Releases: containerd/containerd

containerd 1.7.3

27 Jul 21:09
v1.7.3
7880925

Welcome to the v1.7.3 release of containerd!

The third patch release for containerd 1.7 contains various fixes and updates.

Notable Updates

  • RunC: Update runc binary to v1.1.8 (#8843)
  • CRI: Fix additionalGids: it should fallback to imageConfig.User when securityContext.RunAsUser,RunAsUsername are empty (#8824)
  • CRI: write generated CNI config atomically (#8825)
  • Port-Forward: Correctly handle known errors (#8806)
  • Resolve docker.NewResolver race condition (#8799)
  • Fix net.ipv4.ping_group_range with userns (#8786)
  • Runtime/V2/RunC: handle early exits w/o big locks (#8712)
  • SecComp: always allow name_to_handle_at (#8753)
  • CRI: Windows Pod Stats: Add a check to skip stats for containers that are not running (#8654)
  • Task: don't close() io before cancel() (#8658)
  • Remove CNI conf_template deprecation (#8638)
  • Fix issue for HPC pod metrics (#8634)

See the changelog for complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

  • Akihiro Suda
  • Phil Estes
  • Sebastiaan van Stijn
  • Wei Fu
  • Derek McGowan
  • Kazuyoshi Kato
  • Austin Vazquez
  • Samuel Karp
  • Shingo Omura
  • Jin Dong
  • Maksym Pavlenko
  • Aditi Sharma
  • Danny Canter
  • James Sturtevant
  • Laura Brehm
  • Rodrigo Campos
  • Akhil Mohan
  • Andrey Epifanov
  • Bjorn Neergaard
  • Cory Snider
  • Madhav Jivrajani
  • Mahamed Ali
  • Priyanka Saggu
  • Qasim Sarfraz
  • wangxiang
  • zounengren

Changes

63 commits

  • [release/1.7] Prepare release notes for v1.7.3 (#8871)
    • 4cb2f1515 [release/1.7] Add release notes for v1.7.3
  • [release/1.7] cri: memory.memsw.limit_in_bytes: no such file or directory (#8869)
    • b461ecacf cri: memory.memsw.limit_in_bytes: no such file or directory
  • [release/1.7] migrate to community owned bucket for node e2e tests (#8875)
    • 14328ae03 migrate to community owned bucket
  • [release/1.7 backport] update runc binary to v1.1.8 (#8843)
  • [release/1.7 backport] [CRI] fix additionalGids: it should fallback to imageConfig.User when securityContext.RunAsUser,RunAsUsername are empty (#8824)
    • 083f57160 capture desc variable in range variable just in case that it run in parallel mode
    • a9440ce6b Use t.TempDir instead of os.MkdirTemp
    • eea3440d8 use strings.Cut instead of strings.Split for parsing imageConfig.User
    • eace67180 fix userstr for dditionalGids on Linux
  • [release/1.7 backport] cri: write generated CNI config atomically (#8825)
    • 7353c0286 ctr: update WritePidFile to use atomicfile
    • ae7021300 shim: WritePidFile & WriteAddress use atomicfile
    • 186eb64b7 cri: write generated CNI config atomically on Unix
    • 64c3dcd8e atomicfile: new package for atomic file writes
  • [release/1.7 backport] Move logrus setup code to log package (#8831)
    • f7a20e17c Move logrus setup code to log package
  • [release/1.7 backport] Cirrus CI: configure apt-get to wait for locks (#8814)
    • 60a6db9c2 Cirrus CI: configure apt-get to wait for locks
  • [release/1.7 backport] Update Go to 1.20.6,1.19.11 (#8815)
  • [release/1.7 backport] update go to go1.20.5, go1.19.10 (#8716)
  • [release/1.7 backport] bugfix(port-forward): Correctly handle known errors (#8806)
    • 6b6b0c828 bugfix(port-forward): Correctly handle known errors
  • [release/1.7] Resolve docker.NewResolver race condition (#8799)
    • 898eca21e Change http.Header copy to builtin Clone
    • fa2efc406 Resolve docker.NewResolver race condition
  • [release/1.7] Fix net.ipv4.ping_group_range with userns (#8786)
    • 241514815 pkg/cri/server: Test net.ipv4.ping_group_range works with userns
    • 801e8c806 pkg/cri/server: Fix net.ipv4.ping_group_range with userns
  • [release/1.7 backport] vendor: github.com/containerd/zfs v1.1.0 (#8782)
    • d5639a5a8 vendor: github.com/containerd/zfs v1.1.0
  • [release/1.7 backport] ci: remove libseccomp-dev installation for nightly (#8772)
    • 15d65709e ci: remove libseccomp-dev installation for nightly
  • [release/1.7] go.mod: Update cgroups to 3.0.2 (#8769)
    • a08ae718c [release/1.7] go.mod: Update cgroups to 3.0.2
  • [release/1.7 backport] runtime/v2/runc: handle early exits w/o big locks (#8712)
    • 18c6503d9 runtime/v2/runc: handle early exits w/o big locks
  • [release/1.7 backport] integration/client: add timeout to TestShimOOMScore (#8750)
    • 3bf3996d9 integration/client: add timeout to TestShimOOMScore
  • [release/1.7 backport] Update ginkgo to match cri-tools' version (#8760)
    • c2c54af9d Update ginkgo to match cri-tools' version
  • [release/1.7 backport] seccomp: always allow name_to_handle_at (#8753)
    • 6281d46df seccomp: always allow name_to_handle_at
  • [release/1.7] Pinned image support (#8718)
  • [release/1.7] cherry-pick: No more nondistributable layers in MS registry (#8690)
    • dafbeb5b1 No more nondistributable layers in MS registry
  • [release/1.7] [cri] Windows Pod Stats: Add a check to skip stats for containers that are not running (#8654)

containerd 1.6.22

27 Jul 19:53
v1.6.22
8165fea

Welcome to the v1.6.22 release of containerd!

The twenty-second patch release for containerd 1.6 contains various fixes and updates.

Notable Updates

  • RunC: Update runc binary to v1.1.8 (#8842)
  • CRI: Fix additionalGids: it should fallback to imageConfig.User when securityContext.RunAsUser,RunAsUsername are empty (#8823)
  • CRI: Write generated CNI config atomically (#8826)
  • Fix concurrent writes for UpdateContainerStats (#8819)
  • Make checkContainerTimestamps less strict on Windows (#8827)
  • Port-Forward: Correctly handle known errors (#8805)
  • Resolve docker.NewResolver race condition (#8800)
  • SecComp: Always allow name_to_handle_at (#8754)
  • Adding support to run hcsshim from local clone (#8713)
  • Pinned image support (#8720)
  • Runtime/V2/RunC: Handle early exits w/o big locks (#8695)
  • CRITool: Move up to CRI-TOOLS v1.27.0 (#7997)
  • Fix cpu architecture detection issue on emulated ARM platform (#8533)
  • Task: Don't close() io before cancel() (#8659)
  • Fix panic when remote differ returns empty result (#8640)
  • Plugins: Notify readiness when registered plugins are ready (#8583)
  • Unwrap io errors in server connection receive error handling (ttrpc#143)

See the changelog for complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

  • Akihiro Suda
  • Phil Estes
  • Sebastiaan van Stijn
  • Derek McGowan
  • Wei Fu
  • Kazuyoshi Kato
  • Austin Vazquez
  • Samuel Karp
  • dependabot[bot]
  • Jin Dong
  • Maksym Pavlenko
  • Mike Brown
  • Shingo Omura
  • Akhil Mohan
  • Bjorn Neergaard
  • Laura Brehm
  • Tony Fang
  • Aditi Sharma
  • Andrey Epifanov
  • Benjamin Wang
  • Brian Goff
  • Cory Snider
  • Daniel Canter
  • Daniel Lenar
  • Henry Wang
  • Luca Comellini
  • Madhav Jivrajani
  • Mahamed Ali
  • Mohit Sharma
  • Oliver Radwell
  • Priyanka Saggu
  • Qasim Sarfraz
  • Takumasa Sakao
  • wangxiang
  • zounengren

