[release-1.30] Update component versions (#558)

* [release-1.30] Update component versions * Unpin Go version used in runc build * add patches for v1.1.13 --------- Co-authored-by: Angelos Kolaitis <[email protected]> Co-authored-by: Etienne Audet-Cobello <[email protected]>
canonical · Jul 19, 2024 · 306e1d8 · 306e1d8
1 parent 414ee0e
commit 306e1d8
Show file tree

Hide file tree

Showing 7 changed files with 145 additions and 11 deletions.
diff --git a/build-scripts/components/containerd/version b/build-scripts/components/containerd/version
@@ -1 +1 @@
-v1.6.33
+v1.6.34
diff --git a/build-scripts/components/kubernetes/version b/build-scripts/components/kubernetes/version
@@ -1 +1 @@
-v1.30.2
+v1.30.3
diff --git a/build-scripts/components/runc/build.sh b/build-scripts/components/runc/build.sh
@@ -5,14 +5,6 @@ VERSION="${2}"
 export INSTALL="${1}/bin"
 mkdir -p "${INSTALL}"
 
-# TODO(neoaggelos): Revert after https://github.com/opencontainers/runc/issues/4233 is resolved.
-if ! which go_121; then
-  snap download go --channel 1.21 --basename go
-  snap set core experimental.parallel-instances=true
-  snap install ./go.snap --classic --dangerous --name go_121
-fi
-export GO=go_121
-
 # Ensure `runc --version` prints the right commit hash from upstream
 export COMMIT="$(git describe --long --always "${VERSION}")"
 

