
[20.10 backport] update containerd binary v1.5.9, runc v1.0.3, and some script changes #43151

Merged (25 commits), Feb 10, 2022

Commits on Jan 20, 2022

  1. Revert "[20.10] update containerd binary to v1.4.12"

    This reverts commit d47de2a.
    
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    thaJeztah committed Jan 20, 2022 (13de46f)
  2. Revert "[20.10] update containerd binary to v1.4.11"

    This reverts commit 129a200.
    
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    thaJeztah committed Jan 20, 2022 (79fd9c1)
  3. Revert "[20.10] update containerd binary to v1.4.10"

    This reverts commit 6835d15.
    
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    thaJeztah committed Jan 20, 2022 (4e838e5)
  4. Revert "[20.10] update containerd binary to v1.4.9"

    This reverts commit e8fb8f7.
    
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    thaJeztah committed Jan 20, 2022 (eb2acf2)
  5. Revert "[20.10] update containerd binary v1.4.8"

    This reverts commit 067918a.
    
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    thaJeztah committed Jan 20, 2022 (9e36f77)
  6. Revert "[20.10] update containerd binary to v1.4.7"

    This reverts commit 793340a.
    
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    thaJeztah committed Jan 20, 2022 (de656f9)
  7. Revert "[20.10] update containerd binary to v1.4.6"

    This reverts commit 56541ec.
    
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    thaJeztah committed Jan 20, 2022 (b097d29)
  8. Revert "[20.10] update containerd binary to v1.4.5"

    This reverts commit 01f734c.
    
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    thaJeztah committed Jan 20, 2022 (1dd3775)
  9. update containerd binary to v1.5.0

    Welcome to the v1.5.0 release of containerd!
    
    The sixth major release of containerd includes many stability improvements
    and code organization changes to make contribution easier and make future
    features cleaner to develop. This includes bringing CRI development into the
    main containerd repository and switching to Go modules. This release also
    brings support for the Node Resource Interface (NRI).
    
    Highlights
    --------------------------------------------------------------------------------
    
    *Project Organization*
    
    - Merge containerd/cri codebase into containerd/containerd
    - Move to Go modules
    - Remove selinux build tag
    - Add json log format output option for daemon log
    
    *Snapshots*
    
    - Add configurable overlayfs path
    - Separate overlay implementation from plugin
    - Native snapshotter configuration and plugin separation
    - Devmapper snapshotter configuration and plugin separation
    - AUFS snapshotter configuration and plugin separation
    - ZFS snapshotter configuration and plugin separation
    - Pass custom snapshot labels when creating snapshot
    - Add platform check for snapshotter support when unpacking
    - Handle loopback mounts
    - Support userxattr mount option for overlay in user namespace
    - ZFS snapshotter implementation of usage
    
    *Distribution*
    
    - Improve registry response errors
    - Improve image pull performance over HTTP 1.1
    - Registry configuration package
    - Add support for layers compressed with zstd
    - Allow arm64 to fallback to arm (v8, v7, v6, v5)
    
    *Runtime*
    
    - Add annotations to containerd task update API
    - Add logging binary support when terminal is true
    - Runtime support on FreeBSD
    
    *Windows*
    
    - Implement windowsDiff.Compare to allow outputting OCI images
    - Optimize WCOW snapshotter to commit writable layers as read-only parent layers
    - Optimize LCOW snapshotter use of scratch layers
    
    *CRI*
    
    - Add NRI injection points cri#1552
    - Add support for registry host directory configuration
    - Update privileged containers to use current capabilities instead of known capabilities
    - Add pod annotations to CNI call
    - Enable ocicrypt by default
    - Support PID NamespaceMode_TARGET
    
    Impactful Client Updates
    --------------------------------------------------------------------------------
    
    This release has changes which may affect projects which import containerd.
    
    *Switch to Go modules*
    
    containerd and all containerd sub-repositories are now using Go modules. This
    should help make importing easier for handling transitive dependencies. As of
    this release, containerd still does not guarantee client library compatibility
    for 1.x versions, although best effort is made to minimize impact from changes
    to exported Go packages.
    
    *CRI plugin moved to main repository*
    
    With the CRI plugin moving into the main repository, imports under github.com/containerd/cri/
    can now be found at github.com/containerd/containerd/pkg/cri/.
    There are no changes required for end users of CRI.
    
