authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2021-03-19 03:49:17 -0700
committerGitHub <noreply@github.com>2021-03-19 03:49:17 -0700
commitc4a551373004219fd2d50e5b055dbc5e233e4e32 (patch)
treedeeb60c8d13ba55ff32512b29a183748ced677cc /vendor/github.com/opencontainers/runc/libcontainer/configs
parent5d9b07096b49877608250c7d51e0ee35b9d502c7 (diff)
parentec1651fbf11c4d3d1c792e7f46139ebd96f7ffb2 (diff)
Merge pull request #9734 from containers/dependabot/go_modules/github.com/containers/storage-1.28.0
Bump github.com/containers/storage from 1.25.0 to 1.28.0
Diffstat (limited to 'vendor/github.com/opencontainers/runc/libcontainer/configs')
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_linux.go6
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/configs/config.go15
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/configs/device.go170
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/configs/device_unix.go16
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/configs/device_windows.go5
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/configs/devices.go17
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces_linux.go2
7 files changed, 28 insertions, 203 deletions
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_linux.go
index 6e90ae16b..aada5d62f 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_linux.go
@@ -2,6 +2,7 @@ package configs
import (
systemdDbus "github.com/coreos/go-systemd/v22/dbus"
+ "github.com/opencontainers/runc/libcontainer/devices"
)
type FreezerState string
@@ -42,7 +43,7 @@ type Cgroup struct {
type Resources struct {
// Devices is the set of access rules for devices in the container.
- Devices []*DeviceRule `json:"devices"`
+ Devices []*devices.Rule `json:"devices"`
// Memory limit (in bytes)
Memory int64 `json:"memory"`
@@ -127,6 +128,9 @@ type Resources struct {
// CpuWeight sets a proportional bandwidth limit.
CpuWeight uint64 `json:"cpu_weight"`
+ // Unified is cgroupv2-only key-value map.
+ Unified map[string]string `json:"unified"`
+
// SkipDevices allows to skip configuring device permissions.
// Used by e.g. kubelet while creating a parent cgroup (kubepods)
// common for many containers.
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/config.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/config.go
index ac523b417..e1cd16265 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/config.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/configs/config.go
@@ -7,6 +7,7 @@ import (
"os/exec"
"time"
+ "github.com/opencontainers/runc/libcontainer/devices"
"github.com/opencontainers/runtime-spec/specs-go"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
@@ -92,6 +93,9 @@ type Config struct {
// Path to a directory containing the container's root filesystem.
Rootfs string `json:"rootfs"`
+ // Umask is the umask to use inside of the container.
+ Umask *uint32 `json:"umask"`
+
// Readonlyfs will remount the container's rootfs as readonly where only externally mounted
// bind mounts are writtable.
Readonlyfs bool `json:"readonlyfs"`
@@ -104,7 +108,7 @@ type Config struct {
Mounts []*Mount `json:"mounts"`
// The device nodes that should be automatically created within the container upon container start. Note, make sure that the node is marked as allowed in the cgroup as well!
- Devices []*Device `json:"devices"`
+ Devices []*devices.Device `json:"devices"`
MountLabel string `json:"mount_label"`
@@ -239,15 +243,6 @@ const (
Poststop = "poststop"
)
-// TODO move this to runtime-spec
-// See: https://github.com/opencontainers/runtime-spec/pull/1046
-const (
- Creating = "creating"
- Created = "created"
- Running = "running"
- Stopped = "stopped"
-)
-
type Capabilities struct {
// Bounding is the set of capabilities checked by the kernel.
Bounding []string
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/device.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/device.go
deleted file mode 100644
index 632bf6ac4..000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/device.go
+++ /dev/null
@@ -1,170 +0,0 @@
-package configs
-
-import (
- "fmt"
- "os"
- "strconv"
-)
-
-const (
- Wildcard = -1
-)
-
-type Device struct {
- DeviceRule
-
- // Path to the device.
- Path string `json:"path"`
-
- // FileMode permission bits for the device.
- FileMode os.FileMode `json:"file_mode"`
-
- // Uid of the device.
- Uid uint32 `json:"uid"`
-
- // Gid of the device.
- Gid uint32 `json:"gid"`
-}
-
-// DevicePermissions is a cgroupv1-style string to represent device access. It
-// has to be a string for backward compatibility reasons, hence why it has
-// methods to do set operations.
-type DevicePermissions string
-
-const (
- deviceRead uint = (1 << iota)
- deviceWrite
- deviceMknod
-)
-
-func (p DevicePermissions) toSet() uint {
- var set uint
- for _, perm := range p {
- switch perm {
- case 'r':
- set |= deviceRead
- case 'w':
- set |= deviceWrite
- case 'm':
- set |= deviceMknod
- }
- }
- return set
-}
-
-func fromSet(set uint) DevicePermissions {
- var perm string
- if set&deviceRead == deviceRead {
- perm += "r"
- }
- if set&deviceWrite == deviceWrite {
- perm += "w"
- }
- if set&deviceMknod == deviceMknod {
- perm += "m"
- }
- return DevicePermissions(perm)
-}
-
-// Union returns the union of the two sets of DevicePermissions.
