Fix issue 11228
`ctr images import --all-platforms` w/o `--local` was failing due to
`unable to initialize unpacker: no unpack platforms defined` error.
W/ `--local`, it unpacks the layers for the strict-default platform.
Now `ctr images import --all-platforms` w/o `--local` unpacks the layers
for the non-strict default platform.
This behavior still differs from `--local`.
i.e., on an arm64 host, arm/v{5,6,7} layers are unpacked too.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
These dependencies were updated to "master" in some modules we depend on,
but have no code-changes since their last release. Unfortunately, this also
causes a ripple effect, forcing all users of the containerd module to also
update these dependencies to an unrelease / un-tagged version.
Both these dependencies will unlikely do a new release in the near future,
so exclude these versions so that we can downgrade to the current release.
For additional details, see [this PR][1] and links mentioned in it.
[1]: https://github.com/kubernetes-sigs/kustomize/pull/5830#issuecomment-2569960859
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This fixes compatibility with alpine 3.21 and file 5.46+
- Fix additional possible `xx-cc`/`xx-cargo` compatibility issue with Alpine 3.21
- Support for Alpine 3.21
- Fix `xx-verify` with `file` 5.46+
- Fix possible error taking lock in `xx-apk` in latest Alpine without `coreutils`
full diff: https://github.com/tonistiigi/xx/compare/v1.2.1...v1.6.1
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
When kubelet enables UserNamespaceSupport feature gate, kubelet always
uses non-empty UsernsOptions to setup pods. In this case, the gVisor shim is
unable to parse runc.Option so that it will be unable to start container.
This change is to avoid adding IoOwner options if the UsernsOptions is
for node level. Since gVisor hasn't feature subcommand yet, CRI status
will report that gVisor runtime doesn't support user namespace. So it's
kind of workaround to avoid compatible issue.
REF: #11091
Signed-off-by: Wei Fu <fuweid89@gmail.com>
This is the third patch release of the 1.2.z release branch of runc. It
primarily fixes some minor regressions introduced in 1.2.0.
- Fixed a regression in use of securejoin.MkdirAll, where multiple
runc processes racing to create the same mountpoint in a shared rootfs
would result in spurious EEXIST errors. In particular, this regression
caused issues with BuildKit.
- Fixed a regression in eBPF support for pre-5.6 kernels after upgrading
Cilium's eBPF library version to 0.16 in runc.
full diff: https://github.com/opencontainers/runc/compare/v1.2.2...v1.2.3
release notes: https://github.com/opencontainers/runc/releases/tag/v1.2.3
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 981414521baf578a313c7b7af034ade6cb92b10d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Jin Dong <djdongjin95@gmail.com>
(cherry picked from commit 288001f68c5fd34cfbdc7284f14375a3762b8ff4)
Signed-off-by: Jin Dong <djdongjin95@gmail.com>
The containerd-shim creates pipes and passes them to the init container as
stdin, stdout, and stderr for logging purposes. By default, these pipes are
owned by the root user (UID/GID: 0/0). The init container can access them
directly through inheritance.
However, if the init container attempts to open any files pointing to these
pipes (e.g., /proc/1/fd/2, /dev/stderr), it will encounter a permission issue
since it is not the owner. To avoid this, we need to align the ownership of
the pipes with the init process.
Fixes: #10598
Signed-off-by: Wei Fu <fuweid89@gmail.com>
