actions/setup-go@v2
with:
- go-version: '1.16.10'
+ go-version: '1.16.8'
- name: Set env
shell: bash
@@ -199,7 +199,7 @@ jobs:
steps:
- uses: actions/setup-go@v2
with:
- go-version: '1.16.10'
+ go-version: '1.16.8'
- name: Set env
shell: bash
@@ -285,7 +285,7 @@ jobs:
steps:
- uses: actions/setup-go@v2
with:
- go-version: '1.16.10'
+ go-version: '1.16.8'
- name: Set env
shell: bash
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index b050bbf18..1cb92a34b 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -14,7 +14,7 @@ jobs:
steps:
- uses: actions/setup-go@v2
with:
- go-version: '1.16.10'
+ go-version: '1.16.8'
- name: Checkout
uses: actions/checkout@v1
@@ -138,7 +138,7 @@ jobs:
steps:
- uses: actions/setup-go@v2
with:
- go-version: '1.16.10'
+ go-version: '1.16.8'
- name: Checkout
uses: actions/checkout@v1
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d9e5a3eab..ec9971a4a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -62,7 +62,7 @@ jobs:
- name: Install Go
uses: actions/setup-go@v2
with:
- go-version: '1.16.10'
+ go-version: '1.16.8'
- name: Set env
shell: bash
diff --git a/.travis.yml b/.travis.yml
index 8314c796b..1726cf6d5 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -15,7 +15,7 @@ os:
- linux
go:
- - "1.16.10"
+ - "1.16.8"
env:
- TRAVIS_GOOS=linux TEST_RUNTIME=io.containerd.runc.v1 TRAVIS_CGO_ENABLED=1 TRAVIS_DISTRO=bionic GOPROXY=direct
diff --git a/.zuul/playbooks/containerd-build/run.yaml b/.zuul/playbooks/containerd-build/run.yaml
index c3ebc7eae..815b4ec62 100644
--- a/.zuul/playbooks/containerd-build/run.yaml
+++ b/.zuul/playbooks/containerd-build/run.yaml
@@ -2,7 +2,7 @@
become: yes
roles:
- role: config-golang
- go_version: '1.16.10'
+ go_version: '1.16.8'
arch: arm64
tasks:
- name: Build containerd
diff --git a/Vagrantfile b/Vagrantfile
index b31dfaa34..d1f30c559 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -77,7 +77,7 @@ Vagrant.configure("2") do |config|
config.vm.provision "install-golang", type: "shell", run: "once" do |sh|
sh.upload_path = "/tmp/vagrant-install-golang"
sh.env = {
- 'GO_VERSION': ENV['GO_VERSION'] || "1.16.10",
+ 'GO_VERSION': ENV['GO_VERSION'] || "1.16.8",
}
sh.inline = <<~SHELL
#!/usr/bin/env bash
diff --git a/contrib/Dockerfile.test b/contrib/Dockerfile.test
index 020008ceb..875c457f0 100644
--- a/contrib/Dockerfile.test
+++ b/contrib/Dockerfile.test
@@ -10,7 +10,7 @@
#
# docker build -t containerd-test --build-arg RUNC_VERSION=v1.0.0-rc93 -f Dockerfile.test ../
-ARG GOLANG_VERSION=1.16.10
+ARG GOLANG_VERSION=1.16.8
FROM golang:${GOLANG_VERSION} AS golang-base
RUN mkdir -p /go/src/github.com/containerd/containerd
diff --git a/images/image.go b/images/image.go
index 2e42ca09a..1868ee88d 100644
--- a/images/image.go
+++ b/images/image.go
@@ -19,7 +19,6 @@ package images
import (
"context"
"encoding/json"
- "fmt"
"sort"
"time"
@@ -155,10 +154,6 @@ func Manifest(ctx context.Context, provider content.Provider, image ocispec.Desc
return nil, err
}
- if err := validateMediaType(p, desc.MediaType); err != nil {
- return nil, errors.Wrapf(err, "manifest: invalid desc %s", desc.Digest)
- }
-
var manifest ocispec.Manifest
if err := json.Unmarshal(p, &manifest); err != nil {
return nil, err
@@ -199,10 +194,6 @@ func Manifest(ctx context.Context, provider content.Provider, image ocispec.Desc
return nil, err
}
- if err := validateMediaType(p, desc.MediaType); err != nil {
- return nil, errors.Wrapf(err, "manifest: invalid desc %s", desc.Digest)
- }
-
var idx ocispec.Index
if err := json.Unmarshal(p, &idx); err != nil {
return nil, err
@@ -345,10 +336,6 @@ func Children(ctx context.Context, provider content.Provider, desc ocispec.Descr
return nil, err
}
- if err := validateMediaType(p, desc.MediaType); err != nil {
- return nil, errors.Wrapf(err, "children: invalid desc %s", desc.Digest)
- }
-
// TODO(stevvooe): We just assume oci manifest, for now. There may be
// subtle differences from the docker version.
