Merge pull request #109 from AkihiroSuda/a

update components; enable slirp4netns-seccomp

Dockerfile

@@ -4,22 +4,22 @@
 ### Version definitions
 # use ./hack/show-latest-commits.sh to get the latest commits
 
-# 2019-07-28T04:55:48Z
-ARG ROOTLESSKIT_COMMIT=93164c4427c9c75aa3199b8baa5005ce9adfcd69
-# 2019-07-28T04:08:29Z
-ARG SLIRP4NETNS_COMMIT=96ff33cafc1dabf1437b87133850ed2324b2c640
-# 2019-07-27T01:26:32Z
-ARG RUNC_COMMIT=9ae790178ee4535e1afd865eed70a7f7cdb655ac
-# 2019-07-26T23:09:22Z
-ARG MOBY_COMMIT=917a8b42594317e4b547c4d34a6bc733f32a9974
-# 2019-07-26T21:13:02Z
-ARG CONTAINERD_COMMIT=eabb536b1f376a259e3450a9d8f6fc7e6a18367e
-# 2019-07-25T01:24:20Z
-ARG CRIO_COMMIT=b94a84cd6d126b12c837db3650fed546376c1f58
-# 2019-07-24T15:32:15Z
-ARG CNI_PLUGINS_COMMIT=ded2f1757770e8e2aa41f65687f8fc876f83048b
-# 2019-07-27T16:25:56Z
-ARG KUBERNETES_COMMIT=23649560c060ad6cd82da8da42302f8f7e38cf1e
+# 2019-08-26T05:55:14Z
+ARG ROOTLESSKIT_COMMIT=229dd40047cafffbc6489b30ed9105d64bebcc42
+# 2019-08-25T17:18:54Z
+ARG SLIRP4NETNS_COMMIT=29db6bd2d7297dfc1c556ab3801e7cd079291946
+# 2019-08-25T20:15:15Z
+ARG RUNC_COMMIT=3525eddec5418b1e12118fe9f40c9a1cb41e0fb6
+# 2019-08-25T01:46:46Z
+ARG MOBY_COMMIT=cd1356d9ea6307659add38d6689a5b2ecb214c90
+# 2019-08-23T19:06:03Z
+ARG CONTAINERD_COMMIT=4a2f61c4f2b43b0c6e6636e48de89b1cb4860408
+# 2019-08-22T21:06:18Z
+ARG CRIO_COMMIT=c9764ea645d79279a72e279a36c2172c5d2a3298
+# 2019-08-14T18:26:26Z
+ARG CNI_PLUGINS_COMMIT=485be65581341430f9106a194a98f0f2412245fb
+# 2019-08-26T04:40:21Z
+ARG KUBERNETES_COMMIT=36b2914207d50abba2eb9aa5a252a94224eb5037
 
 ## Version definitions (cont.)
 ARG DOCKER_CLI_RELEASE=19.03.0
@@ -55,7 +55,7 @@ RUN mkdir /out && \
 
 #### slirp4netns (slirp4netns-build)
 FROM alpine:3.10 AS slirp4netns-build
-RUN apk add --no-cache git build-base autoconf automake libtool linux-headers glib-dev glib-static libcap-static libcap-dev
+RUN apk add --no-cache git build-base autoconf automake libtool linux-headers glib-dev glib-static libcap-static libcap-dev libseccomp-dev
 RUN git clone https://github.com/rootless-containers/slirp4netns.git /slirp4netns
 WORKDIR /slirp4netns
 ARG SLIRP4NETNS_COMMIT

boot/rootlesskit.sh

@@ -33,7 +33,7 @@ if [[ $_U7S_CHILD == 0 ]]; then
 	# * /opt: copy-up is required for mounting /opt/cni/bin
 	rootlesskit \
 		--state-dir $rk_state_dir \
-		--net=slirp4netns --mtu=65520 --disable-host-loopback --slirp4netns-sandbox=true \
+		--net=slirp4netns --mtu=65520 --disable-host-loopback --slirp4netns-sandbox=true --slirp4netns-seccomp=true \
 		--port-driver=builtin \
 		--copy-up=/etc --copy-up=/run --copy-up=/var/lib --copy-up=/opt \
 		--pidns \

src/patches/kubernetes/0001-kubelet-cm-ignore-sysctl-error-when-running-in-usern.patch

