Merge pull request #621 from KCSesh/add-containerd-2-1

Add package: containerd-2.1

Author: KCSesh

Cargo.lock

@@ -16,6 +16,7 @@ members = [
   "packages/conntrack-tools",
   "packages/containerd-1.7",
   "packages/containerd-2.0",
+  "packages/containerd-2.1",
   "packages/coreutils",
   "packages/libcryptsetup",
   "packages/dbus-broker",

Cargo.toml

@@ -26,6 +26,7 @@ cni-plugins = { path = "../../packages/cni-plugins" }
 conntrack-tools = { path = "../../packages/conntrack-tools" }
 containerd-1_7 = { path = "../../packages/containerd-1.7" }
 containerd-2_0 = { path = "../../packages/containerd-2.0" }
+containerd-2_1 = { path = "../../packages/containerd-2.1" }
 coreutils = { path = "../../packages/coreutils" }
 dbus-broker = { path = "../../packages/dbus-broker" }
 docker-cli = { path = "../../packages/docker-cli" }

kits/bottlerocket-core-kit/Cargo.toml

@@ -6,7 +6,7 @@
 %global rpmver %{gover}
 %global gitrev 05044ec0a9a75232cad458027ca83437aae3f4da
 
-%global package_priority_epoch 1
+%global package_priority_epoch 2
 %global _dwz_low_mem_die_limit 0
 
 Name: %{_cross_os}%{gorepo}-1.7

packages/containerd-1.7/containerd-1.7.spec

@@ -6,7 +6,7 @@
 %global rpmver %{gover}
 %global gitrev fb4c30d4ede3531652d86197bf3fc9515e5276d9
 
-%global package_priority_epoch 0
+%global package_priority_epoch 1
 %global _dwz_low_mem_die_limit 0
 
 Name: %{_cross_os}%{gorepo}-2.0

packages/containerd-2.0/containerd-2.0.spec

@@ -0,0 +1,72 @@
+From f6f4f959862cad73cc44d07b088f449ae6c69066 Mon Sep 17 00:00:00 2001
+From: Henry Wang <[email protected]>
+Date: Thu, 10 Apr 2025 20:50:50 +0000
+Subject: [PATCH] Revert "Don't allow io_uring related syscalls in the
+ RuntimeDefault seccomp profile."
+
+This reverts commit a48ddf4a208b24eadea82f0eac62e236f2acf004.
+---
+ contrib/seccomp/seccomp_default.go      |  3 +++
+ contrib/seccomp/seccomp_default_test.go | 36 -------------------------
+ 2 files changed, 3 insertions(+), 36 deletions(-)
+ delete mode 100644 contrib/seccomp/seccomp_default_test.go
+
+diff --git a/contrib/seccomp/seccomp_default.go b/contrib/seccomp/seccomp_default.go
+index 55d673fcb..1135f2391 100644
+--- a/contrib/seccomp/seccomp_default.go
++++ b/contrib/seccomp/seccomp_default.go
+@@ -188,6 +188,9 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
+ 				"ioprio_set",
+ 				"io_setup",
+ 				"io_submit",
++				"io_uring_enter",
++				"io_uring_register",
++				"io_uring_setup",
+ 				"ipc",
+ 				"kill",
+ 				"landlock_add_rule",
+diff --git a/contrib/seccomp/seccomp_default_test.go b/contrib/seccomp/seccomp_default_test.go
+deleted file mode 100644
+index 53e386809..000000000
+--- a/contrib/seccomp/seccomp_default_test.go
++++ /dev/null
+@@ -1,36 +0,0 @@
+-package seccomp
+-
+-import (
+-	"testing"
+-
+-	"github.com/opencontainers/runtime-spec/specs-go"
+-)
+-
+-func TestIOUringIsNotAllowed(t *testing.T) {
+-
+-	disallowed := map[string]bool{
+-		"io_uring_enter":    true,
+-		"io_uring_register": true,
+-		"io_uring_setup":    true,
+-	}
+-
+-	got := DefaultProfile(&specs.Spec{
+-		Process: &specs.Process{
+-			Capabilities: &specs.LinuxCapabilities{
+-				Bounding: []string{},
+-			},
+-		},
+-	})
+-
+-	for _, config := range got.Syscalls {
+-		if config.Action != specs.ActAllow {
+-			continue
+-		}
+-
+-		for _, name := range config.Names {
+-			if disallowed[name] {
+-				t.Errorf("found disallowed io_uring related syscalls")
+-			}
+-		}
+-	}
+-}
+-- 
+2.45.0
+

packages/containerd-2.1/1001-Revert-Don-t-allow-io_uring-related-syscalls-in-the-.patch

