Releases: k3s-io/containerd

containerd 1.7.2

02 Aug 20:09
v1.7.2
0cae528

Welcome to the v1.7.2 release of containerd!

The second patch release for containerd 1.7 includes enhancements to CRI sandbox mode,
Windows snapshot mounting support, and CRI and container IO bug fixes.

CRI/Sandbox Updates

  • Publish sandbox events (#8613)
  • Make stats respect sandbox's platform (#8604)

Other Notable Updates

  • Mount snapshots on Windows (#8616)
  • Notify readiness when registered plugins are ready (#8584)
  • Fix cio.Cancel() should close pipes (#8624)
  • CDI: Use CRI Config.CDIDevices field for CDI injection (#8519)

See the changelog for the complete list of changes.

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

  • Gabriel Adrian Samfira
  • Derek McGowan
  • Paul "TBBle" Hampson
  • Maksym Pavlenko
  • Phil Estes
  • Austin Vazquez
  • Akihiro Suda
  • Kazuyoshi Kato
  • Danny Canter
  • Samuel Karp
  • Sebastiaan van Stijn
  • Ed Bartosh
  • Henry Wang
  • Hsing-Yu (David) Chen
  • Jan Dubois
  • Mike Brown
  • Wei Fu
  • helen

Changes

59 commits

  • [release/1.7] Prepare release notes for v1.7.2 (#8629)
    • 0e41daaea [release/1.7] Prepare release notes for v1.7.2
  • [1.7 backport] Fix panic when remote differ returns empty result (#8631)
    • e134b6393 Fix panic when remote differ returns empty result
  • [release/1.7 backport] Mount snapshots on Windows (#8616)
    • 313c226b8 Update continuity to a tagged version
    • 8dd16285a UnmountAll is a no-op for missing mount points
    • acff3eefa Improve error messages and remove check
    • b4dd3bf4e Make ReadOnly() available on all platforms
    • 08d8baf3f Increase integration test timeout to 20m
    • 1f0dbd011 Remove bind code path in mount()
    • 8f37b1c63 Remove "bind" code path from diff
    • 9139208b3 Properly mount base layers
    • e61e7b312 Skip parent layer options on bind mounts
    • e4307926f Add ReadOnly() function
    • 0277b9b01 Remove escalated privileges
    • d5c18dfb7 Use DefaultSnapshotter
    • 853179366 use t.Fatal if we cannot enable process privileges
    • 5b3ee413f Update continuity
    • 375172604 Fix go.mod, simplify boolean logic, add logging
    • 600abd137 Ignore ERROR_NOT_FOUND error when removing mount
    • df7295dcd Update continuity, go-winio and hcsshim
    • 0db78c482 Remove unused function
    • 219058766 Grant needed privileges for snapshotter tests
    • 96fbe5bc8 Fix layer comparison and enable read-only checks
    • 279e0d3c9 Use bind filer for mounts
    • 93e94da40 Enable TestSnapshotterClient on Windows
    • 3a3da693a Run Windows snapshotter through the test suite
    • e7b62322f Fix misspelling of 'Native' as 'Naive'
    • e1f999a18 Add paired 'mount' log for 'unmount'
    • 5788d6e52 Don't use all-upper-case filenames in snapshot tests
    • 3cdcb2f10 Skip tests that do not apply to WCOW on Windows
    • b0968b8bb Ensure mounts are unmounted before leaving the test
    • b57424851 Unify testutil.Unmount on Windows and Unix
    • b9a8aad45 Implement Windows mounting for bind and windows-layer mounts
    • 1a64ee183 Implement WCOW parentless active snapshots and view snapshots
  • [release/1.7] fix: cio.Cancel() should close the pipes (#8624)
    • 99582fb1a fix: cio.Cancel() should close the pipes
  • [release/1.7 backport] remotes/docker: ResolverOptions: fix deprecation comments (#8621)
    • eeda70fb0 remotes/docker: ResolverOptions: fix deprecation comments
  • [release/1.7] Publish sandbox events (#8613)
  • [release/1.7] notify readiness when registered plugins are ready (#8584)
    • 2c38cad77 notify readiness when registered plugins are ready
  • [release/1.7] Backport CRI sandbox server stats changes (#8604)
    • 7851b0a9f CRI: Make stats respect sandbox's platform
    • 8d7c340ca [sbserver] handle missing cpu stats
    • d08b2a088 [sbserver] Refactor usageNanoCores to be used for all OSes
  • [release/1.7] Cherry-pick: Update volume-ownership image with latest hashes (#8574)
    • 08de6e7b8 Update volume-ownership image with latest hashes
  • [release/1.7] CDI: Use CRI Config.CDIDevices field for CDI injection (#8519)
    • 6a5e54c15 Get CDI devices from CRI Config.CDIDevices field
  • [release/1.7 backport] snapshots/testsuite: Rename: fix fuse-overlayfs incompatibility (#8510)
    • 9e60300ea snapshots/testsuite: Rename: fix fuse-overlayfs incompatibility