Changes

95 commits

  • [release/1.6] Prepare release notes for v1.6.22 (#8863)
    • 0770a4601 [release/1.6] Add release notes for v1.6.22
  • [release/1.6] migrate to community owned bucket for node e2e tests (#8876)
    • 512a672af migrate to community owned bucket
  • [release/1.6] cri: memory.memsw.limit_in_bytes: no such file or directory (#8870)
    • b585ff155 cri: memory.memsw.limit_in_bytes: no such file or directory
  • [release/1.6] Update go-restful to v3.10.1 (#8412)
    • a322077bf go.mod: github.com/emicklei/go-restful/v3 v3.10.1
  • [release/1.6 backport] update runc binary to v1.1.8 (#8842)
  • [release/1.6 backport] ci: remove libseccomp-dev installation for nightly (#8773)
    • 6e2bcb6dd ci: remove libseccomp-dev installation for nightly
  • [release/1.6 backport] [CRI] fix additionalGids: it should fallback to imageConfig.User when securityContext.RunAsUser,RunAsUsername are empty (#8823)
    • cd06f23af capture desc variable in range variable just in case that it run in parallel mode
    • 30f5c6a1f Use t.TempDir instead of os.MkdirTemp
    • 59d8363ef fix userstr for dditionalGids on Linux
  • [release/1.6 backport] cri: write generated CNI config atomically (#8826)
    • d75bf78c2 ctr: update WritePidFile to use atomicfile
    • 5f70b23c1 shim: WritePidFile & WriteAddress use atomicfile
    • 505d444b0 cri: write generated CNI config atomically on Unix
    • b2d2d3829 atomicfile: new package for atomic file writes
  • [release/1.6 backport] Fix concurrent writes for UpdateContainerStats (#8819)
    • 9f650143f Fix concurrent writes for UpdateContainerStats
  • [release/1.6 backport] Make checkContainerTimestamps less strict on Windows (#8827)
    • 568ce91ca Make checkContainerTimestamps less strict on Windows
  • [release/1.6 backport] dependency: bump go.etcd.io/bbolt to v1.3.7 (#8817)
    • d2f47192a dependency: bump go.etcd.io/bbolt to v1.3.7
    • fb56dc245 [release/1.6] vendor: github.com/stretchr/testify v1.8.1
  • [release/1.6 backport] Move logrus setup code to log package (#8832)
    • 7fbd5dc89 Move logrus setup code to log package
  • [release/1.6 backport] release: Add "cri-containerd.DEPRECATED.txt" in the deprecated cri-containerd-* bundles (#8820)
    • 59a143670 release: Add "cri-containerd.DEPRECATED.txt" in the deprecated cri-containerd-* bundles
  • [release/1.6 backport] Use version 2 configuration format in docs (#8821)
    • 5b51b79e2 [release/1.6] fix remaining "v1 config" plugin IDs
    • b7cf26d8d docs: Fix sample config.toml syntax
    • fcdaf0966 docs: migrate config v1 to v2
    • 728d5c5f0 Use version 2 config and mention containerd config command
  • [release/1.6] update go to go1.19.11 (#8816)
    • 81aa14718 [release/1.6] update go to go1.19.11
  • [release/1.6] update go to go1.19.10 (#8715)
    • 17cd86629 [release/1.6] update go to go1.19.10
  • [release/1.6 backport] bugfix(port-forward): Correctly handle known errors (#8805)
    • fdb65f214 bugfix(port-forward): Correctly handle known errors
  • [release/1.6] Resolve docker.NewResolver race condition (#8800)
    • b5784af66 Change http.Header copy to builtin Clone
    • 31c466f82 Resolve docker.NewResolver race condition
  • [release/1.6 backport] vendor: github.com/containerd/zfs v1.1.0 (#8781)

containerd 1.7.2

02 Jun 23:14
v1.7.2
0cae528

Welcome to the v1.7.2 release of containerd!

The second patch release for containerd 1.7 includes enhancements to CRI sandbox mode,
Windows snapshot mounting support, and CRI and container IO bug fixes.

CRI/Sandbox Updates

  • Publish sandbox events (#8613)
  • Make stats respect sandbox's platform (#8604)

Other Notable Updates

  • Mount snapshots on Windows (#8616)
  • Notify readiness when registered plugins are ready (#8584)
  • Fix cio.Cancel() should close pipes (#8624)
  • CDI: Use CRI Config.CDIDevices field for CDI injection (#8519)

See the changelog for complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

  • Gabriel Adrian Samfira
  • Derek McGowan
  • Paul "TBBle" Hampson
  • Maksym Pavlenko
  • Phil Estes
  • Austin Vazquez
  • Akihiro Suda
  • Kazuyoshi Kato
  • Danny Canter
  • Samuel Karp
  • Sebastiaan van Stijn
  • Ed Bartosh
  • Henry Wang
  • Hsing-Yu (David) Chen
  • Jan Dubois
  • Mike Brown
  • Wei Fu
  • helen

Changes

59 commits

  • [release/1.7] Prepare release notes for v1.7.2 (#8629)
    • 0e41daaea [release/1.7] Prepare release notes for v1.7.2
  • [1.7 backport] Fix panic when remote differ returns empty result (#8631)
    • e134b6393 Fix panic when remote differ returns empty result
  • [release/1.7 backport] Mount snapshots on Windows (#8616)
    • 313c226b8 Update continuity to a tagged version
    • 8dd16285a UnmountAll is a no-op for missing mount points
    • acff3eefa Improve error messages and remove check
    • b4dd3bf4e Make ReadOnly() available on all platforms
    • 08d8baf3f Increase integration test tmieout to 20m
    • 1f0dbd011 Remove bind code path in mount()
    • 8f37b1c63 Remove "bind" code path from diff
    • 9139208b3 Properly mount base layers
    • e61e7b312 Skip parent layer options on bind mounts
    • e4307926f Add ReadOnly() function
    • 0277b9b01 Remove escalated privileges
    • d5c18dfb7 Use DefaultSnapshotter
    • 853179366 use t.Fatal if we cannot enable process privileges
    • 5b3ee413f Update continuity
    • 375172604 Fix go.mod, simplify boolean logic, add logging
    • 600abd137 Ignore ERROR_NOT_FOUND error when removing mount
    • df7295dcd Update continuity, go-winio and hcsshim
    • 0db78c482 Remove unused function
    • 219058766 Grant needed privileges for snapshotter tests
    • 96fbe5bc8 Fix layer comparison and enable read-only checks
    • 279e0d3c9 Use bind filer for mounts
    • 93e94da40 Enable TestSnapshotterClient on Windows
    • 3a3da693a Run Windows snapshotter through the test suite
    • e7b62322f Fix misspelling of 'Native' as 'Naive'
    • e1f999a18 Add paired 'mount' log for 'unmount'
    • 5788d6e52 Don't use all-upper-case filenames in snapshot tests
    • 3cdcb2f10 Skip tests that do not apply to WCOW on Windows
    • b0968b8bb Ensure mounts are unmounted before leaving the test
    • b57424851 Unify testutil.Unmount on Windows and Unix
    • b9a8aad45 Implement Windows mounting for bind and windows-layer mounts
    • 1a64ee183 Implement WCOW parentless active snapshots and view snapshots
  • [release/1.7] fix: cio.Cancel() should close the pipes (#8624)
    • 99582fb1a fix: cio.Cancel() should close the pipes
  • [release/1.7 backport] remotes/docker: ResolverOptions: fix deprecation comments (#8621)
    • eeda70fb0 remotes/docker: ResolverOptions: fix deprecation comments
  • [release/1.7] Publish sandbox events (#8613)
  • [release/1.7] notify readiness when registered plugins are ready (#8584)
    • 2c38cad77 notify readiness when registered plugins are ready
  • [release/1.7] Backport CRI sandbox server stats changes (#8604)
    • 7851b0a9f CRI: Make stats respect sandbox's platform
    • 8d7c340ca [sbserver] handle missing cpu stats
    • d08b2a088 [sbserver] Refactor usageNanoCores be to used for all OSes
  • [release/1.7] Cherry-pick: Update volume-ownership image with latest hashes (#8574)
    • 08de6e7b8 Update volume-ownership image with latest hashes
  • [release/1.7] CDI: Use CRI Config.CDIDevices field for CDI injection (#8519)
    • 6a5e54c15 Get CDI devices from CRI Config.CDIDevices field
  • [release/1.7 backport] snapshots/testsuite: Rename: fix fuse-overlayfs incompatibility (#8510)
    • 9e60300ea snapshots/testsuite: Rename: fix fuse-overlayfs incompatibility

