From 02baf07d77dcf57f5423ec599d6f40807f3c1e70 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Thu, 25 Apr 2019 18:44:05 -0700
Subject: [PATCH 1/3] bump runc vendor v1.0.0-rc8
full diff: https://github.com/opencontainers/runc/compare/029124da7af7360afa781a0234d1b083550f797c...425e105d5a03fabd737a126ad93d62a9eeede87f
- opencontainers/runc#2043 Vendor in latest selinux code for keycreate errors
Signed-off-by: Sebastiaan van Stijn
(cherry picked from commit 6df6fe602008fbd5c374f5d3ce722526a7e58b2c)
Signed-off-by: Sebastiaan van Stijn
---
 vendor.conf | 2 +-
 vendor/github.com/opencontainers/runc/vendor.conf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/vendor.conf b/vendor.conf
index 78b0befde721c..93f07c4e4df57 100644
--- a/vendor.conf
+++ b/vendor.conf
@@ -80,7 +80,7 @@ google.golang.org/grpc 7a6a684ca69eb4cae85ad0a484f2
 # the containerd project first, and update both after that is merged.
 # This commit does not need to match RUNC_COMMIT as it is used for helper
 # packages but should be newer or equal.
-github.com/opencontainers/runc 029124da7af7360afa781a0234d1b083550f797c # v1.0.0-rc7-6-g029124da
+github.com/opencontainers/runc 425e105d5a03fabd737a126ad93d62a9eeede87f # v1.0.0-rc8
 github.com/opencontainers/runtime-spec 29686dbc5559d93fb1ef402eeda3e35c38d75af4 # v1.0.1-59-g29686db
 github.com/opencontainers/image-spec d60099175f88c47cd379c4738d158884749ed235 # v1.0.1
 github.com/seccomp/libseccomp-golang 32f571b70023028bd57d9288c20efbcb237f3ce0
diff --git a/vendor/github.com/opencontainers/runc/vendor.conf b/vendor/github.com/opencontainers/runc/vendor.conf
index fb97650d80a1d..22cba0f1b22fb 100644
--- a/vendor/github.com/opencontainers/runc/vendor.conf
+++ b/vendor/github.com/opencontainers/runc/vendor.conf
@@ -5,7 +5,7 @@ github.com/opencontainers/runtime-spec 29686dbc5559d93fb1ef402eeda3e35c38d75af4
 # Core libcontainer functionality.
 github.com/checkpoint-restore/go-criu v3.11
 github.com/mrunalp/fileutils ed869b029674c0e9ce4c0dfa781405c2d9946d08
-github.com/opencontainers/selinux v1.2.1
+github.com/opencontainers/selinux v1.2.2
 github.com/seccomp/libseccomp-golang 84e90a91acea0f4e51e62bc1a75de18b1fc0790f
 github.com/sirupsen/logrus a3f95b5c423586578a4e099b11a46c2479628cac
 github.com/syndtr/gocapability db04d3cc01c8b54962a58ec7e491717d06cfcc16
From 04c51495da884ed1b78dacb3ca2e3101fc3677a0 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Thu, 25 Apr 2019 18:56:17 -0700
Subject: [PATCH 2/3] bump runc binary v1.0.0-rc8
full diff: https://github.com/opencontainers/runc/compare/029124da7af7360afa781a0234d1b083550f797c...425e105d5a03fabd737a126ad93d62a9eeede87f
- opencontainers/runc#2043 Vendor in latest selinux code for keycreate errors
Signed-off-by: Sebastiaan van Stijn
(cherry picked from commit 4bc310c11babd2aa635eb08a5bbc198f96bc19b3)
Signed-off-by: Sebastiaan van Stijn
---
 hack/dockerfile/install/runc.installer | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hack/dockerfile/install/runc.installer b/hack/dockerfile/install/runc.installer
index bfe5f41bd0579..dd9950ff34d9f 100755
--- a/hack/dockerfile/install/runc.installer
+++ b/hack/dockerfile/install/runc.installer
@@ -4,7 +4,7 @@
 # The version of runc should match the version that is used by the containerd
 # version that is used. If you need to update runc, open a pull request in
 # the containerd project first, and update both after that is merged.
-RUNC_COMMIT=029124da7af7360afa781a0234d1b083550f797c # v1.0.0-rc7-6-g029124da
+RUNC_COMMIT=425e105d5a03fabd737a126ad93d62a9eeede87f # v1.0.0-rc8
 install_runc() {
 # If using RHEL7 kernels (3.10.0 el7), disable kmem accounting/limiting
From e7a837120de1f4f2d45c673e758bd444441a0c8f Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Thu, 25 Apr 2019 18:49:21 -0700
Subject: [PATCH 3/3] bump opencontainers/selinux v1.2.2
full diff: https://github.com/opencontainers/selinux/compare/v1.2.1...v1.2.2
- opencontainers/selinux#51 Older kernels do not support keyring labeling
Signed-off-by: Sebastiaan van Stijn
(cherry picked from commit 0d453115fe0b1b19c08c614b6029c4edf92a0f0a)
Signed-off-by: Sebastiaan van Stijn
---
 vendor.conf | 2 +-
 .../opencontainers/selinux/go-selinux/selinux_linux.go | 9 ++++++++-
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/vendor.conf b/vendor.conf
index 93f07c4e4df57..ae99800b49fd3 100644
--- a/vendor.conf
+++ b/vendor.conf
@@ -162,6 +162,6 @@ github.com/morikuni/aec 39771216ff4c63d11f5e604076f9
 # metrics
 github.com/docker/go-metrics d466d4f6fd960e01820085bd7e1a24426ee7ef18
-github.com/opencontainers/selinux 0bb7b9fa9ba5c1120e9d22caed4961fca4228408 # v1.2.1
+github.com/opencontainers/selinux 3a1f366feb7aecbf7a0e71ac4cea88b31597de9e # v1.2.2
 # DO NOT EDIT BELOW THIS LINE -------- reserved for downstream projects --------
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
index 51fa8de68a33d..d7786c33c1976 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
@@ -406,7 +406,14 @@ func SocketLabel() (string, error) {
 // SetKeyLabel takes a process label and tells the kernel to assign the
 // label to the next kernel keyring that gets created
 func SetKeyLabel(label string) error {
- return writeCon("/proc/self/attr/keycreate", label)
+ err := writeCon("/proc/self/attr/keycreate", label)
+ if os.IsNotExist(err) {
+ return nil
+ }
+ if label == "" && os.IsPermission(err) && !GetEnabled() {
+ return nil
+ }
+ return err
 }
 // KeyLabel retrieves the current kernel keyring label setting