[20.10 backport] update containerd binary v1.5.9, runc v1.0.3, and some script changes #43151
Commits on Jan 20, 2022
Revert "[20.10] update containerd binary to v1.4.12"
This reverts commit d47de2a.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Commit 13de46f

Revert "[20.10] update containerd binary to v1.4.11"
This reverts commit 129a200.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Commit 79fd9c1

Revert "[20.10] update containerd binary to v1.4.10"
This reverts commit 6835d15.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Commit 4e838e5

Revert "[20.10] update containerd binary to v1.4.9"
This reverts commit e8fb8f7.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Commit eb2acf2

Revert "[20.10] update containerd binary v1.4.8"
This reverts commit 067918a.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Commit 9e36f77

Revert "[20.10] update containerd binary to v1.4.7"
This reverts commit 793340a.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Commit de656f9

Revert "[20.10] update containerd binary to v1.4.6"
This reverts commit 56541ec.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Commit b097d29

Revert "[20.10] update containerd binary to v1.4.5"
This reverts commit 01f734c.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Commit 1dd3775

update containerd binary to v1.5.0
Welcome to the v1.5.0 release of containerd!

The sixth major release of containerd includes many stability improvements and code organization changes to make contribution easier and make future features cleaner to develop. This includes bringing CRI development into the main containerd repository and switching to Go modules. This release also brings support for the Node Resource Interface (NRI).

Highlights
--------------------------------------------------------------------------------

*Project Organization*

- Merge containerd/cri codebase into containerd/containerd
- Move to Go modules
- Remove selinux build tag
- Add json log format output option for daemon log

*Snapshots*

- Add configurable overlayfs path
- Separate overlay implementation from plugin
- Native snapshotter configuration and plugin separation
- Devmapper snapshotter configuration and plugin separation
- AUFS snapshotter configuration and plugin separation
- ZFS snapshotter configuration and plugin separation
- Pass custom snapshot labels when creating snapshot
- Add platform check for snapshotter support when unpacking
- Handle loopback mounts
- Support userxattr mount option for overlay in user namespace
- ZFS snapshotter implementation of usage

*Distribution*

- Improve registry response errors
- Improve image pull performance over HTTP 1.1
- Registry configuration package
- Add support for layers compressed with zstd
- Allow arm64 to fall back to arm (v8, v7, v6, v5)

*Runtime*

- Add annotations to containerd task update API
- Add logging binary support when terminal is true
- Runtime support on FreeBSD

*Windows*

- Implement windowsDiff.Compare to allow outputting OCI images
- Optimize WCOW snapshotter to commit writable layers as read-only parent layers
- Optimize LCOW snapshotter use of scratch layers

*CRI*

- Add NRI injection points cri#1552
- Add support for registry host directory configuration
- Update privileged containers to use current capabilities instead of known capabilities
- Add pod annotations to CNI call
- Enable ocicrypt by default
- Support PID NamespaceMode_TARGET

Impactful Client Updates
--------------------------------------------------------------------------------

This release has changes which may affect projects which import containerd.

*Switch to Go modules*

containerd and all containerd sub-repositories are now using Go modules. This should help make importing easier for handling transitive dependencies. As of this release, containerd still does not guarantee client library compatibility for 1.x versions, although best effort is made to minimize impact from changes to exported Go packages.

*CRI plugin moved to main repository*

With the CRI plugin moving into the main repository, imports under github.com/containerd/cri/ can now be found under github.com/containerd/containerd/pkg/cri/. There are no changes required for end users of CRI.

*Library changes*

oci

The WithAllCapabilities has been removed and replaced with WithAllCurrentCapabilities and WithAllKnownCapabilities. WithAllKnownCapabilities has similar functionality to the previous WithAllCapabilities with added support for newer capabilities. WithAllCurrentCapabilities can be used to give privileged containers the same set of permissions as the calling process, preventing errors when privileged containers attempt to get more permissions than given to the caller.

*Configuration changes*

New registry.config_path for CRI plugin

registry.config_path specifies a directory to look for registry hosts configuration. When resolving an image name during pull operations, the CRI plugin will look in the <registry.config_path>/<image hostname>/ directory for host configuration. An optional hosts.toml file in that directory may be used to configure which hosts will be used for the pull operation as well as host-specific configurations. Updates under that directory do not require restarting the containerd daemon.

Enable registry.config_path in the containerd configuration file.

    [plugins."io.containerd.grpc.v1.cri".registry]
      config_path = "/etc/containerd/certs.d"

Configure registry hosts, such as /etc/containerd/certs.d/docker.io/hosts.toml for any image under the docker.io namespace (any image on Docker Hub).

    server = "https://registry-1.docker.io"

    [host."https://public-mirror.example.com"]
      capabilities = ["pull"]
    [host."https://docker-mirror.internal"]
      capabilities = ["pull", "resolve"]
      ca = "docker-mirror.crt"

If no hosts.toml configuration exists in the host directory, it will fall back to check certificate files based on Docker's certificate file pattern (".crt" files for CA certificates and ".cert"/".key" files for client certificates).

*Deprecation of registry.mirrors and registry.configs in CRI plugin*

Mirroring and TLS can now be configured using the new registry.config_path option. Existing configurations may be migrated to new host directory configuration. These fields are only deprecated with no planned removal, however, these configurations cannot be used while registry.config_path is defined.

*Version 1 schema is deprecated*

Version 2 of the containerd configuration toml is the recommended format and the default. Starting this version, a deprecation warning will be logged when version 1 is used.

To check version, see the version value in the containerd toml configuration.

    version=2

FreeBSD Runtime Support (Experimental)
--------------------------------------------------------------------------------

This release includes changes that allow containerd to run on FreeBSD with a compatible runtime, such as runj. This support should be considered experimental and currently there are no official binary releases for FreeBSD. The runtimes used by containerd are maintained separately and have their own stability guarantees. The containerd project strives to be compatible with any runtime which aims to implement containerd's shim API and OCI runtime specification.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 9b2f55b)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Commit f036a34

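An added example, not part of the commit message or of containerd's own code: a Go audit of a registry.config_path directory that reports, per `<image hostname>/` directory, whether hosts.toml applies or the certificate-file fallback described in the v1.5.0 notes does. The type and function names are hypothetical, and treating a ".cert" file as usable only when a same-named ".key" sits beside it is an assumption based on Docker's certificate file pattern.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// HostConfig reports which configuration source applies to one host directory.
type HostConfig struct {
	Host, Source           string   // Source is "hosts.toml" or "cert-fallback"
	CAs, Clients, Problems []string // *.crt files; paired *.cert files; unpaired *.cert files
}

func exists(p string) bool { _, err := os.Stat(p); return err == nil }

// AuditCertsDir classifies every <configPath>/<image hostname>/ directory.
func AuditCertsDir(configPath string) ([]HostConfig, error) {
	hosts, err := os.ReadDir(configPath) // entries come back sorted by name
	if err != nil {
		return nil, err
	}
	var out []HostConfig
	for _, h := range hosts {
		if !h.IsDir() {
			continue
		}
		dir := filepath.Join(configPath, h.Name())
		hc := HostConfig{Host: h.Name(), Source: "cert-fallback"}
		if exists(filepath.Join(dir, "hosts.toml")) {
			hc.Source = "hosts.toml" // hosts.toml present: the fallback is not consulted
		} else {
			files, _ := os.ReadDir(dir)
			for _, f := range files {
				name := f.Name()
				key := strings.TrimSuffix(name, ".cert") + ".key"
				switch {
				case filepath.Ext(name) == ".crt": // CA certificate
					hc.CAs = append(hc.CAs, name)
				case filepath.Ext(name) == ".cert" && exists(filepath.Join(dir, key)):
					hc.Clients = append(hc.Clients, name) // client cert with its key
				case filepath.Ext(name) == ".cert":
					hc.Problems = append(hc.Problems, name+": no matching .key")
				}
			}
		}
		out = append(out, hc)
	}
	return out, nil
}

func main() {
	fmt.Println(AuditCertsDir("/etc/containerd/certs.d")) // path from the notes above
}
```

A host directory that reports "cert-fallback" with no CAs and no client certificates has no host-specific configuration at all.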
update containerd binary to v1.5.1
full diff: containerd/containerd@v1.5.0...v1.5.1

Notable Updates

- Update runc to rc94
- Fix registry mirror authorization logic in CRI plugin
- Fix regression in cri-cni-release to include cri tools

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 22c0291)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Commit 23f23c9

update containerd binary to v1.5.2
full diff: containerd/containerd@v1.5.1...v1.5.2

The second patch release for containerd 1.5 is a security release to update runc for CVE-2021-30465

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 8e3186f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Commit 5f09d5c

Update containerd binary to v1.5.3
full diff: containerd/containerd@v1.5.2...v1.5.3

Welcome to the v1.5.3 release of containerd!

The third patch release for containerd 1.5 updates runc to 1.0.0 and contains various other fixes.

Notable Updates

- Update runc binary to 1.0.0
- Send pod UID to CNI plugins as K8S_POD_UID
- Fix invalid validation error checking
- Fix error on image pull resume
- Fix User Agent sent to registry authentication server
- Fix symlink resolution for disk mounts on Windows

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 5ae2af4)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Commit 1cd13dc

update containerd binary v1.4.8
Update to containerd 1.4.8 to address [CVE-2021-32760][1].

[1]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32760

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit cf1328c)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Commit 3021146

update containerd binary to v1.5.5
Welcome to the v1.5.5 release of containerd!

The fifth patch release for containerd 1.5 updates runc to 1.0.1 and contains other minor updates.

Notable Updates

- Update runc binary to 1.0.1
- Update pull logic to try next mirror on non-404 response
- Update pull authorization logic on redirect

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 4a07b89)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Commit fd32c70

info: remove "expected" check for tini version
These checks were added when we required a specific version of containerd and runc (different versions were known to be incompatible).

I don't think we had a similar requirement for tini, so this check was redundant. Let's remove the check altogether.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit b585c64)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Commit fb45fe6

remove deprecated "nokmem" build-tag for runc
This build-tag was removed in opencontainers/runc@52390d6, which is part of runc v1.0.0-rc94 and up, so no longer relevant. The kmem options are now always disabled in runc.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 3c7c18a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Commit 0f925d5

Dockerfile: remove GOPROXY override (was for go < 1.14)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 3cec4b8)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Commit 2a18825

Dockerfile: use version for some utilities instead of commit-sha
The golangci-lint, gotestsum, shfmt, and vndr utilities should generally be ok to be pinned by version instead of a specific sha. Also rename the corresponding env-vars / build-args accordingly:

- GOLANGCI_LINT_COMMIT -> GOLANGCI_LINT_VERSION
- GOTESTSUM_COMMIT -> GOTESTSUM_VERSION
- SHFMT_COMMIT -> SHFMT_VERSION
- VNDR_COMMIT -> VNDR_VERSION
- CONTAINERD_COMMIT -> CONTAINERD_VERSION
- RUNC_COMMIT -> RUNC_VERSION
- ROOTLESS_COMMIT -> ROOTLESS_VERSION

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit a7a7c73)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Commit b35a170

Dockerfile: use "go install" to install utilities
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 14ff070)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Commit 2716336

Dockerfile: update gotestsum to v1.7.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 1b8db06)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Commit 0f37f29

Update containerd binary to v1.5.6
- Install apparmor parser for arm64 and update seccomp to 2.5.1
- Update runc binary to 1.0.2
- Update hcsshim to v0.8.21 to fix layer issue on Windows Server 2019
- Add support for 'clone3' syscall to fix issue with certain images when seccomp is enabled
- Add image config labels in CRI container creation
- Fix panic in metadata content writer on copy error

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit b746a2b)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Commit 3700adb

Update containerd binary to v1.5.7
The seventh patch release for containerd 1.5 is a security release to fix CVE-2021-41103.

Notable Updates:

- Fix insufficiently restricted permissions on container root and plugin directories GHSA-c2h3-6mxw-7mvq

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit fa4a970)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Commit 3fd0b8d

update containerd binary to v1.5.8
The eighth patch release for containerd 1.5 contains a mitigation for CVE-2021-41190 as well as several fixes and updates.

Notable Updates

* Handle ambiguous OCI manifest parsing
* Filter selinux xattr for image volumes in CRI plugin
* Use DeactiveLayer to unlock layers that cannot be renamed in Windows snapshotter
* Fix pull failure on unexpected EOF
* Close task IO before waiting on delete
* Log a warning for ignored invalid image labels rather than erroring
* Update pull to handle non-https urls in descriptors

See the changelog for complete list of changes

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit aef782f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Commit bd42e17

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 53397ac)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Commit 3e5eea4

update containerd binary to v1.5.9
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit df3ea5d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Commit 829f071