Merged PR 7544318: Update ADO to fbcafad

.github/workflows/ci.yml

@@ -31,7 +31,7 @@ jobs:
           go-version: ${{ env.GO_VERSION }}
       - uses: golangci/golangci-lint-action@v3
         with:
-          version: v1.48
+          version: v1.49
           args: >-
             --verbose
             --max-issues-per-linter=0
@@ -168,6 +168,9 @@ jobs:
 
       - name: Test rego security policy
         run: go test --tags=rego -timeout=30m -mod=mod -gcflags=all=-d=checkptr -v ./pkg/securitypolicy
+
+      - name: Test rego policy interpreter
+        run: go test -mod=mod -gcflags=all=-d=checkptr -v ./internal/regopolicyinterpreter
 
   test-windows:
     needs: [lint, protos, verify-vendor, go-gen]
@@ -195,6 +198,9 @@ jobs:
       - run: go build -mod=mod -o sample-logging-driver.exe ./cri-containerd/helpers/log.go
         working-directory: test
 
+      - name: Test rego policy interpreter
+        run: go test -mod=mod -gcflags=all=-d=checkptr -v ./internal/regopolicyinterpreter
+
       - uses: actions/upload-artifact@v3
         if: ${{ github.event_name == 'pull_request' }}
         with:

.gitignore

@@ -43,3 +43,7 @@ test/results
 # go workspace files
 go.work
 go.work.sum
+
+# keys and related artifacts
+*.pem
+*.cose

cmd/containerd-shim-runhcs-v1/exec_hcs.go

@@ -290,7 +290,32 @@ func (he *hcsExec) Kill(ctx context.Context, signal uint32) error {
 		}
 		var delivered bool
 		if supported && options != nil {
-			delivered, err = he.p.Process.Signal(ctx, options)
+			if he.isWCOW {
+				// Servercore images block on signaling and wait until the target process
+				// is terminated to return to the caller. This causes issues when graceful
+				// termination of containers is requested (Bug36689012).
+				// To fix this, we deliver the signal to the target process in a separate background
+				// thread so that the caller can wait for the desired timeout before sending
+				// a SIGKILL to the process.
+				// TODO: We can get rid of these changes once the fix to support graceful termination is
+				// made in windows.
+				go func() {
+					signalDelivered, deliveryErr := he.p.Process.Signal(ctx, options)
+
+					if deliveryErr != nil {
+						if !hcs.IsAlreadyStopped(deliveryErr) {
+							// Process is not already stopped and there was a signal delivery error to this process
+							log.G(ctx).WithField("err", deliveryErr).Errorf("Error in delivering signal %d, to pid: %d", signal, he.pid)
+						}
+					}
+					if !signalDelivered {
+						log.G(ctx).Errorf("Error: NotFound; exec: '%s' in task: '%s' not found", he.id, he.tid)
+					}
+				}()
+				delivered, err = true, nil
+			} else {
+				delivered, err = he.p.Process.Signal(ctx, options)
+			}
 		} else {
 			// legacy path before signals support OR if WCOW with signals
 			// support needs to issue a terminate.

cmd/containerd-shim-runhcs-v1/main.go

@@ -26,7 +26,7 @@ const usage = ``
 const ttrpcAddressEnv = "TTRPC_ADDRESS"
 
 // Add a manifest to get proper Windows version detection.
-//go:generate go run github.com/josephspurrier/goversioninfo/cmd/goversioninfo -platform-specific
+//go:generate go run github.com/josephspurrier/goversioninfo/cmd/goversioninfo@v1.4.0 -platform-specific
 
 // version will be populated by the Makefile, read from
 // VERSION file of the source code.

cmd/containerd-shim-runhcs-v1/pod.go

@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"strings"
 	"sync"
 
 	"github.com/Microsoft/hcsshim/internal/log"
@@ -238,10 +239,20 @@ func createPod(ctx context.Context, events publisher, req *task.CreateTaskReques
 		}
 	} else {
 		if isWCOW {
-			// The pause container activation will immediately exit on Windows
+			defaultArgs := "c:\\windows\\system32\\cmd.exe"
+			// For the default pause image, the  entrypoint
+			// used is pause.exe
+			// If the default pause image is not used for pause containers,
+			// the activation will immediately exit on Windows
 			// because there is no command. We forcibly update the command here
-			// to keep it alive.
-			s.Process.CommandLine = "cmd /c ping -t 127.0.0.1 > nul"
+			// to keep it alive only for non-default pause images.
+			// TODO: This override can be completely removed from containerd/1.7
+			if (len(s.Process.Args) == 1 && strings.EqualFold(s.Process.Args[0], defaultArgs)) ||
+				strings.EqualFold(s.Process.CommandLine, defaultArgs) {
+				log.G(ctx).Warning("Detected CMD override for pause container entrypoint." +
+					"Please consider switching to a pause image with an explicit cmd set")
+				s.Process.CommandLine = "cmd /c ping -t 127.0.0.1 > nul"
+			}
 		}
 		// LCOW (and WCOW Process Isolated for the time being) requires a real
 		// task for the sandbox.

