diff --git a/vendor.conf b/vendor.conf index 18fd31bf2b..69e68e36da 100644 --- a/vendor.conf +++ b/vendor.conf @@ -123,7 +123,7 @@ github.com/googleapis/gax-go 317e0006254c44a0ac427cc52a0e google.golang.org/genproto 3f1135a288c9a07e340ae8ba4cc6c7065a3160e8 # containerd -github.com/containerd/containerd 09814d48d50816305a8e6c1a4ae3e2bcc4ba725a # v1.4.0 +github.com/containerd/containerd c623d1b36f09f8ef6536a057bd658b3aa8632828 # v1.4.1 github.com/containerd/fifo f15a3290365b9d2627d189e619ab4008e0069caf github.com/containerd/continuity efbc4488d8fe1bdc16bde3b2d2990d9b3a899165 github.com/containerd/cgroups 318312a373405e5e91134d8063d04d59768a1bff diff --git a/vendor/github.com/containerd/containerd/contrib/seccomp/seccomp_default.go b/vendor/github.com/containerd/containerd/contrib/seccomp/seccomp_default.go index 7da95a0c30..f1337e6db3 100644 --- a/vendor/github.com/containerd/containerd/contrib/seccomp/seccomp_default.go +++ b/vendor/github.com/containerd/containerd/contrib/seccomp/seccomp_default.go @@ -55,6 +55,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp { "accept", "accept4", "access", + "adjtimex", "alarm", "bind", "brk", @@ -93,6 +94,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp { "exit", "exit_group", "faccessat", + "faccessat2", "fadvise64", "fadvise64_64", "fallocate", @@ -173,6 +175,9 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp { "ioprio_set", "io_setup", "io_submit", + "io_uring_enter", + "io_uring_register", + "io_uring_setup", "ipc", "kill", "lchown", @@ -190,6 +195,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp { "lstat", "lstat64", "madvise", + "membarrier", "memfd_create", "mincore", "mkdir", @@ -224,6 +230,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp { "_newselect", "open", "openat", + "openat2", "pause", "pipe", "pipe2", @@ -233,11 +240,13 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp { "prctl", "pread64", "preadv", + "preadv2", "prlimit64", "pselect6", "pselect6_time64", "pwrite64", "pwritev", + "pwritev2", "read", "readahead", "readlink", @@ -344,7 +353,6 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp { "sync_file_range", "syncfs", "sysinfo", - "syslog", "tee", "tgkill", "time", @@ -406,6 +414,28 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp { }, }, }, + { + Names: []string{"personality"}, + Action: specs.ActAllow, + Args: []specs.LinuxSeccompArg{ + { + Index: 0, + Value: 0x20000, + Op: specs.OpEqualTo, + }, + }, + }, + { + Names: []string{"personality"}, + Action: specs.ActAllow, + Args: []specs.LinuxSeccompArg{ + { + Index: 0, + Value: 0x20008, + Op: specs.OpEqualTo, + }, + }, + }, { Names: []string{"personality"}, Action: specs.ActAllow, @@ -427,11 +457,20 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp { // include by arch switch runtime.GOARCH { + case "ppc64le": + s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{ + Names: []string{ + "sync_file_range2", + }, + Action: specs.ActAllow, + Args: []specs.LinuxSeccompArg{}, + }) case "arm", "arm64": s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{ Names: []string{ "arm_fadvise64_64", "arm_sync_file_range", + "sync_file_range2", "breakpoint", "cacheflush", "set_tls", @@ -488,9 +527,11 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp { "mount", "name_to_handle_at", "perf_event_open", + "quotactl", "setdomainname", "sethostname", "setns", + "syslog", "umount", "umount2", "unshare", @@ -551,7 +592,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp { Names: []string{ "settimeofday", "stime", - "adjtimex", + "clock_settime", }, Action: specs.ActAllow, Args: []specs.LinuxSeccompArg{}, @@ -562,6 +603,12 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp { Action: specs.ActAllow, Args: []specs.LinuxSeccompArg{}, }) + case "CAP_SYSLOG": + s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{ + Names: []string{"syslog"}, + Action: specs.ActAllow, + Args: []specs.LinuxSeccompArg{}, + }) } } diff --git a/vendor/github.com/containerd/containerd/runtime/v1/shim/client/client.go b/vendor/github.com/containerd/containerd/runtime/v1/shim/client/client.go index 562ee6ca48..9653454afc 100644 --- a/vendor/github.com/containerd/containerd/runtime/v1/shim/client/client.go +++ b/vendor/github.com/containerd/containerd/runtime/v1/shim/client/client.go @@ -22,6 +22,7 @@ import ( "context" "fmt" "io" + "io/ioutil" "net" "os" "os/exec" @@ -67,23 +68,25 @@ func WithStart(binary, address, daemonAddress, cgroup string, debug bool, exitHa } defer f.Close() - var stdoutLog io.ReadWriteCloser - var stderrLog io.ReadWriteCloser - if debug { - stdoutLog, err = v1.OpenShimStdoutLog(ctx, config.WorkDir) - if err != nil { - return nil, nil, errors.Wrapf(err, "failed to create stdout log") - } - - stderrLog, err = v1.OpenShimStderrLog(ctx, config.WorkDir) - if err != nil { - return nil, nil, errors.Wrapf(err, "failed to create stderr log") - } - - go io.Copy(os.Stdout, stdoutLog) - go io.Copy(os.Stderr, stderrLog) + stdoutCopy := ioutil.Discard + stderrCopy := ioutil.Discard + stdoutLog, err := v1.OpenShimStdoutLog(ctx, config.WorkDir) + if err != nil { + return nil, nil, errors.Wrapf(err, "failed to create stdout log") } + stderrLog, err := v1.OpenShimStderrLog(ctx, config.WorkDir) + if err != nil { + return nil, nil, errors.Wrapf(err, "failed to create stderr log") + } + if debug { + stdoutCopy = os.Stdout + stderrCopy = os.Stderr + } + + go io.Copy(stdoutCopy, stdoutLog) + go io.Copy(stderrCopy, stderrLog) + cmd, err := newCommand(binary, daemonAddress, debug, config, f, stdoutLog, stderrLog) if err != nil { return nil, nil, err diff --git a/vendor/github.com/containerd/containerd/runtime/v1/shim/service.go b/vendor/github.com/containerd/containerd/runtime/v1/shim/service.go index 6bd6aefa22..2f5a8c2f21 100644 --- a/vendor/github.com/containerd/containerd/runtime/v1/shim/service.go +++ b/vendor/github.com/containerd/containerd/runtime/v1/shim/service.go @@ -514,7 +514,7 @@ func (s *Service) checkProcesses(e runc.Exit) { } s.mu.Unlock() if p == nil { - log.G(s.context).Infof("process with id:%d wasn't found", e.Pid) + log.G(s.context).Debugf("process with id:%d wasn't found", e.Pid) return } if ip, ok := p.(*process.Init); ok { diff --git a/vendor/github.com/containerd/containerd/vendor.conf b/vendor/github.com/containerd/containerd/vendor.conf index aee8ad2415..59ec791489 100644 --- a/vendor/github.com/containerd/containerd/vendor.conf +++ b/vendor/github.com/containerd/containerd/vendor.conf @@ -86,9 +86,9 @@ sigs.k8s.io/structured-merge-diff/v3 v3.0.0 sigs.k8s.io/yaml v1.2.0 # cni dependencies -github.com/containerd/go-cni v1.0.0 -github.com/containernetworking/cni v0.7.1 -github.com/containernetworking/plugins v0.7.6 +github.com/containerd/go-cni v1.0.1 +github.com/containernetworking/cni v0.8.0 +github.com/containernetworking/plugins v0.8.6 github.com/fsnotify/fsnotify v1.4.9 # image decrypt depedencies diff --git a/vendor/github.com/containerd/containerd/version/version.go b/vendor/github.com/containerd/containerd/version/version.go index 3eb8c902bf..9a23540288 100644 --- a/vendor/github.com/containerd/containerd/version/version.go +++ b/vendor/github.com/containerd/containerd/version/version.go @@ -23,7 +23,7 @@ var ( Package = "github.com/containerd/containerd" // Version holds the complete version number. Filled in at linking time. - Version = "1.4.0+unknown" + Version = "1.4.1+unknown" // Revision is filled with the VCS (e.g. git) revision being used to build // the program at linking time.