Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reading non-ociv1 image configs is lossy #1

Closed
nalind opened this issue Jan 31, 2017 · 4 comments
Closed

Reading non-ociv1 image configs is lossy #1

nalind opened this issue Jan 31, 2017 · 4 comments
Labels
locked - please file new issue/PR

Comments

@nalind
Copy link
Member

nalind commented Jan 31, 2017

Right now the tool assumes that image configurations can be decoded as OCI image-spec v1 Image objects. If the source image is anything else, we lose information this way.
@nalind
Copy link
Member Author

nalind commented Feb 24, 2017

We should be able to read github.com/docker/docker/image.Image configuration blobs now. There's some information in manifests that decode as github.com/containers/image/image.manifestSchema1 in images like kubernetes/pause where we don't have a config blob, and we might have to try fishing around in the manifest for them.

@rhatdan
Copy link
Member

rhatdan commented Apr 21, 2017

Is this issue still present?

@nalind
Copy link
Member Author

nalind commented May 1, 2017

We handle images that include config blobs (version 2, schema 2), but we still don't support digging around in (version 2, schema 1) images.

@nalind
Copy link
Member Author

nalind commented Jun 2, 2017

As of #118, we should be handling v2 schema 1 images, so I think we can finally close this one.

@nalind nalind closed this as completed Jun 2, 2017
@TomSweeneyRedHat TomSweeneyRedHat mentioned this issue Aug 3, 2017
Closed
nalind pushed a commit that referenced this issue Nov 28, 2017
@mheon
Merge pull request #1 from mheon/master
f5019df 
Initial checkin
@pixdrift pixdrift mentioned this issue Mar 31, 2018
Closed
@kbaegis kbaegis mentioned this issue Jun 24, 2018
Closed
@Spindel Spindel mentioned this issue Jul 20, 2018
Closed
@bowlofeggs bowlofeggs mentioned this issue Sep 25, 2018
Closed
@TomSweeneyRedHat TomSweeneyRedHat mentioned this issue Jan 9, 2019
Closed
@ghost ghost mentioned this issue Apr 30, 2019
Closed
@rhatdan rhatdan mentioned this issue Oct 2, 2019
Closed
@mderoy mderoy mentioned this issue Nov 1, 2019
Closed
@smothiki smothiki mentioned this issue Mar 13, 2020
Closed
@aadeshpa aadeshpa mentioned this issue Mar 26, 2020
Closed
kolyshkin added a commit to kolyshkin/buildah that referenced this issue May 16, 2020
@kolyshkin
fix MkdirAll usage
d254bbc 
This subtle bug keeps lurking in because error checking for `Mkdir()`
and `MkdirAll()` is slightly different wrt `EEXIST`/`IsExist`:

 - for `Mkdir()`, `IsExist` error should (usually) be ignored
   (unless you want to make sure directory was not there before)
   as it means "the destination directory was already there";

 - for `MkdirAll()`, `IsExist` error should NEVER be ignored.

This commit removes ignoring the IsExist error, as it should not
be ignored.

For more details, a quote from opencontainers/runc PR containers#162:

-quote-

TL;DR: check for IsExist(err) after a failed MkdirAll() is both
redundant and wrong -- so two reasons to remove it.

Quoting MkdirAll documentation:

> MkdirAll creates a directory named path, along with any necessary
> parents, and returns nil, or else returns an error. If path
> is already a directory, MkdirAll does nothing and returns nil.

This means two things:

1. If a directory to be created already exists, no error is
returned.

2. If the error returned is IsExist (EEXIST), it means there exists
a non-directory with the same name as MkdirAll need to use for
directory. Example: we want to MkdirAll("a/b"), but file "a"
(or "a/b") already exists, so MkdirAll fails.

The above is a theory, based on quoted documentation and my UNIX
knowledge.

3. In practice, though, current MkdirAll implementation [1] returns
ENOTDIR in most of cases described in containers#2, with the exception when
there is a race between MkdirAll and someone else creating the
last component of MkdirAll argument as a file. In this very case
MkdirAll() will indeed return EEXIST.

Because of containers#1, IsExist check after MkdirAll is not needed.

Because of containers#2 and containers#3, ignoring IsExist error is just plain wrong,
as directory we require is not created. It's cleaner to report
the error now.

