containerd 1.7.22

Welcome to the v1.7.22 release of containerd!

The twenty-second patch release for containerd 1.7 contains various fixes
and updates.

Highlights

Build and Release Toolchain

• Update to go1.22.7, go1.23.1 (#10679)

Container Runtime Interface (CRI)

• Cumulative stats can't decrease (#10670)

Runtime

• Fix bug where init exits were being dropped (#10675)
• Update runc binary to 1.1.14 (#10668)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Samuel Karp
• James Sturtevant
• Laura Brehm
• Maksym Pavlenko
• Akhil Mohan
• Akihiro Suda
• Cory Snider
• Derek McGowan
• Sebastiaan van Stijn

Changes

16 commits

• Prepare release notes for v1.7.22 (#10684)
  • 43174ee6a Prepare release notes for v1.7.22
• integration: regression test for issue 10589 (#10682)
  • 0c4ba21d8 integration: regression test for issue 10589
  • 1cc2cfa4b fifosync: cross-process synchronization
• Fix bug where init exits were being dropped (#10675)
  • f338717ed runc-shim: handle pending execs as running
  • 686c69490 runc-shim: refuse to start execs after init exits
  • 760935e52 runc-shim: remove misleading comment
• Update to go1.22.7, go1.23.1 (#10679)
  • 19d678f73 update to go1.22.7, go1.23.1
• Cumulative stats can't decrease (#10670)
  • 3658d5b40 Include change in cri server
  • 88d001c74 Cumulative stats can't decrease
• Update runc binary to 1.1.14 (#10668)
  • 33e8a2005 update runc binary to 1.1.14

Dependency Changes

This release has no dependency changes

Previous release can be found at v1.7.21

containerd 1.7.21

Welcome to the v1.7.21 release of containerd!

The twenty-first patch release for containerd 1.7 contains various fixes
and updates.

Highlights

• Regenerate introspection UUID if state is empty (#10510)
• Set stderr to empty string when using terminal on Windows (#10499)

Build and Release Toolchain

• Move builds to Go 1.22 and add support for testing with 1.23 (#10596)

Container Runtime Interface (CRI)

• Borrow latest wsstream from k8s v1.31.x to 1.7 (#10575)
• Ensure the CRIAPIV1Alpha2 warning's lastOccurrence is accurate (#10571)
• Make StopContainer idempotent (#10528)
• Make StopPodSandbox idempotent (#10527)

Go client

• Fix failed force deletion for tasks with PID 0 (#10523)

Runtime

• Fix packaged runc reporting incorrect version (#10559)
• Ensure /run/containerd gets created with correct perms (#10534)

Deprecations

• Ensure the CRIAPIV1Alpha2 warning's lastOccurrence is accurate (#10571)
• Update warnings for deprecated CRI config fields (#10512)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Davanum Srinivas
• Samuel Karp
• Sebastiaan van Stijn
• Phil Estes
• Maksym Pavlenko
• Akhil Mohan
• Chris Henzie
• Derek McGowan
• Kazuyoshi Kato
• Sascha Grunert
• Akihiro Suda
• Erikson Tung
• Iceber Gu
• Mauri de Souza Meneguzzo
• Mike Brown
• Shengjing Zhu
• TinaMor
• rongfu.leng

Changes

45 commits

• Prepare release notes for v1.7.21 (#10632)
  • 975f279ee Prepare release notes for v1.7.21
• go.mod: keep minimum go version at go1.21 (#10633)
  • d63bd8464 go.mod: keep minimum go version at go1.21
• Move builds to Go 1.22 and add support for testing with 1.23 (#10596)
  • c76028088 update golangci-lint to 1.60.1
  • 3b263d082 add go1.23.0, drop go1.21.x
• Fix TestNewBinaryIOCleanup on Go 1.23 and Linux 5.4 (#10590)
  • 09ca004de Fix TestNewBinaryIOCleanup on Go 1.23 and Linux 5.4
• Borrow latest wsstream from k8s v1.31.x to 1.7 (#10575)
  • 9269d97b1 hide wsstream under internal/ to prevent external use
  • 59815fa44 golangci-lint should only look for problems in new code
  • 1c431dc6f Run go mod tidy
  • 226f93d92 Add copyright headers
  • 6f3252733 switch over references to the new package
  • 0a85d476a Fix up some constant references
  • 82bfa44d0 Copy over wsstream from k8s v1.31.0-rc.1 release
• Ensure the CRIAPIV1Alpha2 warning's lastOccurrence is accurate (#10571)
  • 52b79f337 Update CRIAPIV1Alpha2 warning lastOccurrence every call
• pkg/userns: deprecate and migrate to github.com/moby/sys/userns (#10564)
  • dce0b5a6d migrate to github.com/moby/sys/userns
  • 65f7d0740 pkg/userns: deprecate and migrate to github.com/moby/sys/user/userns
  • f21675c27 vendor: github.com/moby/sys/user v0.2.0
• update to go1.21.13 / go1.22.6 (#10570)
  • 228914a5e update to go1.21.13 / go1.22.6
• Fix TestNewBinaryIOCleanup failing with gotip (#10554)
  • 3ff82ba0f Fix TestNewBinaryIOCleanup failing with gotip
• Fix packaged runc reporting incorrect version (#10559)
  • d51143f6f script/setup/install-runc: fix runc using incorrect version
• update auths code comment (#10536)
  • 7bb1455d8 update auths code comment
• Ensure /run/containerd gets created with correct perms (#10534)
  • 16c5fc768 Ensure /run/containerd is created with correct perms
• Make StopContainer idempotent (#10528)
  • 6da4e40b2 Make StopContainer RPC idempotent
• Make StopPodSandbox idempotent (#10527)
  • b3b6f1507 Make StopPodSandbox RPC idempotent
• Fix failed force deletion for tasks with PID 0 (#10523)
  • 0db46f664 client: fix tasks with PID 0 cannot be forced to delete
• Update warnings for deprecated CRI config fields (#10512)
  • 9afb8dcdf deprecation: update warnings for CRI config fields
• Regenerate introspection UUID if state is empty (#10510)
  • b140792e4 introspection: regenerate UUID if state is empty
• Set stderr to empty string when using terminal on Windows (#10499)
  • f9beac3db Set stderr to empty string when using terminal on Windows.

