Like stargz and nydus remote snapshotter, some snapshots
lables are introduced and passed to snapshotter from containerd
automatically. The label keys' length are all longer than 10.
The limitation of 10 characters makes it harder to debug what label
is not appropriate. So we'd better to print more of the wrong label.
Signed-off-by: Changwei Ge <gechangwei@bytedance.com>
This is the second patch release of the runc 1.1 release branch. It
fixes CVE-2022-29162, a minor security issue (which appears to not be
exploitable) related to process capabilities.
This is a similar bug to the ones found and fixed in Docker and
containerd recently (CVE-2022-24769).
- A bug was found in runc where runc exec --cap executed processes with
non-empty inheritable Linux process capabilities, creating an atypical Linux
environment. For more information, see GHSA-f3fp-gc8g-vw66 and CVE-2022-29162.
- runc spec no longer sets any inheritable capabilities in the created
example OCI spec (config.json) file.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
As we know, shim starts twice. The first time we execute the shim with the
`start` arguments, the `-debug` argument is passed to the shim
process correctly. But the second time we execute shim, the debug flag
is ignored.
Signed-off-by: wllenyj <wllenyj@linux.alibaba.com>
A container should not have access to tun/tap device, unless it is explicitly
specified in configuration.
This device was already removed from docker's default, and runc's default;
- 2ce40b6ad7
- 9c4570a958
Per the commit message in runc, this should also fix these messages;
> Apr 26 03:46:56 foo.bar systemd[1]: Couldn't stat device /dev/char/10:200: No such file or directory
coming from systemd on every container start, when the systemd cgroup driver
is used, and the system runs an old (< v240) version of systemd
(the message was presumably eliminated by [1]).
[1]: d5aecba6e0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Add exported `Wait(ctx context.Context) error` interface that waits on
the underlying command (or context cancellation) and returns the error.
This fixes a race condition between `.wait()` and `.Err error`:
https://github.com/containerd/containerd/issues/6914
Signed-off-by: Hamza El-Saawy <hamzaelsaawy@microsoft.com>
Following kubernetes-sigs/cri-tools#910 the Ginkgo reporters are left
configured with default settings and thus do not generate a JUnit report
file unless we explicitly pass a path for the outfile in the Windows
workflow when calling critest.exe.
Signed-off-by: Nashwan Azhari <nazhari@cloudbasesolutions.com>
Allow specifying specific versions of containerd for Kubernetes releases
and clarify recommendations and support policy.
Signed-off-by: Derek McGowan <derek@mcg.dev>
These tests are launching containerd and pulling busybox there, while
other tests are using busybox from TestMain().
This commit shares busybox at least between TestRestartMonitor and
TestRestartMonitorWithOnFailurePolicy to reduce the chance of
throttling from ghcr.io.
Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
Schema 1 has been substantially deprecated since circa. 2017 in favor of Schema 2 introduced in Docker 1.10 (Feb 2016)
and its successor OCI Image Spec v1, but we have not officially deprecated Schema 1.
One of the reasons was that Quay did not support Schema 2 so far, but it is reported that Quay has been
supporting Schema 2 since Feb 2020 (moby/buildkit issue 409).
This PR deprecates pulling Schema 1 images but the feature will not be removed before containerd 2.0.
Pushing Schema 1 images was never implemented in containerd (and its consumers such as BuildKit).
Docker/Moby already disabled pushing Schema 1 images in Docker 20.10 (moby/moby PR 41295),
but Docker/Moby has not yet disabled pulling Schema 1 as containerd has not yet deprecated Schema 1.
(See the comments in moby/moby PR 42300.)
Docker/Moby is expected to disable pulling Schema 1 images in future after this deprecation.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