diff --git a/...ts/runc/strict-patches/v1.1.13/0001-apparmor-change-profile-immediately-not-on-exec.patch b/...ts/runc/strict-patches/v1.1.13/0001-apparmor-change-profile-immediately-not-on-exec.patch
@@ -0,0 +1,36 @@
+From a367e391600dfab0d9eb3deaec4db300a2fb1fa1 Mon Sep 17 00:00:00 2001
+From: Alberto Mardegan <[email protected]>
+Date: Wed, 16 Jun 2021 15:04:16 +0300
+Subject: [PATCH 1/3] apparmor: change profile immediately, not on exec
+
+---
+ libcontainer/apparmor/apparmor_linux.go | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/libcontainer/apparmor/apparmor_linux.go b/libcontainer/apparmor/apparmor_linux.go
+index 8b1483c..292cfa6 100644
+--- a/libcontainer/apparmor/apparmor_linux.go
++++ b/libcontainer/apparmor/apparmor_linux.go
+@@ -48,9 +48,9 @@ func setProcAttr(attr, value string) error {
+ 	return err
+ }
+
+-// changeOnExec reimplements aa_change_onexec from libapparmor in Go
+-func changeOnExec(name string) error {
+-	if err := setProcAttr("exec", "exec "+name); err != nil {
++// changeProfile reimplements aa_change_profile from libapparmor in Go
++func changeProfile(name string) error {
++	if err := setProcAttr("current", "changeprofile "+name); err != nil {
+ 		return fmt.Errorf("apparmor failed to apply profile: %w", err)
+ 	}
+ 	return nil
+@@ -64,5 +64,5 @@ func applyProfile(name string) error {
+ 		return nil
+ 	}
+
+-	return changeOnExec(name)
++	return changeProfile(name)
+ }
+-- 
+2.34.1
+
diff --git a/...nc/strict-patches/v1.1.13/0002-setns_init_linux-set-the-NNP-flag-after-changing-the.patch b/...nc/strict-patches/v1.1.13/0002-setns_init_linux-set-the-NNP-flag-after-changing-the.patch
@@ -0,0 +1,51 @@
+From 36fca252c746022e4e2273092ed21e2e4efe33f8 Mon Sep 17 00:00:00 2001
+From: eaudetcobello <[email protected]>
+Date: Fri, 19 Jul 2024 09:42:31 -0400
+Subject: [PATCH 2/3] setns_init_linux: set the NNP flag after changing the  
+ apparmor profile
+
+With the current version of the AppArmor kernel module, it's not
+possible to switch the AppArmor profile if the NoNewPrivileges flag is
+set. So, we invert the order of the two operations.
+
+Adjusts the previous patch for runc version v1.1.13
+
+Co-Authored-By: Alberto Mardegan <[email protected]>
+Co-Authored-By: Angelos Kolaitis <[email protected]>
+---
+ libcontainer/setns_init_linux.go | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go
+index bb358901..b496c81e 100644
+--- a/libcontainer/setns_init_linux.go
++++ b/libcontainer/setns_init_linux.go
+@@ -57,12 +57,6 @@ func (l *linuxSetnsInit) Init() error {
+ 			return err
+ 		}
+ 	}
+-	if l.config.NoNewPrivileges {
+-		if err := unix.Prctl(unix.PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {
+-			return err
+-		}
+-	}
+-
+ 	// Tell our parent that we're ready to exec. This must be done before the
+ 	// Seccomp rules have been applied, because we need to be able to read and
+ 	// write to a socket.
+@@ -93,7 +87,11 @@ func (l *linuxSetnsInit) Init() error {
+ 	if err := apparmor.ApplyProfile(l.config.AppArmorProfile); err != nil {
+ 		return err
+ 	}
+-
++	if l.config.NoNewPrivileges {
++		if err := unix.Prctl(unix.PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {
++			return err
++		}
++	}
+ 	// Check for the arg before waiting to make sure it exists and it is
+ 	// returned as a create time error.
+ 	name, err := exec.LookPath(l.config.Args[0])
+-- 
+2.43.0
+
diff --git a/...nc/strict-patches/v1.1.13/0003-standard_init_linux-change-AppArmor-profile-as-late-.patch b/...nc/strict-patches/v1.1.13/0003-standard_init_linux-change-AppArmor-profile-as-late-.patch
@@ -0,0 +1,55 @@
+From 7fc0138605e1a4c6da32db9abbaeba313d30b960 Mon Sep 17 00:00:00 2001
+From: eaudetcobello <[email protected]>
+Date: Fri, 19 Jul 2024 09:28:24 -0400
+Subject: [PATCH 3/3] standard_init_linux: change AppArmor profile as late as  
+ possible
+
+---
+ libcontainer/standard_init_linux.go | 18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
+index d9a6a224..1ee95988 100644
+--- a/libcontainer/standard_init_linux.go
++++ b/libcontainer/standard_init_linux.go
+@@ -127,10 +127,6 @@ func (l *linuxStandardInit) Init() error {
+ 			return &os.SyscallError{Syscall: "sethostname", Err: err}
+ 		}
+ 	}
+-	if err := apparmor.ApplyProfile(l.config.AppArmorProfile); err != nil {
+-		return fmt.Errorf("unable to apply apparmor profile: %w", err)
+-	}
+-
+ 	for key, value := range l.config.Config.Sysctl {
+ 		if err := writeSystemProperty(key, value); err != nil {
+ 			return err
+@@ -150,18 +146,20 @@ func (l *linuxStandardInit) Init() error {
+ 	if err != nil {
+ 		return fmt.Errorf("can't get pdeath signal: %w", err)
+ 	}
+-	if l.config.NoNewPrivileges {
+-		if err := unix.Prctl(unix.PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {
+-			return &os.SyscallError{Syscall: "prctl(SET_NO_NEW_PRIVS)", Err: err}
+-		}
+-	}
+-
+ 	// Tell our parent that we're ready to exec. This must be done before the
+ 	// Seccomp rules have been applied, because we need to be able to read and
+ 	// write to a socket.
+ 	if err := syncParentReady(l.pipe); err != nil {
+ 		return fmt.Errorf("sync ready: %w", err)
+ 	}
++	if err := apparmor.ApplyProfile(l.config.AppArmorProfile); err != nil {
++		return fmt.Errorf("unable to apply apparmor profile: %w", err)
++	}
++	if l.config.NoNewPrivileges {
++		if err := unix.Prctl(unix.PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {
++			return &os.SyscallError{Syscall: "prctl(SET_NO_NEW_PRIVS)", Err: err}
++		}
++	}
+ 	if err := selinux.SetExecLabel(l.config.ProcessLabel); err != nil {
+ 		return fmt.Errorf("can't set process label: %w", err)
+ 	}
+-- 
+2.43.0
+
diff --git a/build-scripts/components/runc/version b/build-scripts/components/runc/version
@@ -1 +1 @@
-v1.1.12
+v1.1.13