#...


containerd 1.7.1

10 May 03:07
v1.7.1
1677a17

Welcome to the v1.7.1 release of containerd!

The first patch release for containerd 1.7 includes many fixes to CRI
sandbox mode, various other fixes, runc update, and important fixes in
core dependencies such as ttrpc and typeurl.

CRI/Sandbox Updates

  • Throw not supported error when UID or GID mappings provided (#8211)
  • Cleanup shim on start failure (#8282)
  • Fix premature close of CRI service when there are no CNI configuration monitors (#8282)
  • Avoid UID lookup from mount on Darwin (#8314)
  • Keep Linux mounts for Linux sandboxes on non-Linux hosts (#8331)
  • Add noexec,nodev,nosuid to /etc/resolv.conf bind mount (#8336)
  • Remove entry for container from container store on error (#8457)
  • Fix unmarshal in container metrics (#8472)

Other Notable Updates

  • Use readonly for temporary mounts (#8300 #8358)
  • Fix skip docker manifest option on image exporter (#8344)
  • Update runc binary to v1.1.7 (#8451)
  • Fix runtime path task option (#8453)
  • Fix panic from nil checkpoint options (#8475)
  • Fix transfer service configuration options (#8491)
  • Fix server-side goroutine leak on receive message error (ttrpc#141)
  • Fix panic caused by race to close send channel (ttrpc#140)
  • Fix unmarshal to return non-nil object when nil value (ttrpc#140)

See the changelog for complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

  • Derek McGowan
  • Sebastiaan van Stijn
  • Akihiro Suda
  • Iceber Gu
  • Phil Estes
  • Maksym Pavlenko
  • Wei Fu
  • Danny Canter
  • Kirtana Ashok
  • Rodrigo Campos
  • Samuel Karp
  • Vinayak Goyal
  • Austin Vazquez
  • Justin Chadwell
  • Kazuyoshi Kato
  • Brad Davidson
  • Djordje Lukic
  • Ethan Lowman
  • Laura Brehm
  • Michael Crosby

Changes

68 commits

  • [release/1.7] Prepare release notes for v1.7.1 (#8501)
  • [release/1.7] Update ttrpc v1.2.2 (#8499)
  • [release/1.7] runtime/shim: fix the nil checkpoint options (#8475)
    • 3ef5b689a runtime/shim: fix the nil checkpoint options
  • [release/1.7] bump typeurl to v2.1.1 (#8495)
  • [release/1.7] Transfer service backports (#8491)
    • 35e86f96c [transfer] avoid setting limiters when max is 0
    • f7233811f Update transfer configuration
    • 4510eac00 Fix image pulling with Transfer service
  • [release/1.7]Update hcsshim tag to v0.10.0-rc.8 (#8480)
    • aaa65e8c1 Update hcsshim tag to v0.10.0-rc.8
  • [release/1.7] cri: Fix umarshal metrics (#8472)
    • 95ef67e19 Fix umarshal metrics for CRI server
  • [release/1.7 backport] update go to go1.20.4, go1.19.9 (#8471)
  • [release/1.7] fix the task setting the runtime path (#8453)
    • c0e128624 skip TestContainerStartWithAbsRuntimePath if the runtime is v1
    • aa3c63c15 integration: add container start test using abs runtime path
    • d2d9eedb1 WithRuntimePath uses the TaskInfo.RuntimePath field
  • [release/1.7] Remove entry for container from container store on error (#8457)
    • 6b3ae0129 Remove entry for container from container store on error
  • [release/1.7 backport] update runc binary to v1.1.7 (#8451)
  • [release/1.7] cri: Vendor v0.27.1 (#8444)
  • [release/1.7 backport] oci: partially restore comment on read-only mounts for uid/gid uses (#8404)
    • 1bbf98e53 oci: partially restore comment on read-only mounts for uid/gid uses
  • [release/1.7] Fix argsEscaped tests (#8405)
  • [release/1.7] Throw an error if the kubelet requests mounts with uid/gid mappings (#8211)
    • 7de8629be cri: Throw an error if idmap mounts is requested
    • 75ac7e0d8 cri: Vendor v0.27.0-beta.0 for mounts uid/gid mappings
  • [release/1.7] go.mod: remove redundant replace, and some cleaning-up (#8396)
    • 8f6e86fec go.mod: add comment explaining go-fuzz-headers replace rule
    • 1ece0cb50 go.mod: remove replace for github.com/opencontainers/runtime-tools
    • e9f962187 go.mod: integration: use non-pre-release of containerd
    • 84393b005 go.mod: integration: move indirect dependencies to the right group
  • [release/1.7 backport] update runc binary to v1.1.6 (#8386)
  • [release/1.7 backport] oci: Use WithReadonlyTempMount when adding users/groups (#8358)
    • 54d12b872 oci: Use WithReadonlyTempMount when adding users/groups
  • [release/1.7 backport] update go to go1.20.3, go1.19.8 (#8354)
  • [release/1.7] archive: consistently respect value of WithSkipDockerManifest (#8344)
    • 1d6641b7c export: add test for WithSkipDockerManifest
    • 0e0d84f6b archive: consistently respect value of WithSkipDockerManifest
  • [release/1.7] Add noexec nodev and nosuid to sandbox /etc/resolv.conf mount bind. (#8336)
    • 9b4935d86 Update sbserver to add noexec nodev and nosuid to /etc/resolv.conf mount bind.
    • ...

containerd 1.6.21

05 May 15:30
v1.6.21
3dce8eb

Welcome to the v1.6.21 release of containerd!

The twenty-first patch release for containerd 1.6 contains various fixes and updates.

