From 4475fc92a0cc916f9f8c83ccf41b88c75b01a1f0 Mon Sep 17 00:00:00 2001
From: Akihiro Suda
Date: Mon, 10 Mar 2025 10:11:33 +0900
Subject: [PATCH 1/2] update RootlessKit to v2.3.4

Contains a fix for Ubuntu 25.04
https://github.com/rootless-containers/rootlesskit/releases/tag/v2.3.3
https://github.com/rootless-containers/rootlesskit/releases/tag/v2.3.4

Signed-off-by: Akihiro Suda
(cherry picked from commit cecae007017263e48a875ef15e0282c95e21ef75)
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 50a21cdb2d57..c44fe939f086 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,7 +6,7 @@ ARG CONTAINERD_VERSION=v2.0.2
 ARG CONTAINERD_ALT_VERSION_17=v1.7.25
 ARG CONTAINERD_ALT_VERSION_16=v1.6.36
 ARG REGISTRY_VERSION=v2.8.3
-ARG ROOTLESSKIT_VERSION=v2.3.2
+ARG ROOTLESSKIT_VERSION=v2.3.4
 ARG CNI_VERSION=v1.5.1
 ARG STARGZ_SNAPSHOTTER_VERSION=v0.15.1
 ARG NERDCTL_VERSION=v1.6.2

From 7c47445ddf48ea97cd51187de6ec9d0ac011f2a1 Mon Sep 17 00:00:00 2001
From: Derek McGowan
Date: Mon, 17 Mar 2025 11:05:29 -0700
Subject: [PATCH 2/2] Update containerd to v2.0.4

Signed-off-by: Derek McGowan
(cherry picked from commit 6636ddb86af383e155c4977e1f794758ae402640)
---
 go.mod | 2 +-
 go.sum | 4 ++--
 .../containerd/containerd/v2/client/client.go | 3 ++-
 .../containerd/v2/core/images/image.go | 4 ++--
 .../containerd/v2/core/images/mediatypes.go | 13 ++++++++++
 .../containerd/v2/core/remotes/handlers.go | 2 ++
 .../containerd/v2/pkg/oci/spec_opts.go | 24 +++++++++++++++----
 .../containerd/v2/version/version.go | 3 ++-
 vendor/modules.txt | 2 +-
 9 files changed, 45 insertions(+), 12 deletions(-)