Dependency Changes

• github.com/moby/sys/userns v0.1.0 new

Previous release can be found at v1.7.20

containerd 1.7.17

Welcome to the v1.7.17 release of containerd!

The seventeenth patch release for containerd 1.7 contains various fixes and updates.

Highlights

• Use LOOP_CONFIGURE when creating loop devices (#10209)
• Update unpacker to fetch all provided content (#10233)
• Preserve CL_UNPRIVILEGED locked flags during remount of bind mounts (#10210)
• Update metadata snapshotter to lease on already exists (#10198)
• Handle unsupported config versions (#10165)
• Fix deadlock when writing to pipe blocks (containerd/ttrpc#168)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Stefan Berger
• Derek McGowan
• Austin Vazquez
• Alexandru Matei
• Maksym Pavlenko
• Akihiro Suda
• Bryant Biggs
• Kevin Parsons
• Kirtana Ashok
• Phil Estes
• Kazuyoshi Kato
• Kohei Tokunaga
• Swagat Bora

Changes

43 commits

• Prepare release notes for v1.7.17 (#10235)
  • 114b07b97 Prepare release notes for v1.7.17
• Use LOOP_CONFIGURE when creating loop devices (#10209)
  • 803aaa680 Remove internal LoopConfig struct
  • 7bd3be948 Swap internal ioctl implementation with golang.org/x/sys
  • a0739dc0e Use LOOP_CONFIGURE when creating loop devices
• Update unpacker to fetch all provided content (#10233)
  • 1573ea598 Update ctr image pull all platforms
  • 32b594f1b Update unpacker to always fetch all
• Update hcsshim tag to v0.11.5 (#10232)
  • 5a03a3aee Update hcsshim tag to v0.11.5
• Update ttrpc tag to 1.2.4 (#10221)
  • 9a1eda40f update ttrpc tag to 1.2.4
• Preserve CL_UNPRIVILEGED locked flags during remount of bind mounts (#10210)
  • ad85652fa Preserve CL_UNPRIVILEGED locked flags during remount of bind mounts
• Update instrumentation fuzzer with new flag (#10229)
  • 582f3f43d Update instrumentation fuzzer with new flag
• vendor: github.com/containerd/imgcrypt@v1.1.8 (#10215)
  • a5d13689b vendor: github.com/containerd/imgcrypt@v1.1.8
• vendor: golang.org/x/net@v0.23.0 (#10211)
  • f853bc129 vendor: golang.org/x/net@v0.23.0
  • 837972979 vendor: golang.org/x/net@v0.21.0
  • 56aa87792 vendor: golang.org/x/net@v0.20.0
  • 4e6335ebd vendor: golang.org/x/net@v0.19.0
  • 1c6c745c6 vendor: golang.org/x/term@v0.17.0
  • 1077d38c9 vendor: golang.org/x/sys@v0.18.0
• Update tooling to Go 1.21.10, 1.22.3 for net/http bug fixes (#10207)
  • c53b635f9 Update toolchain to Go 1.21.10 and 1.22.3
• vendor: golang.org/x/crypto@v0.18.0 (#10204)
  • 4b52104f0 vendor: golang.org/x/crypto@v0.18.0
  • 2f65c83b0 vendor: golang.org/x/term@v0.16.0
  • 8a76171f7 vendor: golang.org/x/sys@v0.16.0
  • d45778523 vendor: golang.org/x/term@v0.15.0, golang.org/x/text@v0.14.0
  • 24038de8c vendor: golang.org/x/sys@v0.15.0
• Update metadata snapshotter to lease on already exists (#10198)
  • eb930375c Add lease test for metadata snapshotter
  • 9f6c61ab9 Update metadata snapshotter to lease on exists
• Update grpc and image-spec dependencies (#10180)
  • 24dd403ab Update image-spec to v1.1.0
  • 189b69e24 go.mod: github.com/opencontainers/image-spec v1.1.0-rc3
  • 388fb336b Update grpc to v1.59.0
• Handle unsupported config versions (#10165)
  • 00347b7fa Add check for unsupported config versions