-func (p DevicePermissions) Union(o DevicePermissions) DevicePermissions {
- lhs := p.toSet()
- rhs := o.toSet()
- return fromSet(lhs | rhs)
-}
-
-// Difference returns the set difference of the two sets of DevicePermissions.
-// In set notation, A.Difference(B) gives you A\B.
-func (p DevicePermissions) Difference(o DevicePermissions) DevicePermissions {
- lhs := p.toSet()
- rhs := o.toSet()
- return fromSet(lhs &^ rhs)
-}
-
-// Intersection computes the intersection of the two sets of DevicePermissions.
-func (p DevicePermissions) Intersection(o DevicePermissions) DevicePermissions {
- lhs := p.toSet()
- rhs := o.toSet()
- return fromSet(lhs & rhs)
-}
-
-// IsEmpty returns whether the set of permissions in a DevicePermissions is
-// empty.
-func (p DevicePermissions) IsEmpty() bool {
- return p == DevicePermissions("")
-}
-
-// IsValid returns whether the set of permissions is a subset of valid
-// permissions (namely, {r,w,m}).
-func (p DevicePermissions) IsValid() bool {
- return p == fromSet(p.toSet())
-}
-
-type DeviceType rune
-
-const (
- WildcardDevice DeviceType = 'a'
- BlockDevice DeviceType = 'b'
- CharDevice DeviceType = 'c' // or 'u'
- FifoDevice DeviceType = 'p'
-)
-
-func (t DeviceType) IsValid() bool {
- switch t {
- case WildcardDevice, BlockDevice, CharDevice, FifoDevice:
- return true
- default:
- return false
- }
-}
-
-func (t DeviceType) CanMknod() bool {
- switch t {
- case BlockDevice, CharDevice, FifoDevice:
- return true
- default:
- return false
- }
-}
-
-func (t DeviceType) CanCgroup() bool {
- switch t {
- case WildcardDevice, BlockDevice, CharDevice:
- return true
- default:
- return false
- }
-}
-
-type DeviceRule struct {
- // Type of device ('c' for char, 'b' for block). If set to 'a', this rule
- // acts as a wildcard and all fields other than Allow are ignored.
- Type DeviceType `json:"type"`
-
- // Major is the device's major number.
- Major int64 `json:"major"`
-
- // Minor is the device's minor number.
- Minor int64 `json:"minor"`
-
- // Permissions is the set of permissions that this rule applies to (in the
- // cgroupv1 format -- any combination of "rwm").
- Permissions DevicePermissions `json:"permissions"`
-
- // Allow specifies whether this rule is allowed.
- Allow bool `json:"allow"`
-}
-
-func (d *DeviceRule) CgroupString() string {
- var (
- major = strconv.FormatInt(d.Major, 10)
- minor = strconv.FormatInt(d.Minor, 10)
- )
- if d.Major == Wildcard {
- major = "*"
- }
- if d.Minor == Wildcard {
- minor = "*"
- }
- return fmt.Sprintf("%c %s:%s %s", d.Type, major, minor, d.Permissions)
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/device_unix.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/device_unix.go
deleted file mode 100644
index 650c46848..000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/device_unix.go
+++ /dev/null
@@ -1,16 +0,0 @@
-// +build !windows
-
-package configs
-
-import (
- "errors"
-
- "golang.org/x/sys/unix"
-)
-
-func (d *DeviceRule) Mkdev() (uint64, error) {
- if d.Major == Wildcard || d.Minor == Wildcard {
- return 0, errors.New("cannot mkdev() device with wildcards")
- }
- return unix.Mkdev(uint32(d.Major), uint32(d.Minor)), nil
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/device_windows.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/device_windows.go
deleted file mode 100644
index 729289393..000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/device_windows.go
+++ /dev/null
@@ -1,5 +0,0 @@
-package configs
-
-func (d *DeviceRule) Mkdev() (uint64, error) {
- return 0, nil
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/devices.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/devices.go
new file mode 100644
index 000000000..b9e3664ce
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/libcontainer/configs/devices.go
@@ -0,0 +1,17 @@
+package configs
+
+import "github.com/opencontainers/runc/libcontainer/devices"
+
+type (
+ // Deprecated: use libcontainer/devices.Device
+ Device = devices.Device
+
+ // Deprecated: use libcontainer/devices.Rule
+ DeviceRule = devices.Rule
+
+ // Deprecated: use libcontainer/devices.Type
+ DeviceType = devices.Type
+
+ // Deprecated: use libcontainer/devices.Permissions
+ DevicePermissions = devices.Permissions
+)
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces_linux.go
index 1bbaef9bd..d52d6fcd1 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces_linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces_linux.go
@@ -56,7 +56,7 @@ func IsNamespaceSupported(ns NamespaceType) bool {
if nsFile == "" {
return false
}
- _, err := os.Stat(fmt.Sprintf("/proc/self/ns/%s", nsFile))
+ _, err := os.Stat("/proc/self/ns/" + nsFile)
// a namespace is supported if it exists and we have permissions to read it
supported = err == nil
supportedNamespaces[ns] = supported