Commit Graph

42 Commits

Author SHA1 Message Date
Christian Stewart
9242d4df12 package/docker-containerd: specify correct build targets
Adds build targets for runc shims.

Removes the outdated and now unnecessary symlinks to docker-runc
docker-containerd etc as well.

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-12-30 09:31:18 +01:00
Tian Yuanhao
8107509a1d package/docker-containerd: fix version output ldflags
Fix the ldflags specifying the version info for "version" command.

Signed-off-by: Tian Yuanhao <tianyuanhao@aliyun.com>
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-12-30 09:25:43 +01:00
Pascal Vizeli
924c1f93d4 package/docker-containerd: add AppArmor support
Signed-off-by: Pascal Vizeli <pvizeli@syshack.ch>
Signed-off-by: Stefan Agner <stefan@agner.ch>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-12-28 21:21:32 +01:00
Peter Korsgaard
1e1d1278c7 package/docker-containerd: security bump to version 1.4.3
Fixes the following security issue:

- CVE-2020-15257: Access controls for the shim’s API socket verified that
  the connecting process had an effective UID of 0, but did not otherwise
  restrict access to the abstract Unix domain socket.  This would allow
  malicious containers running in the same network namespace as the shim,
  with an effective UID of 0 but otherwise reduced privileges, to cause new
  processes to be run with elevated privileges.

For more details, see the advisory:
https://github.com/containerd/containerd/security/advisories/GHSA-36xw-fx78-c5r4

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-02 08:16:00 +01:00
Christian Stewart
87a8cbe617 package/docker-containerd: bump to version 1.4.1
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-10-24 23:00:30 +02:00
Christian Stewart
04b2afc65b package/docker-containerd: bump to version 1.4.0
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-13 22:33:56 +02:00
Christian Stewart
a7ed0ae6cc package/docker-containerd: drop <pkg>_WORKSPACE variable
With the go.mod integration, the <pkg>_WORKSPACE variable is no longer
needed, drop it.

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 14:49:12 +02:00
Christian Stewart
01c5e0ed72 package/docker-containerd: define <pkg>_GOMOD variable
In preparation for the go.mod integration, define the
DOCKER_CONTAINERD_GOMOD variable.

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 14:35:49 +02:00
Christian Stewart
93fecb7ed5 package/docker-containerd: bump version to 1.2.13
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-04-25 16:08:36 +02:00
Christian Stewart
8ebb77ac1d package/docker-containerd: security bump to 1.2.12
Fixes the following security issues:

- CVE-2019-19921: runc volume mount race condition with shared mounts

- CVE-2019-16884: runc through 1.0.0-rc8, as used in Docker through
  19.03.2-ce and other products, allows AppArmor restriction bypass because
  libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a
  malicious Docker image can mount over a /proc directory.

For details, see the announcement:
https://github.com/containerd/containerd/releases/tag/v1.2.12

containerd is now a separate CNCF sponsored project, and is no longer
explicitly associated with docker/moby.

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-05 13:50:54 +01:00
Christian Stewart
f40f2bae81 package/docker-containerd: security bump to 1.2.11
Fixes the following security vulnerabilities:

containerd 1.2.9/gRPC:

- CVE-2019-9512: Some HTTP/2 implementations are vulnerable to ping floods,
  potentially leading to a denial of service.  The attacker sends continual
  pings to an HTTP/2 peer, causing the peer to build an internal queue of
  responses.  Depending on how efficiently this data is queued, this can
  consume excess CPU, memory, or both

- CVE-2019-9514: Some HTTP/2 implementations are vulnerable to a reset
  flood, potentially leading to a denial of service.  The attacker opens a
  number of streams and sends an invalid request over each stream that
  should solicit a stream of RST_STREAM frames from the peer.  Depending on
  how the peer queues the RST_STREAM frames, this can consume excess memory,
  CPU, or both

- CVE-2019-9515: Some HTTP/2 implementations are vulnerable to a settings
  flood, potentially leading to a denial of service.  The attacker sends a
  stream of SETTINGS frames to the peer.  Since the RFC requires that the
  peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS
  frame is almost equivalent in behavior to a ping.  Depending on how
  efficiently this data is queued, this can consume excess CPU, memory, or
  both

containerd 1.2.10/runc:

- CVE-2019-16884: runc through 1.0.0-rc8, as used in Docker through
  19.03.2-ce and other products, allows AppArmor restriction bypass because
  libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a
  malicious Docker image can mount over a /proc directory

