github/containerd
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity
14,066 Commits 3 Branches 4 Tags
e1adfaeb921fce7e8098b6b43d24253597a68cf7
Commit Graph

14066 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Maksym Pavlenko
c2c8730596 Merge pull request #10150 from containerd/dependabot/go_modules/github.com/urfave/cli/v2-2.27.2 
build(deps): bump github.com/urfave/cli/v2 from 2.27.1 to 2.27.2
 2024-04-30 18:23:04 +00:00
Maksym Pavlenko
9e1ad56b41 Merge pull request #10152 from zouyee/log 
optimize error logs by providing absolute file paths
 2024-04-30 18:22:01 +00:00
Akihiro Suda
4c753d1242 go.mod: k8s.io/cri-api v0.30.0 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2024-04-30 20:40:22 +09:00
Akihiro Suda
53160fb4b6 Merge pull request #10110 from AkihiroSuda/go-mod-1.22 
go.mod: go 1.22
 2024-04-30 09:19:17 +00:00
Abel Feng
de38490ed6 sandbox: merge address and protocol to one url 
Signed-off-by: Abel Feng <fshb1988@gmail.com>
 2024-04-30 15:28:00 +08:00
Abel Feng
c3b306240e add task api endpoint in task create options 
Signed-off-by: Abel Feng <fshb1988@gmail.com>
 2024-04-30 15:22:44 +08:00
Abel Feng
72fe47b2a2 add task api endpoint in oci proto 
Signed-off-by: Abel Feng <fshb1988@gmail.com>
 2024-04-30 15:20:04 +08:00
Abel Feng
b1fefccc78 sandbox: store endpoint in cri sandboxStore 
Signed-off-by: Abel Feng <fshb1988@gmail.com>
 2024-04-30 15:20:03 +08:00
Abel Feng
f6e0cf1894 sandbox: add address info in Start and Status response 
Signed-off-by: Abel Feng <fshb1988@gmail.com>
 2024-04-30 15:20:03 +08:00
Derek McGowan
2c7b992ad4 Merge pull request #10146 from containerd/dependabot/github_actions/golangci/golangci-lint-action-5 
build(deps): bump golangci/golangci-lint-action from 4 to 5
 2024-04-30 04:53:29 +00:00
Akihiro Suda
15782881ee go.mod: go 1.22 
Depended by k8s.io/cri-api >= v0.30.0 (Kubernetes v1.30, PR 10019)
https://github.com/kubernetes/cri-api/blob/v0.30.0/go.mod#L5

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2024-04-30 11:53:20 +09:00
Akihiro Suda
2d5689434d CI: use Go 1.22 by default 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2024-04-30 11:52:36 +09:00
Akihiro Suda
fef78c1024 install-runc: pin Go to 1.21 
runc is incompatible with Go 1.22 on glibc-based distros
(opencontainers/runc issue 4233)

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2024-04-30 11:52:32 +09:00
zouyee
11d8beff80 optimize error logs by providing absolute file paths 
Signed-off-by: zouyee <zouyee1989@gmail.com>
 2024-04-30 09:08:01 +08:00
dependabot[bot]
81a9df625b build(deps): bump github.com/urfave/cli/v2 from 2.27.1 to 2.27.2 
Bumps [github.com/urfave/cli/v2](https://github.com/urfave/cli) from 2.27.1 to 2.27.2.
- [Release notes](https://github.com/urfave/cli/releases)
- [Changelog](https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md)
- [Commits](https://github.com/urfave/cli/compare/v2.27.1...v2.27.2)

---
updated-dependencies:
- dependency-name: github.com/urfave/cli/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-04-29 23:38:41 +00:00
dependabot[bot]
c001a70562 build(deps): bump lycheeverse/lychee-action from 1.9.3 to 1.10.0 
Bumps [lycheeverse/lychee-action](https://github.com/lycheeverse/lychee-action) from 1.9.3 to 1.10.0.
- [Release notes](https://github.com/lycheeverse/lychee-action/releases)
- [Commits](https://github.com/lycheeverse/lychee-action/compare/v1.9.3...v1.10.0)

