Comparing changes
Open a pull request
- 13 commits
- 25 files changed
- 8 contributors
Commits on Dec 6, 2021
-
[release/1.5] Update Go to 1.16.11
go1.16.11 (released 2021-12-02) includes fixes to the compiler, runtime, and the net/http, net/http/httptest, and time packages. See the Go 1.16.11 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.16.11+label%3ACherryPickApproved Signed-off-by: Sebastiaan van Stijn <[email protected]>
-
Merge pull request #6334 from thaJeztah/1.5_bump_go_1.16.11
[release/1.5] Update Go to 1.16.11
Commits on Dec 7, 2021
-
Signed-off-by: Akihiro Suda <[email protected]> (cherry picked from commit 44995d4) Signed-off-by: Akihiro Suda <[email protected]>
Commits on Dec 8, 2021
-
Merge pull request #6343 from AkihiroSuda/runc-1.0.3-15
[release/1.5] update runc binary to v1.0.3
Commits on Dec 9, 2021
-
only relabel cri managed host mounts
Co-authored-by: Samuel Karp <[email protected]> Signed-off-by: Michael Crosby <[email protected]> Signed-off-by: Samuel Karp <[email protected]> (cherry picked from commit 9b03039) Signed-off-by: Samuel Karp <[email protected]>
Commits on Dec 10, 2021
-
[release/1.5] go.mod github.com/opencontainers/image-spec v1.0.2
- Bring mediaType out of reserved status - specs-go: adding mediaType to the index and manifest structures full diff: opencontainers/image-spec@v1.0.1...v1.0.2 This also contains the local changes from commit fc81384, which fix conflicts between the types that were used locally (which added MediaType) and the re-introduced MediaType field in the image-spec. Signed-off-by: Sebastiaan van Stijn <[email protected]>
-
Merge pull request #6264 from thaJeztah/1.5_bump_oci_spec
[release/1.5] go.mod github.com/opencontainers/image-spec v1.0.2
Commits on Dec 12, 2021
-
[release/1.5] Update Go to 1.16.12
go1.16.12 (released 2021-12-09) includes security fixes to the syscall and net/http packages. See the Go 1.16.12 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.16.12+label%3ACherryPickApproved Signed-off-by: Sebastiaan van Stijn <[email protected]>
-
Merge pull request #6367 from thaJeztah/1.5_bump_go_1.16.12
[release/1.5] Update Go to 1.16.12
Commits on Dec 15, 2021
-
seutil: Fix setting the "container_kvm_t" label
The ability to handle KVM based runtimes with SELinux has been added as part of d715d00. However, that commit introduced some logic to check whether the "container_kvm_t" label would or not be present in the system, and while the intentions were good, there's two major issues with the approach: 1. Inspecting "/etc/selinux/targeted/contexts/customizable_types" is not the way to go, as it doesn't list the "container_kvm_t" at all. 2. There's no need to check for the label, as if the label is invalid an "Invalid Label" error will be returned and that's it. With those two in mind, let's simplify the logic behind setting the "container_kvm_t" label, removing all the unnecessary code. Here's an output of VMM process running, considering: * The state before this patch: ``` $ containerd --version containerd github.com/containerd/containerd v1.6.0-beta.3-88-g7fa44fc98 7fa44fc $ kubectl apply -f ~/simple-pod.yaml pod/nginx created $ ps -auxZ | grep cloud-hypervisor system_u:system_r:container_runtime_t:s0 root 609717 4.0 0.5 2987512 83588 ? Sl 08:32 0:00 /usr/bin/cloud-hypervisor --api-socket /run/vc/vm/be9d5cbabf440510d58d89fc8a8e77c27e96ddc99709ecaf5ab94c6b6b0d4c89/clh-api.sock ``` * The state after this patch: ``` $ containerd --version containerd github.com/containerd/containerd v1.6.0-beta.3-89-ga5f2113c9 a5f2113c9fc15b19b2c364caaedb99c22de4eb32 $ kubectl apply -f ~/simple-pod.yaml pod/nginx created $ ps -auxZ | grep cloud-hypervisor system_u:system_r:container_kvm_t:s0:c638,c999 root 614842 14.0 0.5 2987512 83228 ? Sl 08:40 0:00 /usr/bin/cloud-hypervisor --api-socket /run/vc/vm/f8ff838afdbe0a546f6995fe9b08e0956d0d0cdfe749705d7ce4618695baa68c/clh-api.sock ``` Note, the tests were performed using the following configuration snippet: ``` [plugins] [plugins.cri] enable_selinux = true [plugins.cri.containerd] [plugins.cri.containerd.runtimes] [plugins.cri.containerd.runtimes.kata] runtime_type = "io.containerd.kata.v2" privileged_without_host_devices = true ``` And using the following pod yaml: ``` apiVersion: v1 kind: Pod metadata: name: nginx spec: runtimeClassName: kata containers: - name: nginx image: nginx:1.14.2 ports: - containerPort: 80 ``` Fixes: #6371 Backports: #6372 Signed-off-by: Fabiano Fidêncio <[email protected]> (cherry picked from commit f1c7993)
-
Merge pull request #6381 from fidencio/wip/backport-seutil-fix-contai…
…ner_kvm_t-type-detection-to-release-1.5 [release/1.5] seutil: Fix setting the "container_kvm_t" label
Commits on Jan 5, 2022
-
Prepare release notes for v1.5.9
Signed-off-by: Derek McGowan <[email protected]>
-
Merge pull request from GHSA-mvff-h3cj-wj9c
[release/1.5] only relabel cri managed host mounts
This comparison is taking too long to generate.
Unfortunately it looks like we can’t render this comparison for you right now. It might be too big, or there might be something weird with your repository.
You can try running this command locally to see the comparison on your machine:
git diff v1.5.8...v1.5.9