diff --git a/src/runtime/go.mod b/src/runtime/go.mod
index 07cf8bb7eb2a..467239892aae 100644
--- a/src/runtime/go.mod
+++ b/src/runtime/go.mod
@@ -14,7 +14,7 @@ require (
 github.com/container-orchestrated-devices/container-device-interface v0.6.0
 github.com/containerd/cgroups v1.1.0
 github.com/containerd/console v1.0.5
- github.com/containerd/containerd v1.7.27
+ github.com/containerd/containerd v1.7.28
 github.com/containerd/containerd/api v1.9.0
 github.com/containerd/cri-containerd v1.19.0
 github.com/containerd/fifo v1.1.0
diff --git a/src/runtime/go.sum b/src/runtime/go.sum
index 84ba41532c67..92fada983a91 100644
--- a/src/runtime/go.sum
+++ b/src/runtime/go.sum
@@ -36,8 +36,8 @@ github.com/containerd/cgroups/v3 v3.0.5 h1:44na7Ud+VwyE7LIoJ8JTNQOa549a8543BmzaJ
 github.com/containerd/cgroups/v3 v3.0.5/go.mod h1:SA5DLYnXO8pTGYiAHXz94qvLQTKfVM5GEVisn4jpins=
 github.com/containerd/console v1.0.5 h1:R0ymNeydRqH2DmakFNdmjR2k0t7UPuiOV/N/27/qqsc=
 github.com/containerd/console v1.0.5/go.mod h1:YynlIjWYF8myEu6sdkwKIvGQq+cOckRm6So2avqoYAk=
-github.com/containerd/containerd v1.7.27 h1:yFyEyojddO3MIGVER2xJLWoCIn+Up4GaHFquP7hsFII=
-github.com/containerd/containerd v1.7.27/go.mod h1:xZmPnl75Vc+BLGt4MIfu6bp+fy03gdHAn9bz+FreFR0=
+github.com/containerd/containerd v1.7.28 h1:Nsgm1AtcmEh4AHAJ4gGlNSaKgXiNccU270Dnf81FQ3c=
+github.com/containerd/containerd v1.7.28/go.mod h1:azUkWcOvHrWvaiUjSQH0fjzuHIwSPg1WL5PshGP4Szs=
 github.com/containerd/containerd/api v1.9.0 h1:HZ/licowTRazus+wt9fM6r/9BQO7S0vD5lMcWspGIg0=
 github.com/containerd/containerd/api v1.9.0/go.mod h1:GhghKFmTR3hNtyznBoQ0EMWr9ju5AqHjcZPsSpTKutI=
 github.com/containerd/continuity v0.4.5 h1:ZRoN1sXq9u7V6QoHMcVWGhOwDFqZ4B9i5H6un1Wh0x4=
diff --git a/src/runtime/vendor/github.com/containerd/containerd/BUILDING.md b/src/runtime/vendor/github.com/containerd/containerd/BUILDING.md
index 20edcb59e566..58981a1184b4 100644
--- a/src/runtime/vendor/github.com/containerd/containerd/BUILDING.md
+++ b/src/runtime/vendor/github.com/containerd/containerd/BUILDING.md
@@ -15,7 +15,7 @@ This doc includes:
 To build the `containerd` daemon, and the `ctr` simple test client, the following build system dependencies are required:
-* Go 1.22.x or above
+* Go 1.23.x or above
 * Protoc 3.x compiler and headers (download at the [Google protobuf releases page](https://github.com/protocolbuffers/protobuf/releases))
 * Btrfs headers and libraries for your distribution. Note that building the btrfs driver can be disabled via the build tag `no_btrfs`, removing this dependency.
