This allows us to run CI with the containerd snapshotter enabled, without
patching the daemon.json, or changing how tests set up daemon flags.
A warning log is added during startup, to inform if this variable is set,
as it should only be used for our integration tests.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The pkg-imports validation prevents reusable library packages from
depending on the whole daemon, accidentally or intentionally. The
allowlist is overly restrictive as it also prevents us from reusing code
in both pkg/ and daemon/ unless that code is also made into a reusable
library package under pkg/. Allow pkg/ packages to import internal/
packages which do not transitively depend on disallowed packages.
Signed-off-by: Cory Snider <csnider@mirantis.com>
This adds a new filter argument to the volume prune endpoint "all".
When this is not set, or it is a false-y value, then only anonymous
volumes are considered for pruning.
When `all` is set to a truth-y value, you get the old behavior.
This is an API change, but I think one that is what most people would
want.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Remove the "deadcode", "structcheck", and "varcheck" linters, as they are
deprecated:
WARN [runner] The linter 'deadcode' is deprecated (since v1.49.0) due to: The owner seems to have abandoned the linter. Replaced by unused.
WARN [runner] The linter 'structcheck' is deprecated (since v1.49.0) due to: The owner seems to have abandoned the linter. Replaced by unused.
WARN [runner] The linter 'varcheck' is deprecated (since v1.49.0) due to: The owner seems to have abandoned the linter. Replaced by unused.
WARN [linters context] structcheck is disabled because of generics. You can track the evolution of the generics support by following the https://github.com/golangci/golangci-lint/issues/2649.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The 1.16 `io/fs` compatibility code was being built on 1.18 and 1.19.
Drop it completely as 1.16 is long EOL, and additionally drop 1.17 as it
has been EOL for a month and 1.18 is both the minimum Go supported by
the 20.10 branch, as well as a very easy jump from 1.17.
Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
see https://github.com/koalaman/shellcheck/wiki/SC2155
Looking at how these were used, I don't think we even need to
export them, so removing that.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
validate other YAML files, such as the ones used in the documentation,
and GitHub actions workflows, to prevent issues such as;
- 30295c1750
- 8e8d9a3650
With this patch:
hack/validate/yamllint
Congratulations! yamllint config file formatted correctly
Congratulations! YAML files are formatted correctly
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Suppresses warnings like:
LANG=C.UTF-8 yamllint -c hack/validate/yamllint.yaml -f parsable .github/workflows/*.yml
.github/workflows/ci.yml:7:1: [warning] truthy value should be one of [false, true] (truthy)
.github/workflows/windows.yml:7:1: [warning] truthy value should be one of [false, true] (truthy)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Before:
10030:81 error line too long (89 > 80 characters) (line-length)
After:
api/swagger.yaml:10030:81: [error] line too long (89 > 80 characters) (line-length)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Don't make the file hidden, and add .yaml extension, so that editors
pick up the right formatting :)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The legacy v1 is not supported by the containerd import
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/containerd/containerd/v1.6.6...v1.6.7
Welcome to the v1.6.7 release of containerd!
The seventh patch release for containerd 1.6 contains various fixes,
includes a new version of runc and adds support for ppc64le and riscv64
(requires unreleased runc 1.2) builds.
Notable Updates
- Update runc to v1.1.3
- Seccomp: Allow clock_settime64 with CAP_SYS_TIME
- Fix WWW-Authenticate parsing
- Support RISC-V 64 and ppc64le builds
- Windows: Update hcsshim to v0.9.4 to fix regression with HostProcess stats
- Windows: Fix shim logs going to panic.log file
- Allow ptrace(2) by default for kernels >= 4.8
See the changelog for complete list of changes
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Careful management of the journal read pointer is sufficient to ensure
that no entry is read more than once.
Unit test the journald logger without requiring a running journald by
using the systemd-journal-remote command to write arbitrary entries to
journal files.
Signed-off-by: Cory Snider <csnider@mirantis.com>
This was added in 6cdc4ba6cd in 2016, likely
because at the time we were still building for CentOS 6 and Ubuntu 14.04.
All currently supported distros appear to be on _at least_ 219 now, so it looks
safe to remove this;
```bash
docker run -it --rm centos:7
yum install -y systemd-devel
pkg-config 'libsystemd >= 209' && echo "OK" || echo "KO"
OK
pkg-config --print-provides 'libsystemd'
libsystemd = 219
pkg-config --print-provides 'libsystemd-journal'
libsystemd-journal = 219
```
And on a `debian:buster` (old stable)
```bash
docker run -it --rm debian:buster
apt-get update && apt-get install -y libsystemd-dev pkg-config
pkg-config 'libsystemd >= 209' && echo "OK" || echo "KO"
OK
pkg-config --print-provides 'libsystemd'
libsystemd = 241
pkg-config --print-provides 'libsystemd-journal'
Package libsystemd-journal was not found in the pkg-config search path.
