Migrate to containerd v1.7.0 and update dependencies

* Updates containerd to v1.7.0 and new binary for 32-bit
Arm OSes.
* Updates Go dependencies - openfaas and external

Signed-off-by: Alex Ellis (OpenFaaS Ltd) <alexellis2@gmail.com>

vendor/github.com/Microsoft/hcsshim/internal/log/context.go

@@ -0,0 +1,118 @@
+package log
+
+import (
+	"context"
+
+	"github.com/sirupsen/logrus"
+	"go.opencensus.io/trace"
+)
+
+type entryContextKeyType int
+
+const _entryContextKey entryContextKeyType = iota
+
+var (
+	// L is the default, blank logging entry. WithField and co. all return a copy
+	// of the original entry, so this will not leak fields between calls.
+	//
+	// Do NOT modify fields directly, as that will corrupt state for all users and
+	// is not thread safe.
+	// Instead, use `L.With*` or `L.Dup()`. Or `G(context.Background())`.
+	L = logrus.NewEntry(logrus.StandardLogger())
+
+	// G is an alias for GetEntry
+	G = GetEntry
+
+	// S is an alias for SetEntry
+	S = SetEntry
+
+	// U is an alias for UpdateContext
+	U = UpdateContext
+)
+
+// GetEntry returns a `logrus.Entry` stored in the context, if one exists.
+// Otherwise, it returns a default entry that points to the current context.
+//
+// Note: if the a new entry is returned, it will reference the passed in context.
+// However, existing contexts may be stored in parent contexts and additionally reference
+// earlier contexts.
+// Use `UpdateContext` to update the entry and context.
+func GetEntry(ctx context.Context) *logrus.Entry {
+	entry := fromContext(ctx)
+
+	if entry == nil {
+		entry = L.WithContext(ctx)
+	}
+
+	return entry
+}
+
+// SetEntry updates the log entry in the context with the provided fields, and
+// returns both. It is equivalent to:
+//
+//	entry := GetEntry(ctx).WithFields(fields)
+//	ctx = WithContext(ctx, entry)
+//
+// See WithContext for more information.
+func SetEntry(ctx context.Context, fields logrus.Fields) (context.Context, *logrus.Entry) {
+	e := GetEntry(ctx)
+	if len(fields) > 0 {
+		e = e.WithFields(fields)
+	}
+	return WithContext(ctx, e)
+}
+
+// UpdateContext extracts the log entry from the context, and, if the entry's
+// context points to a parent's of the current context, ands the entry
+// to the most recent context. It is equivalent to:
+//
+//	entry := GetEntry(ctx)
+//	ctx = WithContext(ctx, entry)
+//
+// This allows the entry to reference the most recent context and any new
+// values (such as span contexts) added to it.
+//
+// See WithContext for more information.
+func UpdateContext(ctx context.Context) context.Context {
+	// there is no way to check its ctx (and not one of its parents) that contains `e`
+	// so, at a slight cost, force add `e` to the context
+	ctx, _ = WithContext(ctx, GetEntry(ctx))
+	return ctx
+}
+
+// WithContext returns a context that contains the provided log entry.
+// The entry can be extracted with `GetEntry` (`G`)
+//
+// The entry in the context is a copy of `entry` (generated by `entry.WithContext`)
+func WithContext(ctx context.Context, entry *logrus.Entry) (context.Context, *logrus.Entry) {
+	// regardless of the order, entry.Context != GetEntry(ctx)
+	// here, the returned entry will reference the supplied context
+	entry = entry.WithContext(ctx)
+	ctx = context.WithValue(ctx, _entryContextKey, entry)
+
+	return ctx, entry
+}
+
+// Copy extracts the tracing Span and logging entry from the src Context, if they
+// exist, and adds them to the dst Context.
+//
+// This is useful to share tracing and logging between contexts, but not the
+// cancellation. For example, if the src Context has been cancelled but cleanup
+// operations triggered by the cancellation require a non-cancelled context to
+// execute.
+func Copy(dst context.Context, src context.Context) context.Context {
+	if s := trace.FromContext(src); s != nil {
+		dst = trace.NewContext(dst, s)
+	}
+
+	if e := fromContext(src); e != nil {
+		dst, _ = WithContext(dst, e)
+	}
+
+	return dst
+}
+
+func fromContext(ctx context.Context) *logrus.Entry {
+	e, _ := ctx.Value(_entryContextKey).(*logrus.Entry)
+	return e
+}