Signed-off-by: Christian Stewart <christian@paral.in>
[Peter: mention security impact]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-01-05 22:38:19 +01:00
Victor Huesca
69808c7536 package: remove 'v' prefix from github-fetched packages
On Github, a large number of projects name their tag vXYZ (i.e. v3.0,
v0.1, etc.). In some packages we do:

 <pkg>_VERSION = v0.3
 <pkg>_SITE = $(call github foo,bar,$(<pkg>_VERSION))

And in some other packages we do:

 <pkg>_VERSION = 0.3
 <pkg>_SITE = $(call github foo,bar,v$(<pkg>_VERSION))

I.e. in one case we consider the version to be v0.3, in the other case
we consider 0.3 to be the version.

The problem with v0.3 is that when used in conjunction with
release-monitoring.org, it doesn't work very well, because
release-monitoring.org has the concept of "version prefix" and using
that they drop the "v" prefix for the version.

Therefore, a number of packages in Buildroot have a version that
doesn't match with release-monitoring.org because Buildroot has 'v0.3'
and release-monitoring.org has '0.3'.

Since really the version number is 0.3, it makes sense to update our
packages to drop this 'v'.

This commit only addresses the (common) case of github packages where
the prefix is simply 'v'. Other cases will be handled by separate
commits. Also, there are a few cases that couldn't be handled
mechanically that aren't covered by this commit.

Signed-off-by: Victor Huesca <victor.huesca@bootlin.com>
[Arnout: don't change flatbuffers, json-for-modern-cpp, libpagekite,
 python-scapy3k, softether]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2019-06-19 22:27:55 +02:00
Christian Stewart
bcf7f56f26 package/docker-containerd: bump to version 1.2.6
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-05-01 21:34:38 +02:00
Peter Korsgaard
638504bcdf package/docker-containerd: refer to official website
Containerd is no longer maintained under the docker github project and now
has an official website, so refer to that in the help text.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-04-07 15:21:13 +02:00
Peter Korsgaard
20af865354 package/docker-containerd: bump version to v1.2.5
Contains a number of bugfixes. For more details, see the announcement:

https://github.com/containerd/containerd/releases/tag/v1.2.5

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-04-07 15:21:00 +02:00
Peter Korsgaard
4b13a21692 Revert "runc: depend on linux headers >= 3.11 for O_TMPFILE"
This reverts commit 905e976a6a.

With the bump to 1.0.0-rc7, runc no longer needs O_TMPFILE.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-04-07 15:20:49 +02:00
Peter Korsgaard
18fb2167f7 Revert "package/runc: blacklist Codesourcery ARM toolchain"
This reverts commit ce76a98902.

With the bump to 1.0.0-rc7, runc no longer needs O_TMPFILE.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-04-07 15:20:44 +02:00
Angelo Compagnucci
8291bc7793 package/go: rename BR2_PACKAGE_HOST_GO_{ARCH_SUPPORTS,CGO_LINKING_SUPPORTS}
The hidden Config.in option BR2_PACKAGE_HOST_GO_ARCH_SUPPORTS name is
not very clear as to whether it says whether Go is available for the
target architecture or the host architecture.

Until now, this was fine since there was support for host Go
packages. But as we are about to introduce support for building host
Go packages, we need to clarify the meaning of
BR2_PACKAGE_HOST_GO_ARCH_SUPPORTS. Since it says whether the target
architecture has support for Go or not, we rename it to
BR2_PACKAGE_HOST_GO_TARGET_ARCH_SUPPORTS.

And since BR2_PACKAGE_HOST_GO_CGO_LINKING_SUPPORTS is tightly related,
we rename it to BR2_PACKAGE_HOST_GO_TARGET_CGO_LINKING_SUPPORTS.

Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Tested-by: Adam Duskett <aduskett@gmail.com>
[Thomas: entirely rewrite commit log]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-03-17 17:20:53 +01:00
Peter Korsgaard
ce76a98902 package/runc: blacklist Codesourcery ARM toolchain
Fixes:
http://autobuild.buildroot.net/results/018e309caa0fc662aa2993e47b2037fb6c569011/

This toolchain uses glibc 2.18, which does not provide O_TMPFILE support.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-04 16:25:44 +01:00
Christian Stewart
905e976a6a runc: depend on linux headers >= 3.11 for O_TMPFILE
Fixes:
http://autobuild.buildroot.net/results/63e9d88ae5177541be463f1e2aafec59aa410479

Add dependency on headers >= 3.11 for O_TMPFILE, used by runc after the
fix for CVE-2019-5736 and propagate to the reverse dependencies of runc.