@@ -1,4 +1,4 @@
-From 446629d78a49ba7f830437cdad46cdc413bfd1d8 Mon Sep 17 00:00:00 2001
+From edc4f7664108c5739af6c5cc4b1af15ffa3149c0 Mon Sep 17 00:00:00 2001
 From: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 Date: Tue, 21 Aug 2018 16:45:04 +0900
 Subject: [PATCH 1/3] kubelet/cm: ignore sysctl error when running in userns
@@ -10,10 +10,10 @@ Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
  2 files changed, 7 insertions(+), 1 deletion(-)
 
 diff --git a/pkg/kubelet/cm/BUILD b/pkg/kubelet/cm/BUILD
-index 4ac55b4b30..a55ebba794 100644
+index 46f1c8fccd..8d65dfffa9 100644
 --- a/pkg/kubelet/cm/BUILD
 +++ b/pkg/kubelet/cm/BUILD
-@@ -89,6 +89,7 @@ go_library(
+@@ -90,6 +90,7 @@ go_library(
              "//vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs:go_default_library",
              "//vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd:go_default_library",
              "//vendor/github.com/opencontainers/runc/libcontainer/configs:go_default_library",
@@ -22,7 +22,7 @@ index 4ac55b4b30..a55ebba794 100644
              "//vendor/k8s.io/utils/path:go_default_library",
          ],
 diff --git a/pkg/kubelet/cm/container_manager_linux.go b/pkg/kubelet/cm/container_manager_linux.go
-index aa4cc8ac5a..a8de98330f 100644
+index da651b7842..a6b381153e 100644
 --- a/pkg/kubelet/cm/container_manager_linux.go
 +++ b/pkg/kubelet/cm/container_manager_linux.go
 @@ -32,6 +32,7 @@ import (
@@ -33,7 +33,7 @@ index aa4cc8ac5a..a8de98330f 100644
  	"k8s.io/klog"
 
  	v1 "k8s.io/api/core/v1"
-@@ -391,7 +392,11 @@ func setupKernelTunables(option KernelTunableBehavior) error {
+@@ -402,7 +403,11 @@ func setupKernelTunables(option KernelTunableBehavior) error {
  			klog.V(2).Infof("Updating kernel flag: %v, expected value: %v, actual value: %v", flag, expectedValue, val)
  			err = sysctl.SetSysctl(flag, expectedValue)
  			if err != nil {

src/patches/kubernetes/0002-kube-proxy-allow-running-in-userns.patch

@@ -1,4 +1,4 @@
-From 665f1772f32d9833ac0d08e18f45521269f999e1 Mon Sep 17 00:00:00 2001
+From 6e252338b3ac1b4fd34d0106e0138ab1a13d2113 Mon Sep 17 00:00:00 2001
 From: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 Date: Thu, 23 Aug 2018 14:14:44 +0900
 Subject: [PATCH 2/3] kube-proxy: allow running in userns
@@ -12,82 +12,82 @@ Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
  4 files changed, 24 insertions(+), 2 deletions(-)
 