Notable Updates

  • update runc binary to v1.1.7 (#8450)
  • Remove entry for container from container store on error (#8456)
  • oci: partially restore comment on read-only mounts for uid/gid uses (#8403)
  • windows: Add ArgsEscaped support for CRI (#8247)
  • oci: Use WithReadonlyTempMount when adding users/groups (#8357)
  • archive: consistently respect value of WithSkipDockerManifest (#8345)

See the changelog for complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

  • Derek McGowan
  • Sebastiaan van Stijn
  • Iceber Gu
  • Kirtana Ashok
  • Justin Chadwell
  • Phil Estes
  • Akihiro Suda
  • Djordje Lukic
  • Kazuyoshi Kato
  • Mike Brown
  • Wei Fu
  • kiashok

Changes

26 commits

  • [release/1.6] Prepare release notes for v1.6.21 (#8463)
  • [release/1.6] update go to go1.19.9 (#8469)
    • 39566aade [release/1.6] update go to go1.19.9
  • [release/1.6] fix the task setting the runtime path (#8454)
    • e8840f688 skip TestContainerStartWithAbsRuntimePath if the runtime is v1
    • 75ab094de integration: add container start test using abs runtime path
    • f49254f0b WithRuntimePath uses the TaskInfo.RuntimePath field
  • [release/1.6 backport] update runc binary to v1.1.7 (#8450)
  • [release/1.6] Remove entry for container from container store on error (#8456)
    • 95d31551d Remove entry for container from container store on error
  • [release/1.6 backport] oci: partially restore comment on read-only mounts for uid/gid uses (#8403)
    • c33eb574d oci: partially restore comment on read-only mounts for uid/gid uses
  • [release/1.6 ] Add ArgsEscaped support for CRI (#8247)
  • [release/1.6 backport] update runc binary to v1.1.6 (#8385)
  • [release/1.6 backport] oci: Use WithReadonlyTempMount when adding users/groups (#8357)
    • fb5e663d0 oci: Use WithReadonlyTempMount when adding users/groups
  • [release/1.6] update go to go1.19.8 (#8353)
    • 26efb8fd5 [release/1.6] update go to go1.19.8
  • [release/1.6] archive: consistently respect value of WithSkipDockerManifest (#8345)
    • ec13b497e export: add test for WithSkipDockerManifest
    • d1f3771c4 archive: consistently respect value of WithSkipDockerManifest

Dependency Changes

This release has no dependency changes

Previous release can be found at v1.6.20

containerd 1.6.20

30 Mar 20:59
v1.6.20
2806fc1

Welcome to the v1.6.20 release of containerd!

The twentieth patch release for containerd 1.6 contains various fixes and updates.

Notable Updates

  • Disable looking up usernames and groupnames on host (#8230)
  • Add support for Windows ArgsEscaped images (#8273)
  • Update hcsshim to v0.9.8 (#8274)
  • Fix debug flag in shim (#8288)
  • Add WithReadonlyTempMount to support readonly temporary mounts (#8299)
  • Update ttrpc to fix file descriptor leak (#8308)
  • Update runc binary to v1.1.5 (#8324)
  • Update image config to support ArgsEscaped (#8306)

See the changelog for complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

  • Sebastiaan van Stijn
  • Derek McGowan
  • Maksym Pavlenko
  • Akihiro Suda
  • Phil Estes
  • Eng Zer Jun
  • Justin Terry
  • Kazuyoshi Kato
  • Wei Fu
  • Abirdcfly
  • Gabriel Adrian Samfira
  • Henry Wang
  • Kang.Zhang
  • Kirtana Ashok
  • Laura Brehm
  • Luca Comellini
  • Paul "TBBle" Hampson
  • liyuxuan.darfux
  • ningmingxiao
  • wanglei

Changes

48 commits

  • [release/1.6] Prepare release notes for v1.6.20 (#8310)
    • a039a2b9c Prepare release notes for v1.6.20
  • [release/1.6]Updates oci image config to support upstream ArgsEscaped (#8306)
    • 5dd94a7e6 Updates oci image config to support upstream ArgsEscaped
  • [release/1.6] update runc binary to v1.1.5 (#8324)
    • 59fa6b191 update runc binary to v1.1.5
    • 0c0aad93e go.mod: github.com/opencontainers/runc v1.1.5
  • [release/1.6] Update ttrpc to v1.1.1 (#8308)
  • [release/1.6 backport] Add WithReadonlyTempMount to create readonly temporary mounts (#8299)
    • 8cead6594 Add WithReadonlyTempMount to create readonly temporary mounts
  • [release/1.6] Adds support for Windows ArgsEscaped images (#8273)
    • f0dc0297d Adds support for Windows ArgsEscaped images
  • [release/1.6]go.mod: Bump hcsshim tag to v0.9.8 (#8274)
  • [1.6] shim: fix debug flag not working (#8288)
  • [release/1.6] cherry-pick: Update go-restful to v3 (#8271)
    • 5a8ea75df Update go-restful to v3
    • 59bdc1d5a go.mod: update to github.com/emicklei/go-restful/v3 v3.7.3
  • [release/1.6] Go 1.19.7 (#8238)
  • [release/1.6 backport] archive: disable looking up usernames and groupnames on the host (#8230)
    • 063ad2f19 archive: disable looking up usernames and groupnames on the host
  • [release/1.6 backport] assorted linting, and golang update-related changes (#8229)
    • 9cbea6fe7 Enable dupword linter
    • c73f1abff Bump golangci-lint to v1.50.1
    • f198f7724 update golangci-lint to v1.49.0
    • e6179af1e remove unneeded nolint-comments (nolintlint), disable deprecated linters
    • 77160e6b5 [release/1.6] adjust some nolint comments
    • 95655f4ce clean-up "nolint" comments, remove unused ones
    • 9f0617ecc pkg/cri/(server|sbserver): criService.getTLSConfig() add TODO to verify nolint
    • e66397d83 golangci-lint: sort linters in config file
    • 682a567e9 linting: address gosec G112/G114
    • 627f563e6 chore: remove duplicate word in comments
    • efb88a8bb pkg/cri/streaming: increase ReadHeaderTimeout
    • 45f055df6 Update protobuf definitions
    • 584707524 Run gofmt 1.19
    • f33e38572 Switch to Go 1.19
    • fc10cd23a remove duplicate
    • 7cbb9e746 Update linters to use t.Setenv
    • 4347a3265 Use t.Setenv instead of os.Setenv
    • 10357eab5 Address some timeout issues in the Windows CI
    • 977ce8ef5 Enable gosec linter for golangci-lint
    • c23945c5f test: remove redundant mountPoint
    • 588ed91d3 test: use T.TempDir to create temporary test directory
    • c2ed63c86 Remove hardcoded /tmp in tempfile paths
    • 7e382c516 fix Implicit memory aliasing in for loop

Changes from containerd/ttrpc

2 commits

  • [release/1.1] server: Fix connection leak when receiving ECONNRESET (#136)
    • 8977f59 server: Fix connection leak when receiving ECONNRESET

Dependency Changes

  • github.com/Microsoft/hcsshim v0.9.7 -> v0.9.8
  • github.com/containerd/ttrpc v1.1.0 -> v1.1.1
  • github.com/emicklei/go-restful/v3 v3.7.3 new
  • github.com/opencontainers/image-spec c5a74bcca799 -> 3a7f492d3f1b
  • github.com/opencontainers/runc v1.1.2 -> v1.1.5

Previous release can be found at v1.6.19

containerd 1.7.0

10 Mar 18:21
v1.7.0
1fbd703

Welcome to the v1.7.0 release of containerd!

The eighth major release of containerd includes new functionality alongside many improvements.
This release is the last major release of containerd 1.x before 2.0.
Some functionality in this release may be considered experimental or unstable, but will become stable or default in 2.0.
This release still adheres to our backwards compatibility guarantees and users who do not use or enable new functionality should use this release with the same stability expectations.
The previous 1.6 release has also become a long term stable release for users who prefer releases with mostly stability improvements and wish to wait a few releases for new functionality.

Highlights

Sandbox API (experimental)

The sandbox API provides a new way of managing containerd's shim, providing more flexibility and functionality for multi-container environments such as Pods and VMs.
This API makes it easier to manage these groups of containers at a higher level and offers new extension points for shim implementations and clients.

