Commit Graph

14070 Commits

Author SHA1 Message Date
Akihiro Suda
51d5544015
Merge pull request #10149 from containerd/dependabot/go_modules/github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus-1.0.1
build(deps): bump github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus from 1.0.0 to 1.0.1
2024-04-30 21:52:48 +00:00
dependabot[bot]
93690baf4e
build(deps): bump github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus
Bumps [github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus](https://github.com/grpc-ecosystem/go-grpc-middleware) from 1.0.0 to 1.0.1.
- [Release notes](https://github.com/grpc-ecosystem/go-grpc-middleware/releases)
- [Commits](https://github.com/grpc-ecosystem/go-grpc-middleware/compare/v1.0.0...providers/prometheus/v1.0.1)

---
updated-dependencies:
- dependency-name: github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-04-30 19:10:24 +00:00
Maksym Pavlenko
97ea691538
Merge pull request #8250 from dmcgowan/update-release-process
Update release process after 1.7
2024-04-30 19:10:02 +00:00
Maksym Pavlenko
97dd9d508a
Merge pull request #10019 from AkihiroSuda/cri-api-v0.30.0-rc.0
go.mod: k8s.io/cri-api v0.30.0
2024-04-30 18:27:46 +00:00
Maksym Pavlenko
c2c8730596
Merge pull request #10150 from containerd/dependabot/go_modules/github.com/urfave/cli/v2-2.27.2
build(deps): bump github.com/urfave/cli/v2 from 2.27.1 to 2.27.2
2024-04-30 18:23:04 +00:00
Maksym Pavlenko
9e1ad56b41
Merge pull request #10152 from zouyee/log
optimize error logs by providing absolute file paths
2024-04-30 18:22:01 +00:00
Akihiro Suda
4c753d1242
go.mod: k8s.io/cri-api v0.30.0
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-04-30 20:40:22 +09:00
Akihiro Suda
53160fb4b6
Merge pull request #10110 from AkihiroSuda/go-mod-1.22
go.mod: go 1.22
2024-04-30 09:19:17 +00:00
Abel Feng
de38490ed6 sandbox: merge address and protocol to one url
Signed-off-by: Abel Feng <fshb1988@gmail.com>
2024-04-30 15:28:00 +08:00
Abel Feng
c3b306240e add task api endpoint in task create options
Signed-off-by: Abel Feng <fshb1988@gmail.com>
2024-04-30 15:22:44 +08:00
Abel Feng
72fe47b2a2 add task api endpoint in oci proto
Signed-off-by: Abel Feng <fshb1988@gmail.com>
2024-04-30 15:20:04 +08:00
Abel Feng
b1fefccc78 sandbox: store endpoint in cri sandboxStore
Signed-off-by: Abel Feng <fshb1988@gmail.com>
2024-04-30 15:20:03 +08:00
Abel Feng
f6e0cf1894 sandbox: add address info in Start and Status response
Signed-off-by: Abel Feng <fshb1988@gmail.com>
2024-04-30 15:20:03 +08:00
Derek McGowan
2c7b992ad4
Merge pull request #10146 from containerd/dependabot/github_actions/golangci/golangci-lint-action-5
build(deps): bump golangci/golangci-lint-action from 4 to 5
2024-04-30 04:53:29 +00:00
Akihiro Suda
15782881ee
go.mod: go 1.22
Depended on by k8s.io/cri-api >= v0.30.0 (Kubernetes v1.30, PR 10019)
https://github.com/kubernetes/cri-api/blob/v0.30.0/go.mod#L5

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-04-30 11:53:20 +09:00
Akihiro Suda
2d5689434d
CI: use Go 1.22 by default
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-04-30 11:52:36 +09:00
Akihiro Suda
fef78c1024
install-runc: pin Go to 1.21
runc is incompatible with Go 1.22 on glibc-based distros
(opencontainers/runc issue 4233)

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-04-30 11:52:32 +09:00
zouyee
11d8beff80 optimize error logs by providing absolute file paths
Signed-off-by: zouyee <zouyee1989@gmail.com>
2024-04-30 09:08:01 +08:00
dependabot[bot]
81a9df625b
build(deps): bump github.com/urfave/cli/v2 from 2.27.1 to 2.27.2
Bumps [github.com/urfave/cli/v2](https://github.com/urfave/cli) from 2.27.1 to 2.27.2.
- [Release notes](https://github.com/urfave/cli/releases)
- [Changelog](https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md)
- [Commits](https://github.com/urfave/cli/compare/v2.27.1...v2.27.2)

---
updated-dependencies:
- dependency-name: github.com/urfave/cli/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-04-29 23:38:41 +00:00
dependabot[bot]
c001a70562
build(deps): bump lycheeverse/lychee-action from 1.9.3 to 1.10.0
Bumps [lycheeverse/lychee-action](https://github.com/lycheeverse/lychee-action) from 1.9.3 to 1.10.0.
- [Release notes](https://github.com/lycheeverse/lychee-action/releases)
- [Commits](https://github.com/lycheeverse/lychee-action/compare/v1.9.3...v1.10.0)

---
updated-dependencies:
- dependency-name: lycheeverse/lychee-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-04-29 23:19:13 +00:00
dependabot[bot]
6df759e243
build(deps): bump golangci/golangci-lint-action from 4 to 5
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 4 to 5.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/v4...v5)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-04-29 23:19:10 +00:00
Maksym Pavlenko
7feb1f327d
Merge pull request #9853 from abel-von/make-shim-independent
sandbox: make an independent shim plugin
2024-04-29 21:07:21 +00:00
Maksym Pavlenko
b3dd6e3860
Merge pull request #10145 from thaJeztah/cri_startup_logs_step1
pkg/cri/server/base: use structured log for CRI plugin startup and log config as embedded JSON
2024-04-29 19:54:39 +00:00
Sebastiaan van Stijn
b7c9774140
container.Checkpoint(), WithRestoreImage(): use ocispec.AnnotationRefName
instead of a locally defined const

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-04-29 13:26:21 +02:00
Sebastiaan van Stijn
8a8c3e2215
pkg/cri/server/base: log CRI config as embedded JSON
Use the JSON-encoded representation of the config used, which allows
users to reconstruct a (valid) config file from the logs, which may be
more useful for debugging purposes than the internal (Go) representation.

Before this:

    INFO[2023-12-07T15:33:39.914626385Z] starting cri plugin                           config="{PluginConfig:{ContainerdConfig:{Snapshotter:overlayfs DefaultRuntimeName:runc Runtimes:map[runc:{Type:io.containerd.runc.v2 Path: PodAnnotations:[] ContainerAnnotations:[] Options:map[BinaryName: CriuImagePath: CriuWorkPath: IoGid:0 IoUid:0 NoNewKeyring:false Root: ShimCgroup:] PrivilegedWithoutHostDevices:false PrivilegedWithoutHostDevicesAllDevicesAllowed:false BaseRuntimeSpec: NetworkPluginConfDir: NetworkPluginMaxConfNum:0 Snapshotter: Sandboxer:podsandbox}] DisableSnapshotAnnotations:true DiscardUnpackedLayers:false IgnoreBlockIONotEnabledErrors:false IgnoreRdtNotEnabledErrors:false} CniConfig:{NetworkPluginBinDir:/opt/cni/bin NetworkPluginConfDir:/etc/cni/net.d NetworkPluginMaxConfNum:1 NetworkPluginSetupSerially:false NetworkPluginConfTemplate: IPPreference:} Registry:{ConfigPath: Mirrors:map[] Configs:map[] Auths:map[] Headers:map[]} ImageDecryption:{KeyModel:node} DisableTCPService:true StreamServerAddress:127.0.0.1 StreamServerPort:0 StreamIdleTimeout:4h0m0s EnableSelinux:false SelinuxCategoryRange:1024 SandboxImage:registry.k8s.io/pause:3.9 StatsCollectPeriod:10 EnableTLSStreaming:false X509KeyPairStreaming:{TLSCertFile: TLSKeyFile:} MaxContainerLogLineSize:16384 DisableCgroup:false DisableApparmor:false RestrictOOMScoreAdj:false MaxConcurrentDownloads:3 DisableProcMount:false UnsetSeccompProfile: TolerateMissingHugetlbController:true DisableHugetlbController:true DeviceOwnershipFromSecurityContext:false IgnoreImageDefinedVolumes:false NetNSMountsUnderStateDir:false EnableUnprivilegedPorts:true EnableUnprivilegedICMP:true EnableCDI:false CDISpecDirs:[/etc/cdi /var/run/cdi] ImagePullProgressTimeout:5m0s DrainExecSyncIOTimeout:0s} ContainerdRootDir:/var/lib/docker/containerd/daemon ContainerdEndpoint:/var/run/docker/containerd/containerd.sock RootDir:/var/lib/docker/containerd/daemon/io.containerd.grpc.v1.cri StateDir:/var/run/docker/containerd/daemon/io.containerd.grpc.v1.cri}"

After this:

    INFO[2023-12-07T15:27:15.862946138Z] starting cri plugin                           config="{\"containerd\":{\"snapshotter\":\"overlayfs\",\"defaultRuntimeName\":\"runc\",\"runtimes\":{\"runc\":{\"runtimeType\":\"io.containerd.runc.v2\",\"runtimePath\":\"\",\"PodAnnotations\":null,\"ContainerAnnotations\":null,\"options\":{\"BinaryName\":\"\",\"CriuImagePath\":\"\",\"CriuWorkPath\":\"\",\"IoGid\":0,\"IoUid\":0,\"NoNewKeyring\":false,\"Root\":\"\",\"ShimCgroup\":\"\"},\"privileged_without_host_devices\":false,\"privileged_without_host_devices_all_devices_allowed\":false,\"baseRuntimeSpec\":\"\",\"cniConfDir\":\"\",\"cniMaxConfNum\":0,\"snapshotter\":\"\",\"sandboxer\":\"podsandbox\"}},\"disableSnapshotAnnotations\":true,\"discardUnpackedLayers\":false,\"ignoreBlockIONotEnabledErrors\":false,\"ignoreRdtNotEnabledErrors\":false},\"cni\":{\"binDir\":\"/opt/cni/bin\",\"confDir\":\"/etc/cni/net.d\",\"maxConfNum\":1,\"setupSerially\":false,\"confTemplate\":\"\",\"ipPref\":\"\"},\"registry\":{\"configPath\":\"\",\"mirrors\":null,\"configs\":null,\"auths\":null,\"headers\":null},\"imageDecryption\":{\"keyModel\":\"node\"},\"disableTCPService\":true,\"streamServerAddress\":\"127.0.0.1\",\"streamServerPort\":\"0\",\"streamIdleTimeout\":\"4h0m0s\",\"enableSelinux\":false,\"selinuxCategoryRange\":1024,\"sandboxImage\":\"registry.k8s.io/pause:3.9\",\"statsCollectPeriod\":10,\"enableTLSStreaming\":false,\"x509KeyPairStreaming\":{\"tlsCertFile\":\"\",\"tlsKeyFile\":\"\"},\"maxContainerLogSize\":16384,\"disableCgroup\":false,\"disableApparmor\":false,\"restrictOOMScoreAdj\":false,\"maxConcurrentDownloads\":3,\"disableProcMount\":false,\"unsetSeccompProfile\":\"\",\"tolerateMissingHugetlbController\":true,\"disableHugetlbController\":true,\"device_ownership_from_security_context\":false,\"ignoreImageDefinedVolumes\":false,\"netnsMountsUnderStateDir\":false,\"enableUnprivilegedPorts\":true,\"enableUnprivilegedICMP\":true,\"enableCDI\":false,\"cdiSpecDirs\":[\"/etc/cdi\",\"/var/run/cdi\"],\"imagePullProgressTimeout\":\"5m0s\",\"drainExecSyncIOTimeout\":\"0s\",\"containerdRootDir\":\"/var/lib/docker/containerd/daemon\",\"containerdEndpoint\":\"/var/run/docker/containerd/containerd.sock\",\"rootDir\":\"/var/lib/docker/containerd/daemon/io.containerd.grpc.v1.cri\",\"stateDir\":\"/var/run/docker/containerd/daemon/io.containerd.grpc.v1.cri\"}"

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-04-29 13:10:54 +02:00
Sebastiaan van Stijn
f62edda5a2
pkg/cri/server/base: use structured log for CRI plugin startup
Log the config as a field instead of as part of the log message.

Before this:

    INFO[2023-12-07T14:58:43.515360429Z] loading plugin                                id=io.containerd.tracing.processor.v1.otlp type=io.containerd.tracing.processor.v1
    INFO[2023-12-07T14:58:43.515787512Z] loading plugin                                id=io.containerd.internal.v1.tracing type=io.containerd.internal.v1
    INFO[2023-12-07T14:58:43.515974429Z] loading plugin                                id=io.containerd.internal.v1.cri type=io.containerd.internal.v1
    INFO[2023-12-07T14:58:43.516037887Z] Start cri plugin with config {PluginConfig:{ContainerdConfig:{Snapshotter:overlayfs DefaultRuntimeName:runc Runtimes:map[runc:{Type:io.containerd.runc.v2 Path: PodAnnotations:[] ContainerAnnotations:[] Options:map[BinaryName: CriuImagePath: CriuWorkPath: IoGid:0 IoUid:0 NoNewKeyring:false Root: ShimCgroup:] PrivilegedWithoutHostDevices:false PrivilegedWithoutHostDevicesAllDevicesAllowed:false BaseRuntimeSpec: NetworkPluginConfDir: NetworkPluginMaxConfNum:0 Snapshotter: Sandboxer:podsandbox}] DisableSnapshotAnnotations:true DiscardUnpackedLayers:false IgnoreBlockIONotEnabledErrors:false IgnoreRdtNotEnabledErrors:false} CniConfig:{NetworkPluginBinDir:/opt/cni/bin NetworkPluginConfDir:/etc/cni/net.d NetworkPluginMaxConfNum:1 NetworkPluginSetupSerially:false NetworkPluginConfTemplate: IPPreference:} Registry:{ConfigPath: Mirrors:map[] Configs:map[] Auths:map[] Headers:map[]} ImageDecryption:{KeyModel:node} DisableTCPService:true StreamServerAddress:127.0.0.1 StreamServerPort:0 StreamIdleTimeout:4h0m0s EnableSelinux:false SelinuxCategoryRange:1024 SandboxImage:registry.k8s.io/pause:3.9 StatsCollectPeriod:10 EnableTLSStreaming:false X509KeyPairStreaming:{TLSCertFile: TLSKeyFile:} MaxContainerLogLineSize:16384 DisableCgroup:false DisableApparmor:false RestrictOOMScoreAdj:false MaxConcurrentDownloads:3 DisableProcMount:false UnsetSeccompProfile: TolerateMissingHugetlbController:true DisableHugetlbController:true DeviceOwnershipFromSecurityContext:false IgnoreImageDefinedVolumes:false NetNSMountsUnderStateDir:false EnableUnprivilegedPorts:true EnableUnprivilegedICMP:true EnableCDI:false CDISpecDirs:[/etc/cdi /var/run/cdi] ImagePullProgressTimeout:5m0s DrainExecSyncIOTimeout:0s} ContainerdRootDir:/var/lib/docker/containerd/daemon ContainerdEndpoint:/var/run/docker/containerd/containerd.sock RootDir:/var/lib/docker/containerd/daemon/io.containerd.grpc.v1.cri StateDir:/var/run/docker/containerd/daemon/io.containerd.grpc.v1.cri}

After this:

    INFO[2023-12-07T15:33:39.914112719Z] loading plugin                                id=io.containerd.tracing.processor.v1.otlp type=io.containerd.tracing.processor.v1
    INFO[2023-12-07T15:33:39.914526135Z] loading plugin                                id=io.containerd.internal.v1.tracing type=io.containerd.internal.v1
    INFO[2023-12-07T15:33:39.914580427Z] loading plugin                                id=io.containerd.internal.v1.cri type=io.containerd.internal.v1
    INFO[2023-12-07T15:33:39.914626385Z] starting cri plugin                           config="{PluginConfig:{ContainerdConfig:{Snapshotter:overlayfs DefaultRuntimeName:runc Runtimes:map[runc:{Type:io.containerd.runc.v2 Path: PodAnnotations:[] ContainerAnnotations:[] Options:map[BinaryName: CriuImagePath: CriuWorkPath: IoGid:0 IoUid:0 NoNewKeyring:false Root: ShimCgroup:] PrivilegedWithoutHostDevices:false PrivilegedWithoutHostDevicesAllDevicesAllowed:false BaseRuntimeSpec: NetworkPluginConfDir: NetworkPluginMaxConfNum:0 Snapshotter: Sandboxer:podsandbox}] DisableSnapshotAnnotations:true DiscardUnpackedLayers:false IgnoreBlockIONotEnabledErrors:false IgnoreRdtNotEnabledErrors:false} CniConfig:{NetworkPluginBinDir:/opt/cni/bin NetworkPluginConfDir:/etc/cni/net.d NetworkPluginMaxConfNum:1 NetworkPluginSetupSerially:false NetworkPluginConfTemplate: IPPreference:} Registry:{ConfigPath: Mirrors:map[] Configs:map[] Auths:map[] Headers:map[]} ImageDecryption:{KeyModel:node} DisableTCPService:true StreamServerAddress:127.0.0.1 StreamServerPort:0 StreamIdleTimeout:4h0m0s EnableSelinux:false SelinuxCategoryRange:1024 SandboxImage:registry.k8s.io/pause:3.9 StatsCollectPeriod:10 EnableTLSStreaming:false X509KeyPairStreaming:{TLSCertFile: TLSKeyFile:} MaxContainerLogLineSize:16384 DisableCgroup:false DisableApparmor:false RestrictOOMScoreAdj:false MaxConcurrentDownloads:3 DisableProcMount:false UnsetSeccompProfile: TolerateMissingHugetlbController:true DisableHugetlbController:true DeviceOwnershipFromSecurityContext:false IgnoreImageDefinedVolumes:false NetNSMountsUnderStateDir:false EnableUnprivilegedPorts:true EnableUnprivilegedICMP:true EnableCDI:false CDISpecDirs:[/etc/cdi /var/run/cdi] ImagePullProgressTimeout:5m0s DrainExecSyncIOTimeout:0s} ContainerdRootDir:/var/lib/docker/containerd/daemon ContainerdEndpoint:/var/run/docker/containerd/containerd.sock RootDir:/var/lib/docker/containerd/daemon/io.containerd.grpc.v1.cri StateDir:/var/run/docker/containerd/daemon/io.containerd.grpc.v1.cri}"

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-04-29 13:10:51 +02:00
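The two commits above (f62edda5a2 moves the config into a log field, 8a8c3e2215 encodes that field as JSON) make the CRI plugin's effective configuration recoverable from a node's startup log. The following is an added example, not code from containerd or from these commits: it pulls the config= field back out of one logrus text-format line, decodes the JSON, and lists the isolation-relevant settings that sit at their looser value. The log line in the block is constructed in the post-8a8c3e2215 format and cut down to the keys inspected; the choice of which keys to flag is this example's own, not a containerd recommendation.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample: one "starting cri plugin" line in the post-8a8c3e2215
// format, cut down to the keys this example inspects. The value is quoted
// the way logrus quotes fields (%q), so the JSON inside is backslash-escaped.
const sampleLogLine = `INFO[2023-12-07T15:27:15.862946138Z] starting cri plugin                           config="{\"containerd\":{\"snapshotter\":\"overlayfs\",\"defaultRuntimeName\":\"runc\"},\"disableTCPService\":true,\"streamServerAddress\":\"127.0.0.1\",\"enableSelinux\":false,\"enableTLSStreaming\":false,\"disableApparmor\":false,\"restrictOOMScoreAdj\":false,\"disableProcMount\":false,\"unsetSeccompProfile\":\"\",\"enableUnprivilegedPorts\":true,\"enableUnprivilegedICMP\":true}"`

// ExtractConfigJSON returns the JSON carried in the config= field of a
// logrus text-format line. strconv.QuotedPrefix stops at the closing quote,
// so fields that follow config= on the same line do not break the parse.
func ExtractConfigJSON(line string) (string, error) {
	const marker = " config="
	i := strings.Index(line, marker)
	if i < 0 {
		return "", errors.New("no config= field on this line")
	}
	quoted, err := strconv.QuotedPrefix(line[i+len(marker):])
	if err != nil {
		return "", fmt.Errorf("config field is not a quoted string: %w", err)
	}
	return strconv.Unquote(quoted)
}

// Finding is one setting worth a second look, with the value seen.
type Finding struct {
	Key   string
	Value any
	Note  string
}

// AuditCRIConfig decodes the logged config and returns it together with the
// isolation-relevant settings that are at their looser value. Which keys
// count as "looser" is this example's judgement, not containerd's.
func AuditCRIConfig(line string) (map[string]any, []Finding, error) {
	raw, err := ExtractConfigJSON(line)
	if err != nil {
		return nil, nil, err
	}
	var cfg map[string]any
	if err := json.Unmarshal([]byte(raw), &cfg); err != nil {
		return nil, nil, fmt.Errorf("config field is not valid JSON: %w", err)
	}
	var findings []Finding
	boolChecks := []struct {
		key  string
		bad  bool
		note string
	}{
		{"disableApparmor", true, "AppArmor confinement of containers is disabled"},
		{"enableSelinux", false, "SELinux labelling is disabled (matters only on SELinux hosts)"},
		{"disableProcMount", true, "sensitive /proc paths are not masked in containers"},
		{"restrictOOMScoreAdj", false, "containers may lower their own oom_score_adj"},
		{"enableUnprivilegedPorts", true, "unprivileged container processes may bind ports below 1024"},
		{"enableUnprivilegedICMP", true, "unprivileged container processes may open ICMP sockets"},
	}
	for _, c := range boolChecks {
		if v, ok := cfg[c.key].(bool); ok && v == c.bad {
			findings = append(findings, Finding{c.key, v, c.note})
		}
	}
	// An empty unset_seccomp_profile means a container whose spec names no
	// seccomp profile gets none at all.
	if p, ok := cfg["unsetSeccompProfile"].(string); ok && p == "" {
		findings = append(findings, Finding{"unsetSeccompProfile", p, "containers whose spec sets no seccomp profile run without one"})
	}
	// Plaintext exec/attach streaming is only a concern off loopback.
	tls, _ := cfg["enableTLSStreaming"].(bool)
	addr, _ := cfg["streamServerAddress"].(string)
	if !tls && addr != "127.0.0.1" && addr != "localhost" && addr != "::1" {
		findings = append(findings, Finding{"enableTLSStreaming", tls, "exec/attach streaming is plaintext on non-loopback address " + addr})
	}
	return cfg, findings, nil
}

// PrettyConfig re-encodes the decoded config with indentation for review.
func PrettyConfig(cfg map[string]any) (string, error) {
	b, err := json.MarshalIndent(cfg, "", "  ")
	return string(b), err
}

func main() {
	cfg, findings, err := AuditCRIConfig(sampleLogLine)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	pretty, _ := PrettyConfig(cfg)
	fmt.Println(pretty)
	for _, f := range findings {
		fmt.Printf("%-26s = %-6v %s\n", f.Key, f.Value, f.Note)
	}
}
```

The keys in the logged JSON are the plugin's JSON tags (note the mix of camelCase and snake_case in the sample above), not the snake_case TOML keys of config.toml, so the pretty-printed output is a readable record of what the node was running with rather than a drop-in config file.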
Avi Deitcher
e07b63d845 document usage and design of blockfile snapshotter
Signed-off-by: Avi Deitcher <avi@deitcher.net>
2024-04-28 11:44:03 +03:00
Samuel Karp
7cd7a5c82f
Merge pull request #10140 from lucasrattz/fix-actuated-in-adopters
ADOPTERS.md: Fix Actuated italics
2024-04-27 04:45:37 +00:00
Samuel Karp
f343b51809
Merge pull request #10139 from syself/add-syself-autopilot-to-adopters
Add Syself Autopilot to adopters
2024-04-27 00:46:36 +00:00
Lucas Rattz
b6bd12f13d Add Syself Autopilot to adopters
Syself Autopilot is a managed Kubernetes solution, added at the end since it's a commercial adopter.

Signed-off-by: Lucas Rattz <lucas.rattz@syself.com>
2024-04-26 13:48:57 -03:00
Lucas Rattz
7bc4760017 ADOPTERS.md: Fix Actuated italics
The italicization of Actuated was broken. This commit fixes it by adding a missing underscore.

Signed-off-by: Lucas Rattz <lucasrattz999@gmail.com>
2024-04-26 13:31:23 -03:00
Xinyang Ge
4167416754 Perform file sync outside of lock on Commit
Signed-off-by: Xinyang Ge <xinyang.ge@databricks.com>
2024-04-26 05:42:01 -07:00
Akihiro Suda
0426e3c2eb
Merge pull request #10133 from AkihiroSuda/fix-10062
cri: introspectRuntimeFeatures: fix nil panic
2024-04-25 08:28:09 +00:00
Akihiro Suda
c27bcdc564
cri: introspectRuntimeFeatures: fix nil panic
Fix issue 10062

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-04-25 08:36:38 +09:00
Samuel Karp
01ed3ff123
Merge pull request #10123 from woky/apparmor-runc
apparmor: Allow confined runc to kill containers
2024-04-24 22:01:12 +00:00
Derek McGowan
dfdfa206f9
Update for latest updates to release tool
Mention use of pull request labels

Signed-off-by: Derek McGowan <derek@mcg.dev>
2024-04-24 11:19:45 -07:00
Derek McGowan
53c9e6f862
Update release process after 1.7
Signed-off-by: Derek McGowan <derek@mcg.dev>
2024-04-24 10:17:11 -07:00
Akihiro Suda
c4c3c6ea56
Merge pull request #10125 from sandy-lcq/main
Makefile: update default PACKAGE to v2
2024-04-24 15:13:17 +00:00
Changqing Li
c5ba71d117 Makefile: update default PACKAGE to v2
Signed-off-by: Changqing Li <changqing.li@windriver.com>
2024-04-24 18:02:37 +08:00
Abel Feng
a12acedfad sandbox: make an independent shim plugin
Signed-off-by: Abel Feng <fshb1988@gmail.com>
2024-04-24 14:27:20 +08:00
Akihiro Suda
9d108fa83b
Merge pull request #9894 from profnandaa/docs/fix-windows-instructions-2
fix(docs): fix duplicate instructions for windows installation
2024-04-23 23:54:59 +00:00
Tomáš Virtus
094bafe2a3
apparmor: Allow confined runc to kill containers
/usr/sbin/runc is confined with "runc" profile[1] introduced in AppArmor
v4.0.0. This change breaks stopping of containers, because the profile
assigned to containers doesn't accept signals from the "runc" peer.
AppArmor >= v4.0.0 is currently part of Ubuntu Mantic (23.10) and later.

The issue is reproducible both with nerdctl and ctr clients. In the case
of ctr, the --apparmor-default-profile flag has to be specified,
otherwise the container processes would inherit the runc profile, which
behaves as unconfined, and so the subsequent runc process invoked to
stop it would be able to signal it.

  Test commands:

    root@cloudimg:~# nerdctl run -d --name foo nginx:latest
    3d1e74bfe6e7b2912d9223050ae8a81a8f4b73de0846e6d9c956c1e411cdd95a
    root@cloudimg:~# nerdctl stop foo
    FATA[0000] 1 errors:
    unknown error after kill: runc did not terminate successfully: exit status 1: unable to signal init: permission denied
    : unknown

    or

    root@cloudimg:~# ctr pull docker.io/library/nginx:latest
    ...
    root@cloudimg:~# ctr run -d --apparmor-default-profile ctr-default docker.io/library/nginx:latest foo
    root@cloudimg:~# ctr task kill foo
    ctr: unknown error after kill: runc did not terminate successfully: exit status 1: unable to signal init: permission denied
    : unknown

  Relevant syslog messages (with long lines wrapped):

    Apr 23 22:03:12 cloudimg kernel: audit:
      type=1400 audit(1713909792.064:262): apparmor="DENIED"
      operation="signal" class="signal" profile="nerdctl-default"
      pid=13483 comm="runc" requested_mask="receive"
      denied_mask="receive" signal=quit peer="runc"

    or

    Apr 23 22:05:32 cloudimg kernel: audit:
      type=1400 audit(1713909932.106:263): apparmor="DENIED"
      operation="signal" class="signal" profile="ctr-default"
      pid=13574 comm="runc" requested_mask="receive"
      denied_mask="receive" signal=quit peer="runc"

This change extends the default profile with rules that allow receiving
signals from processes that run confined with either runc or crun
profile (crun[2] is an alternative OCI runtime that's also confined in
AppArmor >= v4.0.0, see [1]). It is backward compatible because the peer
value is a regular expression (AARE) so the referenced profile doesn't
have to exist for this profile to successfully compile and load.

[1] https://gitlab.com/apparmor/apparmor/-/commit/2594d936
[2] https://github.com/containers/crun

Signed-off-by: Tomáš Virtus <nechtom@gmail.com>
2024-04-24 00:17:40 +02:00
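A detection-side companion to the commit above, added here as an example and not part of containerd or of that commit: it parses kernel audit records of the shape quoted in the message and reports, per container profile, the rule that would let the confined runtime signal it. The audit lines in the block are constructed from the two quoted in the message (joined back onto single lines) plus an unrelated file denial that must not be flagged; the emitted `signal (receive) peer=NAME,` rule follows the form of the rootlesskit rule in the PR #10111 title further down this page, and whether it matches the exact rules this commit added is not shown here.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample: the two kernel audit records quoted in the commit
// message, re-joined onto one line each (the page wraps them), plus a third
// file-access denial that the detector must leave alone.
const sampleAudit = `Apr 23 22:03:12 cloudimg kernel: audit: type=1400 audit(1713909792.064:262): apparmor="DENIED" operation="signal" class="signal" profile="nerdctl-default" pid=13483 comm="runc" requested_mask="receive" denied_mask="receive" signal=quit peer="runc"
Apr 23 22:05:32 cloudimg kernel: audit: type=1400 audit(1713909932.106:263): apparmor="DENIED" operation="signal" class="signal" profile="ctr-default" pid=13574 comm="runc" requested_mask="receive" denied_mask="receive" signal=quit peer="runc"
Apr 23 22:07:01 cloudimg kernel: audit: type=1400 audit(1713910021.500:264): apparmor="DENIED" operation="open" class="file" profile="ctr-default" name="/etc/shadow" pid=13600 comm="cat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0`

// Denial holds the fields of an AppArmor audit record that the check uses.
type Denial struct {
	Profile, Operation, Peer, Signal, Comm, DeniedMask string
}

// kvRe matches key=value and key="quoted value" pairs in an audit record.
var kvRe = regexp.MustCompile(`(\w+)=("[^"]*"|\S+)`)

// parseAuditLine extracts the fields of one AppArmor DENIED record.
// It returns ok=false for lines that are not such records.
func parseAuditLine(line string) (Denial, bool) {
	if !strings.Contains(line, `apparmor="DENIED"`) {
		return Denial{}, false
	}
	kv := map[string]string{}
	for _, m := range kvRe.FindAllStringSubmatch(line, -1) {
		kv[m[1]] = strings.Trim(m[2], `"`)
	}
	return Denial{
		Profile: kv["profile"], Operation: kv["operation"], Peer: kv["peer"],
		Signal: kv["signal"], Comm: kv["comm"], DeniedMask: kv["denied_mask"],
	}, true
}

// runtimePeers lists the profile names that confine OCI runtimes in
// AppArmor >= 4.0 according to the commit message.
var runtimePeers = map[string]bool{"runc": true, "crun": true}

// IsRuntimeSignalDenial reports whether a denial is the failure mode the
// commit describes: the container's profile refused a signal from a peer
// confined by a runtime profile.
func IsRuntimeSignalDenial(d Denial) bool {
	return d.Operation == "signal" && d.DeniedMask == "receive" && runtimePeers[d.Peer]
}

// SuggestedRules scans an audit excerpt and returns, per affected container
// profile, the rules it is missing, in the `signal (receive) peer=NAME,`
// form used elsewhere on this page. Repeated records collapse to one rule.
func SuggestedRules(audit string) map[string][]string {
	rules := map[string][]string{}
	seen := map[string]bool{}
	for _, line := range strings.Split(audit, "\n") {
		d, ok := parseAuditLine(line)
		if !ok || !IsRuntimeSignalDenial(d) {
			continue
		}
		rule := fmt.Sprintf("signal (receive) peer=%s,", d.Peer)
		key := d.Profile + "\x00" + rule
		if seen[key] {
			continue
		}
		seen[key] = true
		rules[d.Profile] = append(rules[d.Profile], rule)
	}
	return rules
}

func main() {
	for profile, missing := range SuggestedRules(sampleAudit) {
		fmt.Printf("profile %q denies runtime signals; add to it:\n", profile)
		for _, r := range missing {
			fmt.Println("  " + r)
		}
	}
}
```

Feed it the output of `journalctl -k` or `dmesg` from a host that shows the "unable to signal init: permission denied" failure; a profile that appears in the output needs the listed rule before `nerdctl stop` or `ctr task kill` will work under AppArmor 4.0 with a confined runtime.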
Derek McGowan
2d19e9b473
Merge pull request #10098 from dmcgowan/prepare-v2.0.0-rc.1
Prepare release notes for v2.0.0-rc.1
2024-04-23 21:32:24 +00:00
Derek McGowan
3781d8757a
Merge pull request #10107 from containerd/dependabot/go_modules/tags.cncf.io/container-device-interface-0.7.2
build(deps): bump tags.cncf.io/container-device-interface from 0.7.1 to 0.7.2
2024-04-23 21:32:13 +00:00
Derek McGowan
df5d9603c7
Merge pull request #10121 from ZhangShuaiyi/bugfix/configMigration
fix migrateConfig for io.containerd.cri.v1.images
2024-04-23 20:34:50 +00:00
Shuaiyi Zhang
e461a59ae6 fix migrateConfig for io.containerd.cri.v1.images
Signed-off-by: Shuaiyi Zhang <zhang_syi@qq.com>
2024-04-23 12:59:50 +00:00
Fu Wei
2dd6fa3b6d
Merge pull request #10111 from AkihiroSuda/nerdctl-issue-2730
apparmor: add `signal (receive) peer=/usr/local/bin/rootlesskit,`
2024-04-23 05:03:12 +00:00
Maksym Pavlenko
444679c883
Merge pull request #10109 from dmcgowan/fix-fallback-explicit-tls
Update HTTP fallback to better account for TLS timeout and previous attempts
2024-04-23 04:10:39 +00:00
Maksym Pavlenko
7020acbf09
Merge pull request #10100 from ChengenH/main
chore: use errors.New to replace fmt.Errorf with no parameters, which is much better
2024-04-23 04:09:58 +00:00
Maksym Pavlenko
f9b17063b3
Merge pull request #10106 from dmcgowan/update-cni-1.2.0
Update CNI to v1.2.0
2024-04-23 04:07:25 +00:00