 diff --git a/cmd/kube-proxy/app/BUILD b/cmd/kube-proxy/app/BUILD
-index 55a6768291..7fb0a9716c 100644
+index 86a69857cf..ee8ec0c8f7 100644
 --- a/cmd/kube-proxy/app/BUILD
 +++ b/cmd/kube-proxy/app/BUILD
-@@ -77,6 +77,7 @@ go_library(
+@@ -76,6 +76,7 @@ go_library(
              "//pkg/util/node:go_default_library",
              "//staging/src/k8s.io/apimachinery/pkg/types:go_default_library",
              "//staging/src/k8s.io/apimachinery/pkg/util/net:go_default_library",
 +            "//vendor/github.com/opencontainers/runc/libcontainer/system:go_default_library",
          ],
          "@io_bazel_rules_go//go/platform:darwin": [
              "//pkg/proxy/metrics:go_default_library",
-@@ -84,6 +85,7 @@ go_library(
+@@ -83,6 +84,7 @@ go_library(
              "//pkg/util/node:go_default_library",
              "//staging/src/k8s.io/apimachinery/pkg/types:go_default_library",
              "//staging/src/k8s.io/apimachinery/pkg/util/net:go_default_library",
 +            "//vendor/github.com/opencontainers/runc/libcontainer/system:go_default_library",
          ],
          "@io_bazel_rules_go//go/platform:dragonfly": [
              "//pkg/proxy/metrics:go_default_library",
-@@ -91,6 +93,7 @@ go_library(
+@@ -90,6 +92,7 @@ go_library(
              "//pkg/util/node:go_default_library",
              "//staging/src/k8s.io/apimachinery/pkg/types:go_default_library",
              "//staging/src/k8s.io/apimachinery/pkg/util/net:go_default_library",
 +            "//vendor/github.com/opencontainers/runc/libcontainer/system:go_default_library",
          ],
          "@io_bazel_rules_go//go/platform:freebsd": [
              "//pkg/proxy/metrics:go_default_library",
-@@ -98,6 +101,7 @@ go_library(
+@@ -97,6 +100,7 @@ go_library(
              "//pkg/util/node:go_default_library",
              "//staging/src/k8s.io/apimachinery/pkg/types:go_default_library",
              "//staging/src/k8s.io/apimachinery/pkg/util/net:go_default_library",
 +            "//vendor/github.com/opencontainers/runc/libcontainer/system:go_default_library",
          ],
          "@io_bazel_rules_go//go/platform:linux": [
              "//pkg/proxy/metrics:go_default_library",
-@@ -105,6 +109,7 @@ go_library(
+@@ -104,6 +108,7 @@ go_library(
              "//pkg/util/node:go_default_library",
              "//staging/src/k8s.io/apimachinery/pkg/types:go_default_library",
              "//staging/src/k8s.io/apimachinery/pkg/util/net:go_default_library",
 +            "//vendor/github.com/opencontainers/runc/libcontainer/system:go_default_library",
          ],
          "@io_bazel_rules_go//go/platform:nacl": [
              "//pkg/proxy/metrics:go_default_library",
-@@ -112,6 +117,7 @@ go_library(
+@@ -111,6 +116,7 @@ go_library(
              "//pkg/util/node:go_default_library",
              "//staging/src/k8s.io/apimachinery/pkg/types:go_default_library",
              "//staging/src/k8s.io/apimachinery/pkg/util/net:go_default_library",
 +            "//vendor/github.com/opencontainers/runc/libcontainer/system:go_default_library",
          ],
          "@io_bazel_rules_go//go/platform:netbsd": [
              "//pkg/proxy/metrics:go_default_library",
-@@ -119,6 +125,7 @@ go_library(
+@@ -118,6 +124,7 @@ go_library(
              "//pkg/util/node:go_default_library",
              "//staging/src/k8s.io/apimachinery/pkg/types:go_default_library",
              "//staging/src/k8s.io/apimachinery/pkg/util/net:go_default_library",
 +            "//vendor/github.com/opencontainers/runc/libcontainer/system:go_default_library",
          ],
          "@io_bazel_rules_go//go/platform:openbsd": [
              "//pkg/proxy/metrics:go_default_library",
-@@ -126,6 +133,7 @@ go_library(
+@@ -125,6 +132,7 @@ go_library(
              "//pkg/util/node:go_default_library",
              "//staging/src/k8s.io/apimachinery/pkg/types:go_default_library",
              "//staging/src/k8s.io/apimachinery/pkg/util/net:go_default_library",
 +            "//vendor/github.com/opencontainers/runc/libcontainer/system:go_default_library",
          ],
          "@io_bazel_rules_go//go/platform:plan9": [
              "//pkg/proxy/metrics:go_default_library",
-@@ -133,6 +141,7 @@ go_library(
+@@ -132,6 +140,7 @@ go_library(
              "//pkg/util/node:go_default_library",
              "//staging/src/k8s.io/apimachinery/pkg/types:go_default_library",
              "//staging/src/k8s.io/apimachinery/pkg/util/net:go_default_library",
 +            "//vendor/github.com/opencontainers/runc/libcontainer/system:go_default_library",
          ],
          "@io_bazel_rules_go//go/platform:solaris": [
              "//pkg/proxy/metrics:go_default_library",
-@@ -140,6 +149,7 @@ go_library(
+@@ -139,6 +148,7 @@ go_library(
              "//pkg/util/node:go_default_library",
              "//staging/src/k8s.io/apimachinery/pkg/types:go_default_library",
              "//staging/src/k8s.io/apimachinery/pkg/util/net:go_default_library",
@@ -96,7 +96,7 @@ index 55a6768291..7fb0a9716c 100644
          "@io_bazel_rules_go//go/platform:windows": [
              "//pkg/proxy/winkernel:go_default_library",
 diff --git a/cmd/kube-proxy/app/server_others.go b/cmd/kube-proxy/app/server_others.go
-index a86a9593cf..da58bc0f5e 100644
+index ecd3427813..fcedc03cf4 100644
 --- a/cmd/kube-proxy/app/server_others.go
 +++ b/cmd/kube-proxy/app/server_others.go
 @@ -25,6 +25,7 @@ import (
@@ -105,9 +105,9 @@ index a86a9593cf..da58bc0f5e 100644
 
