Vendor in latest containers/storage

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

vendor/github.com/Microsoft/hcsshim/internal/hcs/process.go

@@ -161,7 +161,39 @@ func (process *Process) Kill(ctx context.Context) (bool, error) {
 		return true, nil
 	}
 
-	resultJSON, err := vmcompute.HcsTerminateProcess(ctx, process.handle)
+	// HCS serializes the signals sent to a target pid per compute system handle.
+	// To avoid SIGKILL being serialized behind other signals, we open a new compute
+	// system handle to deliver the kill signal.
+	// If the calls to opening a new compute system handle fail, we forcefully
+	// terminate the container itself so that no container is left behind
+	hcsSystem, err := OpenComputeSystem(ctx, process.system.id)
+	if err != nil {
+		// log error and force termination of container
+		log.G(ctx).WithField("err", err).Error("OpenComputeSystem() call failed")
+		err = process.system.Terminate(ctx)
+		// if the Terminate() call itself ever failed, log and return error
+		if err != nil {
+			log.G(ctx).WithField("err", err).Error("Terminate() call failed")
+			return false, err
+		}
+		process.system.Close()
+		return true, nil
+	}
+	defer hcsSystem.Close()
+
+	newProcessHandle, err := hcsSystem.OpenProcess(ctx, process.Pid())
+	if err != nil {
+		// Return true only if the target process has either already
+		// exited, or does not exist.
+		if IsAlreadyStopped(err) {
+			return true, nil
+		} else {
+			return false, err
+		}
+	}
+	defer newProcessHandle.Close()
+
+	resultJSON, err := vmcompute.HcsTerminateProcess(ctx, newProcessHandle.handle)
 	if err != nil {
 		// We still need to check these two cases, as processes may still be killed by an
 		// external actor (human operator, OOM, random script etc).
@@ -185,9 +217,9 @@ func (process *Process) Kill(ctx context.Context) (bool, error) {
 		}
 	}
 	events := processHcsResult(ctx, resultJSON)
-	delivered, err := process.processSignalResult(ctx, err)
+	delivered, err := newProcessHandle.processSignalResult(ctx, err)
 	if err != nil {
-		err = makeProcessError(process, operation, err, events)
+		err = makeProcessError(newProcessHandle, operation, err, events)
 	}
 
 	process.killSignalDelivered = delivered

vendor/github.com/containers/storage/.cirrus.yml

@@ -17,13 +17,13 @@ env:
     ####
     #### Cache-image names to test with (double-quotes around names are critical)
     ###
-    FEDORA_NAME: "fedora-36"
-    UBUNTU_NAME: "ubuntu-2204"
+    FEDORA_NAME: "fedora-37" ### 20230120t152650z-f37f36u2204
+    UBUNTU_NAME: "ubuntu-2204" ### 20230120t152650z-f37f36u2204
 
     # GCE project where images live
     IMAGE_PROJECT: "libpod-218412"
     # VM Image built in containers/automation_images
-    IMAGE_SUFFIX: "c5878804328480768"
+    IMAGE_SUFFIX: "c20230120t152650z-f37f36u2204"
     FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}"
     UBUNTU_CACHE_IMAGE_NAME: "ubuntu-${IMAGE_SUFFIX}"
 
@@ -58,7 +58,7 @@ fedora_testing_task: &fedora_testing
     name: &std_test_name "${OS_NAME} ${TEST_DRIVER}"
     depends_on:
         - lint
-
+    only_if: $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*'
     gce_instance:  # Only need to specify differences from defaults (above)
         image_name: "${VM_IMAGE}"
 
@@ -97,6 +97,7 @@ ubuntu_testing_task: &ubuntu_testing
     <<: *fedora_testing
     alias: ubuntu_testing
     name: *std_test_name
+    only_if: $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*'
     env:
         OS_NAME: "${UBUNTU_NAME}"
         VM_IMAGE: "${UBUNTU_CACHE_IMAGE_NAME}"
@@ -111,6 +112,8 @@ ubuntu_testing_task: &ubuntu_testing
             TEST_DRIVER: "fuse-overlay-whiteout"
         - env:
             TEST_DRIVER: "btrfs"
+        - env:
+            TEST_DRIVER: "zfs"
 
 
 lint_task:
@@ -161,6 +164,12 @@ vendor_task:
     test_script: hack/tree_status.sh
 