Changes from containerd/imgcrypt

53 commits

• CHANGES: Updated CHANGES document for 1.1.8 release (containerd/imgcrypt#122)
  • 956b4d3 CHANGES: Updated CHANGES document for 1.1.8 release
• Synchronize enc-ctr with upstream ctr from containerd v1.6.23 and use containerd v1.6.23 in dependency (containerd/imgcrypt#120)
  • 9e8e1c1 ctr: Sync code with containerd v1.6.23 ctr
  • 7d2cca5 build(deps): bump containerd from 1.6.20 to 1.6.23
• Synchronize enc-ctr with upstream ctr from containerd v1.6.20 (containerd/imgcrypt#119)
  • 0f2559e ctr: Sync code with containerd v1.6.20 ctr
  • c48dd78 cmd: Copy IntToInt32Array into img package and use it
• Update to ocicrypt 1.1.8 and minimum go 1.20 (containerd/imgcrypt#118)
  • 6d48a4e build(deps): bump ocicrypt from 1.1.7 to 1.1.8
  • 1bc94a2 github: Use golangci-lint v1.54.1 and adjust config file
  • 9065f1d github: Test with go 1.21 and go 1.20
  • 74986f3 go.mod: Require go 1.20
• build(deps): bump google.golang.org/grpc from 1.47.0 to 1.53.0 (containerd/imgcrypt#117)
  • a2a8273 build(deps): bump google.golang.org/grpc from 1.47.0 to 1.53.0
• test: Test creating and running of container with key file missing (containerd/imgcrypt#116)
  • 286470a test: Test creating and running of container with key file missing
• Fix some issues in the test script (containerd/imgcrypt#115)
  • aa517cc test: Fix order of parameters and remove unnecessary key parameter
  • [ec72311](https://github.com/contai...

containerd 1.7.16

Welcome to the v1.7.16 release of containerd!

The sixteenth patch release for containerd 1.7 contains various fixes and updates.

Highlights

• Update AppArmor template to allow confined runc to kill containers (#10129)
• Fix config import relative path glob (#9834)
• Update AppArmor template to better support rootlesskit (#10116)
• Update HTTP fallback to better account for TLS timeout and previous attempts (#10112)
• Add support for HPC port forwarding (#10008)
• Prevent GC from schedule itself with 0 period. (#10102)
• Fix issue with using invalid token to retry fetching layer (#10065)
• Automatically decompress archives for transfer service import (#9989)
• Fix HTTPFallback fails when pushing manifest (#10044)
• Add support for configuring otel from env and config deprecation notice (#9992)
• Fix deadlock during NRI plugin registration (containerd/nri#79)

Build and Release Toolchain

• Update Go to 1.21.9 and 1.22.2 with net/http security fix (#10115)

Container Runtime Interface (CRI)

• Fix CRI snapshotter root path when not under containerd root (#10096)
• Fix network creation failure from CreatedAt time as 269 years ago (#10122)
• Include userns info in PodSandboxStatus (#9865)
• Fix default working directory Windows HostProcess containers (#10071)
• Fix ListPodSandboxStats to skip sandboxes with missing tasks (#10042)

Deprecations

• Add support for configuring otel from env and config deprecation notice (#9992)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Samuel Karp
• Wei Fu
• Danny Canter
• Kazuyoshi Kato
• Kirtana Ashok
• Maksym Pavlenko
• Phil Estes
• Sebastiaan van Stijn
• Brian Goff
• Rodrigo Campos
• Akihiro Suda
• Angelos Kolaitis
• Bin Tang
• David Porter
• Edgar Lee
• Evan Lezar
• Kirill A. Korinsky
• Kohei Tokunaga
• Maksim An
• Paweł Gronowski
• Tomáš Virtus
• 张钰10307750
• 沈陵

