Update apparmor to allow confined runc to kill containers #10123
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Hi @woky. Thanks for your PR. I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Member
|
/ok-to-test |
AkihiroSuda
reviewed
Apr 23, 2024
| # runc may send signals to container processes. | ||
| signal (receive) peer=runc, | ||
| # crun may send signals to container processes. | ||
| signal (receive) peer=crun, |
Member
There was a problem hiding this comment.
Should this be set only when the corresponding profile exist?
Member
There was a problem hiding this comment.
Also, what about youki, gvisor, kata, etc ?
Contributor
Author
There was a problem hiding this comment.
Should this be set only when the corresponding profile exist?
I will update the template to check for known profiles.
Also, what about youki, gvisor, kata, etc ?
These currently don't have any default profiles, see https://gitlab.com/apparmor/apparmor/-/tree/master/profiles/apparmor.d.
I don't know much about gVisor and kata runtimes, but I think those run containers in virtual machines, so their kill shouldn't involve sending signals (to container processes).
Contributor
Author
There was a problem hiding this comment.
@AkihiroSuda What is the deadline for this change to be approved and merged to make it into v1.7.16?
I'm not sure what method would you recommend to conditionally add the signal receive rules. I can think of 4 ways:
- Abuse
macroExists(profile)to check if/etc/apparmor.d/$profileexists for each profile in a hardcoded list of OCI runtime profiles known to exist in latest AppArmor - Use
isLoaded(profile)to check if the profile is loaded for each profile as above. - Bring back
parseVersionthat was removed here contrib/apparmor: remove code related to apparmor_parser version #8069 and conditionally add profiles based on known OCI runtime profiles in the parsed AppArmor version. - Keep it as it is, rely on the fact that it's regular expression and it won't match profiles that are not loaded. This is almost like option 2.
Which option would you go with or do you know of a better way?
Member
There was a problem hiding this comment.
If you can confirm that signal (receive) peer=crun, does not cause an error when the crun profile is missing, I think we can just leave it as is and call it for a day.
If it causes an error, checking /etc/apparmor.d/$profile seems good
There was a problem hiding this comment.
If you can confirm that signal (receive) peer=crun, does not cause an error when the crun profile is missing, I think we can just leave it as is and call it for a day.
You can call it a day ;-) - the rule will just sit there and do nothing if the crun profile doesn't exist.
/usr/sbin/runc is confined with "runc" profile[1] introduced in AppArmor
v4.0.0. This change breaks stopping of containers, because the profile
assigned to containers doesn't accept signals from the "runc" peer.
AppArmor >= v4.0.0 is currently part of Ubuntu Mantic (23.10) and later.
The issue is reproducible both with nerdctl and ctr clients. In the case
of ctr, the --apparmor-default-profile flag has to be specified,
otherwise the container processes would inherit the runc profile, which
behaves as unconfined, and so the subsequent runc process invoked to
stop it would be able to signal it.
Test commands:
root@cloudimg:~# nerdctl run -d --name foo nginx:latest
3d1e74bfe6e7b2912d9223050ae8a81a8f4b73de0846e6d9c956c1e411cdd95a
root@cloudimg:~# nerdctl stop foo
FATA[0000] 1 errors:
unknown error after kill: runc did not terminate successfully: exit status 1: unable to signal init: permission denied
: unknown
or
root@cloudimg:~# ctr pull docker.io/library/nginx:latest
...