diff --git a/src/runtime/vendor/github.com/containerd/containerd/Vagrantfile b/src/runtime/vendor/github.com/containerd/containerd/Vagrantfile
index 96dd881c4c98..bb01a9cb2e10 100644
--- a/src/runtime/vendor/github.com/containerd/containerd/Vagrantfile
+++ b/src/runtime/vendor/github.com/containerd/containerd/Vagrantfile
@@ -21,6 +21,12 @@ Vagrant.configure("2") do |config|
 # BOX_VERSION is deprecated. Use "BOX=@".
 config.vm.box_version = ENV["BOX_VERSION"] || (ENV["BOX"].split("@")[1] if ENV["BOX"])
+ # Set box_url for archive boxes
+ # Workaround for https://github.com/containerd/containerd/issues/12124
+ if config.vm.box.include?("fedora/39-cloud-base")
+ config.vm.box_url = "https://archives.fedoraproject.org/pub/archive/fedora/linux/releases/39/Cloud/x86_64/images/Fedora-Cloud-Base-Vagrant-39-1.5.x86_64.vagrant-libvirt.box"
+ end
+
 memory = 4096
 cpus = 2
 disk_size = 60
@@ -35,7 +41,10 @@ Vagrant.configure("2") do |config|
 v.memory = memory
 v.cpus = cpus
 v.machine_virtual_size = disk_size
- v.loader = "/usr/share/OVMF/OVMF_CODE.fd"
+ # https://github.com/vagrant-libvirt/vagrant-libvirt/issues/1725#issuecomment-1454058646
+ # Needs `sudo cp /usr/share/OVMF/OVMF_VARS_4M.fd /var/lib/libvirt/qemu/nvram/`
+ v.loader = '/usr/share/OVMF/OVMF_CODE_4M.fd'
+ v.nvram = '/var/lib/libvirt/qemu/nvram/OVMF_VARS_4M.fd'
 end
 config.vm.synced_folder ".", "/vagrant", type: "rsync"
@@ -104,7 +113,7 @@ EOF
 config.vm.provision "install-golang", type: "shell", run: "once" do |sh|
 sh.upload_path = "/tmp/vagrant-install-golang"
 sh.env = {
- 'GO_VERSION': ENV['GO_VERSION'] || "1.23.7",
+ 'GO_VERSION': ENV['GO_VERSION'] || "1.23.11",
 }
 sh.inline = <<~SHELL
 #!/usr/bin/env bash
@@ -246,6 +255,7 @@ EOF
 sh.upload_path = "/tmp/test-integration"
 sh.env = {
 'RUNC_FLAVOR': ENV['RUNC_FLAVOR'] || "runc",
+ 'RUNC_RUNTIME': ENV['RUNC_RUNTIME'] || "io.containerd.runc.v2",
 'GOTEST': ENV['GOTEST'] || "go test",
 'GOTESTSUM_JUNITFILE': ENV['GOTESTSUM_JUNITFILE'],
 'GOTESTSUM_JSONFILE': ENV['GOTESTSUM_JSONFILE'],
@@ -258,7 +268,7 @@ EOF
 rm -rf /var/lib/containerd-test /run/containerd-test
 cd ${GOPATH}/src/github.com/containerd/containerd
 go test -v -count=1 -race ./metrics/cgroups
- make integration EXTRA_TESTFLAGS="-timeout 15m -no-criu -test.v" TEST_RUNTIME=io.containerd.runc.v2 RUNC_FLAVOR=$RUNC_FLAVOR
+ make integration EXTRA_TESTFLAGS="-timeout 15m -no-criu -test.v" TEST_RUNTIME=$RUNC_RUNTIME RUNC_FLAVOR=$RUNC_FLAVOR
 SHELL
 end
@@ -269,6 +279,7 @@ EOF
 sh.upload_path = "/tmp/test-cri-integration"