#...


containerd 1.7.1

11 May 18:36
v1.7.1
1677a17

Welcome to the v1.7.1 release of containerd!

The first patch release for containerd 1.7 includes many fixes to CRI
sandbox mode, various other fixes, runc update, and important fixes in
core dependencies such as ttrpc and typeurl.

CRI/Sandbox Updates

  • Throw not supported error when UID or GID mappings provided (#8211)
  • Cleanup shim on start failure (#8282)
  • Fix premature close of CRI service when there are no CNI configuration monitors (#8282)
  • Avoid UID lookup from mount on Darwin (#8314)
  • Keep Linux mounts for Linux sandboxes on non-Linux hosts (#8331)
  • Add noexec,nodev,nosuid to /etc/resolv.conf bind mount (#8336)
  • Remove entry for container from container store on error (#8457)
  • Fix unmarshal in container metrics (#8472)

Other Notable Updates

  • Use readonly for temporary mounts (#8300 #8358)
  • Fix skip docker manifest option on image exporter (#8344)
  • Update runc binary to v1.1.7 (#8451)
  • Fix runtime path task option (#8453)
  • Fix panic from nil checkpoint options (#8475)
  • Fix transfer service configuration options (#8491)
  • Fix server-side goroutine leak on receive message error (ttrpc#141)
  • Fix panic caused by race to close send channel (ttrpc#140)
  • Fix unmarshal to return non-nil object when nil value (ttrpc#140)

See the changelog for the complete list of changes.

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

  • Derek McGowan
  • Sebastiaan van Stijn
  • Akihiro Suda
  • Iceber Gu
  • Phil Estes
  • Maksym Pavlenko
  • Wei Fu
  • Danny Canter
  • Kirtana Ashok
  • Rodrigo Campos
  • Samuel Karp
  • Vinayak Goyal
  • Austin Vazquez
  • Justin Chadwell
  • Kazuyoshi Kato
  • Brad Davidson
  • Djordje Lukic
  • Ethan Lowman
  • Laura Brehm
  • Michael Crosby

Changes

68 commits

  • [release/1.7] Prepare release notes for v1.7.1 (#8501)
  • [release/1.7] Update ttrpc v1.2.2 (#8499)
  • [release/1.7] runtime/shim: fix the nil checkpoint options (#8475)
    • 3ef5b689a runtime/shim: fix the nil checkpoint options
  • [release/1.7] bump typeurl to v2.1.1 (#8495)
  • [release/1.7] Transfer service backports (#8491)
    • 35e86f96c [transfer] avoid setting limiters when max is 0
    • f7233811f Update transfer configuration
    • 4510eac00 Fix image pulling with Transfer service
  • [release/1.7] Update hcsshim tag to v0.10.0-rc.8 (#8480)
    • aaa65e8c1 Update hcsshim tag to v0.10.0-rc.8
  • [release/1.7] cri: Fix unmarshal metrics (#8472)
    • 95ef67e19 Fix unmarshal metrics for CRI server
  • [release/1.7 backport] update go to go1.20.4, go1.19.9 (#8471)
  • [release/1.7] fix the task setting the runtime path (#8453)
    • c0e128624 skip TestContainerStartWithAbsRuntimePath if the runtime is v1
    • aa3c63c15 integration: add container start test using abs runtime path
    • d2d9eedb1 WithRuntimePath uses the TaskInfo.RuntimePath field
  • [release/1.7] Remove entry for container from container store on error (#8457)
    • 6b3ae0129 Remove entry for container from container store on error
  • [release/1.7 backport] update runc binary to v1.1.7 (#8451)
  • [release/1.7] cri: Vendor v0.27.1 (#8444)
  • [release/1.7 backport] oci: partially restore comment on read-only mounts for uid/gid uses (#8404)
    • 1bbf98e53 oci: partially restore comment on read-only mounts for uid/gid uses
  • [release/1.7] Fix argsEscaped tests (#8405)
  • [release/1.7] Throw an error if the kubelet requests mounts with uid/gid mappings (#8211)
    • 7de8629be cri: Throw an error if idmap mounts is requested
    • 75ac7e0d8 cri: Vendor v0.27.0-beta.0 for mounts uid/gid mappings
  • [release/1.7] go.mod: remove redundant replace, and some cleaning-up (#8396)
    • 8f6e86fec go.mod: add comment explaining go-fuzz-headers replace rule
    • 1ece0cb50 go.mod: remove replace for github.com/opencontainers/runtime-tools
    • e9f962187 go.mod: integration: use non-pre-release of containerd
    • 84393b005 go.mod: integration: move indirect dependencies to the right group
  • [release/1.7 backport] update runc binary to v1.1.6 (#8386)
  • [release/1.7 backport] oci: Use WithReadonlyTempMount when adding users/groups (#8358)
    • 54d12b872 oci: Use WithReadonlyTempMount when adding users/groups
  • [release/1.7 backport] update go to go1.20.3, go1.19.8 (#8354)
  • [release/1.7] archive: consistently respect value of WithSkipDockerManifest (#8344)
    • 1d6641b7c export: add test for WithSkipDockerManifest
    • 0e0d84f6b archive: consistently respect value of WithSkipDockerManifest
  • [release/1.7] Add noexec nodev and nosuid to sandbox /etc/resolv.conf mount bind. (#8336)
    • 9b4935d86 Update sbserver to add noexec nodev and nosuid to /etc/resolv.conf mount bind.
    • ...