Changes

50 commits

• Add release notes for v1.7.16 (#10124)
  • 1c623084f Add release notes for v1.7.16
• Update AppArmor template to allow confined runc to kill containers (#10129)
  • 18a2c36fa apparmor: Allow confined runc to kill containers
• Fix config import relative path glob (#9834)
  • 62e9535f2 Fix config import relative path glob
• Fix CRI snapshotter root path when not under containerd root (#10096)
  • a8ebceb97 CRI: "Fix" imageFSPath behavior
  • bd423bf84 Snapshotters: Export the root path
  • 8fb6bfa71 Add exports to proxy plugin config
  • 8916e2cf9 Add platform config to proxy plugins
• Fix network creation failure from CreatedAt time as 269 years ago (#10122)
  • 293f5151d pod: CreatedAt time will be 269 years ago while creating cri network failed.
• Update AppArmor template to better support rootlesskit (#10116)
  • af19e746e apparmor: add signal (receive) peer=/usr/local/bin/rootlesskit,
• Update Go to 1.21.9 and 1.22.2 with net/http security fix (#10115)
  • 637d259dd update to go1.21.9, go1.22.2
• Update HTTP fallback to better account for TLS timeout and previous attempts (#10112)
  • 794b0c723 Add deprecated HTTPFallback for package compatibility
  • 51c649d9d Update HTTPFallback to handle tls handshake timeout
  • aa14890ed Remove empty default tls configuration in ctr
• Add support for HPC port forwarding (#10008)
  • 3df5d4445 Add support for HPC port forwarding
• Prevent GC from schedule itself with 0 period. (#10102)
  • 5c15bf406 Prevent GC from schedule itself with 0 period.
• Include userns info in PodSandboxStatus (#9865)
  • b57dc9fd3 cri/server: Add userns tests in PodSandboxStatus
  • 6e809ef13 cri: Expose userns in PodSandboxStatus rpc
• mod: bump github.com/containerd/nri@v0.6.1 (#10097)
  • 395a31901 mod: bump github.com/containerd/nri@v0.6.1
• Fix issue with using invalid token to retry fetching layer (#10065)
  • f61de0864 fix bug that using invalid token to retry fetching layer
• Bump tags.cncf.io/container-device-interface to v0.7.2 (#10077)
  • 7a2f49f70 Bump tags.cncf.io/container-device-interface to v0.7.2
• Fix default working directory Windows HostProcess containers (#10071)
  • 989f1ec54 fix default working directory hostProcess
• Fix unexpected order of mounts since go 1.19 (#10063)
  • 9f774e438 fix(cri): fix unexpected order of mounts since go 1.19
• Automatically decompress archives for transfer service import (#9989)
  • 2aec52493 Automatically decompress archives for transfer service import
• Use different containerd sock address in tests (#10056)
  • 8c76e7948 Use different containerd sock address in tests
• Fix HTTPFallback fails when pushing manifest (#10044)
  • 18f4ad5ee remote: Fix HTTPFallback fails when pushing manifest
• Add support for configuring otel from env and config deprecation notice (#9992)
  • 600ba8612 vendor: revendor OTEL
  • 9360e3716 Changes to configuring otel from env only
  • f2354894f Deprecate otel configs
• Fix ListPodSandboxStats to skip sandboxes with missing tasks (#10042)
  • 90c309fe2 Add IsNotFound case to ListPodSandboxStats

Changes from containerd/nri

5 commits<...

containerd 1.7.11

Welcome to the v1.7.11 release of containerd!

The eleventh patch release for containerd 1.7 contains various fixes and updates including
one security issue.

Notable Updates

• Fix Windows default path overwrite issue (#9440)
• Update push to always inherit distribution sources from parent (#9452)
• Update shim to use net dial for gRPC shim sockets (#9458)
• Fix otel version incompatibility (#9483)
• Fix Windows snapshotter blocking snapshot GC on remove failure (#9482)
• Mask /sys/devices/virtual/powercap path in runtime spec and deny in default apparmor profile (GHSA-7ww5-4wqc-m92c)

Deprecation Warnings

• Emit deprecation warning for AUFS snapshotter (#9436)
• Emit deprecation warning for v1 runtime (#9450)
• Emit deprecation warning for deprecated CRI configs (#9469)
• Emit deprecation warning for CRI v1alpha1 usage (#9479)
• Emit deprecation warning for CRIU config in CRI (#9481)

See the changelog for complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Samuel Karp
• Derek McGowan
• Phil Estes
• Bjorn Neergaard
• Danny Canter
• Sebastiaan van Stijn
• ruiwen-zhao
• Akihiro Suda
• Amit Barve
• Charity Kathure
• Maksym Pavlenko
• Milas Bowman
• Paweł Gronowski
• Wei Fu

Changes

39 commits

• [release/1.7] Prepare release notes for v1.7.11 (#9491)
  • dfae68bc3 Prepare release notes for v1.7.11
• [release/1.7] update to go1.20.12, test go1.21.5 (#9352)
  • 0d314401d update to go1.20.12, test go1.21.5
  • 1ec1ae2c6 update to go1.20.11, test go1.21.4
• Github Security Advisory GHSA-7ww5-4wqc-m92c
  • cb804da21 contrib/apparmor: deny /sys/devices/virtual/powercap
  • 40162a576 oci/spec: deny /sys/devices/virtual/powercap
• [release/1.7] Don't block snapshot garbage collection on Remove failures (#9482)
  • ed7c6895b Don't block snapshot garbage collection on Remove failures
• [release/1.7] Add warning for CRIU config usage (#9481)
  • 1fdefdd22 Add warning for CRIU config usage
• [release/1.7] Fix otel version incompatibility (#9483)
  • f8f659e66 Add HTTP client update function to tracing library
  • 807ddd658 fix(tracing): use latest version of semconv
• [release/1.7] Add cri-api v1alpha2 usage warning to all api calls (#9479)
  • dc45bc838 Add cri-api v1alpha2 usage warning to all api calls
• [release/1.7] cri: add deprecation warnings for deprecated CRI configs (#9469)
  • 9d1bad62e deprecation: fix missing spaces in warnings
  • 51a604c07 cri: add deprecation warning for runtime_root
  • 8040e74bf cri: add deprecation warning for rutnime_engine
  • 99adc40eb cri: add deprecation warning for default_runtime
  • afef7ec64 cri: add warning for untrusted_workload_runtime
  • 6220dc190 cri: add warning for old form of systemd_cgroup
• [release/1.7] runtime/v2: net.Dial gRPC shim sockets before trying grpc (#9458)
  • 80f96cd18 runtime/v2: net.Dial gRPC shim sockets before trying grpc
• [release/1.7] tasks: emit warning for v1 runtime and runc v1 runtime (#9450)
  • f471bb2b8 tasks: emit warning for runc v1 runtime
  • 329e1d487 tasks: emit warning for v1 runtime
• [release/1.7] push: always inherit distribution sources from parent (#9452)
  • 4464fde12 push: always inherit distribution sources from parent
• [release/1.7] Update tar tests to run on Darwin (#9451)
  • 7e069ee25 Update tar tests to run on Darwin
• [release/1.7] ctr: Add sandbox flag to ctr run (#9449)
  • 5fc0e4e61 ctr: Add sandbox flag to ctr run
• [release/1.7] Windows default path overwrite fix (#9440)
  • 31fe03764 Fix windows default path overwrite issue
• [release/1.7] snapshots: emit deprecation warning for aufs (#9436)
  • 625b35e4b snapshots: emit deprecation warning for aufs