var manifest ocispec.Manifest
@@ -364,10 +351,6 @@ func Children(ctx context.Context, provider content.Provider, desc ocispec.Descr
return nil, err
}
- if err := validateMediaType(p, desc.MediaType); err != nil {
- return nil, errors.Wrapf(err, "children: invalid desc %s", desc.Digest)
- }
-
var index ocispec.Index
if err := json.Unmarshal(p, &index); err != nil {
return nil, err
@@ -385,44 +368,6 @@ func Children(ctx context.Context, provider content.Provider, desc ocispec.Descr
return descs, nil
}
-// unknownDocument represents a manifest, manifest list, or index that has not
-// yet been validated.
-type unknownDocument struct {
- MediaType string `json:"mediaType,omitempty"`
- Config json.RawMessage `json:"config,omitempty"`
- Layers json.RawMessage `json:"layers,omitempty"`
- Manifests json.RawMessage `json:"manifests,omitempty"`
- FSLayers json.RawMessage `json:"fsLayers,omitempty"` // schema 1
-}
-
-// validateMediaType returns an error if the byte slice is invalid JSON or if
-// the media type identifies the blob as one format but it contains elements of
-// another format.
-func validateMediaType(b []byte, mt string) error {
- var doc unknownDocument
- if err := json.Unmarshal(b, &doc); err != nil {
- return err
- }
- if len(doc.FSLayers) != 0 {
- return fmt.Errorf("media-type: schema 1 not supported")
- }
- switch mt {
- case MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest:
- if len(doc.Manifests) != 0 ||
- doc.MediaType == MediaTypeDockerSchema2ManifestList ||
- doc.MediaType == ocispec.MediaTypeImageIndex {
- return fmt.Errorf("media-type: expected manifest but found index (%s)", mt)
- }
- case MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex:
- if len(doc.Config) != 0 || len(doc.Layers) != 0 ||
- doc.MediaType == MediaTypeDockerSchema2Manifest ||
- doc.MediaType == ocispec.MediaTypeImageManifest {
- return fmt.Errorf("media-type: expected index but found manifest (%s)", mt)
- }
- }
- return nil
-}
-
// RootFS returns the unpacked diffids that make up and images rootfs.
//
// These are used to verify that a set of layers unpacked to the expected
diff --git a/images/image_test.go b/images/image_test.go
deleted file mode 100644
index 3e88e5076..000000000
--- a/images/image_test.go
+++ /dev/null
@@ -1,150 +0,0 @@
-/*
- Copyright The containerd Authors.