containerd 1.6.21

11 May 19:06
v1.6.21
3dce8eb

Welcome to the v1.6.21 release of containerd!

The twenty-first patch release for containerd 1.6 contains various fixes and updates.

Notable Updates

  • update runc binary to v1.1.7 (#8450)
  • Remove entry for container from container store on error (#8456)
  • oci: partially restore comment on read-only mounts for uid/gid uses (#8403)
  • windows: Add ArgsEscaped support for CRI (#8247)
  • oci: Use WithReadonlyTempMount when adding users/groups (#8357)
  • archive: consistently respect value of WithSkipDockerManifest (#8345)

See the changelog for the complete list of changes.

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

  • Derek McGowan
  • Sebastiaan van Stijn
  • Iceber Gu
  • Kirtana Ashok
  • Justin Chadwell
  • Phil Estes
  • Akihiro Suda
  • Djordje Lukic
  • Kazuyoshi Kato
  • Mike Brown
  • Wei Fu
  • kiashok

Changes

26 commits

  • [release/1.6] Prepare release notes for v1.6.21 (#8463)
  • [release/1.6] update go to go1.19.9 (#8469)
    • 39566aade [release/1.6] update go to go1.19.9
  • [release/1.6] fix the task setting the runtime path (#8454)
    • e8840f688 skip TestContainerStartWithAbsRuntimePath if the runtime is v1
    • 75ab094de integration: add container start test using abs runtime path
    • f49254f0b WithRuntimePath uses the TaskInfo.RuntimePath field
  • [release/1.6 backport] update runc binary to v1.1.7 (#8450)
  • [release/1.6] Remove entry for container from container store on error (#8456)
    • 95d31551d Remove entry for container from container store on error
  • [release/1.6 backport] oci: partially restore comment on read-only mounts for uid/gid uses (#8403)
    • c33eb574d oci: partially restore comment on read-only mounts for uid/gid uses
  • [release/1.6] Add ArgsEscaped support for CRI (#8247)
  • [release/1.6 backport] update runc binary to v1.1.6 (#8385)
  • [release/1.6 backport] oci: Use WithReadonlyTempMount when adding users/groups (#8357)
    • fb5e663d0 oci: Use WithReadonlyTempMount when adding users/groups
  • [release/1.6] update go to go1.19.8 (#8353)
    • 26efb8fd5 [release/1.6] update go to go1.19.8
  • [release/1.6] archive: consistently respect value of WithSkipDockerManifest (#8345)
    • ec13b497e export: add test for WithSkipDockerManifest
    • d1f3771c4 archive: consistently respect value of WithSkipDockerManifest

Dependency Changes

This release has no dependency changes

Previous release can be found at v1.6.20

containerd 1.5.18

10 Mar 17:59
v1.5.18
39bb06f

Welcome to the v1.5.18 release of containerd!