---
updated-dependencies:
- dependency-name: lycheeverse/lychee-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-04-29 23:19:13 +00:00
dependabot[bot]
6df759e243 build(deps): bump golangci/golangci-lint-action from 4 to 5 
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 4 to 5.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/v4...v5)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-04-29 23:19:10 +00:00
Maksym Pavlenko
7feb1f327d Merge pull request #9853 from abel-von/make-shim-independent 
sandbox: make an independent shim plugin
 2024-04-29 21:07:21 +00:00
Maksym Pavlenko
b3dd6e3860 Merge pull request #10145 from thaJeztah/cri_startup_logs_step1 
pkg/cri/server/base: use structured log for CRI plugin startup and log config as embedded JSON
 2024-04-29 19:54:39 +00:00
Sebastiaan van Stijn
b7c9774140 container.Checkpoint(), WithRestoreImage(): use ocispec.AnnotationRefName 
instead of a locally defined const

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2024-04-29 13:26:21 +02:00
Sebastiaan van Stijn
8a8c3e2215 pkg/cri/server/base: log CRI config as embedded JSON 
Use the JSON-encoded representation of the config used, which allows
users to reconstruct a (valid) config file from the logs, which may be
more useful for debugging purposes than the internal (Go) representation.

Before this:

    INFO[2023-12-07T15:33:39.914626385Z] starting cri plugin                           config="{PluginConfig:{ContainerdConfig:{Snapshotter:overlayfs DefaultRuntimeName:runc Runtimes:map[runc:{Type:io.containerd.runc.v2 Path: PodAnnotations:[] ContainerAnnotations:[] Options:map[BinaryName: CriuImagePath: CriuWorkPath: IoGid:0 IoUid:0 NoNewKeyring:false Root: ShimCgroup:] PrivilegedWithoutHostDevices:false PrivilegedWithoutHostDevicesAllDevicesAllowed:false BaseRuntimeSpec: NetworkPluginConfDir: NetworkPluginMaxConfNum:0 Snapshotter: Sandboxer:podsandbox}] DisableSnapshotAnnotations:true DiscardUnpackedLayers:false IgnoreBlockIONotEnabledErrors:false IgnoreRdtNotEnabledErrors:false} CniConfig:{NetworkPluginBinDir:/opt/cni/bin NetworkPluginConfDir:/etc/cni/net.d NetworkPluginMaxConfNum:1 NetworkPluginSetupSerially:false NetworkPluginConfTemplate: IPPreference:} Registry:{ConfigPath: Mirrors:map[] Configs:map[] Auths:map[] Headers:map[]} ImageDecryption:{KeyModel:node} DisableTCPService:true StreamServerAddress:127.0.0.1 StreamServerPort:0 StreamIdleTimeout:4h0m0s EnableSelinux:false SelinuxCategoryRange:1024 SandboxImage:registry.k8s.io/pause:3.9 StatsCollectPeriod:10 EnableTLSStreaming:false X509KeyPairStreaming:{TLSCertFile: TLSKeyFile:} MaxContainerLogLineSize:16384 DisableCgroup:false DisableApparmor:false RestrictOOMScoreAdj:false MaxConcurrentDownloads:3 DisableProcMount:false UnsetSeccompProfile: TolerateMissingHugetlbController:true DisableHugetlbController:true DeviceOwnershipFromSecurityContext:false IgnoreImageDefinedVolumes:false NetNSMountsUnderStateDir:false EnableUnprivilegedPorts:true EnableUnprivilegedICMP:true EnableCDI:false CDISpecDirs:[/etc/cdi /var/run/cdi] ImagePullProgressTimeout:5m0s DrainExecSyncIOTimeout:0s} ContainerdRootDir:/var/lib/docker/containerd/daemon ContainerdEndpoint:/var/run/docker/containerd/containerd.sock RootDir:/var/lib/docker/containerd/daemon/io.containerd.grpc.v1.cri StateDir:/var/run/docker/containerd/daemon/io.containerd.grpc.v1.cri}"