 sh.env = {
 'GOTEST': ENV['GOTEST'] || "go test",
+ 'RUNC_RUNTIME': ENV['RUNC_RUNTIME'] || "io.containerd.runc.v2",
 'GOTESTSUM_JUNITFILE': ENV['GOTESTSUM_JUNITFILE'],
 'GOTESTSUM_JSONFILE': ENV['GOTESTSUM_JSONFILE'],
 'GITHUB_WORKSPACE': '',
@@ -287,7 +298,7 @@ EOF
 # cri-integration.sh executes containerd from ./bin, not from $PATH .
 make BUILDTAGS="seccomp selinux no_aufs no_btrfs no_devmapper no_zfs" binaries bin/cri-integration.test
 chcon -v -t container_runtime_exec_t ./bin/{containerd,containerd-shim*}
- CONTAINERD_RUNTIME=io.containerd.runc.v2 ./script/test/cri-integration.sh
+ CONTAINERD_RUNTIME=$RUNC_RUNTIME ./script/test/cri-integration.sh
 cleanup
 SHELL
 end
diff --git a/src/runtime/vendor/github.com/containerd/containerd/remotes/docker/auth/fetch.go b/src/runtime/vendor/github.com/containerd/containerd/remotes/docker/auth/fetch.go
index 244e03509a7d..c9c224b2ac0e 100644
--- a/src/runtime/vendor/github.com/containerd/containerd/remotes/docker/auth/fetch.go
+++ b/src/runtime/vendor/github.com/containerd/containerd/remotes/docker/auth/fetch.go
@@ -86,11 +86,11 @@ type TokenOptions struct {
 // OAuthTokenResponse is response from fetching token with a OAuth POST request
 type OAuthTokenResponse struct {
- AccessToken string `json:"access_token"`
- RefreshToken string `json:"refresh_token"`
- ExpiresIn int `json:"expires_in"`
- IssuedAt time.Time `json:"issued_at"`
- Scope string `json:"scope"`
+ AccessToken string `json:"access_token"`
+ RefreshToken string `json:"refresh_token"`
+ ExpiresInSeconds int `json:"expires_in"`
+ IssuedAt time.Time `json:"issued_at"`
+ Scope string `json:"scope"`
 }
 // FetchTokenWithOAuth fetches a token using a POST request
@@ -152,11 +152,11 @@ func FetchTokenWithOAuth(ctx context.Context, client *http.Client, headers http.
 // FetchTokenResponse is response from fetching token with GET request
 type FetchTokenResponse struct {
- Token string `json:"token"`
- AccessToken string `json:"access_token"`
- ExpiresIn int `json:"expires_in"`
- IssuedAt time.Time `json:"issued_at"`
- RefreshToken string `json:"refresh_token"`
+ Token string `json:"token"`
+ AccessToken string `json:"access_token"`
+ ExpiresInSeconds int `json:"expires_in"`
+ IssuedAt time.Time `json:"issued_at"`
+ RefreshToken string `json:"refresh_token"`
 }
 // FetchToken fetches a token using a GET request
diff --git a/src/runtime/vendor/github.com/containerd/containerd/remotes/docker/authorizer.go b/src/runtime/vendor/github.com/containerd/containerd/remotes/docker/authorizer.go
index 2bf388e8cb0c..6aabe95a452a 100644
--- a/src/runtime/vendor/github.com/containerd/containerd/remotes/docker/authorizer.go
+++ b/src/runtime/vendor/github.com/containerd/containerd/remotes/docker/authorizer.go
@@ -24,6 +24,7 @@ import (
 "net/http"
 "strings"
 "sync"
+ "time"
 "github.com/containerd/log"
@@ -206,9 +207,10 @@ func (a *dockerAuthorizer) AddResponses(ctx context.Context, responses []*http.R
 // authResult is used to control limit rate.
 type authResult struct {
 sync.WaitGroup
- token string
- refreshToken string
- err error
+ token string
+ refreshToken string
+ expirationTime *time.Time
+ err error
 }
 // authHandler is used to handle auth request per registry server.
@@ -271,8 +273,12 @@ func (ah *authHandler) doBearerAuth(ctx context.Context) (token, refreshToken st
 // Docs: https://docs.docker.com/registry/spec/auth/scope
 scoped := strings.Join(to.Scopes, " ")
+ // Keep track of the expiration time of cached bearer tokens so they can be
+ // refreshed when they expire without a server roundtrip.