Dependency Changes

• github.com/felixge/httpsnoop v1.0.3 new
• go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.45.0 new

Previous release can be found at v1.7.10

containerd 1.7.10

Welcome to the v1.7.10 release of containerd!

The tenth patch release for containerd 1.7 contains various fixes and updates.

Notable Updates

• Enhance container image unpack client logs (#9379)
• cri: fix using the pinned label to pin image (#9381)
• fix: ImagePull should close http connection if there is no available data to read. (#9409)

See the changelog for complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Wei Fu
• Iceber Gu
• Austin Vazquez
• Derek McGowan
• Phil Estes
• Samuel Karp
• ruiwen-zhao

Changes

11 commits

• Add release notes for v1.7.10 (#9426)
  • a995fe3a8 Add release notes for v1.7.10
• [release/1.7] fix: ImagePull should close http connection if there is no available data to read. (#9409)
  • 206806128 remotes/docker: close connection if no more data
  • 328493962 integration: reproduce containerd#9347
  • d1aab27cb fix: deflake TestCRIImagePullTimeout/HoldingContentOpenWriter
• [release/1.7] cri: fix using the pinned label to pin image (#9381)
  • a2b16d7f9 cri: fix update of pinned label for images
  • 8dc861844 cri: fix using the pinned label to pin image
• [release/1.7] Enhance container image unpack client logs (#9379)
  • 5930a3750 Enhance container image unpack client logs

Dependency Changes

This release has no dependency changes

Previous release can be found at v1.7.9

containerd 1.7.9

Welcome to the v1.7.9 release of containerd!

The ninth patch release for containerd 1.7 contains various fixes and updates.

Notable Updates

• update runc binary to v1.1.10:: (#9359)
• vendor: upgrade OpenTelemetry to v1.19.0 / v0.45.0 (#9301)
• Expose usage of cri-api v1alpha2 (#9336)
• integration: deflake TestIssue9103 (#9354)
• fix: shimv1 leak issue (#9344)
• cri: add deprecation warnings for mirrors, auths, and configs (#9327)
• Update hcsshim tag to v0.11.4 (#9326)
• Expose usage of deprecated features (#9315)

See the changelog for complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Samuel Karp
• Kazuyoshi Kato
• Wei Fu
• Kirtana Ashok
• Derek McGowan
• Milas Bowman
• Sebastiaan van Stijn
• ruiwen-zhao

Changes

28 commits

• [release/1.7] Add release notes for v1.7.9 (#9333)
  • 4b912af52 Add release notes for v1.7.9
• [release/1.7 backport] update runc binary to v1.1.10 (#9359)
  • eff291713 update runc binary to v1.1.10
• [release/1.7] vendor: upgrade OpenTelemetry to v1.19.0 / v0.45.0 (#9301)
  • bd9428ff7 vendor: upgrade OpenTelemetry to v1.19.0 / v0.45.0
• [release/1.7] Expose usage of cri-api v1alpha2 (#9336)
  • d62cba40c Expose usage of cri-api v1alpha2
• [release/1.7] integration: deflake TestIssue9103 (#9354)
  • 5dbc258a8 integration: deflake TestIssue9103
• [release/1.7] fix: shimv1 leak issue (#9344)
  • 449912857 fix: shimv1 leak issue
• [release/1.7] cri: add deprecation warnings for mirrors, auths, and configs (#9327)
  • 152c57e91 cri: add deprecation warning for configs
  • 689a1036d cri: add deprecation warning for auths
  • 8c38975bf cri: add deprecation warning for mirrors
  • 1fbce40c4 cri: add ability to emit deprecation warnings
• [release/1.7] Update hcsshim tag to v0.11.4 (#9326)
  • 73f15bdb6 Update hcsshim tag to v0.11.4
• [release/1.7] Expose usage of deprecated features (#9315)
  • 60d48ffea ctr: new deprecations command
  • 74a06671a plugin: record deprecation for dynamic plugins
  • fa5f3c91a server: add ability to record config deprecations
  • f7880e7f0 pull: record deprecation warning for schema 1
  • 1dd2f2c02 introspection: add support for deprecations
  • aaf000c18 api/introspection: deprecation warnings in server
  • 9b7ceee54 warning: new service for deprecations
  • b708f8bfa deprecation: new package for deprecations