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-*/
-
-package images
-
-import (
- "encoding/json"
- "testing"
-
- ocispec "github.com/opencontainers/image-spec/specs-go/v1"
-)
-
-func TestValidateMediaType(t *testing.T) {
- docTests := []struct {
- mt string
- index bool
- }{
- {MediaTypeDockerSchema2Manifest, false},
- {ocispec.MediaTypeImageManifest, false},
- {MediaTypeDockerSchema2ManifestList, true},
- {ocispec.MediaTypeImageIndex, true},
- }
- for _, tc := range docTests {
- t.Run("manifest-"+tc.mt, func(t *testing.T) {
- manifest := ocispec.Manifest{
- Config: ocispec.Descriptor{Size: 1},
- Layers: []ocispec.Descriptor{{Size: 2}},
- }
- b, err := json.Marshal(manifest)
- if err != nil {
- t.Fatal("failed to marshal manifest", err)
- }
-
- err = validateMediaType(b, tc.mt)
- if tc.index {
- if err == nil {
- t.Error("manifest should not be a valid index")
- }
- } else {
- if err != nil {
- t.Error("manifest should be valid")
- }
- }
- })
- t.Run("index-"+tc.mt, func(t *testing.T) {
- index := ocispec.Index{
- Manifests: []ocispec.Descriptor{{Size: 1}},
- }
- b, err := json.Marshal(index)
- if err != nil {
- t.Fatal("failed to marshal index", err)
- }
-
- err = validateMediaType(b, tc.mt)
- if tc.index {
- if err != nil {
- t.Error("index should be valid")
- }
- } else {
- if err == nil {
- t.Error("index should not be a valid manifest")
- }
- }
- })
- }
-
- mtTests := []struct {
- mt string
- valid []string
- invalid []string
- }{{
- MediaTypeDockerSchema2Manifest,
- []string{MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest},
- []string{MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex},
- }, {
- ocispec.MediaTypeImageManifest,
- []string{MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest},
- []string{MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex},
- }, {
- MediaTypeDockerSchema2ManifestList,
- []string{MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex},
- []string{MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest},
- }, {
- ocispec.MediaTypeImageIndex,
- []string{MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex},
- []string{MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest},
- }}
- for _, tc := range mtTests {
- for _, v := range tc.valid {
- t.Run("valid-"+tc.mt+"-"+v, func(t *testing.T) {
- doc := struct {
- MediaType string `json:"mediaType"`
- }{MediaType: v}
- b, err := json.Marshal(doc)
- if err != nil {
- t.Fatal("failed to marshal document", err)
- }
-
- err = validateMediaType(b, tc.mt)
- if err != nil {
- t.Error("document should be valid", err)
- }
- })
- }
- for _, iv := range tc.invalid {
- t.Run("invalid-"+tc.mt+"-"+iv, func(t *testing.T) {
- doc := struct {
- MediaType string `json:"mediaType"`
- }{MediaType: iv}
- b, err := json.Marshal(doc)
- if err != nil {
- t.Fatal("failed to marshal document", err)
- }
-
- err = validateMediaType(b, tc.mt)
- if err == nil {
- t.Error("document should not be valid")
- }
- })
- }
- }
- t.Run("schema1", func(t *testing.T) {
- doc := struct {
- FSLayers []string `json:"fsLayers"`
- }{FSLayers: []string{"1"}}
- b, err := json.Marshal(doc)
- if err != nil {
- t.Fatal("failed to marshal document", err)
- }
-
- err = validateMediaType(b, "")
- if err == nil {
- t.Error("document should not be valid")
- }
-
- })
-}
diff --git a/releases/v1.4.12.toml b/releases/v1.4.12.toml
deleted file mode 100644
index 072d6959a..000000000
--- a/releases/v1.4.12.toml
+++ /dev/null
@@ -1,23 +0,0 @@
-# commit to be tagged for new release
-commit = "HEAD"
-
-project_name = "containerd"
-github_repo = "containerd/containerd"
-match_deps = "^github.com/(containerd/[a-zA-Z0-9-]+)$"
-
-# previous release
-previous = "v1.4.11"
-
-pre_release = false
-
-preface = """\
-The twelfth patch release for containerd 1.4 contains a few minor bug fixes
-and an update to mitigate [CVE-2021-41190](https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m).
