We changed the default setting for `enable_unprivileged_ports` and
`enable_unprivileged_icmp` in the CRI plugin in
https://github.com/containerd/containerd/pull/9348, but missed including
this change in the release notes.
Signed-off-by: Samuel Karp <samuelkarp@google.com>
- CRI support for user namespaces (PR 8803)
- CRI support for recursive read-only mounts (PR 9787)
- CDI is now enabled by default (PR 9621)
Co-authored-by: Samuel Karp <me@samuelkarp.com>
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
While some warnings were available in earlier versions, the first
"complete" implementation was in 1.7.12 and 1.6.27.
https://github.com/containerd/containerd/issues/9312 tracks that initial
set of warnings.
Signed-off-by: Samuel Karp <samuelkarp@google.com>
This commit fixes the duplicate copy and configure steps for
the Windows powershell scripts.
Fixes #9887
It also adds the architecture as a variable in preparation for
the ARM64 support that is coming.
Signed-off-by: Anthony Nandaa <profnandaa@gmail.com>
This commit adds an extra (optional) step for the Windows
installation/set-up to include the containerd binaries in
the $env:Path so that later executions, especially
of `ctr.exe` if needed, do not require specifying the full path.
It also further fixes the previous steps to be absolute and
also work with re-installations and upgrades.
Signed-off-by: Anthony Nandaa <profnandaa@gmail.com>
Prior to this commit, `readOnly` volumes were not recursively read-only and
could result in compromise of data;
e.g., even if `/mnt` was mounted as read-only, its submounts such as
`/mnt/usbstorage` were not read-only.
This commit utilizes runc's "rro" bind mount option to make read-only bind
mounts literally read-only. The "rro" bind mount option is implemented by
calling `mount_setattr(2)` with `MOUNT_ATTR_RDONLY` and `AT_RECURSIVE`.
The "rro" bind mount option requires kernel >= 5.12, with runc >= 1.1 or
a compatible runtime such as crun >= 1.4.
When the "rro" bind mount option is not available, containerd falls back
to the legacy non-recursive read-only mounts by default.
The behavior is configurable via `/etc/containerd/config.toml`:
```toml
version = 2
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
# treat_ro_mounts_as_rro ("Enabled"|"IfPossible"|"Disabled")
# treats read-only mounts as recursive read-only mounts.
# An empty string means "IfPossible".
# "Enabled" requires Linux kernel v5.12 or later.
# This configuration does not apply to non-volume mounts such as "/sys/fs/cgroup".
treat_ro_mounts_as_rro = ""
```
Replaces:
- kubernetes/enhancements issue 3857
- kubernetes/enhancements PR 3858
Note: this change does not affect non-CRI clients such as ctr, nerdctl, and Docker/Moby.
RRO mounts have been supported since nerdctl v0.14 (containerd/nerdctl PR 511)
and Docker v25 (moby/moby PR 45278).
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
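An added example (not containerd's or runc's own code) of the mechanism this commit describes: a recursive bind mount followed by `mount_setattr(2)` with `MOUNT_ATTR_RDONLY` and `AT_RECURSIVE`, beside the legacy remount that only makes the top-level mount read-only, plus the `treat_ro_mounts_as_rro` fallback rule. The syscall number, the `rro_mount_attr` struct layout and the function names are assumptions written here so the example compiles on older headers; the mount calls need CAP_SYS_ADMIN and a Linux >= 5.12 kernel.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifndef SYS_mount_setattr
#define SYS_mount_setattr 442          /* same syscall number on all architectures */
#endif
#ifndef AT_RECURSIVE
#define AT_RECURSIVE 0x8000
#endif
#define RRO_MOUNT_ATTR_RDONLY 0x1ULL   /* MOUNT_ATTR_RDONLY from <linux/mount.h> */
/* Same layout as the kernel's struct mount_attr; declared here (assumption) so
 * the example compiles against headers that predate mount_setattr(2). */
struct rro_mount_attr { uint64_t attr_set, attr_clr, propagation, userns_fd; };
enum rro_mode { RRO_ENABLED, RRO_IF_POSSIBLE, RRO_DISABLED, RRO_BAD_MODE };
enum rro_plan { PLAN_RRO, PLAN_LEGACY, PLAN_ERROR };

/* treat_ro_mounts_as_rro value -> mode; an empty string means "IfPossible". */
enum rro_mode parse_rro_mode(const char *s) {
    if (!s || !*s || !strcmp(s, "IfPossible")) return RRO_IF_POSSIBLE;
    if (!strcmp(s, "Enabled")) return RRO_ENABLED;
    if (!strcmp(s, "Disabled")) return RRO_DISABLED;
    return RRO_BAD_MODE;
}
/* Fallback rule from the commit: "IfPossible" degrades to the legacy
 * non-recursive read-only mount, "Enabled" refuses when rro is unavailable. */
enum rro_plan plan_ro_mount(enum rro_mode m, int kernel_has_rro) {
    if (m == RRO_DISABLED) return PLAN_LEGACY;
    if (m == RRO_ENABLED) return kernel_has_rro ? PLAN_RRO : PLAN_ERROR;
    if (m == RRO_IF_POSSIBLE) return kernel_has_rro ? PLAN_RRO : PLAN_LEGACY;
    return PLAN_ERROR;
}
/* Bind-mount src onto dst read-only. Returns 0 on success or -errno. */
int bind_mount_ro(const char *src, const char *dst, enum rro_plan plan) {
    if (plan == PLAN_ERROR) return -EOPNOTSUPP;
    if (mount(src, dst, NULL, MS_BIND | MS_REC, NULL) < 0) return -errno;
    if (plan == PLAN_RRO) {   /* rro: RDONLY applied to dst and every submount below it */
        struct rro_mount_attr a = { .attr_set = RRO_MOUNT_ATTR_RDONLY };
        if (syscall(SYS_mount_setattr, AT_FDCWD, dst, AT_RECURSIVE, &a, sizeof a) < 0)
            return -errno;
    } else if (mount(src, dst, NULL, MS_BIND | MS_REMOUNT | MS_RDONLY, NULL) < 0) {
        return -errno;        /* legacy: only the top-level mount becomes read-only */
    }
    return 0;
}
```

With the legacy branch, a submount such as `/mnt/usbstorage` under a read-only `/mnt` stays writable, which is exactly the gap the rro branch closes.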
The file was replaced with the "Please update your bookmark" page on
Apr 1, 2022 (PR 6758).
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>