  • Sandbox API (#6703)
  • CRI Sandbox API Implementation (#7228)

Transfer Service (experimental)

  • Transfer Service (#7320)

The transfer service provides a simple interface to transfer artifact objects between any source and destination. This allows for
pull and push operations to be done in containerd whether requested from clients or plugins. It is experimental in this release
to allow for further plugin development and integration into existing plugins.

See the Transfer Docs

NRI (experimental)

  • Extend NRI scope (nri#16)
  • Support for updated NRI (#6019)

The Node Resource Interface is a common framework for plugging extensions into OCI-compatible container runtimes. It provides
basic mechanisms for plugins to track the state of containers and to make limited changes to their configuration.

This release introduces NRI v0.3.0 with an updated plugin interface to cover a wide range of use cases.

See the NRI Docs

Platform Support

  • Linux containers on FreeBSD (#7000)

Runtime Features

  • Add support for CDI device injection (#6654)
  • Support for cgroups blockio (#5490)
  • Add restart policy for enhanced restart manager (#6744)

gRPC Shim Support (experimental)

  • Initial gRPC shim support (#8052)

Adds support for shims to use gRPC in addition to ttrpc. Existing ttrpc shim support is not going
away and will continue to be recommended for the best performance and lowest shim memory overhead.
The gRPC support allows implementation of a wider range of shim implementations which may not
have access to a stable ttrpc library in the implementation language. The shim protocol is also
updated to allow the shims to specify the protocol which is supported.

Road to 2.0

Refactoring

There are multiple places in the code today which are being targeted for refactoring to make long term support easier and to provide more extension points.

The CRI plugin is the most complex containerd plugin with a wide range of functionality. A major effort in this release and before 2.0 involves moving functionality
out of the single CRI plugin into smaller-scoped containerd plugins, such that they can be used and tested independently. The new sandbox and distribution interfaces provide one example of this,
but it is also being done for image and network management.

The version of ttrpc has been updated this release to support streaming, allowing existing grpc services to use ttrpc.
Services are being refactored to allow ttrpc implementations, which can be served via shim and accessed using the new sandbox management capability.

  • Remove gogoproto.customtype (#6699)
  • Remove enumvalue_customname, goproto_enum_prefix and enum_customname (#6708)
  • Remove all gogoproto extensions (#6829)
  • Migrate off from github.com/gogo/protobuf (#6841)
  • ttrpc streaming (ttrpc#107)
  • Add unpack interface for client (#6749)
  • Add collectible resources to metadata gc (#6804)
  • Add version to shim protocol (#8177)

Configuration

Existing CRI configurations will be supported until 2.0.
Any functionality split out of CRI will have their configuration migrated to new plugins.
Deprecated configuration versions and configurations for deprecated features will be removed in 2.0.

Deprecation

The 2.0 release will remove any feature deprecated in 1.x. Features deprecated in this release include:

  • Docker Schema 1 Image Deprecation (#6884)

CRI Updates

  • Fix CRI plugin to setup pod network after creating the sandbox container (#5904)
  • Support image pull progress timeout (#6150)
  • Add experimental support for runtime specific snapshotters (#6899)
  • Pass all TOML runtime configuration options from CRI to the runtime (#7764)
  • Support for user namespaces in stateless pods (KEP-127) (experimental) (#7679)
  • Add timeout option for drain exec io (#7832)
  • Add network plugin metrics (#7858)
  • CRI v1alpha2 is deprecated and will be removed from containerd in containerd v2.0; if you are using the CRI API please move up to CRI v1; Kubernetes supports CRI v1 since Kubernetes 1.23 (#7863)

Other

  • Support shallow content copy by adding reader option to local content reader at (#7414)
  • Add NoSameOwner option when unpacking tars (#7386)
  • Add FetcherByDigest for fetching blobs without fetching a manifest (#7460)
  • Update default seccomp profile to block socket calls to AF_VSOCK (#7510)
  • Replace fork on mount logic with CLONE_FS (#7513)
  • Add support for default registry host configuration (#7607)
  • Use github.com/minio/sha256-simd for more efficient sha256 calculation (#7732)
  • Make OCI options cross-platform (#7928)
  • Update release builds to build from Ubuntu 20.04 with glibc 2.31 (#8021)
  • Use data field from OCI descriptor when provided for fetch (#8076)

See the changelog for a complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

  • Derek McGowan
  • Kazuyoshi Kato
  • Maksym Pavlenko
  • Wei Fu
  • Phil Estes
  • Akihiro Suda
  • Sebastiaan van Stijn
  • Samuel Karp
  • Krisztian Litkey
  • Mike Brown
  • Stefan Berger
  • Danny Canter
  • Austin Vazquez
  • Daniel Canter
  • yanggang
  • Iceber Gu
  • Ye Sijun
  • Ed Bartosh
  • Luca Comellini
  • Adam Korcz
  • Nashwan Azhari
  • Tony Fang
  • ruiwen-zhao
  • xin.li
  • Brian Goff
  • Gabriel Adrian Samfira
  • Paul "TBBle" Hampson
  • Henry Wang
  • Kevin Parsons
  • Rodrigo Campos
  • zounengren
  • Justin Terry
  • Paco Xu
  • Shengjing Zhu
  • Swagat Bora
  • wanglei
  • Gavin Inglis
  • Akhil Mohan
  • Hsing-Yu (David) Chen
  • Zechun Chen
  • guodong
  • lengrongfu
  • James Jenkins
  • James Sturtevant
  • Kirtana Ashok
  • Michael Crosby
  • Qiutong Song
  • Shiming Zhang
  • Vincent Batts
  • Antonio Ojea
  • Cameron Sparr
  • Casey Callendrello
  • Changwei Ge
  • Jian Zeng
  • Josh Seba
  • Junyu Liu
  • Kohei Tokunaga
  • Michael Zappa
  • Qasim Sarfraz
  • Tobias Klauser
  • Zhang Tianyang
  • pigletfly
  • yaoyinnan
  • Abirdcfly
  • Aditi Sharma
  • Amit Barve
  • Bennett-White
  • Bjorn Neergaard
  • Cory Snider
  • Craig Ingram
  • Eng Zer Jun
  • Eric Lin
  • Ethan Lowman
  • Fabian Hoffmann
  • Jess
  • Jiongchi Yu
  • Jonny Stoten
  • Juan Hoyos
  • Kang.Zhang
  • Kay Yan
  • Markus Lehtonen
  • Mikko Ylinen
  • Mohit Sharma
  • Paul Cacheux
  • Paul S. Schweigert
  • Qian Zhang
  • Tõnis Tiigi
  • Yasin Turan
  • bin liu
  • helen
  • yulng
  • Aman Sharma
  • Anastassios Nanos
  • Andrew G. Morgan
  • Andrey Klimentyev
  • Ani...

containerd 1.7.0-rc.3

09 Mar 04:40
v1.7.0-rc.3
8cc09e6
Pre-release

Welcome to the v1.7.0-rc.3 release of containerd!
This is a pre-release of containerd

The eighth major release of containerd includes new functionality alongside many improvements.
This release is the last major release of containerd 1.x before 2.0.
Some functionality in this release may be considered experimental or unstable, but will become stable or default in 2.0.
This release still adheres to our backwards compatibility guarantees and users who do not use or enable new functionality should use this release with the same stability expectations.
The previous 1.6 release has also become a long term stable release for users who prefer releases with mostly stability improvements and wish to wait a few releases for new functionality.

Highlights

Sandbox API (experimental)

The sandbox API provides a new way of managing containerd's shim, providing more flexibility and functionality for multi-container environments such as Pods and VMs.
This API makes it easier to manage these groups of containers at a higher level and offers new extension points for shim implementations and clients.