 
+cross_task:
+    container:
+        image: golang:1.17
+    build_script: make cross
+
+
 # Represent overall pass/fail status from required dependent tasks
 success_task:
     depends_on:
@@ -169,6 +178,7 @@ success_task:
         - ubuntu_testing
         - meta
         - vendor
+        - cross
     container:
         image: golang:1.17
     clone_script: 'mkdir -p "$CIRRUS_WORKING_DIR"'  # Source code not needed

vendor/github.com/containers/storage/Makefile

@@ -44,7 +44,7 @@ containers-storage: $(sources) ## build using gc on the host
 	$(GO) build $(MOD_VENDOR) -compiler gc $(BUILDFLAGS) ./cmd/containers-storage
 
 codespell:
-	codespell -S Makefile,build,buildah,buildah.spec,imgtype,copy,AUTHORS,bin,vendor,.git,go.sum,CHANGELOG.md,changelog.txt,seccomp.json,.cirrus.yml,"*.xz,*.gz,*.tar,*.tgz,*ico,*.png,*.1,*.5,*.orig,*.rej" -L flate,uint,iff,od,ERRO -w
+	codespell -S Makefile,build,buildah,buildah.spec,imgtype,copy,AUTHORS,bin,vendor,.git,go.sum,CHANGELOG.md,changelog.txt,seccomp.json,.cirrus.yml,"*.xz,*.gz,*.tar,*.tgz,*ico,*.png,*.1,*.5,*.orig,*.rej" -L worl,flate,uint,iff,od,ERRO -w
 
 binary local-binary: containers-storage
 

vendor/github.com/containers/storage/VERSION

@@ -1 +1 @@
-1.45.3-dev
+1.45.4

vendor/github.com/containers/storage/drivers/driver.go

@@ -223,7 +223,7 @@ type CapabilityDriver interface {
 	Capabilities() Capabilities
 }
 
-// AdditionalLayer reprents a layer that is stored in the additional layer store
+// AdditionalLayer represents a layer that is stored in the additional layer store
 // This API is experimental and can be changed without bumping the major version number.
 type AdditionalLayer interface {
 	// CreateAs creates a new layer from this additional layer

vendor/github.com/containers/storage/drivers/overlay/overlay.go

@@ -47,8 +47,7 @@ var (
 )
 
 const (
-	defaultPerms     = os.FileMode(0555)
-	selinuxLabelTest = "system_u:object_r:container_file_t:s0"
+	defaultPerms = os.FileMode(0555)
 )
 
 // This backend uses the overlay union filesystem for containers
@@ -315,7 +314,10 @@ func Init(home string, options graphdriver.Options) (graphdriver.Driver, error)
 	}
 	fsName, ok := graphdriver.FsNames[fsMagic]
 	if !ok {
-		return nil, fmt.Errorf("filesystem type %#x reported for %s is not supported with 'overlay': %w", fsMagic, filepath.Dir(home), graphdriver.ErrIncompatibleFS)
+		if opts.mountProgram == "" {
+			return nil, fmt.Errorf("filesystem type %#x reported for %s is not supported with 'overlay': %w", fsMagic, filepath.Dir(home), graphdriver.ErrIncompatibleFS)
+		}
+		fsName = "<unknown>"
 	}
 	backingFs = fsName
 
@@ -654,6 +656,8 @@ func SupportsNativeOverlay(home, runhome string) (bool, error) {
 func supportsOverlay(home string, homeMagic graphdriver.FsMagic, rootUID, rootGID int) (supportsDType bool, err error) {
 	// We can try to modprobe overlay first
 
+	selinuxLabelTest := selinux.PrivContainerMountLabel()
+
 	exec.Command("modprobe", "overlay").Run()
 
 	logLevel := logrus.ErrorLevel
@@ -1505,7 +1509,7 @@ func (d *Driver) get(id string, disableShifting bool, options graphdriver.MountO
 		}
 	}
 