Perhaps you should add the directory containing `libsystemd-journal.pc'
to the PKG_CONFIG_PATH environment variable
No package 'libsystemd-journal' found
```
OpenSUSE leap (I think that's built for s390x)
```bash
docker run -it --rm docker.io/opensuse/leap:15
zypper install -y systemd-devel
pkg-config 'libsystemd >= 209' && echo "OK" || echo "KO"
OK
pkg-config --print-provides 'libsystemd'
libsystemd = 246
pkg-config --print-provides 'libsystemd-journal'
Package libsystemd-journal was not found in the pkg-config search path.
Perhaps you should add the directory containing `libsystemd-journal.pc'
to the PKG_CONFIG_PATH environment variable
No package 'libsystemd-journal' found
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
WARN [runner] The linter 'golint' is deprecated (since v1.41.0) due to: The repository of the linter has been archived by the owner. Replaced by revive.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/opencontainers/runc/compare/v1.1.2...v1.1.3
This is the third release of the 1.1.z series of runc, and contains
various minor improvements and bugfixes.
- Our seccomp `-ENOSYS` stub now correctly handles multiplexed syscalls on
s390 and s390x. This solves the issue where syscalls the host kernel did not
support would return `-EPERM` despite the existence of the `-ENOSYS` stub
code (this was due to how s390x does syscall multiplexing).
- Retry on dbus disconnect logic in libcontainer/cgroups/systemd now works as
intended; this fix does not affect runc binary itself but is important for
libcontainer users such as Kubernetes.
- Inability to compile with recent clang due to an issue with duplicate
constants in libseccomp-golang.
- When using systemd cgroup driver, skip adding device paths that don't exist,
to stop systemd from emitting warnings about those paths.
- Socket activation was failing when more than 3 sockets were used.
- Various CI fixes.
- Allow to bind mount `/proc/sys/kernel/ns_last_pid` to inside container.
- runc static binaries are now linked against libseccomp v2.5.4.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Welcome to the v1.6.5 release of containerd!
The fifth patch release for containerd 1.6 includes a few fixes and updated
version of runc.
Notable Updates
- Fix for older CNI plugins not reporting version
- Fix mount path handling for CRI plugin on Windows
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Similar to the (now removed) `apparmor` build tag, this build-time toggle existed for users who needed to build without the `libseccomp` library. That's no longer necessary, and given the importance of seccomp to the overall default security profile of Docker containers, it makes sense that any binary built for Linux should support (and use by default) seccomp if the underlying host does.
Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
This is the second patch release of the runc 1.1 release branch. It
fixes CVE-2022-29162, a minor security issue (which appears to not be
exploitable) related to process capabilities.
This is a similar bug to the ones found and fixed in Docker and
containerd recently (CVE-2022-24769).
- A bug was found in runc where runc exec --cap executed processes with
non-empty inheritable Linux process capabilities, creating an atypical Linux
environment. For more information, see GHSA-f3fp-gc8g-vw66 and CVE-2022-29162.
- runc spec no longer sets any inheritable capabilities in the created
example OCI spec (config.json) file.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Release notes:
Welcome to the v1.6.3 release of containerd!
The third patch release for containerd 1.6 includes various fixes and updates.
Notable Updates
- Fix panic when configuring tracing plugin
- Improve image pull performance in CRI plugin
- Check for duplicate nspath
- Fix deadlock in cgroup metrics collector
- Mount devmapper xfs file system with "nouuid" option
- Make the temp mount as ready only in container WithVolumes
- Fix deadlock from leaving transaction open in native snapshotter
- Monitor OOMKill events to prevent missing container events
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
pkg/urlutil (despite its poorly chosen name) is not really intended as a generic
utility to handle URLs, and should only be used by the builder to handle (remote)
build contexts.
- IsURL() only does a very rudimentary check for http(s):// prefixes, without any
other validation, but due to its name may give incorrect expectations.
- IsGitURL() is written specifically with docker build remote git contexts in
mind, and has handling for backward-compatibility, where strings that are
not URLs, but start with "github.com/" are accepted.
Because of the above, this patch:
- moves the package inside builder/remotecontext, close to where it's intended
to be used (ideally this would be part of build/remotecontext itself, but this
package imports many other dependencies, which would introduce those as extra
dependencies in the CLI).