Note this error is all over the tree, I guess due to copy-paste,
or trying to follow the same usage pattern as for Mkdir(),
or some not quite correct examples on the Internet.

> [1] https://github.com/golang/go/blob/f9ed2f75/src/os/path.go

-end-quote-

Signed-off-by: Kir Kolyshkin <[email protected]>
@kolyshkin kolyshkin mentioned this issue May 16, 2020
Closed
@pabloyoyoista pabloyoyoista mentioned this issue May 24, 2020
Closed
@xiaotuanyu120 xiaotuanyu120 mentioned this issue Jun 8, 2020
Closed
bors bot added a commit that referenced this issue Jun 8, 2020
@bors @dependabot-preview
Merge #2396 #2397
916332a 
2396: Bump github.com/containers/storage from 1.20.1 to 1.20.2 r=rhatdan a=dependabot-preview[bot]

Bumps [github.com/containers/storage](https://github.com/containers/storage) from 1.20.1 to 1.20.2.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/containers/storage/releases">github.com/containers/storage's releases</a>.</em></p>
<blockquote>
<h2>v1.20.2</h2>
<pre><code>Add back skip_mount_home
Update git validation EPOCH
build(deps): bump github.com/opencontainers/runc from 1.0.0-rc9 to 1.0.0-rc90
build(deps): bump github.com/klauspost/compress from 1.10.5 to 1.10.7
build(deps): bump github.com/stretchr/testify from 1.5.1 to 1.6.0
unbreak build on mipsen
</code></pre>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/containers/storage/commit/e43b6d0a370bf26e3147f3ab10fad29cc25620f9"><code>e43b6d0</code></a> Bump to v1.20.2</li>
<li><a href="https://github.com/containers/storage/commit/80f21246e8e6ec24acf10a2d083573ed55b4c60f"><code>80f2124</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/containers/storage/issues/639">#639</a> from rhatdan/skip</li>
<li><a href="https://github.com/containers/storage/commit/0bfdcdb942abc97a6f9c3a63c4c4b77dc849450b"><code>0bfdcdb</code></a> Add back skip_mount_home</li>
<li><a href="https://github.com/containers/storage/commit/aa26d1860a7ab2f1a79c79d9beac8ab01c9a64a0"><code>aa26d18</code></a> Update git validation EPOCH</li>
<li><a href="https://github.com/containers/storage/commit/8fad529da3a4e5dbcb3f1fc1bc009bc857a4968b"><code>8fad529</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/containers/storage/issues/637">#637</a> from containers/dependabot/go_modules/github.com/klau...</li>
<li><a href="https://github.com/containers/storage/commit/17acc0ffa10e07fd71a8d84161e269564b72b90d"><code>17acc0f</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/containers/storage/issues/638">#638</a> from containers/dependabot/go_modules/github.com/open...</li>
<li><a href="https://github.com/containers/storage/commit/24e8e852d0dc09a1cef1ebe9a20446c83129470a"><code>24e8e85</code></a> build(deps): bump github.com/opencontainers/runc</li>
<li><a href="https://github.com/containers/storage/commit/b9dafa698726b5f070599dde6038999cf62c83c2"><code>b9dafa6</code></a> build(deps): bump github.com/klauspost/compress from 1.10.6 to 1.10.7</li>
<li><a href="https://github.com/containers/storage/commit/873116d157fad490a878cdfd0277dc3fc0c34950"><code>873116d</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/containers/storage/issues/636">#636</a> from containers/dependabot/go_modules/github.com/stre...</li>
<li><a href="https://github.com/containers/storage/commit/0a7c48440c25ec26b4a710c03c957e665f4b2649"><code>0a7c484</code></a> build(deps): bump github.com/stretchr/testify from 1.5.1 to 1.6.0</li>
<li>Additional commits viewable in <a href="https://github.com/containers/storage/compare/v1.20.1...v1.20.2">compare view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility score](https://api.dependabot.com/badges/compatibility_score?dependency-name=github.com/containers/storage&package-manager=go_modules&previous-version=1.20.1&new-version=1.20.2)](https://dependabot.com/compatibility-score/?dependency-name=github.com/containers/storage&package-manager=go_modules&previous-version=1.20.1&new-version=1.20.2)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):
- Update frequency (including time of day and day of week)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)



</details>

2397: Bump github.com/opencontainers/runc from 1.0.0-rc9 to 1.0.0-rc90 r=rhatdan a=dependabot-preview[bot]