vendor/github.com/Microsoft/hcsshim/internal/log/g.go

@@ -1,23 +0,0 @@
-package log
-
-import (
-	"context"
-
-	"github.com/sirupsen/logrus"
-	"go.opencensus.io/trace"
-)
-
-// G returns a `logrus.Entry` with the `TraceID, SpanID` from `ctx` if `ctx`
-// contains an OpenCensus `trace.Span`.
-func G(ctx context.Context) *logrus.Entry {
-	span := trace.FromContext(ctx)
-	if span != nil {
-		sctx := span.SpanContext()
-		return logrus.WithFields(logrus.Fields{
-			"traceID": sctx.TraceID.String(),
-			"spanID":  sctx.SpanID.String(),
-			// "parentSpanID": TODO: JTERRY75 - Try to convince OC to export this?
-		})
-	}
-	return logrus.NewEntry(logrus.StandardLogger())
-}

vendor/github.com/Microsoft/hcsshim/internal/log/hook.go

@@ -0,0 +1,45 @@
+package log
+
+import (
+	"github.com/Microsoft/hcsshim/internal/logfields"
+	"github.com/sirupsen/logrus"
+	"go.opencensus.io/trace"
+)
+
+// Hook serves to intercept and format `logrus.Entry`s before they are passed
+// to the ETW hook.
+//
+// The containerd shim discards the (formatted) logrus output, and outputs only via ETW.
+// The Linux GCS outputs logrus entries over stdout, which is consumed by the shim and
+// then re-output via the ETW hook.
+type Hook struct{}
+
+var _ logrus.Hook = &Hook{}
+
+func NewHook() *Hook {
+	return &Hook{}
+}
+
+func (h *Hook) Levels() []logrus.Level {
+	return logrus.AllLevels
+}
+
+func (h *Hook) Fire(e *logrus.Entry) (err error) {
+	h.addSpanContext(e)
+
+	return nil
+}
+
+func (h *Hook) addSpanContext(e *logrus.Entry) {
+	ctx := e.Context
+	if ctx == nil {
+		return
+	}
+	span := trace.FromContext(ctx)
+	if span == nil {
+		return
+	}
+	sctx := span.SpanContext()
+	e.Data[logfields.TraceID] = sctx.TraceID.String()
+	e.Data[logfields.SpanID] = sctx.SpanID.String()
+}