root@cloudimg:~# ctr run -d --apparmor-default-profile ctr-default docker.io/library/nginx:latest foo
root@cloudimg:~# ctr task kill foo
ctr: unknown error after kill: runc did not terminate successfully: exit status 1: unable to signal init: permission denied
: unknown
Relevant syslog messages (with long lines wrapped):
Apr 23 22:03:12 cloudimg kernel: audit:
type=1400 audit(1713909792.064:262): apparmor="DENIED"
operation="signal" class="signal" profile="nerdctl-default"
pid=13483 comm="runc" requested_mask="receive"
denied_mask="receive" signal=quit peer="runc"
or
Apr 23 22:05:32 cloudimg kernel: audit:
type=1400 audit(1713909932.106:263): apparmor="DENIED"
operation="signal" class="signal" profile="ctr-default"
pid=13574 comm="runc" requested_mask="receive"
denied_mask="receive" signal=quit peer="runc"
This change extends the default profile with rules that allow receiving
signals from processes that run confined with either runc or crun
profile (crun[2] is an alternative OCI runtime that's also confined in
AppArmor >= v4.0.0, see [1]). It is backward compatible because the peer
value is a regular expression (AARE) so the referenced profile doesn't
have to exist for this profile to successfully compile and load.
[1] https://gitlab.com/apparmor/apparmor/-/commit/2594d936
[2] https://github.com/containers/crun
Signed-off-by: Tomáš Virtus <[email protected]>
AkihiroSuda
added
cherry-pick/1.6.x
cherry-pick/1.7.x
AkihiroSuda
approved these changes
Apr 24, 2024
Member
|
I can't reproduce this failure with ctr on a Mantic system. Is there something I need to do to enable the new AppArmor profile? |
Contributor
Author
Did you run |
Member
|
Coming back from moby/moby#47749 (comment): It seems like this is either a bug in AppArmor or in the packaging that Ubuntu is doing for runc, rather than a containerd-specific bug. I don't object to taking this here, but it should also be fixed in either the upstream AppArmor repo or in Ubuntu's runc package. |
samuelkarp
approved these changes
Apr 24, 2024
Member
|
/cherrypick release/1.7 |
|
@samuelkarp: once the present PR merges, I will cherry-pick it on top of release/1.7 in a new PR and assign it to you. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Member
|
/cherrypick release/1.6 |
|
@samuelkarp: once the present PR merges, I will cherry-pick it on top of release/1.6 in a new PR and assign it to you. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Member
|
Yes, I have no strong objections, if this is urgently needed, but ultimately this would only affect containerd packages as packaged by Ubuntu / Debian, so could be a patch on their side. I've written a longer comment on the Moby ticket; moby/moby#47749 (comment) (quote below) Details
I guess (if possible);
|
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
|
@samuelkarp: new pull request created: #10129 DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@samuelkarp: new pull request created: #10130 DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Contributor
|
@AkihiroSuda @woky is this needed for containerd/1.7 ? If so, @woky could you cherry-pick and send a PR out? |
Member
|
Yes, the bot has already opened cherry-picks: |
Contributor
sounds good thanks! I think its good two sign offs - could we merge them? |
having packaging ship and maintain profiles is nice but doesn't actually fix the issue here. Some rules to communicate with those applications in the profile they ship still would be needed. Note having these run unconfined is no longer a viable option with the user namespace restrictions.