  • Sandbox API (#6703)
  • CRI Sandbox API Implementation (#7228)

Transfer Service (experimental)

  • Transfer Service (#7320)

The transfer service provides a simple interface to transfer artifact objects between any source and destination. This allows for
pull and push operations to be done in containerd whether requested from clients or plugins. It is experimental in this release
to allow for further plugin development and integration into existing plugins.

See the Transfer Docs

NRI (experimental)

  • Extend NRI scope (nri#16)
  • Support for updated NRI (#6019)

The Node Resource Interface is a common framework for plugging extensions into OCI-compatible container runtimes. It provides
basic mechanisms for plugins to track the state of containers and to make limited changes to their configuration.

This release introduces NRI v0.3.0 with an updated plugin interface to cover a wide range of use cases.

See the NRI Docs

Platform Support

  • Linux containers on FreeBSD (#7000)

Runtime Features

  • Add support for CDI device injection (#6654)
  • Support for cgroups blockio (#5490)
  • Add restart policy for enhanced restart manager (#6744)

gRPC Shim Support (experimental)

  • Initial gRPC shim support (#8052)

Adds support for shims to use gRPC in addition to ttrpc. Existing ttrpc shim support is not going
away and will continue to be recommended for the best performance and lowest shim memory overhead.
The gRPC support allows implementation of a wider range of shim implementations which may not
have access to a stable ttrpc library in the implementation language. The shim protocol is also
updated to allow the shims to specify the protocol which is supported.

Road to 2.0

Refactoring

There are multiple places in the code today which are being targeted for refactoring to make long term support easier and to provide more extension points.

The CRI plugin is the most complex containerd plugin with a wide range of functionality. A major effort in this release and before 2.0 involves moving functionality
out of the single CRI plugin into smaller-scoped containerd plugins, such that they can be used and tested independently. The new sandbox and distribution interfaces provide one example of this,
but it is also being done for image and network management.

The version of ttrpc has been updated in this release to support streaming, allowing existing gRPC services to use ttrpc.
Services are being refactored to allow ttrpc implementations, which can be served via shim and accessed using the new sandbox management capability.

  • Remove gogoproto.customtype (#6699)
  • Remove enumvalue_customname, goproto_enum_prefix and enum_customname (#6708)
  • Remove all gogoproto extensions (#6829)
  • Migrate off from github.com/gogo/protobuf (#6841)
  • ttrpc streaming (ttrpc#107)
  • Add unpack interface for client (#6749)
  • Add collectible resources to metadata gc (#6804)
  • Add version to shim protocol (#8177)

Configuration

Existing CRI configurations will be supported until 2.0.
Any functionality split out of CRI will have its configuration migrated to new plugins.
Deprecated configuration versions and configurations for deprecated features will be removed in 2.0.

Deprecation

The 2.0 release will remove any feature deprecated in 1.x. Features deprecated in this release include:

  • Docker Schema 1 Image Deprecation (#6884)

CRI Updates

  • Fix CRI plugin to setup pod network after creating the sandbox container (#5904)
  • Support image pull progress timeout (#6150)
  • Add experimental support for runtime specific snapshotters (#6899)
  • Pass all TOML runtime configuration options from CRI to the runtime (#7764)
  • Support for user namespaces in stateless pods (KEP-127) (experimental) (#7679)
  • Add timeout option for drain exec io (#7832)
  • Add network plugin metrics (#7858)
  • CRI v1alpha2 is deprecated and will be removed from containerd in containerd v2.0; if you are using the CRI API please move up to CRI v1; Kubernetes supports CRI v1 since Kubernetes 1.23 (#7863)

Other

  • Support shallow content copy by adding reader option to local content reader at (#7414)
  • Add NoSameOwner option when unpacking tars (#7386)
  • Add FetcherByDigest for fetching blobs without fetching a manifest (#7460)
  • Update default seccomp profile to block socket calls to AF_VSOCK (#7510)
  • Replace fork on mount logic with CLONE_FS (#7513)
  • Add support for default registry host configuration (#7607)
  • Use github.com/minio/sha256-simd for more efficient sha256 calculation (#7732)
  • Make OCI options cross-platform (#7928)
  • Update release builds to build from Ubuntu 20.04 with glibc 2.31 (#8021)
  • Use data field from OCI descriptor when provided for fetch (#8076)

See the changelog for a complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

  • Derek McGowan
  • Kazuyoshi Kato
  • Maksym Pavlenko
  • Wei Fu
  • Phil Estes
  • Akihiro Suda
  • Sebastiaan van Stijn
  • Samuel Karp
  • Krisztian Litkey
  • Mike Brown
  • Stefan Berger
  • Danny Canter
  • Austin Vazquez
  • Daniel Canter
  • yanggang
  • Iceber Gu
  • Ye Sijun
  • Ed Bartosh
  • Luca Comellini
  • Adam Korcz
  • Nashwan Azhari
  • Tony Fang
  • ruiwen-zhao
  • xin.li
  • Brian Goff
  • Gabriel Adrian Samfira
  • Paul "TBBle" Hampson
  • Henry Wang
  • Kevin Parsons
  • Rodrigo Campos
  • zounengren
  • Justin Terry
  • Paco Xu
  • Shengjing Zhu
  • Swagat Bora
  • wanglei
  • Gavin Inglis
  • Akhil Mohan
  • Zechun Chen
  • guodong
  • lengrongfu
  • Hsing-Yu (David) Chen
  • James Jenkins
  • James Sturtevant
  • Kirtana Ashok
  • Michael Crosby
  • Qiutong Song
  • Shiming Zhang
  • Vincent Batts
  • dependabot[bot]
  • Antonio Ojea
  • Cameron Sparr
  • Casey Callendrello
  • Changwei Ge
  • Jian Zeng
  • Josh Seba
  • Junyu Liu
  • Kohei Tokunaga
  • Michael Zappa
  • Qasim Sarfraz
  • Tobias Klauser
  • Zhang Tianyang
  • pigletfly
  • yaoyinnan
  • Abirdcfly
  • Aditi Sharma
  • Amit Barve
  • Bennett-White
  • Bjorn Neergaard
  • Cory Snider
  • Craig Ingram
  • Eng Zer Jun
  • Eric Lin
  • Ethan Lowman
  • Fabian Hoffmann
  • Jess
  • Jiongchi Yu
  • Jonny Stoten
  • Juan Hoyos
  • Kang.Zhang
  • Kay Yan
  • Markus Lehtonen
  • Mikko Ylinen
  • Mohit Sharma
  • Paul Cacheux
  • Paul S. Schweigert
  • Qian Zhang
  • Tõnis Tiigi
  • Yasin Turan
  • bin liu
  • helen
  • yulng
  • Aman Sharma
  • Anastassios Nanos
  • Andrew G. Morgan
  • Andrey Klimentyev
  • Aniruddha Basak
  • Anthony Nandaa
  • Antti Kervinen
  • Aviral Takkar
  • Baoshuo
  • Benjamin Elder
  • Benjamin Wang
  • Brandon Lum
  • Chao Dai
  • Chuanying Du
  • Claudiu Bel...

containerd 1.7.0-rc.2

08 Mar 16:37
v1.7.0-rc.2
94cf2f5
Pre-release

Welcome to the v1.7.0-rc.2 release of containerd!
This is a pre-release of containerd

The eighth major release of containerd includes new functionality alongside many improvements.
This release is intended to be the last major release of containerd 1.x before 2.0.
Some functionality in this release may be considered experimental or unstable, but will become stable or default in 2.0.
This release still adheres to our backwards compatibility guarantees and users who do not use or enable new functionality should use this release with the same stability expectations.
The previous 1.6 release has also become a long term stable release for users who prefer releases with mostly stability improvements and wish to wait a few releases for new functionality.

