treewide: bump to k8s v1.33.2
Update Kubernetes to 1.33 which is already at patch version 2. As part
of K8s gomod dependencies containerd was bumped a minor release to 2.1.3.
The UserNamespacesSupport feature gate is now default-on and was thus
dropped. The netlink patches were upstreamed and can now be dropped as
part of the dependency update. A new klog sink adapter for our logging
interface was introduced as the client-go MutationCache now requires a
logger.
containerd abuses gRPC interfaces for mocking, thus they are not
forward-compatible and need a new patch to be compatible with the
CRI version now being used.
Change-Id: I4feb2ab3bcfca5b83c7ea38ed444b14ade1e9bf0
Reviewed-on: https://review.monogon.dev/c/monogon/+/4433
Tested-by: Jenkins CI
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>
diff --git a/third_party/com_github_google_cadvisor/BUILD.bazel b/third_party/com_github_containerd_containerd_v2/BUILD.bazel
similarity index 100%
rename from third_party/com_github_google_cadvisor/BUILD.bazel
rename to third_party/com_github_containerd_containerd_v2/BUILD.bazel
diff --git a/third_party/com_github_containerd_containerd_v2/add-unimplemented-functions.patch b/third_party/com_github_containerd_containerd_v2/add-unimplemented-functions.patch
new file mode 100644
index 0000000..d182968
--- /dev/null
+++ b/third_party/com_github_containerd_containerd_v2/add-unimplemented-functions.patch
@@ -0,0 +1,59 @@
+Add unimplemented function for CRI compat.
+
+
+diff --git a/internal/cri/instrument/instrumented_service.go b/internal/cri/instrument/instrumented_service.go
+--- a/internal/cri/instrument/instrumented_service.go
++++ b/internal/cri/instrument/instrumented_service.go
+@@ -17,8 +17,9 @@
+ package instrument
+
+ import (
+ "context"
++ "errors"
+
+ "github.com/containerd/errdefs"
+ "github.com/containerd/errdefs/pkg/errgrpc"
+ "github.com/containerd/log"
+@@ -641,4 +642,8 @@
+ }()
+ res, err = in.c.RuntimeConfig(ctx, r)
+ return res, errgrpc.ToGRPC(err)
+ }
++
++func (in *instrumentedService) UpdatePodSandboxResources(ctx context.Context, r *runtime.UpdatePodSandboxResourcesRequest) (res *runtime.UpdatePodSandboxResourcesResponse, err error) {
++ return nil, errors.New("not implemented yet")
++}
+diff --git a/internal/cri/server/sandbox_update_resources.go b/internal/cri/server/sandbox_update_resources.go
+new file mode 100644
+index 000000000000..0fcd2c7c566c
+--- /dev/null
++++ b/internal/cri/server/sandbox_update_resources.go
+@@ -0,0 +1,28 @@
++/*
++ Copyright The containerd Authors.
++
++ Licensed under the Apache License, Version 2.0 (the "License");
++ you may not use this file except in compliance with the License.
++ You may obtain a copy of the License at
++
++ http://www.apache.org/licenses/LICENSE-2.0
++
++ Unless required by applicable law or agreed to in writing, software
++ distributed under the License is distributed on an "AS IS" BASIS,
++ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ See the License for the specific language governing permissions and
++ limitations under the License.
++*/
++
++package server
++
++import (
++ "context"
++ "errors"
++
++ runtime "k8s.io/cri-api/pkg/apis/runtime/v1"
++)
++
++func (c *criService) UpdatePodSandboxResources(ctx context.Context, r *runtime.UpdatePodSandboxResourcesRequest) (*runtime.UpdatePodSandboxResourcesResponse, error) {
++ return nil, errors.New("not implemented yet")
++}
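Review bot: Both new UpdatePodSandboxResources stubs (the instrumented_service.go hunk and the new sandbox_update_resources.go) return a plain `errors.New("not implemented yet")`, which a gRPC client receives as codes.Unknown rather than codes.Unimplemented, so a kubelet probing for the RPC cannot tell "unsupported" apart from a runtime failure. The instrument package already imports errdefs, and every other wrapper method in that file ends with `errgrpc.ToGRPC(err)`; returning `return nil, errgrpc.ToGRPC(errdefs.ErrNotImplemented)` there keeps the file's convention and, as far as I know, maps to Unimplemented. The server-side stub in sandbox_update_resources.go could likewise `return nil, errdefs.ErrNotImplemented` so the same mapping applies wherever it is wrapped. Note that the instrumented wrapper short-circuits instead of delegating to `in.c.UpdatePodSandboxResources`, so the criService stub is unreachable through this path until the wrapper is changed to call it; a one-line comment on the stub saying it is a temporary CRI-surface shim for the bumped cri-api would help the next rebase.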
diff --git a/third_party/com_github_containernetworking_plugins/cniplugins-add-linkgroup.patch b/third_party/com_github_containernetworking_plugins/cniplugins-add-linkgroup.patch
index f294550..ec83ddd 100644
--- a/third_party/com_github_containernetworking_plugins/cniplugins-add-linkgroup.patch
+++ b/third_party/com_github_containernetworking_plugins/cniplugins-add-linkgroup.patch
@@ -8,10 +8,10 @@
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/plugins/main/ptp/ptp.go b/plugins/main/ptp/ptp.go
-index 129146f2..aee37b11 100644
+index 9c88d901..e0b283c5 100644
--- a/plugins/main/ptp/ptp.go
+++ b/plugins/main/ptp/ptp.go
-@@ -46,6 +46,7 @@ type NetConf struct {
+@@ -47,6 +47,7 @@ type NetConf struct {
IPMasq bool `json:"ipMasq"`
IPMasqBackend *string `json:"ipMasqBackend,omitempty"`
MTU int `json:"mtu"`
@@ -19,16 +19,16 @@
}
func setupContainerVeth(netns ns.NetNS, ifName string, mtu int, pr *current.Result) (*current.Interface, *current.Interface, error) {
-@@ -145,7 +146,7 @@ func setupContainerVeth(netns ns.NetNS, ifName string, mtu int, pr *current.Resu
+@@ -146,7 +147,7 @@ func setupContainerVeth(netns ns.NetNS, ifName string, mtu int, pr *current.Resu
return hostInterface, containerInterface, nil
}
-func setupHostVeth(vethName string, result *current.Result) error {
+func setupHostVeth(vethName string, group int, result *current.Result) error {
// hostVeth moved namespaces and may have a new ifindex
- veth, err := netlink.LinkByName(vethName)
+ veth, err := netlinksafe.LinkByName(vethName)
if err != nil {
-@@ -177,6 +178,12 @@ func setupHostVeth(vethName string, result *current.Result) error {
+@@ -178,6 +179,12 @@ func setupHostVeth(vethName string, result *current.Result) error {
}
}
@@ -41,7 +41,7 @@
return nil
}
-@@ -224,7 +231,7 @@ func cmdAdd(args *skel.CmdArgs) error {
+@@ -225,7 +232,7 @@ func cmdAdd(args *skel.CmdArgs) error {
return err
}
diff --git a/third_party/com_github_google_cadvisor/cadvisor-errdefs1.patch b/third_party/com_github_google_cadvisor/cadvisor-errdefs1.patch
deleted file mode 100644
index c044e7a..0000000
--- a/third_party/com_github_google_cadvisor/cadvisor-errdefs1.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-containerd released a 0.1 preview of errdefs which was changed significantly before
-containerd 2.0 was released together with the 1.0 version of the errdefs package.
-
-cadvisor uses this preview version which cannot coexist with v1, so adjust it for
-v1. Should go away on next cadvisor release as they will do this upstream.
-
-https://github.com/google/cadvisor/pull/3622
-https://github.com/kubernetes/kubernetes/issues/128572
-
-diff --git a/container/containerd/client.go b/container/containerd/client.go
-index ff5625170a..34134baf3e 100644
---- a/container/containerd/client.go
-+++ b/container/containerd/client.go
-@@ -26,7 +26,7 @@ import (
- tasksapi "github.com/containerd/containerd/api/services/tasks/v1"
- versionapi "github.com/containerd/containerd/api/services/version/v1"
- tasktypes "github.com/containerd/containerd/api/types/task"
-- "github.com/containerd/errdefs"
-+ "github.com/containerd/errdefs/pkg/errgrpc"
- "google.golang.org/grpc"
- "google.golang.org/grpc/backoff"
- "google.golang.org/grpc/credentials/insecure"
-@@ -114,7 +114,7 @@ func (c *client) LoadContainer(ctx context.Context, id string) (*containers.Cont
- ID: id,
- })
- if err != nil {
-- return nil, errdefs.FromGRPC(err)
-+ return nil, errgrpc.ToNative(err)
- }
- return containerFromProto(r.Container), nil
- }
-@@ -124,7 +124,7 @@ func (c *client) TaskPid(ctx context.Context, id string) (uint32, error) {
- ContainerID: id,
- })
- if err != nil {
-- return 0, errdefs.FromGRPC(err)
-+ return 0, errgrpc.ToNative(err)
- }
- if response.Process.Status == tasktypes.Status_UNKNOWN {
- return 0, ErrTaskIsInUnknownState
-@@ -135,7 +135,7 @@ func (c *client) TaskPid(ctx context.Context, id string) (uint32, error) {
- func (c *client) Version(ctx context.Context) (string, error) {
- response, err := c.versionService.Version(ctx, &emptypb.Empty{})
- if err != nil {
-- return "", errdefs.FromGRPC(err)
-+ return "", errgrpc.ToNative(err)
- }
- return response.Version, nil
- }
diff --git a/third_party/com_github_vishvananda_netlink/BUILD.bazel b/third_party/com_github_vishvananda_netlink/BUILD.bazel
deleted file mode 100644
index e69de29..0000000
--- a/third_party/com_github_vishvananda_netlink/BUILD.bazel
+++ /dev/null
diff --git a/third_party/com_github_vishvananda_netlink/netlink-psample.patch b/third_party/com_github_vishvananda_netlink/netlink-psample.patch
deleted file mode 100644
index 210e353..0000000
--- a/third_party/com_github_vishvananda_netlink/netlink-psample.patch
+++ /dev/null
@@ -1,263 +0,0 @@
-From 5aceb9e681cd6c82a2eccc25e1452d72d991c613 Mon Sep 17 00:00:00 2001
-From: Mateusz Zalega <mateusz@monogon.tech>
-Date: Wed, 25 Jan 2023 11:20:06 +0000
-Subject: [PATCH] Support "sample" filter action
-
-This change adds support for packet sampling using "psample" kernel
-module.
----
- filter.go | 23 +++++++++
- filter_linux.go | 25 +++++++++
- filter_test.go | 132 ++++++++++++++++++++++++++++++++++++++++++++++++
- nl/tc_linux.go | 11 ++++
- 4 files changed, 191 insertions(+)
-
-diff --git a/filter.go b/filter.go
-index 84e1ca7..e4f3167 100644
---- a/filter.go
-+++ b/filter.go
-@@ -369,6 +369,29 @@ func NewPoliceAction() *PoliceAction {
- }
- }
-
-+type SampleAction struct {
-+ ActionAttrs
-+ Group uint32
-+ Rate uint32
-+ TruncSize uint32
-+}
-+
-+func (action *SampleAction) Type() string {
-+ return "sample"
-+}
-+
-+func (action *SampleAction) Attrs() *ActionAttrs {
-+ return &action.ActionAttrs
-+}
-+
-+func NewSampleAction() *SampleAction {
-+ return &SampleAction{
-+ ActionAttrs: ActionAttrs{
-+ Action: TC_ACT_PIPE,
-+ },
-+ }
-+}
-+
- // MatchAll filters match all packets
- type MatchAll struct {
- FilterAttrs
-diff --git a/filter_linux.go b/filter_linux.go
-index 1930661..d61e357 100644
---- a/filter_linux.go
-+++ b/filter_linux.go
-@@ -705,6 +705,17 @@ func EncodeActions(attr *nl.RtAttr, actions []Action) error {
- aopts.AddRtAttr(nl.TCA_ACT_BPF_PARMS, gen.Serialize())
- aopts.AddRtAttr(nl.TCA_ACT_BPF_FD, nl.Uint32Attr(uint32(action.Fd)))
- aopts.AddRtAttr(nl.TCA_ACT_BPF_NAME, nl.ZeroTerminated(action.Name))
-+ case *SampleAction:
-+ table := attr.AddRtAttr(tabIndex, nil)
-+ tabIndex++
-+ table.AddRtAttr(nl.TCA_ACT_KIND, nl.ZeroTerminated("sample"))
-+ aopts := table.AddRtAttr(nl.TCA_ACT_OPTIONS, nil)
-+ gen := nl.TcGen{}
-+ toTcGen(action.Attrs(), &gen)
-+ aopts.AddRtAttr(nl.TCA_ACT_SAMPLE_PARMS, gen.Serialize())
-+ aopts.AddRtAttr(nl.TCA_ACT_SAMPLE_RATE, nl.Uint32Attr(action.Rate))
-+ aopts.AddRtAttr(nl.TCA_ACT_SAMPLE_PSAMPLE_GROUP, nl.Uint32Attr(action.Group))
-+ aopts.AddRtAttr(nl.TCA_ACT_SAMPLE_TRUNC_SIZE, nl.Uint32Attr(action.TruncSize))
- case *GenericAction:
- table := attr.AddRtAttr(tabIndex, nil)
- tabIndex++
-@@ -790,6 +801,8 @@ func parseActions(tables []syscall.NetlinkRouteAttr) ([]Action, error) {
- action = &ConnmarkAction{}
- case "csum":
- action = &CsumAction{}
-+ case "sample":
-+ action = &SampleAction{}
- case "gact":
- action = &GenericAction{}
- case "tunnel_key":
-@@ -902,6 +915,18 @@ func parseActions(tables []syscall.NetlinkRouteAttr) ([]Action, error) {
- tcTs := nl.DeserializeTcf(adatum.Value)
- actionTimestamp = toTimeStamp(tcTs)
- }
-+ case "sample":
-+ switch adatum.Attr.Type {
-+ case nl.TCA_ACT_SAMPLE_PARMS:
-+ gen := *nl.DeserializeTcGen(adatum.Value)
-+ toAttrs(&gen, action.Attrs())
-+ case nl.TCA_ACT_SAMPLE_RATE:
-+ action.(*SampleAction).Rate = native.Uint32(adatum.Value[0:4])
-+ case nl.TCA_ACT_SAMPLE_PSAMPLE_GROUP:
-+ action.(*SampleAction).Group = native.Uint32(adatum.Value[0:4])
-+ case nl.TCA_ACT_SAMPLE_TRUNC_SIZE:
-+ action.(*SampleAction).TruncSize = native.Uint32(adatum.Value[0:4])
-+ }
- case "gact":
- switch adatum.Attr.Type {
- case nl.TCA_GACT_PARMS:
-diff --git a/filter_test.go b/filter_test.go
-index 3a49f1b..774e7d6 100644
---- a/filter_test.go
-+++ b/filter_test.go
-@@ -2471,3 +2471,135 @@ func TestFilterChainAddDel(t *testing.T) {
- t.Fatal("Failed to remove qdisc")
- }
- }
-+
-+func TestFilterSampleAddDel(t *testing.T) {
-+ minKernelRequired(t, 4, 11)
-+ if _, err := GenlFamilyGet("psample"); err != nil {
-+ t.Skip("psample genetlink family unavailable - is CONFIG_PSAMPLE enabled?")
-+ }
-+
-+ tearDown := setUpNetlinkTest(t)
-+ defer tearDown()
-+ if err := LinkAdd(&Ifb{LinkAttrs{Name: "foo"}}); err != nil {
-+ t.Fatal(err)
-+ }
-+ link, err := LinkByName("foo")
-+ if err != nil {
-+ t.Fatal(err)
-+ }
-+ if err := LinkSetUp(link); err != nil {
-+ t.Fatal(err)
-+ }
-+
-+ qdisc := &Ingress{
-+ QdiscAttrs: QdiscAttrs{
-+ LinkIndex: link.Attrs().Index,
-+ Handle: MakeHandle(0xffff, 0),
-+ Parent: HANDLE_INGRESS,
-+ },
-+ }
-+ if err := QdiscAdd(qdisc); err != nil {
-+ t.Fatal(err)
-+ }
-+ qdiscs, err := SafeQdiscList(link)
-+ if err != nil {
-+ t.Fatal(err)
-+ }
-+
-+ found := false
-+ for _, v := range qdiscs {
-+ if _, ok := v.(*Ingress); ok {
-+ found = true
-+ break
-+ }
-+ }
-+ if !found {
-+ t.Fatal("Qdisc is the wrong type")
-+ }
-+
-+ sample := NewSampleAction()
-+ sample.Group = 7
-+ sample.Rate = 12
-+ sample.TruncSize = 200
-+
-+ classId := MakeHandle(1, 1)
-+ filter := &MatchAll{
-+ FilterAttrs: FilterAttrs{
-+ LinkIndex: link.Attrs().Index,
-+ Parent: MakeHandle(0xffff, 0),
-+ Priority: 1,
-+ Protocol: unix.ETH_P_ALL,
-+ },
-+ ClassId: classId,
-+ Actions: []Action{
-+ sample,
-+ },
-+ }
-+
-+ if err := FilterAdd(filter); err != nil {
-+ t.Fatal(err)
-+ }
-+
-+ filters, err := FilterList(link, MakeHandle(0xffff, 0))
-+ if err != nil {
-+ t.Fatal(err)
-+ }
-+ if len(filters) != 1 {
-+ t.Fatal("Failed to add filter")
-+ }
-+ mf, ok := filters[0].(*MatchAll)
-+ if !ok {
-+ t.Fatal("Filter is the wrong type")
-+ }
-+
-+ if len(mf.Actions) < 1 {
-+ t.Fatalf("Too few Actions in filter")
-+ }
-+ if mf.ClassId != classId {
-+ t.Fatalf("ClassId of the filter is the wrong value")
-+ }
-+
-+ lsample, ok := mf.Actions[0].(*SampleAction)
-+ if !ok {
-+ t.Fatal("Unable to find sample action")
-+ }
-+ if lsample.Group != sample.Group {
-+ t.Fatalf("Inconsistent sample action group")
-+ }
-+ if lsample.Rate != sample.Rate {
-+ t.Fatalf("Inconsistent sample action rate")
-+ }
-+ if lsample.TruncSize != sample.TruncSize {
-+ t.Fatalf("Inconsistent sample truncation size")
-+ }
-+
-+ if err := FilterDel(filter); err != nil {
-+ t.Fatal(err)
-+ }
-+ filters, err = FilterList(link, MakeHandle(0xffff, 0))
-+ if err != nil {
-+ t.Fatal(err)
-+ }
-+ if len(filters) != 0 {
-+ t.Fatal("Failed to remove filter")
-+ }
-+
-+ if err := QdiscDel(qdisc); err != nil {
-+ t.Fatal(err)
-+ }
-+ qdiscs, err = SafeQdiscList(link)
-+ if err != nil {
-+ t.Fatal(err)
-+ }
-+
-+ found = false
-+ for _, v := range qdiscs {
-+ if _, ok := v.(*Ingress); ok {
-+ found = true
-+ break
-+ }
-+ }
-+ if found {
-+ t.Fatal("Failed to remove qdisc")
-+ }
-+}
-diff --git a/nl/tc_linux.go b/nl/tc_linux.go
-index 0720729..db3ca1c 100644
---- a/nl/tc_linux.go
-+++ b/nl/tc_linux.go
-@@ -77,6 +77,17 @@ const (
- TCA_ACT_MAX
- )
-
-+const (
-+ TCA_ACT_SAMPLE_UNSPEC = iota
-+ TCA_ACT_SAMPLE_TM
-+ TCA_ACT_SAMPLE_PARMS
-+ TCA_ACT_SAMPLE_RATE
-+ TCA_ACT_SAMPLE_TRUNC_SIZE
-+ TCA_ACT_SAMPLE_PSAMPLE_GROUP
-+ TCA_ACT_SAMPLE_PAD
-+ TCA_ACT_SAMPLE_MAX
-+)
-+
- const (
- TCA_PRIO_UNSPEC = iota
- TCA_PRIO_MQ
---
-2.47.0
-
diff --git a/third_party/com_k8s_io_mount_utils/k8s-native-mounter.patch b/third_party/com_k8s_io_mount_utils/k8s-native-mounter.patch
index 29a5e34..517a573 100644
--- a/third_party/com_k8s_io_mount_utils/k8s-native-mounter.patch
+++ b/third_party/com_k8s_io_mount_utils/k8s-native-mounter.patch
@@ -8,10 +8,10 @@
1 file changed, 140 insertions(+)
diff --git a/mount_linux.go b/mount_linux.go
-index 541af2c391e..23523bf5d30 100644
+index 9c0b6d5..542d0e3 100644
--- a/mount_linux.go
+++ b/mount_linux.go
-@@ -70,6 +70,8 @@ type Mounter struct {
+@@ -69,6 +69,8 @@ type Mounter struct {
withSystemd *bool
trySystemd bool
withSafeNotMountedBehavior bool
@@ -20,7 +20,7 @@
}
var _ MounterForceUnmounter = &Mounter{}
-@@ -82,6 +84,8 @@ func New(mounterPath string) Interface {
+@@ -81,6 +83,8 @@ func New(mounterPath string) Interface {
mounterPath: mounterPath,
trySystemd: true,
withSafeNotMountedBehavior: detectSafeNotMountedBehavior(),
@@ -29,7 +29,7 @@
}
}
-@@ -94,6 +98,8 @@ func NewWithoutSystemd(mounterPath string) Interface {
+@@ -93,6 +97,8 @@ func NewWithoutSystemd(mounterPath string) Interface {
mounterPath: mounterPath,
trySystemd: false,
withSafeNotMountedBehavior: detectSafeNotMountedBehavior(),
@@ -38,8 +38,8 @@
}
}
-@@ -165,6 +171,29 @@ func (mounter *Mounter) bindMountSensitive(mounterPath string, mountCmd string,
- }
+@@ -155,6 +161,29 @@ func (mounter *Mounter) bindMountSensitive(mounterPath string, mountCmd string,
+ return mounter.doMount(mounterPath, mountCmd, source, target, fstype, bindRemountOpts, bindRemountOptsSensitive, mountFlags, systemdMountRequired)
}
+func (mounter *Mounter) mountNative(source string, target string, fstype string, options []string, sensitiveOptions []string) error {
@@ -68,7 +68,7 @@
// Mount mounts source to target as fstype with given options. 'source' and 'fstype' must
// be an empty string in case it's not required, e.g. for remount, or for auto filesystem
// type, where kernel handles fstype for you. The mount 'options' is a list of options,
-@@ -180,6 +209,10 @@ func (mounter *Mounter) Mount(source string, target string, fstype string, optio
+@@ -170,6 +199,10 @@ func (mounter *Mounter) Mount(source string, target string, fstype string, optio
// method should be used by callers that pass sensitive material (like
// passwords) as mount options.
func (mounter *Mounter) MountSensitive(source string, target string, fstype string, options []string, sensitiveOptions []string) error {
@@ -79,7 +79,7 @@
// Path to mounter binary if containerized mounter is needed. Otherwise, it is set to empty.
// All Linux distros are expected to be shipped with a mount utility that a support bind mounts.
mounterPath := ""
-@@ -207,6 +240,9 @@ func (mounter *Mounter) MountSensitiveWithoutSystemd(source string, target strin
+@@ -197,6 +230,9 @@ func (mounter *Mounter) MountSensitiveWithoutSystemd(source string, target strin
// MountSensitiveWithoutSystemdWithMountFlags is the same as MountSensitiveWithoutSystemd with additional mount flags.
func (mounter *Mounter) MountSensitiveWithoutSystemdWithMountFlags(source string, target string, fstype string, options []string, sensitiveOptions []string, mountFlags []string) error {
@@ -89,7 +89,7 @@
mounterPath := ""
bind, bindOpts, bindRemountOpts, bindRemountOptsSensitive := MakeBindOptsSensitive(options, sensitiveOptions)
if bind {
-@@ -225,6 +261,80 @@ func (mounter *Mounter) MountSensitiveWithoutSystemdWithMountFlags(source string
+@@ -215,6 +251,80 @@ func (mounter *Mounter) MountSensitiveWithoutSystemdWithMountFlags(source string
return mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, options, sensitiveOptions, mountFlags, false)
}
@@ -170,7 +170,7 @@
// doMount runs the mount command. mounterPath is the path to mounter binary if containerized mounter is used.
// sensitiveOptions is an extension of options except they will not be logged (because they may contain sensitive material)
// systemdMountRequired is an extension of option to decide whether uses systemd mount.
-@@ -340,6 +450,30 @@ func detectSafeNotMountedBehaviorWithExec(exec utilexec.Interface) bool {
+@@ -330,6 +440,30 @@ func detectSafeNotMountedBehaviorWithExec(exec utilexec.Interface) bool {
return false
}
@@ -201,7 +201,7 @@
// MakeMountArgs makes the arguments to the mount(8) command.
// options MUST not contain sensitive material (like passwords).
func MakeMountArgs(source, target, fstype string, options []string) (mountArgs []string) {
-@@ -410,6 +544,12 @@ func AddSystemdScopeSensitive(systemdRunPath, mountName, command string, args []
+@@ -400,6 +534,12 @@ func AddSystemdScopeSensitive(systemdRunPath, mountName, command string, args []
// If the mounter has safe "not mounted" behavior, no error will be returned when the target is not a mount point.
func (mounter *Mounter) Unmount(target string) error {
klog.V(4).Infof("Unmounting %s", target)