
[20.10 backport] update containerd binary v1.5.9, runc v1.0.3, and some script changes #43151

Merged
merged 25 commits into from Feb 10, 2022

Conversation

thaJeztah
Member

@thaJeztah thaJeztah commented Jan 13, 2022

Per discussion on #43138 #43138 (comment);

Can we backport this to 20.10?

containerd v1.4 EOL is very soon (February 3, 2022) https://github.com/containerd/containerd/blob/main/RELEASES.md#support-horizon

This backports the containerd binary changes to the 20.10 branch for testing, first rolling back / reverting the 20.10-only commits, then cherry-picking the updates from master (to preserve history of those commits)

details below:

# https://github.com/moby/moby/pull/43024
git revert -s -S d47de2a4c7f9638ab4db17ad8c4d149e771954b9

# https://github.com/moby/moby/pull/42901
git revert -s -S 129a2000cf752e0afbe935d9e258f916becf8367
git revert -s -S 6835d15f5523063f0a04a86d4810a637c6010d62

# https://github.com/moby/moby/pull/42695
git revert -s -S e8fb8f7acd461db932bce5d7752c33fc9d75020d

# https://github.com/moby/moby/pull/42657
git revert -s -S 067918a8c3018580c86e6c6e6326f68add162876

# https://github.com/moby/moby/pull/42637
git revert -s -S 793340a33a33088f9d5f76031a59062e7e290eba

# https://github.com/moby/moby/pull/42398
git revert -s -S 56541eca9a9ec79fefb750605285d3d88899fb00

# https://github.com/moby/moby/pull/42372
git revert -s -S 01f734cb4f432760fc94a0fb6f64207628ca0662

# https://github.com/moby/moby/pull/42149
git cherry-pick -s -S -x 9b2f55bc1ca1544e407082bbfc626c4bf1745d7c

# https://github.com/moby/moby/pull/42383
git cherry-pick -s -S -x 22c0291333281e2b5d3f39b3c7bf5a31db829522

# https://github.com/moby/moby/pull/42399
git cherry-pick -s -S -x 8e3186fc8f05569200129ee5fd055eb6f25bba20

# https://github.com/moby/moby/pull/42636
git cherry-pick -s -S -x 5ae2af41eebab4e54c730d2b987bd6889dde432c

# https://github.com/moby/moby/pull/42656
git cherry-pick -s -S -x cf1328cd46987b07285fdb9f60b1b7da631f672d

# https://github.com/moby/moby/pull/42697
git cherry-pick -s -S -x 4a07b89e9a23f61de06a9390e49a3e16283f3672

# https://github.com/moby/moby/pull/42776
git cherry-pick -s -S -x b585c64e2b01f924fc358fe059871baa469bb460

# https://github.com/moby/moby/pull/42674 - see if this works
git cherry-pick -s -S -x 3c7c18a4992138ccd6e1d2a63b5ca44327f663bd
git cherry-pick -s -S -x 3cec4b8cd42179e67dcfdda2adce03516c6a5cd1
# conflict in Dockerfile.windows not yet having CONTAINERD_VERSION in it (see below)
git cherry-pick -s -S -x a7a7c732c0dc02ee5b5515f4ca868ef50cafa4a1
# conflict because hack/dockerfile/install/tomll.installer is not in this branch
git cherry-pick -s -S -x 14ff070469d8a1e1f1ea61df9593281f3147e238
# conflict in Dockerfile.windows not yet having CONTAINERD_VERSION in it
git cherry-pick -s -S -x 1b8db067856387b4cc80bd5813993475382993b6

# https://github.com/moby/moby/pull/42902
# conflict in Dockerfile.windows not yet having CONTAINERD_VERSION in it (see below)
git cherry-pick -s -S -x b746a2bf9b2a86a1072e7be719f1207a64a576fb
git cherry-pick -s -S -x fa4a9702be2a2707e7d7345272d58ff9e381f393

# https://github.com/moby/moby/pull/43025
git cherry-pick -s -S -x aef782f34844e70c79481cbecd35b01c9bb25ffa

# https://github.com/moby/moby/pull/43062
git cherry-pick -s -S -x 53397ac5391c49ebd534d06cc57b6a2a12a739d3

# https://github.com/moby/moby/pull/43138
# conflict in Dockerfile.windows not yet having CONTAINERD_VERSION in it (see below)
git cherry-pick -s -S -x df3ea5da03fcff55a47277a8190967e91b7363fa

Conflicts in a7a7c732c0dc02ee5b5515f4ca868ef50cafa4a1, and cherry-picks after that due to Dockerfile.windows not yet having CONTAINERD_VERSION in it in the 20.10 branch;

diff --cc Dockerfile.windows
index 00de2b0941,d56fce719a..0000000000
--- a/Dockerfile.windows
+++ b/Dockerfile.windows
@@@ -165,8 -165,9 +165,14 @@@ FROM microsoft/windowsservercor
  # Use PowerShell as the default shell
  SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]

++<<<<<<< HEAD
 +ARG GO_VERSION=1.16.12
 +ARG GOTESTSUM_COMMIT=v0.5.3
++=======
+ ARG GO_VERSION=1.17.0
+ ARG CONTAINERD_VERSION=1.5.5
+ ARG GOTESTSUM_VERSION=v0.5.3
++>>>>>>> a7a7c732c0 (Dockerfile: use version for some utilities instead of commit-sha)

  # Environment variable notes:
  #  - GO_VERSION must be consistent with 'Dockerfile' used by Linux.
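Review bot: resolving this conflict by taking the a7a7c732c0 side wholesale would also bump Dockerfile.windows from GO_VERSION=1.16.12 to 1.17.0, which is not part of this backport; keep the HEAD value for GO_VERSION and take only the new CONTAINERD_VERSION line plus the GOTESTSUM_COMMIT -> GOTESTSUM_VERSION rename (the rename is what the a7a7c73 commit message describes). The CONTAINERD_VERSION=1.5.5 in the incoming block is the value from the original master commit, while the PR title promises v1.5.9, so check that the later cherry-picks that conflict on the same lines (#42902, #43138) leave the final Dockerfile.windows at the intended version.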

@thaJeztah thaJeztah added this to the 20.10.13 milestone Jan 13, 2022
@thaJeztah
Member Author

Looks like we still have some test for the binary commits; need to check

=== RUN   TestInfoBinaryCommits
    info_linux_test.go:30: assertion failed:  (info.InitCommit.Expected string) != de40ad0 (info.InitCommit.ID string)
--- FAIL: TestInfoBinaryCommits (0.02s)

thaJeztah and others added 25 commits January 20, 2022 09:24
This reverts commit d47de2a.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This reverts commit 129a200.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This reverts commit 6835d15.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This reverts commit e8fb8f7.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This reverts commit 067918a.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This reverts commit 793340a.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This reverts commit 56541ec.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This reverts commit 01f734c.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Welcome to the v1.5.0 release of containerd!

The sixth major release of containerd includes many stability improvements
and code organization changes to make contribution easier and make future
features cleaner to develop. This includes bringing CRI development into the
main containerd repository and switching to Go modules. This release also
brings support for the Node Resource Interface (NRI).

Highlights
--------------------------------------------------------------------------------

*Project Organization*

- Merge containerd/cri codebase into containerd/containerd
- Move to Go modules
- Remove selinux build tag
- Add json log format output option for daemon log

*Snapshots*

- Add configurable overlayfs path
- Separate overlay implementation from plugin
- Native snapshotter configuration and plugin separation
- Devmapper snapshotter configuration and plugin separation
- AUFS snapshotter configuration and plugin separation
- ZFS snapshotter configuration and plugin separation
- Pass custom snapshot labels when creating snapshot
- Add platform check for snapshotter support when unpacking
- Handle loopback mounts
- Support userxattr mount option for overlay in user namespace
- ZFS snapshotter implementation of usage

*Distribution*

- Improve registry response errors
- Improve image pull performance over HTTP 1.1
- Registry configuration package
- Add support for layers compressed with zstd
- Allow arm64 to fallback to arm (v8, v7, v6, v5)

*Runtime*

- Add annotations to containerd task update API
- Add logging binary support when terminal is true
- Runtime support on FreeBSD

*Windows*

- Implement windowsDiff.Compare to allow outputting OCI images
- Optimize WCOW snapshotter to commit writable layers as read-only parent layers
- Optimize LCOW snapshotter use of scratch layers

*CRI*

- Add NRI injection points cri#1552
- Add support for registry host directory configuration
- Update privileged containers to use current capabilities instead of known capabilities
- Add pod annotations to CNI call
- Enable ocicrypt by default
- Support PID NamespaceMode_TARGET

Impactful Client Updates
--------------------------------------------------------------------------------

This release has changes which may affect projects which import containerd.

*Switch to Go modules*

containerd and all containerd sub-repositories are now using Go modules. This
should help make importing easier for handling transitive dependencies. As of
this release, containerd still does not guarantee client library compatibility
for 1.x versions, although best effort is made to minimize impact from changes
to exported Go packages.

*CRI plugin moved to main repository*

With the CRI plugin moving into the main repository, imports under github.com/containerd/cri/
can now be found under github.com/containerd/containerd/pkg/cri/.
There are no changes required for end users of CRI.

*Library changes*

oci

The WithAllCapabilities has been removed and replaced with WithAllCurrentCapabilities
and WithAllKnownCapabilities. WithAllKnownCapabilities has similar
functionality to the previous WithAllCapabilities with added support for newer
capabilities. WithAllCurrentCapabilities can be used to give privileged
containers the same set of permissions as the calling process, preventing errors
when privileged containers attempt to get more permissions than given to the
caller.

*Configuration changes*

New registry.config_path for CRI plugin

registry.config_path specifies a directory to look for registry hosts
configuration. When resolving an image name during pull operations, the CRI
plugin will look in the <registry.config_path>/<image hostname>/ directory
for host configuration. An optional hosts.toml file in that directory may be
used to configure which hosts will be used for the pull operation as well as
host-specific configurations. Updates under that directory do not require
restarting the containerd daemon.

Enable registry.config_path in the containerd configuration file.

    [plugins."io.containerd.grpc.v1.cri".registry]
       config_path = "/etc/containerd/certs.d"

Configure registry hosts, such as /etc/containerd/certs.d/docker.io/hosts.toml
for any image under the docker.io namespace (any image on Docker Hub).

    server = "https://registry-1.docker.io"

    [host."https://public-mirror.example.com"]
      capabilities = ["pull"]
    [host."https://docker-mirror.internal"]
      capabilities = ["pull", "resolve"]
      ca = "docker-mirror.crt"

If no hosts.toml configuration exists in the host directory, it will fall back
to check certificate files based on Docker's certificate file
pattern (".crt" files for CA certificates and ".cert"/".key" files for client
certificates).

*Deprecation of registry.mirrors and registry.configs in CRI plugin*

Mirroring and TLS can now be configured using the new registry.config_path
option. Existing configurations may be migrated to new host directory
configuration. These fields are only deprecated with no planned removal,
however, these configurations cannot be used while registry.config_path is
defined.

*Version 1 schema is deprecated*

Version 2 of the containerd configuration toml is the recommended format and the
default. Starting this version, a deprecation warning will be logged when
version 1 is used.

To check version, see the version value in the containerd toml configuration.

    version=2

FreeBSD Runtime Support (Experimental)
--------------------------------------------------------------------------------

This release includes changes that allow containerd to run on FreeBSD with a
compatible runtime, such as runj. This
support should be considered experimental and currently there are no official
binary releases for FreeBSD. The runtimes used by containerd are maintained
separately and have their own stability guarantees. The containerd project
strives to be compatible with any runtime which aims to implement containerd's
shim API and OCI runtime specification.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 9b2f55b)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: containerd/containerd@v1.5.0...v1.5.1

Notable Updates

- Update runc to rc94
- Fix registry mirror authorization logic in CRI plugin
- Fix regression in cri-cni-release to include cri tools

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 22c0291)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: containerd/containerd@v1.5.1...v1.5.2

The second patch release for containerd 1.5 is a security release to update
runc for CVE-2021-30465

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 8e3186f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: containerd/containerd@v1.5.2...v1.5.3

Welcome to the v1.5.3 release of containerd!

The third patch release for containerd 1.5 updates runc to 1.0.0 and contains
various other fixes.

Notable Updates

- Update runc binary to 1.0.0
- Send pod UID to CNI plugins as K8S_POD_UID
- Fix invalid validation error checking
- Fix error on image pull resume
- Fix User Agent sent to registry authentication server
- Fix symlink resolution for disk mounts on Windows

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 5ae2af4)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Update to containerd 1.4.8 to address [CVE-2021-32760][1].

[1]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32760

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit cf1328c)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Welcome to the v1.5.5 release of containerd!

The fifth patch release for containerd 1.5 updates runc to 1.0.1 and contains
other minor updates.

Notable Updates

- Update runc binary to 1.0.1
- Update pull logic to try next mirror on non-404 response
- Update pull authorization logic on redirect

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 4a07b89)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
These checks were added when we required a specific version of containerd
and runc (different versions were known to be incompatible). I don't think
we had a similar requirement for tini, so this check was redundant. Let's
remove the check altogether.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit b585c64)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This build-tag was removed in opencontainers/runc@52390d6,
which is part of runc v1.0.0-rc94 and up, so no longer relevant.

The kmem options are now always disabled in runc.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 3c7c18a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 3cec4b8)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The golangci-lint, gotestsum, shfmt, and vndr utilities should generally
be ok to be pinned by version instead of a specific sha. Also rename
the corresponding env-vars / build-args accordingly:

- GOLANGCI_LINT_COMMIT -> GOLANGCI_LINT_VERSION
- GOTESTSUM_COMMIT -> GOTESTSUM_VERSION
- SHFMT_COMMIT -> SHFMT_VERSION
- VNDR_COMMIT -> VNDR_VERSION
- CONTAINERD_COMMIT -> CONTAINERD_VERSION
- RUNC_COMMIT -> RUNC_VERSION
- ROOTLESS_COMMIT -> ROOTLESS_VERSION

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit a7a7c73)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 14ff070)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 1b8db06)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- Install apparmor parser for arm64 and update seccomp to 2.5.1
- Update runc binary to 1.0.2
- Update hcsshim to v0.8.21 to fix layer issue on Windows Server 2019
- Add support for 'clone3' syscall to fix issue with certain images when seccomp is enabled
- Add image config labels in CRI container creation
- Fix panic in metadata content writer on copy error

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit b746a2b)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The seventh patch release for containerd 1.5 is a security release to fix CVE-2021-41103.

Notable Updates:

- Fix insufficiently restricted permissions on container root and plugin directories
  GHSA-c2h3-6mxw-7mvq

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit fa4a970)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The eighth patch release for containerd 1.5 contains a mitigation for CVE-2021-41190
as well as several fixes and updates.

Notable Updates

* Handle ambiguous OCI manifest parsing
* Filter selinux xattr for image volumes in CRI plugin
* Use DeactiveLayer to unlock layers that cannot be renamed in Windows snapshotter
* Fix pull failure on unexpected EOF
* Close task IO before waiting on delete
* Log a warning for ignored invalid image labels rather than erroring
* Update pull to handle non-https urls in descriptors

See the changelog for the complete list of changes

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit aef782f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 53397ac)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit df3ea5d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@thaJeztah
Member Author

whoop; CI is green now. I'm moving this out of draft, but we can discuss further

Member

@cpuguy83 cpuguy83 left a comment


LGTM

@thaJeztah thaJeztah merged commit 9edb938 into moby:20.10 Feb 10, 2022
@thaJeztah thaJeztah deleted the 20.10_backport_containerd_15 branch February 10, 2022 19:36
@AkihiroSuda
Member

containerd v1.4 reached EOL: https://github.com/containerd/containerd/pull/6614/files

Can we have Docker 20.10.13 with containerd v1.5 rpms/debs soon?

@thaJeztah
Member Author

Yes, working on that; I'll push some final packages of containerd.io 1.4, and doing test-builds of 20.10.13 (and containerd.io 1.5)
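The thread ends on the operational question of which hosts have actually moved off the EOL containerd 1.4 line. As an added example (not code from this PR or from the moby project), the hypothetical helper below audits the versions a daemon reports through `docker version --format '{{json .}}'` against the floors this backport ships (containerd v1.5.9, runc v1.0.3); the sample JSON is constructed.

```python
"""Audit the containerd and runc versions a Docker daemon reports.
Hypothetical helper (not part of moby/containerd): feed it the output of
`docker version --format '{{json .}}'` and it flags daemons still on the
EOL containerd 1.4 line or a runc older than what this backport ships."""
import json
import re

# Floors shipped by this backport: containerd v1.5.9 and runc v1.0.3.
MINIMUM = {"containerd": (1, 5, 9), "runc": (1, 0, 3)}

# Optional 'v' prefix, x.y.z, optional pre-release suffix such as '-rc94'.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?")


def parse_version(text):
    """Map 'v1.0.0-rc94' or '1.5.9' to a tuple; pre-releases sort first."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    # Trailing 0 marks a pre-release, so (1,0,0,0) < (1,0,0,1): rc94 < 1.0.0.
    return (major, minor, patch, 0 if m.group(4) else 1)


def audit(version_json):
    """Return {component: (reported, status)}; status is ok/outdated/missing."""
    data = json.loads(version_json)
    # 'Server' is null when the client could not reach the daemon.
    components = {c["Name"]: c["Version"]
                  for c in (data.get("Server") or {}).get("Components", [])}
    result = {}
    for name, floor in MINIMUM.items():
        reported = components.get(name)
        if reported is None:
            result[name] = (None, "missing")
        elif parse_version(reported) >= floor + (1,):
            result[name] = (reported, "ok")
        else:
            result[name] = (reported, "outdated")
    return result


# Constructed sample of a 20.10 host still running the old binaries.
SAMPLE_OLD = json.dumps({"Client": {"Version": "20.10.12"}, "Server": {"Components": [
    {"Name": "Engine", "Version": "20.10.12"},
    {"Name": "containerd", "Version": "1.4.12"},
    {"Name": "runc", "Version": "1.0.2"},
    {"Name": "docker-init", "Version": "0.19.0"}]}})

if __name__ == "__main__":
    for component, (version, status) in audit(SAMPLE_OLD).items():
        print("%-10s %-8s %s" % (component, version, status))
```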