Bumps [github.com/opencontainers/runc](https://github.com/opencontainers/runc) from 1.0.0-rc9 to 1.0.0-rc90.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/opencontainers/runc/releases">github.com/opencontainers/runc's releases</a>.</em></p>
<blockquote>
<h2>runc 1.0-rc90 -- &quot;We Have To Go Back!&quot;</h2>
<p>This release is <em>identical</em> to v1.0.0-rc10 (and thus the version string in
the binary will be v1.0.0-rc10).</p>
<p>The purpose of this release is to resolve an issue with our versioning
scheme (in particular, the format we've used under SemVer means that the
&quot;-rcNN&quot; string suffix is sorted lexicographically rather than in the
classic <code>sort -V</code> order).</p>
<p>Because we cannot do a post-1.0 release yet, this is a workaround to
make sure that systems such as Go modules correctly update to the latest
runc release. See <a href="https://github-redirect.dependabot.com/opencontainers/runc/issues/2399">#2399</a> for more details.</p>
<p>The next release (which would've originally been called -rc11) will be
1.0.0-rc91. I'm sorry.</p>
<p>Signed-off-by: Aleksa Sarai <a href="mailto:[email protected]">[email protected]</a></p>
<h2>runc 1.0-rc10 -- &quot;Procfs Strikes Back&quot;</h2>
<p>This is a hot-fix for v1.0.0~rc9, primarily fixing CVE-2019-19921. Given
that the <a href="https://github-redirect.dependabot.com/opencontainers/runtime-spec/pull/1008">relevant runtime-spec PR which was considered a blocker has
been merged</a> the next rc release of runc should be the last one before
1.0.0.</p>
<p>Other notable changes include:</p>
<ul>
<li>Fixing an exec-fifo race that could be triggered under Kubernetes (opencontainers/runc#2185).</li>
<li>Partial cgroupv2 support (opencontainers/runc#2209 for remaining issues).</li>
</ul>
<p>Thanks to the following people who made this release possible:</p>
<ul>
<li>Akihiro Suda <a href="mailto:[email protected]">[email protected]</a></li>
<li>Aleksa Sarai <a href="mailto:[email protected]">[email protected]</a></li>
<li>James Peach <a href="mailto:[email protected]">[email protected]</a></li>
<li>Jordan Liggitt <a href="mailto:[email protected]">[email protected]</a></li>
<li>Julia Nedialkova <a href="mailto:[email protected]">[email protected]</a></li>
<li>Julio Montes <a href="mailto:[email protected]">[email protected]</a></li>
<li>Kevin Kelani <a href="mailto:[email protected]">[email protected]</a></li>
<li>Kurnia D Win <a href="mailto:[email protected]">[email protected]</a></li>
<li>Manuel Rüger <a href="mailto:[email protected]">[email protected]</a></li>
<li>Michael Crosby <a href="mailto:[email protected]">[email protected]</a></li>
<li>Mrunal Patel <a href="mailto:[email protected]">[email protected]</a></li>
<li>Qiang Huang <a href="mailto:[email protected]">[email protected]</a></li>
<li>Radostin Stoyanov <a href="mailto:[email protected]">[email protected]</a></li>
<li>Sascha Grunert <a href="mailto:[email protected]">[email protected]</a></li>
<li>tianye15 <a href="mailto:[email protected]">[email protected]</a></li>
</ul>
<p>Vote: <code>+4 -0 [#1](https://github.com/opencontainers/runc/issues/1)</code>
Signed-off-by: Aleksa Sarai <a href="mailto:[email protected]">[email protected]</a></p>
</tr></table> ... (truncated)
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/opencontainers/runc/commit/dc9208a3303feef5b3839f4323d9beb36df0a9dd"><code>dc9208a</code></a> VERSION: update to 1.0.0~rc10</li>
<li><a href="https://github.com/opencontainers/runc/commit/2fc03cc11c775b7a8b2e48d7ee447cb9bef32ad0"><code>2fc03cc</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/opencontainers/runc/issues/2207">#2207</a> from cyphar/fix-double-volume-attack</li>
<li><a href="https://github.com/opencontainers/runc/commit/3291d66b98445bd7f7d02eac7f2bca2ac2c56942"><code>3291d66</code></a> rootfs: do not permit /proc mounts to non-directories</li>
<li><a href="https://github.com/opencontainers/runc/commit/f6fb7a0338c3ea8488bd9bd7cc7667b113aff8d8"><code>f6fb7a0</code></a> merge branch 'pr-2133'</li>
<li><a href="https://github.com/opencontainers/runc/commit/709377ca558df88ea538852c9310b700f140fc9b"><code>709377c</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/opencontainers/runc/issues/2198">#2198</a> from AkihiroSuda/criu-master</li>
<li><a href="https://github.com/opencontainers/runc/commit/55f8c254beb00f916c115a7034f7eee0cfd657a1"><code>55f8c25</code></a> temporarily disable CRIU tests</li>
<li><a href="https://github.com/opencontainers/runc/commit/5c20ea1472dbeeebdb1bcef31a09888890a25b3a"><code>5c20ea1</code></a> fix merging <a href="https://github-redirect.dependabot.com/opencontainers/runc/issues/2177">#2177</a> and <a href="https://github-redirect.dependabot.com/opencontainers/runc/issues/2169">#2169</a></li>
<li><a href="https://github.com/opencontainers/runc/commit/5cc0deaf7a089a91a5ce4b81f835b64fcc4778d6"><code>5cc0dea</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/opencontainers/runc/issues/2169">#2169</a> from AkihiroSuda/split-fs</li>
<li><a href="https://github.com/opencontainers/runc/commit/2b52db75279ca687e18156de86d845876e9ef35d"><code>2b52db7</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/opencontainers/runc/issues/2177">#2177</a> from devimc/topic/libcontainer/kata-containers</li>
<li><a href="https://github.com/opencontainers/runc/commit/a88592a63474e6976030b4fbded41dd445152236"><code>a88592a</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/opencontainers/runc/issues/2185">#2185</a> from liggitt/exec-race</li>
<li>Additional commits viewable in <a href="https://github.com/opencontainers/runc/compare/v1.0.0-rc9...v1.0.0-rc90">compare view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility score](https://api.dependabot.com/badges/compatibility_score?dependency-name=github.com/opencontainers/runc&package-manager=go_modules&previous-version=1.0.0-rc9&new-version=1.0.0-rc90)](https://dependabot.com/compatibility-score/?dependency-name=github.com/opencontainers/runc&package-manager=go_modules&previous-version=1.0.0-rc9&new-version=1.0.0-rc90)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):
- Update frequency (including time of day and day of week)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)



