From ed8ba18e8776a7bf37b3326baeca8196b4ea76b0 Mon Sep 17 00:00:00 2001
From: Leandro Motta Barros
Date: Wed, 30 Aug 2023 10:42:12 -0400
Subject: [PATCH 1/2] Don't enable AppArmor if `apparmor_parser` is not present

This commit updates balena-containerd to a new version in which we cherry-picked the change from here: https://github.com/containerd/containerd/pull/8086

This change avoids enabling AppArmor if the `/sbin/apparmor_parser` binary is not found in the system.

Signed-off-by: Leandro Motta Barros
Change-type: patch
---
 vendor.conf | 2 +-
 .../containerd/containerd/pkg/apparmor/apparmor.go | 11 ++++++-----
 .../containerd/pkg/apparmor/apparmor_linux.go | 10 ++++++----
 3 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/vendor.conf b/vendor.conf
index ebff4f8499..b695bd99c4 100644
--- a/vendor.conf
+++ b/vendor.conf
@@ -131,7 +131,7 @@ github.com/googleapis/gax-go bd5b16380fd03dc758d11cef74ba
 google.golang.org/genproto e50cd9704f63023d62cd06a1994b98227fc4d21a
 
 # containerd
-github.com/containerd/containerd e427a4fa7dd076978806aead28ad563cf10d126a https://github.com/balena-os/balena-containerd # 20.10.17-balena branch, equivalent to upstream's v1.6.6
+github.com/containerd/containerd 2412f5439937b966cdd7fa4a83656371254bdc4f https://github.com/balena-os/balena-containerd # 20.10.17-balena branch, equivalent to upstream's v1.6.6
 github.com/containerd/fifo 650e8a8a179d040123db61f016cb133143e7a581 # v1.0.0
 github.com/containerd/continuity 092b2c8f580622aee465fd5d6aba1dc8fad58b56 # v0.2.2
 github.com/containerd/cgroups 1df78138f1e1e6ee593db155c6b369466f577651 # v1.0.3
diff --git a/vendor/github.com/containerd/containerd/pkg/apparmor/apparmor.go b/vendor/github.com/containerd/containerd/pkg/apparmor/apparmor.go
index dd4d860c0e..293f8ba499 100644
--- a/vendor/github.com/containerd/containerd/pkg/apparmor/apparmor.go
+++ b/vendor/github.com/containerd/containerd/pkg/apparmor/apparmor.go
@@ -16,12 +16,13 @@
 
 package apparmor
 
-// HostSupports returns true if apparmor is enabled for the host, // On non-Linux returns false
-// On Linux returns true if apparmor_parser is enabled, and if we
-// are not running docker-in-docker.
+// HostSupports returns true if apparmor is enabled for the host:
+// - On Linux returns true if apparmor is enabled, apparmor_parser is
+//   present, and if we are not running docker-in-docker.
+// - On non-Linux returns false.
 //
-// It is a modified version of libcontainer/apparmor.IsEnabled(), which does not
-// check for apparmor_parser to be present, or if we're running docker-in-docker.
+// This is derived from libcontainer/apparmor.IsEnabled(), with the addition
+// of checks for apparmor_parser to be present and docker-in-docker.
 func HostSupports() bool {
 	return hostSupports()
 }
diff --git a/vendor/github.com/containerd/containerd/pkg/apparmor/apparmor_linux.go b/vendor/github.com/containerd/containerd/pkg/apparmor/apparmor_linux.go
index ab54df8eab..c96de6a268 100644
--- a/vendor/github.com/containerd/containerd/pkg/apparmor/apparmor_linux.go
+++ b/vendor/github.com/containerd/containerd/pkg/apparmor/apparmor_linux.go
@@ -29,14 +29,16 @@ var (
 // hostSupports returns true if apparmor is enabled for the host, if
 // apparmor_parser is enabled, and if we are not running docker-in-docker.
 //
-// It is a modified version of libcontainer/apparmor.IsEnabled(), which does not
-// check for apparmor_parser to be present, or if we're running docker-in-docker.
+// This is derived from libcontainer/apparmor.IsEnabled(), with the addition
+// of checks for apparmor_parser to be present and docker-in-docker.
 func hostSupports() bool {
 	checkAppArmor.Do(func() {
 		// see https://github.com/opencontainers/runc/blob/0d49470392206f40eaab3b2190a57fe7bb3df458/libcontainer/apparmor/apparmor_linux.go
 		if _, err := os.Stat("/sys/kernel/security/apparmor"); err == nil && os.Getenv("container") == "" {
-			buf, err := os.ReadFile("/sys/module/apparmor/parameters/enabled")
-			appArmorSupported = err == nil && len(buf) > 1 && buf[0] == 'Y'
+			if _, err = os.Stat("/sbin/apparmor_parser"); err == nil {
+				buf, err := os.ReadFile("/sys/module/apparmor/parameters/enabled")
+				appArmorSupported = err == nil && len(buf) > 1 && buf[0] == 'Y'
+			}
 		}
 	})
 	return appArmorSupported

From 4db6fbd11b397ed51b297529ba3bb7a0ec0bd8d6 Mon Sep 17 00:00:00 2001
From: Leandro Motta Barros
Date: Wed, 30 Aug 2023 10:52:30 -0400
Subject: [PATCH 2/2] Update dev docs about vendoring

---
 DEVELOPMENT.md | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md
index 56e5fb1dd7..3c3c5d8aad 100644
--- a/DEVELOPMENT.md
+++ b/DEVELOPMENT.md
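Review bot: The added `os.Stat("/sbin/apparmor_parser")` guard leaves `appArmorSupported` false with no record of why, so a host whose parser is missing silently loses the default AppArmor confinement of its containers and operators only learn of it from an unconfined process; a log line when that Stat fails (here, or at the caller consuming HostSupports) would make the downgrade detectable. The hard-coded `/sbin` path also yields false on systems where the parser is installed elsewhere (e.g. only under `/usr/sbin`), which `exec.LookPath("apparmor_parser")` would cover at the cost of an `os/exec` import. The unchanged header comment above still reads "apparmor_parser is enabled" while the new check is for presence; `// apparmor_parser is present, and if we are not running docker-in-docker.` would match the wording the same commit puts in apparmor.go. hostSupports's closing brace lies outside the hunk.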
@@ -175,20 +175,30 @@ suite while changing them to make use of the API.
 
 #### Vendoring
 
-Moby 22.06 will make use of the standard Go modules/vendoring system. Until
-then, we are using [vndr](https://github.com/LK4D4/vndr).
+More recent versions of Moby use of the standard Go modules/vendoring system.
+Until we update, we are using [vndr](https://github.com/LK4D4/vndr).
 
-Here's what you'd do to update a dependency:
+The safest way to vendor dependencies is this:
 
 1. Edit `vendor.conf`, making the desired dependency point to the desired
    version or commit hash.
 2. Run `make BIND_DIR=. shell` to enter into the "development environment".
    container.
-3. Run `vndr` for the desired dependency, e.g., `vndr
-   github.com/balena-os/librsync-go`.
+3. Run `./hack/vendor.sh`. This will take a while to run, and will re-download
+   all dependencies.
 4. Leave the development environment (`exit` or Ctrl+D). The code under
    `vendor/` will be updated.
 
+You probably want to stick with the steps above.
+
+However, if you are in a hurry, really know what you are doing, and don't mind
+some manual tweaking, you can ask for a single dependency to be vendored. To do
+this, simply replace step 3 above with a command like `vndr
+github.com/balena-os/librsync-go` (adjusting for the desired dependency). The
+danger is that you'll skip some smartness built into the `vendor.sh` script. For
+example, as I write this, calling `vndr` directly will *also* remove everything
+under `vendor/archive/tar/` (which is needed and must be manually restored).
+
 ## Update to a new upstream release
 
 We need to merge the upstream release into the engine repository and update our