Notice that C library support for O_TMPFILE is also needed, which was added
in glibc 2.19 and musl 0.9.15.

Signed-off-by: Christian Stewart <christian@paral.in>
[Peter: squash series, extend commit message, mention C library dependency,
 fix indentation]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-02-27 10:05:49 +01:00
Thomas Petazzoni
17c7b93379 package/docker-containerd: fix typo in uclibc dependency
Commit 6e3f7fbc07 ("package/runc: add
upstream security fix for CVE-2019-5736") added a dependency of
docker-containerd to uclibc (inherited from runc), but the depends on
has a typo that makes it ineffective. Due to this, docker-containerd
can still be selected in uClibc configurations, causing runc to be
built, and failing to build due to fexecve() being missing in uClibc.

Fixes:

  http://autobuild.buildroot.net/results/64ecdb1e007106fdb05979b10b42b90591255504/

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-02-14 11:06:02 +01:00
Christian Stewart
f51e3a5004 docker-containerd: bump to v1.2.3
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-02-12 20:21:30 +01:00
Peter Korsgaard
6e3f7fbc07 package/runc: add upstream security fix for CVE-2019-5736
The vulnerability allows a malicious container to (with minimal user
interaction) overwrite the host runc binary and thus gain root-level
code execution on the host. The level of user interaction is being able
to run any command (it doesn't matter if the command is not
attacker-controlled) as root within a container in either of these
contexts:

  * Creating a new container using an attacker-controlled image.
  * Attaching (docker exec) into an existing container which the
    attacker had previous write access to.

For more details, see the advisory:

https://www.openwall.com/lists/oss-security/2019/02/11/2

The fix for this issue uses fexecve(3), which isn't available on uClibc, so
add a dependency on !uclibc to runc and propagate to the reverse
dependencies (containerd/docker-engine).

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-02-12 20:04:14 +01:00
Thomas Petazzoni
14cbcbe2d4 package/docker-containerd: add missing dependency on host-pkgconf
When libseccomp support is enabled, docker-containerd uses pkg-config
to find libseccomp, so we must depend on host-pkgconf.

Fixes the following build issue, detected with per-package directory
support:

pkg-config: exec: "pkg-config": executable file not found in $PATH

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-12-30 16:57:14 +01:00
Christian Stewart
ff92d5d1b6 package/docker-containerd: bump to version 1.2.1
This commit bumps docker-containerd to the latest tagged release, v1.2.1.

This release is compatible with the current docker engine release (18.09).

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-12-30 14:40:00 +01:00
Christian Stewart
c5a33a11be docker-containerd: bump to v1.1.3
This commit bumps docker-containerd to v1.1.3.

This is a requisite bump for the upgrade of docker-engine to 2018.06.

The license file was renamed from LICENSE.code to LICENSE, so we take
this opportunity to add the hash for the license file. The only change
between LICENSE.code and LICENSE is:

-   Copyright 2013-2016 Docker, Inc.
+   Copyright The containerd Authors

Signed-off-by: Christian Stewart <christian@paral.in>
[Thomas: fix legal info, add hash for license file.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-09-16 21:39:08 +02:00
Sam Lancia
ded50f69c6 docker-containerd: add missing docker-containerd symlink
Prior to commit 2dccb4f2fe
("package/docker-containerd: convert to golang infrastructure"), the
containerd binary was installed as docker-containerd. Following the
conversion to the golang package infrastructure, the binary is now
installed as "containerd", which breaks some use cases.

Let's add a symlink docker-containerd -> containerd to fix such
use cases.

Fixes: https://bugs.busybox.net/show_bug.cgi?id=11076

Signed-off-by: Sam Lancia <sam@gpsm.co.uk>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-06-07 15:47:53 +02:00
Angelo Compagnucci
2dccb4f2fe package/docker-containerd: convert to golang infrastructure
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2018-03-31 19:57:31 +02:00
Thomas Petazzoni
e8257a8f09 docker-containerd: remove symlink to $(RUNC_SRCDIR)
The DOCKER_CONTAINERD_CONFIGURE_CMDS creates a symlink to runc's
source directory, but it does not build depend on runc, which means
that the runc package may not have been extracted/built before
docker-containerd.