cmd/dmverity-vhd/README.md

@@ -23,11 +23,19 @@ generator.
 ## Example usage
 
 Create VHDs:
+
 ```bash
 dmverity-vhd create -i alpine:3.12 -o alpine_3_12_layers
 ```
 
 Compute root hashes:
+
 ```bash
 dmverity-vhd --docker roothash -i alpine:3.12
 ```
+
+Compute root hashes with tarball:
+
+```bash
+dmverity-vhd --tarball /path/to/tarball.tar roothash -i alpine:3.12
+```

cmd/dmverity-vhd/main.go

@@ -10,6 +10,7 @@ import (
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/daemon"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
+	"github.com/google/go-containerregistry/pkg/v1/tarball"
 	"github.com/pkg/errors"
 	log "github.com/sirupsen/logrus"
 	"github.com/urfave/cli"
@@ -26,7 +27,8 @@ const (
 	imageFlag         = "image"
 	verboseFlag       = "verbose"
 	outputDirFlag     = "out-dir"
-	sourceFlag        = "docker"
+	dockerFlag        = "docker"
+	tarballFlag       = "tarball"
 	hashDeviceVhdFlag = "hash-dev-vhd"
 	maxVHDSize        = dmverity.RecommendedVHDSizeGB
 )
@@ -59,9 +61,13 @@ func main() {
 			Usage: "Optional: verbose output",
 		},
 		cli.BoolFlag{
-			Name:  sourceFlag + ",d",
+			Name:  dockerFlag + ",d",
 			Usage: "Optional: use local docker daemon",
 		},
+		cli.StringFlag{
+			Name:  tarballFlag + ",t",
+			Usage: "Optional: path to tarball containing image info",
+		},
 	}
 
 	if err := app.Run(os.Args); err != nil {
@@ -72,16 +78,31 @@ func main() {
 
 func fetchImageLayers(ctx *cli.Context) (layers []v1.Layer, err error) {
 	image := ctx.String(imageFlag)
+	tarballPath := ctx.GlobalString(tarballFlag)
 	ref, err := name.ParseReference(image)
 	if err != nil {
 		return nil, errors.Wrapf(err, "failed to parse image reference: %s", image)
 	}
 
-	local := ctx.GlobalBool(sourceFlag)
+	dockerDaemon := ctx.GlobalBool(dockerFlag)
+
+	// error check to make sure docker and tarball are not both defined
+	if dockerDaemon && tarballPath != "" {
+		return nil, errors.Errorf("cannot use both docker and tarball for image source")
+	}
 
 	// by default, using remote as source
 	var img v1.Image
-	if local {
+	if tarballPath != "" {
+		// create a tag and search the tarball for the image specified
+		var imageNameAndTag name.Tag
+		imageNameAndTag, err = name.NewTag(image)
+		if err != nil {
+			return nil, errors.Wrapf(err, "failed to failed to create a tag to search tarball for: %s", image)
+		}
+		// if only an image name is provided and not a tag, the default is "latest"
+		img, err = tarball.ImageFromPath(tarballPath, &imageNameAndTag)
+	} else if dockerDaemon {
 		img, err = daemon.Image(ref)
 	} else {
 		var remoteOpts []remote.Option

cmd/runhcs/main.go

@@ -18,7 +18,7 @@ import (
 )
 
 // Add a manifest to get proper Windows version detection.
-//go:generate go run github.com/josephspurrier/goversioninfo/cmd/goversioninfo -platform-specific
+//go:generate go run github.com/josephspurrier/goversioninfo/cmd/goversioninfo@v1.4.0 -platform-specific
 
 // version will be populated by the Makefile, read from
 // VERSION file of the source code.

cmd/wclayer/wclayer.go

@@ -13,7 +13,7 @@ import (
 )
 