 +	libcontainersystem "github.com/opencontainers/runc/libcontainer/system"
  	"k8s.io/api/core/v1"
- 	"k8s.io/apimachinery/pkg/runtime"
  	"k8s.io/apimachinery/pkg/types"
-@@ -214,6 +215,12 @@ func newProxyServer(
+ 	utilnet "k8s.io/apimachinery/pkg/util/net"
+@@ -216,6 +217,12 @@ func newProxyServer(
 
  	iptInterface.AddReloadFunc(proxier.Sync)
 
@@ -120,7 +120,7 @@ index a86a9593cf..da58bc0f5e 100644
  	return &ProxyServer{
  		Client:                 client,
  		EventClient:            eventClient,
-@@ -225,7 +232,7 @@ func newProxyServer(
+@@ -227,7 +234,7 @@ func newProxyServer(
  		Broadcaster:            eventBroadcaster,
  		Recorder:               recorder,
  		ConntrackConfiguration: config.Conntrack,
@@ -142,7 +142,7 @@ index 87e3da69e9..8f148a1470 100644
          "//vendor/k8s.io/utils/exec:go_default_library",
      ] + select({
 diff --git a/pkg/proxy/userspace/proxier.go b/pkg/proxy/userspace/proxier.go
-index ae55842b30..91d44fc13a 100644
+index 46d9e9c86c..c777eb91ee 100644
 --- a/pkg/proxy/userspace/proxier.go
 +++ b/pkg/proxy/userspace/proxier.go
 @@ -26,6 +26,7 @@ import (

src/patches/kubernetes/0003-kubelet-new-feature-gate-SupportNoneCgroupDriver.patch

@@ -1,4 +1,4 @@
-From 33b6ed4c7b6fb424c5ac5972f3a5fb15da027985 Mon Sep 17 00:00:00 2001
+From 22d44422cf5ea191aff6370f777dc6b8f9a0618f Mon Sep 17 00:00:00 2001
 From: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 Date: Sun, 2 Jun 2019 18:39:05 +0900
 Subject: [PATCH 3/3] kubelet: new feature gate: SupportNoneCgroupDriver
@@ -25,10 +25,10 @@ Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
  11 files changed, 126 insertions(+), 30 deletions(-)
 
 diff --git a/cmd/kubeadm/app/phases/kubelet/flags.go b/cmd/kubeadm/app/phases/kubelet/flags.go
-index a6c5d1411e..dbdb95db10 100644
+index 14f7317be1..6bb02f6ef4 100644
 --- a/cmd/kubeadm/app/phases/kubelet/flags.go
 +++ b/cmd/kubeadm/app/phases/kubelet/flags.go
-@@ -85,6 +85,8 @@ func buildKubeletArgMap(opts kubeletFlagsOpts) map[string]string {
+@@ -86,6 +86,8 @@ func buildKubeletArgMap(opts kubeletFlagsOpts) map[string]string {
  		if err != nil {
  			klog.Warningf("cannot automatically assign a '--cgroup-driver' value when starting the Kubelet: %v\n", err)
  		} else {
@@ -51,7 +51,7 @@ index 1a2b3263be..c718050aff 100644
  	fs.StringVar(&c.CPUManagerPolicy, "cpu-manager-policy", c.CPUManagerPolicy, "CPU Manager policy to use. Possible values: 'none', 'static'. Default: 'none'")
  	fs.DurationVar(&c.CPUManagerReconcilePeriod.Duration, "cpu-manager-reconcile-period", c.CPUManagerReconcilePeriod.Duration, "<Warning: Alpha feature> CPU Manager reconciliation period. Examples: '10s', or '1m'. If not supplied, defaults to `NodeStatusUpdateFrequency`")
 diff --git a/cmd/kubelet/app/server.go b/cmd/kubelet/app/server.go
-index 207893d8be..e83ab11616 100644
+index 46540e4760..7ac5a7d70e 100644
 --- a/cmd/kubelet/app/server.go
 +++ b/cmd/kubelet/app/server.go
 @@ -605,26 +605,28 @@ func run(s *options.KubeletServer, kubeDeps *kubelet.Dependencies, stopCh <-chan
@@ -103,10 +103,10 @@ index 207893d8be..e83ab11616 100644
 
  	if kubeDeps.CAdvisorInterface == nil {
 diff --git a/pkg/features/kube_features.go b/pkg/features/kube_features.go
-index 7ee1c8b195..36522ff9be 100644
+index 25eb7fedb8..1f93d33ca3 100644
 --- a/pkg/features/kube_features.go
 +++ b/pkg/features/kube_features.go
-@@ -477,6 +477,18 @@ const (
+@@ -468,6 +468,18 @@ const (
  	//
  	// Schedule pods evenly across available topology domains.
  	EvenPodsSpread featuregate.Feature = "EvenPodsSpread"
@@ -125,7 +125,7 @@ index 7ee1c8b195..36522ff9be 100644
  )
 
