We changed the default setting for `enable_unprivileged_ports` and
`enable_unprivileged_icmp` in the CRI plugin in
#9348, but missed including
this change in the release notes.
Signed-off-by: Samuel Karp <[email protected]>
docs/containerd-2.0.md
4 additions & 0 deletions
@@ -87,6 +87,10 @@ This features needs [runc](https://github.com/opencontainers/runc) v1.2.0 or lat
87
87
88
88
The CRI plugin now supports [recursive read-only mounts](https://kubernetes.io/docs/concepts/storage/volumes/#read-only-mounts) so as to prohibit accidentally having writable submounts.
89
89
90
+
### Unprivileged ports and ICMP by default for CRI
91
+
92
+
The CRI plugin now enables `net.ipv4.ip_unprivileged-port-start=0` and `net.ipv4.ping_group_range=0 2147483647` for containers that do not use the host network namespace or user namespaces. This enables containers to bind to ports below 1024 without granting `CAP_NET_BIND_SERVICE` and to run `ping` without `CAP_NET_RAW`. This default behavior change can be reverted by setting the `enable_unprivileged_ports` and `enable_unprivileged_icmp` options to `false` in the CRI plugin configuration.
93
+
90
94
### Deprecation warnings can now be discovered via the Introspection API
91
95
92
96
Deprecations warnings have been added to the `ServerResponse` for the introspection service (`/containerd.services.introspection.v1.Introspection/Server`) and to the `ctr` tool via `ctr deprecation list`.
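Review bot: the sysctl name in the new paragraph is misspelled: `net.ipv4.ip_unprivileged-port-start=0` should read `net.ipv4.ip_unprivileged_port_start=0` (underscores throughout, matching `net.ipv4.ping_group_range` on the same line), since that is the key the kernel exposes and a reader pasting the hyphenated form into a sysctl setting would get an unknown-key error. Consider also stating explicitly which of the two new config options controls which sysctl (`enable_unprivileged_ports` for `ip_unprivileged_port_start`, `enable_unprivileged_icmp` for `ping_group_range`), so an operator who wants to keep only one of the two behaviours knows which key to flip to `false`.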