diff --git a/go.mod b/go.mod
index dd696567a3cb..fadd0e827f5c 100644
--- a/go.mod
+++ b/go.mod
@@ -17,7 +17,7 @@ require (
 github.com/aws/aws-sdk-go-v2/service/s3 v1.58.2
 github.com/containerd/console v1.0.4
 github.com/containerd/containerd/api v1.8.0
- github.com/containerd/containerd/v2 v2.0.3
+ github.com/containerd/containerd/v2 v2.0.4
 github.com/containerd/continuity v0.4.5
 github.com/containerd/errdefs v1.0.0
 github.com/containerd/fuse-overlayfs-snapshotter/v2 v2.1.1
diff --git a/go.sum b/go.sum
index fdca30d64082..4a698e11961e 100644
--- a/go.sum
+++ b/go.sum
@@ -97,8 +97,8 @@ github.com/containerd/console v1.0.4 h1:F2g4+oChYvBTsASRTz8NP6iIAi97J3TtSAsLbIFn
 github.com/containerd/console v1.0.4/go.mod h1:YynlIjWYF8myEu6sdkwKIvGQq+cOckRm6So2avqoYAk=
 github.com/containerd/containerd/api v1.8.0 h1:hVTNJKR8fMc/2Tiw60ZRijntNMd1U+JVMyTRdsD2bS0=
 github.com/containerd/containerd/api v1.8.0/go.mod h1:dFv4lt6S20wTu/hMcP4350RL87qPWLVa/OHOwmmdnYc=
-github.com/containerd/containerd/v2 v2.0.3 h1:zBKgwgZsuu+LPCMzCLgA4sC4MiZzZ59ZT31XkmiISQM=
-github.com/containerd/containerd/v2 v2.0.3/go.mod h1:5j9QUUaV/cy9ZeAx4S+8n9ffpf+iYnEj4jiExgcbuLY=
+github.com/containerd/containerd/v2 v2.0.4 h1:+r7yJMwhTfMm3CDyiBjMBQO8a9CTBxL2Bg/JtqtIwB8=
+github.com/containerd/containerd/v2 v2.0.4/go.mod h1:5j9QUUaV/cy9ZeAx4S+8n9ffpf+iYnEj4jiExgcbuLY=
 github.com/containerd/continuity v0.4.5 h1:ZRoN1sXq9u7V6QoHMcVWGhOwDFqZ4B9i5H6un1Wh0x4=
 github.com/containerd/continuity v0.4.5/go.mod h1:/lNJvtJKUQStBzpVQ1+rasXO1LAWtUQssk28EZvJ3nE=
 github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
diff --git a/vendor/github.com/containerd/containerd/v2/client/client.go b/vendor/github.com/containerd/containerd/v2/client/client.go
index c58459b214f3..8a19d3307cc0 100644
--- a/vendor/github.com/containerd/containerd/v2/client/client.go
+++ b/vendor/github.com/containerd/containerd/v2/client/client.go
@@ -129,7 +129,8 @@ func New(address string, opts ...Opt) (*Client, error) {
 backoffConfig := backoff.DefaultConfig
 backoffConfig.MaxDelay = copts.timeout
 connParams := grpc.ConnectParams{
- Backoff: backoffConfig,
+ Backoff: backoffConfig,
+ MinConnectTimeout: copts.timeout,
 }
 gopts := []grpc.DialOption{
 grpc.WithTransportCredentials(insecure.NewCredentials()),
diff --git a/vendor/github.com/containerd/containerd/v2/core/images/image.go b/vendor/github.com/containerd/containerd/v2/core/images/image.go
index 6bc106aac530..9fcce9b4eb0d 100644
--- a/vendor/github.com/containerd/containerd/v2/core/images/image.go
+++ b/vendor/github.com/containerd/containerd/v2/core/images/image.go
@@ -369,8 +369,8 @@ func Children(ctx context.Context, provider content.Provider, desc ocispec.Descr
 }
 return append([]ocispec.Descriptor{}, index.Manifests...), nil
- } else if !IsLayerType(desc.MediaType) && !IsKnownConfig(desc.MediaType) {
- // Layers and configs are childless data types and should not be logged.
+ } else if !IsLayerType(desc.MediaType) && !IsKnownConfig(desc.MediaType) && !IsAttestationType(desc.MediaType) {
+ // Layers, configs, and attestations are childless data types and should not be logged.
 log.G(ctx).Debugf("encountered unknown type %v; children may not be fetched", desc.MediaType)
 }
 return nil, nil
diff --git a/vendor/github.com/containerd/containerd/v2/core/images/mediatypes.go b/vendor/github.com/containerd/containerd/v2/core/images/mediatypes.go
index d2e845b16d52..0c8600d86ffc 100644
--- a/vendor/github.com/containerd/containerd/v2/core/images/mediatypes.go
+++ b/vendor/github.com/containerd/containerd/v2/core/images/mediatypes.go
@@ -58,6 +58,9 @@ const (
 MediaTypeImageLayerEncrypted = ocispec.MediaTypeImageLayer + "+encrypted"
 MediaTypeImageLayerGzipEncrypted = ocispec.MediaTypeImageLayerGzip + "+encrypted"
+
+ // In-toto attestation
+ MediaTypeInToto = "application/vnd.in-toto+json"
 )
 // DiffCompression returns the compression as defined by the layer diff media
@@ -193,6 +196,16 @@ func IsKnownConfig(mt string) bool {
 return false
 }
+// IsAttestationType returns true if the media type is an attestation type
+func IsAttestationType(mt string) bool {
+ switch mt {
+ case MediaTypeInToto:
+ return true
+ default:
+ return false
+ }
+}
+
 // ChildGCLabels returns the label for a given descriptor to reference it