 // Add a manifest to get proper Windows version detection.
-//go:generate go run github.com/josephspurrier/goversioninfo/cmd/goversioninfo -platform-specific
+//go:generate go run github.com/josephspurrier/goversioninfo/cmd/goversioninfo@v1.4.0 -platform-specific
 
 var usage = `Windows Container layer utility
 

go.mod

@@ -15,8 +15,9 @@ require (
 	github.com/containerd/typeurl v1.0.2
 	github.com/gogo/protobuf v1.3.2
 	github.com/golang/mock v1.6.0
-	github.com/google/go-cmp v0.5.8
-	github.com/google/go-containerregistry v0.11.0
+	github.com/google/go-cmp v0.5.9
+	github.com/google/go-containerregistry v0.12.1
+	github.com/lestrrat-go/jwx v1.2.25
 	github.com/linuxkit/virtsock v0.0.0-20201010232012-f8cee7dfc7a3
 	github.com/mattn/go-shellwords v1.0.12
 	github.com/open-policy-agent/opa v0.42.2
@@ -25,55 +26,63 @@ require (
 	github.com/pkg/errors v0.9.1
 	github.com/sirupsen/logrus v1.9.0
 	github.com/urfave/cli v1.22.4
+	github.com/veraison/go-cose v1.0.0-rc.1
 	github.com/vishvananda/netlink v1.1.1-0.20210330154013-f5de75959ad5
 	github.com/vishvananda/netns v0.0.0-20210104183010-2eb08e3e575f
 	go.etcd.io/bbolt v1.3.6
-	go.opencensus.io v0.23.0
-	golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4
-	golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f
+	go.opencensus.io v0.24.0
+	golang.org/x/sync v0.1.0
+	golang.org/x/sys v0.1.0
 	google.golang.org/grpc v1.47.0
 )
 
-require github.com/josephspurrier/goversioninfo v1.4.0
-
 require (
 	github.com/OneOfOne/xxhash v1.2.8 // indirect
 	github.com/agnivade/levenshtein v1.0.1 // indirect
-	github.com/akavel/rsrc v0.10.2 // indirect
 	github.com/containerd/fifo v1.0.0 // indirect
-	github.com/containerd/stargz-snapshotter/estargz v0.12.0 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.12.1 // indirect
 	github.com/coreos/go-systemd/v22 v22.3.2 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
-	github.com/docker/cli v20.10.17+incompatible // indirect
+	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.0-20210816181553-5444fa50b93d // indirect
+	github.com/docker/cli v20.10.20+incompatible // indirect
 	github.com/docker/distribution v2.8.1+incompatible // indirect
-	github.com/docker/docker v20.10.17+incompatible // indirect
-	github.com/docker/docker-credential-helpers v0.6.4 // indirect
+	github.com/docker/docker v20.10.20+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.7.0 // indirect
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
-	github.com/docker/go-units v0.4.0 // indirect
+	github.com/docker/go-units v0.5.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.4.0 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
+	github.com/goccy/go-json v0.9.7 // indirect
 	github.com/godbus/dbus/v5 v5.0.6 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
-	github.com/klauspost/compress v1.15.8 // indirect
+	github.com/klauspost/compress v1.15.11 // indirect
+	github.com/lestrrat-go/backoff/v2 v2.0.8 // indirect
+	github.com/lestrrat-go/blackmagic v1.0.0 // indirect
+	github.com/lestrrat-go/httpcc v1.0.1 // indirect
+	github.com/lestrrat-go/iter v1.0.1 // indirect
+	github.com/lestrrat-go/option v1.0.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/moby/sys/mountinfo v0.5.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.0.3-0.20220114050600-8b9d41f48198 // indirect
+	github.com/opencontainers/image-spec v1.1.0-rc2 // indirect
 	github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/vbatts/tar-split v0.11.2 // indirect
 	github.com/vektah/gqlparser/v2 v2.4.5 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/yashtewari/glob-intersection v0.1.0 // indirect
-	golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
-	golang.org/x/net v0.0.0-20220722155237-a158d28d115b // indirect
-	golang.org/x/text v0.3.7 // indirect
+	golang.org/x/crypto v0.1.0 // indirect
+	golang.org/x/mod v0.6.0 // indirect
+	golang.org/x/net v0.1.0 // indirect
+	golang.org/x/text v0.4.0 // indirect
 	golang.org/x/tools v0.1.12 // indirect
 	google.golang.org/genproto v0.0.0-20220107163113-42d7afdf6368 // indirect
-	google.golang.org/protobuf v1.28.0 // indirect
+	google.golang.org/protobuf v1.28.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 )