The eighteenth patch release for containerd 1.5 includes fixes for CVE-2023-25153 and CVE-2023-25173
along with a security update for Go.

Notable Updates

See the changelog for the complete list of changes.

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

  • Akihiro Suda
  • Derek McGowan
  • Ye Sijun
  • Samuel Karp
  • Phil Estes
  • Swagat Bora
  • Wei Fu

Changes

17 commits

  • [release/1.5] Prepare release notes for v1.5.18 (#8117)
    • ddf9de6cb Prepare release notes for v1.5.18
  • GitHub Security Advisory GHSA-hmfx-3pcx-653p
    • a62c38bf2 oci: fix additional GIDs
    • 3b89da580 oci: fix loop iterator aliasing
    • b07ec6b25 oci: skip checking gid for WithAppendAdditionalGroups
    • 356672cb5 refactor: reduce duplicate code
    • 6a7b7617c add WithAdditionalGIDs test
    • 832bcf300 add WithAppendAdditionalGroups helper
  • GitHub Security Advisory GHSA-259w-8hf6-59c2
    • 19a347e45 importer: stream oci-layout and manifest.json
  • [release/1.5] Go 1.19.6 (#8112)
  • [release/1.5] Fix retry logic within devmapper device deactivation (#8089)
    • 0d16d045d Fix retry logic within devmapper device deactivation
  • [release/1.5] CI: skip some jobs when repo != containerd/containerd (#8084)
    • 34451bc66 CI: skip some jobs when repo != containerd/containerd

Dependency Changes

This release has no dependency changes

Previous release can be found at v1.5.17

containerd 1.5.17

10 Mar 17:55
v1.5.17
6c00831

Welcome to the v1.5.17 release of containerd!

The seventeenth patch release for containerd 1.5 includes various fixes and updates.

Notable Updates

  • Update shim to fail fast on dial error (#7953)
  • Fix no CNI info for pod sandbox on restart (#7849)
  • Fix push error propagation (#7998)

See the changelog for the complete list of changes.

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

  • Derek McGowan
  • Akihiro Suda
  • Wei Fu
  • Danny Canter
  • Justin Chadwell
  • Kirtana Ashok
  • Phil Estes
  • Samuel Karp
  • Sebastiaan van Stijn

Changes

14 commits

  • [release/1.5] Prepare release notes for v1.5.17 (#8017)
    • 40a4d58de Prepare release notes for v1.5.17
  • [release/1.5] integration/images: switch away from Docker Hub to avoid rate limit (#8009)
    • d44769ad6 integration/images: switch away from Docker Hub to avoid rate limit
  • [release/1.5 backport] pushWriter: correctly propagate errors (#7998)
    • 1e848038d pushWriter: correctly propagate errors
  • [release/1.5] update to go1.18.10 (#7993)
    • 464c2fb7a [release/1.5] update to go1.18.10
  • [release/1.5] runtime: should fail fast if dial error on shim (#7953)
    • 7473711de runtime: should fail fast if dial error on shim
  • [release/1.5] CRI: Fix no CNI info for pod sandbox on restart (#7849)
    • 23c2a863e CRI: Fix no CNI info for pod sandbox on restart
  • [release/1.5] go.mod: Bump hcsshim to v0.8.25 (#7817)
    • 1c5d8d142 [release/1.5] Bump shim tag to v0.8.25

Dependency Changes

  • github.com/Microsoft/hcsshim v0.8.24 -> v0.8.25

Previous release can be found at v1.5.16

containerd 1.6.15

11 Jan 20:57
v1.6.15
5b842e5

Welcome to the v1.6.15 release of containerd!

The fifteenth patch release for containerd 1.6 fixes an issue with CNI in the CRI plugin.

Notable Updates

  • Fix no CNI info for pod sandbox on restart in CRI plugin (#7848)

See the changelog for the complete list of changes.

