This also then bumps github.com/opencontainers/runtime-spec to v1.3.0
which contains breaking changes of the pid type as such we had to update
all the podman callers.
And tags.cncf.io/container-device-interface also used some changed
types from it and they have been updated in main so bump to the latest
commit there as well in order to get podman to compile properly.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Since this will be required by the runc security update I bump it hare
already to make the runc bump easier. Note while there is 0.6.0 out we
use 0.5.1 intentionally as 0.6 comes with breaking changes that won't
build in our dependencies.
Also note the lib now contains code licensed under MPL-2 which is not
yet approved by the CNCF[1] but because the runc fix requires it we were
advised to just go ahead and update it for now.
[1] https://github.com/cncf/foundation/issues/1154
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* If possible, update each dependency to the latest available version.
* Use releases over commit IDs and avoid vendoring branches.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
We implement the securejoin method to make sure the paths to /etc/passwd and
/etc/group are not symlinks to something naughty or outside the container
image. And then instead of actually chrooting, we use the runc functions to
get information about a user. The net result is increased security and
a a performance gain from 41ms to 100us.
Signed-off-by: baude <bbaude@redhat.com>
Made necessary changes to functions to include contex.Context wherever needed
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #640
Approved by: baude
When running a privileged container, it should inherit the same
devices the host has.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #330
Approved by: mheon