Yes a more generic way is possible. They could each define the oci-runtime profile, but this would cause issues if they were both installed at the same time. There could also be a variable defined which could be updated locally. It can even support having multiple values. eg crun, and runc however the best way for packaging to update it would be to setup the definition of oci_runtime to be extended by files in a subdir, and have the packaging drop a file into the policy with the extension and the generated profile would need to include the variable define, then proposed rule could use that instead. Ubuntu/the upstream apparmor other packaging would need to carry the base variable define
yes removing unconfined would be good, or at least hiding it behind a variable when it is used so at least the semantics of who you want to allow are preserved. On systems with the user namespace restrictions unconfined isn't even a viable peer any more. Support for unconfined in some form has to stay atm for systems that are still using it for the peer. Short term I am fine with the idea of Ubuntu distro patching their fix in. I am more concerned right now with getting this right so containerd et al, only have to be patched once and it works going forward. |
woky
added a commit
to woky/common
that referenced
this pull request
Apr 28, 2024
…op, kill)") This makes projects using AppArmor bits from golang-github-containers-common (notably podman) work with AppArmor v4.0.0. There is a similar issue with containerd clients and docker. The fix to containerd was merged in upstream[1]. The fix to moby (docker) was submitted but seems to have stalled[2]. Upstream notes we should fix regressions we introduced in Ubuntu or perhaps at least introduce a generic way to refer to OCI runtimes under a single peer name. I suspect we would get similar objections in containers/common. That's why I haven't yet submitted a patch to upstream. In the meantime, patch this library so that podman can work with OCI runtimes we currently confine. [1] containerd/containerd#10123 [2] moby/moby#47749 Bug: https://bugs.launchpad.net/ubuntu/+source/libpod/+bug/2040483
woky
added a commit
to woky/common
that referenced
this pull request
Apr 28, 2024
…op, kill)") This makes projects using AppArmor bits from golang-github-containers-common (notably podman) work with AppArmor v4.0.0. There is a similar issue with containerd clients and docker. The fix was merged to the containerd upstream[1]. The fix to moby (docker) was submitted but seems to have stalled[2]. Upstream notes we should fix regressions we introduced in Ubuntu or perhaps at least introduce a generic way to refer to OCI runtimes under a single peer name. I suspect we would get similar objections in containers/common. That's why I haven't yet submitted the patch to the upstream. In the meantime, patch this library so that podman can work with OCI runtimes we currently confine. [1] containerd/containerd#10123 [2] moby/moby#47749 Bug: https://bugs.launchpad.net/ubuntu/+source/libpod/+bug/2040483
woky
added a commit
to woky/common
that referenced
this pull request
Apr 28, 2024
…op, kill)") This makes projects using AppArmor bits from golang-github-containers-common (notably podman) work with AppArmor v4.0.0. There is a similar issue with containerd clients and docker. The fix was merged to the containerd upstream[1]. The fix to moby (docker) was submitted but seems to have stalled[2]. Upstream notes we should fix regressions we introduced in Ubuntu or perhaps at least introduce a generic way to refer to OCI runtimes under a single peer name. I suspect we would get similar objections in containers/common. That's why I haven't yet submitted the patch to the upstream. In the meantime, patch this library so that podman can work with OCI runtimes we currently confine. [1] containerd/containerd#10123 [2] moby/moby#47749 Bug: https://bugs.launchpad.net/ubuntu/+source/libpod/+bug/2040483
dmcgowan
changed the title
dmcgowan
changed the title
thaJeztah
added
cherry-picked/1.6.x
Mengkzhaoyun
pushed a commit
to open-beagle/containerd
that referenced
this pull request
Oct 11, 2024