    *Library changes*
    
    oci
    
    The WithAllCapabilities has been removed and replaced with WithAllCurrentCapabilities
    and WithAllKnownCapabilities. WithAllKnownCapabilities has similar
    functionality to the previous WithAllCapabilities with added support for newer
    capabilities. WithAllCurrentCapabilities can be used to give privileged
    containers the same set of permissions as the calling process, preventing errors
    when privileged containers attempt to get more permissions than given to the
    caller.
    
    *Configuration changes*
    
    New registry.config_path for CRI plugin
    
    registry.config_path specifies a directory to look for registry hosts
    configuration. When resolving an image name during pull operations, the CRI
    plugin will look in the <registry.config_path>/<image hostname>/ directory
    for host configuration. An optional hosts.toml file in that directory may be
    used to configure which hosts will be used for the pull operation as well as
    host-specific configurations. Updates under that directory do not require
    restarting the containerd daemon.
    
    Enable registry.config_path in the containerd configuration file.
    
        [plugins."io.containerd.grpc.v1.cri".registry]
           config_path = "/etc/containerd/certs.d"
    
    Configure registry hosts, such as /etc/containerd/certs.d/docker.io/hosts.toml
    for any image under the docker.io namespace (any image on Docker Hub).
    
        server = "https://registry-1.docker.io"
    
        [host."https://public-mirror.example.com"]
          capabilities = ["pull"]
        [host."https://docker-mirror.internal"]
          capabilities = ["pull", "resolve"]
          ca = "docker-mirror.crt"
    
    If no hosts.toml configuration exists in the host directory, it will fall back
    to checking certificate files based on Docker's certificate file
    pattern (".crt" files for CA certificates and ".cert"/".key" files for client
    certificates).
    
    *Deprecation of registry.mirrors and registry.configs in CRI plugin*
    
    Mirroring and TLS can now be configured using the new registry.config_path
    option. Existing configurations may be migrated to new host directory
    configuration. These fields are only deprecated with no planned removal,
    however, these configurations cannot be used while registry.config_path is
    defined.
    
    *Version 1 schema is deprecated*
    
    Version 2 of the containerd configuration toml is the recommended format and the
    default. Starting with this version, a deprecation warning will be logged when
    version 1 is used.
    
    To check the version, see the version value in the containerd toml configuration.
    
        version=2
    
    FreeBSD Runtime Support (Experimental)
    --------------------------------------------------------------------------------
    
    This release includes changes that allow containerd to run on FreeBSD with a
    compatible runtime, such as runj. This
    support should be considered experimental and currently there are no official
    binary releases for FreeBSD. The runtimes used by containerd are maintained
    separately and have their own stability guarantees. The containerd project
    strives to be compatible with any runtime which aims to implement containerd's
    shim API and OCI runtime specification.
    
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    (cherry picked from commit 9b2f55b)
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    thaJeztah committed Jan 20, 2022 (f036a34)
  10. update containerd binary to v1.5.1

    full diff: containerd/containerd@v1.5.0...v1.5.1
    
    Notable Updates
    
    - Update runc to rc94
    - Fix registry mirror authorization logic in CRI plugin
    - Fix regression in cri-cni-release to include cri tools
    
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    (cherry picked from commit 22c0291)
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    thaJeztah committed Jan 20, 2022 (23f23c9)
  11. update containerd binary to v1.5.2

    full diff: containerd/containerd@v1.5.1...v1.5.2
    
    The second patch release for containerd 1.5 is a security release to update
    runc for CVE-2021-30465.
    
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    (cherry picked from commit 8e3186f)
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    thaJeztah committed Jan 20, 2022 (5f09d5c)
  12. Update containerd binary to v1.5.3

    full diff: containerd/containerd@v1.5.2...v1.5.3
    
    Welcome to the v1.5.3 release of containerd!
    
    The third patch release for containerd 1.5 updates runc to 1.0.0 and contains
    various other fixes.
    
    Notable Updates
    
    - Update runc binary to 1.0.0
    - Send pod UID to CNI plugins as K8S_POD_UID
    - Fix invalid validation error checking
    - Fix error on image pull resume
    - Fix User Agent sent to registry authentication server
    - Fix symlink resolution for disk mounts on Windows
    
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    (cherry picked from commit 5ae2af4)
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    thaJeztah committed Jan 20, 2022 (1cd13dc)
  13. update containerd binary v1.4.8

    Update to containerd 1.4.8 to address [CVE-2021-32760][1].
    
    [1]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32760
    
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    (cherry picked from commit cf1328c)
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    thaJeztah committed Jan 20, 2022 (3021146)
  14. update containerd binary to v1.5.5

    Welcome to the v1.5.5 release of containerd!
    
