vendor: update common, image, storage to main

This also bumps github.com/opencontainers/runtime-spec to v1.3.0,
which contains a breaking change to the pids type, so we had to update
all the podman callers.

And tags.cncf.io/container-device-interface also used some changed
types from it and they have been updated in main so bump to the latest
commit there as well in order to get podman to compile properly.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This commit is contained in:
Paul Holzinger
2025-11-21 14:24:29 +01:00
parent f3d38d3974
commit d163c38a26
43 changed files with 454 additions and 225 deletions


@@ -6,6 +6,7 @@ import (
"fmt"
"io"
"os"
"slices"
"strings"
"github.com/moby/sys/capability"
@@ -25,6 +26,12 @@ var (
}
)
const (
// UnlimitedPidsLimit can be passed to SetLinuxResourcesPidsLimit to
// request unlimited PIDs.
UnlimitedPidsLimit int64 = -1
)
// Generator represents a generator for a container config.
type Generator struct {
Config *rspec.Spec
@@ -88,7 +95,8 @@ func New(os string) (generator Generator, err error) {
}
}
if os == "linux" {
switch os {
case "linux":
config.Process.Capabilities = &rspec.LinuxCapabilities{
Bounding: []string{
"CAP_CHOWN",
@@ -237,7 +245,7 @@ func New(os string) (generator Generator, err error) {
},
Seccomp: seccomp.DefaultProfile(&config),
}
} else if os == "freebsd" {
case "freebsd":
config.Mounts = []rspec.Mount{
{
Destination: "/dev",
@@ -593,12 +601,10 @@ func (g *Generator) ClearProcessAdditionalGids() {
}
// AddProcessAdditionalGid adds an additional gid into g.Config.Process.AdditionalGids.
func (g *Generator) AddProcessAdditionalGid(gid uint32) {
func (g *Generator) AddProcessAdditionalGid(gid uint32) { //nolint:staticcheck // Ignore ST1003: method AddProcessAdditionalGid should be AddProcessAdditionalGID
g.initConfigProcess()
for _, group := range g.Config.Process.User.AdditionalGids {
if group == gid {
return
}
if slices.Contains(g.Config.Process.User.AdditionalGids, gid) {
return
}
g.Config.Process.User.AdditionalGids = append(g.Config.Process.User.AdditionalGids, gid)
}
@@ -868,7 +874,7 @@ func (g *Generator) DropLinuxResourcesHugepageLimit(pageSize string) {
}
}
// AddLinuxResourcesUnified sets the g.Config.Linux.Resources.Unified
// SetLinuxResourcesUnified sets the g.Config.Linux.Resources.Unified.
func (g *Generator) SetLinuxResourcesUnified(unified map[string]string) {
g.initConfigLinuxResourcesUnified()
for k, v := range unified {
@@ -911,7 +917,7 @@ func (g *Generator) SetLinuxResourcesMemorySwap(swap int64) {
// SetLinuxResourcesMemoryKernel sets g.Config.Linux.Resources.Memory.Kernel.
func (g *Generator) SetLinuxResourcesMemoryKernel(kernel int64) {
g.initConfigLinuxResourcesMemory()
g.Config.Linux.Resources.Memory.Kernel = &kernel
g.Config.Linux.Resources.Memory.Kernel = &kernel //nolint:staticcheck // Ignore SA1019: g.Config.Linux.Resources.Memory.Kernel is deprecated
}
// SetLinuxResourcesMemoryKernelTCP sets g.Config.Linux.Resources.Memory.KernelTCP.
@@ -970,7 +976,7 @@ func (g *Generator) DropLinuxResourcesNetworkPriorities(name string) {
// SetLinuxResourcesPidsLimit sets g.Config.Linux.Resources.Pids.Limit.
func (g *Generator) SetLinuxResourcesPidsLimit(limit int64) {
g.initConfigLinuxResourcesPids()
g.Config.Linux.Resources.Pids.Limit = limit
g.Config.Linux.Resources.Pids.Limit = &limit
}
// ClearLinuxSysctl clears g.Config.Linux.Sysctl.
@@ -1060,13 +1066,13 @@ func (g *Generator) ClearPreStartHooks() {
if g.Config == nil || g.Config.Hooks == nil {
return
}
g.Config.Hooks.Prestart = []rspec.Hook{}
g.Config.Hooks.Prestart = []rspec.Hook{} //nolint:staticcheck // Ignore SA1019: g.Config.Hooks.Prestart is deprecated
}
// AddPreStartHook add a prestart hook into g.Config.Hooks.Prestart.
func (g *Generator) AddPreStartHook(preStartHook rspec.Hook) {
g.initConfigHooks()
g.Config.Hooks.Prestart = append(g.Config.Hooks.Prestart, preStartHook)
g.Config.Hooks.Prestart = append(g.Config.Hooks.Prestart, preStartHook) //nolint:staticcheck // Ignore SA1019: g.Config.Hooks.Prestart is deprecated
}
// ClearPostStopHooks clear g.Config.Hooks.Poststop.


@@ -3,7 +3,6 @@ package seccomp
import (
"runtime"
"github.com/opencontainers/runtime-spec/specs-go"
rspec "github.com/opencontainers/runtime-spec/specs-go"
)
@@ -31,7 +30,7 @@ func arches() []rspec.Arch {
}
// DefaultProfile defines the whitelist for the default seccomp profile.
func DefaultProfile(rs *specs.Spec) *rspec.LinuxSeccomp {
func DefaultProfile(rs *rspec.Spec) *rspec.LinuxSeccomp {
syscalls := []rspec.LinuxSyscall{
{
Names: []string{


@@ -1,5 +1,4 @@
//go:build linux
// +build linux
package seccomp


@@ -1,5 +1,4 @@
//go:build !linux
// +build !linux
package seccomp