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

  • Derek McGowan
  • Akihiro Suda
  • Danny Canter
  • Kevin Parsons
  • Samuel Karp
  • Wei Fu

Changes

8 commits

  • [release/1.6] Prepare release notes for v1.6.15 (#7924)
    • 883899eae Prepare release notes for v1.6.15
  • [release/1.6] CI: Pass GITHUB_TOKEN to containerd/project-checks (#7919)
    • b57367020 CI: Pass GITHUB_TOKEN to containerd/project-checks
  • [release/1.6] integration/images: switch away from Docker Hub to avoid rate limit (#7900)
    • 0f4062c9b integration/images: switch away from Docker Hub to avoid rate limit
  • [release/1.6] CRI: Fix no CNI info for pod sandbox on restart (#7848)
    • f16447e2d CRI: Fix no CNI info for pod sandbox on restart

Dependency Changes

This release has no dependency changes

Previous release can be found at v1.6.14

containerd 1.6.14

04 Jan 18:57
v1.6.14
9ba4b25

Welcome to the v1.6.14 release of containerd!

The fourteenth patch release for containerd 1.6 fixes a regression in the CRI plugin related to swap.

Notable Updates

  • Fix memory.memsw.limit_in_bytes: no such file or directory error in CRI plugin (#7838)

See the changelog for the complete list of changes.

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

  • Phil Estes
  • Derek McGowan
  • Akihiro Suda
  • Cameron Sparr
  • Akhil Mohan
  • Kazuyoshi Kato
  • Sebastiaan van Stijn
  • Serge Logvinov
  • Wang Bing
  • Wei Fu
  • cathaysia
  • shi yixue
  • wusong

Changes

6 commits

  • Prepare release notes for v1.6.14 (#7841)
    • 1347d7c87 Prepare release notes for v1.6.14
  • [release/1.6] cri: fix memory.memsw.limit_in_bytes: no such file or directory (#7838)
    • 53c733e0b cri: fix memory.memsw.limit_in_bytes: no such file or directory
  • Revert "[release/1.6] support fetching containerd from non public GCS buckets" (#7830)
    • e8b22c100 Revert "[release/1.6] support fetching containerd from non public GCS buckets"

Changes from containerd/cgroups

21 commits

  • ParseCgroupFile: fix wrong comment about unified hierarchy ; add ParseCgroupFileUnified to get the unified path (#232)
    • dd81920 add ParseCgroupFileUnified to get the unified path
    • dae6735 ParseCgroupFile: fix wrong comment about unified hierarchy
  • Bump go version to 1.17 in go.mod (#230)
    • e5baf6b Bump go version to 1.17 in go.mod
  • make cmd/ a separate module (as it's only for testing) (#226)
    • 66f3f56 make cmd/ a separate module (as it's only for testing)
  • feat(v2): add Update method for v2.Manager (#225)
    • 0592512 feat(v2): add Update method for v2.Manager
  • feat: add memory.min param (#211)
    • 8276db2 feat: add memory.min param
  • modified the dereference null pointer value. (#218)
    • a76c4fb modified the dereference null pointer value.
  • update readme for cpu cgroup demo (#217)
    • f39d7da update readme for cpu cgroup demo
  • Fix systemd full path (#221)
  • Update Go version and fedora base (#223)
    • d7918f2 Update Go version and fedora base
  • Fix panic in NewSystemd on nil values (#219)
    • 65478b8 Fix panic in NewSystemd on nil values

Dependency Changes

  • github.com/containerd/cgroups v1.0.3 -> v1.0.4

Previous release can be found at v1.6.13

containerd 1.6.13

04 Jan 18:57
v1.6.13
78f5177

Welcome to the v1.6.13 release of containerd!

The thirteenth patch release for containerd 1.6 contains various fixes and updates.

Notable Updates

  • Update overlay snapshotter to check for tmpfs when evaluating usage of userxattr (#7788)
  • Update hcsshim to v0.9.6 to fix resource leak on exec (#7808)
  • Make swapping disabled with memory limit in CRI plugin (#7815)
  • Allow clients to remove created tasks with PID 0 (#7816)
  • Fix concurrent map iteration and map write in CRI port forwarding (#7819)
  • Check for nil HugepageLimits to avoid panic in CRI plugin (#7820)

See the changelog for the complete list of changes.