vendor/github.com/Microsoft/hcsshim/internal/log/scrub.go

@@ -0,0 +1,194 @@
+package log
+
+import (
+	"bytes"
+	"encoding/json"
+	"errors"
+	"strings"
+	"sync/atomic"
+
+	hcsschema "github.com/Microsoft/hcsshim/internal/hcs/schema2"
+)
+
+// This package scrubs objects of potentially sensitive information to pass to logging
+
+type genMap = map[string]interface{}
+type scrubberFunc func(genMap) error
+
+const _scrubbedReplacement = "<scrubbed>"
+
+var (
+	ErrUnknownType = errors.New("encoded object is of unknown type")
+
+	// case sensitive keywords, so "env" is not a substring on "Environment"
+	_scrubKeywords = [][]byte{[]byte("env"), []byte("Environment")}
+
+	_scrub int32
+)
+
+// SetScrubbing enables scrubbing
+func SetScrubbing(enable bool) {
+	v := int32(0) // cant convert from bool to int32 directly
+	if enable {
+		v = 1
+	}
+	atomic.StoreInt32(&_scrub, v)
+}
+
+// IsScrubbingEnabled checks if scrubbing is enabled
+func IsScrubbingEnabled() bool {
+	v := atomic.LoadInt32(&_scrub)
+	return v != 0
+}
+
+// ScrubProcessParameters scrubs HCS Create Process requests with config parameters of
+// type internal/hcs/schema2.ScrubProcessParameters (aka hcsshema.ScrubProcessParameters)
+func ScrubProcessParameters(s string) (string, error) {
+	// todo: deal with v1 ProcessConfig
+	b := []byte(s)
+	if !IsScrubbingEnabled() || !hasKeywords(b) || !json.Valid(b) {
+		return s, nil
+	}
+
+	pp := hcsschema.ProcessParameters{}
+	if err := json.Unmarshal(b, &pp); err != nil {
+		return "", err
+	}
+	pp.Environment = map[string]string{_scrubbedReplacement: _scrubbedReplacement}
+
+	buf := bytes.NewBuffer(b[:0])
+	if err := encode(buf, pp); err != nil {
+		return "", err
+	}
+	return strings.TrimSpace(buf.String()), nil
+}
+
+// ScrubBridgeCreate scrubs requests sent over the bridge of type
+// internal/gcs/protocol.containerCreate wrapping an internal/hcsoci.linuxHostedSystem
+func ScrubBridgeCreate(b []byte) ([]byte, error) {
+	return scrubBytes(b, scrubBridgeCreate)
+}
+
+func scrubBridgeCreate(m genMap) error {
+	if !isRequestBase(m) {
+		return ErrUnknownType
+	}
+	if ss, ok := m["ContainerConfig"]; ok {
+		// ContainerConfig is a json encoded struct passed as a regular string field
+		s, ok := ss.(string)
+		if !ok {
+			return ErrUnknownType
+		}
+		b, err := scrubBytes([]byte(s), scrubLinuxHostedSystem)
+		if err != nil {
+			return err
+		}
+		m["ContainerConfig"] = string(b)
+		return nil
+	}
+	return ErrUnknownType
+}
+
+func scrubLinuxHostedSystem(m genMap) error {
+	if m, ok := index(m, "OciSpecification"); ok {
+		if _, ok := m["annotations"]; ok {
+			m["annotations"] = map[string]string{_scrubbedReplacement: _scrubbedReplacement}
+		}
+		if m, ok := index(m, "process"); ok {
+			if _, ok := m["env"]; ok {
+				m["env"] = []string{_scrubbedReplacement}
+				return nil
+			}
+		}
+	}
+	return ErrUnknownType
+}
+
+// ScrubBridgeExecProcess scrubs requests sent over the bridge of type
+// internal/gcs/protocol.containerExecuteProcess
+func ScrubBridgeExecProcess(b []byte) ([]byte, error) {
+	return scrubBytes(b, scrubExecuteProcess)
+}
+
+func scrubExecuteProcess(m genMap) error {
+	if !isRequestBase(m) {
+		return ErrUnknownType
+	}
+	if m, ok := index(m, "Settings"); ok {
+		if ss, ok := m["ProcessParameters"]; ok {
+			// ProcessParameters is a json encoded struct passed as a regular sting field
+			s, ok := ss.(string)
+			if !ok {
+				return ErrUnknownType
+			}
+
+			s, err := ScrubProcessParameters(s)
+			if err != nil {
+				return err
+			}
+
+			m["ProcessParameters"] = s
+			return nil
+		}
+	}
+	return ErrUnknownType
+}
+
+func scrubBytes(b []byte, scrub scrubberFunc) ([]byte, error) {
+	if !IsScrubbingEnabled() || !hasKeywords(b) || !json.Valid(b) {
+		return b, nil
+	}
+
+	m := make(genMap)
+	if err := json.Unmarshal(b, &m); err != nil {
+		return nil, err
+	}
+
+	// could use regexp, but if the env strings contain braces, the regexp fails
+	// parsing into individual structs would require access to private structs
+	if err := scrub(m); err != nil {
+		return nil, err
+	}
+
+	buf := &bytes.Buffer{}
+	if err := encode(buf, m); err != nil {
+		return nil, err
+	}
+
+	return bytes.TrimSpace(buf.Bytes()), nil
+}
+
+func encode(buf *bytes.Buffer, v interface{}) error {
+	enc := json.NewEncoder(buf)
+	enc.SetEscapeHTML(false)
+	if err := enc.Encode(v); err != nil {
+		return err
+	}
+	return nil
+}
+
+func isRequestBase(m genMap) bool {
+	// neither of these are (currently) `omitempty`
+	_, a := m["ActivityId"]
+	_, c := m["ContainerId"]
+	return a && c
+}
+
+// combination `m, ok := m[s]` and `m, ok := m.(genMap)`
+func index(m genMap, s string) (genMap, bool) {
+	if m, ok := m[s]; ok {
+		mm, ok := m.(genMap)
+		return mm, ok
+	}
+
+	return m, false
+}
+
+func hasKeywords(b []byte) bool {
+	for _, bb := range _scrubKeywords {
+		if bytes.Contains(b, bb) {
+			return true
+		}
+	}
+	return false
+}