Hello community,
here is the log from the commit of package cri-o for openSUSE:Factory checked in at 2018-11-20 22:28:38
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cri-o (Old)
and /work/SRC/openSUSE:Factory/.cri-o.new.19453 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cri-o"
Tue Nov 20 22:28:38 2018 rev:21 rq:650125 version:1.12.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/cri-o/cri-o.changes 2018-11-13 16:22:32.234980158 +0100
+++ /work/SRC/openSUSE:Factory/.cri-o.new.19453/cri-o.changes 2018-11-20 22:28:46.874729004 +0100
@@ -1,0 +2,11 @@
+Mon Nov 19 08:07:35 UTC 2018 - Valentin Rothberg
+
+- Update cri-o to v1.12.1:
+ * Remove nodev from mounts
+ * vendor: update storage for a panic fix
+ * container_create: fix dev mounts and remove nodev from /dev mounts
+ * Use CurrentContainerStatus in list CRI calls
+ * oci: Add CurrentContainerStatus API
+ * conmon: fsync the log file
+
+-------------------------------------------------------------------
Old:
----
cri-o-1.12.0.tar.xz
New:
----
cri-o-1.12.1.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ cri-o.spec ++++++
--- /var/tmp/diff_new_pack.VDd59l/_old 2018-11-20 22:28:48.954727768 +0100
+++ /var/tmp/diff_new_pack.VDd59l/_new 2018-11-20 22:28:48.954727768 +0100
@@ -31,7 +31,7 @@
%define name_source2 sysconfig.crio
%define name_source3 crio.conf
Name: cri-o
-Version: 1.12.0
+Version: 1.12.1
Release: 0
Summary: OCI-based implementation of Kubernetes Container Runtime Interface
License: Apache-2.0
++++++ _service ++++++
--- /var/tmp/diff_new_pack.VDd59l/_old 2018-11-20 22:28:48.994727745 +0100
+++ /var/tmp/diff_new_pack.VDd59l/_new 2018-11-20 22:28:48.994727745 +0100
@@ -2,8 +2,8 @@
<service name="tar_scm" mode="disabled">
<param name="url">https://github.com/kubernetes-sigs/cri-o</param>
<param name="scm">git</param>
-<param name="versionformat">1.12.0</param>
-<param name="revision">v1.12.0</param>
+<param name="versionformat">1.12.1</param>
+<param name="revision">v1.12.1</param>
</service>
<service name="recompress" mode="disabled">
<param name="file">cri-o-*.tar</param>
++++++ cri-o-1.12.0.tar.xz -> cri-o-1.12.1.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.12.0/Makefile new/cri-o-1.12.1/Makefile
--- old/cri-o-1.12.0/Makefile 2018-10-18 11:54:08.000000000 +0200
+++ new/cri-o-1.12.1/Makefile 2018-11-12 23:05:14.000000000 +0100
@@ -106,7 +106,7 @@
./bin/crio --config="" config --default > crio.conf
release-note:
- @$(GOPATH)/bin/containerd-release -n $(release)
+ @$(GOPATH)/bin/release-tool -n $(release)
conmon/config.h: cmd/crio-config/config.go oci/oci.go
$(GO) build -i $(LDFLAGS) -o bin/crio-config $(PROJECT)/cmd/crio-config
@@ -221,8 +221,8 @@
install.tools: .install.gitvalidation .install.gometalinter .install.md2man .install.release
.install.release:
- if [ ! -x "$(GOPATH)/bin/containerd-release" ]; then \
- go get -u github.com/containerd/containerd/cmd/containerd-release; \
+ if [ ! -x "$(GOPATH)/bin/release-tool" ]; then \
+ go get -u github.com/containerd/project/cmd/release-tool; \
fi
.install.gitvalidation: .gopathok
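Review bot: The `.install.release` recipe still installs the release tool with an unpinned `go get -u`, so each build host gets whatever github.com/containerd/project and its dependencies contain at fetch time. The `-x` test only proves that a file named `release-tool` exists, not which revision it was built from. Until the tool is pinned to a reviewed commit or vendored, a comment above the recipe would record the gap, for example `# NOTE: release-tool is fetched unpinned from upstream; pin to a reviewed revision before using it for releases`.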
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.12.0/conmon/conmon.c new/cri-o-1.12.1/conmon/conmon.c
--- old/cri-o-1.12.0/conmon/conmon.c 2018-10-18 11:54:08.000000000 +0200
+++ new/cri-o-1.12.1/conmon/conmon.c 2018-11-12 23:05:14.000000000 +0100
@@ -156,6 +156,13 @@
exit(EXIT_FAILURE); \
} while (0)
+#define pwarn(s) \
+ do { \
+ fprintf(stderr, "[conmon:w]: %s %s\n", s, strerror(errno)); \
+ if (opt_syslog) \
+ syslog(LOG_INFO, "conmon %.20s <pwarn>: %s %s\n", opt_cid, s, strerror(errno)); \
+ } while (0)
+
#define nexit(s) \
do { \
fprintf(stderr, "[conmon:e] %s\n", s); \
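Review bot: `pwarn` reads `errno` twice, once for `fprintf` and again for `syslog`, and `fprintf` may itself modify `errno`, so the syslog entry can name a different error than the stderr line. Saving it first with `int saved_errno = errno;` and passing `strerror(saved_errno)` to both calls keeps the two records consistent. The message is also sent at `LOG_INFO` although it is a warning; `LOG_WARNING` would let syslog filtering and alerting pick it up. The stderr prefix `[conmon:w]:` carries a trailing colon that the `[conmon:e]` prefix in nexit does not. The macro before pwarn starts outside the hunk and nexit continues past it.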
@@ -398,6 +405,11 @@
{
_cleanup_free_ char *opt_log_path_tmp = g_strdup_printf("%s.tmp", opt_log_path);
+ /* Sync the logs to disk */
+ if (fsync(log_fd) < 0) {
+ pwarn("Failed to sync log file on reopen");
+ }
+
/* Close the current log_fd */
close(log_fd);
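Review bot: The `fsync(log_fd)` added here runs with no check on the descriptor, while the matching call in the hunk at -1723 is guarded by `log_fd > 0`, so the two new sync sites disagree. If `log_fd` can be negative when the reopen path runs (not visible in this hunk), the call fails with EBADF and emits a misleading warning. The guard in the later hunk also skips descriptor 0, which is a valid descriptor. Using `if (log_fd >= 0 && fsync(log_fd) < 0)` in both places would make them consistent. The enclosing function starts and ends outside the hunk.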
@@ -1723,6 +1735,13 @@
;
}
+ /* Sync the logs to disk */
+ if (log_fd > 0) {
+ if (fsync(log_fd) < 0) {
+ pwarn("Failed to sync log file before exit");
+ }
+ }
+
int exit_status = -1;
const char *exit_message = NULL;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.12.0/oci/oci.go new/cri-o-1.12.1/oci/oci.go
--- old/cri-o-1.12.0/oci/oci.go 2018-10-18 11:54:08.000000000 +0200
+++ new/cri-o-1.12.1/oci/oci.go 2018-11-12 23:05:14.000000000 +0100
@@ -897,6 +897,11 @@
return c.state
}
+// CurrentContainerStatus returns the state of a container without using a lock.
+func (r *Runtime) CurrentContainerStatus(c *Container) *ContainerState {
+ return c.state
+}
+
// PauseContainer pauses a container.
func (r *Runtime) PauseContainer(c *Container) error {
c.opLock.Lock()
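Review bot: `CurrentContainerStatus` returns the live `*ContainerState` pointer rather than a copy, so the list callers in server/container_list.go and server/sandbox_list.go read fields such as `Status` while another goroutine may be writing them. Presumably the locked paths update that same struct, which would make this a data race even where a stale value is acceptable. The doc comment should state the contract, for example `// The returned state may be stale or mid-update and must be treated as read-only; use ContainerStatus when a consistent view is required.` The receiver `r` is not used in the body. The function above and PauseContainer are only partly visible here, so the locking done by ContainerStatus is inferred from the comment wording.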
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.12.0/pkg/storage/runtime.go new/cri-o-1.12.1/pkg/storage/runtime.go
--- old/cri-o-1.12.0/pkg/storage/runtime.go 2018-10-18 11:54:08.000000000 +0200
+++ new/cri-o-1.12.1/pkg/storage/runtime.go 2018-11-12 23:05:14.000000000 +0100
@@ -420,7 +420,7 @@
if err != nil {
return err
}
- _, err = r.storageImageServer.GetStore().Unmount(container.ID, false)
+ _, err = r.storageImageServer.GetStore().Unmount(container.ID, true)
if err != nil {
logrus.Debugf("failed to unmount container %q: %v", container.ID, err)
return err
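Review bot: The bare `true` now passed to `Unmount` does not say what it switches on; in containers/storage that argument is the force flag, which unmounts regardless of the recorded mount count. A comment on the call would record why that is safe at this point, for example `// force: the container is being removed, so unmount even if the mount count is above one`. If any other user can still hold this container's mount when this runs (not visible in the hunk), it loses the mount without notice. The enclosing function starts and ends outside the hunk.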
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.12.0/server/container_create.go new/cri-o-1.12.1/server/container_create.go
--- old/cri-o-1.12.0/server/container_create.go 2018-10-18 11:54:08.000000000 +0200
+++ new/cri-o-1.12.1/server/container_create.go 2018-11-12 23:05:14.000000000 +0100
@@ -61,6 +61,33 @@
return strings.Count(filepath.Clean(m[i].Destination), string(os.PathSeparator))
}
+// mounts defines how to sort runtime.Mount.
+// This is the same with the Docker implementation:
+// https://github.com/moby/moby/blob/17.05.x/daemon/volumes.go#L26
+type criOrderedMounts []*pb.Mount
+
+// Len returns the number of mounts. Used in sorting.
+func (m criOrderedMounts) Len() int {
+ return len(m)
+}
+
+// Less returns true if the number of parts (a/b/c would be 3 parts) in the
+// mount indexed by parameter 1 is less than that of the mount indexed by
+// parameter 2. Used in sorting.
+func (m criOrderedMounts) Less(i, j int) bool {
+ return m.parts(i) < m.parts(j)
+}
+
+// Swap swaps two items in an array of mounts. Used in sorting
+func (m criOrderedMounts) Swap(i, j int) {
+ m[i], m[j] = m[j], m[i]
+}
+
+// parts returns the number of parts in the destination of a mount. Used in sorting.
+func (m criOrderedMounts) parts(i int) int {
+ return strings.Count(filepath.Clean(m[i].ContainerPath), string(os.PathSeparator))
+}
+
// Ensure mount point on which path is mounted, is shared.
func ensureShared(path string, mountInfos []*dockermounts.Info) error {
sourceMount, optionalOpts, err := getSourceMount(path, mountInfos)
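Review bot: The doc comment on `criOrderedMounts` opens with `mounts defines how to sort runtime.Mount`, which does not name the type it documents; it should read `// criOrderedMounts defines how to sort CRI mounts (pb.Mount) by destination depth.` In `parts`, `m[i].ContainerPath` dereferences the element directly, and the slice holds pointers taken from the CRI request, so a nil entry would panic inside the sort. `m[i].GetContainerPath()` avoids that and matches the getter the create path switches to in container_create_linux.go. The four methods otherwise repeat the sorter whose `parts` method ends at the top of this hunk, differing only in the field read.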
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.12.0/server/container_create_linux.go new/cri-o-1.12.1/server/container_create_linux.go
--- old/cri-o-1.12.0/server/container_create_linux.go 2018-10-18 11:54:08.000000000 +0200
+++ new/cri-o-1.12.1/server/container_create_linux.go 2018-11-12 23:05:14.000000000 +0100
@@ -982,8 +982,35 @@
volumes := []oci.ContainerVolume{}
ociMounts := []rspec.Mount{}
mounts := containerConfig.GetMounts()
+
+ // Sort mounts in number of parts. This ensures that high level mounts don't
+ // shadow other mounts.
+ sort.Sort(criOrderedMounts(mounts))
+
+ // Copy all mounts from default mounts, except for
+ // - mounts overridden by supplied mount;
+ // - all mounts under /dev if a supplied /dev is present.
+ mountSet := make(map[string]struct{})
+ for _, m := range mounts {
+ mountSet[filepath.Clean(m.ContainerPath)] = struct{}{}
+ }
+ defaultMounts := specgen.Mounts()
+ specgen.ClearMounts()
+ for _, m := range defaultMounts {
+ dst := filepath.Clean(m.Destination)
+ if _, ok := mountSet[dst]; ok {
+ // filter out mount overridden by a supplied mount
+ continue
+ }
+ if _, mountDev := mountSet["/dev"]; mountDev && strings.HasPrefix(dst, "/dev/") {
+ // filter out everything under /dev if /dev is a supplied mount
+ continue
+ }
+ specgen.AddMount(m)
+ }
+
for _, mount := range mounts {
- dest := mount.ContainerPath
+ dest := mount.GetContainerPath()
if dest == "" {
return nil, nil, fmt.Errorf("Mount.ContainerPath is empty")
}
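Review bot: `sort.Sort` is not stable, so two supplied mounts with the same path depth, including two with the same `ContainerPath`, can be emitted in a different order than the request gave. That makes which one ends up on top depend on the sort implementation; `sort.Stable(criOrderedMounts(mounts))` keeps request order among equals. The sort also reorders the slice returned by `containerConfig.GetMounts()` in place, which changes the caller's request object. In the set-building loop, `m.ContainerPath` is read directly, before the empty-path check further down and without the nil-safe `m.GetContainerPath()` used a few lines later. The enclosing function starts and ends outside the hunk.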
@@ -991,7 +1018,7 @@
if mount.HostPath == "" {
return nil, nil, fmt.Errorf("Mount.HostPath is empty")
}
- src := filepath.Join(bindMountPrefix, mount.HostPath)
+ src := filepath.Join(bindMountPrefix, mount.GetHostPath())
resolvedSrc, err := resolveSymbolicLink(src, bindMountPrefix)
if err == nil {
@@ -1008,7 +1035,7 @@
if mount.Readonly {
options = []string{"ro"}
}
- options = append(options, "rbind", "nodev")
+ options = append(options, "rbind")
// mount propagation
mountInfos, err := dockermounts.GetMounts(nil)
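Review bot: Removing `nodev` on this line affects every bind mount built by the loop, not only mounts at or under /dev. Device nodes that exist in any host path a pod mounts are then honoured inside the container, leaving the device cgroup allowlist as the remaining control. The changelog lists both "Remove nodev from mounts" and "remove nodev from /dev mounts", so the wider scope may be deliberate; in that case a comment here should say so and name the device cgroup as the control being relied on. If only a supplied /dev needs it, the option can be kept elsewhere with `if dest != "/dev" && !strings.HasPrefix(dest, "/dev/") { options = append(options, "nodev") }`. The loop body starts and ends outside the hunk.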
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.12.0/server/container_list.go new/cri-o-1.12.1/server/container_list.go
--- old/cri-o-1.12.0/server/container_list.go 2018-10-18 11:54:08.000000000 +0200
+++ new/cri-o-1.12.1/server/container_list.go 2018-11-12 23:05:14.000000000 +0100
@@ -90,7 +90,7 @@
continue
}
podSandboxID := ctr.Sandbox()
- cState := s.Runtime().ContainerStatus(ctr)
+ cState := s.Runtime().CurrentContainerStatus(ctr)
created := ctr.CreatedAt().UnixNano()
rState := pb.ContainerState_CONTAINER_UNKNOWN
cID := ctr.ID()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.12.0/server/sandbox_list.go new/cri-o-1.12.1/server/sandbox_list.go
--- old/cri-o-1.12.0/server/sandbox_list.go 2018-10-18 11:54:08.000000000 +0200
+++ new/cri-o-1.12.1/server/sandbox_list.go 2018-11-12 23:05:14.000000000 +0100
@@ -74,7 +74,7 @@
// it's better not to panic
continue
}
- cState := s.Runtime().ContainerStatus(podInfraContainer)
+ cState := s.Runtime().CurrentContainerStatus(podInfraContainer)
rStatus := pb.PodSandboxState_SANDBOX_NOTREADY
if cState.Status == oci.ContainerStateRunning {
rStatus = pb.PodSandboxState_SANDBOX_READY
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.12.0/vendor/github.com/containers/storage/README.md new/cri-o-1.12.1/vendor/github.com/containers/storage/README.md
--- old/cri-o-1.12.0/vendor/github.com/containers/storage/README.md 2018-10-18 11:54:08.000000000 +0200
+++ new/cri-o-1.12.1/vendor/github.com/containers/storage/README.md 2018-11-12 23:05:14.000000000 +0100
@@ -2,7 +2,7 @@
layers, container images, and containers. A `containers-storage` CLI wrapper
is also included for manual and scripting use.
-To build the CLI wrapper, use 'make build-binary'.
+To build the CLI wrapper, use 'make binary'.
Operations which use VMs expect to launch them using 'vagrant', defaulting to
using its 'libvirt' provider. The boxes used are also available for the
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.12.0/vendor/github.com/containers/storage/containers.go new/cri-o-1.12.1/vendor/github.com/containers/storage/containers.go
--- old/cri-o-1.12.0/vendor/github.com/containers/storage/containers.go 2018-10-18 11:54:08.000000000 +0200
+++ new/cri-o-1.12.1/vendor/github.com/containers/storage/containers.go 2018-11-12 23:05:14.000000000 +0100
@@ -133,6 +133,20 @@
}
}
+func (c *Container) MountLabel() string {
+ if label, ok := c.Flags["MountLabel"].(string); ok {
+ return label
+ }
+ return ""
+}
+
+func (c *Container) ProcessLabel() string {
+ if label, ok := c.Flags["ProcessLabel"].(string); ok {
+ return label
+ }
+ return ""
+}
+
func (r *containerStore) Containers() ([]Container, error) {
containers := make([]Container, len(r.containers))
for i := range r.containers {
@@ -297,7 +311,7 @@
BigDataSizes: make(map[string]int64),
BigDataDigests: make(map[string]digest.Digest),
Created: time.Now().UTC(),
- Flags: make(map[string]interface{}),
+ Flags: copyStringInterfaceMap(options.Flags),
UIDMap: copyIDMap(options.UIDMap),
GIDMap: copyIDMap(options.GIDMap),
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.12.0/vendor/github.com/containers/storage/drivers/aufs/aufs.go new/cri-o-1.12.1/vendor/github.com/containers/storage/drivers/aufs/aufs.go
--- old/cri-o-1.12.0/vendor/github.com/containers/storage/drivers/aufs/aufs.go 2018-10-18 11:54:08.000000000 +0200
+++ new/cri-o-1.12.1/vendor/github.com/containers/storage/drivers/aufs/aufs.go 2018-11-12 23:05:14.000000000 +0100
@@ -416,7 +416,7 @@
// Get returns the rootfs path for the id.
// This will mount the dir at its given path
-func (a *Driver) Get(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (string, error) {
+func (a *Driver) Get(id string, options graphdriver.MountOpts) (string, error) {
a.locker.Lock(id)
defer a.locker.Unlock(id)
parents, err := a.getParentLayerPaths(id)
@@ -441,7 +441,7 @@
// If a dir does not have a parent ( no layers )do not try to mount
// just return the diff path to the data
if len(parents) > 0 {
- if err := a.mount(id, m, mountLabel, parents); err != nil {
+ if err := a.mount(id, m, options.MountLabel, parents); err != nil {
return "", err
}
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.12.0/vendor/github.com/containers/storage/drivers/btrfs/btrfs.go new/cri-o-1.12.1/vendor/github.com/containers/storage/drivers/btrfs/btrfs.go
--- old/cri-o-1.12.0/vendor/github.com/containers/storage/drivers/btrfs/btrfs.go 2018-10-18 11:54:08.000000000 +0200
+++ new/cri-o-1.12.1/vendor/github.com/containers/storage/drivers/btrfs/btrfs.go 2018-11-12 23:05:14.000000000 +0100
@@ -634,7 +634,7 @@
}
// Get the requested filesystem id.
-func (d *Driver) Get(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (string, error) {
+func (d *Driver) Get(id string, options graphdriver.MountOpts) (string, error) {
dir := d.subvolumesDirID(id)
st, err := os.Stat(dir)
if err != nil {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.12.0/vendor/github.com/containers/storage/drivers/chown.go new/cri-o-1.12.1/vendor/github.com/containers/storage/drivers/chown.go
--- old/cri-o-1.12.0/vendor/github.com/containers/storage/drivers/chown.go 2018-10-18 11:54:08.000000000 +0200
+++ new/cri-o-1.12.1/vendor/github.com/containers/storage/drivers/chown.go 2018-11-12 23:05:14.000000000 +0100
@@ -114,7 +114,10 @@
// same "container" IDs.
func (n *naiveLayerIDMapUpdater) UpdateLayerIDMap(id string, toContainer, toHost *idtools.IDMappings, mountLabel string) error {
driver := n.ProtoDriver
- layerFs, err := driver.Get(id, mountLabel, nil, nil)
+ options := MountOpts{
+ MountLabel: mountLabel,
+ }
+ layerFs, err := driver.Get(id, options)
if err != nil {
return err
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.12.0/vendor/github.com/containers/storage/drivers/chown_unix.go new/cri-o-1.12.1/vendor/github.com/containers/storage/drivers/chown_unix.go
--- old/cri-o-1.12.0/vendor/github.com/containers/storage/drivers/chown_unix.go 2018-10-18 11:54:08.000000000 +0200
+++ new/cri-o-1.12.1/vendor/github.com/containers/storage/drivers/chown_unix.go 2018-11-12 23:05:14.000000000 +0100
@@ -8,6 +8,7 @@
"syscall"
"github.com/containers/storage/pkg/idtools"
+ "github.com/containers/storage/pkg/system"
)
func platformLChown(path string, info os.FileInfo, toHost, toContainer *idtools.IDMappings) error {
@@ -49,6 +50,11 @@
if err != nil {
return fmt.Errorf("%s: lstat(%q): %v", os.Args[0], path, err)
}
+ cap, err := system.Lgetxattr(path, "security.capability")
+ if err != nil && err != system.ErrNotSupportedPlatform {
+ return fmt.Errorf("%s: Lgetxattr(%q): %v", os.Args[0], path, err)
+ }
+
// Make the change.
if err := syscall.Lchown(path, uid, gid); err != nil {
return fmt.Errorf("%s: chown(%q): %v", os.Args[0], path, err)
@@ -59,6 +65,12 @@
return fmt.Errorf("%s: chmod(%q): %v", os.Args[0], path, err)
}
}
+ if cap != nil {
+ if err := system.Lsetxattr(path, "security.capability", cap, 0); err != nil {
+ return fmt.Errorf("%s: Lsetxattr(%q): %v", os.Args[0], path, err)
+ }
+ }
+
}
}
return nil
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.12.0/vendor/github.com/containers/storage/drivers/devmapper/driver.go new/cri-o-1.12.1/vendor/github.com/containers/storage/drivers/devmapper/driver.go
--- old/cri-o-1.12.0/vendor/github.com/containers/storage/drivers/devmapper/driver.go 2018-10-18 11:54:08.000000000 +0200
+++ new/cri-o-1.12.1/vendor/github.com/containers/storage/drivers/devmapper/driver.go 2018-11-12 23:05:14.000000000 +0100
@@ -163,7 +163,7 @@
}
// Get mounts a device with given id into the root filesystem
-func (d *Driver) Get(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (string, error) {
+func (d *Driver) Get(id string, options graphdriver.MountOpts) (string, error) {
d.locker.Lock(id)
defer d.locker.Unlock(id)
mp := path.Join(d.home, "mnt", id)
@@ -189,7 +189,7 @@
}
// Mount the device
- if err := d.DeviceSet.MountDevice(id, mp, mountLabel); err != nil {
+ if err := d.DeviceSet.MountDevice(id, mp, options.MountLabel); err != nil {
d.ctr.Decrement(mp)
return "", err
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.12.0/vendor/github.com/containers/storage/drivers/driver.go new/cri-o-1.12.1/vendor/github.com/containers/storage/drivers/driver.go
--- old/cri-o-1.12.0/vendor/github.com/containers/storage/drivers/driver.go 2018-10-18 11:54:08.000000000 +0200
+++ new/cri-o-1.12.1/vendor/github.com/containers/storage/drivers/driver.go 2018-11-12 23:05:14.000000000 +0100
@@ -42,6 +42,15 @@
StorageOpt map[string]string
}
+// MountOpts contains optional arguments for LayerStope.Mount() methods.
+type MountOpts struct {
+ // Mount label is the MAC Labels to assign to mount point (SELINUX)
+ MountLabel string
+ // UidMaps & GidMaps are the User Namespace mappings to be assigned to content in the mount point
+ UidMaps []idtools.IDMap
+ GidMaps []idtools.IDMap
+}
+
// InitFunc initializes the storage driver.
type InitFunc func(root string, options []string, uidMaps, gidMaps []idtools.IDMap) (Driver, error)
@@ -68,7 +77,7 @@
// to by this id. You can optionally specify a mountLabel or "".
// Optionally it gets the mappings used to create the layer.
// Returns the absolute path to the mounted layered filesystem.
- Get(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (dir string, err error)
+ Get(id string, options MountOpts) (dir string, err error)
// Put releases the system resources for the specified id,
// e.g, unmounting layered filesystem.
Put(id string) error
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.12.0/vendor/github.com/containers/storage/drivers/fsdiff.go new/cri-o-1.12.1/vendor/github.com/containers/storage/drivers/fsdiff.go
--- old/cri-o-1.12.0/vendor/github.com/containers/storage/drivers/fsdiff.go 2018-10-18 11:54:08.000000000 +0200
+++ new/cri-o-1.12.1/vendor/github.com/containers/storage/drivers/fsdiff.go 2018-11-12 23:05:14.000000000 +0100
@@ -51,7 +51,10 @@
parentMappings = &idtools.IDMappings{}
}
- layerFs, err := driver.Get(id, mountLabel, nil, nil)
+ options := MountOpts{
+ MountLabel: mountLabel,
+ }
+ layerFs, err := driver.Get(id, options)
if err != nil {
return nil, err
}
@@ -78,7 +81,7 @@
}), nil
}
- parentFs, err := driver.Get(parent, mountLabel, nil, nil)
+ parentFs, err := driver.Get(parent, options)
if err != nil {
return nil, err
}
@@ -119,7 +122,10 @@
parentMappings = &idtools.IDMappings{}
}
- layerFs, err := driver.Get(id, mountLabel, nil, nil)
+ options := MountOpts{
+ MountLabel: mountLabel,
+ }
+ layerFs, err := driver.Get(id, options)
if err != nil {
return nil, err
}
@@ -128,7 +134,10 @@
parentFs := ""
if parent != "" {
- parentFs, err = driver.Get(parent, mountLabel, nil, nil)
+ options := MountOpts{
+ MountLabel: mountLabel,
+ }
+ parentFs, err = driver.Get(parent, options)
if err != nil {
return nil, err
}
@@ -149,7 +158,10 @@
}
// Mount the root filesystem so we can apply the diff/layer.
- layerFs, err := driver.Get(id, mountLabel, nil, nil)
+ mountOpts := MountOpts{
+ MountLabel: mountLabel,
+ }
+ layerFs, err := driver.Get(id, mountOpts)
if err != nil {
return
}
@@ -189,7 +201,10 @@
return
}
- layerFs, err := driver.Get(id, mountLabel, nil, nil)
+ options := MountOpts{
+ MountLabel: mountLabel,
+ }
+ layerFs, err := driver.Get(id, options)
if err != nil {
return
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.12.0/vendor/github.com/containers/storage/drivers/overlay/check.go new/cri-o-1.12.1/vendor/github.com/containers/storage/drivers/overlay/check.go
--- old/cri-o-1.12.0/vendor/github.com/containers/storage/drivers/overlay/check.go 2018-10-18 11:54:08.000000000 +0200
+++ new/cri-o-1.12.1/vendor/github.com/containers/storage/drivers/overlay/check.go 2018-11-12 23:05:14.000000000 +0100
@@ -20,7 +20,7 @@
// which copies up the opaque flag when copying up an opaque
// directory or the kernel enable CONFIG_OVERLAY_FS_REDIRECT_DIR.
// When these exist naive diff should be used.
-func doesSupportNativeDiff(d string) error {
+func doesSupportNativeDiff(d, mountOpts string) error {
td, err := ioutil.TempDir(d, "opaque-bug-check")
if err != nil {
return err
@@ -57,6 +57,9 @@
}
opts := fmt.Sprintf("lowerdir=%s:%s,upperdir=%s,workdir=%s", path.Join(td, "l2"), path.Join(td, "l1"), path.Join(td, "l3"), path.Join(td, "work"))
+ if mountOpts != "" {
+ opts = fmt.Sprintf("%s,%s", opts, mountOpts)
+ }
if err := unix.Mount("overlay", filepath.Join(td, "merged"), "overlay", 0, opts); err != nil {
return errors.Wrap(err, "failed to mount overlay")
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.12.0/vendor/github.com/containers/storage/drivers/overlay/overlay.go new/cri-o-1.12.1/vendor/github.com/containers/storage/drivers/overlay/overlay.go
--- old/cri-o-1.12.0/vendor/github.com/containers/storage/drivers/overlay/overlay.go 2018-10-18 11:54:08.000000000 +0200
+++ new/cri-o-1.12.1/vendor/github.com/containers/storage/drivers/overlay/overlay.go 2018-11-12 23:05:14.000000000 +0100
@@ -138,10 +138,12 @@
}
// check if they are running over btrfs, aufs, zfs, overlay, or ecryptfs
- switch fsMagic {
- case graphdriver.FsMagicAufs, graphdriver.FsMagicZfs, graphdriver.FsMagicOverlay, graphdriver.FsMagicEcryptfs:
- logrus.Errorf("'overlay' is not supported over %s", backingFs)
- return nil, errors.Wrapf(graphdriver.ErrIncompatibleFS, "'overlay' is not supported over %s", backingFs)
+ if opts.mountProgram == "" {
+ switch fsMagic {
+ case graphdriver.FsMagicAufs, graphdriver.FsMagicZfs, graphdriver.FsMagicOverlay, graphdriver.FsMagicEcryptfs:
+ logrus.Errorf("'overlay' is not supported over %s", backingFs)
+ return nil, errors.Wrapf(graphdriver.ErrIncompatibleFS, "'overlay' is not supported over %s", backingFs)
+ }
}
rootUID, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps)
@@ -204,7 +206,7 @@
return nil, fmt.Errorf("Storage option overlay.size only supported for backingFS XFS. Found %v", backingFs)
}
- logrus.Debugf("backingFs=%s, projectQuotaSupported=%v, useNativeDiff=%v", backingFs, projectQuotaSupported, !useNaiveDiff(home))
+ logrus.Debugf("backingFs=%s, projectQuotaSupported=%v, useNativeDiff=%v", backingFs, projectQuotaSupported, !d.useNaiveDiff())
return d, nil
}
@@ -336,9 +338,13 @@
return supportsDType, errors.Wrap(graphdriver.ErrNotSupported, "'overlay' not found as a supported filesystem on this host. Please ensure kernel is new enough and has overlay support loaded.")
}
-func useNaiveDiff(home string) bool {
+func (d *Driver) useNaiveDiff() bool {
useNaiveDiffLock.Do(func() {
- if err := doesSupportNativeDiff(home); err != nil {
+ if d.options.mountProgram != "" {
+ useNaiveDiffOnly = true
+ return
+ }
+ if err := doesSupportNativeDiff(d.home, d.options.mountOptions); err != nil {
logrus.Warnf("Not using native diff for overlay, this may cause degraded performance for building images: %v", err)
useNaiveDiffOnly = true
}
@@ -356,7 +362,7 @@
return [][2]string{
{"Backing Filesystem", backingFs},
{"Supports d_type", strconv.FormatBool(d.supportsDType)},
- {"Native Overlay Diff", strconv.FormatBool(!useNaiveDiff(d.home))},
+ {"Native Overlay Diff", strconv.FormatBool(!d.useNaiveDiff())},
}
}
@@ -642,11 +648,11 @@
}
// Get creates and mounts the required file system for the given id and returns the mount path.
-func (d *Driver) Get(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (_ string, retErr error) {
- return d.get(id, mountLabel, false, uidMaps, gidMaps)
+func (d *Driver) Get(id string, options graphdriver.MountOpts) (_ string, retErr error) {
+ return d.get(id, false, options)
}
-func (d *Driver) get(id, mountLabel string, disableShifting bool, uidMaps, gidMaps []idtools.IDMap) (_ string, retErr error) {
+func (d *Driver) get(id string, disableShifting bool, options graphdriver.MountOpts) (_ string, retErr error) {
d.locker.Lock(id)
defer d.locker.Unlock(id)
dir := d.dir(id)
@@ -740,7 +746,7 @@
if d.options.mountOptions != "" {
opts = fmt.Sprintf("%s,%s", d.options.mountOptions, opts)
}
- mountData := label.FormatMountLabel(opts, mountLabel)
+ mountData := label.FormatMountLabel(opts, options.MountLabel)
mountFunc := unix.Mount
mountTarget := mergedDir
@@ -753,7 +759,7 @@
if d.options.mountProgram != "" {
mountFunc = func(source string, target string, mType string, flags uintptr, label string) error {
if !disableShifting {
- label = d.optsAppendMappings(label, uidMaps, gidMaps)
+ label = d.optsAppendMappings(label, options.UidMaps, options.GidMaps)
}
mountProgram := exec.Command(d.options.mountProgram, "-o", label, target)
@@ -763,7 +769,7 @@
} else if len(mountData) > pageSize {
//FIXME: We need to figure out to get this to work with additional stores
opts = fmt.Sprintf("lowerdir=%s,upperdir=%s,workdir=%s", strings.Join(relLowers, ":"), path.Join(id, "diff"), path.Join(id, "work"))
- mountData = label.FormatMountLabel(opts, mountLabel)
+ mountData = label.FormatMountLabel(opts, options.MountLabel)
if len(mountData) > pageSize {
return "", fmt.Errorf("cannot mount layer, mount label too large %d", len(mountData))
}
@@ -881,7 +887,7 @@
// and its parent and returns the size in bytes of the changes
// relative to its base filesystem directory.
func (d *Driver) DiffSize(id string, idMappings *idtools.IDMappings, parent string, parentMappings *idtools.IDMappings, mountLabel string) (size int64, err error) {
- if useNaiveDiff(d.home) || !d.isParent(id, parent) {
+ if d.useNaiveDiff() || !d.isParent(id, parent) {
return d.naiveDiff.DiffSize(id, idMappings, parent, parentMappings, mountLabel)
}
return directory.Size(d.getDiffPath(id))
@@ -890,7 +896,7 @@
// Diff produces an archive of the changes between the specified
// layer and its parent layer which may be "".
func (d *Driver) Diff(id string, idMappings *idtools.IDMappings, parent string, parentMappings *idtools.IDMappings, mountLabel string) (io.ReadCloser, error) {
- if useNaiveDiff(d.home) || !d.isParent(id, parent) {
+ if d.useNaiveDiff() || !d.isParent(id, parent) {
return d.naiveDiff.Diff(id, idMappings, parent, parentMappings, mountLabel)
}
@@ -917,7 +923,7 @@
// Changes produces a list of changes between the specified layer
// and its parent layer. If parent is "", then all changes will be ADD changes.
func (d *Driver) Changes(id string, idMappings *idtools.IDMappings, parent string, parentMappings *idtools.IDMappings, mountLabel string) ([]archive.Change, error) {
- if useNaiveDiff(d.home) || !d.isParent(id, parent) {
+ if d.useNaiveDiff() || !d.isParent(id, parent) {
return d.naiveDiff.Changes(id, idMappings, parent, parentMappings, mountLabel)
}
// Overlay doesn't have snapshots, so we need to get changes from all parent
@@ -952,7 +958,10 @@
}
// Mount the new layer and handle ownership changes and possible copy_ups in it.
- layerFs, err := d.get(id, mountLabel, true, nil, nil)
+ options := graphdriver.MountOpts{
+ MountLabel: mountLabel,
+ }
+ layerFs, err := d.get(id, true, options)
if err != nil {
return err
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.12.0/vendor/github.com/containers/storage/drivers/vfs/driver.go new/cri-o-1.12.1/vendor/github.com/containers/storage/drivers/vfs/driver.go
--- old/cri-o-1.12.0/vendor/github.com/containers/storage/drivers/vfs/driver.go 2018-10-18 11:54:08.000000000 +0200
+++ new/cri-o-1.12.1/vendor/github.com/containers/storage/drivers/vfs/driver.go 2018-11-12 23:05:14.000000000 +0100
@@ -137,7 +137,7 @@
label.SetFileLabel(dir, mountLabel)
}
if parent != "" {
- parentDir, err := d.Get(parent, "", nil, nil)
+ parentDir, err := d.Get(parent, graphdriver.MountOpts{})
if err != nil {
return fmt.Errorf("%s: %s", parent, err)
}
@@ -179,7 +179,7 @@
}
// Get returns the directory for the given id.
-func (d *Driver) Get(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (string, error) {
+func (d *Driver) Get(id string, options graphdriver.MountOpts) (_ string, retErr error) {
dir := d.dir(id)
if st, err := os.Stat(dir); err != nil {
return "", err
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.12.0/vendor/github.com/containers/storage/drivers/windows/windows.go new/cri-o-1.12.1/vendor/github.com/containers/storage/drivers/windows/windows.go
--- old/cri-o-1.12.0/vendor/github.com/containers/storage/drivers/windows/windows.go 2018-10-18 11:54:08.000000000 +0200
+++ new/cri-o-1.12.1/vendor/github.com/containers/storage/drivers/windows/windows.go 2018-11-12 23:05:14.000000000 +0100
@@ -362,9 +362,9 @@
}
// Get returns the rootfs path for the id. This will mount the dir at its given path.
-func (d *Driver) Get(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (string, error) {
+func (d *Driver) Get(id string, options graphdriver.MountOpts) (string, error) {
panicIfUsedByLcow()
- logrus.Debugf("WindowsGraphDriver Get() id %s mountLabel %s", id, mountLabel)
+ logrus.Debugf("WindowsGraphDriver Get() id %s mountLabel %s", id, options.MountLabel)
var dir string
rID, err := d.resolveID(id)
@@ -620,7 +620,7 @@
return
}
- layerFs, err := d.Get(id, "", nil, nil)
+ layerFs, err := d.Get(id, graphdriver.MountOpts{})
if err != nil {
return
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.12.0/vendor/github.com/containers/storage/drivers/zfs/zfs.go new/cri-o-1.12.1/vendor/github.com/containers/storage/drivers/zfs/zfs.go
--- old/cri-o-1.12.0/vendor/github.com/containers/storage/drivers/zfs/zfs.go 2018-10-18 11:54:08.000000000 +0200
+++ new/cri-o-1.12.1/vendor/github.com/containers/storage/drivers/zfs/zfs.go 2018-11-12 23:05:14.000000000 +0100
@@ -52,7 +52,7 @@
return nil, errors.Wrap(graphdriver.ErrPrerequisites, "the 'zfs' command is not available")
}
- file, err := os.OpenFile("/dev/zfs", os.O_RDWR, 600)
+ file, err := os.OpenFile("/dev/zfs", os.O_RDWR, 0600)
if err != nil {
logrus.Debugf("[zfs] cannot open /dev/zfs: %v", err)
return nil, errors.Wrapf(graphdriver.ErrPrerequisites, "could not open /dev/zfs: %v", err)
@@ -360,15 +360,15 @@
}
// Get returns the mountpoint for the given id after creating the target directories if necessary.
-func (d *Driver) Get(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (string, error) {
+func (d *Driver) Get(id string, options graphdriver.MountOpts) (string, error) {
mountpoint := d.mountPath(id)
if count := d.ctr.Increment(mountpoint); count > 1 {
return mountpoint, nil
}
filesystem := d.zfsPath(id)
- options := label.FormatMountLabel(d.options.mountOptions, mountLabel)
- logrus.Debugf(`[zfs] mount("%s", "%s", "%s")`, filesystem, mountpoint, options)
+ opts := label.FormatMountLabel(d.options.mountOptions, options.MountLabel)
+ logrus.Debugf(`[zfs] mount("%s", "%s", "%s")`, filesystem, mountpoint, opts)
rootUID, rootGID, err := idtools.GetRootUIDGID(d.uidMaps, d.gidMaps)
if err != nil {
@@ -381,7 +381,7 @@
return "", err
}
- if err := mount.Mount(filesystem, mountpoint, "zfs", options); err != nil {
+ if err := mount.Mount(filesystem, mountpoint, "zfs", opts); err != nil {
d.ctr.Decrement(mountpoint)
return "", fmt.Errorf("error creating zfs mount of %s to %s: %v", filesystem, mountpoint, err)
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.12.0/vendor/github.com/containers/storage/layers.go new/cri-o-1.12.1/vendor/github.com/containers/storage/layers.go
--- old/cri-o-1.12.0/vendor/github.com/containers/storage/layers.go 2018-10-18 11:54:08.000000000 +0200
+++ new/cri-o-1.12.1/vendor/github.com/containers/storage/layers.go 2018-11-12 23:05:14.000000000 +0100
@@ -21,6 +21,7 @@
"github.com/containers/storage/pkg/system"
"github.com/containers/storage/pkg/truncindex"
digest "github.com/opencontainers/go-digest"
+ "github.com/opencontainers/selinux/go-selinux/label"
"github.com/pkg/errors"
"github.com/vbatts/tar-split/tar/asm"
"github.com/vbatts/tar-split/tar/storage"
@@ -210,7 +211,7 @@
// layers, it should not be written to. An SELinux label to be applied to the
// mount can be specified to override the one configured for the layer.
// The mappings used by the container can be specified.
- Mount(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (string, error)
+ Mount(id string, options drivers.MountOpts) (string, error)
// Unmount unmounts a layer when it is no longer in use.
Unmount(id string, force bool) (bool, error)
@@ -294,6 +295,9 @@
mounts := make(map[string]*Layer)
compressedsums := make(map[digest.Digest][]string)
uncompressedsums := make(map[digest.Digest][]string)
+ if r.lockfile.IsReadWrite() {
+ label.ClearLabels()
+ }
if err = json.Unmarshal(data, &layers); len(data) == 0 || err == nil {
idlist = make([]string, 0, len(layers))
for n, layer := range layers {
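Review bot: `label.ClearLabels()` runs before `json.Unmarshal` has succeeded, so a failed parse of the layer list leaves the process with an empty MCS reservation map and nothing to rebuild it from. Even on success, the loop that follows only re-reserves labels recorded in `layer.MountLabel`. A label reserved by any other path in the same process would be forgotten and could be handed out again, giving two containers the same MCS categories; whether such a path exists is not visible in this hunk. I would move the `if r.lockfile.IsReadWrite() { label.ClearLabels() }` block inside the success branch, directly before `for n, layer := range layers`, and add `// Reservations are rebuilt from the layer list below; every in-use label must be recorded on a layer.` The enclosing function starts and ends outside the hunk.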
@@ -312,6 +316,9 @@
if layer.UncompressedDigest != "" {
uncompressedsums[layer.UncompressedDigest] = append(uncompressedsums[layer.UncompressedDigest], layer.ID)
}
+ if layer.MountLabel != "" {
+ label.ReserveLabel(layer.MountLabel)
+ }
}
}
if shouldSave && !r.IsReadWrite() {
@@ -535,8 +542,8 @@
_, idInUse = r.byid[id]
}
}
- if _, idInUse := r.byid[id]; idInUse {
- return nil, -1, ErrDuplicateID
+ if duplicateLayer, idInUse := r.byid[id]; idInUse {
+ return duplicateLayer, -1, ErrDuplicateID
}
names = dedupeNames(names)
for _, name := range names {
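Review bot: The duplicate-ID path now returns a non-nil layer together with `ErrDuplicateID`, and nothing in the hunk documents that this departs from the usual Go convention that the value is meaningless when the error is non-nil. A caller that tests the returned layer before the error would treat the pre-existing layer as one it had just created. I would add `// The existing layer is returned alongside ErrDuplicateID; callers must check the error first.` above the return, and repeat the sentence on the interface method's doc comment. The function starts outside the hunk.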
@@ -552,6 +559,9 @@
} else {
parentMappings = &idtools.IDMappings{}
}
+ if mountLabel != "" {
+ label.ReserveLabel(mountLabel)
+ }
idMappings := idtools.NewIDMappingsFromMaps(moreOptions.UIDMap, moreOptions.GIDMap)
opts := drivers.CreateOpts{
MountLabel: mountLabel,
@@ -649,7 +659,7 @@
return layer.MountCount, nil
}
-func (r *layerStore) Mount(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (string, error) {
+func (r *layerStore) Mount(id string, options drivers.MountOpts) (string, error) {
if !r.IsReadWrite() {
return "", errors.Wrapf(ErrStoreIsReadOnly, "not allowed to update mount locations for layers at %q", r.mountspath())
}
@@ -661,16 +671,16 @@
layer.MountCount++
return layer.MountPoint, r.Save()
}
- if mountLabel == "" {
- mountLabel = layer.MountLabel
+ if options.MountLabel == "" {
+ options.MountLabel = layer.MountLabel
}
- if (uidMaps != nil || gidMaps != nil) && !r.driver.SupportsShifting() {
- if !reflect.DeepEqual(uidMaps, layer.UIDMap) || !reflect.DeepEqual(gidMaps, layer.GIDMap) {
+ if (options.UidMaps != nil || options.GidMaps != nil) && !r.driver.SupportsShifting() {
+ if !reflect.DeepEqual(options.UidMaps, layer.UIDMap) || !reflect.DeepEqual(options.GidMaps, layer.GIDMap) {
return "", fmt.Errorf("cannot mount layer %v: shifting not enabled", layer.ID)
}
}
- mountpoint, err := r.driver.Get(id, mountLabel, uidMaps, gidMaps)
+ mountpoint, err := r.driver.Get(id, options)
if mountpoint != "" && err == nil {
if layer.MountPoint != "" {
delete(r.bymount, layer.MountPoint)
@@ -839,6 +849,7 @@
os.Remove(r.tspath(id))
delete(r.byid, id)
r.idindex.Delete(id)
+ mountLabel := layer.MountLabel
if layer.MountPoint != "" {
delete(r.bymount, layer.MountPoint)
}
@@ -857,6 +868,18 @@
r.layers = append(r.layers[:toDeleteIndex], r.layers[toDeleteIndex+1:]...)
}
}
+ if mountLabel != "" {
+ var found bool
+ for _, candidate := range r.layers {
+ if candidate.MountLabel == mountLabel {
+ found = true
+ break
+ }
+ }
+ if !found {
+ label.ReleaseLabel(mountLabel)
+ }
+ }
if err = r.Save(); err != nil {
return err
}
@@ -957,7 +980,7 @@
if getter, ok := r.driver.(drivers.DiffGetterDriver); ok {
return getter.DiffGetter(id)
}
- path, err := r.Mount(id, "", nil, nil)
+ path, err := r.Mount(id, drivers.MountOpts{})
if err != nil {
return nil, err
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.12.0/vendor/github.com/containers/storage/store.go new/cri-o-1.12.1/vendor/github.com/containers/storage/store.go
--- old/cri-o-1.12.0/vendor/github.com/containers/storage/store.go 2018-10-18 11:54:08.000000000 +0200
+++ new/cri-o-1.12.1/vendor/github.com/containers/storage/store.go 2018-11-12 23:05:14.000000000 +0100
@@ -25,6 +25,7 @@
"github.com/containers/storage/pkg/stringid"
"github.com/containers/storage/pkg/stringutils"
digest "github.com/opencontainers/go-digest"
+ "github.com/opencontainers/selinux/go-selinux/label"
"github.com/pkg/errors"
)
@@ -251,6 +252,8 @@
// Mount attempts to mount a layer, image, or container for access, and
// returns the pathname if it succeeds.
+ // Note if the mountLabel == "", the default label for the container
+ // will be used.
//
// Note that we do some of this work in a child process. The calling
// process's main() function needs to import our pkg/reexec package and
@@ -497,6 +500,8 @@
// container's layer will inherit settings from the image's top layer
// or, if it is not being created based on an image, the Store object.
IDMappingOptions
+ LabelOpts []string
+ Flags map[string]interface{}
}
type store struct {
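Review bot: The new `LabelOpts` and `Flags` fields have no doc comments, although the CreateContainer hunk in this file reads the string keys `"ProcessLabel"` and `"MountLabel"` from `Flags` and passes `LabelOpts` to `label.InitLabels`. I would add `// LabelOpts are SELinux label options passed to label.InitLabels when Flags carries no labels.` and `// Flags holds extra per-container values; "ProcessLabel" and "MountLabel" (strings) must be set together or not at all.` Because the values are `interface{}` and are read with a checked type assertion, a wrongly typed entry is silently treated as unset, which the comment should state as well. The struct starts outside the hunk.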
@@ -1175,7 +1180,26 @@
},
}
}
- clayer, err := rlstore.Create(layer, imageTopLayer, nil, "", nil, layerOptions, true)
+ if options.Flags == nil {
+ options.Flags = make(map[string]interface{})
+ }
+ plabel, _ := options.Flags["ProcessLabel"].(string)
+ mlabel, _ := options.Flags["MountLabel"].(string)
+ if (plabel == "" && mlabel != "") ||
+ (plabel != "" && mlabel == "") {
+ return nil, errors.Errorf("ProcessLabel and Mountlabel must either not be specified or both specified")
+ }
+
+ if plabel == "" {
+ processLabel, mountLabel, err := label.InitLabels(options.LabelOpts)
+ if err != nil {
+ return nil, err
+ }
+ options.Flags["ProcessLabel"] = processLabel
+ options.Flags["MountLabel"] = mountLabel
+ }
+
+ clayer, err := rlstore.Create(layer, imageTopLayer, nil, options.Flags["MountLabel"].(string), nil, layerOptions, true)
if err != nil {
return nil, err
}
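Review bot: The generated labels are written into the caller's `options.Flags` map, and the next hunk likewise assigns `options.IDMappingOptions` in place where the old code built a fresh `ContainerOptions`. If a caller reuses one `ContainerOptions` value for several containers, the second call sees a non-empty `ProcessLabel`, skips `label.InitLabels`, and both containers end up with the same MCS label; whether `options` is copied earlier in the function is not visible here. Working on a private copy with its own `Flags` map, as sketched below, avoids that. Separately, when `rlstore.Create` fails after `InitLabels` succeeded, the reserved label is not released on that error path, unlike the cleanup this update adds inside `InitLabels`.

```go
// Work on a private copy so the caller's ContainerOptions is left untouched.
opts := *options
opts.Flags = make(map[string]interface{}, len(options.Flags)+2)
for k, v := range options.Flags {
	opts.Flags[k] = v
}
options = &opts
// … unchanged: ProcessLabel/MountLabel consistency check and label.InitLabels …
```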
@@ -1189,13 +1213,11 @@
if modified, err := rcstore.Modified(); modified || err != nil {
rcstore.Load()
}
- options = &ContainerOptions{
- IDMappingOptions: IDMappingOptions{
- HostUIDMapping: len(options.UIDMap) == 0,
- HostGIDMapping: len(options.GIDMap) == 0,
- UIDMap: copyIDMap(options.UIDMap),
- GIDMap: copyIDMap(options.GIDMap),
- },
+ options.IDMappingOptions = IDMappingOptions{
+ HostUIDMapping: len(options.UIDMap) == 0,
+ HostGIDMapping: len(options.GIDMap) == 0,
+ UIDMap: copyIDMap(options.UIDMap),
+ GIDMap: copyIDMap(options.GIDMap),
}
container, err := rcstore.Create(id, names, imageID, layer, metadata, options)
if err != nil || container == nil {
@@ -2273,7 +2295,12 @@
rlstore.Load()
}
if rlstore.Exists(id) {
- return rlstore.Mount(id, mountLabel, uidMap, gidMap)
+ options := drivers.MountOpts{
+ MountLabel: mountLabel,
+ UidMaps: uidMap,
+ GidMaps: gidMap,
+ }
+ return rlstore.Mount(id, options)
}
return "", ErrLayerUnknown
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.12.0/vendor/github.com/containers/storage/vendor.conf new/cri-o-1.12.1/vendor/github.com/containers/storage/vendor.conf
--- old/cri-o-1.12.0/vendor/github.com/containers/storage/vendor.conf 2018-10-18 11:54:08.000000000 +0200
+++ new/cri-o-1.12.1/vendor/github.com/containers/storage/vendor.conf 2018-11-12 23:05:14.000000000 +0100
@@ -2,13 +2,14 @@
github.com/Microsoft/go-winio 307e919c663683a9000576fdc855acaf9534c165
github.com/Microsoft/hcsshim a8d9cc56cbce765a7eebdf4792e6ceceeff3edb8
github.com/davecgh/go-spew 346938d642f2ec3594ed81d874461961cd0faa76
-github.com/docker/engine-api 4290f40c056686fcaa5c9caf02eac1dde9315adf
+github.com/docker/docker 86f080cff0914e9694068ed78d503701667c4c00
github.com/docker/go-units 0dadbb0345b35ec7ef35e228dabb8de89a65bf52
github.com/mattn/go-shellwords 753a2322a99f87c0eff284980e77f53041555bc6
github.com/mistifyio/go-zfs c0224de804d438efd11ea6e52ada8014537d6062
github.com/opencontainers/go-digest master
github.com/opencontainers/runc 6c22e77604689db8725fa866f0f2ec0b3e8c3a07
-github.com/opencontainers/selinux ba1aefe8057f1d0cfb8e88d0ec1dc85925ef987d
+github.com/opencontainers/selinux 36a9bc45a08c85f2c52bd9eb32e20267876773bd
+github.com/ostreedev/ostree-go aeb02c6b6aa2889db3ef62f7855650755befd460
github.com/pborman/uuid 1b00554d822231195d1babd97ff4a781231955c9
github.com/pkg/errors master
github.com/pmezard/go-difflib v1.0.0
@@ -20,4 +21,3 @@
github.com/vbatts/tar-split v0.10.2
golang.org/x/net 7dcfb8076726a3fdd9353b6b8a1f1b6be6811bd6
golang.org/x/sys 07c182904dbd53199946ba614a412c61d3c548f5
-github.com/ostreedev/ostree-go aeb02c6b6aa2889db3ef62f7855650755befd460
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.12.0/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go new/cri-o-1.12.1/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go
--- old/cri-o-1.12.0/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go 2018-10-18 11:54:08.000000000 +0200
+++ new/cri-o-1.12.1/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go 2018-11-12 23:05:14.000000000 +0100
@@ -48,6 +48,11 @@
func Init() {
}
+// ClearLabels clears all reserved labels
+func ClearLabels() {
+ return
+}
+
func ReserveLabel(label string) error {
return nil
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.12.0/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go new/cri-o-1.12.1/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
--- old/cri-o-1.12.0/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go 2018-10-18 11:54:08.000000000 +0200
+++ new/cri-o-1.12.1/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go 2018-11-12 23:05:14.000000000 +0100
@@ -24,17 +24,22 @@
// the container. A list of options can be passed into this function to alter
// the labels. The labels returned will include a random MCS String, that is
// guaranteed to be unique.
-func InitLabels(options []string) (string, string, error) {
+func InitLabels(options []string) (plabel string, mlabel string, Err error) {
if !selinux.GetEnabled() {
return "", "", nil
}
processLabel, mountLabel := selinux.ContainerLabels()
if processLabel != "" {
+ defer func() {
+ if Err != nil {
+ ReleaseLabel(mountLabel)
+ }
+ }()
pcon := selinux.NewContext(processLabel)
mcon := selinux.NewContext(mountLabel)
for _, opt := range options {
if opt == "disable" {
- return "", "", nil
+ return "", mountLabel, nil
}
if i := strings.Index(opt, ":"); i == -1 {
return "", "", fmt.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type' followed by ':' and a value", opt)
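Review bot: With the `disable` option the function now returns an empty process label, a non-empty mount label and a nil error, but the doc comment above still describes only the old behaviour. The deferred cleanup releases the label only when `Err` is set, so on this path the reservation appears to stay with the caller. I would add `// With the "disable" option the process label is empty, but the mount label is still returned and stays reserved until ReleaseLabel is called.` The named result `Err` is also capitalised, unlike `plabel` and `mlabel`; `err` is the conventional spelling. The function continues outside the hunk.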
@@ -156,6 +161,11 @@
selinux.GetEnabled()
}
+// ClearLabels will clear all reserved labels
+func ClearLabels() {
+ selinux.ClearLabels()
+}
+
// ReserveLabel will record the fact that the MCS label has already been used.
// This will prevent InitLabels from using the MCS label in a newly created
// container
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.12.0/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go new/cri-o-1.12.1/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
--- old/cri-o-1.12.0/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go 2018-10-18 11:54:08.000000000 +0200
+++ new/cri-o-1.12.1/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go 2018-11-12 23:05:14.000000000 +0100
@@ -409,6 +409,13 @@
return c
}
+// ClearLabels clears all reserved labels
+func ClearLabels() {
+ state.Lock()
+ state.mcsList = make(map[string]bool)
+ state.Unlock()
+}
+
// ReserveLabel reserves the MLS/MCS level component of the specified label
func ReserveLabel(label string) {
if len(label) != 0 {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.12.0/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go new/cri-o-1.12.1/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
--- old/cri-o-1.12.0/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go 2018-10-18 11:54:08.000000000 +0200
+++ new/cri-o-1.12.1/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go 2018-11-12 23:05:14.000000000 +0100
@@ -107,6 +107,11 @@
return c
}
+// ClearLabels clears all reserved MLS/MCS levels
+func ClearLabels() {
+ return
+}
+
// ReserveLabel reserves the MLS/MCS level component of the specified label
func ReserveLabel(label string) {
return
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.12.0/vendor.conf new/cri-o-1.12.1/vendor.conf
--- old/cri-o-1.12.0/vendor.conf 2018-10-18 11:54:08.000000000 +0200
+++ new/cri-o-1.12.1/vendor.conf 2018-11-12 23:05:14.000000000 +0100
@@ -16,11 +16,11 @@
github.com/containers/image 8f11f3ad8912d8bc43a7d25992b8f313ffefd430
github.com/docker/docker-credential-helpers d68f9aeca33f5fd3f08eeae5e9d175edf4e731d1
github.com/ostreedev/ostree-go master
-github.com/containers/storage 68332c059156eae970a03245cfcd4d717fb66ecd
+github.com/containers/storage c57ac62f89f5496ae16a6273554f26301aa188e7
github.com/containernetworking/cni v0.4.0
google.golang.org/grpc 5b3c4e850e90a4cf6a20ebd46c8b32a0a3afcb9e https://github.com/grpc/grpc-go
google.golang.org/genproto 09f6ed296fc66555a25fe4ce95173148778dfa85
-github.com/opencontainers/selinux b6fa367ed7f534f9ba25391cc2d467085dbb445a
+github.com/opencontainers/selinux 077c8b6d1c18456fb7c792bc0de52295a0d1900e
github.com/opencontainers/go-digest v1.0.0-rc0
github.com/opencontainers/runtime-tools 1c243a8a8eb44d491790798afc9b634c6f6a6380
github.com/opencontainers/runc 459bfaec1fc6c17d8bfb12d0a0f69e7e7271ed2a
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.12.0/version/version.go new/cri-o-1.12.1/version/version.go
--- old/cri-o-1.12.0/version/version.go 2018-10-18 11:54:08.000000000 +0200
+++ new/cri-o-1.12.1/version/version.go 2018-11-12 23:05:14.000000000 +0100
@@ -1,4 +1,4 @@
package version
// Version is the version of the build.
-const Version = "1.12.0"
+const Version = "1.12.1"