-	if d.supportsIDmappedMounts() && len(options.UidMaps) > 0 && len(options.GidMaps) > 0 {
+	if !disableShifting && len(options.UidMaps) > 0 && len(options.GidMaps) > 0 {
 		var newAbsDir []string
 		mappedRoot := filepath.Join(d.home, id, "mapped")
 		if err := os.MkdirAll(mappedRoot, 0700); err != nil {
@@ -2098,8 +2102,8 @@ func (d *Driver) supportsIDmappedMounts() bool {
 
 // SupportsShifting tells whether the driver support shifting of the UIDs/GIDs in an userNS
 func (d *Driver) SupportsShifting() bool {
-	if os.Getenv("_TEST_FORCE_SUPPORT_SHIFTING") == "yes-please" {
-		return true
+	if os.Getenv("_CONTAINERS_OVERLAY_DISABLE_IDMAP") == "yes" {
+		return false
 	}
 	if d.options.mountProgram != "" {
 		return true

vendor/github.com/containers/storage/layers.go

@@ -281,7 +281,7 @@ type rwLayerStore interface {
 	// unmount unmounts a layer when it is no longer in use.
 	// If conditional is set, it will fail with ErrLayerNotMounted if the layer is not mounted (without conditional, the caller is
 	// making a promise that the layer is actually mounted).
-	// If force is set, it will physically try to unmount it even if it is mounted multple times, or even if (!conditional and)
+	// If force is set, it will physically try to unmount it even if it is mounted multiple times, or even if (!conditional and)
 	// there are no records of it being mounted in the first place.
 	// It returns whether the layer was still mounted at the time this function returned.
 	// WARNING: The return value may already be obsolete by the time it is available

vendor/github.com/containers/storage/pkg/ioutils/readers.go

@@ -1,11 +1,10 @@
 package ioutils
 
 import (
+	"context"
 	"crypto/sha256"
 	"encoding/hex"
 	"io"
-
-	"golang.org/x/net/context"
 )
 
 type readCloserWrapper struct {

vendor/github.com/containers/storage/pkg/regexp/regexp.go

@@ -7,7 +7,7 @@ import (
 )
 
 // Regexp is a wrapper struct used for wrapping MustCompile regex expressions
-// used as global variables. Using this stucture helps speed the startup time
+// used as global variables. Using this structure helps speed the startup time
 // of apps that want to use global regex variables. This library initializes them on
 // first use as opposed to the start of the executable.
 type Regexp struct {

vendor/github.com/containers/storage/pkg/truncindex/truncindex.go

@@ -9,7 +9,7 @@ import (
 	"strings"
 	"sync"
 
-	"github.com/tchap/go-patricia/patricia"
+	"github.com/tchap/go-patricia/v2/patricia"
 )
 
 var (

vendor/github.com/containers/storage/store.go

@@ -519,7 +519,7 @@ type Store interface {
 	GarbageCollect() error
 }
 
-// AdditionalLayer reprents a layer that is contained in the additional layer store
+// AdditionalLayer represents a layer that is contained in the additional layer store
 // This API is experimental and can be changed without bumping the major version number.
 type AdditionalLayer interface {
 	// PutAs creates layer based on this handler, using diff contents from the additional
@@ -820,7 +820,7 @@ func (s *store) GIDMap() []idtools.IDMap {
 	return copyIDMap(s.gidMap)
 }
 
-// This must only be called when constructing store; it writes to fields that are assumed to be constant after constrution.
+// This must only be called when constructing store; it writes to fields that are assumed to be constant after construction.
 func (s *store) load() error {
 	var driver drivers.Driver
 	if err := func() error { // A scope for defer