containerd 2.0.0-rc.5 Welcome to the v2.0.0-rc.5 release of containerd! *This is a pre-release of containerd* The first major release of containerd 2.x focuses on the continued stability of containerd's core feature set with an easy upgrade from containerd 1.x. This release includes the stabilization of new features added in the last 1.x release as well as the removal of features which were deprecated in 1.x. The goal is to support the vast community of containerd users well into the future along with their ever increasing deployment footprints and variety of use cases. * Add Update API for sandbox controller ([#9903](containerd/containerd#9903)) * Configure otel from env instead of config.toml ([#8970](containerd/containerd#8970)) * Enable NRI by default ([#9744](containerd/containerd#9744)) * Add PluginInfo to introspection API ([#9442](containerd/containerd#9442)) * Remove overlayfs volatile option on temp mounts ([#9555](containerd/containerd#9555)) * Expose usage of deprecated features ([#9258](containerd/containerd#9258)) * Use Intel ISA-L's igzip if available ([#9200](containerd/containerd#9200)) * Introduce top level config migration ([#9223](containerd/containerd#9223)) * Add image delete target ([#8989](containerd/containerd#8989)) * Remove `LimitNOFILE` from `containerd.service` ([#8924](containerd/containerd#8924)) * Add support for image expiration during garbage collection ([#9022](containerd/containerd#9022)) * Reduce the contention between ref lock and boltdb lock in content store ([#8792](containerd/containerd#8792)) * Remove "containerd.io/restart.logpath" label ([#8264](containerd/containerd#8264)) * Remove `aufs` snapshotter ([#8263](containerd/containerd#8263)) * Fix deadlock during NRI plugin registration ([containerd/nri#79](containerd/nri#79)) * Fix deadlock when writing to pipe blocks ([containerd/ttrpc#168](containerd/ttrpc#168)) * Generate attestation for artifacts during release ([#10543](containerd/containerd#10543)) * Use 'UserSpecifiedImage' from CRI to set the image-name annotation ([#10747](containerd/containerd#10747)) * Add support to set loopback to up ([#10238](containerd/containerd#10238)) * Add support for multiple subscribers to CRI container events ([#9661](containerd/containerd#9661)) * Enable CDI by default ([#9621](containerd/containerd#9621)) * Remove non-sandboxed CRI implementation ([#9228](containerd/containerd#9228)) * Add support for userns in stateless and stateful pods with idmap mounts (KEP-127, k8s >= 1.27) ([#8287](containerd/containerd#8287)) * Use sandboxed CRI by default ([#8994](containerd/containerd#8994)) * Implement RuntimeConfig CRI call ([#8722](containerd/containerd#8722)) * Add support for user namespaces (KEP-127) ([#8803](containerd/containerd#8803)) * Remove CRI v1alpha2 ([#8276](containerd/containerd#8276)) * Add api Go module and move all protos under api ([#10151](containerd/containerd#10151)) * Move packages based on contributing guide ([#9365](containerd/containerd#9365)) * Generalize plugin library ([#9214](containerd/containerd#9214)) * Use github.com/containerd/log ([#9086](containerd/containerd#9086)) * Support to syncfs after pull by using diff plugin ([#10284](containerd/containerd#10284)) * Skip "unknown" in image platform listing ([#10257](containerd/containerd#10257)) * Update unpacker to fetch all provided content ([#10202](containerd/containerd#10202)) * Enable Transfer service API to support plain HTTP ([#10024](containerd/containerd#10024)) * Enable Transfer service to use registry configuration directory ([#9908](containerd/containerd#9908)) * Disable the support for Schema 1 images ([#9765](containerd/containerd#9765)) * Update Transfer service to add OCI descriptors to Progress structure ([#9630](containerd/containerd#9630)) * Update import and export to allow references to missing content ([#9554](containerd/containerd#9554)) * Add option to perform syncfs after pull ([#9401](containerd/containerd#9401)) * Add image verifier transfer service plugin system based on a binary directory ([#8493](containerd/containerd#8493)) * Implement RuntimeStatus.features.supplemental_groups_policy from KEP-3619 ([#10410](containerd/containerd#10410)) * Add pprof to runc-shim ([#10242](containerd/containerd#10242)) * Provide