Import Debian changes 1.5.9-ok2

containerd (1.5.9-ok2) yangtze; urgency=medium

  * Update version info. 

containerd (1.5.9-ok1) yangtze; urgency=low

  * Initial release.

debian/README.Debian

@@ -0,0 +1,8 @@
+containerd for Debian
+
+Please edit this to provide information specific to
+this containerd Debian package.
+
+    (Automatically generated by debmake Version 4.3.1)
+
+ -- Luoyaoming <luoyaoming@kylinos.cn>  Fri, 30 Dec 2022 13:48:35 +0800

debian/changelog

@@ -0,0 +1,11 @@
+containerd (1.5.9-ok2) yangtze; urgency=medium
+
+  * Update version info. 
+
+ -- Luoyaoming <luoyaoming@kylinos.cn>  Fri, 30 Dec 2022 14:22:46 +0800
+
+containerd (1.5.9-ok1) yangtze; urgency=low
+
+  * Initial release.
+
+ -- Luoyaoming <luoyaoming@kylinos.cn>  Fri, 30 Dec 2022 13:48:35 +0800

debian/clean

@@ -0,0 +1,3 @@
+.gocache/
+.gopath/
+man/

debian/compat

@@ -0,0 +1 @@
+11

debian/containerd.docs

@@ -0,0 +1,3 @@
+README.md
+docs/*.md
+docs/*.pdf

debian/containerd.install

@@ -0,0 +1,2 @@
+usr/bin
+usr/share/man

debian/containerd.service

@@ -0,0 +1 @@
+../containerd.service

debian/control

@@ -0,0 +1,42 @@
+Source: containerd
+Section: admin
+Priority: optional
+Maintainer: Openkylin Developers <packaging@lists.openkylin.top>
+XSBC-Original-Maintainer: Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>
+Uploaders: Luo Yaoming <luoyaoming@kylinos.cn>
+Build-Depends: debhelper (>= 11),
+               dh-golang,
+               go-md2man,
+               golang-go,
+               libbtrfs-dev | btrfs-progs (<< 4.16.1~),
+               libseccomp-dev,
+               pkg-config
+Standards-Version: 3.9.7
+Homepage: https://containerd.io
+Vcs-Git: https://gitee/openkylin/containerd.git 
+Vcs-Browser: https://gitee/openkylin/containerd
+XS-Go-Import-Path: github.com/containerd/containerd
+
+Package: containerd
+Architecture: linux-any
+Depends: runc (>= 1.0.0~rc2~), ${misc:Depends}, ${shlibs:Depends}
+Breaks: docker.io (<< 19.03.13-0)
+Built-Using: ${misc:Built-Using}
+Description: daemon to control runC
+ Containerd is a daemon to control runC, built for performance and density.
+ Containerd leverages runC's advanced features such as seccomp and user
+ namespace support as well as checkpoint and restore for cloning and live
+ migration of containers.
+ .
+ This package contains the binaries.
+
+Package: golang-github-containerd-containerd-dev
+Architecture: all
+Depends: ${misc:Depends}
+Description: runC develpoment files
+ Containerd is a daemon to control runC, built for performance and density.
+ Containerd leverages runC's advanced features such as seccomp and user
+ namespace support as well as checkpoint and restore for cloning and live
+ migration of containers.
+ .
+ This package provides development files.

debian/docs

@@ -0,0 +1,2 @@
+README.md
+docs

debian/gbp.conf

@@ -0,0 +1,2 @@
+[DEFAULT]
+pristine-tar = True

debian/golang-github-containerd-containerd-dev.install

@@ -0,0 +1 @@
+usr/share/gocode/src

debian/patches/CVE-2022-23648.patch

@@ -0,0 +1,37 @@
+From d1d905b2fe66cb5c6f888256731ede6a918bb7c3 Mon Sep 17 00:00:00 2001
+From: ruiwen-zhao <ruiwen@google.com>
+Date: Fri, 11 Feb 2022 04:21:58 +0000
+Subject: [PATCH] Use fs.RootPath when mounting volumes
+
+Signed-off-by: Ruiwen Zhao <ruiwen@google.com>
+---
+ pkg/cri/opts/container.go | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/pkg/cri/opts/container.go b/pkg/cri/opts/container.go
+index 472104b04..5a4c94b88 100644
+--- a/pkg/cri/opts/container.go
++++ b/pkg/cri/opts/container.go
+@@ -20,7 +20,6 @@ import (
+ 	"context"
+ 	"io/ioutil"
+ 	"os"
+-	"path/filepath"
+ 
+ 	"github.com/containerd/containerd"
+ 	"github.com/containerd/containerd/containers"
+@@ -89,7 +88,10 @@ func WithVolumes(volumeMounts map[string]string) containerd.NewContainerOpts {
+ 		}()
+ 
+ 		for host, volume := range volumeMounts {
+-			src := filepath.Join(root, volume)
++			src, err := fs.RootPath(root, volume)
++			if err != nil {
++				return errors.Wrapf(err, "rootpath on root %s, volume %s", root, volume)
++			}
+ 			if _, err := os.Stat(src); err != nil {
+ 				if os.IsNotExist(err) {
+ 					// Skip copying directory if it does not exist.
+-- 
+2.35.1
+

