update containerd to 1.4.3, runc to 1.0.0-rc93

packages/Cargo.toml

@@ -65,7 +65,6 @@ members = [
     "release",
     "runc",
     "selinux-policy",
-    "socat",
     "strace",
     "systemd",
     "tcpdump",

packages/containerd/1001-cri-reduce-logging-when-no-errors-have-occurred.patch

@@ -1,7 +1,7 @@
-From 620046d6f883433ef1d030ea9c428acbd1e71035 Mon Sep 17 00:00:00 2001
+From 4cbd7bccb089e6954f687b270b4383a16cfc6dec Mon Sep 17 00:00:00 2001
 From: Matt Briggs <brigmatt@amazon.com>
 Date: Wed, 1 Apr 2020 16:55:04 -0700
-Subject: [PATCH] cri: reduce logging when no errors have occurred
+Subject: [PATCH 1001/1003] cri: reduce logging when no errors have occurred
 
 ---
  .../containerd/cri/pkg/server/container_execsync.go           | 3 ++-
@@ -10,10 +10,10 @@ Subject: [PATCH] cri: reduce logging when no errors have occurred
  3 files changed, 5 insertions(+), 4 deletions(-)
 
 diff --git a/vendor/github.com/containerd/cri/pkg/server/container_execsync.go b/vendor/github.com/containerd/cri/pkg/server/container_execsync.go
-index b46e6e5..36e64c0 100644
+index 1c019f651..da50ed3eb 100644
 --- a/vendor/github.com/containerd/cri/pkg/server/container_execsync.go
 +++ b/vendor/github.com/containerd/cri/pkg/server/container_execsync.go
-@@ -186,10 +186,11 @@ func (c *criService) execInContainer(ctx context.Context, id string, opts execOp
+@@ -171,10 +171,11 @@ func (c *criService) execInternal(ctx context.Context, container containerd.Cont
  		return nil, errors.Wrapf(execCtx.Err(), "timeout %v exceeded", opts.timeout)
  	case exitRes := <-exitCh:
  		code, _, err := exitRes.Result()
@@ -27,7 +27,7 @@ index b46e6e5..36e64c0 100644
  		log.G(ctx).Debugf("Stream pipe for exec process %q done", execID)
  		return &code, nil
 diff --git a/vendor/github.com/containerd/cri/pkg/server/instrumented_service.go b/vendor/github.com/containerd/cri/pkg/server/instrumented_service.go
-index 8a23c13..11e1f34 100644
+index 2c2528ab6..1488dc09d 100644
 --- a/vendor/github.com/containerd/cri/pkg/server/instrumented_service.go
 +++ b/vendor/github.com/containerd/cri/pkg/server/instrumented_service.go
 @@ -247,12 +247,12 @@ func (in *instrumentedService) ExecSync(ctx context.Context, r *runtime.ExecSync
@@ -46,7 +46,7 @@ index 8a23c13..11e1f34 100644
  				res.GetStdout(), res.GetStderr())
  		}
 diff --git a/vendor/github.com/containerd/cri/pkg/server/io/exec_io.go b/vendor/github.com/containerd/cri/pkg/server/io/exec_io.go
-index 3b2c36a..4e868b6 100644
+index 4a695030d..f1b9ef370 100644
 --- a/vendor/github.com/containerd/cri/pkg/server/io/exec_io.go
 +++ b/vendor/github.com/containerd/cri/pkg/server/io/exec_io.go
 @@ -99,7 +99,7 @@ func (e *ExecIO) Attach(opts AttachOptions) <-chan struct{} {
@@ -59,5 +59,5 @@ index 3b2c36a..4e868b6 100644
 
  	if opts.Stdout != nil {
 -- 
-2.21.0
+2.26.2
 

packages/containerd/3001-cri-set-default-RLIMIT_NOFILE.patch → packages/containerd/1002-cri-set-default-RLIMIT_NOFILE.patch