</details>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
bors bot added a commit that referenced this issue Jun 8, 2020
@bors @dependabot-preview
Merge #2397
8c538bf 
2397: Bump github.com/opencontainers/runc from 1.0.0-rc9 to 1.0.0-rc90 r=rhatdan a=dependabot-preview[bot]

Bumps [github.com/opencontainers/runc](https://github.com/opencontainers/runc) from 1.0.0-rc9 to 1.0.0-rc90.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/opencontainers/runc/releases">github.com/opencontainers/runc's releases</a>.</em></p>
<blockquote>
<h2>runc 1.0-rc90 -- &quot;We Have To Go Back!&quot;</h2>
<p>This release is <em>identical</em> to v1.0.0-rc10 (and thus the version string in
the binary will be v1.0.0-rc10).</p>
<p>The purpose of this release is to resolve an issue with our versioning
scheme (in particular, the format we've used under SemVer means that the
&quot;-rcNN&quot; string suffix is sorted lexicographically rather than in the
classic <code>sort -V</code> order).</p>
<p>Because we cannot do a post-1.0 release yet, this is a workaround to
make sure that systems such as Go modules correctly update to the latest
runc release. See <a href="https://github-redirect.dependabot.com/opencontainers/runc/issues/2399">#2399</a> for more details.</p>
<p>The next release (which would've originally been called -rc11) will be
1.0.0-rc91. I'm sorry.</p>
<p>Signed-off-by: Aleksa Sarai <a href="mailto:[email protected]">[email protected]</a></p>
<h2>runc 1.0-rc10 -- &quot;Procfs Strikes Back&quot;</h2>
<p>This is a hot-fix for v1.0.0~rc9, primarily fixing CVE-2019-19921. Given
that the <a href="https://github-redirect.dependabot.com/opencontainers/runtime-spec/pull/1008">relevant runtime-spec PR which was considered a blocker has
been merged</a> the next rc release of runc should be the last one before
1.0.0.</p>
<p>Other notable changes include:</p>
<ul>
<li>Fixing an exec-fifo race that could be triggered under Kubernetes (opencontainers/runc#2185).</li>
<li>Partial cgroupv2 support (opencontainers/runc#2209 for remaining issues).</li>
</ul>
<p>Thanks to the following people who made this release possible:</p>
<ul>
<li>Akihiro Suda <a href="mailto:[email protected]">[email protected]</a></li>
<li>Aleksa Sarai <a href="mailto:[email protected]">[email protected]</a></li>
<li>James Peach <a href="mailto:[email protected]">[email protected]</a></li>
<li>Jordan Liggitt <a href="mailto:[email protected]">[email protected]</a></li>
<li>Julia Nedialkova <a href="mailto:[email protected]">[email protected]</a></li>
<li>Julio Montes <a href="mailto:[email protected]">[email protected]</a></li>
<li>Kevin Kelani <a href="mailto:[email protected]">[email protected]</a></li>
<li>Kurnia D Win <a href="mailto:[email protected]">[email protected]</a></li>
<li>Manuel Rüger <a href="mailto:[email protected]">[email protected]</a></li>
<li>Michael Crosby <a href="mailto:[email protected]">[email protected]</a></li>
<li>Mrunal Patel <a href="mailto:[email protected]">[email protected]</a></li>
<li>Qiang Huang <a href="mailto:[email protected]">[email protected]</a></li>
<li>Radostin Stoyanov <a href="mailto:[email protected]">[email protected]</a></li>
<li>Sascha Grunert <a href="mailto:[email protected]">[email protected]</a></li>