Dependency Changes

• github.com/Microsoft/hcsshim v0.11.1 -> v0.11.4
• github.com/cenkalti/backoff/v4 v4.2.0 -> v4.2.1
• github.com/go-logr/logr v1.2.3 -> v1.2.4
• github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0 -> v2.16.0
• go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.40.0 -> v0.45.0
• go.opentelemetry.io/otel v1.14.0 -> v1.19.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.14.0 -> v1.19.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.14.0 -> v1.19.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.14.0 -> v1.19.0
• go.opentelemetry.io/otel/metric v0.37.0 -> v1.19.0
• go.opentelemetry.io/otel/sdk v1.14.0 -> v1.19.0
• go.opentelemetry.io/otel/trace v1.14.0 -> v1.19.0
• go.opentelemetry.io/proto/otlp v0.19.0 -> v1.0.0

Previous release can be found at v1.7.8

containerd 1.7.8

Welcome to the v1.7.8 release of containerd!

The eighth patch release for containerd 1.7 contains various fixes and updates.

Notable Updates

• Fix ambiguous TLS fallback (#9299)
• Update Go to 1.20.10 (#9265)
• Add a new image label on converted schema 1 images (#9252)
• Fix handling for missing basic auth credentials (#9235)
• Fix potential deadlock in create handler for containerd-shim-runc-v2 (#9209)

See the changelog for complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Sebastiaan van Stijn
• Derek McGowan
• Phil Estes
• Chen Yiyang
• Wei Fu
• Akihiro Suda
• Maksym Pavlenko
• Marat Radchenko
• Milas Bowman
• Qiutong Song
• Samuel Karp

Changes

27 commits

• [release/1.7] Prepare release notes for v1.7.8 (#9278)
  • 48dbdf871 Prepare release notes for v1.7.8
• [release/1.7] Fix ambiguous tls fallback (#9299)
  • 68abc543b Check scheme and host of request on push redirect
  • 35c7634e3 Avoid TLS fallback when protocol is not ambiguous
• [release/1.7] vendor: google.golang.org/grpc v1.58.3 (#9281)
  • f36948cad vendor: gRPC v1.58.3
• [release/1.7 backport] vendor: golang.org/x/net v0.17.0 (#9276)
  • c67a53190 vendor: golang.org/x/net v0.17.0
  • 71f4b36ca vendor: golang.org/x/text v0.13.0
  • a7b3b7090 vendor: golang.org/x/sys v0.13.0
• [release/1.7] vendor: google.golang.org/grpc v1.56.3 (#9248)
  • 26736d6e1 vendor: google.golang.org/grpc v1.56.3
  • 54a69a6e4 vendor: golang.org/x/oauth2 v0.7.0
  • ac15a7f5b vendor: google.golang.org/protobuf v1.30.0
• [release/1.7] update to go1.20.10, test go1.21.3 (#9265)
  • 2479c3321 [release/1.7] update to go1.20.10, test go1.21.3
  • 11f40e9d8 [release/1.7] update to go1.20.9, test go1.21.2
• [release/1.7] Add a new image label if it is docker schema 1 (#9252)
  • cac1bab79 Add a new image label if it is docker schema 1
• [release/1.7] remotes: add handling for missing basic auth credentials (#9235)
  • 6cd2cc4a8 remotes: add handling for missing basic auth credentials
• [release/1.7 backport] containerd-shim-runc-v2: avoid potential deadlock in create handler (#9209)
  • d0a1fedb5 *: add runc-fp as runc wrapper to inject failpoint
  • 04491240a containerd-shim-runc-v2: avoid potential deadlock in create handler
  • 6982a0df5 containerd-shim-runc-v2: remove unnecessary s.getContainer()
  • 0e2320398 Uncopypaste parsing of OCI Bundle spec file

Dependency Changes

• golang.org/x/crypto v0.11.0 -> v0.14.0
• golang.org/x/mod v0.9.0 -> v0.11.0
• golang.org/x/net v0.13.0 -> v0.17.0
• golang.org/x/oauth2 v0.4.0 -> v0.10.0
• golang.org/x/sync v0.1.0 -> v0.3.0
• golang.org/x/sys v0.10.0 -> v0.13.0
• golang.org/x/term v0.10.0 -> v0.13.0
• golang.org/x/text v0.11.0 -> v0.13.0
• golang.org/x/tools v0.7.0 -> v0.10.0
• google.golang.org/genproto 7f2fa6fef1f4 -> 782d3b101e98
• google.golang.org/genproto/googleapis/api 782d3b101e98 new
• google.golang.org/genproto/googleapis/rpc 782d3b101e98 new
• google.golang.org/grpc v1.53.0 -> v1.58.3
• google.golang.org/protobuf v1.29.1 -> v1.31.0

Previous release can be found at v1.7.7

containerd 1.7.7

Welcome to the v1.7.7 release of containerd!

The seventh patch release for containerd 1.7 contains various fixes and updates.