Highlights

Sandbox API (experimental)

The sandbox API provides a new way of managing containerd's shim, providing more flexibility and functionality for multi-container environments such as Pods and VMs.
This API makes it easier to manage these groups of containers at a higher level and offers new extension points for shim implementations and clients.

  • Sandbox API (#6703)
  • CRI Sandbox API Implementation (#7228)

Transfer Service (experimental)

  • Transfer Service (#7320)

The transfer service provides a simple interface to transfer artifact objects between any source and destination. This allows for
pull and push operations to be done in containerd whether requested from clients or plugins. It is experimental in this release
to allow for further plugin development and integration into existing plugins.

See the Transfer Docs

NRI (experimental)

  • Extend NRI scope (nri#16)
  • Support for updated NRI (#6019)

The Node Resource Interface is a common framework for plugging extensions into OCI-compatible container runtimes. It provides
basic mechanisms for plugins to track the state of containers and to make limited changes to their configuration.

This release introduces NRI v0.3.0 with an updated plugin interface to cover a wide range of use cases.

See the NRI Docs

Platform Support

  • Linux containers on FreeBSD (#7000)

Runtime Features

  • Add support for CDI device injection (#6654)
  • Support for cgroups blockio (#5490)
  • Add restart policy for enhanced restart manager (#6744)

gRPC Shim Support (experimental)

  • Initial gRPC shim support (#8052)

Adds support for shims to use gRPC in addition to ttrpc. Existing ttrpc shim support is not going
away and will continue to be recommended for the best performance and lowest shim memory overhead.
The gRPC support allows implementation of a wider range of shim implementations which may not
have access to a stable ttrpc library in the implementation language. The shim protocol is also
updated to allow the shims to specify the protocol which is supported.

Road to 2.0

Refactoring

There are multiple places in the code today which are being targeted for refactoring to make long term support easier and to provide more extension points.

The CRI plugin is the most complex containerd plugin with a wide range of functionality. A major effort in this release and before 2.0 involves moving functionality
out of the single CRI plugin into smaller-scoped containerd plugins, such that they can be used and tested independently. The new sandbox and distribution interfaces provide one example of this,
but it is also being done for image and network management.

The version of ttrpc has been updated in this release to support streaming, allowing existing gRPC services to use ttrpc.
Services are being refactored to allow ttrpc implementations, which can be served via shim and accessed using the new sandbox management capability.

  • Remove gogoproto.customtype (#6699)
  • Remove enumvalue_customname, goproto_enum_prefix and enum_customname (#6708)
  • Remove all gogoproto extensions (#6829)
  • Migrate off from github.com/gogo/protobuf (#6841)
  • ttrpc streaming (ttrpc#107)
  • Add unpack interface for client (#6749)
  • Add collectible resources to metadata gc (#6804)
  • Add version to shim protocol (#8177)

Configuration

Existing CRI configurations will be supported until 2.0.
Any functionality split out of CRI will have its configuration migrated to new plugins.
Deprecated configuration versions and configurations for deprecated features will be removed in 2.0.

Deprecation

The 2.0 release will remove any feature deprecated in 1.x. Features deprecated in this release include:

  • Docker Schema 1 Image Deprecation (#6884)

CRI Updates

  • Fix CRI plugin to setup pod network after creating the sandbox container (#5904)
  • Support image pull progress timeout (#6150)
  • Add experimental support for runtime specific snapshotters (#6899)
  • Pass all TOML runtime configuration options from CRI to the runtime (#7764)
  • Support for user namespaces in stateless pods (KEP-127) (experimental) (#7679)
  • Add timeout option for drain exec io (#7832)
  • Add network plugin metrics (#7858)
  • CRI v1alpha2 is deprecated and will be removed from containerd in containerd v2.0; if you are using the CRI API please move up to CRI v1; Kubernetes supports CRI v1 since Kubernetes 1.23 (#7863)

Other

  • Support shallow content copy by adding reader option to local content reader at (#7414)
  • Add NoSameOwner option when unpacking tars (#7386)
  • Add FetcherByDigest for fetching blobs without fetching a manifest (#7460)
  • Update default seccomp profile to block socket calls to AF_VSOCK (#7510)
  • Replace fork on mount logic with CLONE_FS (#7513)
  • Add support for default registry host configuration (#7607)
  • Use github.com/minio/sha256-simd for more efficient sha256 calculation (#7732)
  • Make OCI options cross-platform (#7928)
  • Update release builds to build from Ubuntu 20.04 with glibc 2.31 (#8021)
  • Use data field from OCI descriptor when provided for fetch (#8076)

See the changelog for a complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

  • Derek McGowan
  • Kazuyoshi Kato
  • Maksym Pavlenko
  • Wei Fu
  • Phil Estes
  • Akihiro Suda
  • Sebastiaan van Stijn
  • Samuel Karp
  • Krisztian Litkey
  • Mike Brown
  • Stefan Berger
  • Danny Canter
  • Daniel Canter
  • Austin Vazquez
  • yanggang
  • Iceber Gu
  • Ye Sijun
  • Ed Bartosh
  • Luca Comellini
  • Adam Korcz
  • Nashwan Azhari
  • Tony Fang
  • ruiwen-zhao
  • xin.li
  • Brian Goff
  • Gabriel Adrian Samfira
  • Paul "TBBle" Hampson
  • Henry Wang
  • Kevin Parsons
  • Rodrigo Campos
  • zounengren
  • Justin Terry
  • Paco Xu
  • Shengjing Zhu
  • Swagat Bora
  • wanglei
  • Gavin Inglis
  • Akhil Mohan
  • Zechun Chen
  • guodong
  • lengrongfu
  • Hsing-Yu (David) Chen
  • James Jenkins
  • James Sturtevant
  • Kirtana Ashok
  • Michael Crosby
  • Qiutong Song
  • Shiming Zhang
  • Vincent Batts
  • Antonio Ojea
  • Cameron Sparr
  • Casey Callendrello
  • Changwei Ge
  • Jian Zeng
  • Josh Seba
  • Junyu Liu
  • Kohei Tokunaga
  • Michael Zappa
  • Qasim Sarfraz
  • Tobias Klauser
  • dependabot[bot]
  • pigletfly
  • yaoyinnan
  • Abirdcfly
  • Aditi Sharma
  • Amit Barve
  • Bennett-White
  • Bjorn Neergaard
  • Cory Snider
  • Craig Ingram
  • Eng Zer Jun
  • Eric Lin
  • Ethan Lowman
  • Fabian Hoffmann
  • Jess
  • Jiongchi Yu
  • Jonny Stoten
  • Juan Hoyos
  • Kang.Zhang
  • Kay Yan
  • Markus Lehtonen
  • Mikko Ylinen
  • Mohit Sharma
  • Paul Cacheux
  • Paul S. Schweigert
  • Qian Zhang
  • Tõnis Tiigi
  • Yasin Turan
  • Zhang Tianyang
  • bin liu
  • helen
  • yulng
  • Aman Sharma
  • Anastassios Nanos
  • Andrew G. Morgan
  • Andrey Klimentyev
  • Aniruddha Basak
  • Anthony Nandaa
  • Antti Kervinen
  • Aviral Takkar
  • Baoshuo
  • Benjamin Elder
  • Benjamin Wang
  • Brandon Lum
  • Chao Dai
  • Chuanying D...

containerd 1.7.0-rc.1

02 Mar 21:19
v1.7.0-rc.1
081d818
Pre-release

Welcome to the v1.7.0-rc.1 release of containerd!
This is a pre-release of containerd

The eighth major release of containerd includes new functionality alongside many improvements.
This release is intended to be the last major release of containerd 1.x before 2.0.
Some functionality in this release may be considered experimental or unstable, but will become stable or default in 2.0.
This release still adheres to our backwards compatibility guarantees and users who do not use or enable new functionality should use this release with the same stability expectations.
The previous 1.6 release has also become a long term stable release for users who prefer releases with mostly stability improvements and wish to wait a few releases for new functionality.