@@ -1,26 +1,27 @@
-From 64deef11da4cf532ea9d82cc499f5174a8907e29 Mon Sep 17 00:00:00 2001
+From 2223c4f21880a3fe7086008f0db665da55ee1d44 Mon Sep 17 00:00:00 2001
 From: Zac Mrowicki <mrowicki@amazon.com>
 Date: Thu, 22 Oct 2020 20:44:38 +0000
-Subject: [PATCH] cri: set default RLIMIT_NOFILE
+Subject: [PATCH 1002/1003] cri: set default RLIMIT_NOFILE
 
 The `cri` plugin currently inherits the limit from the default OCI spec
 or the containerd process.  This change sets the default hard
 RLIMIT_NOFILE to 1048576 and the soft limit to 65536 in the OCI spec for
 any container spawned using `cri`.
 ---
- vendor/github.com/containerd/cri/pkg/config/config.go |  8 ++++++++
- .../containerd/cri/pkg/containerd/opts/spec.go        | 11 +++++++++++
- .../containerd/cri/pkg/server/container_create.go     | 11 +++++++++++
- 3 files changed, 30 insertions(+)
+ vendor/github.com/containerd/cri/pkg/config/config.go |  6 ++++++
+ .../containerd/cri/pkg/config/config_unix.go          |  2 ++
+ .../containerd/cri/pkg/containerd/opts/spec_unix.go   | 11 +++++++++++
+ .../cri/pkg/server/container_create_unix.go           | 11 +++++++++++
+ 4 files changed, 30 insertions(+)
 
 diff --git a/vendor/github.com/containerd/cri/pkg/config/config.go b/vendor/github.com/containerd/cri/pkg/config/config.go
-index 7c5f9eb..772bf28 100644
+index a0c86fa76..f8f914fed 100644
 --- a/vendor/github.com/containerd/cri/pkg/config/config.go
 +++ b/vendor/github.com/containerd/cri/pkg/config/config.go
-@@ -204,6 +204,12 @@ type PluginConfig struct {
- 	// DisableProcMount disables Kubernetes ProcMount support. This MUST be set to `true`
- 	// when using containerd with Kubernetes <=1.11.
- 	DisableProcMount bool `toml:"disable_proc_mount" json:"disableProcMount"`
+@@ -252,6 +252,12 @@ type PluginConfig struct {
+ 	// isolation, security and early detection of issues in the mount configuration when using
+ 	// ReadOnlyRootFilesystem since containers won't silently mount a temporary volume.
+ 	IgnoreImageDefinedVolumes bool `toml:"ignore_image_defined_volumes" json:"ignoreImageDefinedVolumes"`
 +	// ProcessRLimitNoFileSoft sets the soft limit of maximum file
 +	// descriptors each container process can use.
 +	ProcessRLimitNoFileSoft int `toml:"process_rlimit_no_file_soft" json:"process_rlimit_no_file_soft"`
@@ -30,21 +31,24 @@ index 7c5f9eb..772bf28 100644
  }
 
