When compiling containerd binaries statically, the linker rightfully
complains:
+ make BUILDTAGS=static_build 'EXTRA_FLAGS=-buildmode pie' 'EXTRA_LDFLAGS=-extldflags "-fno-PIC -static"'
🇩 bin/ctr
# github.com/containerd/containerd/cmd/ctr
/tmp/go-link-343047789/000000.o: In function `_cgo_b0c710f30cfd_C2func_getaddrinfo':
/tmp/go-build/net/_obj/cgo-gcc-prolog:46: warning: Using 'getaddrinfo'
in statically linked applications requires at runtime the shared
libraries from the glibc version used for linking
The same error appears for ctr, containerd, and containerd-stress
binaries.
The fix is to use Go's own DNS resolver functions, rather than
glibc's getaddrinfo() -- this option is turned on by the `netgo` build tag.
See https://golang.org/pkg/net/ (look for "Name Resolution") for more
details.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Upstream-commit: 7368ef96c89fd4f6879addf5214c4a09889a05be
Component: engine
Go has supported PIC builds for a while now, and given the security
benefits of using PIC binaries we should really enable them. There also
appears to be some indication that non-PIC builds have been interacting
oddly on ppc64le (the linker cannot load some shared libraries), and
using PIC builds appears to solve this problem.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
Upstream-commit: 1f4e37cf4bd2f73dc5257d791cc4dba294ddd156
Component: engine
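A post-build check for the two properties the commit messages above discuss (static linking and PIC/PIE), as an added example that is not part of containerd, Docker or these commits. `Linkage`, `Inspect` and `sample` are hypothetical names, and the inputs are constructed header-only ELF images, not real binaries.

```go
package main

import (
	"bytes"
	"debug/elf"
	"encoding/binary"
	"fmt"
	"io"
)

// Linkage holds the two properties the commit messages are concerned with.
type Linkage struct {
	PIE    bool // e_type is ET_DYN, so the kernel can randomise the load base
	Static bool // no PT_INTERP segment, so no dynamic loader or shared glibc
}

// Inspect classifies an ELF executable from its file and program headers.
// ET_DYN is also the type of shared libraries, so only pass executables.
func Inspect(r io.ReaderAt) (Linkage, error) {
	f, err := elf.NewFile(r)
	if err != nil {
		return Linkage{}, err
	}
	l := Linkage{PIE: f.Type == elf.ET_DYN, Static: true}
	for _, p := range f.Progs {
		l.Static = l.Static && p.Type != elf.PT_INTERP
	}
	return l, nil
}

// sample returns a constructed ELF64 image with one program header (not a real binary).
func sample(t elf.Type, seg elf.ProgType) *bytes.Reader {
	h := elf.Header64{Type: uint16(t), Machine: uint16(elf.EM_X86_64), Version: 1,
		Phoff: 64, Ehsize: 64, Phentsize: 56, Phnum: 1, Shentsize: 64}
	copy(h.Ident[:], "\x7fELF\x02\x01\x01") // 64-bit, little-endian, version 1
	var b bytes.Buffer
	binary.Write(&b, binary.LittleEndian, h)
	binary.Write(&b, binary.LittleEndian, elf.Prog64{Type: uint32(seg)})
	return bytes.NewReader(b.Bytes())
}

func main() {
	static, _ := Inspect(sample(elf.ET_DYN, elf.PT_LOAD))
	dynamic, _ := Inspect(sample(elf.ET_EXEC, elf.PT_INTERP))
	fmt.Printf("static PIE: %+v\nnon-PIE dynamic: %+v\n", static, dynamic)
}
```

For a real build output, pass the `*os.File` returned by `os.Open` to `Inspect`.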
This also updates:
- runc to 3f2f8b84a77f73d38244dd690525642a72156c64
- runtime-specs to v1.0.0
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
Upstream-commit: 45d85c99139bbd16004bbedb7d5bac6a60264538
Component: engine
This reverts to a version of runc without the ONLCR cleared to not cause
a regression with different clients using --tty.
This also reverts the OPOST changes to the term package to support the
initial change.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Upstream-commit: a5e83836a49547b2add871bb52cbd8bfedb57114
Component: engine
Starting with this commit, integration tests should no longer rely on
the docker cli, they should be API tests instead. For the existing tests
the scripts will use a frozen version of the docker cli with a
DOCKER_API_VERSION frozen to 1.30, which should ensure that the CI remains
green at all times.
To help contributors develop and test manually with a modified docker
cli, this commit also adds a DOCKER_CLI_PATH environment variable to the
Makefile. This allows setting the path of a custom cli that will be
available inside the development container and used to run the
integration tests.
Signed-off-by: Arnaud Porterie (icecrime) <arnaud.porterie@docker.com>
Signed-off-by: Tibor Vass <tibor@docker.com>
Upstream-commit: 32915b1d0a315598edb737785d0357b5a1b8aa11
Component: engine
Add go-bindata for including the schema.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
Upstream-commit: f5af9b9738892b5988f987ce5fbce6e31a10e768
Component: engine
There is no reason to duplicate efforts and tini is well built and
better than grimes. It is a much stronger option for the default init
and @krallin has done a great job maintaining it and helping make
changes so that it will work with Docker.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Upstream-commit: d58b47623b252803f5cd12f6d9ca584d1587ab22
Component: engine
This version:
- properly follows context cancellation on Start and Exec
- adds support for Solaris
- ensures exec exit events are always seen before init's
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
Upstream-commit: 0aa17f0f6090ddeefaa6a0bc618aeb8baf3afa3f
Component: engine
Until we can support existing behaviour with `sudo`, disable
ambient capabilities in runc build.
Add tests that a non-root user cannot use default capabilities,
and that capabilities are working as expected.
Test for #27590
Update runc.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Upstream-commit: c5251f7116e3d9095a7169fc31bd170dff997c2e
Component: engine
diff:
```patch
diff --git a/Makefile b/Makefile
index 0b2b063..70df01b 100644
--- a/Makefile
+++ b/Makefile
@@ -1,3 +1,4 @@
+GIT_VERSION := $(shell git describe --abbrev=40 --long --dirty --always --tags)
all:
- gcc -O2 -o init -static grimes.c
+ gcc -O2 -DVERSION=\"$(GIT_VERSION)\" -o init -static grimes.c
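Review bot: `GIT_VERSION` on the new first line of the Makefile has no fallback, so a build from a source tarball or any tree without `.git` gets an error from `git describe` and an empty string, and the binary is compiled with `-DVERSION=\"\"`. Consider defaulting it inside the `$(shell ...)`, for example by appending `2>/dev/null || echo unknown`, so `--version` never prints an empty value.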
diff --git a/grimes.c b/grimes.c
index d0f836b..ffeea98 100644
--- a/grimes.c
+++ b/grimes.c
@@ -29,7 +29,7 @@ typedef struct reaper_t {
} reaper_t;
// reaper_new initializes the reaper with the provided process.
-// it also sets up the signal handlers and child handlers for restore
+// it also sets up the signal handlers and child handlers for restore
// when the child is execed
int reaper_new(reaper_t * reaper, process_t * process)
{
@@ -57,7 +57,7 @@ int reaper_new(reaper_t * reaper, process_t * process)
return 0;
}
-// reaper_exit closes the reaper's signalfd and exits with the
+// reaper_exit closes the reaper's signalfd and exits with the
// child's exit status
void reaper_exit(reaper_t * reaper, int status)
{
@@ -68,11 +68,11 @@ void reaper_exit(reaper_t * reaper, int status)
exit(WEXITSTATUS(status));
}
-// reaper_reap reaps any dead processes. If the process that is reaped
+// reaper_reap reaps any dead processes. If the process that is reaped
// is the child process that we spawned get its exit status and exit this program
int reaper_reap(reaper_t * reaper)
{
- int status, child_exited, child_status = 0;
+ int status = 0, child_exited = 0, child_status = 0;
for (;;) {
pid_t pid = waitpid(-1, &status, WNOHANG);
switch (pid) {
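Review bot: the initialisers added to `status` and `child_exited` in `reaper_reap` change behaviour (both were uninitialised at declaration before), yet they arrive bundled with whitespace-only comment edits and the `--version` feature. Call the initialisation out in the commit message or split it into its own commit so it can be found when bisecting.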
@@ -140,6 +140,12 @@ int main(int argc, char **argv)
{
process_t process;
reaper_t reaper;
+
+ if (argc == 2 && !strcmp(argv[1], "--version")) {
+ printf("grimes version %s\n", VERSION);
+ exit(0);
+ }
+
if (reaper_new(&reaper, &process) != 0) {
bail("initialize reaper %s", strerror(errno));
}
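Review bot: `VERSION` in the new `printf` in `main` is defined only by the Makefile's `-DVERSION=...`, and nothing in the visible hunks gives it a default, so compiling `grimes.c` any other way fails on an undeclared identifier. Add a guarded default near the top of the file (`#ifndef VERSION`, `#define VERSION "unknown"`, `#endif`). The `argc == 2` test also means `--version` is honoured only as the sole argument, which is worth stating in the usage text.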
```
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Upstream-commit: 131514dad67be6c8dce6098c219597839aa995d6
Component: engine
* change workdir for accessing install-binaries.sh
* use other gopath for binaries to preserve sources
* add sources of proxy and grimes to rpc spec
* use dynamic proxy with -linkmode external in deb and rpm
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
Upstream-commit: bf0fe87fe6acb0ad55539fdfa565dcdca8e343a5
Component: engine
This means we can vendor libnetwork without special casing, and
it is built the same way as the other external binaries.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Upstream-commit: 3996975b0840033bda3919440d122d734a4bc66b
Component: engine
Fixes a bug with background processes after the child process exits.
diff:
74341e923b
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Upstream-commit: 3c3ba4cb662b0a19d5821470dd534279f18699fa
Component: engine
This fixes an issue when wait4 returns a 0 return status causing the
reaping loop to continue to run.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Upstream-commit: c27116575e0d9b0d1eb085cffef0693babb7bdbb
Component: engine
It should allow easier updates for containerd and runc
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
Upstream-commit: 1b41125ad9f1a3881b71bd044d76fd285170addb
Component: engine