debian/patches/preserve-debug-info.patch

@@ -0,0 +1,10 @@
+--- a/Makefile
++++ b/Makefile
+@@ -53,7 +53,6 @@
+ endif
+ 
+ ifndef GODEBUG
+-	EXTRA_LDFLAGS += -s -w
+ 	DEBUG_GO_GCFLAGS :=
+ 	DEBUG_TAGS :=
+ else

debian/patches/series

@@ -0,0 +1,4 @@
+skip-tests-with-privilege.patch
+preserve-debug-info.patch
+CVE-2022-23648.patch
+build-with-go1.18.patch

debian/patches/skip-tests-with-privilege.patch

@@ -0,0 +1,149 @@
+Description: Skip tests which require a certain level of privilege
+ During build we cannot bindmount sysfs and cgroupfs in a chroot which leads to
+ failures.
+Author: Lucas Kanashiro <kanashiro@ubuntu.com>
+Forwarded: not-needed
+Last-Updated: 2021-05-20
+
+--- a/pkg/cri/server/container_create_linux_test.go
++++ b/pkg/cri/server/container_create_linux_test.go
+@@ -187,6 +187,7 @@
+ }
+ 
+ func TestContainerCapabilities(t *testing.T) {
++	t.Skip("It requires HugeTLB controller enabled which requires mounting cgroupfs. Not achievable during the build.")
+ 	testID := "test-id"
+ 	testSandboxID := "sandbox-id"
+ 	testContainerName := "container-name"
+@@ -267,6 +268,7 @@
+ }
+ 
+ func TestContainerSpecTty(t *testing.T) {
++	t.Skip("It requires HugeTLB controller enabled which requires mounting cgroupfs. Not achievable during the build.")
+ 	testID := "test-id"
+ 	testSandboxID := "sandbox-id"
+ 	testContainerName := "container-name"
+@@ -289,6 +291,7 @@
+ }
+ 
+ func TestContainerSpecDefaultPath(t *testing.T) {
++	t.Skip("It requires HugeTLB controller enabled which requires mounting cgroupfs. Not achievable during the build.")
+ 	testID := "test-id"
+ 	testSandboxID := "sandbox-id"
+ 	testContainerName := "container-name"
+@@ -311,6 +314,7 @@
+ }
+ 
+ func TestContainerSpecReadonlyRootfs(t *testing.T) {
++	t.Skip("It requires HugeTLB controller enabled which requires mounting cgroupfs. Not achievable during the build.")
+ 	testID := "test-id"
+ 	testSandboxID := "sandbox-id"
+ 	testContainerName := "container-name"
+@@ -328,6 +332,7 @@
+ }
+ 
+ func TestContainerSpecWithExtraMounts(t *testing.T) {
++	t.Skip("It requires HugeTLB controller enabled which requires mounting cgroupfs. Not achievable during the build.")
+ 	testID := "test-id"
+ 	testSandboxID := "sandbox-id"
+ 	testContainerName := "container-name"
+@@ -389,6 +394,7 @@
+ }
+ 
+ func TestContainerAndSandboxPrivileged(t *testing.T) {
++	t.Skip("It requires HugeTLB controller enabled which requires mounting cgroupfs. Not achievable during the build.")
+ 	testID := "test-id"
+ 	testSandboxID := "sandbox-id"
+ 	testContainerName := "container-name"
+@@ -591,6 +597,7 @@
+ }
+ 
+ func TestPrivilegedBindMount(t *testing.T) {
++	t.Skip("It requires privilege to mount sysfs and cgroupfs. Not achievable during the build.")
+ 	testPid := uint32(1234)
+ 	c := newTestCRIService()
+ 	testSandboxID := "sandbox-id"
+@@ -741,6 +748,7 @@
+ }
+ 
+ func TestPidNamespace(t *testing.T) {
++	t.Skip("It requires HugeTLB controller enabled which requires mounting cgroupfs. Not achievable during the build.")
