[v0.11] cherry-picks #3463
Merged
[v0.11] cherry-picks #3463
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> (cherry picked from commit 61a1e33)
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> (cherry picked from commit 4d4b56a)
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> (cherry picked from commit 103a0a1)
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> (cherry picked from commit ad85ce7)
The GRPC docs on RecvMsg say: > RecvMsg blocks until it receives a message into m or the stream is > done. It returns io.EOF when the client has performed a CloseSend. > On any non-EOF error, the stream is aborted and the error contains > the RPC status. So if EOF is received that just means the client won't be sending anymore data. But it may still be expecting to read data, so we shouldn't close the conn yet. This was encountered in real life when forwarding a docker socket to a container, where it appears that the docker CLI closes its write side of the connection when requesting the stdout/stderr but then expects to read data after that. Signed-off-by: Erik Sipsma <erik@sipsma.dev> (cherry picked from commit eb9e2c9)
In order to support identity mapping and user namespaces, the Moby project needs to defer the creation of a container's network namespace to the runtime and hook into the container lifecycle to configure the network namespace before the user binary is started. The standard way to do so is by configuring a `createRuntime` OCI lifecycle hook, in which the OCI runtime executes a specified process in the runtime environment after the container has been created and before it is started. In the case of Moby the network namespace needs to be configured from the daemon process, which necessitates that the hook process communicate with the daemon process. This is complicated and slow. All the hook process does is inform the daemon of the container's PID and wait until the daemon has finished applying the network namespace configuration. There is an alternative to the `createRuntime` OCI hook which containerd clients can take advantage of. The `container.NewTask` method is directly analogous to the OCI create operation, and the `task.Start` method is directly analogous to the OCI start operation. Any operations performed between the `NewTask` and `Start` calls are therefore directly analogous to `createRuntime` OCI hooks, without needing to execute any external processes! Provide a mechanism for network.Namespace instances to register a callback function which can be used to configure a container's network namespace instead of, or in addition to, `createRuntime` OCI hooks. Signed-off-by: Cory Snider <csnider@mirantis.com> (cherry picked from commit b5fdf90)
It looks like there's some changes between `busybox:1.34.0` and up; version
1.34.0 of the image did not have a `/usr/bin` directory (only `/usr/sbin`);
docker run --rm -it busybox:1.34.0 ls -al /usr/
total 12
drwxr-xr-x 3 root root 4096 Sep 13 2021 .
drwxr-xr-x 1 root root 4096 Dec 27 14:45 ..
drwxr-xr-x 2 daemon daemon 4096 Sep 13 2021 sbin
But 1.34.1 and up do;
docker run --rm -it busybox:1.34.1 ls -al usr/
total 16
drwxr-xr-x 4 root root 4096 Dec 21 18:28 .
drwxr-xr-x 1 root root 4096 Dec 27 14:44 ..
drwxr-xr-x 2 root root 4096 Dec 21 18:28 bin
drwxr-xr-x 2 daemon daemon 4096 Dec 21 18:28 sbin
It's not immediately apparent what caused this change, or if it's in
busybox itself, or in the official image only;
mirror/busybox@1_34_0...1_34_1
But either way, this change caused a test to fail:
sandbox.go:238: time="2022-12-27T13:45:25.294022820Z" level=debug msg="> creating 4gr5bno8rj7l3k7h9jxe3jhal [/bin/sh -c mkdir /usr/bin && echo -n foo > /usr/bin/go]" span="[golang 2/2] RUN mkdir /usr/bin && echo -n foo > /usr/bin/go"
sandbox.go:238: time="2022-12-27T13:45:25.433886983Z" level=debug msg="sandbox set key processing took 70.062631ms for container 5b4o358g2ryquk4s6ami38gqo"
sandbox.go:238: mkdir: can't create directory '/usr/bin': File exists
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 34f9898)
Signed-off-by: JordanGoasdoue <jordan.goasdoue@dailymotion.com> (cherry picked from commit e849b62)
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> (cherry picked from commit 853d56e)
Signed-off-by: Gahl Saraf <saraf.gahl@gmail.com> (cherry picked from commit afb01a7)
Signed-off-by: Justin Chadwell <me@jedevc.com> (cherry picked from commit e9b167c)
This isn't anywhere at the moment, but we should be consistent here to help avoid any future logic issues. Signed-off-by: Justin Chadwell <me@jedevc.com> (cherry picked from commit 3959dc4)
Signed-off-by: Justin Chadwell <me@jedevc.com> (cherry picked from commit 244caf6)
Signed-off-by: Justin Chadwell <me@jedevc.com> (cherry picked from commit 3bc2aa6)
Signed-off-by: Justin Chadwell <me@jedevc.com> (cherry picked from commit 3fab94f)
Signed-off-by: Justin Chadwell <me@jedevc.com> (cherry picked from commit 24807f5)
Signed-off-by: Justin Chadwell <me@jedevc.com> (cherry picked from commit 13a24b7)
Signed-off-by: Justin Chadwell <me@jedevc.com> (cherry picked from commit b7a4bca)
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> (cherry picked from commit 4d807dd)
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> (cherry picked from commit c1963ec)
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> (cherry picked from commit 9c212c2)
Signed-off-by: David Karlsson <david.karlsson@docker.com> (cherry picked from commit 066091a)
Signed-off-by: David Karlsson <david.karlsson@docker.com> (cherry picked from commit ea715c8)
Signed-off-by: David Karlsson <david.karlsson@docker.com> (cherry picked from commit 4664605)
Signed-off-by: Justin Chadwell <me@jedevc.com> (cherry picked from commit 065e6a5)
Signed-off-by: Justin Chadwell <me@jedevc.com> (cherry picked from commit 618e8f2)
Signed-off-by: Justin Chadwell <me@jedevc.com> (cherry picked from commit 5845707)
There are quite a few pages dedicated to describing attestations, so for easier organization, we can move them all to a single location. Signed-off-by: Justin Chadwell <me@jedevc.com> (cherry picked from commit 4cfa60e)
Signed-off-by: Justin Chadwell <me@jedevc.com> (cherry picked from commit 1433d80)
Previously, we would attempt to add file data for every single SBOM - however, if these SBOMs were taken of layers that were not exported, then these could be wrong. To workaround this, for the file layer details to be added to the resulting SBOM, we require that the scanner add a metadata property to indicate the default value. This is configurable, since in the future we may want behavior that allows the frontend to specify no file layers, or wants an SBOM with layers other than the default. Signed-off-by: Justin Chadwell <me@jedevc.com> (cherry picked from commit 2948389)
This allows some of the client processing code to abstract more over the details of how the ociindex package works, and how it loads tags - the calling code only need to know that it's being pointed at a containerd content store directory. Importantly, this allows for reusability, so we can use this same code more easily in buildx for oci-layouts. Signed-off-by: Justin Chadwell <me@jedevc.com> (cherry picked from commit 49c2275)
…ndex Signed-off-by: Justin Chadwell <me@jedevc.com> (cherry picked from commit 9623017)
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> (cherry picked from commit c905063)
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> (cherry picked from commit b3a430c)
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> (cherry picked from commit 994b529)
tonistiigi
force-pushed
the
v0.11-picks
branch
from
53f46fb
to
4cbc411
Compare
crazy-max
approved these changes
Jan 6, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
#3423
#3428
#3431
#3254
#3436
#3430
#3440
#3058
#3416
#3450
#3375
#3459
#3422
#3409
#3443
#3461
#3462
#3466
#3469