Notable Updates

• Require plugins to succeed after registering readiness (#9165)
• Handle unexpected shim kill events (#9132)
• Build binaries with Go 1.21.1 (#9167)
• cri: Stop recommending disable_cgroup (#9168)
• remotes/docker: Fix MountedFrom prefixed with target repository (#9193)
• remotes: always try to establish tls connection when tls configured (#9188)
• NRI: Add support for rlimits (#48)

See the changelog for complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Samuel Karp
• Krisztian Litkey
• Wei Fu
• Phil Estes
• Sebastiaan van Stijn
• Iceber Gu
• Mike Brown
• Akihiro Suda
• Paweł Gronowski
• Steve Griffith
• Aditya Ramani
• Austin Vazquez
• Danny Canter
• James Sturtevant
• Kern Walster
• ZP-AlwaysWin

Changes

31 commits

• [release/1.7] Prepare release notes for v1.7.7 (#9194)
  • a34fa5681 Prepare release notes for v1.7.7
• [release/1.7] Allow for images with artifacts to pull (#9149)
  • 6ca0aebf0 Allow for images with artifacts to pull
• [release 1.7] remotes/docker: Fix MountedFrom prefixed with target repository (#9193)
  • 7df492a95 remotes/docker: Fix MountedFrom prefixed with target repository
• [release/1.7] Update x/net to 0.13 (#9134)
  • b3db314a5 Bump x/net to 0.13
• [release/1.7] remotes: always try to establish tls connection when tls configured (#9188)
  • 7779ce64e remotes: always try to establish tls connection when tls configured
• [release/1.7] cri: stop recommending disable_cgroup (#9168)
  • 6013b5e03 cri: stop recommending disable_cgroup
• [release/1.7] Require plugins to succeed after registering readiness (#9165)
  • a83c66813 Require plugins to succeed after registering readiness
  • 171d76849 cri: call RegisterReadiness after NewCRIService
• [release/1.7] Handle unexpected shim kill events (#9132)
  • 3d27bc738 Handle unexpected shim kill events
• [release/1.7] Build binaries with 1.21.1 (#9167)
  • 4ffa3ed29 Build binaries with 1.21.1
• [release/1.7] vendor: github.com/Microsoft/hcsshim v0.11.1 (#9127)
  • 5756f6064 [release/1.7] vendor: github.com/Microsoft/hcsshim v0.11.1
• [release/1.7 backport] alias log package to github.com/containerd/log v0.1.0 (#9106)
  • 09633b539 deprecate logs package, but disable linter (for transitioning)
  • cb201519f alias log package to github.com/containerd/log v0.1.0
  • a5024e6dd vendor: github.com/stretchr/testify v1.8.4
  • 7bd976af3 vendor: github.com/sirupsen/logrus v1.9.3
• [release/1.7] remotes/docker: Add MountedFrom and Exists push status (#9097)
  • 8cd2d33c2 [release/1.7] remotes/docker: Add MountedFrom and Exists push status
• [release/1.7] vendor: update github.com/containerd/nri@v0.4.0 (#9099)
  • 3ca015e55 nri: update mock plugin handlers
  • 4cd208c1f vendor: update github.com/containerd/nri@v0.4.0

Changes from containerd/log

9 commits

• Update golangci to 1.49 (#1)
  • 89c9a54 Update golangci to 1.49
  • cf26711 Update description in README
  • f9f250c Add project details
  • fb7fe3d Add github CI flow
  • 7e13034 Add go module
  • 16a3c76 Rename log import from logtest
  • 698c398 Add README
  • 87c83c4 Add license file

Changes from containerd/nri

35 commits

• releases: update note about 0.4.0 (#50)
  • 5f13915 releases: update note about 0.4.0
• Add support for rlimits (#48)
  • 5ecea04 ulimit-adjuster: add validation for hard limits
  • db3de10 test: exclude ulimit-adjuster from ginkgo
  • f0deb59 ulimit-adjuster: new sample plugin
  • d2dd708 Add support for rlimits
  • efaf36e api: add POSIXRlimit type
• .github: add test build to CI workflow. (#47)
  • 3f092c2 .github: add test build to CI workflow.
• stub: pass context to plugins, pass updated resources to UpdateContainers. (#40)
  • 01d5f14 Add a note about NRI API stability and release notes.
  • ea9976d adaptation: add UpdateContainer tests.
  • d042d24 stub: fix plugin UpdateContainerInterface.
  • f5d0f51 plugins: update plugins for stub changes.
  • b4bd301 adaptation: update tests with stub changes.
  • 9d86150 stub: pass context to plugin event handlers.
• Updated the OCI Hook Injector README to resovle broken links to the p… (#34)
  • 5eee915 removed link
  • c783fc7 Resolves broken podman links and adds details to help better guide people in testing.
• Fix ParseEventMask to produce proper masks for 'pod' and 'container' shorthand event notations. (#39)
  • da291a6 Fix ParseEventMask to produce proper masks
• fix the NRI_PLUGIN_NAME env value when launching a pre...

containerd 1.7.3

Welcome to the v1.7.3 release of containerd!

The third patch release for containerd 1.7 contains various fixes and updates.