+ 	testID := "test-id"
+ 	testPid := uint32(1234)
+ 	testSandboxID := "sandbox-id"
+@@ -782,6 +790,7 @@
+ }
+ 
+ func TestNoDefaultRunMount(t *testing.T) {
++	t.Skip("It requires HugeTLB controller enabled which requires mounting cgroupfs. Not achievable during the build.")
+ 	testID := "test-id"
+ 	testPid := uint32(1234)
+ 	testSandboxID := "sandbox-id"
+@@ -1086,6 +1095,7 @@
+ }
+ 
+ func TestMaskedAndReadonlyPaths(t *testing.T) {
++	t.Skip("It requires HugeTLB controller enabled which requires mounting cgroupfs. Not achievable during the build.")
+ 	testID := "test-id"
+ 	testSandboxID := "sandbox-id"
+ 	testContainerName := "container-name"
+@@ -1174,6 +1184,7 @@
+ }
+ 
+ func TestHostname(t *testing.T) {
++	t.Skip("It requires HugeTLB controller enabled which requires mounting cgroupfs. Not achievable during the build.")
+ 	testID := "test-id"
+ 	testSandboxID := "sandbox-id"
+ 	testContainerName := "container-name"
+@@ -1305,6 +1316,7 @@
+ }
+ 
+ func TestPrivilegedDevices(t *testing.T) {
++	t.Skip("It requires privilege to test devices. Not achievable during the build.")
+ 	testPid := uint32(1234)
+ 	c := newTestCRIService()
+ 	testSandboxID := "sandbox-id"
+@@ -1367,6 +1379,7 @@
+ }
+ 
+ func TestBaseOCISpec(t *testing.T) {
++	t.Skip("It requires HugeTLB controller enabled which requires mounting cgroupfs. Not achievable during the build.")
+ 	c := newTestCRIService()
+ 	baseLimit := int64(100)
+ 	c.baseOCISpecs = map[string]*oci.Spec{
+--- a/pkg/cri/server/container_create_test.go
++++ b/pkg/cri/server/container_create_test.go
+@@ -56,6 +56,7 @@
+ const testImageName = "container-image-name"
+ 
+ func TestGeneralContainerSpec(t *testing.T) {
++	t.Skip("It requires HugeTLB controller enabled which requires mounting cgroupfs. Not achievable during the build.")
+ 	testID := "test-id"
+ 	testPid := uint32(1234)
+ 	containerConfig, sandboxConfig, imageConfig, specCheck := getCreateContainerTestData()
+@@ -69,6 +70,7 @@
+ }
+ 
+ func TestPodAnnotationPassthroughContainerSpec(t *testing.T) {
++	t.Skip("It requires HugeTLB controller enabled which requires mounting cgroupfs. Not achievable during the build.")
+ 	if goruntime.GOOS == "darwin" {
+ 		t.Skip("not implemented on Darwin")
+ 	}
+@@ -277,6 +279,7 @@
+ }
+ 
+ func TestContainerAnnotationPassthroughContainerSpec(t *testing.T) {
++	t.Skip("It requires HugeTLB controller enabled which requires mounting cgroupfs. Not achievable during the build.")
+ 	if goruntime.GOOS == "darwin" {
+ 		t.Skip("not implemented on Darwin")
+ 	}
+--- a/pkg/cri/server/container_update_resources_linux_test.go
++++ b/pkg/cri/server/container_update_resources_linux_test.go
+@@ -27,6 +27,7 @@
+ )
+ 
+ func TestUpdateOCILinuxResource(t *testing.T) {
++	t.Skip("It requires some privileges not achievable during the build.")
+ 	oomscoreadj := new(int)
+ 	*oomscoreadj = -500
+ 	for desc, test := range map[string]struct {

debian/rules

@@ -0,0 +1,76 @@
+#!/usr/bin/make -f
+
+include /usr/share/dpkg/architecture.mk
+
+# temporary build path (see http://golang.org/doc/code.html#GOPATH)
+OUR_GOPATH := $(CURDIR)/.gopath
+export GOPATH := $(OUR_GOPATH)
+export GOCACHE := $(CURDIR)/.gocache
+
+# https://blog.golang.org/go116-module-changes (TODO figure out a new solution for Go 1.17+)
+export GO111MODULE := auto
+
+# riscv64 doesn't support cgo
+# https://github.com/golang/go/issues/36641
+ifeq (riscv64, $(DEB_BUILD_ARCH))
+TAGS += no_btrfs
+SKIP += github.com/containerd/containerd/snapshots/btrfs
+endif
+
+# build explicitly against Go 1.13 (for now):
+#   https://github.com/containerd/containerd/issues/4509
+#   https://github.com/containerd/containerd/pull/4050
+#   https://github.com/golang/go/issues/37942
+# (containerd 1.4+ and Go 1.15+ can go back to "golang-go")
+export PATH := /usr/lib/go-1.13/bin:$(PATH)
+
+override_dh_gencontrol:
+	# use "dh_golang" to generate "misc:Built-Using" (via "go list")
+	DH_GOLANG_BUILDPKG=' \
+		-tags "$(TAGS)" \
+		github.com/containerd/containerd/cmd/containerd \
+		github.com/containerd/containerd/cmd/containerd-shim \
+		github.com/containerd/containerd/cmd/containerd-shim-runc-v1 \
+		github.com/containerd/containerd/cmd/containerd-shim-runc-v2 \
+		github.com/containerd/containerd/cmd/containerd-stress \
+		github.com/containerd/containerd/cmd/ctr \
+	' dh_golang --builddirectory='$(OUR_GOPATH:$(CURDIR)/%=%)'
+	dh_gencontrol
+
+override_dh_auto_configure:
+	# copy pristine source for "/usr/share/gocode" to get into "golang-github-containerd-containerd-dev" before we muddy it with build artifacts, etc
+	mkdir -p .pristine-source
+	tar -c --exclude=debian --exclude=.pc --exclude=.pristine-source --exclude=vendor . | tar -xC .pristine-source
+	# set up GOPATH symlink farm
+	mkdir -p '$(OUR_GOPATH)/src/github.com/containerd'
+	ln -sfT '$(CURDIR)' '$(OUR_GOPATH)/src/github.com/containerd/containerd'
+
+override_dh_auto_build:
+	cd '$(OUR_GOPATH)/src/github.com/containerd/containerd' \
+		&& make \
+			LDFLAGS='' \
+			VERSION='$(shell dpkg-parsechangelog -SVersion)' \
+			REVISION='' \
+			BUILDTAGS='$(TAGS)' \
+		&& make man
+
+override_dh_auto_test:
+ifneq (arm, $(DEB_HOST_ARCH_CPU)) # skip the tests on armhf ("--- FAIL: TestParseSelector/linux (0.00s)  platforms_test.go:292: arm support not fully implemented: not implemented")
+	cd '$(OUR_GOPATH)/src/github.com/containerd/containerd' && make test SKIPTESTS='$(SKIP)'
+endif
+
+override_dh_auto_install:
+	make install DESTDIR='$(CURDIR)/debian/tmp/usr'
+	make install-man DESTDIR='$(CURDIR)/debian/tmp/usr/share'
+	mkdir -p debian/tmp/usr/share/gocode/src/github.com/containerd \
+		&& mv .pristine-source debian/tmp/usr/share/gocode/src/github.com/containerd/containerd
+
+override_dh_installsystemd:
+	dh_installsystemd
+	# replace "/usr/local/bin/containerd" with "/usr/bin/containerd" in our systemd service file
+	grep '/usr/local/bin/containerd' debian/*/lib/systemd/system/containerd.service \
+		&& sed -i 's!/usr/local/bin/containerd!/usr/bin/containerd!g' debian/*/lib/systemd/system/containerd.service \
+		&& ! grep '/usr/local/bin/containerd' debian/*/lib/systemd/system/containerd.service
+
+%:
+	dh $@

debian/source/format

@@ -0,0 +1 @@
+3.0 (quilt)

debian/tests/basic-smoke

@@ -0,0 +1,15 @@
+#!/bin/bash
+set -Eeuo pipefail
+set -x
+
+# start up containerd
+containerd &
+
+# pull the "busybox" image from Docker Hub
+ctr images pull docker.io/library/busybox:latest
+
+# run it and capture the output
+output="$(ctr run --rm docker.io/library/busybox:latest "test-$$-$RANDOM" echo success)"
+
+# ensure the output was exactly what we expected
+[ "$output" = 'success' ]

debian/tests/control

@@ -0,0 +1,3 @@
+Tests: basic-smoke
+Depends: ca-certificates, @
+Restrictions: allow-stderr isolation-machine needs-root

debian/watch

@@ -0,0 +1,5 @@
+version=3
+opts=filenamemangle=s/.+\/v?(\d\S*)\.tar\.gz/containerd-$1\.tar\.gz/,\
+uversionmangle=s/(\d)[_\.\-\+]?((RC|rc|pre|dev|beta|alpha|preview)\d*)$/$1~$2/,\
+dversionmangle=s/[~+]ds\d*$// \
+  https://github.com/containerd/containerd/tags .*/v?(\d\S*)\.tar\.gz