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

  • Derek McGowan
  • Akhil Mohan
  • Phil Estes
  • Kazuyoshi Kato
  • Maksym Pavlenko
  • Akihiro Suda
  • Gavin Inglis
  • Kirtana Ashok
  • Mike Brown
  • Qasim Sarfraz
  • Shinichi Morimoto
  • chaunceyjiang
  • mathis-m

Changes

25 commits

  • [release/1.6] Prepare release notes for v1.6.13 (#7821)
    • Prepare release notes for v1.6.13
  • [release/1.6] support fetching containerd from non public GCS buckets (#7823)
    • disable tracing while handling token
    • support fetching containerd from non public GCS buckets
  • [release/1.6] nil check to avoid panic on upgrade (#7820)
    • nil check to avoid panic on upgrade
  • [release/1.6] concurrent map iteration and map write (#7819)
    • fatal error: concurrent map iteration and map write
  • [release/1.6] allow client to remove created tasks with PID 0 (#7816)
    • allow client to remove created tasks with PID 0
  • [release/1.6] cri: make swapping disabled with memory limit (#7815)
    • cri: make swapping disabled with memory limit
  • [release/1.6] go.mod: Bump hcsshim to v0.9.6 (#7808)
    • Bump hcsshim to v0.9.6
  • [release/1.6] Cherry pick GitHub actions workflow updates 1.6 (#7713)
    • update codeql-action to v2
    • Upgrade actions/upload-artifact from v2 to v3
    • Move up actions versions to prep for deprecation
    • CI: update GHA instances from Ubuntu 18.04 to 20.04
    • Use global env variable to specify Go version on CI
    • Rework permission handling in scripts
    • fix pool_device_test.go
  • [release/1.6] fix: check for tmpfs when evaluating if userxattr should be used (#7788)
    • fix: check for tmpfs when evaluating if userxattr should be used

Dependency Changes

  • github.com/Microsoft/hcsshim v0.9.5 -> v0.9.6

Previous release can be found at v1.6.12

containerd 1.6.10

16 Nov 00:23
v1.6.10
770bd01

Welcome to the v1.6.10 release of containerd!

The tenth patch release for containerd 1.6 contains various fixes, including a CVE fix for Windows platforms.

Notable Updates

  • Always check userxattr for overlay on kernels >= 5.11 (#7646)
  • Bump hcsshim to 0.9.5 to fix container shutdown bug on Windows (#7610)
  • Bump Go version to 1.18.8 to address CVE-2022-41716 (#7634)

See the changelog for the complete list of changes.

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

  • Akihiro Suda
  • Danny Canter
  • Kazuyoshi Kato
  • Austin Vazquez
  • Derek McGowan
  • Gavin Inglis
  • Kathryn Baldauf
  • Kevin Parsons
  • Phil Estes
  • Sebastiaan van Stijn
  • Yasin Turan

Changes

14 commits

  • [release/1.6] Prepare release notes for v1.6.10 (#7664)
    • Prepare release notes for v1.6.10
  • [release/1.6] overlayutils: Add fastpath for userxattr check (#7646)
    • overlayutils: Add fastpath for userxattr check
  • [release/1.6] update to Go 1.18.8 to address CVE-2022-41716 (#7634)
  • [release/1.6] ctr export strictly match default platform (#7627)
    • ctr export strictly match default platform
  • [release/1.6] go.mod: Bump hcsshim to v0.9.5 (#7610)
    • [release/1.6] go.mod: Bump hcsshim to v0.9.5
  • [release/1.6] ctr import: strictly match platform (#7594)
    • ctr import: strictly match platform
  • [release/1.6] cherry-pick: Migrate away from GitHub actions set-output (#7582)
    • Migrate away from GitHub actions set-output

Dependency Changes

  • github.com/Microsoft/hcsshim v0.9.4 -> v0.9.5

Previous release can be found at v1.6.9

containerd 1.6.9

16 Nov 00:23
v1.6.9
1c90a44

Welcome to the v1.6.9 release of containerd!

The ninth patch release for containerd 1.6 contains various fixes, reorders the pod setup workflow in the CRI plugin to
prevent CNI resource leaks, and includes a new version of runc.

Notable Updates

  • Update oci.WithDefaultUnixDevices(): remove tun/tap from the default devices (#7268)
  • Fix CRI: Do not append []string{""} to command to preserve Docker compatibility (#7298)
  • Enhance CRI: ContainerStatus to return container resources (#7410)
  • Fix OCI resolver to skip TLS verification for localhost (#7438)
  • Fix createTarFile: make xattr EPERM non-fatal (#7447)
  • Fix CRI plugin to setup pod network after creating the sandbox container (#7456)
  • Fix OCI pusher to retry request on writer reset (#7461)
  • Fix archive to validate digests before use (#7490)
  • Migrate from k8s.gcr.io to registry.k8s.io (#7549)
  • Fix CRI: PodSandboxStatus should tolerate missing task (#7551)
  • Fix io.containerd.runc.v1: Stats() shouldn't assume s.container is non-nil (#7557)
  • Enhance CRI plugin to add logging volume metrics (#7571)
  • Add support for CAP_BPF and CAP_PERFMON (#7574)

See the changelog for the complete list of changes.