-
-### Notable Updates
-
-* **Handle ambiguous OCI manifest parsing** ([GHSA-5j5w-g665-5m35](https://github.com/containerd/containerd/security/advisories/GHSA-5j5w-g665-5m35))
-* **Update pull to try next mirror for non-404 errors** ([#5275](https://github.com/containerd/containerd/pull/5275))
-* **Update pull to handle of non-https urls in descriptors** ([#6221](https://github.com/containerd/containerd/pull/6221))
-
-See the changelog for complete list of changes"""
diff --git a/remotes/docker/fetcher.go b/remotes/docker/fetcher.go
index 4b2c10e9a..5796fbf4a 100644
--- a/remotes/docker/fetcher.go
+++ b/remotes/docker/fetcher.go
@@ -60,10 +60,6 @@ func (r dockerFetcher) Fetch(ctx context.Context, desc ocispec.Descriptor) (io.R
log.G(ctx).WithError(err).Debug("failed to parse")
continue
}
- if u.Scheme != "http" && u.Scheme != "https" {
- log.G(ctx).Debug("non-http(s) alternative url is unsupported")
- continue
- }
log.G(ctx).Debug("trying alternative url")
// Try this first, parse it
diff --git a/remotes/docker/resolver.go b/remotes/docker/resolver.go
index d6ccd7072..06b08dee8 100644
--- a/remotes/docker/resolver.go
+++ b/remotes/docker/resolver.go
@@ -229,10 +229,10 @@ func (r *dockerResolver) Resolve(ctx context.Context, ref string) (string, ocisp
}
var (
- firstErr error
- paths [][]string
- dgst = refspec.Digest()
- caps = HostCapabilityPull
+ lastErr error
+ paths [][]string
+ dgst = refspec.Digest()
+ caps = HostCapabilityPull
)
if dgst != "" {
@@ -283,8 +283,8 @@ func (r *dockerResolver) Resolve(ctx context.Context, ref string) (string, ocisp
err = errors.Wrapf(err, "pull access denied, repository does not exist or may require authorization")
}
// Store the error for referencing later
- if firstErr == nil {
- firstErr = err
+ if lastErr == nil {
+ lastErr = err
}
continue // try another host
}
@@ -294,14 +294,7 @@ func (r *dockerResolver) Resolve(ctx context.Context, ref string) (string, ocisp
if resp.StatusCode == http.StatusNotFound {
continue
}
- if resp.StatusCode > 399 {
- // Set firstErr when encountering the first non-404 status code.
- if firstErr == nil {
- firstErr = errors.Errorf("pulling from host %s failed with status code %v: %v", host.Host, u, resp.Status)
- }
- continue // try another host
- }
- return "", ocispec.Descriptor{}, errors.Errorf("pulling from host %s failed with unexpected status code %v: %v", host.Host, u, resp.Status)
+ return "", ocispec.Descriptor{}, errors.Errorf("unexpected status code %v: %v", u, resp.Status)
}
size := resp.ContentLength
contentType := getManifestMediaType(resp)
@@ -364,8 +357,8 @@ func (r *dockerResolver) Resolve(ctx context.Context, ref string) (string, ocisp
}
// Prevent resolving to excessively large manifests
if size > MaxManifestSize {
- if firstErr == nil {
- firstErr = errors.Wrapf(errdefs.ErrNotFound, "rejecting %d byte manifest for %s", size, ref)
+ if lastErr == nil {
+ lastErr = errors.Wrapf(errdefs.ErrNotFound, "rejecting %d byte manifest for %s", size, ref)
}
continue
}
@@ -381,15 +374,11 @@ func (r *dockerResolver) Resolve(ctx context.Context, ref string) (string, ocisp
}
}
- // If above loop terminates without return, then there was an error.
- // "firstErr" contains the first non-404 error. That is, "firstErr == nil"
- // means that either no registries were given or each registry returned 404.