    The fifth patch release for containerd 1.5 updates runc to 1.0.1 and contains
    other minor updates.
    
    Notable Updates
    
    - Update runc binary to 1.0.1
    - Update pull logic to try next mirror on non-404 response
    - Update pull authorization logic on redirect
    
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    (cherry picked from commit 4a07b89)
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    thaJeztah committed Jan 20, 2022 (fd32c70)
  15. info: remove "expected" check for tini version

    These checks were added when we required a specific version of containerd
    and runc (different versions were known to be incompatible). I don't think
    we had a similar requirement for tini, so this check was redundant. Let's
    remove the check altogether.
    
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    (cherry picked from commit b585c64)
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    thaJeztah committed Jan 20, 2022 (fb45fe6)
  16. remove deprecated "nokmem" build-tag for runc

    This build-tag was removed in opencontainers/runc@52390d6,
    which is part of runc v1.0.0-rc94 and up, so no longer relevant.
    
    The kmem options are now always disabled in runc.
    
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    (cherry picked from commit 3c7c18a)
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    thaJeztah committed Jan 20, 2022 (0f925d5)
  17. Dockerfile: remove GOPROXY override (was for go < 1.14)

    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    (cherry picked from commit 3cec4b8)
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    thaJeztah committed Jan 20, 2022 (2a18825)
  18. Dockerfile: use version for some utilities instead of commit-sha

    The golangci-lint, gotestsum, shfmt, and vndr utilities should generally
    be ok to be pinned by version instead of a specific sha. Also rename
    the corresponding env-vars / build-args accordingly:
    
    - GOLANGCI_LINT_COMMIT -> GOLANGCI_LINT_VERSION
    - GOTESTSUM_COMMIT -> GOTESTSUM_VERSION
    - SHFMT_COMMIT -> SHFMT_VERSION
    - VNDR_COMMIT -> VNDR_VERSION
    - CONTAINERD_COMMIT -> CONTAINERD_VERSION
    - RUNC_COMMIT -> RUNC_VERSION
    - ROOTLESS_COMMIT -> ROOTLESS_VERSION
    
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    (cherry picked from commit a7a7c73)
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    thaJeztah committed Jan 20, 2022 (b35a170)
  19. Dockerfile: use "go install" to install utilities

    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    (cherry picked from commit 14ff070)
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    thaJeztah committed Jan 20, 2022 (2716336)
  20. Dockerfile: update gotestsum to v1.7.0

    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    (cherry picked from commit 1b8db06)
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    thaJeztah committed Jan 20, 2022 (0f37f29)
  21. Update containerd binary to v1.5.6

    - Install apparmor parser for arm64 and update seccomp to 2.5.1
    - Update runc binary to 1.0.2
    - Update hcsshim to v0.8.21 to fix layer issue on Windows Server 2019
    - Add support for 'clone3' syscall to fix issue with certain images when seccomp is enabled
    - Add image config labels in CRI container creation
    - Fix panic in metadata content writer on copy error
    
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    (cherry picked from commit b746a2b)
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    thaJeztah committed Jan 20, 2022 (3700adb)
  22. Update containerd binary to v1.5.7

    The seventh patch release for containerd 1.5 is a security release to fix CVE-2021-41103.
    
    Notable Updates:
    
    - Fix insufficiently restricted permissions on container root and plugin directories
      GHSA-c2h3-6mxw-7mvq
    
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    (cherry picked from commit fa4a970)
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    thaJeztah committed Jan 20, 2022 (3fd0b8d)
  23. update containerd binary to v1.5.8

    The eighth patch release for containerd 1.5 contains a mitigation for CVE-2021-41190
    as well as several fixes and updates.
    
    Notable Updates
    
    * Handle ambiguous OCI manifest parsing
    * Filter selinux xattr for image volumes in CRI plugin
    * Use DeactiveLayer to unlock layers that cannot be renamed in Windows snapshotter
    * Fix pull failure on unexpected EOF
    * Close task IO before waiting on delete
    * Log a warning for ignored invalid image labels rather than erroring
    * Update pull to handle non-https URLs in descriptors
    
    See the changelog for a complete list of changes.
    
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    (cherry picked from commit aef782f)
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    thaJeztah committed Jan 20, 2022 (bd42e17)
  24. update runc binary to v1.0.3

    Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
    (cherry picked from commit 53397ac)
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    AkihiroSuda authored and thaJeztah committed Jan 20, 2022 (3e5eea4)
  25. update containerd binary to v1.5.9

    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    (cherry picked from commit df3ea5d)
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    thaJeztah committed Jan 20, 2022 (829f071)