+ var expirationTime *time.Time
+
 ah.Lock()
- if r, exist := ah.scopedTokens[scoped]; exist {
+ if r, exist := ah.scopedTokens[scoped]; exist && (r.expirationTime == nil || r.expirationTime.After(time.Now())) {
 ah.Unlock()
 r.Wait()
 return r.token, r.refreshToken, r.err
@@ -286,7 +292,7 @@ func (ah *authHandler) doBearerAuth(ctx context.Context) (token, refreshToken st
 defer func() {
 token = fmt.Sprintf("Bearer %s", token)
- r.token, r.refreshToken, r.err = token, refreshToken, err
+ r.token, r.refreshToken, r.err, r.expirationTime = token, refreshToken, err, expirationTime
 r.Done()
 }()
@@ -312,6 +318,7 @@ func (ah *authHandler) doBearerAuth(ctx context.Context) (token, refreshToken st
 if err != nil {
 return "", "", err
 }
+ expirationTime = getExpirationTime(resp.ExpiresInSeconds)
 return resp.Token, resp.RefreshToken, nil
 }
 log.G(ctx).WithFields(log.Fields{
@@ -321,6 +328,7 @@ func (ah *authHandler) doBearerAuth(ctx context.Context) (token, refreshToken st
 }
 return "", "", err
 }
+ expirationTime = getExpirationTime(resp.ExpiresInSeconds)
 return resp.AccessToken, resp.RefreshToken, nil
 }
 // do request anonymously
@@ -328,9 +336,18 @@ func (ah *authHandler) doBearerAuth(ctx context.Context) (token, refreshToken st
 if err != nil {
 return "", "", fmt.Errorf("failed to fetch anonymous token: %w", err)
 }
+ expirationTime = getExpirationTime(resp.ExpiresInSeconds)
 return resp.Token, resp.RefreshToken, nil
 }
+func getExpirationTime(expiresInSeconds int) *time.Time {
+ if expiresInSeconds <= 0 {
+ return nil
+ }
+ expirationTime := time.Now().Add(time.Duration(expiresInSeconds) * time.Second)
+ return &expirationTime
+}
+
 func invalidAuthorization(ctx context.Context, c auth.Challenge, responses []*http.Response) (retry bool, _ error) {
 errStr := c.Parameters["error"]
 if errStr == "" {
diff --git a/src/runtime/vendor/github.com/containerd/containerd/runtime/nsmap.go b/src/runtime/vendor/github.com/containerd/containerd/runtime/nsmap.go
index ed172adcc127..d37f305d96a6 100644
--- a/src/runtime/vendor/github.com/containerd/containerd/runtime/nsmap.go
+++ b/src/runtime/vendor/github.com/containerd/containerd/runtime/nsmap.go
@@ -31,7 +31,7 @@ type object interface {
 // NSMap extends Map type with a notion of namespaces passed via Context.
 type NSMap[T object] struct {
- mu sync.Mutex
+ mu sync.RWMutex
 objects map[string]map[string]T
 }
@@ -44,13 +44,14 @@ func NewNSMap[T object]() *NSMap[T] {
 // Get a task
 func (m *NSMap[T]) Get(ctx context.Context, id string) (T, error) {
- m.mu.Lock()
- defer m.mu.Unlock()
 namespace, err := namespaces.NamespaceRequired(ctx)
 var t T
 if err != nil {
 return t, err
 }
+
+ m.mu.RLock()
+ defer m.mu.RUnlock()
 tasks, ok := m.objects[namespace]
 if !ok {
 return t, errdefs.ErrNotFound
@@ -64,8 +65,8 @@ func (m *NSMap[T]) Get(ctx context.Context, id string) (T, error) {
 // GetAll objects under a namespace
 func (m *NSMap[T]) GetAll(ctx context.Context, noNS bool) ([]T, error) {
- m.mu.Lock()
- defer m.mu.Unlock()
+ m.mu.RLock()
+ defer m.mu.RUnlock()
 var o []T
 if noNS {
 for ns := range m.objects {
@@ -100,10 +101,10 @@ func (m *NSMap[T]) Add(ctx context.Context, t T) error {
 // AddWithNamespace adds a task with the provided namespace
 func (m *NSMap[T]) AddWithNamespace(namespace string, t T) error {
+ id := t.ID()
+
 m.mu.Lock()
 defer m.mu.Unlock()
-
- id := t.ID()
 if _, ok := m.objects[namespace]; !ok {
 m.objects[namespace] = make(map[string]T)
 }
@@ -116,12 +117,13 @@ func (m *NSMap[T]) AddWithNamespace(namespace string, t T) error {
 // Delete a task
 func (m *NSMap[T]) Delete(ctx context.Context, id string) {
- m.mu.Lock()
- defer m.mu.Unlock()
 namespace, err := namespaces.NamespaceRequired(ctx)
 if err != nil {
 return
 }
+
+ m.mu.Lock()
+ defer m.mu.Unlock()
 tasks, ok := m.objects[namespace]
 if ok {
 delete(tasks, id)
@@ -129,8 +131,8 @@ func (m *NSMap[T]) Delete(ctx context.Context, id string) {
 }
 func (m *NSMap[T]) IsEmpty() bool {
- m.mu.Lock()
- defer m.mu.Unlock()
+ m.mu.RLock()
+ defer m.mu.RUnlock()
 for ns := range m.objects {
 if len(m.objects[ns]) > 0 {
diff --git a/src/runtime/vendor/github.com/containerd/containerd/snapshotter_default_linux.go b/src/runtime/vendor/github.com/containerd/containerd/snapshotter_default_linux.go
index d925d4ef9424..47e249951cbd 100644
--- a/src/runtime/vendor/github.com/containerd/containerd/snapshotter_default_linux.go
+++ b/src/runtime/vendor/github.com/containerd/containerd/snapshotter_default_linux.go
@@ -21,4 +21,6 @@ const (
 // This will be based on the client compilation target, so take that into
 // account when choosing this value.