-
- if firstErr == nil {
- firstErr = errors.Wrap(errdefs.ErrNotFound, ref)
+ if lastErr == nil {
+ lastErr = errors.Wrap(errdefs.ErrNotFound, ref)
}
- return "", ocispec.Descriptor{}, firstErr
+ return "", ocispec.Descriptor{}, lastErr
}
func (r *dockerResolver) Fetcher(ctx context.Context, ref string) (remotes.Fetcher, error) {
diff --git a/remotes/docker/schema1/converter.go b/remotes/docker/schema1/converter.go
index f15a9acf3..8314c01d5 100644
--- a/remotes/docker/schema1/converter.go
+++ b/remotes/docker/schema1/converter.go
@@ -256,9 +256,6 @@ func (c *Converter) fetchManifest(ctx context.Context, desc ocispec.Descriptor)
if err := json.Unmarshal(b, &m); err != nil {
return err
}
- if len(m.Manifests) != 0 || len(m.Layers) != 0 {
- return errors.New("converter: expected schema1 document but found extra keys")
- }
c.pulledManifest = &m
return nil
@@ -475,10 +472,8 @@ type history struct {
}
type manifest struct {
- FSLayers []fsLayer `json:"fsLayers"`
- History []history `json:"history"`
- Layers json.RawMessage `json:"layers,omitempty"` // OCI manifest
- Manifests json.RawMessage `json:"manifests,omitempty"` // OCI index
+ FSLayers []fsLayer `json:"fsLayers"`
+ History []history `json:"history"`
}
type v1History struct {
diff --git a/version/version.go b/version/version.go
index dab4a1656..77f581f7c 100644
--- a/version/version.go
+++ b/version/version.go
@@ -23,7 +23,7 @@ var (
Package = "github.com/containerd/containerd"
// Version holds the complete version number. Filled in at linking time.
- Version = "1.4.12+unknown"
+ Version = "1.4.11+unknown"
// Revision is filled with the VCS (e.g. git) revision being used to build
// the program at linking time.
--
2.25.1

55
kubernetes/containerd/debian/patches/0002-customize-containerd-for-StarlingX.patch
View File

@ -1,55 +0,0 @@
From eeb59bb893f5f5ce6d7b9ec170ec67203f71478d Mon Sep 17 00:00:00 2001
From: Kaustubh Dhokte <kaustubh.dhokte@windriver.com>
Date: Tue, 1 Mar 2022 20:43:42 -0500
Subject: [PATCH] customize containerd for StarlingX
1. disable btrfs to avoid needing to pull in the devel package
2. docker registry in StarlingX 3.0 branch doesn't support POST method
for token and will return 400. Switch to GET method to get token if
StatusCode is 400.
3. hardcode version info due to miss git info in tarball.
Signed-off-by: Kaustubh Dhokte <kaustubh.dhokte@windriver.com>
---
Makefile | 3 ++-
remotes/docker/authorizer.go | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/Makefile b/Makefile
index c0fecb9a6..d8cef89d5 100644
--- a/Makefile
+++ b/Makefile
@@ -20,7 +20,7 @@ ROOTDIR=$(dir $(abspath $(lastword $(MAKEFILE_LIST))))
DESTDIR ?= /usr/local
# Used to populate variables in version package.
-VERSION=$(shell git describe --match 'v[0-9]*' --dirty='.m' --always)
+VERSION=v1.4.11
REVISION=$(shell git rev-parse HEAD)$(shell if ! git diff --no-ext-diff --quiet --exit-code; then echo .m; fi)
PACKAGE=github.com/containerd/containerd
SHIM_CGO_ENABLED ?= 0
@@ -78,6 +78,7 @@ endif
# Build tags apparmor and selinux are needed by CRI plugin.
GO_BUILDTAGS ?= apparmor selinux
GO_BUILDTAGS += ${DEBUG_TAGS}
+GO_BUILDTAGS += no_btrfs
GO_TAGS=$(if $(GO_BUILDTAGS),-tags "$(GO_BUILDTAGS)",)
GO_LDFLAGS=-ldflags '-X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -X $(PKG)/version.Package=$(PACKAGE) $(EXTRA_LDFLAGS)'
SHIM_GO_LDFLAGS=-ldflags '-X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -X $(PKG)/version.Package=$(PACKAGE) -extldflags "-static" $(EXTRA_LDFLAGS)'
diff --git a/remotes/docker/authorizer.go b/remotes/docker/authorizer.go
index 67e4aea8d..bacaa502d 100644
--- a/remotes/docker/authorizer.go
+++ b/remotes/docker/authorizer.go
@@ -284,7 +284,8 @@ func (ah *authHandler) doBearerAuth(ctx context.Context) (token string, err erro
// Registries without support for POST may return 404 for POST /v2/token.
// As of September 2017, GCR is known to return 404.
// As of February 2018, JFrog Artifactory is known to return 401.
