Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[v0.10][MCR v23][Backport] 4600 4602 4603 4604 #1

Merged

Conversation

@aepifanov aepifanov changed the title V10 backport 4600 4601 4602 4603 4604 [v0.10][MCR v23][Backport] 4600 4601 4602 4603 4604 Feb 26, 2024
@aepifanov aepifanov changed the title [v0.10][MCR v23][Backport] 4600 4601 4602 4603 4604 [v0.10][MCR v23][Backport] 4600 4602 4603 4604 Feb 26, 2024
@aepifanov aepifanov force-pushed the v10_backport-4600-4601-4602-4603-4604 branch 4 times, most recently from 4b337d6 to 1a47866 Compare February 26, 2024 23:30
@dperny
Copy link
Collaborator

dperny commented Feb 27, 2024

I think this looks good to me. Pretty big update to runc though, isn't it?

@aepifanov aepifanov requested review from corhere and dperny February 27, 2024 22:38
@aepifanov
Copy link
Collaborator Author

aepifanov commented Feb 27, 2024

I think this looks good to me. Pretty big update to runc though, isn't it?

These are exactly for buildkit CVEs, not for runc, except the latest one, which a bit related.

Copy link
Collaborator

@corhere corhere left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Repeat a PR, get repeat code reviews.

Why 7a3af2a? I'm sure you have a very good reason for refactoring that file in this PR. But I can't read your mind. Please document your rationale in the commit message.

@@ -25,8 +26,8 @@ import (
"golang.org/x/sync/errgroup"
)

func llbBridgeToGatewayClient(ctx context.Context, llbBridge frontend.FrontendLLBBridge, opts map[string]string, inputs map[string]*opspb.Definition, w worker.Infos, sid string, sm *session.Manager) (*bridgeClient, error) {
bc := &bridgeClient{
func LLBBridgeToGatewayClient(ctx context.Context, llbBridge frontend.FrontendLLBBridge, exec executor.Executor, opts map[string]string, inputs map[string]*opspb.Definition, w worker.Infos, sid string, sm *session.Manager) (*BridgeClient, error) {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That is needed for breaking dependency loop

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What dependency loop? What kind of dependency loop? How does renaming a function from unexported to exported help? I don't understand.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

tonistiigi and others added 10 commits February 28, 2024 11:09
Running interactive container APIs was done by giving
the gateway implementation access to worker controller
directly, but it should be passed with a build job instead.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit 0971dffaab93d91e51af984b44c745b35b3c5b4d)
(cherry picked from commit 564f884e7bb6db9c63e03c3b081ea71e15aa7980)
(cherry picked from commit 5026d95)
Signed-off-by: Andrey Epifanov <aepifanov@mirantis.com>

`bridgeClient` is made exported since exported func LLBBridgeToGatewayClient should have exported-return

Signed-off-by: Andrey Epifanov <aepifanov@mirantis.com>

# Conflicts:
#	executor/executor.go
#	frontend/gateway/container/container.go
#	frontend/gateway/forwarder/forward.go
#	frontend/gateway/forwarder/frontend.go
#	frontend/gateway/gateway.go
#	solver/llbsolver/bridge.go
#	solver/llbsolver/provenance.go
#	solver/llbsolver/solver.go
#	worker/workercontroller.go
Ensure interactive calls validate same conditions that
the build requests do. Refactor of the build side is to ensure
we use the same validation function for both cases. There
was no validation issue with the LLB validation.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit d1970522d7145be5f4a1f1a028b1910bb527126c)
(cherry picked from commit e1e30278d0a491dfd34bd80fa66b54106614cffa)
(cherry picked from commit 92cc595)
Signed-off-by: Andrey Epifanov <aepifanov@mirantis.com>

# Conflicts:
#	client/build_test.go
#	solver/llbsolver/bridge.go
Fix issue 3148

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 0b5a315)
Signed-off-by: Andrey Epifanov <aepifanov@mirantis.com>

# Conflicts:
#	client/client_test.go
On Linux, an empty directory is usually 4096 bytes, not 0, so we need an
additional explicit check here.

Signed-off-by: Justin Chadwell <me@jedevc.com>
(cherry picked from commit 6778973)
Signed-off-by: Andrey Epifanov <aepifanov@mirantis.com>

# Conflicts:
#	client/client_test.go
Signed-off-by: Justin Chadwell <me@jedevc.com>
(cherry picked from commit 32b5e4d)
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit 96ccaec09c51176a6d954fd7c4ce57d519bae1b2)
(cherry picked from commit a9523c6476f39bb44dd02bcab19e8cb25c5bc37b)
(cherry picked from commit 00fe637)
Signed-off-by: Andrey Epifanov <aepifanov@mirantis.com>

# Conflicts:
#	executor/stubs.go
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit 42d866e)
(cherry picked from commit e81066f8a8623dc876f3d64fae8f693c17ecdc1a)
(cherry picked from commit d089e0b)
While submount paths were already validated there are some
cases where the parent mount may not be immutable while the
submount is created.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit 2529ec4121bcd8c35bcd96218083da175c2e5b77)
(cherry picked from commit cbc233b3b695918d92fd5b1407b829296c53db70)
(cherry picked from commit f781267)
Signed-off-by: Andrey Epifanov <aepifanov@mirantis.com>

# Conflicts:
#	executor/oci/spec.go
#	executor/oci/spec_windows.go
#	snapshot/localmounter_unix.go
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
(cherry picked from commit 5955ccf)
Signed-off-by: Andrey Epifanov <aepifanov@mirantis.com>

# Conflicts:
#	Dockerfile
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit bac3f2b)
Signed-off-by: Andrey Epifanov <aepifanov@mirantis.com>

# Conflicts:
#	Dockerfile
@aepifanov aepifanov force-pushed the v10_backport-4600-4601-4602-4603-4604 branch from b1d2785 to e364de6 Compare February 28, 2024 19:10
@aepifanov aepifanov requested a review from corhere February 28, 2024 20:09
Copy link
Collaborator

@corhere corhere left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can't vouch for whether the patches resolve the security vulnerabilities, but the backports look clean and reasonable.

@aepifanov aepifanov merged commit b1c77d9 into Mirantis:v0.10 Feb 28, 2024
40 checks passed
@aepifanov aepifanov deleted the v10_backport-4600-4601-4602-4603-4604 branch March 14, 2024 09:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants