add go1.26.0 into test matrix and remove go1.24 Signed-off-by: Akhil Mohan <[email protected]>
go 1.26 removes support for windows/arm (NOT windows/arm64) ref: https://tip.golang.org/doc/go1.26#windows Signed-off-by: Akhil Mohan <[email protected]>
Signed-off-by: Akhil Mohan <[email protected]>
When a higher version of a drop-in config is used than the root containerd config, do not load the config. When the config is merged, the higher version takes precedence, preventing the root config from getting migrated to the newer version. Signed-off-by: Akhil Mohan <[email protected]>
When the local transfer plugin is instantiated, it loads verifiers through `ic.GetByType()` which returns ErrPluginNotFound if no plugins of the given type are available. This would happen if users explicitly disabled the bindir plugin. Users may wish to disable that plugin to prevent containerd from executing arbitrary binaries on the host (e.g. when running rootless). Currently, the only way to achieve that is to set bindir's param `bin_dir` to the empty string, but that seems more fragile than disabling the plugin altogether. The local transfer plugin is already checking if there are no plugins available, and takes action accordingly. Thus, not handling `ErrPluginNotFound` seems to be an oversight. Signed-off-by: Albin Kerouanton <[email protected]>
If docker in the host is configured to use the containerd image format,
then the docker pull/save commands above download the multi-platform
image. IOW, the index.json has references to the other platforms' SHAs.
These references to things that are not present (the artifacts for other
platforms) are what make `ctr` fail. However, if we specify a platform,
then ctr ignores the other platforms and the import works just fine.
To try this locally, you can:
```
$ docker pull ghcr.io/containerd/busybox:1.36
$ docker save ghcr.io/containerd/busybox:1.36 -o image.tar
$ ctr images import --local=true image.tar
```
The last command will fail if you are using the containerd image store
in docker. If you specify the platform with --platform, it works fine.
With the docker overlay2 storage driver, if you untar the image you get only
things relevant for your platform:
```
$ cat index.json | jq
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.index.v1+json",
  "manifests": [
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:4d6b13f2ddbe87da8d9dee3719df1723a6d768e511802e70d42ab15370c6eb24",
      "size": 401,
      "annotations": {
        "io.containerd.image.name": "ghcr.io/containerd/busybox:1.36",
        "org.opencontainers.image.ref.name": "1.36"
      }
    }
  ]
}
$ cat blobs/sha256/4d6b13f2ddbe87da8d9dee3719df1723a6d768e511802e70d42ab15370c6eb24 | jq
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {
    "mediaType": "application/vnd.oci.image.config.v1+json",
    "digest": "sha256:66ba00ad3de8677a3fa4bc4ea0fc46ebca0f14db46ca365e7f60833068dd0148",
    "size": 1457
  },
  "layers": [
    {
      "mediaType": "application/vnd.oci.image.layer.v1.tar",
      "digest": "sha256:b64792c17e4ad443d16b218afb3a8f5d03ca0f4ec49b11c1a7aebe17f6c3c1d2",
      "size": 5096448
    }
  ]
}
```
But with the other you get a lot of other platforms too:
```
$ cat index.json | jq
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.index.v1+json",
  "manifests": [
    {
      "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
      "digest": "sha256:7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c",
      "size": 2295,
      "annotations": {
        "containerd.io/distribution.source.ghcr.io": "containerd/busybox",
        "io.containerd.image.name": "ghcr.io/containerd/busybox:1.36",
        "org.opencontainers.image.ref.name": "1.36"
      }
    }
  ]
}
$ cat blobs/sha256/7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c | jq
{
  "manifests": [
    {
      "digest": "sha256:907ca53d7e2947e849b839b1cd258c98fd3916c60f2e6e70c30edbf741ab6754",
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "platform": {
        "architecture": "amd64",
        "os": "linux"
      },
      "size": 528
    },
    {
      "digest": "sha256:dde8e930c7b6a490f728e66292bc9bce42efc9bbb5278bae40e4f30f6e00fe8c",
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "platform": {
        "architecture": "arm",
        "os": "linux",
        "variant": "v5"
      },
      "size": 528
    },
    {
    ...
```
You can switch to the containerd snapshotter in docker by adding this to the daemon.json:
```
{
"features": {
"containerd-snapshotter": true
}
}
```
Signed-off-by: Rodrigo Campos <[email protected]>
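As an added illustration of why the import fails (this is not code from containerd or from the commit above): the checker below parses a constructed manifest list, reports which referenced manifests have no blob in the tar, and shows that restricting to a single platform, as `ctr --platform` does, leaves nothing missing. The digests and the `presentBlobs` set are placeholders constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal subset of the OCI image-spec types needed to walk a manifest list.
type Platform struct {
	Architecture string `json:"architecture"`
	OS           string `json:"os"`
	Variant      string `json:"variant,omitempty"`
}

type Descriptor struct {
	MediaType string    `json:"mediaType"`
	Digest    string    `json:"digest"`
	Platform  *Platform `json:"platform,omitempty"`
}

type Index struct {
	Manifests []Descriptor `json:"manifests"`
}

// Constructed sample: a manifest list that references two platforms. Only the
// amd64 manifest blob is present in the (simulated) tar; digests are placeholders.
const sampleList = `{"manifests":[
 {"digest":"sha256:aaaa","mediaType":"application/vnd.docker.distribution.manifest.v2+json","platform":{"architecture":"amd64","os":"linux"}},
 {"digest":"sha256:bbbb","mediaType":"application/vnd.docker.distribution.manifest.v2+json","platform":{"architecture":"arm","os":"linux","variant":"v5"}}]}`

var presentBlobs = map[string]bool{"sha256:aaaa": true}

// missingManifests returns the digests referenced by the list that have no blob.
// When want is non-nil only manifests for that platform are considered, which is
// the effect of passing --platform to ctr: other platforms are simply ignored.
func missingManifests(listJSON string, blobs map[string]bool, want *Platform) ([]string, error) {
	var idx Index
	if err := json.Unmarshal([]byte(listJSON), &idx); err != nil {
		return nil, err
	}
	var missing []string
	for _, d := range idx.Manifests {
		if want != nil && (d.Platform == nil || *d.Platform != *want) {
			continue
		}
		if !blobs[d.Digest] {
			missing = append(missing, d.Digest)
		}
	}
	return missing, nil
}

func main() {
	all, _ := missingManifests(sampleList, presentBlobs, nil)
	fmt.Println("missing without --platform:", all)
	amd64, _ := missingManifests(sampleList, presentBlobs, &Platform{OS: "linux", Architecture: "amd64"})
	fmt.Println("missing with --platform linux/amd64:", amd64)
}
```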
integration: Fix TestImageLoad() failure on CI
This downstreams the patch from [moby@b4a6ccb]:
> drop useless apparmor denies
> These files don't exist under proc so this rule does nothing.
>
> They are protected against by docker's default cgroup devices since they're
> both character devices and not explicitly allowed.
[moby@b4a6ccb]: moby/moby@b4a6ccb
Co-authored-by: Tycho Andersen <[email protected]>
Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Sebastiaan van Stijn <[email protected]>
Fix dupwords
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.32.2 to 4.32.3.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@45cbd0c...9e907b5)
---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.32.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <[email protected]>
Bumps [github.com/containerd/cgroups/v3](https://github.com/containerd/cgroups) from 3.1.2 to 3.1.3.
- [Release notes](https://github.com/containerd/cgroups/releases)
- [Commits](containerd/cgroups@v3.1.2...v3.1.3)
---
updated-dependencies:
- dependency-name: github.com/containerd/cgroups/v3
  dependency-version: 3.1.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <[email protected]>
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.78.0 to 1.79.1.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.78.0...v1.79.1)
---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-version: 1.79.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <[email protected]>
Align with the version of ttrpc used. full diff: containerd/ttrpc@v1.2.5...v1.2.7 Signed-off-by: Sebastiaan van Stijn <[email protected]>
The current AppArmor profile intends to block write access to everything
in `/proc`, except for `/proc/<pid>` and `/proc/sys/kernel/shm*`.
Currently the rules block access to everything in `/proc/sys`, and do
not successfully allow access to `/proc/sys/kernel/shm*`. Specifically,
a path like /proc/sys/kernel/shmmax matches this part of the pattern:
```
deny @{PROC}/{[^1-9][^0-9][^0-9][^0-9]*}/** w,
      /proc /   s     y     s     /   kernel /shmmax
```
This downstreams the patch from [moby@66f14e4] to the containerd profile,
and updates the rule so that it works as intended.
[moby@66f14e4]: moby/moby@66f14e4
Co-authored-by: Phil Sphicas <[email protected]>
Signed-off-by: Sebastiaan van Stijn <[email protected]>
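To see why the deny rule swallowed the `shm*` exception, here is an added Go example (not part of this commit or of containerd) that translates the rule's path glob into a regular expression and checks which paths it covers. The translation is an approximation of AppArmor matching written for this example: `*` stops at `/`, `**` crosses it, and a negated class such as `[^0-9]` may match `/`, which is exactly what lets `sys/` consume the four leading positions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Path glob of the deny rule quoted in the commit message (permission "w" dropped).
const denyGlob = "@{PROC}/{[^1-9][^0-9][^0-9][^0-9]*}/**"

// apparmorGlobToRegexp converts the subset of AppArmor globbing used by the
// rule above into a Go regexp. Approximation for this example, not AppArmor's
// parser: @{PROC} -> /proc, * -> [^/]*, ** -> .*, {a,b} -> (?:a|b), and
// character classes ([..] / [^..]) are passed through unchanged.
func apparmorGlobToRegexp(glob string) (*regexp.Regexp, error) {
	glob = strings.ReplaceAll(glob, "@{PROC}", "/proc")
	var b strings.Builder
	b.WriteString("^")
	for i := 0; i < len(glob); i++ {
		c := glob[i]
		switch {
		case c == '*' && i+1 < len(glob) && glob[i+1] == '*':
			b.WriteString(".*") // ** matches across directory separators
			i++
		case c == '*':
			b.WriteString("[^/]*") // * stops at the next '/'
		case c == '{':
			b.WriteString("(?:")
		case c == '}':
			b.WriteString(")")
		case c == ',':
			b.WriteString("|")
		case c == '[' || c == ']' || c == '^' || c == '-':
			b.WriteByte(c) // class syntax is shared with Go regexp
		default:
			b.WriteString(regexp.QuoteMeta(string(c)))
		}
	}
	b.WriteString("$")
	return regexp.Compile(b.String())
}

// deniedByRule reports whether the deny rule's path pattern matches path.
func deniedByRule(path string) bool {
	re, err := apparmorGlobToRegexp(denyGlob)
	if err != nil {
		panic(err)
	}
	return re.MatchString(path)
}

func main() {
	for _, p := range []string{"/proc/sys/kernel/shmmax", "/proc/1234/status", "/proc/sysrq-trigger"} {
		fmt.Printf("%-26s denied=%v\n", p, deniedByRule(p))
	}
}
```

The shm path is matched by the deny rule, while `/proc/<pid>/...` paths are not, which is the behaviour the message describes.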
Generating protos produced a warning:
```
WARN plugin "protoc-gen-go-fieldpath" does not support required features. Feature "proto3 optional" is required by 1 file(s): services/images/v1/images.proto
```
Implement handling for optional fields (nillable / pointer)
Signed-off-by: Sebastiaan van Stijn <[email protected]>
install-dev-tools: update protoc-gen-go-ttrpc to v1.2.7
…b.com/containerd/cgroups/v3-3.1.3 build(deps): bump github.com/containerd/cgroups/v3 from 3.1.2 to 3.1.3
…e.golang.org/grpc-1.79.1 build(deps): bump google.golang.org/grpc from 1.78.0 to 1.79.1
…ithub/codeql-action-4.32.3 build(deps): bump github/codeql-action from 4.32.2 to 4.32.3
contrib/apparmor: remove non-matching rules for /proc/mem, /proc/kmem
Signed-off-by: Maksym Pavlenko <[email protected]>
Signed-off-by: Maksym Pavlenko <[email protected]>
Signed-off-by: Maksym Pavlenko <[email protected]>
Signed-off-by: Maksym Pavlenko <[email protected]>
Signed-off-by: Maksym Pavlenko <[email protected]>
ci: add build/test go1.26.0, drop go1.24
Remove Container field from sandbox metadata
Privileged containers don't have a cgroup namespace and share the host's cgroup namespace. Mounting cgroup2 inside these containers can inadvertently alter the host's cgroup2 VFS superblock mount options because they are shared. To prevent this, update WithMounts to read the host's /sys/fs/cgroup mount options and explicitly propagate nsdelegate and memory_recursiveprot into the container's mount spec. This avoids stripping them on the host when they are not in the hardcoded default set. Signed-off-by: Chris Henzie <[email protected]>
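An added example (not the commit's own code) of the approach described above: read the host's cgroup2 super options from a constructed `/proc/self/mountinfo` excerpt and propagate `nsdelegate` and `memory_recursiveprot` into the container's mount options. The default option set for the cgroup mount is an assumption made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed /proc/self/mountinfo excerpt (not captured from a real host).
const sampleMountinfo = `25 30 0:23 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
34 25 0:29 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime shared:9 - cgroup2 cgroup2 rw,nsdelegate,memory_recursiveprot
`

// Assumed default option set for the privileged cgroup2 mount in the spec.
var defaultCgroupOpts = []string{"nosuid", "noexec", "nodev", "relatime", "rw"}

// Superblock options that must follow the host: a privileged container shares
// the host cgroup namespace, so mounting cgroup2 without them would strip them
// from the shared superblock.
var propagatedOpts = []string{"nsdelegate", "memory_recursiveprot"}

// hostCgroupSuperOpts returns the super options of the /sys/fs/cgroup cgroup2
// mount (third field after the "-" separator) or nil if there is no such mount.
func hostCgroupSuperOpts(mountinfo string) []string {
	for _, line := range strings.Split(mountinfo, "\n") {
		fields := strings.Fields(line)
		if len(fields) < 5 || fields[4] != "/sys/fs/cgroup" {
			continue
		}
		sep := -1 // optional fields precede "-", so locate the separator
		for i, f := range fields {
			if f == "-" {
				sep = i
				break
			}
		}
		if sep < 0 || sep+3 >= len(fields) || fields[sep+1] != "cgroup2" {
			continue
		}
		return strings.Split(fields[sep+3], ",")
	}
	return nil
}

// containerCgroupOpts merges the defaults with whichever propagated options the host has set.
func containerCgroupOpts(mountinfo string) []string {
	host := map[string]bool{}
	for _, o := range hostCgroupSuperOpts(mountinfo) {
		host[o] = true
	}
	opts := append([]string(nil), defaultCgroupOpts...)
	for _, o := range propagatedOpts {
		if host[o] {
			opts = append(opts, o)
		}
	}
	return opts
}

func main() {
	fmt.Println(strings.Join(containerCgroupOpts(sampleMountinfo), ","))
}
```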
Update Vagrantfile and cri-integration test runner to forward RUNC_FLAVOR to the test environment. Allows integration tests to conditionally skip testing certain cgroup mount setups when running against other runtimes that may not support them yet. Signed-off-by: Chris Henzie <[email protected]>
Verifies that running a privileged container does not alter host cgroup mount options (specifically nsdelegate and memory_recursiveprot). Creates a privileged sandbox and container, starts it, and compares the host's /sys/fs/cgroup mount options before and after execution to guarantee safety. Signed-off-by: Chris Henzie <[email protected]>
Propagate diff ID and parent chain ID via labels in Prepare RPC
transfer: fix the differ selection if differ is ""
Bumps the k8s group with 3 updates: [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery), [k8s.io/client-go](https://github.com/kubernetes/client-go) and [k8s.io/cri-api](https://github.com/kubernetes/cri-api).
Updates `k8s.io/apimachinery` from 0.35.2 to 0.35.3
- [Commits](kubernetes/apimachinery@v0.35.2...v0.35.3)
Updates `k8s.io/client-go` from 0.35.2 to 0.35.3
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](kubernetes/client-go@v0.35.2...v0.35.3)
Updates `k8s.io/cri-api` from 0.35.2 to 0.35.3
- [Commits](kubernetes/cri-api@v0.35.2...v0.35.3)
---
updated-dependencies:
- dependency-name: k8s.io/apimachinery
  dependency-version: 0.35.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: k8s
- dependency-name: k8s.io/client-go
  dependency-version: 0.35.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: k8s
- dependency-name: k8s.io/cri-api
  dependency-version: 0.35.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: k8s
...
Signed-off-by: dependabot[bot] <[email protected]>
Bumps [github.com/containerd/platforms](https://github.com/containerd/platforms) from 1.0.0-rc.2 to 1.0.0-rc.3.
- [Release notes](https://github.com/containerd/platforms/releases)
- [Commits](containerd/platforms@v1.0.0-rc.2...v1.0.0-rc.3)
---
updated-dependencies:
- dependency-name: github.com/containerd/platforms
  dependency-version: 1.0.0-rc.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <[email protected]>
Bumps the otel group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc](https://github.com/open-telemetry/opentelemetry-go-contrib) | `0.64.0` | `0.67.0` |
| [go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp](https://github.com/open-telemetry/opentelemetry-go-contrib) | `0.64.0` | `0.67.0` |
| [go.opentelemetry.io/otel/exporters/otlp/otlptrace](https://github.com/open-telemetry/opentelemetry-go) | `1.39.0` | `1.42.0` |
| [go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc](https://github.com/open-telemetry/opentelemetry-go) | `1.39.0` | `1.42.0` |
| [go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp](https://github.com/open-telemetry/opentelemetry-go) | `1.39.0` | `1.42.0` |

Updates `go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc` from 0.64.0 to 0.67.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-go-contrib@zpages/v0.64.0...zpages/v0.67.0)
Updates `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` from 0.64.0 to 0.67.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-go-contrib@zpages/v0.64.0...zpages/v0.67.0)
Updates `go.opentelemetry.io/otel/exporters/otlp/otlptrace` from 1.39.0 to 1.42.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-go@v1.39.0...v1.42.0)
Updates `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc` from 1.39.0 to 1.42.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-go@v1.39.0...v1.42.0)
Updates `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp` from 1.39.0 to 1.42.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-go@v1.39.0...v1.42.0)
---
updated-dependencies:
- dependency-name: go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
  dependency-version: 0.67.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: otel
- dependency-name: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
  dependency-version: 0.67.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: otel
- dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace
  dependency-version: 1.42.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: otel
- dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc
  dependency-version: 1.42.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: otel
- dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp
  dependency-version: 1.42.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: otel
...
Signed-off-by: dependabot[bot] <[email protected]>
Bumps [github.com/klauspost/compress](https://github.com/klauspost/compress) from 1.18.4 to 1.18.5.
- [Release notes](https://github.com/klauspost/compress/releases)
- [Commits](klauspost/compress@v1.18.4...v1.18.5)
---
updated-dependencies:
- dependency-name: github.com/klauspost/compress
  dependency-version: 1.18.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <[email protected]>
The X-containerd.* prefix is reserved for containerd-internal mount options that are processed by containerd components (such as mount transformers and handlers). These options must not be passed to the kernel mount syscall. This change adds filtering at the core mount layer as a safety net to prevent kernel errors if components forget to clean up their options. Signed-off-by: Aadhar Agarwal <[email protected]>
While incoming gRPC requests are already being traced via the server-side handler, outgoing RPCs to proxy plugins are missing the client-side equivalent. Adding otelgrpc.NewClientHandler() ensures trace context is successfully propagated to the plugins. Signed-off-by: Hasan Siddiqui <[email protected]>
…b.com/containerd/platforms-1.0.0-rc.3 build(deps): bump github.com/containerd/platforms from 1.0.0-rc.2 to 1.0.0-rc.3
…b.com/klauspost/compress-1.18.5 build(deps): bump github.com/klauspost/compress from 1.18.4 to 1.18.5
Signed-off-by: Sergey Kanzhelev <[email protected]>
…a1fd4a22d2 build(deps): bump the otel group across 1 directory with 5 updates
…7f7b3663c build(deps): bump the k8s group with 3 updates
Signed-off-by: Henry Wang <[email protected]>
Signed-off-by: Henry Wang <[email protected]>
Preserve cgroup mount options for privileged containers
Provides test coverage for existing UpdatePodSandboxResources behavior. Assisted-by: Antigravity Signed-off-by: Chris Henzie <[email protected]>
Integrates CRI container resource updates with core Sandbox API plugin. Delegates payload to out-of-tree controllers via UpdateSandbox API. Gracefully tolerates ErrNotImplemented to preserve backwards compatibility for legacy sandboxers. Assisted-by: Antigravity Signed-off-by: Chris Henzie <[email protected]>
Propagate OpenTelemetry traces in outgoing RPCs from plugin clients
Wire UpdatePodSandboxResources to Sandbox API
…tainerd core/mount: Reject X-containerd.* options before kernel mount
The `push` function below assumes that digest and mediatypes are populated and set. If they aren't, then the requests made are malformed, attempting to invoke `HEAD /blobs/` (instead of `HEAD /blobs/<digest>`). Additionally, if we *were* to move past this point, we'd then populate an empty digest in the query parameter, and even provide invalid HTTP mediatypes. However, the `WithDescriptor` `WriterOpt` specifically notes that "Write does not require any field of desc to be set". It's very easy for the caller to read this as an optional field, to skip it, and then get confusing HTTP errors from inside the `push` function. We can avoid this by explicitly validating that the descriptor is valid and provide early feedback. Signed-off-by: Justin Chadwell <[email protected]>
Fix send stream data with EOF
chore: Add explicit digest requirement to docker pusher
fix: avoid content storage pollution by limiting the fallback on ref resolution
Tweak mount info for overlayfs in case of parallel unpack
allow to pass multiple extra arguments to critest