Notable Updates

• RunC: Update runc binary to v1.1.8 (#8843)
• CRI: Fix additionalGids: it should fallback to imageConfig.User when securityContext.RunAsUser,RunAsUsername are empty (#8824)
• CRI: write generated CNI config atomically (#8825)
• Port-Forward: Correctly handle known errors (#8806)
• Resolve docker.NewResolver race condition (#8799)
• Fix net.ipv4.ping_group_range with userns (#8786)
• Runtime/V2/RunC: handle early exits w/o big locks (#8712)
• SecComp: always allow name_to_handle_at (#8753)
• CRI: Windows Pod Stats: Add a check to skip stats for containers that are not running (#8654)
• Task: don't close() io before cancel() (#8658)
• Remove CNI conf_template deprecation (#8638)
• Fix issue for HPC pod metrics (#8634)

See the changelog for complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Akihiro Suda
• Phil Estes
• Sebastiaan van Stijn
• Wei Fu
• Derek McGowan
• Kazuyoshi Kato
• Austin Vazquez
• Samuel Karp
• Shingo Omura
• Jin Dong
• Maksym Pavlenko
• Aditi Sharma
• Danny Canter
• James Sturtevant
• Laura Brehm
• Rodrigo Campos
• Akhil Mohan
• Andrey Epifanov
• Bjorn Neergaard
• Cory Snider
• Madhav Jivrajani
• Mahamed Ali
• Priyanka Saggu
• Qasim Sarfraz
• wangxiang
• zounengren

Changes

63 commits

• [release/1.7] Prepare release notes for v1.7.3 (#8871)
  • 4cb2f1515 [release/1.7] Add release notes for v1.7.3
• [release/1.7] cri: memory.memsw.limit_in_bytes: no such file or directory (#8869)
  • b461ecacf cri: memory.memsw.limit_in_bytes: no such file or directory
• [release/1.7] migrate to community owned bucket for node e2e tests (#8875)
  • 14328ae03 migrate to community owned bucket
• [release/1.7 backport] update runc binary to v1.1.8 (#8843)
  • b985f7ef1 update runc binary to v1.1.8
• [release/1.7 backport] [CRI] fix additionalGids: it should fallback to imageConfig.User when securityContext.RunAsUser,RunAsUsername are empty (#8824)
  • 083f57160 capture desc variable in range variable just in case that it run in parallel mode
  • a9440ce6b Use t.TempDir instead of os.MkdirTemp
  • eea3440d8 use strings.Cut instead of strings.Split for parsing imageConfig.User
  • eace67180 fix userstr for dditionalGids on Linux
• [release/1.7 backport] cri: write generated CNI config atomically (#8825)
  • 7353c0286 ctr: update WritePidFile to use atomicfile
  • ae7021300 shim: WritePidFile & WriteAddress use atomicfile
  • 186eb64b7 cri: write generated CNI config atomically on Unix
  • 64c3dcd8e atomicfile: new package for atomic file writes
• [release/1.7 backport] Move logrus setup code to log package (#8831)
  • f7a20e17c Move logrus setup code to log package
• [release/1.7 backport] Cirrus CI: configure apt-get to wait for locks (#8814)
  • 60a6db9c2 Cirrus CI: configure apt-get to wait for locks
• [release/1.7 backport] Update Go to 1.20.6,1.19.11 (#8815)
  • 973778193 Update Go to 1.20.6,1.19.11
• [release/1.7 backport] update go to go1.20.5, go1.19.10 (#8716)
  • 403033e52 update go to go1.20.5, go1.19.10
• [release/1.7 backport] bugfix(port-forward): Correctly handle known errors (#8806)
  • 6b6b0c828 bugfix(port-forward): Correctly handle known errors
• [release/1.7] Resolve docker.NewResolver race condition (#8799)
  • 898eca21e Change http.Header copy to builtin Clone
  • fa2efc406 Resolve docker.NewResolver race condition
• [release/1.7] Fix net.ipv4.ping_group_range with userns (#8786)
  • 241514815 pkg/cri/server: Test net.ipv4.ping_group_range works with userns
  • 801e8c806 pkg/cri/server: Fix net.ipv4.ping_group_range with userns
• [release/1.7 backport] vendor: github.com/containerd/zfs v1.1.0 (#8782)
  • d5639a5a8 vendor: github.com/containerd/zfs v1.1.0
• [release/1.7 backport] ci: remove libseccomp-dev installation for nightly (#8772)
  • 15d65709e ci: remove libseccomp-dev installation for nightly
• [release/1.7] go.mod: Update cgroups to 3.0.2 (#8769)
  • a08ae718c [release/1.7] go.mod: Update cgroups to 3.0.2
• [release/1.7 backport] runtime/v2/runc: handle early exits w/o big locks (#8712)
  • 18c6503d9 runtime/v2/runc: handle early exits w/o big locks
• [release/1.7 backport] integration/client: add timeout to TestShimOOMScore (#8750)
  • 3bf3996d9 integration/client: add timeout to TestShimOOMScore
• [release/1.7 backport] Update ginkgo to match cri-tools' version (#8760)
  • c2c54af9d Update ginkgo to match cri-tools' version
• [release/1.7 backport] seccomp: always allow name_to_handle_at (#8753)
  • 6281d46df seccomp: always allow name_to_handle_at
• [release/1.7] Pinned image support (#8718)
  • 699d6701a Pinned image support
• [release/1.7] cherry-pick: No more nondistributable layers in MS registry (#8690)
  • dafbeb5b1 No more nondistributable layers in MS registry
• [release/1.7] [cri] Windows Pod Stats: Add a check to skip stats for containers that are not running (#8654)
  • 58b6b99cd Add a check to skip stats for containe...