  func init() {
-@@ -556,6 +568,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
+@@ -546,6 +558,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
  	PodOverhead:                                    {Default: false, PreRelease: featuregate.Alpha},
  	IPv6DualStack:                                  {Default: false, PreRelease: featuregate.Alpha},
  	EvenPodsSpread:                                 {Default: false, PreRelease: featuregate.Alpha},
@@ -147,7 +147,7 @@ index bf99db85f0..93408248c2 100644
  	// CPUManagerPolicy is the name of the policy to use.
  	// Requires the CPUManager feature gate to be enabled.
 diff --git a/pkg/kubelet/cm/cgroup_manager_linux.go b/pkg/kubelet/cm/cgroup_manager_linux.go
-index 39aad1fb38..7612bba68d 100644
+index a653e67c79..c51ca75b79 100644
 --- a/pkg/kubelet/cm/cgroup_manager_linux.go
 +++ b/pkg/kubelet/cm/cgroup_manager_linux.go
 @@ -46,6 +46,9 @@ const (
@@ -260,10 +260,10 @@ index 5d77ed7a45..5654d737fd 100644
 
  func (m *unsupportedCgroupManager) Name(_ CgroupName) string {
 diff --git a/pkg/kubelet/cm/container_manager_linux.go b/pkg/kubelet/cm/container_manager_linux.go
-index a8de98330f..66a0350583 100644
+index a6b381153e..723752bfb4 100644
 --- a/pkg/kubelet/cm/container_manager_linux.go
 +++ b/pkg/kubelet/cm/container_manager_linux.go
-@@ -245,9 +245,15 @@ func NewContainerManager(mountUtil mount.Interface, cadvisorInterface cadvisor.I
+@@ -240,9 +240,15 @@ func NewContainerManager(mountUtil mount.Interface, cadvisorInterface cadvisor.I
 
  	// Turn CgroupRoot from a string (in cgroupfs path format) to internal CgroupName
  	cgroupRoot := ParseCgroupfsToCgroupName(nodeConfig.CgroupRoot)
@@ -280,7 +280,7 @@ index a8de98330f..66a0350583 100644
  		// this does default to / when enabled, but this tests against regressions.
  		if nodeConfig.CgroupRoot == "" {
  			return nil, fmt.Errorf("invalid configuration: cgroups-per-qos was specified and cgroup-root was not specified. To enable the QoS cgroup hierarchy you need to specify a valid cgroup-root")
-@@ -257,7 +263,7 @@ func NewContainerManager(mountUtil mount.Interface, cadvisorInterface cadvisor.I
+@@ -252,7 +258,7 @@ func NewContainerManager(mountUtil mount.Interface, cadvisorInterface cadvisor.I
  		// of note, we always use the cgroupfs driver when performing this check since
  		// the input is provided in that format.
  		// this is important because we do not want any name conversion to occur.
@@ -308,7 +308,7 @@ index 62c9f203a0..fda4177a05 100644
  			qosContainersInfo: qosContainersInfo,
  		}
 diff --git a/pkg/kubelet/dockershim/docker_service.go b/pkg/kubelet/dockershim/docker_service.go
-index 16cd9fda9b..ae4ea40ed0 100644
+index ce40e9ff5b..8962d35d94 100644
 --- a/pkg/kubelet/dockershim/docker_service.go
 +++ b/pkg/kubelet/dockershim/docker_service.go
 @@ -267,7 +267,8 @@ func NewDockerService(config *ClientConfig, podSandboxImage string, streamingCon
@@ -322,10 +322,10 @@ index 16cd9fda9b..ae4ea40ed0 100644
  	}
  	klog.Infof("Setting cgroupDriver to %s", cgroupDriver)
 diff --git a/test/e2e_node/node_container_manager_test.go b/test/e2e_node/node_container_manager_test.go
-index 2be3d1ed6f..0b6cec8560 100644
+index 98d9b39476..c03baf5181 100644
 --- a/test/e2e_node/node_container_manager_test.go
 +++ b/test/e2e_node/node_container_manager_test.go
-@@ -159,7 +159,10 @@ func runTest(f *framework.Framework) error {
+@@ -161,7 +161,10 @@ func runTest(f *framework.Framework) error {
  	}
 
  	// Create a cgroup manager object for manipulating cgroups.