- deprecates pkg/urlutil, but adds aliases as there are some external consumers.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This should help with CI being unstable when generating the types (due
to Go randomizing order). Unfortunately, the (file) names are a bit ugly,
but addressing that in a follow-up.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Welcome to the v1.5.10 release of containerd!
The tenth patch release for containerd 1.5 includes a fix for [CVE-2022-23648][1]
and other issues.
Notable Updates
- Use fs.RootPath when mounting volumes (GHSA-crp2-qrr5-8pq7)
- Return init pid when clean dead shim in runc.v1/v2 shims
- Handle sigint/sigterm in shimv2
- Use readonly mount to read user/group info
[1]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23648
[2]: https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
A copy of Go's archive/tar packge was vendored with a patch applied to
mitigate CVE-2019-14271. Vendoring standard library packages is not
supported by Go in module-aware mode, which is getting in the way of
maintenance. A different approach to mitigate the vulnerability is
needed which does not involve vendoring parts of the standard library.
glibc implements name service lookups such as users, groups and DNS
using a scheme known as Name Service Switch. The services are
implemented as modules, shared libraries which glibc dynamically links
into the process the first time a function requiring the module is
called. This is the crux of the vulnerability: if a process linked
against glibc chroots, then calls one of the functions implemented with
NSS for the first time, glibc may load NSS modules out of the chrooted
filesystem.
The API underlying the `docker cp` command is implemented by forking a
new process which chroots into the container's rootfs and writes a tar
stream of files from the container over standard output. It utilizes the
Go standard library's archive/tar package to write the tar stream. It
makes use of the tar.FileInfoHeader function to construct a tar.Header
value from an fs.FileInfo value. In modern versions of Go on *nix
platforms, FileInfoHeader will attempt to resolve the file's UID and GID
to their respective user and group names by calling the os/user
functions LookupId and LookupGroupId. The cgo implementation of os/user
on *nix performs lookups by calling the corresponding libc functions. So
when linked against glibc, calls to tar.FileInfoHeader after the
process has chrooted into the container's rootfs can have the side
effect of loading NSS modules from the container! Without any
mitigations, a malicious container image author can trivially get
arbitrary code execution by leveraging this vulnerability and escape the
chroot (which is not a sandbox) into the host.
Mitigate the vulnerability without patching or forking archive/tar by
hiding the OS-dependent file info from tar.FileInfoHeader which it needs
to perform the lookups. Without that information available it falls back
to populating the tar.Header with only the information obtainable
directly from the FileInfo value without making any calls into os/user.
Fixes#42402
Signed-off-by: Cory Snider <csnider@mirantis.com>
Looks like this may be needed for Go 1.18
Also updating the golangci-lint configuration to account for updated
exclusion rules.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The hack/vendor.sh script is used to (re)vendor dependencies. However, it did
not run `go mod tidy` before doing so, wheras the vendor _validation_ script
did.
This could result in vendor validation failing if go mod tidy resulted in
changes (which could be in `vendor.sum`).
In "usual" situations, this could be easily done by the user (`go mod tidy`
before running `go mod vendor`), but due to our (curent) uses of `vendor.mod`,
and having to first set up a (dummy) `go.mod`, this is more complicated.
Instead, just make the script do this, so that `hack/vendor.sh` will always
produce the expected result.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This test is verifying that the container has the right options set (through
`docker inspect`), but also checks if the cgroup-rules are set within the container
by reading `/sys/fs/cgroup/devices/devices`
Unlike cgroups v1, on cgroups v2, there is no file interface, and rules are handled
through ebpf, which means that the test will fail because this file is not present.
From the Linux documentation for cgroups v2: https://github.com/torvalds/linux/blob/v5.16/Documentation/admin-guide/cgroup-v2.rst#device-controller
> (...)
> Device controller manages access to device files. It includes both creation of
> new device files (using mknod), and access to the existing device files.
>
> Cgroup v2 device controller has no interface files and is implemented on top of
> cgroup BPF. To control access to device files, a user may create bpf programs
> of type BPF_PROG_TYPE_CGROUP_DEVICE and att>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- use `vendor.mod` instead of `go.mod` to avoid issues to do with
use of CalVer, not SemVer
- ensure most of the dependency versions do not change
- only zookeeper client has to change (via docker/libkv#218) as
previously used version is no longer maintained and has missing
dependencies
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The eighth patch release for containerd 1.5 contains a mitigation for CVE-2021-41190
as well as several fixes and updates.
