*: bump up Go dependencies

This started off as 'let's bump gVisor'. However, pulling that thread
resulted in quite a few things that also required bumping for the build
to actually work. Here I come back from a day in the Bazel mines,
bearing fruits of my labor.

Notable changes:

 - bump up gVisor
 - bump up containerd
 - bump up Bazel
 - bump up rules_go, rules_docker, Gazelle
 - use google.golang.org/protobuf (the 'new' go proto package)
 - bump up gRPC (but not too much, as go-etcd is still straggling)

Notable effects:

 - new gVisor supports TTY allocation (kubectl run -it
   --image=ubuntu:20.04 ubuntu bash now works!)

Notable notes:

 - gVisor shim has now been rolled into the main gVisor package and is
   slightly easier to build (we can get rid of a bunch of patches).
 - Opencontainers' runtime-specs now follow containerd instead of gVisor
 - gVisor had to be taught to use the slightly newer runtime-specs via a
   new patch.
 - go_rule() in Starlark is now deprecated, and we had to change our
   Starlark rule definitions to use rule() instead. We also had to patch
   gVisor to do that (as there hasn't yet been a release that rolled
   this up).
 - Gazelle now supports different naming schemes for generated Go
   targets - either the old //foo/bar:go_default_library scheme, or a
   new and nicer //foo/bar:bar scheme. We currently force the usage of
   the old scheme, as switching over is probably not going to be easy
   (we use a lot of external Bazel files, and we have to wait for their
   compatibility with the new scheme first).
 - New Bazel/rules_go sets a TMPDIR long enough to generate paths (via
   ioutil.TempDir) to which sockets cannot be bound (108-byte limit).
 - The new protobuf API is incompatible with gogoproto. containerd/ttrpc
   uses gogoproto, but we are smart enough to pull in the old protobuf
   library as gogoproto's transitive dep. However, ttrpc also wants to
   use some proto-generated grpc bits, and that doesn't work. We have to
   pull in a ttrpc fork from a PR that hasn't yet been merged that fixes
   this issue.

Test Plan: Refactor only, should be covered by tests.

X-Origin-Diff: phab/D689
GitOrigin-RevId: 1188c0605d25e7f40307fab5fd96e7019f3a9171
diff --git a/build/fietsje/def.bzl b/build/fietsje/def.bzl
index 65997f6..f735797 100644
--- a/build/fietsje/def.bzl
+++ b/build/fietsje/def.bzl
@@ -17,7 +17,6 @@
 load(
     "@io_bazel_rules_go//go:def.bzl",
     _go_context = "go_context",
-    _go_rule = "go_rule",
 )
 load(
     "@bazel_skylib//lib:shell.bzl",
@@ -47,7 +46,7 @@
         executable = out_file,
     )]
 
-_fietsje_runner = _go_rule(
+_fietsje_runner = rule(
     implementation = _fietsje_runner_impl,
     attrs = {
         "fietsje": attr.label(
@@ -59,7 +58,11 @@
             default = "//build/fietsje:fietsje.bash.in",
             allow_single_file = True,
         ),
+        "_go_context_data": attr.label(
+            default = "@io_bazel_rules_go//:go_context_data",
+        ),
     },
+    toolchains = ["@io_bazel_rules_go//go:toolchain"],
 )
 
 def fietsje(name):
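Review bot: The new `_go_context_data` attribute and the `toolchains` entry on `_fietsje_runner` are never referenced by name in the visible rule definition, so they read as dead configuration. They are presumably there because `_go_context` needs them once the rule is declared with plain `rule()` instead of `go_rule`. A one-line comment above the attribute, such as `# Required by go_context() now that go_rule() is deprecated; do not remove.`, would keep a later cleanup from dropping them. The implementation function is outside this hunk, so the call to `_go_context` itself is not visible here.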
diff --git a/build/fietsje/dependency.go b/build/fietsje/dependency.go
index 8644bc4..6b75000 100644
--- a/build/fietsje/dependency.go
+++ b/build/fietsje/dependency.go
@@ -117,13 +117,6 @@
 	// And resolve its bazelName.
 	name := label.ImportPathToBazelRepoName(d.importpath)
 
-	// Hack for github.com/google/gvisor: it requests @com_github_opencontainers_runtime-spec.
-	// We fix the generated name for this repo so it conforms to what gvisor expects.
-	// TODO(q3k): instead of this, patch gvisor?
-	if name == "com_github_opencontainers_runtime_spec" {
-		name = "com_github_opencontainers_runtime-spec"
-	}
-
 	d.locked = &locked{
 		bazelName: name,
 		sum:       sum,
diff --git a/build/fietsje/deps_containerd.go b/build/fietsje/deps_containerd.go
index 5172ffe..09db846 100644
--- a/build/fietsje/deps_containerd.go
+++ b/build/fietsje/deps_containerd.go
@@ -18,7 +18,7 @@
 
 func depsContainerd(p *planner) {
 	p.collectOverride(
-		"github.com/containerd/containerd", "v1.4.0-beta.2",
+		"github.com/containerd/containerd", "v1.4.3",
 		buildTags("no_zfs", "no_aufs", "no_devicemapper", "no_btrfs"),
 		disabledProtoBuild,
 	).use(
@@ -35,7 +35,6 @@
 		"github.com/containerd/go-runc",
 		"github.com/containerd/imgcrypt",
 		"github.com/containers/ocicrypt",
-		"github.com/containerd/ttrpc",
 		"github.com/containerd/typeurl",
 		"github.com/containernetworking/cni",
 		"github.com/coreos/go-systemd/v22",
@@ -72,7 +71,6 @@
 		"github.com/prometheus/common",
 		"github.com/prometheus/procfs",
 		"github.com/russross/blackfriday/v2",
-		"github.com/seccomp/libseccomp-golang",
 		"github.com/shurcooL/sanitized_anchor_name",
 		"github.com/sirupsen/logrus",
 		"github.com/syndtr/gocapability",
@@ -83,7 +81,6 @@
 		"golang.org/x/crypto",
 		"golang.org/x/oauth2",
 		"golang.org/x/sync",
-		"golang.org/x/sys",
 		"google.golang.org/genproto",
 		"gopkg.in/inf.v0",
 		"gopkg.in/yaml.v2",
@@ -96,6 +93,37 @@
 		"github.com/gogo/googleapis",
 	).with(buildTags("selinux")).use(
 		"github.com/opencontainers/selinux",
+		"github.com/willf/bitset",
+	).with(patches(
+		"ttrpc-hacks.patch",
+	)).use(
+		"github.com/containerd/ttrpc",
+	).replace(
+		// ttrpc is broken by go protobuf v2, this is a tentative PR that's
+		// not yet merged by upstream.
+		// See: https://github.com/containerd/ttrpc/pull/67
+		//
+		// It also contains our own fix that builds up on the above and allows
+		// services to return the original status error library values. This is
+		// required for ttrpc to actually work from runsc and for results to be
+		// correctly interpreted by containerd.
+		// See: https://github.com/monogon-dev/ttrpc/commit/222b428f008e3ecb11cfff12e3fd92e3143a2f01
+		//
+		// Note: this is not a good fix, and has known issues, like not being
+		// able to return Details in gRPC status errors. However, with the
+		// limited usage within gvisor/containerd it works. In the future
+		// upstream will have to resolve this properly, eg. port ttrpc away
+		// from gogo, or fix gogo to work with the new protobuf APU.
+		"github.com/containerd/ttrpc",
+		"github.com/monogon-dev/ttrpc", "222b428f008e3ecb11cfff12e3fd92e3143a2f01",
+	)
+
+	// This is depended on by github.com/containerd/containerd, but not mentioned in their
+	// vendor.conf. They seem to be moving off of vendoring to gomod, so this should be
+	// reverted on the next containerd bump (when fietsje will panic about vendor.conf
+	// missing).
+	p.collectOverride(
+		"github.com/checkpoint-restore/go-criu/v4", "v4.1.0",
 	)
 
 	// containernetworking/plugins
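Review bot: `ttrpc-hacks.patch` is applied to `github.com/containerd/ttrpc` without any comment saying what it changes, while the `replace` right below it is carefully documented. With a fork pinned by commit plus a local patch stacked on top, anyone auditing this dependency has to open the patch file to learn what actually ships. A short comment on the `patches(...)` call naming the patch's purpose, plus a `TODO` to drop both the patch and the `replace` once the upstream PR lands, would close that gap. The comment inside `replace` also has a typo: `protobuf APU` should read `protobuf API`. depsContainerd continues outside this hunk.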
diff --git a/build/fietsje/deps_gvisor.go b/build/fietsje/deps_gvisor.go
index 1856aa7..3209aa4 100644
--- a/build/fietsje/deps_gvisor.go
+++ b/build/fietsje/deps_gvisor.go
@@ -18,24 +18,20 @@
 
 func depsGVisor(p *planner) {
 	p.collect(
-		"github.com/google/gvisor", "release-20200511.0",
-		patches("gvisor.patch"),
+		"github.com/google/gvisor", "release-20201216.0",
+		patches(
+			"gvisor.patch",
+			"gvisor-build-against-newer-runtime-specs.patch",
+		),
 	).use(
 		"github.com/cenkalti/backoff",
 		"github.com/gofrs/flock",
 		"github.com/google/subcommands",
 		"github.com/kr/pretty",
 		"github.com/kr/pty",
+		"github.com/mohae/deepcopy",
 		"golang.org/x/time",
 	)
 	// gRPC is used by gvisor's bazel machinery, but not present in go.sum. Include it manually.
-	p.collect("github.com/grpc/grpc", "v1.26.0")
-
-	p.collect(
-		"github.com/google/gvisor-containerd-shim", "v0.0.4",
-		patches(
-			"gvisor-containerd-shim.patch", "gvisor-containerd-shim-build.patch",
-			"gvisor-containerd-shim-nogo.patch", "gvisor-shim-root.patch",
-		),
-	)
+	p.collect("github.com/grpc/grpc", "v1.29.1")
 }
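Review bot: The surviving comment above `p.collect("github.com/grpc/grpc", "v1.29.1")` explains why the repository is collected by hand but not how its version is chosen. This commit moves the pin to the same `v1.29.1` as `google.golang.org/grpc` in main.go, which suggests the two are meant to track each other, though nothing visible confirms it. Extending the comment with something like `// Keep in sync with the google.golang.org/grpc version in main.go.` (or naming the gVisor file that dictates the version, if that is the real constraint) would make the next gVisor bump less of a guess.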
diff --git a/build/fietsje/deps_kubernetes.go b/build/fietsje/deps_kubernetes.go
index 3626f68..13b425d 100644
--- a/build/fietsje/deps_kubernetes.go
+++ b/build/fietsje/deps_kubernetes.go
@@ -33,7 +33,7 @@
 		),
 	).inject(
 		// repo infra, not requested by k8s, but used with bazel
-		"k8s.io/repo-infra", "df02ded38f9506e5bbcbf21702034b4fef815f2f",
+		"k8s.io/repo-infra", "a3483874bd37251c629c92df6d82a226b0e6ad92",
 	).with(prePatches("k8s-client-go.patch")).use(
 		"k8s.io/client-go",
 	).with(patches("k8s-native-mounter.patch")).use(
@@ -72,7 +72,6 @@
 		"github.com/bgentry/speakeasy",
 		"github.com/blang/semver",
 		"github.com/chai2010/gettext-go",
-		"github.com/checkpoint-restore/go-criu/v4",
 		"github.com/container-storage-interface/spec",
 		"github.com/coreos/go-oidc",
 		"github.com/coreos/go-semver",
diff --git a/build/fietsje/main.go b/build/fietsje/main.go
index 7be1107..247379a 100644
--- a/build/fietsje/main.go
+++ b/build/fietsje/main.go
@@ -53,10 +53,10 @@
 		shelf: shelf,
 	}
 
-	// gRPC/proto deps (https://github.com/bazelbuild/rules_go/blob/master/go/workspace.rst#id8)
-	// bump down from 1.28.1 to 1.26.0 because https://github.com/etcd-io/etcd/issues/11563
+	// Currently can't bump past v1.30.0, as that removes the old balancer.Picker API that
+	// go-etcd depends upon. See https://github.com/etcd-io/etcd/pull/12398 .
 	p.collect(
-		"google.golang.org/grpc", "v1.26.0",
+		"google.golang.org/grpc", "v1.29.1",
 	).use(
 		"golang.org/x/net",
 		"golang.org/x/text",
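Review bot: The new comment's bound is ambiguous: `can't bump past v1.30.0` reads as if v1.30.0 were still usable, while the rest of the sentence says that release is the one removing `balancer.Picker`. If v1.30.0 is the first breaking release, `// Can't bump to v1.30.0 or later: it removes the old balancer.Picker API that go-etcd depends upon.` states the ceiling exactly and matches the `v1.29.1` pin below it. The commit also drops the rules_go link that explained why the gRPC/proto deps are collected at this point; if that reason still holds, it is worth keeping a line for it. The enclosing function starts and ends outside the hunk.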
diff --git a/build/fietsje/render.go b/build/fietsje/render.go
index 16fd089..3374e8f 100644
--- a/build/fietsje/render.go
+++ b/build/fietsje/render.go
@@ -80,14 +80,13 @@
 		if d.patches != nil || d.prePatches != nil {
 			fmt.Fprintf(w, "        patch_args = [%q],\n", "-p1")
 		}
-		if d.buildExtraArgs != nil {
-			fmt.Fprintf(w, "        build_extra_args = [\n")
-			for _, arg := range d.buildExtraArgs {
-				fmt.Fprintf(w, "            %q,\n", arg)
-			}
-			fmt.Fprintf(w, "        ],\n")
+		fmt.Fprintf(w, "        build_extra_args = [\n")
+		fmt.Fprintf(w, "            %q,\n", "-go_naming_convention=go_default_library")
+		fmt.Fprintf(w, "            %q,\n", "-go_naming_convention_external=go_default_library")
+		for _, arg := range d.buildExtraArgs {
+			fmt.Fprintf(w, "            %q,\n", arg)
 		}
-
+		fmt.Fprintf(w, "        ],\n")
 		fmt.Fprintf(w, "    )\n")
 	}
 	return nil
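Review bot: `build_extra_args` is now written for every repository with two hard-coded `-go_naming_convention…=go_default_library` flags, and no comment here says why; the reason (the tree still relies on the old `:go_default_library` target names) lives only in the commit message. A comment above the two `Fprintf` calls, e.g. `// Force Gazelle's legacy go_default_library naming until external Bazel files support the new scheme.`, would keep that next to the code. Because the per-dependency `d.buildExtraArgs` are appended after the forced flags, a dependency that passes its own `-go_naming_convention` would emit the flag twice. Which one Gazelle honours is not visible here, so it may be worth rejecting that case. The enclosing function begins outside the hunk.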