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

  • Sebastiaan van Stijn
  • Akihiro Suda
  • Wei Fu
  • Samuel Karp
  • Kazuyoshi Kato
  • Maksym Pavlenko
  • Derek McGowan
  • Phil Estes
  • Qiutong Song
  • ruiwen-zhao
  • zounengren
  • Akhil Mohan
  • Andrey Klimentyev
  • Benjamin Elder
  • Henry Wang
  • Iceber Gu
  • Paco Xu
  • Sophie Liu
  • Ye Sijun
  • rongfu.leng

Changes

68 commits

  • [release/1.6] Prepare release notes for v1.6.9 (#7573)
  • [release/1.6] adding support of CAP_BPF and CAP_PERFMON (#7574)
    • 346412f5a adding support of CAP_BPF and CAP_PERFMON
  • [release/1.6] Add logging volume metrics to Containerd CRI plugin (#7571)
    • a956d8415 Add logging volume metrics to Containerd CRI plugin
  • [release/1.6] fix pusher concurrent close channel (#7562)
    • 29e2dea50 fix pusher concurrent close channel
  • [release/1.6] Stats() shouldn't assume s.container is non-nil (#7557)
    • 8a9d69385 [release/1.6] Stats() shouldn't assume s.container is non-nil
  • [release/1.6] cri: PodSandboxStatus should tolerate missing task (#7551)
    • a9adc7938 cri: PodSandboxStatus should tolerate missing task
  • [release/1.6] migrate from k8s.gcr.io to registry.k8s.io (#7549)
    • b66eb726a migrate from k8s.gcr.io to registry.k8s.io
  • [release/1.6] upgrade containerd/continuity from v0.2.2 to v0.3.0 (#7518)
    • 5b40993a5 [release/1.6] upgrade containerd/continuity from v0.2.2 to v0.3.0
  • [release/1.6] Update container with sandbox metadata after NetNS is created (#7505)
    • f2376e659 Update container with sandbox metadata after NetNS is created
  • [release/1.6] archive: validate digests before use (#7490)
    • 06f82efef archive: validate digests before use
  • [release/1.6] Update go 1.18.7, addresses CVE-2022-2879, CVE-2022-2880, CVE-2022-41715 (#7475)
  • [release/1.6] retry request on writer reset (#7461)
  • [release/1.6] Setup pod network after creating the sandbox container (#7456)
    • b9a35c6af Add integration tests with failpoint
    • 1f29fac48 Persist container and sandbox if resource cleanup fails, like teardownPodNetwork
  • [release/1.6] test: introduce failpoint control to runc-shimv2 and cni (#7455)
    • a85709c6c integration: simplify CNI-fp and add README.md
    • d89a8d223 pkg/failpoint: add FreeBSD link and update pkg doc
    • b0ce2965a integration: Add injected failpoint testing for RunPodSandbox
    • a7f956d86 integration: CNI bridge wrapper with failpoint
    • 07c479471 pkg/failpoint: add DelegatedEval API
    • 4a5bc05aa runtime/v2/shim: return if error in load plugin
    • 71ee7de24 bin/ctr,integration: new runc-shim with failpoint
    • 3e2e77849 runtime/v2: manager supports server interceptor
    • cb935bf49 pkg/failpoint: init failpoint package
  • [release/1.6] cherry-pick: make xattr EPERM non-fatal in createTarFile (#7447)
    • 2fdfd564c make xattr EPERM non-fatal in createTarFile
  • [release/1.6] remotes/docker/config: Skipping TLS verification for localhost (#7438)
    • 89e49609d remotes/docker/config: Skipping TLS verification for localhost
  • [release/1.6] .zuul: remove the zuul because it is offline (#7427)
    • b720be2ce remove stray .zuul.yaml
    • 6b30bc4b4 .zuul: remove the zuul because it is offline
  • [release/1.6] cherry-pick: Set grpc code for unimplemented cri-api methods (#7421)
    • 0f7e258ee Set grpc code for unimplemented cri-api methods
  • [release/1.6] cherry-pick: ContainerStatus to return container resources (#7410)