<li>tianye15 <a href="mailto:[email protected]">[email protected]</a></li>
</ul>
<p>Vote: <code>+4 -0 [#1](https://github.com/opencontainers/runc/issues/1)</code>
Signed-off-by: Aleksa Sarai <a href="mailto:[email protected]">[email protected]</a></p>
</tr></table> ... (truncated)
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/opencontainers/runc/commit/dc9208a3303feef5b3839f4323d9beb36df0a9dd"><code>dc9208a</code></a> VERSION: update to 1.0.0~rc10</li>
<li><a href="https://github.com/opencontainers/runc/commit/2fc03cc11c775b7a8b2e48d7ee447cb9bef32ad0"><code>2fc03cc</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/opencontainers/runc/issues/2207">#2207</a> from cyphar/fix-double-volume-attack</li>
<li><a href="https://github.com/opencontainers/runc/commit/3291d66b98445bd7f7d02eac7f2bca2ac2c56942"><code>3291d66</code></a> rootfs: do not permit /proc mounts to non-directories</li>
<li><a href="https://github.com/opencontainers/runc/commit/f6fb7a0338c3ea8488bd9bd7cc7667b113aff8d8"><code>f6fb7a0</code></a> merge branch 'pr-2133'</li>
<li><a href="https://github.com/opencontainers/runc/commit/709377ca558df88ea538852c9310b700f140fc9b"><code>709377c</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/opencontainers/runc/issues/2198">#2198</a> from AkihiroSuda/criu-master</li>
<li><a href="https://github.com/opencontainers/runc/commit/55f8c254beb00f916c115a7034f7eee0cfd657a1"><code>55f8c25</code></a> temporarily disable CRIU tests</li>
<li><a href="https://github.com/opencontainers/runc/commit/5c20ea1472dbeeebdb1bcef31a09888890a25b3a"><code>5c20ea1</code></a> fix merging <a href="https://github-redirect.dependabot.com/opencontainers/runc/issues/2177">#2177</a> and <a href="https://github-redirect.dependabot.com/opencontainers/runc/issues/2169">#2169</a></li>
<li><a href="https://github.com/opencontainers/runc/commit/5cc0deaf7a089a91a5ce4b81f835b64fcc4778d6"><code>5cc0dea</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/opencontainers/runc/issues/2169">#2169</a> from AkihiroSuda/split-fs</li>
<li><a href="https://github.com/opencontainers/runc/commit/2b52db75279ca687e18156de86d845876e9ef35d"><code>2b52db7</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/opencontainers/runc/issues/2177">#2177</a> from devimc/topic/libcontainer/kata-containers</li>
<li><a href="https://github.com/opencontainers/runc/commit/a88592a63474e6976030b4fbded41dd445152236"><code>a88592a</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/opencontainers/runc/issues/2185">#2185</a> from liggitt/exec-race</li>
<li>Additional commits viewable in <a href="https://github.com/opencontainers/runc/compare/v1.0.0-rc9...v1.0.0-rc90">compare view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility score](https://api.dependabot.com/badges/compatibility_score?dependency-name=github.com/opencontainers/runc&package-manager=go_modules&previous-version=1.0.0-rc9&new-version=1.0.0-rc90)](https://dependabot.com/compatibility-score/?dependency-name=github.com/opencontainers/runc&package-manager=go_modules&previous-version=1.0.0-rc9&new-version=1.0.0-rc90)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):
- Update frequency (including time of day and day of week)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)



