The additional []containerd.RemoteOpt is not used by ctr currently,
but planned to be used by nerdctl and also probably by stargz's ctr-remote.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
The "apparmor" build tag does not have any cgo dependency and can be removed safely.
Related: https://github.com/opencontainers/runc/issues/2704
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
zstd is a compression algorithm that has a very fast decoder, while
providing also good compression ratios. The fast decoder makes it
suitable for container images, as decompressing the tarballs is a very
expensive operation.
https://github.com/opencontainers/image-spec/pull/788 added support
for zstd to the OCI image specs.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Inclavare Containers is an innovation of container runtime with the
novel approach for launching protected containers in hardware-assisted
Trusted Execution Environment (TEE) technology, aka Enclave, which can
prevent the untrusted entity, such as Cloud Service Provider (CSP), from
accessing the sensitive and confidential assets in use.
Signed-off-by: Zhiguang Jia <jia_zhiguang@126.com>
When multiple clients are pulling the same image, we may have this
lock error. Short-lived locks are probably fine, but long-lived locks
may indicate that containerd has some issues.
Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
Specifically, all the functions above applyWindowsLayer are actually
used by the (generic) applyNaive code, while the functions below this
point are specific to applyWindowsLayer.
Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
applyFunc now takes an io.Reader instead of a tar.Reader because I'm
trying to mirror the API of the not-yet-exposed implementation of this
same behaviour in github.com/Microsoft/hcsshim/internal/ociwclayer,
with an eye to later moving to that implementation it is ever exposed.
Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
When a base runtime spec is being used, admins can configure defaults for the
spec so that default ulimits or other security related settings get applied for
all containers launched.
Signed-off-by: Michael Crosby <michael@thepasture.io>
If the shim has been killed and ttrpc connection has been
closed, the shimErr will not be nil. For this case, the event
subscriber, like moby/moby, might have received the exit or delete
events. Just in case, we should allow ttrpc-callback-on-close to
send the exit and delete events again. And the exit status will
depend on result of shimV2.Delete.
If not, the shim has been delivered the exit and delete events.
So we should remove the task record and prevent duplicate events from
ttrpc-callback-on-close.
Fix: #4769
Signed-off-by: Wei Fu <fuweid89@gmail.com>
For LCOW currently we copy (or create) the scratch.vhdx for every single snapshot
so there ends up being a sandbox.vhdx in every directory seemingly unnecessarily. With the default scratch
size of 20GB the size on disk is about 17MB so there's a 17MB overhead per layer plus the time to copy the
file with every snapshot. Only the final sandbox.vhdx is actually used so this would be a nice little
optimization.
For WCOW we essentially do the exact same except copy the blank vhdx from the base layer.
Signed-off-by: Daniel Canter <dcanter@microsoft.com>