After this:

    INFO[2023-12-07T15:27:15.862946138Z] starting cri plugin                           config="{\"containerd\":{\"snapshotter\":\"overlayfs\",\"defaultRuntimeName\":\"runc\",\"runtimes\":{\"runc\":{\"runtimeType\":\"io.containerd.runc.v2\",\"runtimePath\":\"\",\"PodAnnotations\":null,\"ContainerAnnotations\":null,\"options\":{\"BinaryName\":\"\",\"CriuImagePath\":\"\",\"CriuWorkPath\":\"\",\"IoGid\":0,\"IoUid\":0,\"NoNewKeyring\":false,\"Root\":\"\",\"ShimCgroup\":\"\"},\"privileged_without_host_devices\":false,\"privileged_without_host_devices_all_devices_allowed\":false,\"baseRuntimeSpec\":\"\",\"cniConfDir\":\"\",\"cniMaxConfNum\":0,\"snapshotter\":\"\",\"sandboxer\":\"podsandbox\"}},\"disableSnapshotAnnotations\":true,\"discardUnpackedLayers\":false,\"ignoreBlockIONotEnabledErrors\":false,\"ignoreRdtNotEnabledErrors\":false},\"cni\":{\"binDir\":\"/opt/cni/bin\",\"confDir\":\"/etc/cni/net.d\",\"maxConfNum\":1,\"setupSerially\":false,\"confTemplate\":\"\",\"ipPref\":\"\"},\"registry\":{\"configPath\":\"\",\"mirrors\":null,\"configs\":null,\"auths\":null,\"headers\":null},\"imageDecryption\":{\"keyModel\":\"node\"},\"disableTCPService\":true,\"streamServerAddress\":\"127.0.0.1\",\"streamServerPort\":\"0\",\"streamIdleTimeout\":\"4h0m0s\",\"enableSelinux\":false,\"selinuxCategoryRange\":1024,\"sandboxImage\":\"registry.k8s.io/pause:3.9\",\"statsCollectPeriod\":10,\"enableTLSStreaming\":false,\"x509KeyPairStreaming\":{\"tlsCertFile\":\"\",\"tlsKeyFile\":\"\"},\"maxContainerLogSize\":16384,\"disableCgroup\":false,\"disableApparmor\":false,\"restrictOOMScoreAdj\":false,\"maxConcurrentDownloads\":3,\"disableProcMount\":false,\"unsetSeccompProfile\":\"\",\"tolerateMissingHugetlbController\":true,\"disableHugetlbController\":true,\"device_ownership_from_security_context\":false,\"ignoreImageDefinedVolumes\":false,\"netnsMountsUnderStateDir\":false,\"enableUnprivilegedPorts\":true,\"enableUnprivilegedICMP\":true,\"enableCDI\":false,\"cdiSpecDirs\":[\"/etc/cdi\",\"/var/run/cdi\"],\"imagePullProgressTimeout\":\"5m0s\",\"drainExecSyncIOTimeout\":\"0s\",\"containerdRootDir\":\"/var/lib/docker/containerd/daemon\",\"containerdEndpoint\":\"/var/run/docker/containerd/containerd.sock\",\"rootDir\":\"/var/lib/docker/containerd/daemon/io.containerd.grpc.v1.cri\",\"stateDir\":\"/var/run/docker/containerd/daemon/io.containerd.grpc.v1.cri\"}"

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2024-04-29 13:10:54 +02:00
Sebastiaan van Stijn
f62edda5a2 pkg/cri/server/base: use structured log for CRI plugin startup 
Log the config as a field instead of as part of the log message.