- if (errStatus.StatusCode == 405 && to.Username != "") || errStatus.StatusCode == 404 || errStatus.StatusCode == 401 {
+ // Registry in StarlingX 6.0 returns 400 for POST /v2/token. Should check if still applicable.
+ if (errStatus.StatusCode == 405 && to.Username != "") || errStatus.StatusCode == 404 || errStatus.StatusCode == 401 || errStatus.StatusCode == 400 {
resp, err := auth.FetchToken(ctx, ah.client, ah.header, to)
if err != nil {
return "", err
--
2.25.1

122
kubernetes/containerd/debian/patches/0003-CRI-Reduce-clutter-of-log-entries-during-process-exe.patch
View File

@ -1,122 +0,0 @@
From 80f56a43f5ff7f7d10689a21a004279345221f70 Mon Sep 17 00:00:00 2001
From: Davanum Srinivas <davanum@gmail.com>
Date: Wed, 6 Jan 2021 08:57:31 -0500
Subject: [PATCH] [CRI] Reduce clutter of log entries during process execution
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
---
.../vendor/github.com/containerd/cri/pkg/server/container_execsync.go | 4 ++--
.../vendor/github.com/cri/pkg/server/instrumented_service.go | 12 ++++++------
.../vendor/github.com/containerd/cri/pkg/server/io/container_io.go | 4 ++--
.../vendor/github.com/containerd/cri/pkg/server/io/exec_io.go | 2 +-
4 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/vendor/github.com/containerd/cri/pkg/server/container_execsync.go b/vendor/github.com/containerd/cri/pkg/server/container_execsync.go
index 1c019f651..17c2bd39d 100644
--- a/vendor/github.com/containerd/cri/pkg/server/container_execsync.go
+++ b/vendor/github.com/containerd/cri/pkg/server/container_execsync.go
@@ -164,14 +164,14 @@ func (c *criService) execInternal(ctx context.Context, container containerd.Cont
}
// Wait for the process to be killed.
exitRes := <-exitCh
- log.G(ctx).Infof("Timeout received while waiting for exec process kill %q code %d and error %v",
+ log.G(ctx).Debugf("Timeout received while waiting for exec process kill %q code %d and error %v",
execID, exitRes.ExitCode(), exitRes.Error())
<-attachDone
log.G(ctx).Debugf("Stream pipe for exec process %q done", execID)
return nil, errors.Wrapf(execCtx.Err(), "timeout %v exceeded", opts.timeout)
case exitRes := <-exitCh:
code, _, err := exitRes.Result()
- log.G(ctx).Infof("Exec process %q exits with exit code %d and error %v", execID, code, err)
+ log.G(ctx).Debugf("Exec process %q exits with exit code %d and error %v", execID, code, err)
if err != nil {
return nil, errors.Wrapf(err, "failed while waiting for exec %q", execID)
}
diff --git a/vendor/github.com/containerd/cri/pkg/server/instrumented_service.go b/vendor/github.com/containerd/cri/pkg/server/instrumented_service.go
index 2c2528ab6..74bebe858 100644
--- a/vendor/github.com/containerd/cri/pkg/server/instrumented_service.go
+++ b/vendor/github.com/containerd/cri/pkg/server/instrumented_service.go
@@ -247,12 +247,12 @@ func (in *instrumentedService) ExecSync(ctx context.Context, r *runtime.ExecSync
if err := in.checkInitialized(); err != nil {
return nil, err
}
- log.G(ctx).Infof("ExecSync for %q with command %+v and timeout %d (s)", r.GetContainerId(), r.GetCmd(), r.GetTimeout())
+ log.G(ctx).Debugf("ExecSync for %q with command %+v and timeout %d (s)", r.GetContainerId(), r.GetCmd(), r.GetTimeout())
defer func() {
if err != nil {
log.G(ctx).WithError(err).Errorf("ExecSync for %q failed", r.GetContainerId())
} else {
