diff --git a/.mailmap b/.mailmap index 8e1d63d094aab..7ddee5fa6013c 100644 --- a/.mailmap +++ b/.mailmap @@ -77,6 +77,7 @@ Junyu Liu LongtaoZhang Lorenz Brun Luc Perkins +Luke Hinds <123011167+lukefr09@users.noreply.github.com> James Sturtevant Jiajun Jiang Jin Dong @@ -90,6 +91,7 @@ Kante Kazuyoshi Kato Kazuyoshi Kato Kazuyoshi Kato +Kazuyoshi Kato Kenfe-Mickaël Laventure Kevin Kern Kevin Parsons diff --git a/go.mod b/go.mod index de3df47769864..4cc721940ffe3 100644 --- a/go.mod +++ b/go.mod @@ -12,7 +12,7 @@ require ( github.com/containerd/btrfs/v2 v2.0.0 github.com/containerd/cgroups/v3 v3.1.3 github.com/containerd/console v1.0.5 - github.com/containerd/containerd/api v1.10.0 + github.com/containerd/containerd/api v1.11.0-beta.0 github.com/containerd/continuity v0.4.5 github.com/containerd/errdefs v1.0.0 github.com/containerd/errdefs/pkg v0.3.0 @@ -161,5 +161,3 @@ require ( sigs.k8s.io/yaml v1.6.0 // indirect tags.cncf.io/container-device-interface/specs-go v1.1.0 // indirect ) - -replace github.com/containerd/containerd/api => ./api diff --git a/go.sum b/go.sum index 47ded24c9f665..b61498a8a8671 100644 --- a/go.sum +++ b/go.sum @@ -43,6 +43,8 @@ github.com/containerd/cgroups/v3 v3.1.3 h1:eUNflyMddm18+yrDmZPn3jI7C5hJ9ahABE5q6 github.com/containerd/cgroups/v3 v3.1.3/go.mod h1:PKZ2AcWmSBsY/tJUVhtS/rluX0b1uq1GmPO1ElCmbOw= github.com/containerd/console v1.0.5 h1:R0ymNeydRqH2DmakFNdmjR2k0t7UPuiOV/N/27/qqsc= github.com/containerd/console v1.0.5/go.mod h1:YynlIjWYF8myEu6sdkwKIvGQq+cOckRm6So2avqoYAk= +github.com/containerd/containerd/api v1.11.0-beta.0 h1:qtnn2fNjzVl82CRfzt6VvDikwQnMD66eq06Djb+I1Lc= +github.com/containerd/containerd/api v1.11.0-beta.0/go.mod h1:NBm1OAk8ZL+LG8R0ceObGxT5hbUYj7CzTmR3xh0DlMM= github.com/containerd/continuity v0.4.5 h1:ZRoN1sXq9u7V6QoHMcVWGhOwDFqZ4B9i5H6un1Wh0x4= github.com/containerd/continuity v0.4.5/go.mod h1:/lNJvtJKUQStBzpVQ1+rasXO1LAWtUQssk28EZvJ3nE= github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI= diff --git a/pkg/shim/util_abstract_test.go b/pkg/shim/util_abstract_test.go new file mode 100644 index 0000000000000..5c20e95e5c15e --- /dev/null +++ b/pkg/shim/util_abstract_test.go @@ -0,0 +1,41 @@ +//go:build !windows && !darwin + +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package shim + +import ( + "net" + "testing" + "time" +) + +func TestNewSocketAbstract(t *testing.T) { + address := "@shim-test-abstract" + + l, err := NewSocket(address) + if err != nil { + t.Fatalf("NewSocket failed: %v", err) + } + t.Cleanup(func() { l.Close() }) + + conn, err := net.DialTimeout("unix", socket(address).path(), time.Second) + if err != nil { + t.Fatalf("failed to connect to socket: %v", err) + } + conn.Close() +} diff --git a/pkg/shim/util_unix.go b/pkg/shim/util_unix.go index 874aaf5ddafa7..d255d7f0dba27 100644 --- a/pkg/shim/util_unix.go +++ b/pkg/shim/util_unix.go @@ -29,7 +29,6 @@ import ( "net" "os" "path/filepath" - "runtime" "strconv" "strings" "syscall" @@ -119,16 +118,14 @@ func NewSocket(address string) (*net.UnixListener, error) { sock = socket(address) path = sock.path() isAbstract = sock.isAbstract() - perm = os.FileMode(0600) + // Socket file permissions: read/write for owner only + sockPerm = os.FileMode(0600) + // Directory permissions: need execute bit for traversal + dirPerm = os.FileMode(0700) ) - // Darwin needs +x to access socket, otherwise it'll fail with "bind: permission denied" when running as non-root. - if runtime.GOOS == "darwin" { - perm = 0700 - } - if !isAbstract { - if err := os.MkdirAll(filepath.Dir(path), perm); err != nil { + if err := os.MkdirAll(filepath.Dir(path), dirPerm); err != nil { return nil, fmt.Errorf("mkdir failed for %s: %w", path, err) } } @@ -138,7 +135,7 @@ func NewSocket(address string) (*net.UnixListener, error) { } if !isAbstract { - if err := os.Chmod(path, perm); err != nil { + if err := os.Chmod(path, sockPerm); err != nil { os.Remove(sock.path()) l.Close() return nil, fmt.Errorf("chmod failed for %s: %w", path, err) diff --git a/pkg/shim/util_unix_test.go b/pkg/shim/util_unix_test.go new file mode 100644 index 0000000000000..3e57b51b65248 --- /dev/null +++ b/pkg/shim/util_unix_test.go @@ -0,0 +1,74 @@ +//go:build !windows + +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package shim + +import ( + "fmt" + "net" + "os" + "path/filepath" + "testing" + "time" +) + +func TestNewSocket(t *testing.T) { + t.Run("socket in nested directory", func(t *testing.T) { + dir, err := os.MkdirTemp("/tmp", "shim-test-") + if err != nil { + t.Fatalf("failed to create temp dir: %v", err) + } + t.Cleanup(func() { os.RemoveAll(dir) }) + + address := fmt.Sprintf("unix://%s/a/b/test.sock", dir) + + l, err := NewSocket(address) + if err != nil { + t.Fatalf("NewSocket failed: %v", err) + } + t.Cleanup(func() { l.Close() }) + + conn, err := net.DialTimeout("unix", socket(address).path(), time.Second) + if err != nil { + t.Fatalf("failed to connect to socket: %v", err) + } + conn.Close() + }) + + t.Run("socket in existing directory", func(t *testing.T) { + dir, err := os.MkdirTemp("/tmp", "shim-test-") + if err != nil { + t.Fatalf("failed to create temp dir: %v", err) + } + t.Cleanup(func() { os.RemoveAll(dir) }) + + address := "unix://" + filepath.Join(dir, "test.sock") + + l, err := NewSocket(address) + if err != nil { + t.Fatalf("NewSocket failed: %v", err) + } + t.Cleanup(func() { l.Close() }) + + conn, err := net.DialTimeout("unix", socket(address).path(), time.Second) + if err != nil { + t.Fatalf("failed to connect to socket: %v", err) + } + conn.Close() + }) +} diff --git a/releases/v2.3.0-beta.toml b/releases/v2.3.0-beta.toml new file mode 100644 index 0000000000000..2ea8990e40f6e --- /dev/null +++ b/releases/v2.3.0-beta.toml @@ -0,0 +1,36 @@ +# commit to be tagged for new release +commit = "HEAD" + +project_name = "containerd" +github_repo = "containerd/containerd" +match_deps = "^github.com/(containerd/[a-zA-Z0-9-]+)$" +ignore_deps = [ "github.com/containerd/containerd" ] + +# previous release +previous = "v2.2.0" + +pre_release = true + +preface = """\ +The third minor release of containerd 2.x focuses on continued stability alongside +new features and improvements. This is the third time-based release for containerd. + +Starting with containerd 2.3, the project has moved to release cadence aligned with +the Kubernetes release schedule, with new minor releases about every 4 months. The +containerd 2.3 release is also the first annual LTS (Long Term Stable) release under +this new schedule, with support planned for at least two years. Direct upgrades +between sequential LTS releases (e.g., 1.7 to 2.3) will be tested and supported. + +This is a beta release and some functionality is still under development. +""" + +postface = """\ +### Which file should I download? +* `containerd---.tar.gz`: ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04). +* `containerd-static---.tar.gz`: Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent. + +In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases) +and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too. + +See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation. +""" diff --git a/vendor/github.com/containerd/containerd/api/LICENSE b/vendor/github.com/containerd/containerd/api/LICENSE new file mode 100644 index 0000000000000..584149b6ee28c --- /dev/null +++ b/vendor/github.com/containerd/containerd/api/LICENSE @@ -0,0 +1,191 @@ + + Apache License + Version 2.0, January 2004 + https://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + Copyright The containerd Authors + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + https://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/vendor/modules.txt b/vendor/modules.txt index eb35f2eb0e540..eb799969b184f 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -114,7 +114,7 @@ github.com/containerd/cgroups/v3/cgroup2/stats # github.com/containerd/console v1.0.5 ## explicit; go 1.13 github.com/containerd/console -# github.com/containerd/containerd/api v1.10.0 => ./api +# github.com/containerd/containerd/api v1.11.0-beta.0 ## explicit; go 1.23.0 github.com/containerd/containerd/api/events github.com/containerd/containerd/api/runtime/sandbox/v1 @@ -986,4 +986,3 @@ tags.cncf.io/container-device-interface/pkg/parser # tags.cncf.io/container-device-interface/specs-go v1.1.0 ## explicit; go 1.19 tags.cncf.io/container-device-interface/specs-go -# github.com/containerd/containerd/api => ./api diff --git a/version/version.go b/version/version.go index 773dd12d5d69c..4f952be28b920 100644 --- a/version/version.go +++ b/version/version.go @@ -24,7 +24,7 @@ var ( Package = "github.com/containerd/containerd/v2" // Version holds the complete version number. Filled in at linking time. - Version = "2.2.0+unknown" + Version = "2.3.0-beta+unknown" // Revision is filled with the VCS (e.g. git) revision being used to build // the program at linking time.