@@ -0,0 +1,20 @@
+[package]
+name = "containerd-2_1"
+version = "0.1.0"
+edition = "2021"
+publish = false
+build = "../build.rs"
+
+[lib]
+path = "../packages.rs"
+
+[package.metadata.build-package]
+package-name = "containerd-2.1"
+releases-url = "https://github.com/containerd/containerd/releases"
+
+[[package.metadata.build-package.external-files]]
+url = "https://github.com/containerd/containerd/archive/v2.1.4/containerd-2.1.4.tar.gz"
+sha512 = "a9f84784e917621ee5ea38ad20b8106e642fbf463a00d319b73a1a8e4d1fdd5be2fba0789b6a5d31107ef239d3713eced99ce979d4b2764714271a63c0936c15"
+
+[build-dependencies]
+glibc = { path = "../glibc" }

packages/containerd-2.1/Cargo.toml

@@ -0,0 +1,16 @@
+[clarify."sigs.k8s.io/yaml"]
+expression = "MIT AND BSD-3-Clause"
+license-files = [
+    { path = "LICENSE", hash = 0x617d80bc },
+    { path = "goyaml.v2/LICENSE", hash = 0xe569d630 },
+    { path = "goyaml.v2/LICENSE.libyaml", hash = 0xa2e4ce3 },
+    { path = "goyaml.v2/NOTICE", hash = 0x49bceeb9 }
+
+]
+
+[clarify."github.com/grpc-ecosystem/go-grpc-middleware/v2"]
+expression = "Apache-2.0"
+license-files = [
+    { path = "COPYRIGHT", hash = 0x4bba7b1 },
+    { path = "LICENSE", hash = 0x6a39c900 }
+]