Notable Updates
* Handle ambiguous OCI manifest parsing
* Filter selinux xattr for image volumes in CRI plugin
* Use DeactiveLayer to unlock layers that cannot be renamed in Windows snapshotter
* Fix pull failure on unexpected EOF
* Close task IO before waiting on delete
* Log a warning for ignored invalid image labels rather than erroring
* Update pull to handle of non-https urls in descriptors
See the changelog for complete list of changes
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The seventh patch release for containerd 1.5 is a security release to fix CVE-2021-41103.
Notable Updates:
- Fix insufficiently restricted permissions on container root and plugin directories
GHSA-c2h3-6mxw-7mvq
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- Install apparmor parser for arm64 and update seccomp to 2.5.1
- Update runc binary to 1.0.2
- Update hcsshim to v0.8.21 to fix layer issue on Windows Server 2019
- Add support for 'clone3' syscall to fix issue with certain images when seccomp is enabled
- Add image config labels in CRI container creation
- Fix panic in metadata content writer on copy error
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This moves installers that are only used during CI into the Dockerfile. Some
installers are still used in the release-pipeline, so keeping thos for now.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The golangci-lint, gotestsum, shfmt, and vndr utilities should generally
be ok to be pinned by version instead of a specific sha. Also rename
the corresponding env-vars / build-args accordingly:
- GOLANGCI_LINT_COMMIT -> GOLANGCI_LINT_VERSION
- GOTESTSUM_COMMIT -> GOTESTSUM_VERSION
- SHFMT_COMMIT -> SHFMT_VERSION
- VNDR_COMMIT -> VNDR_VERSION
- CONTAINERD_COMMIT -> CONTAINERD_VERSION
- RUNC_COMMIT -> RUNC_VERSION
- ROOTLESS_COMMIT -> ROOTLESS_VERSION
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This build-tag was removed in 52390d6804,
which is part of runc v1.0.0-rc94 and up, so no longer relevant.
the kmem options are now always disabled in runc.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Golang '.0' releases are released without a trailing .0 (i.e. go1.17
is equal to go1.17.0). For the base image, we want to specify the go
version including their patch release (golang:1.17 is equivalent to
go1.17.x), so adjust the script to also accept the trailing .0, because
otherwise the download-URL is not found:
hack/vendor.sh archive/tar
update vendored copy of archive/tar
downloading: https://golang.org/dl/go1.17.0.src.tar.gz
curl: (22) The requested URL returned error: 404
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
These checks were added when we required a specific version of containerd
and runc (different versions were known to be incompatible). I don't think
we had a similar requirement for tini, so this check was redundant. Let's
remove the check altogether.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Run all tests within `libnetwork` namespace with `-p=1`
in a separate `gotestsum` invocation.
Signed-off-by: Roman Volosatovs <roman.volosatovs@docker.com>
Welcome to the v1.5.5 release of containerd!
The fifth patch release for containerd 1.5 updates runc to 1.0.1 and contains
other minor updates.
Notable Updates
- Update runc binary to 1.0.1
- Update pull logic to try next mirror on non-404 response
- Update pull authorization logic on redirect
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/containerd/containerd/compare/v1.5.2...v1.5.3
Welcome to the v1.5.3 release of containerd!
The third patch release for containerd 1.5 updates runc to 1.0.0 and contains
various other fixes.
Notable Updates
- Update runc binary to 1.0.0
- Send pod UID to CNI plugins as K8S_POD_UID
- Fix invalid validation error checking
- Fix error on image pull resume
- Fix User Agent sent to registry authentication server
- Fix symlink resolution for disk mounts on Windows
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- Fix the error message in hack/validate/vendor to specify that
hack/vendor.sh should be run instead of vndr.
- Fix hack/vendor.sh to also match on Windows paths for the whitelist.
This allows the script to be run on Windows via Git Bash.
Signed-off-by: Kevin Parsons <kevpar@microsoft.com>
Since this command is part of the official distribution and even
required for tests, let's move this up to the main cmd's.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This should make sure the link is still meaningful if that file drastically changes (which should make it easier to trace where the interesting block of code moved to and how it changes over time).
Also, add TODO items for Go 1.15+ and 1.16+ where we can "pie" more builds.
Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
It's already omitted for ppc64 in
hack/dockerfile/install/install.sh
not using wildcard, because GOARCH=ppc64le supports pie
Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>
The message changed from "is deprecated" to "has been deprecated":
client/hijack.go:85:16: SA1019: httputil.NewClientConn has been deprecated since Go 1.0: Use the Client or Transport in package net/http instead. (staticcheck)
clientconn := httputil.NewClientConn(conn, nil)
^
integration/plugin/authz/authz_plugin_test.go:180:7: SA1019: httputil.NewClientConn has been deprecated since Go 1.0: Use the Client or Transport in package net/http instead. (staticcheck)
c := httputil.NewClientConn(conn, nil)
^
integration/plugin/authz/authz_plugin_test.go:479:12: SA1019: httputil.NewClientConn has been deprecated since Go 1.0: Use the Client or Transport in package net/http instead. (staticcheck)
client := httputil.NewClientConn(conn, nil)
^
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The LCOW implementation in dockerd has been deprecated in favor of re-implementation
in containerd (in progress). Microsoft started removing the LCOW V1 code from the
build dependencies we use in Microsoft/opengcs (soon to be part of Microsoft/hcshhim),
which means that we need to start removing this code.
This first step removes the lcow graphdriver, the LCOW initialization code, and
some LCOW-related utilities.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
libnetwork does different stuff depending on if you are running the
tests in a container or not... without telling it we are in a container
a bunch of the tests actually fail.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Update libnetwork to make `docker run -p 80:80` functional again on environments
with kernel boot parameter `ipv6.disable=1`.
full diff: b3507428be...64b7a4574d
- fix port forwarding with ipv6.disable=1
- fixes moby/moby/42288 Docker 20.10.6: all containers stopped and cannot start if ipv6 is disabled on host
- fixes docker/libnetwork/2629 Network issue with IPv6 following update to version 20.10.6
- fixesdocker/for-linux/1233 Since 20.10.6 it's not possible to run docker on a machine with disabled IPv6 interfaces
- vendor: github.com/ishidawataru/sctp f2269e66cdee387bd321445d5d300893449805be
- Enforce order of lock acquisitions on network/controller, fixes#2632
- fixes docker/libnetwork/2632 Name resolution stuck due to deadlock between different network struct methods
- fixes moby/moby/42032 Docker deamon get's stuck, can't serve DNS requests
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/opencontainers/runc/compare/v1.0.0-rc94...v1.0.0-rc95
Release notes:
This release of runc contains a fix for CVE-2021-30465, and users are
strongly recommended to update (especially if you are providing
semi-limited access to spawn containers to untrusted users).
Aside from this security fix, only a few other changes were made since
v1.0.0-rc94 (the only user-visible change was the addition of support
for defaultErrnoRet in seccomp profiles).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
INFO: Running integration tests at 05/17/2021 12:54:50...
INFO: DOCKER_HOST at tcp://127.0.0.1:2357
INFO: Integration API tests being run from the host:
INFO: make.ps1 starting at 05/17/2021 12:54:50
powershell.exe : go: cannot find main module, but found vendor.conf in D:\gopath\src\github.com\docker\docker
At D:\gopath\src\github.com\docker\docker@tmp\durable-1ed00396\powershellWrapper.ps1:3 char:1
+ & powershell -NoProfile -NonInteractive -ExecutionPolicy Bypass -Comm ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (go: cannot find...m\docker\docker:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
to create a module there, run:
go mod init
INFO: make.ps1 ended at 05/17/2021 12:54:51
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Certificates were originally added in c000cb6471,
but did not include a script to generate them. Current versions of Go expect
certificates to use SAN instead of Common Name fields, so updating the script
to include those;
x509: certificate relies on legacy Common Name field, use SANs or temporarily
enable Common Name matching with GODEBUG=x509ignoreCN=0
Some fields were updated to be a bit more descriptive (instead of "replaceme"),
and the `-text` option was used to include a human-readable variant of the
content.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
We perform a DCO check before we run all other tests, so we can skip it
as part of the validate step.
Leaving the line in for visibility, and in case we switch from Jenkins
to (e.g.) GitHub actions.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/containerd/containerd/compare/v1.5.0...v1.5.1
Notable Updates
- Update runc to rc94
- Fix registry mirror authorization logic in CRI plugin
- Fix regression in cri-cni-release to include cri tools
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Welcome to the v1.5.0 release of containerd!
The sixth major release of containerd includes many stability improvements
and code organization changes to make contribution easier and make future
features cleaner to develop. This includes bringing CRI development into the
main containerd repository and switching to Go modules. This release also
brings support for the Node Resource Interface (NRI).