Before this:

    INFO[2023-12-07T14:58:43.515360429Z] loading plugin                                id=io.containerd.tracing.processor.v1.otlp type=io.containerd.tracing.processor.v1
    INFO[2023-12-07T14:58:43.515787512Z] loading plugin                                id=io.containerd.internal.v1.tracing type=io.containerd.internal.v1
    INFO[2023-12-07T14:58:43.515974429Z] loading plugin                                id=io.containerd.internal.v1.cri type=io.containerd.internal.v1
    INFO[2023-12-07T14:58:43.516037887Z] Start cri plugin with config {PluginConfig:{ContainerdConfig:{Snapshotter:overlayfs DefaultRuntimeName:runc Runtimes:map[runc:{Type:io.containerd.runc.v2 Path: PodAnnotations:[] ContainerAnnotations:[] Options:map[BinaryName: CriuImagePath: CriuWorkPath: IoGid:0 IoUid:0 NoNewKeyring:false Root: ShimCgroup:] PrivilegedWithoutHostDevices:false PrivilegedWithoutHostDevicesAllDevicesAllowed:false BaseRuntimeSpec: NetworkPluginConfDir: NetworkPluginMaxConfNum:0 Snapshotter: Sandboxer:podsandbox}] DisableSnapshotAnnotations:true DiscardUnpackedLayers:false IgnoreBlockIONotEnabledErrors:false IgnoreRdtNotEnabledErrors:false} CniConfig:{NetworkPluginBinDir:/opt/cni/bin NetworkPluginConfDir:/etc/cni/net.d NetworkPluginMaxConfNum:1 NetworkPluginSetupSerially:false NetworkPluginConfTemplate: IPPreference:} Registry:{ConfigPath: Mirrors:map[] Configs:map[] Auths:map[] Headers:map[]} ImageDecryption:{KeyModel:node} DisableTCPService:true StreamServerAddress:127.0.0.1 StreamServerPort:0 StreamIdleTimeout:4h0m0s EnableSelinux:false SelinuxCategoryRange:1024 SandboxImage:registry.k8s.io/pause:3.9 StatsCollectPeriod:10 EnableTLSStreaming:false X509KeyPairStreaming:{TLSCertFile: TLSKeyFile:} MaxContainerLogLineSize:16384 DisableCgroup:false DisableApparmor:false RestrictOOMScoreAdj:false MaxConcurrentDownloads:3 DisableProcMount:false UnsetSeccompProfile: TolerateMissingHugetlbController:true DisableHugetlbController:true DeviceOwnershipFromSecurityContext:false IgnoreImageDefinedVolumes:false NetNSMountsUnderStateDir:false EnableUnprivilegedPorts:true EnableUnprivilegedICMP:true EnableCDI:false CDISpecDirs:[/etc/cdi /var/run/cdi] ImagePullProgressTimeout:5m0s DrainExecSyncIOTimeout:0s} ContainerdRootDir:/var/lib/docker/containerd/daemon ContainerdEndpoint:/var/run/docker/containerd/containerd.sock RootDir:/var/lib/docker/containerd/daemon/io.containerd.grpc.v1.cri StateDir:/var/run/docker/containerd/daemon/io.containerd.grpc.v1.cri}

After this:

    INFO[2023-12-07T15:33:39.914112719Z] loading plugin                                id=io.containerd.tracing.processor.v1.otlp type=io.containerd.tracing.processor.v1
    INFO[2023-12-07T15:33:39.914526135Z] loading plugin                                id=io.containerd.internal.v1.tracing type=io.containerd.internal.v1
    INFO[2023-12-07T15:33:39.914580427Z] loading plugin                                id=io.containerd.internal.v1.cri type=io.containerd.internal.v1
    INFO[2023-12-07T15:33:39.914626385Z] starting cri plugin                           config="{PluginConfig:{ContainerdConfig:{Snapshotter:overlayfs DefaultRuntimeName:runc Runtimes:map[runc:{Type:io.containerd.runc.v2 Path: PodAnnotations:[] ContainerAnnotations:[] Options:map[BinaryName: CriuImagePath: CriuWorkPath: IoGid:0 IoUid:0 NoNewKeyring:false Root: ShimCgroup:] PrivilegedWithoutHostDevices:false PrivilegedWithoutHostDevicesAllDevicesAllowed:false BaseRuntimeSpec: NetworkPluginConfDir: NetworkPluginMaxConfNum:0 Snapshotter: Sandboxer:podsandbox}] DisableSnapshotAnnotations:true DiscardUnpackedLayers:false IgnoreBlockIONotEnabledErrors:false IgnoreRdtNotEnabledErrors:false} CniConfig:{NetworkPluginBinDir:/opt/cni/bin NetworkPluginConfDir:/etc/cni/net.d NetworkPluginMaxConfNum:1 NetworkPluginSetupSerially:false NetworkPluginConfTemplate: IPPreference:} Registry:{ConfigPath: Mirrors:map[] Configs:map[] Auths:map[] Headers:map[]} ImageDecryption:{KeyModel:node} DisableTCPService:true StreamServerAddress:127.0.0.1 StreamServerPort:0 StreamIdleTimeout:4h0m0s EnableSelinux:false SelinuxCategoryRange:1024 SandboxImage:registry.k8s.io/pause:3.9 StatsCollectPeriod:10 EnableTLSStreaming:false X509KeyPairStreaming:{TLSCertFile: TLSKeyFile:} MaxContainerLogLineSize:16384 DisableCgroup:false DisableApparmor:false RestrictOOMScoreAdj:false MaxConcurrentDownloads:3 DisableProcMount:false UnsetSeccompProfile: TolerateMissingHugetlbController:true DisableHugetlbController:true DeviceOwnershipFromSecurityContext:false IgnoreImageDefinedVolumes:false NetNSMountsUnderStateDir:false EnableUnprivilegedPorts:true EnableUnprivilegedICMP:true EnableCDI:false CDISpecDirs:[/etc/cdi /var/run/cdi] ImagePullProgressTimeout:5m0s DrainExecSyncIOTimeout:0s} ContainerdRootDir:/var/lib/docker/containerd/daemon ContainerdEndpoint:/var/run/docker/containerd/containerd.sock RootDir:/var/lib/docker/containerd/daemon/io.containerd.grpc.v1.cri StateDir:/var/run/docker/containerd/daemon/io.containerd.grpc.v1.cri}"

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2024-04-29 13:10:51 +02:00
Avi Deitcher
e07b63d845 document usage and design of blockfile snapshotter 
Signed-off-by: Avi Deitcher <avi@deitcher.net>
 2024-04-28 11:44:03 +03:00
Samuel Karp
7cd7a5c82f Merge pull request #10140 from lucasrattz/fix-actuated-in-adopters 
ADOPTERS.md: Fix Actuated italics
 2024-04-27 04:45:37 +00:00
Samuel Karp
f343b51809 Merge pull request #10139 from syself/add-syself-autopilot-to-adopters 
Add Syself Autopilot to adopters
 2024-04-27 00:46:36 +00:00
Lucas Rattz
b6bd12f13d Add Syself Autopilot to adopters 
Syself Autopilot is a managed kubernetes solution, added at the end since it's a commercial adopter.

Signed-off-by: Lucas Rattz <lucas.rattz@syself.com>
 2024-04-26 13:48:57 -03:00
Lucas Rattz
7bc4760017 ADOPTERS.md: Fix Actuated italics 
The italicization of Actuated was broken. This commit fixes it by addin a missing underscore.

