From 68cdd9e163ad4551962cb900760e945df53caa6b Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 18 Mar 2025 00:15:59 +0000
Subject: [PATCH] build(deps): bump github.com/containerd/containerd/v2
Bumps [github.com/containerd/containerd/v2](https://github.com/containerd/containerd) from 2.0.3 to 2.0.4.
- [Release notes](https://github.com/containerd/containerd/releases)
- [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md)
- [Commits](https://github.com/containerd/containerd/compare/v2.0.3...v2.0.4)
---
updated-dependencies:
- dependency-name: github.com/containerd/containerd/v2
 dependency-type: direct:production
...
Signed-off-by: dependabot[bot]
---
 go.mod | 2 +-
 go.sum | 4 ++--
 .../containerd/containerd/v2/client/client.go | 3 ++-
 .../containerd/v2/core/images/image.go | 4 ++--
 .../containerd/v2/core/images/mediatypes.go | 13 ++++++++++
 .../containerd/v2/core/remotes/handlers.go | 2 ++
 .../containerd/v2/pkg/oci/spec_opts.go | 24 +++++++++++++++----
 .../containerd/v2/version/version.go | 3 ++-
 vendor/modules.txt | 2 +-
 9 files changed, 45 insertions(+), 12 deletions(-)
diff --git a/go.mod b/go.mod
index 654c3d5fd89c..8eccd8ecf865 100644
--- a/go.mod
+++ b/go.mod
@@ -17,7 +17,7 @@ require (
 github.com/aws/aws-sdk-go-v2/service/s3 v1.58.2
 github.com/containerd/console v1.0.4
 github.com/containerd/containerd/api v1.8.0
- github.com/containerd/containerd/v2 v2.0.3
+ github.com/containerd/containerd/v2 v2.0.4
 github.com/containerd/continuity v0.4.5
 github.com/containerd/errdefs v1.0.0
 github.com/containerd/fuse-overlayfs-snapshotter/v2 v2.1.1
diff --git a/go.sum b/go.sum
index 0bd8bd08158a..d605d1a9d59c 100644
--- a/go.sum
+++ b/go.sum
@@ -95,8 +95,8 @@ github.com/containerd/console v1.0.4 h1:F2g4+oChYvBTsASRTz8NP6iIAi97J3TtSAsLbIFn
 github.com/containerd/console v1.0.4/go.mod h1:YynlIjWYF8myEu6sdkwKIvGQq+cOckRm6So2avqoYAk=
 github.com/containerd/containerd/api v1.8.0 h1:hVTNJKR8fMc/2Tiw60ZRijntNMd1U+JVMyTRdsD2bS0=
 github.com/containerd/containerd/api v1.8.0/go.mod h1:dFv4lt6S20wTu/hMcP4350RL87qPWLVa/OHOwmmdnYc=
-github.com/containerd/containerd/v2 v2.0.3 h1:zBKgwgZsuu+LPCMzCLgA4sC4MiZzZ59ZT31XkmiISQM=
-github.com/containerd/containerd/v2 v2.0.3/go.mod h1:5j9QUUaV/cy9ZeAx4S+8n9ffpf+iYnEj4jiExgcbuLY=
+github.com/containerd/containerd/v2 v2.0.4 h1:+r7yJMwhTfMm3CDyiBjMBQO8a9CTBxL2Bg/JtqtIwB8=
+github.com/containerd/containerd/v2 v2.0.4/go.mod h1:5j9QUUaV/cy9ZeAx4S+8n9ffpf+iYnEj4jiExgcbuLY=
 github.com/containerd/continuity v0.4.5 h1:ZRoN1sXq9u7V6QoHMcVWGhOwDFqZ4B9i5H6un1Wh0x4=
 github.com/containerd/continuity v0.4.5/go.mod h1:/lNJvtJKUQStBzpVQ1+rasXO1LAWtUQssk28EZvJ3nE=
 github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
diff --git a/vendor/github.com/containerd/containerd/v2/client/client.go b/vendor/github.com/containerd/containerd/v2/client/client.go
index c58459b214f3..8a19d3307cc0 100644
--- a/vendor/github.com/containerd/containerd/v2/client/client.go
+++ b/vendor/github.com/containerd/containerd/v2/client/client.go
@@ -129,7 +129,8 @@ func New(address string, opts ...Opt) (*Client, error) {
 backoffConfig := backoff.DefaultConfig
 backoffConfig.MaxDelay = copts.timeout
 connParams := grpc.ConnectParams{
- Backoff: backoffConfig,
+ Backoff: backoffConfig,
+ MinConnectTimeout: copts.timeout,
 }
 gopts := []grpc.DialOption{
 grpc.WithTransportCredentials(insecure.NewCredentials()),
diff --git a/vendor/github.com/containerd/containerd/v2/core/images/image.go b/vendor/github.com/containerd/containerd/v2/core/images/image.go