- log.G(ctx).Infof("ExecSync for %q returns with exit code %d", r.GetContainerId(), res.GetExitCode())
+ log.G(ctx).Debugf("ExecSync for %q returns with exit code %d", r.GetContainerId(), res.GetExitCode())
log.G(ctx).Debugf("ExecSync for %q outputs - stdout: %q, stderr: %q", r.GetContainerId(),
res.GetStdout(), res.GetStderr())
}
@@ -265,13 +265,13 @@ func (in *instrumentedService) Exec(ctx context.Context, r *runtime.ExecRequest)
if err := in.checkInitialized(); err != nil {
return nil, err
}
- log.G(ctx).Infof("Exec for %q with command %+v, tty %v and stdin %v",
+ log.G(ctx).Debugf("Exec for %q with command %+v, tty %v and stdin %v",
r.GetContainerId(), r.GetCmd(), r.GetTty(), r.GetStdin())
defer func() {
if err != nil {
log.G(ctx).WithError(err).Errorf("Exec for %q failed", r.GetContainerId())
} else {
- log.G(ctx).Infof("Exec for %q returns URL %q", r.GetContainerId(), res.GetUrl())
+ log.G(ctx).Debugf("Exec for %q returns URL %q", r.GetContainerId(), res.GetUrl())
}
}()
res, err = in.c.Exec(ctrdutil.WithNamespace(ctx), r)
@@ -282,12 +282,12 @@ func (in *instrumentedService) Attach(ctx context.Context, r *runtime.AttachRequ
if err := in.checkInitialized(); err != nil {
return nil, err
}
- log.G(ctx).Infof("Attach for %q with tty %v and stdin %v", r.GetContainerId(), r.GetTty(), r.GetStdin())
+ log.G(ctx).Debugf("Attach for %q with tty %v and stdin %v", r.GetContainerId(), r.GetTty(), r.GetStdin())
defer func() {
if err != nil {
log.G(ctx).WithError(err).Errorf("Attach for %q failed", r.GetContainerId())
} else {
- log.G(ctx).Infof("Attach for %q returns URL %q", r.GetContainerId(), res.Url)
+ log.G(ctx).Debugf("Attach for %q returns URL %q", r.GetContainerId(), res.Url)
}
}()
res, err = in.c.Attach(ctrdutil.WithNamespace(ctx), r)
diff --git a/vendor/github.com/containerd/cri/pkg/server/io/container_io.go b/vendor/github.com/containerd/cri/pkg/server/io/container_io.go
index c66549ca5..c69cadd6c 100644
--- a/vendor/github.com/containerd/cri/pkg/server/io/container_io.go
+++ b/vendor/github.com/containerd/cri/pkg/server/io/container_io.go
@@ -114,7 +114,7 @@ func (c *ContainerIO) Pipe() {
c.stdout.Close()
c.stdoutGroup.Close()
wg.Done()
- logrus.Infof("Finish piping stdout of container %q", c.id)
+ logrus.Debugf("Finish piping stdout of container %q", c.id)
}()
}
@@ -127,7 +127,7 @@ func (c *ContainerIO) Pipe() {
c.stderr.Close()
c.stderrGroup.Close()
wg.Done()
- logrus.Infof("Finish piping stderr of container %q", c.id)
+ logrus.Debugf("Finish piping stderr of container %q", c.id)
}()
}
}
diff --git a/vendor/github.com/containerd/cri/pkg/server/io/exec_io.go b/vendor/github.com/containerd/cri/pkg/server/io/exec_io.go
index 4a695030d..f1b9ef370 100644
--- a/vendor/github.com/containerd/cri/pkg/server/io/exec_io.go
+++ b/vendor/github.com/containerd/cri/pkg/server/io/exec_io.go
@@ -99,7 +99,7 @@ func (e *ExecIO) Attach(opts AttachOptions) <-chan struct{} {
}
e.closer.wg.Done()
wg.Done()
- logrus.Infof("Finish piping %q of container exec %q", t, e.id)
+ logrus.Debugf("Finish piping %q of container exec %q", t, e.id)
}
if opts.Stdout != nil {
--
2.25.1

3
kubernetes/containerd/debian/patches/series
View File

@ -1,3 +0,0 @@
0001-revert-to-v1.4.11.patch
0002-customize-containerd-for-StarlingX.patch
0003-CRI-Reduce-clutter-of-log-entries-during-process-exe.patch