 func ChildGCLabels(desc ocispec.Descriptor) []string {
 mt := desc.MediaType
diff --git a/vendor/github.com/containerd/containerd/v2/core/remotes/handlers.go b/vendor/github.com/containerd/containerd/v2/core/remotes/handlers.go
index 16fcdbf84dc0..a3e1ff984ae7 100644
--- a/vendor/github.com/containerd/containerd/v2/core/remotes/handlers.go
+++ b/vendor/github.com/containerd/containerd/v2/core/remotes/handlers.go
@@ -80,6 +80,8 @@ func MakeRefKey(ctx context.Context, desc ocispec.Descriptor) string {
 return "layer-" + key
 case images.IsKnownConfig(desc.MediaType):
 return "config-" + key
+ case images.IsAttestationType(desc.MediaType):
+ return "attestation-" + key
 default:
 log.G(ctx).Warnf("reference for unknown type: %s", desc.MediaType)
 return "unknown-" + key
diff --git a/vendor/github.com/containerd/containerd/v2/pkg/oci/spec_opts.go b/vendor/github.com/containerd/containerd/v2/pkg/oci/spec_opts.go
index 3b85d764ae10..f7b298122957 100644
--- a/vendor/github.com/containerd/containerd/v2/pkg/oci/spec_opts.go
+++ b/vendor/github.com/containerd/containerd/v2/pkg/oci/spec_opts.go
@@ -22,6 +22,7 @@ import (
 "encoding/json"
 "errors"
 "fmt"
+ "math"
 "os"
 "path/filepath"
 "runtime"
@@ -593,6 +594,20 @@ func WithUser(userstr string) SpecOpts {
 defer ensureAdditionalGids(s)
 setProcess(s)
 s.Process.User.AdditionalGids = nil
+ // While the Linux kernel allows the max UID to be MaxUint32 - 2,
+ // and the OCI Runtime Spec has no definition about the max UID,
+ // the runc implementation is known to require the UID to be <= MaxInt32.
+ //
+ // containerd follows runc's limitation here.
+ //
+ // In future we may relax this limitation to allow MaxUint32 - 2,
+ // or, amend the OCI Runtime Spec to codify the implementation limitation.
+ const (
+ minUserID = 0
+ maxUserID = math.MaxInt32
+ minGroupID = 0
+ maxGroupID = math.MaxInt32
+ )
 // For LCOW it's a bit harder to confirm that the user actually exists on the host as a rootfs isn't
 // mounted on the host and shared into the guest, but rather the rootfs is constructed entirely in the
@@ -611,8 +626,8 @@ func WithUser(userstr string) SpecOpts {
 switch len(parts) {
 case 1:
 v, err := strconv.Atoi(parts[0])
- if err != nil {
- // if we cannot parse as a uint they try to see if it is a username
+ if err != nil || v < minUserID || v > maxUserID {
+ // if we cannot parse as an int32 then try to see if it is a username
 return WithUsername(userstr)(ctx, client, c, s)
 }
 return WithUserID(uint32(v))(ctx, client, c, s)
@@ -623,12 +638,13 @@ func WithUser(userstr string) SpecOpts {
 )
 var uid, gid uint32
 v, err := strconv.Atoi(parts[0])
- if err != nil {
+ if err != nil || v < minUserID || v > maxUserID {
 username = parts[0]
 } else {
 uid = uint32(v)
 }
- if v, err = strconv.Atoi(parts[1]); err != nil {
+ v, err = strconv.Atoi(parts[1])
+ if err != nil || v < minGroupID || v > maxGroupID {
 groupname = parts[1]
 } else {
 gid = uint32(v)
diff --git a/vendor/github.com/containerd/containerd/v2/version/version.go b/vendor/github.com/containerd/containerd/v2/version/version.go
index d0749a6cfcd3..23d820a9e951 100644
--- a/vendor/github.com/containerd/containerd/v2/version/version.go
+++ b/vendor/github.com/containerd/containerd/v2/version/version.go
@@ -19,11 +19,12 @@ package version
 import "runtime"
 var (
+ Name = "containerd"
 // Package is filled at linking time
 Package = "github.com/containerd/containerd/v2"
 // Version holds the complete version number. Filled in at linking time.
- Version = "2.0.3+unknown"
+ Version = "2.0.4+unknown"
 // Revision is filled with the VCS (e.g. git) revision being used to build
 // the program at linking time.
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 7dfe5e911ffd..ae8e86398392 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -301,7 +301,7 @@ github.com/containerd/containerd/api/types/runc/options
 github.com/containerd/containerd/api/types/runtimeoptions/v1
 github.com/containerd/containerd/api/types/task
 github.com/containerd/containerd/api/types/transfer
-# github.com/containerd/containerd/v2 v2.0.3
+# github.com/containerd/containerd/v2 v2.0.4
 ## explicit; go 1.22.0
 github.com/containerd/containerd/v2/client
 github.com/containerd/containerd/v2/core/containers