index 6bc106aac530..9fcce9b4eb0d 100644
--- a/vendor/github.com/containerd/containerd/v2/core/images/image.go
+++ b/vendor/github.com/containerd/containerd/v2/core/images/image.go
@@ -369,8 +369,8 @@ func Children(ctx context.Context, provider content.Provider, desc ocispec.Descr
 }
 return append([]ocispec.Descriptor{}, index.Manifests...), nil
- } else if !IsLayerType(desc.MediaType) && !IsKnownConfig(desc.MediaType) {
- // Layers and configs are childless data types and should not be logged.
+ } else if !IsLayerType(desc.MediaType) && !IsKnownConfig(desc.MediaType) && !IsAttestationType(desc.MediaType) {
+ // Layers, configs, and attestations are childless data types and should not be logged.
 log.G(ctx).Debugf("encountered unknown type %v; children may not be fetched", desc.MediaType)
 }
 return nil, nil
diff --git a/vendor/github.com/containerd/containerd/v2/core/images/mediatypes.go b/vendor/github.com/containerd/containerd/v2/core/images/mediatypes.go
index d2e845b16d52..0c8600d86ffc 100644
--- a/vendor/github.com/containerd/containerd/v2/core/images/mediatypes.go
+++ b/vendor/github.com/containerd/containerd/v2/core/images/mediatypes.go
@@ -58,6 +58,9 @@ const (
 MediaTypeImageLayerEncrypted = ocispec.MediaTypeImageLayer + "+encrypted"
 MediaTypeImageLayerGzipEncrypted = ocispec.MediaTypeImageLayerGzip + "+encrypted"
+
+ // In-toto attestation
+ MediaTypeInToto = "application/vnd.in-toto+json"
 )
 // DiffCompression returns the compression as defined by the layer diff media
@@ -193,6 +196,16 @@ func IsKnownConfig(mt string) bool {
 return false
 }
+// IsAttestationType returns true if the media type is an attestation type
+func IsAttestationType(mt string) bool {
+ switch mt {
+ case MediaTypeInToto:
+ return true
+ default:
+ return false
+ }
+}
+
 // ChildGCLabels returns the label for a given descriptor to reference it
 func ChildGCLabels(desc ocispec.Descriptor) []string {
 mt := desc.MediaType
diff --git a/vendor/github.com/containerd/containerd/v2/core/remotes/handlers.go b/vendor/github.com/containerd/containerd/v2/core/remotes/handlers.go
index 16fcdbf84dc0..a3e1ff984ae7 100644
--- a/vendor/github.com/containerd/containerd/v2/core/remotes/handlers.go
+++ b/vendor/github.com/containerd/containerd/v2/core/remotes/handlers.go
@@ -80,6 +80,8 @@ func MakeRefKey(ctx context.Context, desc ocispec.Descriptor) string {
 return "layer-" + key
 case images.IsKnownConfig(desc.MediaType):
 return "config-" + key
+ case images.IsAttestationType(desc.MediaType):
+ return "attestation-" + key
 default:
 log.G(ctx).Warnf("reference for unknown type: %s", desc.MediaType)
 return "unknown-" + key
diff --git a/vendor/github.com/containerd/containerd/v2/pkg/oci/spec_opts.go b/vendor/github.com/containerd/containerd/v2/pkg/oci/spec_opts.go
index 3b85d764ae10..f7b298122957 100644
--- a/vendor/github.com/containerd/containerd/v2/pkg/oci/spec_opts.go
+++ b/vendor/github.com/containerd/containerd/v2/pkg/oci/spec_opts.go
@@ -22,6 +22,7 @@ import (
 "encoding/json"
 "errors"
 "fmt"
+ "math"
 "os"
 "path/filepath"
 "runtime"
@@ -593,6 +594,20 @@ func WithUser(userstr string) SpecOpts {
 defer ensureAdditionalGids(s)
 setProcess(s)
 s.Process.User.AdditionalGids = nil
+ // While the Linux kernel allows the max UID to be MaxUint32 - 2,
+ // and the OCI Runtime Spec has no definition about the max UID,
+ // the runc implementation is known to require the UID to be <= MaxInt32.