  // X509KeyPairStreaming contains the x509 configuration for streaming
-@@ -271,6 +277,8 @@ func DefaultConfig() PluginConfig {
- 		},
- 		MaxConcurrentDownloads: 3,
- 		DisableProcMount:       false,
-+		ProcessRLimitNoFileSoft:    65536,
-+		ProcessRLimitNoFileHard:    1048576,
+diff --git a/vendor/github.com/containerd/cri/pkg/config/config_unix.go b/vendor/github.com/containerd/cri/pkg/config/config_unix.go
+index 62ea66207..72d556103 100644
+--- a/vendor/github.com/containerd/cri/pkg/config/config_unix.go
++++ b/vendor/github.com/containerd/cri/pkg/config/config_unix.go
+@@ -72,5 +72,7 @@ func DefaultConfig() PluginConfig {
+ 		TolerateMissingHugetlbController: true,
+ 		DisableHugetlbController:         true,
+ 		IgnoreImageDefinedVolumes:        false,
++		ProcessRLimitNoFileSoft:          65536,
++		ProcessRLimitNoFileHard:          1048576,
  	}
  }
-
-diff --git a/vendor/github.com/containerd/cri/pkg/containerd/opts/spec.go b/vendor/github.com/containerd/cri/pkg/containerd/opts/spec.go
-index 0da421a..445c279 100644
---- a/vendor/github.com/containerd/cri/pkg/containerd/opts/spec.go
-+++ b/vendor/github.com/containerd/cri/pkg/containerd/opts/spec.go
-@@ -48,6 +48,17 @@ const (
- 	DefaultSandboxCPUshares = 2
+diff --git a/vendor/github.com/containerd/cri/pkg/containerd/opts/spec_unix.go b/vendor/github.com/containerd/cri/pkg/containerd/opts/spec_unix.go
+index d644962d5..559dd1c5f 100644
+--- a/vendor/github.com/containerd/cri/pkg/containerd/opts/spec_unix.go
++++ b/vendor/github.com/containerd/cri/pkg/containerd/opts/spec_unix.go
+@@ -46,6 +46,17 @@ import (
+ 	"github.com/containerd/cri/pkg/util"
  )
 
 +// WithProcessRLimits sets the RLimits for this container process
@@ -61,11 +65,11 @@ index 0da421a..445c279 100644
  // WithAdditionalGIDs adds any additional groups listed for a particular user in the
  // /etc/groups file of the image's root filesystem to the OCI spec's additionalGids array.
  func WithAdditionalGIDs(userstr string) oci.SpecOpts {
-diff --git a/vendor/github.com/containerd/cri/pkg/server/container_create.go b/vendor/github.com/containerd/cri/pkg/server/container_create.go
-index d35fff3..c665973 100644
---- a/vendor/github.com/containerd/cri/pkg/server/container_create.go
-+++ b/vendor/github.com/containerd/cri/pkg/server/container_create.go
-@@ -335,6 +335,17 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP
+diff --git a/vendor/github.com/containerd/cri/pkg/server/container_create_unix.go b/vendor/github.com/containerd/cri/pkg/server/container_create_unix.go
+index 6ebebf9ad..0e089b48a 100644
+--- a/vendor/github.com/containerd/cri/pkg/server/container_create_unix.go
++++ b/vendor/github.com/containerd/cri/pkg/server/container_create_unix.go
+@@ -123,6 +123,17 @@ func (c *criService) containerSpec(id string, sandboxID string, sandboxPid uint3
  		// this will be set based on the security context below
  		oci.WithNewPrivileges,
  	}
@@ -84,5 +88,5 @@ index d35fff3..c665973 100644
  		specOpts = append(specOpts, oci.WithProcessCwd(config.GetWorkingDir()))
  	} else if imageConfig.WorkingDir != "" {
 -- 
-2.21.0
+2.26.2
 