Signed-off-by: Lucas Rattz <lucasrattz999@gmail.com>
 2024-04-26 13:31:23 -03:00
Xinyang Ge
4167416754 Perform file sync outside of lock on Commit 
Signed-off-by: Xinyang Ge <xinyang.ge@databricks.com>
 2024-04-26 05:42:01 -07:00
Akihiro Suda
0426e3c2eb Merge pull request #10133 from AkihiroSuda/fix-10062 
cri: introspectRuntimeFeatures: fix nil panic
 2024-04-25 08:28:09 +00:00
Akihiro Suda
c27bcdc564 cri: introspectRuntimeFeatures: fix nil panic 
Fix issue 10062

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2024-04-25 08:36:38 +09:00
Samuel Karp
01ed3ff123 Merge pull request #10123 from woky/apparmor-runc 
apparmor: Allow confined runc to kill containers
 2024-04-24 22:01:12 +00:00
Derek McGowan
dfdfa206f9 Update for latest updates to release tool 
Mention use of pull request labels

Signed-off-by: Derek McGowan <derek@mcg.dev>
 2024-04-24 11:19:45 -07:00
Derek McGowan
53c9e6f862 Update release process after 1.7 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2024-04-24 10:17:11 -07:00
Akihiro Suda
c4c3c6ea56 Merge pull request #10125 from sandy-lcq/main 
Makefile: update default PACKAGE to v2
 2024-04-24 15:13:17 +00:00
Changqing Li
c5ba71d117 Makefile: update default PACKAGE to v2 
Signed-off-by: Changqing Li <changqing.li@windriver.com>
 2024-04-24 18:02:37 +08:00
Abel Feng
a12acedfad sandbox: make a independent shim plugin 
Signed-off-by: Abel Feng <fshb1988@gmail.com>
 2024-04-24 14:27:20 +08:00
Akihiro Suda
9d108fa83b Merge pull request #9894 from profnandaa/docs/fix-windows-instructions-2 
fix(docs): fix duplicate instructions for windows installation
 2024-04-23 23:54:59 +00:00
Tomáš Virtus
094bafe2a3 apparmor: Allow confined runc to kill containers 
/usr/sbin/runc is confined with "runc" profile[1] introduced in AppArmor
v4.0.0. This change breaks stopping of containers, because the profile
assigned to containers doesn't accept signals from the "runc" peer.
AppArmor >= v4.0.0 is currently part of Ubuntu Mantic (23.10) and later.

The issue is reproducible both with nerdctl and ctr clients. In the case
of ctr, the --apparmor-default-profile flag has to be specified,
otherwise the container processes would inherit the runc profile, which
behaves as unconfined, and so the subsequent runc process invoked to
stop it would be able to signal it.

  Test commands:

    root@cloudimg:~# nerdctl run -d --name foo nginx:latest
    3d1e74bfe6e7b2912d9223050ae8a81a8f4b73de0846e6d9c956c1e411cdd95a
    root@cloudimg:~# nerdctl stop foo
    FATA[0000] 1 errors:
    unknown error after kill: runc did not terminate successfully: exit status 1: unable to signal init: permission denied
    : unknown

    or

    root@cloudimg:~# ctr pull docker.io/library/nginx:latest
    ...
    root@cloudimg:~# ctr run -d --apparmor-default-profile ctr-default docker.io/library/nginx:latest foo
    root@cloudimg:~# ctr task kill foo
    ctr: unknown error after kill: runc did not terminate successfully: exit status 1: unable to signal init: permission denied
    : unknown

  Relevant syslog messages (with long lines wrapped):

    Apr 23 22:03:12 cloudimg kernel: audit:
      type=1400 audit(1713909792.064:262): apparmor="DENIED"
      operation="signal" class="signal" profile="nerdctl-default"
      pid=13483 comm="runc" requested_mask="receive"
      denied_mask="receive" signal=quit peer="runc"

    or

    Apr 23 22:05:32 cloudimg kernel: audit:
      type=1400 audit(1713909932.106:263): apparmor="DENIED"
      operation="signal" class="signal" profile="ctr-default"
      pid=13574 comm="runc" requested_mask="receive"
      denied_mask="receive" signal=quit peer="runc"

This change extends the default profile with rules that allow receiving
signals from processes that run confined with either runc or crun
profile (crun[2] is an alternative OCI runtime that's also confined in
AppArmor >= v4.0.0, see [1]). It is backward compatible because the peer
value is a regular expression (AARE) so the referenced profile doesn't
have to exist for this profile to successfully compile and load.