vendor/github.com/containers/storage/types/options.go

@@ -152,20 +152,24 @@ func defaultStoreOptionsIsolated(rootless bool, rootlessUID int, storageConf str
 			}
 		}
 	}
-	if storageOpts.RunRoot != "" {
-		runRoot, err := expandEnvPath(storageOpts.RunRoot, rootlessUID)
-		if err != nil {
-			return storageOpts, err
-		}
-		storageOpts.RunRoot = runRoot
+	if storageOpts.RunRoot == "" {
+		return storageOpts, fmt.Errorf("runroot must be set")
 	}
-	if storageOpts.GraphRoot != "" {
-		graphRoot, err := expandEnvPath(storageOpts.GraphRoot, rootlessUID)
-		if err != nil {
-			return storageOpts, err
-		}
-		storageOpts.GraphRoot = graphRoot
+	runRoot, err := expandEnvPath(storageOpts.RunRoot, rootlessUID)
+	if err != nil {
+		return storageOpts, err
 	}
+	storageOpts.RunRoot = runRoot
+
+	if storageOpts.GraphRoot == "" {
+		return storageOpts, fmt.Errorf("graphroot must be set")
+	}
+	graphRoot, err := expandEnvPath(storageOpts.GraphRoot, rootlessUID)
+	if err != nil {
+		return storageOpts, err
+	}
+	storageOpts.GraphRoot = graphRoot
+
 	if storageOpts.RootlessStoragePath != "" {
 		storagePath, err := expandEnvPath(storageOpts.RootlessStoragePath, rootlessUID)
 		if err != nil {
@@ -186,7 +190,7 @@ func loadStoreOptions(rootless bool, rootlessUID int) (StoreOptions, error) {
 	return defaultStoreOptionsIsolated(rootless, rootlessUID, storageConf)
 }
 
-// UpdateOptions should be called iff container engine recieved a SIGHUP,
+// UpdateOptions should be called iff container engine received a SIGHUP,
 // otherwise use DefaultStoreOptions
 func UpdateStoreOptions(rootless bool, rootlessUID int) (StoreOptions, error) {
 	storeOptions, storeError = loadStoreOptions(rootless, rootlessUID)

vendor/github.com/opencontainers/runtime-spec/specs-go/config.go

@@ -319,6 +319,10 @@ type LinuxMemory struct {
 	DisableOOMKiller *bool `json:"disableOOMKiller,omitempty"`
 	// Enables hierarchical memory accounting
 	UseHierarchy *bool `json:"useHierarchy,omitempty"`
+	// CheckBeforeUpdate enables checking if a new memory limit is lower
+	// than the current usage during update, and if so, rejecting the new
+	// limit.
+	CheckBeforeUpdate *bool `json:"checkBeforeUpdate,omitempty"`
 }
 
 // LinuxCPU for Linux cgroup 'cpu' resource management
@@ -327,6 +331,9 @@ type LinuxCPU struct {
 	Shares *uint64 `json:"shares,omitempty"`
 	// CPU hardcap limit (in usecs). Allowed cpu time in a given period.
 	Quota *int64 `json:"quota,omitempty"`
+	// CPU hardcap burst limit (in usecs). Allowed accumulated cpu time additionally for burst in a
+	// given period.
+	Burst *uint64 `json:"burst,omitempty"`
 	// CPU period to be used for hardcapping (in usecs).
 	Period *uint64 `json:"period,omitempty"`
 	// How much time realtime scheduling may use (in usecs).
@@ -645,6 +652,10 @@ const (
 	// LinuxSeccompFlagSpecAllow can be used to disable Speculative Store
 	// Bypass mitigation. (since Linux 4.17)
 	LinuxSeccompFlagSpecAllow LinuxSeccompFlag = "SECCOMP_FILTER_FLAG_SPEC_ALLOW"
+
+	// LinuxSeccompFlagWaitKillableRecv can be used to switch to the wait
+	// killable semantics. (since Linux 5.19)
+	LinuxSeccompFlagWaitKillableRecv LinuxSeccompFlag = "SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV"
 )
 
 // Additional architectures permitted to be used for system calls

vendor/github.com/opencontainers/runtime-spec/specs-go/version.go

@@ -6,12 +6,12 @@ const (
 	// VersionMajor is for an API incompatible changes
 	VersionMajor = 1
 	// VersionMinor is for functionality in a backwards-compatible manner
-	VersionMinor = 0
+	VersionMinor = 1
 	// VersionPatch is for backwards-compatible bug fixes
-	VersionPatch = 2
+	VersionPatch = 0
 
 	// VersionDev indicates development branch. Releases will be empty string.
-	VersionDev = "-dev"
+	VersionDev = "-rc.1"
 )
 
 // Version is the specification version that the package types support.