+ //
+ // containerd follows runc's limitation here.
+ //
+ // In future we may relax this limitation to allow MaxUint32 - 2,
+ // or, amend the OCI Runtime Spec to codify the implementation limitation.
+ const (
+ minUserID = 0
+ maxUserID = math.MaxInt32
+ minGroupID = 0
+ maxGroupID = math.MaxInt32
+ )
 // For LCOW it's a bit harder to confirm that the user actually exists on the host as a rootfs isn't
 // mounted on the host and shared into the guest, but rather the rootfs is constructed entirely in the
@@ -611,8 +626,8 @@ func WithUser(userstr string) SpecOpts {
 switch len(parts) {
 case 1:
 v, err := strconv.Atoi(parts[0])
- if err != nil {
- // if we cannot parse as a uint they try to see if it is a username
+ if err != nil || v < minUserID || v > maxUserID {
+ // if we cannot parse as an int32 then try to see if it is a username
 return WithUsername(userstr)(ctx, client, c, s)
 }
 return WithUserID(uint32(v))(ctx, client, c, s)
@@ -623,12 +638,13 @@ func WithUser(userstr string) SpecOpts {
 )
 var uid, gid uint32
 v, err := strconv.Atoi(parts[0])
- if err != nil {
+ if err != nil || v < minUserID || v > maxUserID {
 username = parts[0]
 } else {
 uid = uint32(v)
 }
- if v, err = strconv.Atoi(parts[1]); err != nil {
+ v, err = strconv.Atoi(parts[1])
+ if err != nil || v < minGroupID || v > maxGroupID {
 groupname = parts[1]
 } else {
 gid = uint32(v)
diff --git a/vendor/github.com/containerd/containerd/v2/version/version.go b/vendor/github.com/containerd/containerd/v2/version/version.go
index d0749a6cfcd3..23d820a9e951 100644
--- a/vendor/github.com/containerd/containerd/v2/version/version.go
+++ b/vendor/github.com/containerd/containerd/v2/version/version.go
@@ -19,11 +19,12 @@ package version
 import "runtime"
 var (
+ Name = "containerd"
 // Package is filled at linking time
 Package = "github.com/containerd/containerd/v2"
 // Version holds the complete version number. Filled in at linking time.
- Version = "2.0.3+unknown"
+ Version = "2.0.4+unknown"
 // Revision is filled with the VCS (e.g. git) revision being used to build
 // the program at linking time.
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 9d9c492f1add..6c204246cc0a 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -301,7 +301,7 @@ github.com/containerd/containerd/api/types/runc/options github.com/containerd/containerd/api/types/runtimeoptions/v1 github.com/containerd/containerd/api/types/task github.com/containerd/containerd/api/types/transfer -# github.com/containerd/containerd/v2 v2.0.3 +# github.com/containerd/containerd/v2 v2.0.4 ## explicit; go 1.22.0 github.com/containerd/containerd/v2/client github.com/containerd/containerd/v2/core/containers