</details>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
kolyshkin added a commit to kolyshkin/buildah that referenced this issue Jun 11, 2020
@kolyshkin
fix MkdirAll usage
68d0be5 
This subtle bug keeps lurking in because error checking for `Mkdir()`
and `MkdirAll()` is slightly different wrt `EEXIST`/`IsExist`:

 - for `Mkdir()`, `IsExist` error should (usually) be ignored
   (unless you want to make sure directory was not there before)
   as it means "the destination directory was already there";

 - for `MkdirAll()`, `IsExist` error should NEVER be ignored.

This commit removes ignoring the IsExist error, as it should not
be ignored.

[v2: skip patching (*Builder).Run]

For more details, a quote from opencontainers/runc PR containers#162:

-quote-

TL;DR: check for IsExist(err) after a failed MkdirAll() is both
redundant and wrong -- so two reasons to remove it.

Quoting MkdirAll documentation:

> MkdirAll creates a directory named path, along with any necessary
> parents, and returns nil, or else returns an error. If path
> is already a directory, MkdirAll does nothing and returns nil.

This means two things:

1. If a directory to be created already exists, no error is
returned.

2. If the error returned is IsExist (EEXIST), it means there exists
a non-directory with the same name as MkdirAll need to use for
directory. Example: we want to MkdirAll("a/b"), but file "a"
(or "a/b") already exists, so MkdirAll fails.

The above is a theory, based on quoted documentation and my UNIX
knowledge.

3. In practice, though, current MkdirAll implementation [1] returns
ENOTDIR in most of cases described in containers#2, with the exception when
there is a race between MkdirAll and someone else creating the
last component of MkdirAll argument as a file. In this very case
MkdirAll() will indeed return EEXIST.

Because of containers#1, IsExist check after MkdirAll is not needed.

Because of containers#2 and containers#3, ignoring IsExist error is just plain wrong,
as directory we require is not created. It's cleaner to report
the error now.

Note this error is all over the tree, I guess due to copy-paste,
or trying to follow the same usage pattern as for Mkdir(),
or some not quite correct examples on the Internet.

> [1] https://github.com/golang/go/blob/f9ed2f75/src/os/path.go

-end-quote-

Signed-off-by: Kir Kolyshkin <[email protected]>
kolyshkin added a commit to kolyshkin/buildah that referenced this issue Jul 1, 2020
@kolyshkin
fix MkdirAll usage
baf2849 
This subtle bug keeps lurking in because error checking for `Mkdir()`
and `MkdirAll()` is slightly different wrt `EEXIST`/`IsExist`:

 - for `Mkdir()`, `IsExist` error should (usually) be ignored
   (unless you want to make sure directory was not there before)
   as it means "the destination directory was already there";

 - for `MkdirAll()`, `IsExist` error should NEVER be ignored.

This commit removes ignoring the IsExist error, as it should not
be ignored.

[v2: skip patching (*Builder).Run]

For more details, a quote from opencontainers/runc PR containers#162:

-quote-

TL;DR: check for IsExist(err) after a failed MkdirAll() is both
redundant and wrong -- so two reasons to remove it.

Quoting MkdirAll documentation:

> MkdirAll creates a directory named path, along with any necessary
> parents, and returns nil, or else returns an error. If path
> is already a directory, MkdirAll does nothing and returns nil.

This means two things:

1. If a directory to be created already exists, no error is
returned.

2. If the error returned is IsExist (EEXIST), it means there exists
a non-directory with the same name as MkdirAll need to use for
directory. Example: we want to MkdirAll("a/b"), but file "a"
(or "a/b") already exists, so MkdirAll fails.