Highlights
--------------------------------------------------------------------------------
*Project Organization*
- Merge containerd/cri codebase into containerd/containerd
- Move to Go modules
- Remove selinux build tag
- Add json log format output option for daemon log
*Snapshots*
- Add configurable overlayfs path
- Separate overlay implementation from plugin
- Native snapshotter configuration and plugin separation
- Devmapper snapshotter configuration and plugin separation
- AUFS snapshotter configuration and plugin separation
- ZFS snapshotter configuration and plugin separation
- Pass custom snapshot labels when creating snapshot
- Add platform check for snapshotter support when unpacking
- Handle loopback mounts
- Support userxattr mount option for overlay in user namespace
- ZFS snapshotter implementation of usage
*Distribution*
- Improve registry response errors
- Improve image pull performance over HTTP 1.1
- Registry configuration package
- Add support for layers compressed with zstd
- Allow arm64 to fallback to arm (v8, v7, v6, v5)
*Runtime*
- Add annotations to containerd task update API
- Add logging binary support when terminal is true
- Runtime support on FreeBSD
*Windows*
- Implement windowsDiff.Compare to allow outputting OCI images
- Optimize WCOW snapshotter to commit writable layers as read-only parent layers
- Optimize LCOW snapshotter use of scratch layers
*CRI*
- Add NRI injection points cri#1552
- Add support for registry host directory configuration
- Update privileged containers to use current capabilities instead of known capabilities
- Add pod annotations to CNI call
- Enable ocicrypt by default
- Support PID NamespaceMode_TARGET
Impactful Client Updates
--------------------------------------------------------------------------------
This release has changes which may affect projects which import containerd.
*Switch to Go modules*
containerd and all containerd sub-repositories are now using Go modules. This
should help make importing easier for handling transitive dependencies. As of
this release, containerd still does not guarantee client library compatibility
for 1.x versions, although best effort is made to minimize impact from changes
to exported Go packages.
*CRI plugin moved to main repository*
With the CRI plugin moving into the main repository, imports under github.com/containerd/cri/
can now be found github.com/containerd/containerd/pkg/cri/.
There are no changes required for end users of CRI.
*Library changes*
oci
The WithAllCapabilities has been removed and replaced with WithAllCurrentCapabilities
and WithAllKnownCapabilities. WithAllKnownCapabilities has similar
functionality to the previous WithAllCapabilities with added support for newer
capabilities. WithAllCurrentCapabilities can be used to give privileged
containers the same set of permissions as the calling process, preventing errors
when privileged containers attempt to get more permissions than given to the
caller.
*Configuration changes*
New registry.config_path for CRI plugin
registry.config_path specifies a directory to look for registry hosts
configuration. When resolving an image name during pull operations, the CRI
plugin will look in the <registry.config_path>/<image hostname>/ directory
for host configuration. An optional hosts.toml file in that directory may be
used to configure which hosts will be used for the pull operation as well
host-specific configurations. Updates under that directory do not require
restarting the containerd daemon.
Enable registry.config_path in the containerd configuration file.
[plugins."io.containerd.grpc.v1.cri".registry]
config_path = "/etc/containerd/certs.d"
Configure registry hosts, such as /etc/containerd/certs.d/docker.io/hosts.toml
for any image under the docker.io namespace (any image on Docker Hub).
server = "https://registry-1.docker.io"
[host."https://public-mirror.example.com"]
capabilities = ["pull"]
[host."https://docker-mirror.internal"]
capabilities = ["pull", "resolve"]
ca = "docker-mirror.crt"
If no hosts.toml configuration exists in the host directory, it will fallback
to check certificate files based on Docker's certificate file
pattern (".crt" files for CA certificates and ".cert"/".key" files for client
certificates).
*Deprecation of registry.mirrors and registry.configs in CRI plugin*
Mirroring and TLS can now be configured using the new registry.config_path
option. Existing configurations may be migrated to new host directory
configuration. These fields are only deprecated with no planned removal,
however, these configurations cannot be used while registry.config_path is
defined.
*Version 1 schema is deprecated*
Version 2 of the containerd configuration toml is recommended format and the
default. Starting this version, a deprecation warning will be logged when
version 1 is used.
To check version, see the version value in the containerd toml configuration.
version=2
FreeBSD Runtime Support (Experimental)
--------------------------------------------------------------------------------
This release includes changes that allow containerd to run on FreeBSD with a
compatible runtime, such as runj. This
support should be considered experimental and currently there are no official
binary releases for FreeBSD. The runtimes used by containerd are maintained
separately and have their own stability guarantees. The containerd project
strives to be compatible with any runtime which aims to implement containerd's
shim API and OCI runtime specification.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The github.com/BurntSushi/toml project is no longer maintained,
and containerd is switching to this project instead, so start
moving our code as well.
This patch only changes the binary used during validation (tbh,
we could probably remove this validation step, but leaving that
for now).