Therefore, when doing a build with "make docker-containerd", this
symbolic link is broken, but it doesn't prevent docker-containerd from
building.

Therefore, this symlink is not necessary and can be dropped.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2018-03-31 19:57:31 +02:00
Arnout Vandecappelle
0f9c0bf3d5 Globally replace $(HOST_DIR)/usr/bin with $(HOST_DIR)/bin
Since things are no longer installed in $(HOST_DIR)/usr, the callers
should also not refer to it.

This is a mechanical change with
git grep -l '$(HOST_DIR)/usr/bin' | xargs sed -i 's%$(HOST_DIR)/usr/bin%$(HOST_DIR)/bin%g'

Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-07-05 15:19:29 +02:00
Christian Stewart
d445d7d7b4 docker-containerd: bump to version 9048e5e50717ea4497b757314bad98ea3763c145
This is a runtime dependency of docker-engine in version 17.05.0-ce

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-06-11 18:42:55 +02:00
Fabrice Fontaine
2aef84a635 docker-containerd: bump to version 422e31ce907fd9c3833a38d7b8fdd023e5a76e73
This is a runtime dependency of docker-engine in version 17.04.0-ce

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-04-06 21:49:43 +02:00
Fabrice Fontaine
44a9efe9a0 docker-containerd: bump to version 4ab9917febca54791c5f071a9d1f404867857fcc
This is a runtime dependency of docker-engine in version 17.03.1-ce

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-04-01 16:12:05 +02:00
Fabrice Fontaine
68793184f5 docker-containerd: bump to version 977c511eda0925a723debdc94d09459af49d082a
This is a runtime dependency of docker-engine in version 17.03.0-ce

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-03-03 23:52:42 +01:00
Fabrice Fontaine
d0d6b5f9e4 docker-containerd: bump to version aa8187dbd3b7ad67d8e5e3a15115d3eef43a7ed1
Version bump as a dependency of docker-engine v1.13.1

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-02-26 15:05:56 +01:00
Rahul Bedarkar
4427fe2821 package: fix reverse dependencies of util-linux
Commit 006a328ad6 ("util-linux: fix build with ncurses") removed
dependency on BR2_USE_WCHAR, but failed to update the reverse
dependencies of util-linux.

This commit fixes all such reverse dependencies by removing dependency
on BR2_USE_WCHAR as it is not required by package itself.

Fixes: 006a328ad6 ("util-linux: fix build with ncurses")
Signed-off-by: Rahul Bedarkar <rahul.bedarkar@imgtec.com>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Cc: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-01-28 21:02:51 +13:00
Christian Stewart
80f6660460 docker-containerd: bump version to v0.2.5
Version bump as a dependency of Docker-Engine v1.12.5.

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-12-23 09:15:06 +01:00
Christian Stewart
fef19b44f1 docker-containerd: bump to v0.2.4
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-10-19 09:46:54 +02:00
Thomas Petazzoni
98cc1cbeb6 docker-containerd: pass -extldflags '-static' on when BR2_STATIC_LIBS=y
There is no reason to link Go binaries statically, unless
BR2_STATIC_LIBS=y.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Tested-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-07-24 21:59:23 +02:00
Christian Stewart
317e3b3469 package/docker-containerd: bump to latest
Bump the pinned docker-containerd version to the latest in advance
of the introduction of docker-engine v1.12.0-rc4.

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-07-24 15:14:34 +02:00
Thomas Petazzoni
5d988ec6f5 docker-containerd: needs CGO linking
Fixes:

  http://autobuild.buildroot.net/results/09a23c8926ce32408fbbfa1fb5b3ed7c4f8733e3/

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-07-06 23:06:02 +02:00
Christian Stewart
16ec6a6c78 docker-containerd: new package
docker-containerd is a daemon and API for controlling and managing runC
containers.

https://containerd.tools/

Signed-off-by: Christian Stewart <christian@paral.in>
Reviewed-by: Romain Naour <romain.naour@gmail.com>
[Thomas:
 - simplify a bit the comments about the runtime dependencies
 - add missing comment on wchar, and take into account the BR2_USE_MMU
   dependency in the comment
 - factorize the build step with a foreach loop.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-07-05 11:01:00 +02:00