Highlights

Sandbox API (experimental)

The sandbox API provides a new way of managing containerd's shim, providing more flexibility and functionality for multi-container environments such as Pods and VMs.
This API makes it easier to manage these groups of containers at a higher level and offers new extension points for shim implementations and clients.

  • Sandbox API (#6703)
  • CRI Sandbox API Implementation (#7228)

Transfer Service (experimental)

  • Transfer Service (#7320)

The transfer service provides a simple interface to transfer artifact objects between any source and destination. This allows for
pull and push operations to be done in containerd whether requested from clients or plugins. It is experimental in this release
to allow for further plugin development and integration into existing plugins.

See the Transfer Docs

NRI (experimental)

  • Extend NRI scope (nri#16)
  • Support for updated NRI (#6019)

The Node Resource Interface is a common framework for plugging extensions into OCI-compatible container runtimes. It provides
basic mechanisms for plugins to track the state of containers and to make limited changes to their configuration.

This release introduces NRI v0.3.0 with an updated plugin interface to cover a wide range of use cases.

See the NRI Docs

Platform Support

  • Linux containers on FreeBSD (#7000)

Runtime Features

  • Add support for CDI device injection (#6654)
  • Support for cgroups blockio (#5490)
  • Add restart policy for enhanced restart manager (#6744)

gRPC Shim Support (experimental)

  • Initial gRPC shim support (#8052)

Adds support for shims to use gRPC in addition to ttrpc. Existing ttrpc shim support is not going
away and will continue to be recommended for the best performance and lowest shim memory overhead.
The gRPC support allows implementation of a wider range of shim implementations which may not
have access to a stable ttrpc library in the implementation language. The shim protocol is also
updated to allow the shims to specify the protocol which is supported.

Road to 2.0

Refactoring

There are multiple places in the code today which are being targeted for refactoring to make long term support easier and to provide more extension points.

The CRI plugin is the most complex containerd plugin with a wide range of functionality. A major effort in this release and before 2.0 involves moving functionality
out of the single CRI plugin into smaller-scoped containerd plugins, such that they can be used and tested independently. The new sandbox and distribution interfaces provide one example of this,
but it is also being done for image and network management.

The version of ttrpc has been updated in this release to support streaming, allowing existing gRPC services to use ttrpc.
Services are being refactored to allow ttrpc implementations, which can be served via shim and accessed using the new sandbox management capability.

  • Remove gogoproto.customtype (#6699)
  • Remove enumvalue_customname, goproto_enum_prefix and enum_customname (#6708)
  • Remove all gogoproto extensions (#6829)
  • Migrate off from github.com/gogo/protobuf (#6841)
  • ttrpc streaming (ttrpc#107)
  • Add unpack interface for client (#6749)
  • Add collectible resources to metadata gc (#6804)
  • Add version to shim protocol (#8177)

Configuration

Existing CRI configurations will be supported until 2.0.
Any functionality split out of CRI will have its configuration migrated to new plugins.
Deprecated configuration versions and configurations for deprecated features will be removed in 2.0.

Deprecation

The 2.0 release will remove any feature deprecated in 1.x. Features deprecated in this release include:

  • Docker Schema 1 Image Deprecation (#6884)

CRI Updates

  • Fix CRI plugin to setup pod network after creating the sandbox container (#5904)
  • Support image pull progress timeout (#6150)
  • Add experimental support for runtime specific snapshotters (#6899)
  • Pass all TOML runtime configuration options from CRI to the runtime (#7764)
  • Support for user namespaces in stateless pods (KEP-127) (experimental) (#7679)
  • Add network plugin metrics (#7858)
  • CRI v1alpha2 is deprecated and will be removed from containerd in containerd v2.0; if you are using the CRI API please move up to CRI v1; Kubernetes supports CRI v1 since Kubernetes 1.23 (#7863)

Other

  • Support shallow content copy by adding reader option to local content reader at (#7414)
  • Add NoSameOwner option when unpacking tars (#7386)
  • Add FetcherByDigest for fetching blobs without fetching a manifest (#7460)
  • Update default seccomp profile to block socket calls to AF_VSOCK (#7510)
  • Replace fork on mount logic with CLONE_FS (#7513)
  • Add support for default registry host configuration (#7607)
  • Use github.com/minio/sha256-simd for more efficient sha256 calculation (#7732)
  • Make OCI options cross-platform (#7928)
  • Update release builds to build from Ubuntu 20.04 with glibc 2.31 (#8021)
  • Use data field from OCI descriptor when provided for fetch (#8076)

See the changelog for a complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

  • Derek McGowan
  • Kazuyoshi Kato
  • Maksym Pavlenko
  • Phil Estes
  • Wei Fu
  • Akihiro Suda
  • Sebastiaan van Stijn
  • Samuel Karp
  • Krisztian Litkey
  • Mike Brown
  • Danny Canter
  • Daniel Canter
  • Austin Vazquez
  • yanggang
  • Iceber Gu
  • Ye Sijun
  • Ed Bartosh
  • Adam Korcz
  • Luca Comellini
  • Nashwan Azhari
  • Stefan Berger
  • Tony Fang
  • ruiwen-zhao
  • xin.li
  • Brian Goff
  • Gabriel Adrian Samfira
  • Paul "TBBle" Hampson
  • Henry Wang
  • Rodrigo Campos
  • Justin Terry
  • Kevin Parsons
  • Paco Xu
  • Shengjing Zhu
  • Swagat Bora
  • wanglei
  • zounengren
  • Gavin Inglis
  • Akhil Mohan
  • Zechun Chen
  • guodong
  • lengrongfu
  • James Jenkins
  • Michael Crosby
  • Qiutong Song
  • Shiming Zhang
  • Vincent Batts
  • Antonio Ojea
  • Cameron Sparr
  • Casey Callendrello
  • Changwei Ge
  • Hsing-Yu (David) Chen
  • Josh Seba
  • Junyu Liu
  • Kirtana Ashok
  • Kohei Tokunaga
  • Michael Zappa
  • Qasim Sarfraz
  • Tobias Klauser
  • pigletfly
  • yaoyinnan
  • Abirdcfly
  • Aditi Sharma
  • Amit Barve
  • Bennett-White
  • Bjorn Neergaard
  • Craig Ingram
  • Eng Zer Jun
  • Eric Lin
  • Ethan Lowman
  • Fabian Hoffmann
  • James Sturtevant
  • Jess
  • Jian Zeng
  • Jiongchi Yu
  • Jonny Stoten
  • Juan Hoyos
  • Kang.Zhang
  • Kay Yan
  • Markus Lehtonen
  • Mikko Ylinen
  • Mohit Sharma
  • Paul Cacheux
  • Paul S. Schweigert
  • Qian Zhang
  • Yasin Turan
  • Zhang Tianyang
  • bin liu
  • dependabot[bot]
  • helen
  • yulng
  • Aman Sharma
  • Anastassios Nanos
  • Andrew G. Morgan
  • Andrey Klimentyev
  • Aniruddha Basak
  • Anthony Nandaa
  • Antti Kervinen
  • Aviral Takkar
  • Baoshuo
  • Benjamin Elder
  • Benjamin Wang
  • Chao Dai
  • Chuanying Du
  • Claudiu Belu
  • Cory Snider
  • Daniel Lenar
  • Danielle Lancashire
  • Dat Nguyen
  • Davanum Srinivas
  • Dave
  • David Leadbeater
  • David Porter
  • Dmitry...