packages/containerd-2.1/clarify.toml

@@ -0,0 +1,179 @@
+%global goproject github.com/containerd
+%global gorepo containerd
+%global goimport %{goproject}/%{gorepo}
+
+%global gover 2.1.4
+%global rpmver %{gover}
+%global gitrev 75cb2b7193e4e490e9fbdc236c0e811ccaba3376
+
+%global package_priority_epoch 0
+%global _dwz_low_mem_die_limit 0
+
+Name: %{_cross_os}%{gorepo}-2.1
+Version: %{rpmver}
+Release: 1%{?dist}
+Summary: An industry-standard container runtime
+License: Apache-2.0
+URL: https://%{goimport}
+Source0: https://%{goimport}/archive/v%{gover}/%{gorepo}-%{gover}.tar.gz
+Source1: containerd.service
+Source2: containerd-config-toml_k8s_containerd_sock
+Source3: containerd-config-toml_basic
+Source4: containerd-config-toml_k8s_nvidia_containerd_sock
+Source5: containerd-tmpfiles.conf
+Source6: containerd-cri-base-json
+Source7: snapshotter-toml
+
+# Mount for writing containerd configuration
+Source100: etc-containerd.mount
+
+# Create container storage mount point.
+Source110: prepare-var-lib-containerd.service
+
+# Drop-ins to disable igzip or pigz if the other implementation is preferred.
+Source200: containerd-disable-igzip.conf
+Source201: containerd-disable-pigz.conf
+
+Source1000: clarify.toml
+
+# Patch to support moving from containerd-1.7 to 2.x
+Patch1001: 1001-Revert-Don-t-allow-io_uring-related-syscalls-in-the-.patch
+
+BuildRequires: git
+BuildRequires: %{_cross_os}glibc-devel
+Requires: %{_cross_os}runc
+Requires: %{name}(optimized-gunzip)
+Requires: %{name}(binaries)
+
+Provides: %{_cross_os}%{gorepo} = %{package_priority_epoch}:
+Conflicts: %{_cross_os}%{gorepo}
+
+%description
+%{summary}.
+
+%package bin
+Summary: An industry-standard container runtime's binaries
+Provides: %{name}(binaries)
+Requires: (%{_cross_os}image-feature(no-fips) and %{name})
+Conflicts: (%{_cross_os}image-feature(fips) or %{name}-fips-bin)
+
+%description bin
+%{summary}.
+
+%package fips-bin
+Summary: An industry-standard container runtime's binaries, FIPS edition
+Provides: %{name}(binaries)
+Requires: (%{_cross_os}image-feature(fips) and %{name})
+Conflicts: (%{_cross_os}image-feature(no-fips) or %{name}-bin)
+
+%description fips-bin
+%{summary}.
+
+%package pigz
+Summary: Prefer pigz for gzip decompression
+Requires: %{_cross_os}pigz
+Requires: %{name}
+Provides: %{_cross_os}%{gorepo}-pigz = %{package_priority_epoch}:
+Conflicts: %{name}-igzip
+Provides: %{name}(optimized-gunzip) = 1:
+
+%description pigz
+%{summary}.
+
+%package igzip
+Summary: Prefer igzip for gzip decompression
+Requires: %{_cross_os}igzip
+Requires: %{name}
+Provides: %{_cross_os}%{gorepo}-igzip = %{package_priority_epoch}:
+Conflicts: %{name}-pigz
+%if "%{_cross_arch}" == "x86_64"
+Provides: %{name}(optimized-gunzip) = 2:
+%else
+Provides: %{name}(optimized-gunzip) = 0:
+%endif
+
+%description igzip
+%{summary}.
+
+%prep
+%autosetup -Sgit -n %{gorepo}-%{gover} -p1
+
+%build
+%set_cross_go_flags
+
+export BUILDTAGS="no_btrfs selinux"
+export LD_VERSION="-X github.com/containerd/containerd/v2/version.Version=%{gover}+bottlerocket"
+export LD_REVISION="-X github.com/containerd/containerd/v2/version.Revision=%{gitrev}"
+
+declare -a BUILD_ARGS
+BUILD_ARGS=(
+  -tags="${BUILDTAGS}"
+  -ldflags="${GOLDFLAGS} ${LD_VERSION} ${LD_REVISION}"
+)
+
+for bin in \
+  containerd \
+  containerd-shim-runc-v2 \
+  ctr ;
+do
+  go build "${BUILD_ARGS[@]}" -o ${bin} ./cmd/${bin}
+  gofips build "${BUILD_ARGS[@]}" -o fips/${bin} ./cmd/${bin}
+done
+
+%install
+install -d %{buildroot}{%{_cross_bindir},%{_cross_fips_bindir}}
+for bin in \
+  containerd \
+  containerd-shim-runc-v2 \
+  ctr ;
+do
+  install -p -m 0755 ${bin} %{buildroot}%{_cross_bindir}
+  install -p -m 0755 fips/${bin} %{buildroot}%{_cross_fips_bindir}
+done
+
+install -d %{buildroot}%{_cross_unitdir}
+install -p -m 0644 %{S:1} %{S:100} %{S:110} %{buildroot}%{_cross_unitdir}
+
+install -d %{buildroot}%{_cross_templatedir}
+install -d %{buildroot}%{_cross_factorydir}%{_cross_sysconfdir}/containerd
+install -p -m 0644 %{S:2} %{S:3} %{S:4} %{S:6} %{S:7} %{buildroot}%{_cross_templatedir}
+
+install -d %{buildroot}%{_cross_tmpfilesdir}
+install -p -m 0644 %{S:5} %{buildroot}%{_cross_tmpfilesdir}/containerd.conf
+
+install -d %{buildroot}%{_cross_unitdir}/containerd.service.d
+install -p -m 0644 %{S:200} %{buildroot}%{_cross_unitdir}/containerd.service.d/005-disable-igzip.conf
+install -p -m 0644 %{S:201} %{buildroot}%{_cross_unitdir}/containerd.service.d/005-disable-pigz.conf
+
+%cross_scan_attribution --clarify %{S:1000} go-vendor vendor
+
+%files
+%license LICENSE NOTICE
+%{_cross_attribution_file}
+%{_cross_attribution_vendor_dir}
+%{_cross_unitdir}/containerd.service
+%{_cross_unitdir}/etc-containerd.mount
+%{_cross_unitdir}/prepare-var-lib-containerd.service
+%dir %{_cross_factorydir}%{_cross_sysconfdir}/containerd
+%{_cross_templatedir}/containerd-config-toml*
+%{_cross_templatedir}/containerd-cri-base-json
+%{_cross_templatedir}/snapshotter-toml
+%{_cross_tmpfilesdir}/containerd.conf
+
+%files bin
+%{_cross_bindir}/containerd
+%{_cross_bindir}/containerd-shim-runc-v2
+%{_cross_bindir}/ctr
+
+%files fips-bin
+%{_cross_fips_bindir}/containerd
+%{_cross_fips_bindir}/containerd-shim-runc-v2
+%{_cross_fips_bindir}/ctr
+
+%files pigz
+%{_cross_unitdir}/containerd.service.d/005-disable-igzip.conf
+
+%files igzip
+%{_cross_unitdir}/containerd.service.d/005-disable-pigz.conf
+
+%changelog

packages/containerd-2.1/containerd-2.1.spec

@@ -0,0 +1,17 @@
++++
+version = 3
+root = "/var/lib/containerd"
+state = "/run/containerd"
+disabled_plugins = [
+    "io.containerd.internal.v1.opt",
+    "io.containerd.internal.v1.tracing",
+    "io.containerd.snapshotter.v1.blockfile",
+    "io.containerd.snapshotter.v1.devmapper",
+    "io.containerd.snapshotter.v1.native",
+    "io.containerd.snapshotter.v1.zfs",
+    "io.containerd.grpc.v1.cri",
+    "io.containerd.tracing.processor.v1.otlp",
+]
+
+[grpc]
+address = "/run/containerd/containerd.sock"