packages/containerd/1003-cri-relabel-volumes-after-copying-source-files.patch

@@ -0,0 +1,86 @@
+From 267bdad4dfaaf40bf09514979acab10619205d9d Mon Sep 17 00:00:00 2001
+From: Ben Cressey <bcressey@amazon.com>
+Date: Fri, 19 Feb 2021 22:11:12 +0000
+Subject: [PATCH 1003/1003] cri: relabel volumes after copying source files
+
+Otherwise the extended attributes from the source files will be used
+instead of the expected label, which could prevent processes inside
+the container from reading or writing to them.
+
+Signed-off-by: Ben Cressey <bcressey@amazon.com>
+---
+ .../containerd/cri/pkg/containerd/opts/container.go  | 12 +++++++++++-
+ .../containerd/cri/pkg/server/container_create.go    | 10 ++++++++--
+ 2 files changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/vendor/github.com/containerd/cri/pkg/containerd/opts/container.go b/vendor/github.com/containerd/cri/pkg/containerd/opts/container.go
+index fe199d5fb..4f0f32b4e 100644
+--- a/vendor/github.com/containerd/cri/pkg/containerd/opts/container.go
++++ b/vendor/github.com/containerd/cri/pkg/containerd/opts/container.go
+@@ -29,6 +29,8 @@ import (
+ 	"github.com/containerd/containerd/mount"
+ 	"github.com/containerd/continuity/fs"
+ 	"github.com/pkg/errors"
++	"github.com/opencontainers/selinux/go-selinux/label"
++	"golang.org/x/sys/unix"
+ )
+
+ // WithNewSnapshot wraps `containerd.WithNewSnapshot` so that if creating the
+@@ -53,7 +55,7 @@ func WithNewSnapshot(id string, i containerd.Image) containerd.NewContainerOpts
+ // WithVolumes copies ownership of volume in rootfs to its corresponding host path.
+ // It doesn't update runtime spec.
+ // The passed in map is a host path to container path map for all volumes.
+-func WithVolumes(volumeMounts map[string]string) containerd.NewContainerOpts {
++func WithVolumes(volumeMounts map[string]string, mountLabel string) containerd.NewContainerOpts {
+ 	return func(ctx context.Context, client *containerd.Client, c *containers.Container) (err error) {
+ 		if c.Snapshotter == "" {
+ 			return errors.New("no snapshotter set for container")
+@@ -99,6 +101,14 @@ func WithVolumes(volumeMounts map[string]string) containerd.NewContainerOpts {
+ 			if err := copyExistingContents(src, host); err != nil {
+ 				return errors.Wrap(err, "taking runtime copy of volume")
+ 			}
++
++			// Relabel the host directory after copying, since xattrs will be copied
++			// from the source and might not be correct.
++			if mountLabel != "" {
++				if err := label.Relabel(host, mountLabel, false); err != nil && err != unix.ENOTSUP {
++					return errors.Wrapf(err, "relabel %q with %q failed", host, mountLabel)
++				}
++			}
+ 		}
+ 		return nil
+ 	}
+diff --git a/vendor/github.com/containerd/cri/pkg/server/container_create.go b/vendor/github.com/containerd/cri/pkg/server/container_create.go
+index 12c068518..21e334121 100644
+--- a/vendor/github.com/containerd/cri/pkg/server/container_create.go
++++ b/vendor/github.com/containerd/cri/pkg/server/container_create.go
+@@ -189,7 +189,11 @@ func (c *criService) CreateContainer(ctx context.Context, r *runtime.CreateConta
+ 		for _, v := range volumeMounts {
+ 			mountMap[filepath.Clean(v.HostPath)] = v.ContainerPath
+ 		}
+-		opts = append(opts, customopts.WithVolumes(mountMap))
++		mountLabel := ""
++		if spec.Linux != nil {
++			mountLabel = spec.Linux.MountLabel
++		}
++		opts = append(opts, customopts.WithVolumes(mountMap, mountLabel))
+ 	}
+ 	meta.ImageRef = image.ID
+ 	meta.StopSignal = image.ImageSpec.Config.StopSignal
+@@ -292,10 +296,12 @@ func (c *criService) volumeMounts(containerRootDir string, criMounts []*runtime.
+ 		volumeID := util.GenerateID()
+ 		src := filepath.Join(containerRootDir, "volumes", volumeID)
+ 		// addOCIBindMounts will create these volumes.
++		// The volume should not be relabeled yet, since any labels will be overwritten when
++		// the contents are copied from the source.
+ 		mounts = append(mounts, &runtime.Mount{
+ 			ContainerPath:  dst,
+ 			HostPath:       src,
+-			SelinuxRelabel: true,
++			SelinuxRelabel: false,
+ 		})
+ 	}
+ 	return mounts
+-- 
+2.26.2
+