 DefaultSnapshotter = "overlayfs"
+ // DefaultDiffer will set the default differ for the platform.
+ DefaultDiffer = "walking"
 )
diff --git a/src/runtime/vendor/github.com/containerd/containerd/snapshotter_default_unix.go b/src/runtime/vendor/github.com/containerd/containerd/snapshotter_default_unix.go
index 8e191ca6ac6c..fd05aa70b44c 100644
--- a/src/runtime/vendor/github.com/containerd/containerd/snapshotter_default_unix.go
+++ b/src/runtime/vendor/github.com/containerd/containerd/snapshotter_default_unix.go
@@ -23,4 +23,6 @@ const (
 // This will be based on the client compilation target, so take that into
 // account when choosing this value.
 DefaultSnapshotter = "native"
+ // DefaultDiffer will set the default differ for the platform.
+ DefaultDiffer = "walking"
 )
diff --git a/src/runtime/vendor/github.com/containerd/containerd/snapshotter_default_windows.go b/src/runtime/vendor/github.com/containerd/containerd/snapshotter_default_windows.go
index 320211a4a56d..217705da845f 100644
--- a/src/runtime/vendor/github.com/containerd/containerd/snapshotter_default_windows.go
+++ b/src/runtime/vendor/github.com/containerd/containerd/snapshotter_default_windows.go
@@ -21,4 +21,6 @@ const (
 // This will be based on the client compilation target, so take that into
 // account when choosing this value.
 DefaultSnapshotter = "windows"
+ // DefaultDiffer will set the default differ for the platform.
+ DefaultDiffer = "walking"
 )
diff --git a/src/runtime/vendor/github.com/containerd/containerd/version/version.go b/src/runtime/vendor/github.com/containerd/containerd/version/version.go
index e806164cab8d..cd788cbde39c 100644
--- a/src/runtime/vendor/github.com/containerd/containerd/version/version.go
+++ b/src/runtime/vendor/github.com/containerd/containerd/version/version.go
@@ -23,7 +23,7 @@ var (
 Package = "github.com/containerd/containerd"
 // Version holds the complete version number. Filled in at linking time.
- Version = "1.7.27+unknown"
+ Version = "1.7.28+unknown"
 // Revision is filled with the VCS (e.g. git) revision being used to build
 // the program at linking time.
diff --git a/src/runtime/vendor/modules.txt b/src/runtime/vendor/modules.txt
index 8e1252545053..382206b85024 100644
--- a/src/runtime/vendor/modules.txt
+++ b/src/runtime/vendor/modules.txt
@@ -98,8 +98,8 @@ github.com/containerd/cgroups/v3/cgroup1/stats
 # github.com/containerd/console v1.0.5
 ## explicit; go 1.13
 github.com/containerd/console
-# github.com/containerd/containerd v1.7.27
-## explicit; go 1.21
+# github.com/containerd/containerd v1.7.28
+## explicit; go 1.23.0
 github.com/containerd/containerd
 github.com/containerd/containerd/archive
 github.com/containerd/containerd/archive/compression