I manually verified that the hack/verify/toml still works by adding a commit
that makes the MAINTAINERS file invalid;
diff --git a/MAINTAINERS b/MAINTAINERS
index b739e7e20c..81ababd8de 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -23,7 +23,7 @@
# a subsystem, they are responsible for doing so and holding the
# subsystem maintainers accountable. If ownership is unclear, they are the de facto owners.
- people = [
+ people =
"akihirosuda",
"anusha",
"coolljt0725",
Running `hack/verify/toml` was able to detect the broken format;
hack/validate/toml
(27, 4): keys cannot contain , characterThese files are not valid TOML:
- MAINTAINERS
Please reformat the above files as valid TOML
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: fa125a3512...b3507428be
- fixed IPv6 iptables rules for enabled firewalld (libnetwork#2609)
- fixes "Docker uses 'iptables' instead of 'ip6tables' for IPv6 NAT rule, crashes"
- Fix regression in docker-proxy
- introduced in "Fix IPv6 Port Forwarding for the Bridge Driver" (libnetwork#2604)
- fixes/addresses: "IPv4 and IPv6 addresses are not bound by default anymore" (libnetwork#2607)
- fixes/addresses "IPv6 is no longer proxied by default anymore" (moby#41858)
- Use hostIP to decide on Portmapper version
- fixes docker-proxy not being stopped correctly
Port mapping of containers now contain separatet mappings for IPv4 and IPv6 addresses, when
listening on "any" IP address. Various tests had to be updated to take multiple mappings into
account.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Since rootlesskit removed vendor folder, building it has to rely on go mod.
Dockerfile in docker-ce-packaging uses GOPROXY=direct, which makes "go mod"
commands use git to fetch modules. "go mod" in Go versions before 1.14.1 are
incompatible with older git versions, including the version of git that ships
with CentOS/RHEL 7 (which have git 1.8), see golang/go#38373
This patch switches rootlesskit install script to set GOPROXY to
https://proxy.golang.org so that git is not required for downloading modules.
Once all our code has upgraded to Go 1.14+, this workaround should be
removed.
Signed-off-by: Tibor Vass <tibor@docker.com>
full diff: https://github.com/rootless-containers/rootlesskit/compare/v0.13.1...v0.14.0
v0.14.0 Changes (since v0.13.2)
--------------------------------------
- CLI: improve --help output
- API: support GET /info
- Port API: support specifying IP version explicitly ("tcp4", "tcp6")
- rootlesskit-docker-proxy: support libnetwork >= 20201216 convention
- Allow vendoring with moby/sys/mountinfo@v0.1.3 as well as @v0.4.0
- Remove socat port driver
- socat driver has been deprecated since v0.7.1 (Dec 2019)
- New experimental flag: --ipv6
- Enables IPv6 routing (slirp4netns --enable-ipv6). Unrelated to port driver.
v0.13.2
--------------------------------------
- Fix cleaning up crashed state dir
- Update Go to 1.16
- Misc fixes
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/containerd/containerd/compare/v1.4.3...v1.4.4
Release notes:
The fourth patch release for `containerd` 1.4 contains a fix for CVE-2021-21334
along with various other minor issues.
See [GHSA-36xw-fx78-c5r4](https://github.com/containerd/containerd/security/advisories/GHSA-36xw-fx78-c5r4)
for more details related to CVE-2021-21334.
Notable Updates
- Fix container create in CRI to prevent possible environment variable leak between containers
- Update shim server to return grpc NotFound error
- Add bounds on max `oom_score_adj` value for shim's AdjustOOMScore
- Update task manager to use fresh context when calling shim shutdown
- Update Docker resolver to avoid possible concurrent map access panic
- Update shim's log file open flags to avoid containerd hang on syscall open
- Fix incorrect usage calculation
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
v0.13.1
- Refactor `ParsePortSpec` to handle IPv6 addresses, and improve validation
v0.13.0
- `rootlesskit --pidns`: fix propagating exit status
- Support cgroup2 evacuation, e.g., `systemd-run -p Delegate=yes --user -t rootlesskit --cgroupns --pidns --evacuate-cgroup2=evac --net=slirp4netns bash`
v0.12.0
- Port forwarding API now supports setting `ChildIP`
- The `vendor` directory is no longer included in this repo. Run `go mod vendor` if you need
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/opencontainers/runc/compare/v1.0.0-rc92...v1.0.0-rc93
release notes: https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc93
Release notes for runc v1.0.0-rc93
-------------------------------------------------
This is the last feature-rich RC release and we are in a feature-freeze until
1.0. 1.0.0~rc94 will be released in a few weeks with minimal bug fixes only,
and 1.0.0 will be released soon afterwards.