[1] https://gitlab.com/apparmor/apparmor/-/commit/2594d936
[2] https://github.com/containers/crun

Signed-off-by: Tomáš Virtus <nechtom@gmail.com>
 2024-04-24 00:17:40 +02:00
Derek McGowan
2d19e9b473 Merge pull request #10098 from dmcgowan/prepare-v2.0.0-rc.1 
Prepare release notes for v2.0.0-rc.1
 2024-04-23 21:32:24 +00:00
Derek McGowan
3781d8757a Merge pull request #10107 from containerd/dependabot/go_modules/tags.cncf.io/container-device-interface-0.7.2 
build(deps): bump tags.cncf.io/container-device-interface from 0.7.1 to 0.7.2
 2024-04-23 21:32:13 +00:00
Derek McGowan
df5d9603c7 Merge pull request #10121 from ZhangShuaiyi/bugfix/configMigration 
fix migrateConfig for io.containerd.cri.v1.images
 2024-04-23 20:34:50 +00:00
Shuaiyi Zhang
e461a59ae6 fix migrateConfig for io.containerd.cri.v1.images 
Signed-off-by: Shuaiyi Zhang <zhang_syi@qq.com>
 2024-04-23 12:59:50 +00:00
Fu Wei
2dd6fa3b6d Merge pull request #10111 from AkihiroSuda/nerdctl-issue-2730 
apparmor: add `signal (receive) peer=/usr/local/bin/rootlesskit,`
 2024-04-23 05:03:12 +00:00
Maksym Pavlenko
444679c883 Merge pull request #10109 from dmcgowan/fix-fallback-explicit-tls 
Update HTTP fallback to better account for TLS timeout and previous attempts
 2024-04-23 04:10:39 +00:00
Maksym Pavlenko
7020acbf09 Merge pull request #10100 from ChengenH/main 
chore: use errors.New to replace fmt.Errorf with no parameters will much better
 2024-04-23 04:09:58 +00:00
Maksym Pavlenko
f9b17063b3 Merge pull request #10106 from dmcgowan/update-cni-1.2.0 
Update CNI to v1.2.0
 2024-04-23 04:07:25 +00:00
Akihiro Suda
eb5a0c04b4 apparmor: add signal (receive) peer=/usr/local/bin/rootlesskit, 
Fix containerd/nerdctl issue 2730
> [Rootless] `nerdctl rm` fails when AppArmor is loaded:
> `error="unknown error after kill: runc did not terminate successfully: exit status 1:
> unable to signal init: permission denied\n: unknown"`

Caused by:
> kernel: audit: type=1400 audit(1713840662.766:122): apparmor="DENIED" operation="signal" class="signal"
> profile="nerdctl-default" pid=366783 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill
> peer="/usr/local/bin/rootlesskit"

The issue is known to happen on Ubuntu 23.10 and 24.04 LTS.
Doesn't seem to happen on Ubuntu 22.04 LTS.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2024-04-23 12:21:26 +09:00
Derek McGowan
5e470e1cae Update HTTPFallback to handle tls handshake timeout 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2024-04-22 18:53:27 -07:00
dependabot[bot]
a37b451cde build(deps): bump tags.cncf.io/container-device-interface 
Bumps [tags.cncf.io/container-device-interface](https://github.com/cncf-tags/container-device-interface) from 0.7.1 to 0.7.2.
- [Release notes](https://github.com/cncf-tags/container-device-interface/releases)
- [Commits](https://github.com/cncf-tags/container-device-interface/compare/v0.7.1...v0.7.2)

---
updated-dependencies:
- dependency-name: tags.cncf.io/container-device-interface
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-04-22 23:45:02 +00:00
Derek McGowan
1412a255ec Merge pull request #10068 from kiashok/portForwardingWindows-ipv6 
Account for ipv6 localhost in windows port forwarding
 2024-04-22 21:14:18 +00:00