dependabot[bot]
93690baf4e
build(deps): bump github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus
...
Bumps [github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus](https://github.com/grpc-ecosystem/go-grpc-middleware) from 1.0.0 to 1.0.1.
- [Release notes](https://github.com/grpc-ecosystem/go-grpc-middleware/releases)
- [Commits](https://github.com/grpc-ecosystem/go-grpc-middleware/compare/v1.0.0...providers/prometheus/v1.0.1)
---
updated-dependencies:
- dependency-name: github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-04-30 19:10:24 +00:00
Maksym Pavlenko
c2c8730596
Merge pull request #10150 from containerd/dependabot/go_modules/github.com/urfave/cli/v2-2.27.2
...
build(deps): bump github.com/urfave/cli/v2 from 2.27.1 to 2.27.2
2024-04-30 18:23:04 +00:00
Maksym Pavlenko
9e1ad56b41
Merge pull request #10152 from zouyee/log
...
optimize error logs by providing absolute file paths
2024-04-30 18:22:01 +00:00
Akihiro Suda
53160fb4b6
Merge pull request #10110 from AkihiroSuda/go-mod-1.22
...
go.mod: go 1.22
2024-04-30 09:19:17 +00:00
Derek McGowan
2c7b992ad4
Merge pull request #10146 from containerd/dependabot/github_actions/golangci/golangci-lint-action-5
...
build(deps): bump golangci/golangci-lint-action from 4 to 5
2024-04-30 04:53:29 +00:00
Akihiro Suda
15782881ee
go.mod: go 1.22
...
Depended by k8s.io/cri-api >= v0.30.0 (Kubernetes v1.30, PR 10019)
https://github.com/kubernetes/cri-api/blob/v0.30.0/go.mod#L5
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-04-30 11:53:20 +09:00
Akihiro Suda
2d5689434d
CI: use Go 1.22 by default
...
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-04-30 11:52:36 +09:00
Akihiro Suda
fef78c1024
install-runc: pin Go to 1.21
...
runc is incompatible with Go 1.22 on glibc-based distros
(opencontainers/runc issue 4233)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-04-30 11:52:32 +09:00
zouyee
11d8beff80
optimize error logs by providing absolute file paths
...
Signed-off-by: zouyee <zouyee1989@gmail.com>
2024-04-30 09:08:01 +08:00
dependabot[bot]
81a9df625b
build(deps): bump github.com/urfave/cli/v2 from 2.27.1 to 2.27.2
...
Bumps [github.com/urfave/cli/v2](https://github.com/urfave/cli) from 2.27.1 to 2.27.2.
- [Release notes](https://github.com/urfave/cli/releases)
- [Changelog](https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md)
- [Commits](https://github.com/urfave/cli/compare/v2.27.1...v2.27.2)
---
updated-dependencies:
- dependency-name: github.com/urfave/cli/v2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-04-29 23:38:41 +00:00
dependabot[bot]
6df759e243
build(deps): bump golangci/golangci-lint-action from 4 to 5
...
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 4 to 5.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/v4...v5)
---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-04-29 23:19:10 +00:00
Maksym Pavlenko
7feb1f327d
Merge pull request #9853 from abel-von/make-shim-independent
...
sandbox: make an independent shim plugin
2024-04-29 21:07:21 +00:00
Maksym Pavlenko
b3dd6e3860
Merge pull request #10145 from thaJeztah/cri_startup_logs_step1
...
pkg/cri/server/base: use structured log for CRI plugin startup and log config as embedded JSON
2024-04-29 19:54:39 +00:00
Sebastiaan van Stijn
8a8c3e2215
pkg/cri/server/base: log CRI config as embedded JSON
...
Use the JSON-encoded representation of the config used, which allows
users to reconstruct a (valid) config file from the logs, which may be
more useful for debugging purposes than the internal (Go) representation.
Before this:
INFO[2023-12-07T15:33:39.914626385Z] starting cri plugin config="{PluginConfig:{ContainerdConfig:{Snapshotter:overlayfs DefaultRuntimeName:runc Runtimes:map[runc:{Type:io.containerd.runc.v2 Path: PodAnnotations:[] ContainerAnnotations:[] Options:map[BinaryName: CriuImagePath: CriuWorkPath: IoGid:0 IoUid:0 NoNewKeyring:false Root: ShimCgroup:] PrivilegedWithoutHostDevices:false PrivilegedWithoutHostDevicesAllDevicesAllowed:false BaseRuntimeSpec: NetworkPluginConfDir: NetworkPluginMaxConfNum:0 Snapshotter: Sandboxer:podsandbox}] DisableSnapshotAnnotations:true DiscardUnpackedLayers:false IgnoreBlockIONotEnabledErrors:false IgnoreRdtNotEnabledErrors:false} CniConfig:{NetworkPluginBinDir:/opt/cni/bin NetworkPluginConfDir:/etc/cni/net.d NetworkPluginMaxConfNum:1 NetworkPluginSetupSerially:false NetworkPluginConfTemplate: IPPreference:} Registry:{ConfigPath: Mirrors:map[] Configs:map[] Auths:map[] Headers:map[]} ImageDecryption:{KeyModel:node} DisableTCPService:true StreamServerAddress:127.0.0.1 StreamServerPort:0 StreamIdleTimeout:4h0m0s EnableSelinux:false SelinuxCategoryRange:1024 SandboxImage:registry.k8s.io/pause:3.9 StatsCollectPeriod:10 EnableTLSStreaming:false X509KeyPairStreaming:{TLSCertFile: TLSKeyFile:} MaxContainerLogLineSize:16384 DisableCgroup:false DisableApparmor:false RestrictOOMScoreAdj:false MaxConcurrentDownloads:3 DisableProcMount:false UnsetSeccompProfile: TolerateMissingHugetlbController:true DisableHugetlbController:true DeviceOwnershipFromSecurityContext:false IgnoreImageDefinedVolumes:false NetNSMountsUnderStateDir:false EnableUnprivilegedPorts:true EnableUnprivilegedICMP:true EnableCDI:false CDISpecDirs:[/etc/cdi /var/run/cdi] ImagePullProgressTimeout:5m0s DrainExecSyncIOTimeout:0s} ContainerdRootDir:/var/lib/docker/containerd/daemon ContainerdEndpoint:/var/run/docker/containerd/containerd.sock RootDir:/var/lib/docker/containerd/daemon/io.containerd.grpc.v1.cri StateDir:/var/run/docker/containerd/daemon/io.containerd.grpc.v1.cri}"
After this:
INFO[2023-12-07T15:27:15.862946138Z] starting cri plugin config="{\"containerd\":{\"snapshotter\":\"overlayfs\",\"defaultRuntimeName\":\"runc\",\"runtimes\":{\"runc\":{\"runtimeType\":\"io.containerd.runc.v2\",\"runtimePath\":\"\",\"PodAnnotations\":null,\"ContainerAnnotations\":null,\"options\":{\"BinaryName\":\"\",\"CriuImagePath\":\"\",\"CriuWorkPath\":\"\",\"IoGid\":0,\"IoUid\":0,\"NoNewKeyring\":false,\"Root\":\"\",\"ShimCgroup\":\"\"},\"privileged_without_host_devices\":false,\"privileged_without_host_devices_all_devices_allowed\":false,\"baseRuntimeSpec\":\"\",\"cniConfDir\":\"\",\"cniMaxConfNum\":0,\"snapshotter\":\"\",\"sandboxer\":\"podsandbox\"}},\"disableSnapshotAnnotations\":true,\"discardUnpackedLayers\":false,\"ignoreBlockIONotEnabledErrors\":false,\"ignoreRdtNotEnabledErrors\":false},\"cni\":{\"binDir\":\"/opt/cni/bin\",\"confDir\":\"/etc/cni/net.d\",\"maxConfNum\":1,\"setupSerially\":false,\"confTemplate\":\"\",\"ipPref\":\"\"},\"registry\":{\"configPath\":\"\",\"mirrors\":null,\"configs\":null,\"auths\":null,\"headers\":null},\"imageDecryption\":{\"keyModel\":\"node\"},\"disableTCPService\":true,\"streamServerAddress\":\"127.0.0.1\",\"streamServerPort\":\"0\",\"streamIdleTimeout\":\"4h0m0s\",\"enableSelinux\":false,\"selinuxCategoryRange\":1024,\"sandboxImage\":\"registry.k8s.io/pause:3.9\",\"statsCollectPeriod\":10,\"enableTLSStreaming\":false,\"x509KeyPairStreaming\":{\"tlsCertFile\":\"\",\"tlsKeyFile\":\"\"},\"maxContainerLogSize\":16384,\"disableCgroup\":false,\"disableApparmor\":false,\"restrictOOMScoreAdj\":false,\"maxConcurrentDownloads\":3,\"disableProcMount\":false,\"unsetSeccompProfile\":\"\",\"tolerateMissingHugetlbController\":true,\"disableHugetlbController\":true,\"device_ownership_from_security_context\":false,\"ignoreImageDefinedVolumes\":false,\"netnsMountsUnderStateDir\":false,\"enableUnprivilegedPorts\":true,\"enableUnprivilegedICMP\":true,\"enableCDI\":false,\"cdiSpecDirs\":[\"/etc/cdi\",\"/var/run/cdi\"],\"imagePullProgressTimeout\":\"5m0s\",\"drainExecSyncIOTimeout\":\"0s\",\"containerdRootDir\":\"/var/lib/docker/containerd/daemon\",\"containerdEndpoint\":\"/var/run/docker/containerd/containerd.sock\",\"rootDir\":\"/var/lib/docker/containerd/daemon/io.containerd.grpc.v1.cri\",\"stateDir\":\"/var/run/docker/containerd/daemon/io.containerd.grpc.v1.cri\"}"
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-04-29 13:10:54 +02:00
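Recovering the CRI config from a log line in the "After this" format, as an added example that is not part of the commit or of containerd's code. It assumes the `config` value is quoted the way Go's `strconv.Quote` does, as the escaped sample above suggests; `ExtractConfig` and both sample lines are hypothetical, shortened from the logs quoted in the message.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Constructed, shortened line in the "After this" format; keys and values
// are a subset of the ones in the log line quoted above.
const sampleLine = `INFO[2023-12-07T15:27:15.862946138Z] starting cri plugin config="{\"containerd\":{\"snapshotter\":\"overlayfs\",\"defaultRuntimeName\":\"runc\"},\"disableApparmor\":false,\"enableUnprivilegedPorts\":true,\"cdiSpecDirs\":[\"/etc/cdi\",\"/var/run/cdi\"]}"`

// Constructed, shortened line in the "Before this" format (Go struct dump).
const oldLine = `INFO[2023-12-07T15:33:39.914626385Z] starting cri plugin config="{PluginConfig:{ContainerdConfig:{Snapshotter:overlayfs DefaultRuntimeName:runc}}}"`

// ExtractConfig pulls the config field out of one log line and decodes it.
// The value contains escaped quotes, so a pattern that stops at the first
// '"' would truncate it; QuotedPrefix honours the escapes instead.
func ExtractConfig(line string) (map[string]any, error) {
	const key = " config="
	i := strings.Index(line, key)
	if i < 0 {
		return nil, errors.New("no config field in line")
	}
	quoted, err := strconv.QuotedPrefix(line[i+len(key):])
	if err != nil {
		return nil, fmt.Errorf("config value is not a quoted string: %w", err)
	}
	raw, err := strconv.Unquote(quoted)
	if err != nil {
		return nil, fmt.Errorf("cannot unquote config value: %w", err)
	}
	var cfg map[string]any
	if err := json.Unmarshal([]byte(raw), &cfg); err != nil {
		return nil, fmt.Errorf("config value is not JSON: %w", err)
	}
	return cfg, nil
}

func main() {
	cfg, err := ExtractConfig(sampleLine)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	pretty, _ := json.MarshalIndent(cfg, "", "  ")
	fmt.Println(string(pretty))

	// The pre-change format unquotes fine but is not JSON, so it is rejected.
	if _, err := ExtractConfig(oldLine); err != nil {
		fmt.Println("old format:", err)
	}
}
```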
Sebastiaan van Stijn
f62edda5a2
pkg/cri/server/base: use structured log for CRI plugin startup
...
Log the config as a field instead of as part of the log message.
Before this:
INFO[2023-12-07T14:58:43.515360429Z] loading plugin id=io.containerd.tracing.processor.v1.otlp type=io.containerd.tracing.processor.v1
INFO[2023-12-07T14:58:43.515787512Z] loading plugin id=io.containerd.internal.v1.tracing type=io.containerd.internal.v1
INFO[2023-12-07T14:58:43.515974429Z] loading plugin id=io.containerd.internal.v1.cri type=io.containerd.internal.v1
INFO[2023-12-07T14:58:43.516037887Z] Start cri plugin with config {PluginConfig:{ContainerdConfig:{Snapshotter:overlayfs DefaultRuntimeName:runc Runtimes:map[runc:{Type:io.containerd.runc.v2 Path: PodAnnotations:[] ContainerAnnotations:[] Options:map[BinaryName: CriuImagePath: CriuWorkPath: IoGid:0 IoUid:0 NoNewKeyring:false Root: ShimCgroup:] PrivilegedWithoutHostDevices:false PrivilegedWithoutHostDevicesAllDevicesAllowed:false BaseRuntimeSpec: NetworkPluginConfDir: NetworkPluginMaxConfNum:0 Snapshotter: Sandboxer:podsandbox}] DisableSnapshotAnnotations:true DiscardUnpackedLayers:false IgnoreBlockIONotEnabledErrors:false IgnoreRdtNotEnabledErrors:false} CniConfig:{NetworkPluginBinDir:/opt/cni/bin NetworkPluginConfDir:/etc/cni/net.d NetworkPluginMaxConfNum:1 NetworkPluginSetupSerially:false NetworkPluginConfTemplate: IPPreference:} Registry:{ConfigPath: Mirrors:map[] Configs:map[] Auths:map[] Headers:map[]} ImageDecryption:{KeyModel:node} DisableTCPService:true StreamServerAddress:127.0.0.1 StreamServerPort:0 StreamIdleTimeout:4h0m0s EnableSelinux:false SelinuxCategoryRange:1024 SandboxImage:registry.k8s.io/pause:3.9 StatsCollectPeriod:10 EnableTLSStreaming:false X509KeyPairStreaming:{TLSCertFile: TLSKeyFile:} MaxContainerLogLineSize:16384 DisableCgroup:false DisableApparmor:false RestrictOOMScoreAdj:false MaxConcurrentDownloads:3 DisableProcMount:false UnsetSeccompProfile: TolerateMissingHugetlbController:true DisableHugetlbController:true DeviceOwnershipFromSecurityContext:false IgnoreImageDefinedVolumes:false NetNSMountsUnderStateDir:false EnableUnprivilegedPorts:true EnableUnprivilegedICMP:true EnableCDI:false CDISpecDirs:[/etc/cdi /var/run/cdi] ImagePullProgressTimeout:5m0s DrainExecSyncIOTimeout:0s} ContainerdRootDir:/var/lib/docker/containerd/daemon ContainerdEndpoint:/var/run/docker/containerd/containerd.sock RootDir:/var/lib/docker/containerd/daemon/io.containerd.grpc.v1.cri StateDir:/var/run/docker/containerd/daemon/io.containerd.grpc.v1.cri}
After this:
INFO[2023-12-07T15:33:39.914112719Z] loading plugin id=io.containerd.tracing.processor.v1.otlp type=io.containerd.tracing.processor.v1
INFO[2023-12-07T15:33:39.914526135Z] loading plugin id=io.containerd.internal.v1.tracing type=io.containerd.internal.v1
INFO[2023-12-07T15:33:39.914580427Z] loading plugin id=io.containerd.internal.v1.cri type=io.containerd.internal.v1
INFO[2023-12-07T15:33:39.914626385Z] starting cri plugin config="{PluginConfig:{ContainerdConfig:{Snapshotter:overlayfs DefaultRuntimeName:runc Runtimes:map[runc:{Type:io.containerd.runc.v2 Path: PodAnnotations:[] ContainerAnnotations:[] Options:map[BinaryName: CriuImagePath: CriuWorkPath: IoGid:0 IoUid:0 NoNewKeyring:false Root: ShimCgroup:] PrivilegedWithoutHostDevices:false PrivilegedWithoutHostDevicesAllDevicesAllowed:false BaseRuntimeSpec: NetworkPluginConfDir: NetworkPluginMaxConfNum:0 Snapshotter: Sandboxer:podsandbox}] DisableSnapshotAnnotations:true DiscardUnpackedLayers:false IgnoreBlockIONotEnabledErrors:false IgnoreRdtNotEnabledErrors:false} CniConfig:{NetworkPluginBinDir:/opt/cni/bin NetworkPluginConfDir:/etc/cni/net.d NetworkPluginMaxConfNum:1 NetworkPluginSetupSerially:false NetworkPluginConfTemplate: IPPreference:} Registry:{ConfigPath: Mirrors:map[] Configs:map[] Auths:map[] Headers:map[]} ImageDecryption:{KeyModel:node} DisableTCPService:true StreamServerAddress:127.0.0.1 StreamServerPort:0 StreamIdleTimeout:4h0m0s EnableSelinux:false SelinuxCategoryRange:1024 SandboxImage:registry.k8s.io/pause:3.9 StatsCollectPeriod:10 EnableTLSStreaming:false X509KeyPairStreaming:{TLSCertFile: TLSKeyFile:} MaxContainerLogLineSize:16384 DisableCgroup:false DisableApparmor:false RestrictOOMScoreAdj:false MaxConcurrentDownloads:3 DisableProcMount:false UnsetSeccompProfile: TolerateMissingHugetlbController:true DisableHugetlbController:true DeviceOwnershipFromSecurityContext:false IgnoreImageDefinedVolumes:false NetNSMountsUnderStateDir:false EnableUnprivilegedPorts:true EnableUnprivilegedICMP:true EnableCDI:false CDISpecDirs:[/etc/cdi /var/run/cdi] ImagePullProgressTimeout:5m0s DrainExecSyncIOTimeout:0s} ContainerdRootDir:/var/lib/docker/containerd/daemon ContainerdEndpoint:/var/run/docker/containerd/containerd.sock RootDir:/var/lib/docker/containerd/daemon/io.containerd.grpc.v1.cri StateDir:/var/run/docker/containerd/daemon/io.containerd.grpc.v1.cri}"
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-04-29 13:10:51 +02:00
Samuel Karp
7cd7a5c82f
Merge pull request #10140 from lucasrattz/fix-actuated-in-adopters
...
ADOPTERS.md: Fix Actuated italics
2024-04-27 04:45:37 +00:00
Samuel Karp
f343b51809
Merge pull request #10139 from syself/add-syself-autopilot-to-adopters
...
Add Syself Autopilot to adopters
2024-04-27 00:46:36 +00:00
Lucas Rattz
b6bd12f13d
Add Syself Autopilot to adopters
...
Syself Autopilot is a managed Kubernetes solution, added at the end since it's a commercial adopter.
Signed-off-by: Lucas Rattz <lucas.rattz@syself.com>
2024-04-26 13:48:57 -03:00
Lucas Rattz
7bc4760017
ADOPTERS.md: Fix Actuated italics
...
The italicization of Actuated was broken. This commit fixes it by adding a missing underscore.
Signed-off-by: Lucas Rattz <lucasrattz999@gmail.com>
2024-04-26 13:31:23 -03:00
Akihiro Suda
0426e3c2eb
Merge pull request #10133 from AkihiroSuda/fix-10062
...
cri: introspectRuntimeFeatures: fix nil panic
2024-04-25 08:28:09 +00:00
Akihiro Suda
c27bcdc564
cri: introspectRuntimeFeatures: fix nil panic
...
Fix issue 10062
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-04-25 08:36:38 +09:00
Samuel Karp
01ed3ff123
Merge pull request #10123 from woky/apparmor-runc
...
apparmor: Allow confined runc to kill containers
2024-04-24 22:01:12 +00:00
Akihiro Suda
c4c3c6ea56
Merge pull request #10125 from sandy-lcq/main
...
Makefile: update default PACKAGE to v2
2024-04-24 15:13:17 +00:00
Changqing Li
c5ba71d117
Makefile: update default PACKAGE to v2
...
Signed-off-by: Changqing Li <changqing.li@windriver.com>
2024-04-24 18:02:37 +08:00
Abel Feng
a12acedfad
sandbox: make an independent shim plugin
...
Signed-off-by: Abel Feng <fshb1988@gmail.com>
2024-04-24 14:27:20 +08:00
Akihiro Suda
9d108fa83b
Merge pull request #9894 from profnandaa/docs/fix-windows-instructions-2
...
fix(docs): fix duplicate instructions for windows installation
2024-04-23 23:54:59 +00:00
Tomáš Virtus
094bafe2a3
apparmor: Allow confined runc to kill containers
...
/usr/sbin/runc is confined with "runc" profile[1] introduced in AppArmor
v4.0.0. This change breaks stopping of containers, because the profile
assigned to containers doesn't accept signals from the "runc" peer.
AppArmor >= v4.0.0 is currently part of Ubuntu Mantic (23.10) and later.
The issue is reproducible both with nerdctl and ctr clients. In the case
of ctr, the --apparmor-default-profile flag has to be specified,
otherwise the container processes would inherit the runc profile, which
behaves as unconfined, and so the subsequent runc process invoked to
stop it would be able to signal it.
Test commands:
root@cloudimg:~# nerdctl run -d --name foo nginx:latest
3d1e74bfe6e7b2912d9223050ae8a81a8f4b73de0846e6d9c956c1e411cdd95a
root@cloudimg:~# nerdctl stop foo
FATA[0000] 1 errors:
unknown error after kill: runc did not terminate successfully: exit status 1: unable to signal init: permission denied
: unknown
or
root@cloudimg:~# ctr pull docker.io/library/nginx:latest
...
root@cloudimg:~# ctr run -d --apparmor-default-profile ctr-default docker.io/library/nginx:latest foo
root@cloudimg:~# ctr task kill foo
ctr: unknown error after kill: runc did not terminate successfully: exit status 1: unable to signal init: permission denied
: unknown
Relevant syslog messages (with long lines wrapped):
Apr 23 22:03:12 cloudimg kernel: audit:
type=1400 audit(1713909792.064:262): apparmor="DENIED"
operation="signal" class="signal" profile="nerdctl-default"
pid=13483 comm="runc" requested_mask="receive"
denied_mask="receive" signal=quit peer="runc"
or
Apr 23 22:05:32 cloudimg kernel: audit:
type=1400 audit(1713909932.106:263): apparmor="DENIED"
operation="signal" class="signal" profile="ctr-default"
pid=13574 comm="runc" requested_mask="receive"
denied_mask="receive" signal=quit peer="runc"
This change extends the default profile with rules that allow receiving
signals from processes that run confined with either runc or crun
profile (crun[2] is an alternative OCI runtime that's also confined in
AppArmor >= v4.0.0, see [1]). It is backward compatible because the peer
value is a regular expression (AARE) so the referenced profile doesn't
have to exist for this profile to successfully compile and load.
[1] https://gitlab.com/apparmor/apparmor/-/commit/2594d936
[2] https://github.com/containers/crun
Signed-off-by: Tomáš Virtus <nechtom@gmail.com>
2024-04-24 00:17:40 +02:00
Derek McGowan
2d19e9b473
Merge pull request #10098 from dmcgowan/prepare-v2.0.0-rc.1
...
Prepare release notes for v2.0.0-rc.1
2024-04-23 21:32:24 +00:00
Derek McGowan
3781d8757a
Merge pull request #10107 from containerd/dependabot/go_modules/tags.cncf.io/container-device-interface-0.7.2
...
build(deps): bump tags.cncf.io/container-device-interface from 0.7.1 to 0.7.2
2024-04-23 21:32:13 +00:00
Derek McGowan
df5d9603c7
Merge pull request #10121 from ZhangShuaiyi/bugfix/configMigration
...
fix migrateConfig for io.containerd.cri.v1.images
2024-04-23 20:34:50 +00:00
Shuaiyi Zhang
e461a59ae6
fix migrateConfig for io.containerd.cri.v1.images
...
Signed-off-by: Shuaiyi Zhang <zhang_syi@qq.com>
2024-04-23 12:59:50 +00:00
Fu Wei
2dd6fa3b6d
Merge pull request #10111 from AkihiroSuda/nerdctl-issue-2730
...
apparmor: add `signal (receive) peer=/usr/local/bin/rootlesskit,`
2024-04-23 05:03:12 +00:00
Maksym Pavlenko
444679c883
Merge pull request #10109 from dmcgowan/fix-fallback-explicit-tls
...
Update HTTP fallback to better account for TLS timeout and previous attempts
2024-04-23 04:10:39 +00:00
Maksym Pavlenko
7020acbf09
Merge pull request #10100 from ChengenH/main
...
chore: use errors.New to replace fmt.Errorf with no parameters will be much better
2024-04-23 04:09:58 +00:00
Maksym Pavlenko
f9b17063b3
Merge pull request #10106 from dmcgowan/update-cni-1.2.0
...
Update CNI to v1.2.0
2024-04-23 04:07:25 +00:00
Akihiro Suda
eb5a0c04b4
apparmor: add signal (receive) peer=/usr/local/bin/rootlesskit,
...
Fix containerd/nerdctl issue 2730
> [Rootless] `nerdctl rm` fails when AppArmor is loaded:
> `error="unknown error after kill: runc did not terminate successfully: exit status 1:
> unable to signal init: permission denied\n: unknown"`
Caused by:
> kernel: audit: type=1400 audit(1713840662.766:122): apparmor="DENIED" operation="signal" class="signal"
> profile="nerdctl-default" pid=366783 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill
> peer="/usr/local/bin/rootlesskit"
The issue is known to happen on Ubuntu 23.10 and 24.04 LTS.
Doesn't seem to happen on Ubuntu 22.04 LTS.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-04-23 12:21:26 +09:00
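Triage of the AppArmor signal denials quoted in the two apparmor commits above (runc/crun peers and rootlesskit), as an added example that is not part of either commit or of containerd's code. `SignalDenials` and `CandidateRules` are hypothetical names; the printed rule form follows the `signal (receive) peer=...,` line in the rootlesskit commit title.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// The first three records are the denials quoted in the commit messages
// above, unwrapped to one line each. The last record is constructed, to
// show that non-signal denials are filtered out.
const sampleLog = `Apr 23 22:03:12 cloudimg kernel: audit: type=1400 audit(1713909792.064:262): apparmor="DENIED" operation="signal" class="signal" profile="nerdctl-default" pid=13483 comm="runc" requested_mask="receive" denied_mask="receive" signal=quit peer="runc"
Apr 23 22:05:32 cloudimg kernel: audit: type=1400 audit(1713909932.106:263): apparmor="DENIED" operation="signal" class="signal" profile="ctr-default" pid=13574 comm="runc" requested_mask="receive" denied_mask="receive" signal=quit peer="runc"
kernel: audit: type=1400 audit(1713840662.766:122): apparmor="DENIED" operation="signal" class="signal" profile="nerdctl-default" pid=366783 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/local/bin/rootlesskit"
kernel: audit: type=1400 audit(1713840700.000:123): apparmor="DENIED" operation="open" class="file" profile="nerdctl-default" name="/tmp/example" pid=1 comm="cat" requested_mask="r" denied_mask="r"`

// kvRe matches key=value pairs; a value is double-quoted or a bare token.
var kvRe = regexp.MustCompile(`(\w+)=(?:"([^"]*)"|(\S+))`)

// Denial is one AppArmor signal denial taken from the kernel audit log.
type Denial struct{ Profile, Peer, Signal, Mask string }

func parseFields(line string) map[string]string {
	f := make(map[string]string)
	for _, m := range kvRe.FindAllStringSubmatch(line, -1) {
		if m[3] != "" {
			f[m[1]] = m[3] // bare value, e.g. signal=quit
		} else {
			f[m[1]] = m[2] // quoted value, e.g. peer="runc"
		}
	}
	return f
}

// SignalDenials returns every apparmor="DENIED" operation="signal" record.
func SignalDenials(log string) []Denial {
	var out []Denial
	for _, line := range strings.Split(log, "\n") {
		f := parseFields(line)
		if f["apparmor"] != "DENIED" || f["operation"] != "signal" {
			continue
		}
		out = append(out, Denial{Profile: f["profile"], Peer: f["peer"],
			Signal: f["signal"], Mask: f["denied_mask"]})
	}
	return out
}

// CandidateRules groups denials by the profile that refused the signal and
// lists, de-duplicated and sorted, the rule each denial points at.
func CandidateRules(ds []Denial) map[string][]string {
	seen := make(map[string]map[string]bool)
	for _, d := range ds {
		if seen[d.Profile] == nil {
			seen[d.Profile] = make(map[string]bool)
		}
		seen[d.Profile][fmt.Sprintf("signal (%s) peer=%s,", d.Mask, d.Peer)] = true
	}
	rules := make(map[string][]string)
	for profile, set := range seen {
		for r := range set {
			rules[profile] = append(rules[profile], r)
		}
		sort.Strings(rules[profile])
	}
	return rules
}

func main() {
	for profile, rules := range CandidateRules(SignalDenials(sampleLog)) {
		fmt.Printf("%s:\n  %s\n", profile, strings.Join(rules, "\n  "))
	}
}
```

The output is a list of rules to review against the profile template, not something to apply unreviewed: each line widens which peers may signal the container.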
Derek McGowan
5e470e1cae
Update HTTPFallback to handle tls handshake timeout
...
Signed-off-by: Derek McGowan <derek@mcg.dev>
2024-04-22 18:53:27 -07:00
dependabot[bot]
a37b451cde
build(deps): bump tags.cncf.io/container-device-interface
...
Bumps [tags.cncf.io/container-device-interface](https://github.com/cncf-tags/container-device-interface) from 0.7.1 to 0.7.2.
- [Release notes](https://github.com/cncf-tags/container-device-interface/releases)
- [Commits](https://github.com/cncf-tags/container-device-interface/compare/v0.7.1...v0.7.2)
---
updated-dependencies:
- dependency-name: tags.cncf.io/container-device-interface
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-04-22 23:45:02 +00:00
Derek McGowan
1412a255ec
Merge pull request #10068 from kiashok/portForwardingWindows-ipv6
...
Account for ipv6 localhost in windows port forwarding
2024-04-22 21:14:18 +00:00
Derek McGowan
888fd315fd
Update CNI to v1.2.0
...
Signed-off-by: Derek McGowan <derek@mcg.dev>
2024-04-22 14:12:15 -07:00
Phil Estes
6d1ae8b439
Merge pull request #10104 from thaJeztah/go1.21.9
...
update to go1.21.9, go1.22.2
2024-04-22 20:12:51 +00:00
Sebastiaan van Stijn
13e6b2b686
update to go1.21.9, go1.22.2
...
go1.21.9 (released 2024-04-03) includes a security fix to the net/http
package, as well as bug fixes to the linker, and the go/types and
net/http packages. See the Go 1.21.9 milestone for more details;
https://github.com/golang/go/issues?q=milestone%3AGo1.21.9+label%3ACherryPickApproved
These minor releases include 1 security fix following the security policy:
- http2: close connections when receiving too many headers
Maintaining HPACK state requires that we parse and process all HEADERS
and CONTINUATION frames on a connection. When a request's headers exceed
MaxHeaderBytes, we don't allocate memory to store the excess headers but
we do parse them. This permits an attacker to cause an HTTP/2 endpoint
to read arbitrary amounts of header data, all associated with a request
which is going to be rejected. These headers can include Huffman-encoded
data which is significantly more expensive for the receiver to decode
than for an attacker to send.
Set a limit on the amount of excess header frames we will process before
closing a connection.
Thanks to Bartek Nowotarski (https://nowotarski.info/) for reporting this issue.
This is CVE-2023-45288 and Go issue https://go.dev/issue/65051.
View the release notes for more information:
https://go.dev/doc/devel/release#go1.22.2
- https://github.com/golang/go/issues?q=milestone%3AGo1.21.9+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.21.8...go1.21.9
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-04-22 19:43:32 +02:00
Derek McGowan
42e4de9c54
Prepare release notes for v2.0.0-rc.1
...
Signed-off-by: Derek McGowan <derek@mcg.dev>
2024-04-22 10:13:11 -07:00
Derek McGowan
17294e5816
Merge pull request #10047 from containerd/dependabot/go_modules/golang-x-5cf8641f85
...
build(deps): bump the golang-x group with 3 updates
2024-04-22 16:18:12 +00:00
ChengenH
4a31bd606d
chore: use errors.New to replace fmt.Errorf with no parameters will be much better
...
Signed-off-by: ChengenH <hce19970702@gmail.com>
2024-04-21 21:49:31 +08:00
Fu Wei
8936631603
Merge pull request #10099 from kiashok/updateHcsshim-main
...
Update hcsshim to v0.12.3
2024-04-21 12:55:17 +00:00
Kirtana Ashok
a6a82c1023
Update hcsshim to v0.12.3
...
Signed-off-by: Kirtana Ashok <kiashok@microsoft.com>
2024-04-19 15:26:47 -07:00
Kirtana Ashok
7e60d5a074
Account for ipv4 vs ipv6 localhost
...
in windows port forwarding
Signed-off-by: Kirtana Ashok <kiashok@microsoft.com>
2024-04-19 11:30:49 -07:00
Kazuyoshi Kato
6e0dc9f50f
Merge pull request #10089 from samuelkarp/bump-nri-v0.6.1
...
mod: bump github.com/containerd/nri@v0.6.1
2024-04-18 23:07:13 +00:00
Samuel Karp
a153b2cd32
mod: bump github.com/containerd/nri@v0.6.1
...
Fixes https://github.com/containerd/containerd/issues/10085
Signed-off-by: Samuel Karp <samuelkarp@google.com>
2024-04-18 15:00:34 -07:00