- runc's cgroupv2 support is no longer considered experimental. It is now
believed to be fully ready for production deployments. In addition, runc's
cgroup code has been improved:
- The systemd cgroup driver has been improved to be more resilient and
handle more systemd properties correctly.
- We now make use of openat2(2) when possible to improve the security of
cgroup operations (in future runc will be wholesale ported to libpathrs to
get this protection in all codepaths).
- runc's mountinfo parsing code has been reworked significantly, making
container startup times significantly faster and less wasteful in general.
- runc now has special handling for seccomp profiles to avoid making new
syscalls unusable for glibc. This is done by installing a custom prefix to
all seccomp filters which returns -ENOSYS for syscalls that are newer than
any syscall in the profile (meaning they have a larger syscall number).
This should not cause any regressions (because previously users would simply
get -EPERM rather than -ENOSYS, and the rule applied above is the most
conservative rule possible) but please report any regressions you find as a
result of this change -- in particular, programs which have special fallback
code that is only run in the case of -EPERM.
- runc now supports the following new runtime-spec features:
- The umask of a container can now be specified.
- The new Linux 5.9 capabilities (CAP_PERFMON, CAP_BPF, and
CAP_CHECKPOINT_RESTORE) are now supported.
- The "unified" cgroup configuration option, which allows users to explicitly
specify the limits based on the cgroup file names rather than abstracting
them through OCI configuration. This is currently limited in scope to
cgroupv2.
- Various rootless containers improvements:
- runc will no longer cause conflicts if a user specifies a custom device
which conflicts with a user-configured device -- the user device takes
precedence.
- runc no longer panics if /sys/fs/cgroup is missing in rootless mode.
- runc --root is now always treated as local to the current working directory.
- The --no-pivot-root hardening was improved to handle nested mounts properly
(please note that we still strongly recommend that users do not use
--no-pivot-root -- it is still an insecure option).
- A large number of code cleanliness and other various cleanups, including
fairly large changes to our tests and CI to make them all run more
efficiently.
For packagers the following changes have been made which will have impact on
your packaging of runc:
- The "selinux" and "apparmor" buildtags have been removed, and now all runc
builds will have SELinux and AppArmor support enabled. Note that "seccomp"
is still optional (though we very highly recommend you enable it).
- make install DESTDIR= now functions correctly.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
NOTE: the Dockerfile currently uses a single version of Golang for all
stages. This means that currently, all binaries are built with Go
1.13.x, including the containerd binary; upstream containerd switched
to use Go 1.15.
full diff: https://github.com/containerd/containerd/compare/v1.4.1...v1.4.2
Release notes:
Welcome to the v1.4.2 release of containerd!
------------------------------------------------------
The second patch release for containerd 1.4 includes multiple minor fixes
and updates.
Notable Updates
- Fix bug limiting the number of layers by default containerd/cri#1602
- Fix selinux shared memory issue by relabeling /dev/shm containerd/cri#1605
- Fix unknown state preventing removal of containers containerd/containerd#4656
- Fix nil pointer error when restoring checkpoint containerd/containerd#4754
- Improve image pull performance when using HTTP 1.1 containerd/containerd#4653
- Update default seccomp profile for pidfd containerd/containerd#4730
- Update Go to 1.15
Windows
- Fix integer overflow on Windows containerd/containerd#4589
- Fix lcow snapshotter to read trailing tar data containerd/containerd#4628
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This test validates that `RUN` and `COPY` both target a read-write
sandbox on Windows that is configured according to the daemon's
`storage-opts` setting.
Sadly, this is a slow test, so we need to bump the timeout to 60 minutes
from the default of 10 minutes.
Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
It turns out that the Finally block does not see the exit code from the
`exit` call that triggered it, but from an earlier state. And it seems
that actions take in the Finally block other than `exit` will not affect
the $LastErrorCode set by the `exit` that triggered the Finally block.
Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
Otherwise the cache gets written to bundles instead of to the volume
that we setup in the Makefile as expected.
Found this because vscode did not like having these huge objects in
bundles/ (didn't harm anything, just that it noticed and said hey I don't
like that).
This enables cache-reuse when building the test binaries.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
We were using "go get", whith would try to fetch some dependencies
that are not in the version we're installing,
go get -d github.com/golangci/golangci-lint/cmd/golangci-lint
Causing the build to fail;
package 4d63.com/gochecknoglobals/checknoglobals: unrecognized import path "4d63.com/gochecknoglobals/checknoglobals" (parse https://4d63.com/gochecknoglobals/checknoglobals?go-get=1: no go-import meta tags ())
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>