The above is a theory, based on quoted documentation and my UNIX
knowledge.

3. In practice, though, current MkdirAll implementation [1] returns
ENOTDIR in most of cases described in containers#2, with the exception when
there is a race between MkdirAll and someone else creating the
last component of MkdirAll argument as a file. In this very case
MkdirAll() will indeed return EEXIST.

Because of containers#1, IsExist check after MkdirAll is not needed.

Because of containers#2 and containers#3, ignoring IsExist error is just plain wrong,
as directory we require is not created. It's cleaner to report
the error now.

Note this error is all over the tree, I guess due to copy-paste,
or trying to follow the same usage pattern as for Mkdir(),
or some not quite correct examples on the Internet.

> [1] https://github.com/golang/go/blob/f9ed2f75/src/os/path.go

-end-quote-

Signed-off-by: Kir Kolyshkin <[email protected]>
@ketank-new ketank-new mentioned this issue Aug 26, 2020
Closed
@jandroav jandroav mentioned this issue Oct 10, 2020
Closed
openshift-merge-robot pushed a commit that referenced this issue Nov 5, 2020
@rhatdan
fix MkdirAll usage
dc03c3e 
This subtle bug keeps lurking in because error checking for `Mkdir()`
and `MkdirAll()` is slightly different wrt `EEXIST`/`IsExist`:

 - for `Mkdir()`, `IsExist` error should (usually) be ignored
   (unless you want to make sure directory was not there before)
   as it means "the destination directory was already there";

 - for `MkdirAll()`, `IsExist` error should NEVER be ignored.

This commit removes ignoring the IsExist error, as it should not
be ignored.

[v2: skip patching (*Builder).Run]

For more details, a quote from opencontainers/runc PR #162:

-quote-

TL;DR: check for IsExist(err) after a failed MkdirAll() is both
redundant and wrong -- so two reasons to remove it.

Quoting MkdirAll documentation:

> MkdirAll creates a directory named path, along with any necessary
> parents, and returns nil, or else returns an error. If path
> is already a directory, MkdirAll does nothing and returns nil.

This means two things:

1. If a directory to be created already exists, no error is
returned.

2. If the error returned is IsExist (EEXIST), it means there exists
a non-directory with the same name as MkdirAll need to use for
directory. Example: we want to MkdirAll("a/b"), but file "a"
(or "a/b") already exists, so MkdirAll fails.

The above is a theory, based on quoted documentation and my UNIX
knowledge.

3. In practice, though, current MkdirAll implementation [1] returns
ENOTDIR in most of cases described in #2, with the exception when
there is a race between MkdirAll and someone else creating the
last component of MkdirAll argument as a file. In this very case
MkdirAll() will indeed return EEXIST.

Because of #1, IsExist check after MkdirAll is not needed.

Because of #2 and #3, ignoring IsExist error is just plain wrong,
as directory we require is not created. It's cleaner to report
the error now.

Note this error is all over the tree, I guess due to copy-paste,
or trying to follow the same usage pattern as for Mkdir(),
or some not quite correct examples on the Internet.

> [1] https://github.com/golang/go/blob/f9ed2f75/src/os/path.go

-end-quote-

Signed-off-by: Kir Kolyshkin <[email protected]>
Signed-off-by: Daniel J Walsh <[email protected]>
@jarcher jarcher mentioned this issue Dec 2, 2020
Closed
@kirbyzhou kirbyzhou mentioned this issue Jan 26, 2021
Closed
@ebiederm ebiederm mentioned this issue Mar 10, 2021
Closed
@quantum77 quantum77 mentioned this issue May 25, 2021
Closed
@mfblair mfblair mentioned this issue Sep 24, 2021
Closed
@gshanemiller gshanemiller mentioned this issue Oct 1, 2021
Closed
@mangelajo mangelajo mentioned this issue May 11, 2022
Open
@c-linse c-linse mentioned this issue Jun 24, 2022
Closed
@dtmdl dtmdl mentioned this issue Sep 19, 2022
Open
@isavl isavl mentioned this issue May 22, 2023
Closed
@douggutaby douggutaby mentioned this issue Jun 6, 2023
Open
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 23, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
locked - please file new issue/PR
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@nalind @rhatdan