changed debian/source/format to native

luoyaoming 2024-04-24 09:25:18 +08:00
parent 30af5366b8
commit ef0702237b
12 changed files with 1 additions and 822 deletions


@ -1,99 +0,0 @@
From: Shengjing Zhu <zhsj@debian.org>
Date: Wed, 16 Sep 2020 15:15:44 +0800
Subject: disable windows support in ctr metric
Forwarded: not-needed
---
cmd/ctr/commands/tasks/metrics.go | 55 ---------------------------------------
1 file changed, 55 deletions(-)
diff --git a/cmd/ctr/commands/tasks/metrics.go b/cmd/ctr/commands/tasks/metrics.go
index b2c18f2..c0214f4 100644
--- a/cmd/ctr/commands/tasks/metrics.go
+++ b/cmd/ctr/commands/tasks/metrics.go
@@ -23,7 +23,6 @@ import (
"os"
"text/tabwriter"
- wstats "github.com/Microsoft/hcsshim/cmd/containerd-shim-runhcs-v1/stats"
v1 "github.com/containerd/cgroups/stats/v1"
v2 "github.com/containerd/cgroups/v2/stats"
"github.com/containerd/containerd/cmd/ctr/commands"
@@ -80,15 +79,12 @@ var metricsCommand = cli.Command{
var (
data *v1.Metrics
data2 *v2.Metrics
- windowsStats *wstats.Statistics
)
switch v := anydata.(type) {
case *v1.Metrics:
data = v
case *v2.Metrics:
data2 = v
- case *wstats.Statistics:
- windowsStats = v
default:
return errors.New("cannot convert metric data to cgroups.Metrics or windows.Statistics")
}
@@ -102,16 +98,6 @@ var metricsCommand = cli.Command{
printCgroupMetricsTable(w, data)
} else if data2 != nil {
printCgroup2MetricsTable(w, data2)
- } else {
- if windowsStats.GetLinux() != nil {
- printCgroupMetricsTable(w, windowsStats.GetLinux())
- } else if windowsStats.GetWindows() != nil {
- printWindowsContainerStatistics(w, windowsStats.GetWindows())
- }
- // Print VM stats if its isolated
- if windowsStats.VM != nil {
- printWindowsVMStatistics(w, windowsStats.VM)
- }
}
return w.Flush()
case formatJSON:
@@ -165,44 +151,3 @@ func printCgroup2MetricsTable(w *tabwriter.Writer, data *v2.Metrics) {
fmt.Fprintf(w, "memory.swap_limit\t%v\t\n", data.Memory.SwapLimit)
}
}
-
-func printWindowsContainerStatistics(w *tabwriter.Writer, stats *wstats.WindowsContainerStatistics) {
- fmt.Fprintf(w, "METRIC\tVALUE\t\n")
- fmt.Fprintf(w, "timestamp\t%s\t\n", stats.Timestamp)
- fmt.Fprintf(w, "start_time\t%s\t\n", stats.ContainerStartTime)
- fmt.Fprintf(w, "uptime_ns\t%d\t\n", stats.UptimeNS)
- if stats.Processor != nil {
- fmt.Fprintf(w, "cpu.total_runtime_ns\t%d\t\n", stats.Processor.TotalRuntimeNS)
- fmt.Fprintf(w, "cpu.runtime_user_ns\t%d\t\n", stats.Processor.RuntimeUserNS)
- fmt.Fprintf(w, "cpu.runtime_kernel_ns\t%d\t\n", stats.Processor.RuntimeKernelNS)
- }
- if stats.Memory != nil {
- fmt.Fprintf(w, "memory.commit_bytes\t%d\t\n", stats.Memory.MemoryUsageCommitBytes)
- fmt.Fprintf(w, "memory.commit_peak_bytes\t%d\t\n", stats.Memory.MemoryUsageCommitPeakBytes)
- fmt.Fprintf(w, "memory.private_working_set_bytes\t%d\t\n", stats.Memory.MemoryUsagePrivateWorkingSetBytes)
- }
- if stats.Storage != nil {
- fmt.Fprintf(w, "storage.read_count_normalized\t%d\t\n", stats.Storage.ReadCountNormalized)
- fmt.Fprintf(w, "storage.read_size_bytes\t%d\t\n", stats.Storage.ReadSizeBytes)
- fmt.Fprintf(w, "storage.write_count_normalized\t%d\t\n", stats.Storage.WriteCountNormalized)
- fmt.Fprintf(w, "storage.write_size_bytes\t%d\t\n", stats.Storage.WriteSizeBytes)
- }
-}
-
-func printWindowsVMStatistics(w *tabwriter.Writer, stats *wstats.VirtualMachineStatistics) {
- fmt.Fprintf(w, "METRIC\tVALUE\t\n")
- if stats.Processor != nil {
- fmt.Fprintf(w, "vm.cpu.total_runtime_ns\t%d\t\n", stats.Processor.TotalRuntimeNS)
- }
- if stats.Memory != nil {
- fmt.Fprintf(w, "vm.memory.working_set_bytes\t%d\t\n", stats.Memory.WorkingSetBytes)
- fmt.Fprintf(w, "vm.memory.virtual_node_count\t%d\t\n", stats.Memory.VirtualNodeCount)
- fmt.Fprintf(w, "vm.memory.available\t%d\t\n", stats.Memory.VmMemory.AvailableMemory)
- fmt.Fprintf(w, "vm.memory.available_buffer\t%d\t\n", stats.Memory.VmMemory.AvailableMemoryBuffer)
- fmt.Fprintf(w, "vm.memory.reserved\t%d\t\n", stats.Memory.VmMemory.ReservedMemory)
- fmt.Fprintf(w, "vm.memory.assigned\t%d\t\n", stats.Memory.VmMemory.AssignedMemory)
- fmt.Fprintf(w, "vm.memory.slp_active\t%t\t\n", stats.Memory.VmMemory.SlpActive)
- fmt.Fprintf(w, "vm.memory.balancing_enabled\t%t\t\n", stats.Memory.VmMemory.BalancingEnabled)
- fmt.Fprintf(w, "vm.memory.dm_operation_in_progress\t%t\t\n", stats.Memory.VmMemory.DmOperationInProgress)
- }
-}


@ -1,30 +0,0 @@
From: Shengjing Zhu <zhsj@debian.org>
Date: Sat, 23 Jan 2021 00:42:41 +0800
Subject: disable runhcs option in cri config
Forwarded: not-needed
---
pkg/cri/server/helpers.go | 3 ---
1 file changed, 3 deletions(-)
diff --git a/pkg/cri/server/helpers.go b/pkg/cri/server/helpers.go
index 9ee88a6..a94315a 100644
--- a/pkg/cri/server/helpers.go
+++ b/pkg/cri/server/helpers.go
@@ -40,7 +40,6 @@ import (
runtimespec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/sirupsen/logrus"
- runhcsoptions "github.com/Microsoft/hcsshim/cmd/containerd-shim-runhcs-v1/options"
imagedigest "github.com/opencontainers/go-digest"
"github.com/pelletier/go-toml"
"golang.org/x/net/context"
@@ -366,8 +365,6 @@ func getRuntimeOptionsType(t string) interface{} {
return &runcoptions.Options{}
case plugin.RuntimeLinuxV1:
return &runctypes.RuncOptions{}
- case runtimeRunhcsV1:
- return &runhcsoptions.Options{}
default:
return &runtimeoptions.Options{}
}


@ -1,159 +0,0 @@
From: Shengjing Zhu <zhsj@debian.org>
Date: Fri, 16 Dec 2022 02:34:18 +0800
Subject: Remove depends on google.golang.org/protobuf/proto
Forwarded: not-needed
---
.../container_update_resources_linux_test.go | 61 +++++++++++-----------
1 file changed, 31 insertions(+), 30 deletions(-)
diff --git a/pkg/cri/server/container_update_resources_linux_test.go b/pkg/cri/server/container_update_resources_linux_test.go
index 33a6acf..8466b00 100644
--- a/pkg/cri/server/container_update_resources_linux_test.go
+++ b/pkg/cri/server/container_update_resources_linux_test.go
@@ -22,7 +22,6 @@ import (
runtimespec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/stretchr/testify/assert"
- "google.golang.org/protobuf/proto"
runtime "k8s.io/cri-api/pkg/apis/runtime/v1"
criconfig "github.com/containerd/containerd/pkg/cri/config"
@@ -30,6 +29,8 @@ import (
)
func TestUpdateOCILinuxResource(t *testing.T) {
+ newI64 := func(i int64) *int64 { return &i }
+ newU64 := func(i uint64) *uint64 { return &i }
oomscoreadj := new(int)
*oomscoreadj = -500
expectedSwap := func(swap int64) *int64 {
@@ -49,11 +50,11 @@ func TestUpdateOCILinuxResource(t *testing.T) {
Process: &runtimespec.Process{OOMScoreAdj: oomscoreadj},
Linux: &runtimespec.Linux{
Resources: &runtimespec.LinuxResources{
- Memory: &runtimespec.LinuxMemory{Limit: proto.Int64(12345)},
+ Memory: &runtimespec.LinuxMemory{Limit: newI64(12345)},
CPU: &runtimespec.LinuxCPU{
- Shares: proto.Uint64(1111),
- Quota: proto.Int64(2222),
- Period: proto.Uint64(3333),
+ Shares: newU64(1111),
+ Quota: newI64(2222),
+ Period: newU64(3333),
Cpus: "0-1",
Mems: "2-3",
},
@@ -78,13 +79,13 @@ func TestUpdateOCILinuxResource(t *testing.T) {
Linux: &runtimespec.Linux{
Resources: &runtimespec.LinuxResources{
Memory: &runtimespec.LinuxMemory{
- Limit: proto.Int64(54321),
+ Limit: newI64(54321),
Swap: expectedSwap(54321),
},
CPU: &runtimespec.LinuxCPU{
- Shares: proto.Uint64(4444),
- Quota: proto.Int64(5555),
- Period: proto.Uint64(6666),
+ Shares: newU64(4444),
+ Quota: newI64(5555),
+ Period: newU64(6666),
Cpus: "4-5",
Mems: "6-7",
},
@@ -98,11 +99,11 @@ func TestUpdateOCILinuxResource(t *testing.T) {
Process: &runtimespec.Process{OOMScoreAdj: oomscoreadj},
Linux: &runtimespec.Linux{
Resources: &runtimespec.LinuxResources{
- Memory: &runtimespec.LinuxMemory{Limit: proto.Int64(12345)},
+ Memory: &runtimespec.LinuxMemory{Limit: newI64(12345)},
CPU: &runtimespec.LinuxCPU{
- Shares: proto.Uint64(1111),
- Quota: proto.Int64(2222),
- Period: proto.Uint64(3333),
+ Shares: newU64(1111),
+ Quota: newI64(2222),
+ Period: newU64(3333),
Cpus: "0-1",
Mems: "2-3",
},
@@ -124,13 +125,13 @@ func TestUpdateOCILinuxResource(t *testing.T) {
Linux: &runtimespec.Linux{
Resources: &runtimespec.LinuxResources{
Memory: &runtimespec.LinuxMemory{
- Limit: proto.Int64(54321),
+ Limit: newI64(54321),
Swap: expectedSwap(54321),
},
CPU: &runtimespec.LinuxCPU{
- Shares: proto.Uint64(4444),
- Quota: proto.Int64(5555),
- Period: proto.Uint64(3333),
+ Shares: newU64(4444),
+ Quota: newI64(5555),
+ Period: newU64(3333),
Cpus: "0-1",
Mems: "6-7",
},
@@ -144,7 +145,7 @@ func TestUpdateOCILinuxResource(t *testing.T) {
Process: &runtimespec.Process{OOMScoreAdj: oomscoreadj},
Linux: &runtimespec.Linux{
Resources: &runtimespec.LinuxResources{
- Memory: &runtimespec.LinuxMemory{Limit: proto.Int64(12345)},
+ Memory: &runtimespec.LinuxMemory{Limit: newI64(12345)},
},
},
},
@@ -165,13 +166,13 @@ func TestUpdateOCILinuxResource(t *testing.T) {
Linux: &runtimespec.Linux{
Resources: &runtimespec.LinuxResources{
Memory: &runtimespec.LinuxMemory{
- Limit: proto.Int64(54321),
+ Limit: newI64(54321),
Swap: expectedSwap(54321),
},
CPU: &runtimespec.LinuxCPU{
- Shares: proto.Uint64(4444),
- Quota: proto.Int64(5555),
- Period: proto.Uint64(6666),
+ Shares: newU64(4444),
+ Quota: newI64(5555),
+ Period: newU64(6666),
Cpus: "4-5",
Mems: "6-7",
},
@@ -185,11 +186,11 @@ func TestUpdateOCILinuxResource(t *testing.T) {
Process: &runtimespec.Process{OOMScoreAdj: oomscoreadj},
Linux: &runtimespec.Linux{
Resources: &runtimespec.LinuxResources{
- Memory: &runtimespec.LinuxMemory{Limit: proto.Int64(12345)},
+ Memory: &runtimespec.LinuxMemory{Limit: newI64(12345)},
CPU: &runtimespec.LinuxCPU{
- Shares: proto.Uint64(1111),
- Quota: proto.Int64(2222),
- Period: proto.Uint64(3333),
+ Shares: newU64(1111),
+ Quota: newI64(2222),
+ Period: newU64(3333),
Cpus: "0-1",
Mems: "2-3",
},
@@ -214,13 +215,13 @@ func TestUpdateOCILinuxResource(t *testing.T) {
Linux: &runtimespec.Linux{
Resources: &runtimespec.LinuxResources{
Memory: &runtimespec.LinuxMemory{
- Limit: proto.Int64(54321),
+ Limit: newI64(54321),
Swap: expectedSwap(54321),
},
CPU: &runtimespec.LinuxCPU{
- Shares: proto.Uint64(4444),
- Quota: proto.Int64(5555),
- Period: proto.Uint64(6666),
+ Shares: newU64(4444),
+ Quota: newI64(5555),
+ Period: newU64(6666),
Cpus: "4-5",
Mems: "6-7",
},


@ -1,56 +0,0 @@
From: Shengjing Zhu <zhsj@debian.org>
Date: Mon, 21 Feb 2022 00:53:36 +0800
Subject: Disable opentelemetry
go.opentelemetry.io/contrib is not packaged.
Forwarded: not-needed
---
cmd/containerd/builtins.go | 1 -
services/server/server.go | 14 ++------------
2 files changed, 2 insertions(+), 13 deletions(-)
diff --git a/cmd/containerd/builtins.go b/cmd/containerd/builtins.go
index 8c6f1fe..dd8b1d3 100644
--- a/cmd/containerd/builtins.go
+++ b/cmd/containerd/builtins.go
@@ -36,5 +36,4 @@ import (
_ "github.com/containerd/containerd/services/snapshots"
_ "github.com/containerd/containerd/services/tasks"
_ "github.com/containerd/containerd/services/version"
- _ "github.com/containerd/containerd/tracing/plugin"
)
diff --git a/services/server/server.go b/services/server/server.go
index 857cc9c..b6ea8cf 100644
--- a/services/server/server.go
+++ b/services/server/server.go
@@ -53,10 +53,8 @@ import (
"github.com/containerd/containerd/sys"
"github.com/containerd/ttrpc"
metrics "github.com/docker/go-metrics"
- grpc_middleware "github.com/grpc-ecosystem/go-grpc-middleware"
grpc_prometheus "github.com/grpc-ecosystem/go-grpc-prometheus"
bolt "go.etcd.io/bbolt"
- "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
"google.golang.org/grpc"
"google.golang.org/grpc/backoff"
"google.golang.org/grpc/credentials"
@@ -131,16 +129,8 @@ func New(ctx context.Context, config *srvconfig.Config) (*Server, error) {
}
serverOpts := []grpc.ServerOption{
- grpc.StreamInterceptor(grpc_middleware.ChainStreamServer(
- otelgrpc.StreamServerInterceptor(),
- grpc.StreamServerInterceptor(grpc_prometheus.StreamServerInterceptor),
- streamNamespaceInterceptor,
- )),
- grpc.UnaryInterceptor(grpc_middleware.ChainUnaryServer(
- otelgrpc.UnaryServerInterceptor(),
- grpc.UnaryServerInterceptor(grpc_prometheus.UnaryServerInterceptor),
- unaryNamespaceInterceptor,
- )),
+ grpc.UnaryInterceptor(grpc_prometheus.UnaryServerInterceptor),
+ grpc.StreamInterceptor(grpc_prometheus.StreamServerInterceptor),
}
if config.GRPC.MaxRecvMsgSize > 0 {
serverOpts = append(serverOpts, grpc.MaxRecvMsgSize(config.GRPC.MaxRecvMsgSize))


@ -1,155 +0,0 @@
From: Shengjing Zhu <zhushengjing@cambricon.com>
Date: Mon, 21 Feb 2022 00:50:59 +0800
Subject: Revert "Use insecure.NewCredentials instead of grpc.WithInsecure"
This reverts commit 2ee3ce510cf26d5eb400fac118aeeec5c20ed83f.
Need golang-google-grpc-dev v1.34.0
Forwarded: not-needed
---
client.go | 3 +--
cmd/containerd/command/publish.go | 3 +--
integration/main_test.go | 6 +-----
integration/remote/remote_image.go | 7 +------
integration/remote/remote_runtime.go | 7 +------
services/server/server.go | 3 +--
6 files changed, 6 insertions(+), 23 deletions(-)
diff --git a/client.go b/client.go
index 1c2202e..86fa787 100644
--- a/client.go
+++ b/client.go
@@ -64,7 +64,6 @@ import (
"golang.org/x/sync/semaphore"
"google.golang.org/grpc"
"google.golang.org/grpc/backoff"
- "google.golang.org/grpc/credentials/insecure"
"google.golang.org/grpc/health/grpc_health_v1"
)
@@ -118,7 +117,7 @@ func New(address string, opts ...ClientOpt) (*Client, error) {
}
gopts := []grpc.DialOption{
grpc.WithBlock(),
- grpc.WithTransportCredentials(insecure.NewCredentials()),
+ grpc.WithInsecure(),
grpc.FailOnNonTempDialError(true),
grpc.WithConnectParams(connParams),
grpc.WithContextDialer(dialer.ContextDialer),
diff --git a/cmd/containerd/command/publish.go b/cmd/containerd/command/publish.go
index b18f19f..e138ed4 100644
--- a/cmd/containerd/command/publish.go
+++ b/cmd/containerd/command/publish.go
@@ -32,7 +32,6 @@ import (
"github.com/urfave/cli"
"google.golang.org/grpc"
"google.golang.org/grpc/backoff"
- "google.golang.org/grpc/credentials/insecure"
)
var publishCommand = cli.Command{
@@ -100,7 +99,7 @@ func connect(address string, d func(gocontext.Context, string) (net.Conn, error)
}
gopts := []grpc.DialOption{
grpc.WithBlock(),
- grpc.WithTransportCredentials(insecure.NewCredentials()),
+ grpc.WithInsecure(),
grpc.WithContextDialer(d),
grpc.FailOnNonTempDialError(true),
grpc.WithConnectParams(connParams),
diff --git a/integration/main_test.go b/integration/main_test.go
index a62687c..fb8556e 100644
--- a/integration/main_test.go
+++ b/integration/main_test.go
@@ -47,7 +47,6 @@ import (
"github.com/stretchr/testify/require"
exec "golang.org/x/sys/execabs"
"google.golang.org/grpc"
- "google.golang.org/grpc/credentials/insecure"
runtime "k8s.io/cri-api/pkg/apis/runtime/v1"
)
@@ -507,10 +506,7 @@ func RawRuntimeClient() (runtime.RuntimeServiceClient, error) {
}
ctx, cancel := context.WithTimeout(context.Background(), timeout)
defer cancel()
- conn, err := grpc.DialContext(ctx, addr,
- grpc.WithTransportCredentials(insecure.NewCredentials()),
- grpc.WithContextDialer(dialer),
- )
+ conn, err := grpc.DialContext(ctx, addr, grpc.WithInsecure(), grpc.WithContextDialer(dialer))
if err != nil {
return nil, fmt.Errorf("failed to connect cri endpoint: %w", err)
}
diff --git a/integration/remote/remote_image.go b/integration/remote/remote_image.go
index 16088a9..a722d41 100644
--- a/integration/remote/remote_image.go
+++ b/integration/remote/remote_image.go
@@ -39,7 +39,6 @@ import (
"time"
"google.golang.org/grpc"
- "google.golang.org/grpc/credentials/insecure"
"k8s.io/klog/v2"
internalapi "github.com/containerd/containerd/integration/cri-api/pkg/apis"
@@ -65,11 +64,7 @@ func NewImageService(endpoint string, connectionTimeout time.Duration) (internal
ctx, cancel := context.WithTimeout(context.Background(), connectionTimeout)
defer cancel()
- conn, err := grpc.DialContext(ctx, addr,
- grpc.WithTransportCredentials(insecure.NewCredentials()),
- grpc.WithContextDialer(dialer),
- grpc.WithDefaultCallOptions(grpc.MaxCallRecvMsgSize(maxMsgSize)),
- )
+ conn, err := grpc.DialContext(ctx, addr, grpc.WithInsecure(), grpc.WithContextDialer(dialer), grpc.WithDefaultCallOptions(grpc.MaxCallRecvMsgSize(maxMsgSize)))
if err != nil {
klog.Errorf("Connect remote image service %s failed: %v", addr, err)
return nil, err
diff --git a/integration/remote/remote_runtime.go b/integration/remote/remote_runtime.go
index b172b94..d9bd813 100644
--- a/integration/remote/remote_runtime.go
+++ b/integration/remote/remote_runtime.go
@@ -40,7 +40,6 @@ import (
"time"
"google.golang.org/grpc"
- "google.golang.org/grpc/credentials/insecure"
"k8s.io/klog/v2"
internalapi "github.com/containerd/containerd/integration/cri-api/pkg/apis"
@@ -74,11 +73,7 @@ func NewRuntimeService(endpoint string, connectionTimeout time.Duration) (intern
ctx, cancel := context.WithTimeout(context.Background(), connectionTimeout)
defer cancel()
- conn, err := grpc.DialContext(ctx, addr,
- grpc.WithTransportCredentials(insecure.NewCredentials()),
- grpc.WithContextDialer(dialer),
- grpc.WithDefaultCallOptions(grpc.MaxCallRecvMsgSize(maxMsgSize)),
- )
+ conn, err := grpc.DialContext(ctx, addr, grpc.WithInsecure(), grpc.WithContextDialer(dialer), grpc.WithDefaultCallOptions(grpc.MaxCallRecvMsgSize(maxMsgSize)))
if err != nil {
klog.Errorf("Connect remote runtime %s failed: %v", addr, err)
return nil, err
diff --git a/services/server/server.go b/services/server/server.go
index b6ea8cf..614591f 100644
--- a/services/server/server.go
+++ b/services/server/server.go
@@ -58,7 +58,6 @@ import (
"google.golang.org/grpc"
"google.golang.org/grpc/backoff"
"google.golang.org/grpc/credentials"
- "google.golang.org/grpc/credentials/insecure"
)
const (
@@ -540,7 +539,7 @@ func (pc *proxyClients) getClient(address string) (*grpc.ClientConn, error) {
Backoff: backoffConfig,
}
gopts := []grpc.DialOption{
- grpc.WithTransportCredentials(insecure.NewCredentials()),
+ grpc.WithInsecure(),
grpc.WithConnectParams(connParams),
grpc.WithContextDialer(dialer.ContextDialer),


@ -1,174 +0,0 @@
From: Shengjing Zhu <zhsj@debian.org>
Date: Tue, 22 Feb 2022 01:57:23 +0800
Subject: Fix build with gccgo
Origin: backport, https://github.com/containerd/containerd/commit/d28981d4
---
mount/subprocess_unsafe.s | 15 +++++++++++++++
mount/subprocess_unsafe_gc.go | 33 +++++++++++++++++++++++++++++++++
mount/subprocess_unsafe_gccgo.go | 33 +++++++++++++++++++++++++++++++++
mount/subprocess_unsafe_linux.go | 30 ------------------------------
mount/subprocess_unsafe_linux.s | 15 ---------------
5 files changed, 81 insertions(+), 45 deletions(-)
create mode 100644 mount/subprocess_unsafe.s
create mode 100644 mount/subprocess_unsafe_gc.go
create mode 100644 mount/subprocess_unsafe_gccgo.go
delete mode 100644 mount/subprocess_unsafe_linux.go
delete mode 100644 mount/subprocess_unsafe_linux.s
diff --git a/mount/subprocess_unsafe.s b/mount/subprocess_unsafe.s
new file mode 100644
index 0000000..c073fa4
--- /dev/null
+++ b/mount/subprocess_unsafe.s
@@ -0,0 +1,15 @@
+/*
+ Copyright The containerd Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+*/
diff --git a/mount/subprocess_unsafe_gc.go b/mount/subprocess_unsafe_gc.go
new file mode 100644
index 0000000..695280a
--- /dev/null
+++ b/mount/subprocess_unsafe_gc.go
@@ -0,0 +1,33 @@
+//go:build linux && gc
+// +build linux,gc
+
+/*
+ Copyright The containerd Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+*/
+
+package mount
+
+import (
+ _ "unsafe" // required for go:linkname.
+)
+
+//go:linkname beforeFork syscall.runtime_BeforeFork
+func beforeFork()
+
+//go:linkname afterFork syscall.runtime_AfterFork
+func afterFork()
+
+//go:linkname afterForkInChild syscall.runtime_AfterForkInChild
+func afterForkInChild()
diff --git a/mount/subprocess_unsafe_gccgo.go b/mount/subprocess_unsafe_gccgo.go
new file mode 100644
index 0000000..72c38e7
--- /dev/null
+++ b/mount/subprocess_unsafe_gccgo.go
@@ -0,0 +1,33 @@
+//go:build linux && gccgo
+// +build linux,gccgo
+
+/*
+ Copyright The containerd Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+*/
+
+package mount
+
+import (
+ _ "unsafe" // required for go:linkname.
+)
+
+//go:linkname beforeFork syscall.runtime__BeforeFork
+func beforeFork()
+
+//go:linkname afterFork syscall.runtime__AfterFork
+func afterFork()
+
+//go:linkname afterForkInChild syscall.runtime__AfterForkInChild
+func afterForkInChild()
diff --git a/mount/subprocess_unsafe_linux.go b/mount/subprocess_unsafe_linux.go
deleted file mode 100644
index c7cb0c0..0000000
--- a/mount/subprocess_unsafe_linux.go
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- Copyright The containerd Authors.
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-*/
-
-package mount
-
-import (
- _ "unsafe" // required for go:linkname.
-)
-
-//go:linkname beforeFork syscall.runtime_BeforeFork
-func beforeFork()
-
-//go:linkname afterFork syscall.runtime_AfterFork
-func afterFork()
-
-//go:linkname afterForkInChild syscall.runtime_AfterForkInChild
-func afterForkInChild()
diff --git a/mount/subprocess_unsafe_linux.s b/mount/subprocess_unsafe_linux.s
deleted file mode 100644
index c073fa4..0000000
--- a/mount/subprocess_unsafe_linux.s
+++ /dev/null
@@ -1,15 +0,0 @@
-/*
- Copyright The containerd Authors.
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-*/


@ -1,39 +0,0 @@
From: Shengjing Zhu <zhsj@debian.org>
Date: Sun, 27 Feb 2022 23:16:03 +0800
Subject: cri: fix integration test on cgroupsv2 system
Forwarded: https://github.com/containerd/containerd/pull/6595
---
integration/container_update_resources_test.go | 12 ++++--------
1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/integration/container_update_resources_test.go b/integration/container_update_resources_test.go
index 1d05800..69f6d81 100644
--- a/integration/container_update_resources_test.go
+++ b/integration/container_update_resources_test.go
@@ -270,11 +270,8 @@ func TestUpdateContainerResources_MemoryLimit(t *testing.T) {
require.NoError(t, err)
t.Log("Check memory limit in cgroup")
- cgroup, err := cgroups.Load(cgroups.V1, cgroups.PidPath(int(task.Pid())))
- require.NoError(t, err)
- stat, err := cgroup.Stat(cgroups.IgnoreNotExist)
- require.NoError(t, err)
- assert.Equal(t, uint64(400*1024*1024), stat.Memory.Usage.Limit)
+ memLimit := getCgroupMemoryLimitForTask(t, task)
+ assert.Equal(t, uint64(400*1024*1024), memLimit)
swapLimit := getCgroupSwapLimitForTask(t, task)
assert.Equal(t, uint64(400*1024*1024), swapLimit)
@@ -291,9 +288,8 @@ func TestUpdateContainerResources_MemoryLimit(t *testing.T) {
checkMemorySwapLimit(t, spec, expectedSwapLimit(800*1024*1024))
t.Log("Check memory limit in cgroup")
- stat, err = cgroup.Stat(cgroups.IgnoreNotExist)
- require.NoError(t, err)
- assert.Equal(t, uint64(800*1024*1024), stat.Memory.Usage.Limit)
+ memLimit = getCgroupMemoryLimitForTask(t, task)
+ assert.Equal(t, uint64(800*1024*1024), memLimit)
swapLimit = getCgroupSwapLimitForTask(t, task)
assert.Equal(t, uint64(800*1024*1024), swapLimit)
}


@ -1,22 +0,0 @@
From: Shengjing Zhu <zhsj@debian.org>
Date: Tue, 1 Mar 2022 21:38:59 +0800
Subject: Add Debian specific CNI bin dir to ctr run command
Forwarded: not-needed
---
cmd/ctr/commands/run/run.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cmd/ctr/commands/run/run.go b/cmd/ctr/commands/run/run.go
index bf0ebfe..5c2b489 100644
--- a/cmd/ctr/commands/run/run.go
+++ b/cmd/ctr/commands/run/run.go
@@ -180,7 +180,7 @@ var Command = cli.Command{
}
var network gocni.CNI
if enableCNI {
- if network, err = gocni.New(gocni.WithDefaultConf); err != nil {
+ if network, err = gocni.New(gocni.WithPluginDir([]string{gocni.DefaultCNIDir, "/usr/lib/cni"}), gocni.WithDefaultConf); err != nil {
return err
}
}


@ -1,54 +0,0 @@
From: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Date: Tue, 15 Aug 2023 04:31:45 +0900
Subject: seccomp, apparmor: add go:noinline
Origin: backport, https://github.com/containerd/containerd/commit/0f043ae4
---
contrib/apparmor/apparmor.go | 5 +++++
contrib/seccomp/seccomp.go | 10 ++++++++++
2 files changed, 15 insertions(+)
diff --git a/contrib/apparmor/apparmor.go b/contrib/apparmor/apparmor.go
index be6a49a..52a1056 100644
--- a/contrib/apparmor/apparmor.go
+++ b/contrib/apparmor/apparmor.go
@@ -40,6 +40,11 @@ func WithProfile(profile string) oci.SpecOpts {
// WithDefaultProfile will generate a default apparmor profile under the provided name
// for the container. It is only generated if a profile under that name does not exist.
+//
+// FIXME: pkg/cri/[sb]server/container_create_linux_test.go depends on go:noinline
+// since Go 1.21.
+//
+//go:noinline
func WithDefaultProfile(name string) oci.SpecOpts {
return func(_ context.Context, _ oci.Client, _ *containers.Container, s *specs.Spec) error {
if err := LoadDefaultProfile(name); err != nil {
diff --git a/contrib/seccomp/seccomp.go b/contrib/seccomp/seccomp.go
index 5292cbc..becf089 100644
--- a/contrib/seccomp/seccomp.go
+++ b/contrib/seccomp/seccomp.go
@@ -30,6 +30,11 @@ import (
// WithProfile receives the name of a file stored on disk comprising a json
// formatted seccomp profile, as specified by the opencontainers/runtime-spec.
// The profile is read from the file, unmarshaled, and set to the spec.
+//
+// FIXME: pkg/cri/[sb]server/container_create_linux_test.go depends on go:noinline
+// since Go 1.21.
+//
+//go:noinline
func WithProfile(profile string) oci.SpecOpts {
return func(_ context.Context, _ oci.Client, _ *containers.Container, s *specs.Spec) error {
s.Linux.Seccomp = &specs.LinuxSeccomp{}
@@ -46,6 +51,11 @@ func WithProfile(profile string) oci.SpecOpts {
// WithDefaultProfile sets the default seccomp profile to the spec.
// Note: must follow the setting of process capabilities
+//
+// FIXME: pkg/cri/[sb]server/container_create_linux_test.go depends on go:noinline
+// since Go 1.21.
+//
+//go:noinline
func WithDefaultProfile() oci.SpecOpts {
return func(_ context.Context, _ oci.Client, _ *containers.Container, s *specs.Spec) error {
s.Linux.Seccomp = DefaultProfile(s)


@ -1,23 +0,0 @@
From: Shengjing Zhu <zhsj@debian.org>
Date: Wed, 23 Aug 2023 14:07:38 +0800
Subject: sys: unprivileged user can adjust oom scroe when initial is negative
Forwarded: https://github.com/containerd/containerd/pull/8999
---
sys/oom_linux_test.go | 3 +++
1 file changed, 3 insertions(+)
diff --git a/sys/oom_linux_test.go b/sys/oom_linux_test.go
index 0c8f90b..170aa98 100644
--- a/sys/oom_linux_test.go
+++ b/sys/oom_linux_test.go
@@ -55,6 +55,9 @@ func TestSetNegativeOomScoreAdjustmentWhenUnprivilegedHasNoEffect(t *testing.T)
initial, adjustment, err := adjustOom(-123)
assert.NilError(t, err)
+ if initial < 0 {
+ t.Skip("unprivileged user can adjust oom scroe when initial is negative")
+ }
assert.Check(t, is.Equal(adjustment, initial))
}

10
debian/patches/series vendored

@ -1,10 +0,0 @@
0001-disable-windows-support-in-ctr-metric.patch
0002-disable-runhcs-option-in-cri-config.patch
0003-Remove-depends-on-google.golang.org-protobuf-proto.patch
0004-Disable-otelgrpc-telemetry.patch
0005-Revert-Use-insecure.NewCredentials-instead-of-grpc.W.patch
0006-Fix-build-with-gccgo.patch
0007-cri-fix-integration-test-on-cgroupsv2-system.patch
0008-Add-Debian-specific-CNI-bin-dir-to-ctr-run-command.patch
0009-seccomp-apparmor-add-go-noinline.patch
0010-sys-unprivileged-user-can-adjust-oom-scroe-when-init.patch

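--- a/debian/source/format
+++ b/debian/source/format
@@ -1 +1 @@
-3.0 (quilt)
+3.0 (native)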
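Review bot: Switching `debian/source/format` to `3.0 (native)` while deleting `debian/patches/series` and all ten quilt patches leaves no visible record of whether those changes are still carried in the tree; the commit totals 1 addition, so none of them is applied here. If the tree was not already in the patched state, the build would presumably pull back the dependencies the patches removed (hcsshim, otelgrpc, `credentials/insecure`) and lose the Debian CNI plugin dir and the `//go:noinline` markers, which is worth confirming before this lands. A native package also stops separating the distribution delta from the upstream source, so later audits of what differs from upstream get harder; I would record the upstream version and the list of folded-in patches in the commit description or in `debian/README.source`.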