runtime options in plugin info ([#10251](containerd/containerd#10251)) * Store bootstrap parameters in sandbox metadata ([#9736](containerd/containerd#9736)) * Update apparmor to allow confined runc to kill containers ([#10123](containerd/containerd#10123)) * Support vsock connection to task api ([#9738](containerd/containerd#9738)) * Update RuntimeDefault seccomp profile to disallow io_uring related syscalls ([#9320](containerd/containerd#9320)) * Switch runc shim to task service v3 and fix restore ([#9233](containerd/containerd#9233)) * Add sandboxer configuration and move sandbox controllers to plugins ([#8268](containerd/containerd#8268)) * Add annotations to CreateSandbox request ([#8960](containerd/containerd#8960)) * Add SandboxMetrics ([#8680](containerd/containerd#8680)) * Publish sandbox events ([#8602](containerd/containerd#8602)) * Remove the CriuPath field from runc's options ([#8279](containerd/containerd#8279)) * Remove `io.containerd.runtime.v1.linux` and `io.containerd.runc.v1` ([#8262](containerd/containerd#8262)) * [medium] RAPL accessible to a container [GHSA-7ww5-4wqc-m92c](GHSA-7ww5-4wqc-m92c) * Remove `disable_cgroup` from CRI config ([#10594](containerd/containerd#10594)) * Disable the support for Schema 1 images ([#9765](containerd/containerd#9765)) * Update RuntimeDefault seccomp profile to disallow io_uring related syscalls ([#9320](containerd/containerd#9320)) * Move client to subpackage ([#9316](containerd/containerd#9316)) * Remove `LimitNOFILE` from `containerd.service` ([#8924](containerd/containerd#8924)) * Remove CRI v1alpha2 ([#8276](containerd/containerd#8276)) * Remove `io.containerd.runtime.v1.linux` and `io.containerd.runc.v1` ([#8262](containerd/containerd#8262)) * Remove "containerd.io/restart.logpath" label ([#8264](containerd/containerd#8264)) * Remove `aufs` snapshotter ([#8263](containerd/containerd#8263)) * Update warnings for deprecated CRI config fields ([#10509](containerd/containerd#10509)) * Add type alias for event Envelope ([#10279](containerd/containerd#10279)) * Postpone removal of deprecated CRI config properties ([#9966](containerd/containerd#9966)) * Deprecate go-plugin configuration option ([#9238](containerd/containerd#9238)) * CNI conf_template in CRI is no longer deprecated ([#8637](containerd/containerd#8637)) Please try out the release binaries and report any issues at https://github.com/containerd/containerd/issues. * Derek McGowan * Akihiro Suda * Maksym Pavlenko * Wei Fu * Phil Estes * Sebastiaan van Stijn * Samuel Karp * Stefan Berger * Kazuyoshi Kato * Rodrigo Campos * Danny Canter * Abel Feng * Akhil Mohan * Kirtana Ashok * Gabriel Adrian Samfira * Austin Vazquez * Iceber Gu * Krisztian Litkey * Kohei Tokunaga * Mike Brown * Jin Dong * Bjorn Neergaard * Justin Chadwell * rongfu.leng * James Sturtevant * Davanum Srinivas * Paul "TBBle" Hampson * Henry Wang * Brian Goff * Enrico Weigelt * Laura Brehm * Marat Radchenko * Paweł Gronowski * Shingo Omura * Hsing-Yu (David) Chen * Ilya Hanov * Cardy.Tang * Swagat Bora * Aditi Sharma * Amit Barve * Bryant Biggs * Evan Lezar * James Jenkins * Jordan Liggitt * Kay Yan * Markus Lehtonen * Nashwan Azhari * Shuaiyi Zhang * Vinayak Goyal * helen * Alexandru Matei * Anthony Nandaa * Avi Deitcher * Charity Kathure * Cory Snider * Ed Bartosh * Etienne Champetier * Kevin Parsons * Michael Zappa * Milas Bowman * ningmingxiao * yanggang * zounengren * Aditya Ramani * Adrian Reber * Amir M. Ghazanfari * Artem Khramov * Brad Davidson * Chen Yiyang * Christian Muehlhaeuser * Djordje Lukic * Edgar Lee * Eric Lin * Ethan Lowman * Jiang Liu * June Rhodes * Kern Walster * Lucas Rattz * Mahamed Ali * Maksim An * Michael Crosby * Peteris Rudzusiks * Sam Edwards * Samruddhi Khandale * Sascha Grunert * Steve Griffith * Tony Fang * VERNOU Cédric * Vishal Reddy Gurrala * hang.jiang * harshitasao * jerryzhuang * lengrongfu * roman-kiselenko * zhanluxianshen * Aaron Lehmann * Adrien Delorme * Alex Couture-Beil * Alex Ellis * Alex Rodriguez * Angelos Kolaitis * Antonio Huete Jimenez * Arash Haghighat * Ben Foster * Bin Tang * Bin Xin * BinBin He * Brennan Kinney * Changqing Li * ChengenH * ChengyuZhu6 * Christian Stewart * Colin O'Dell * Craig Ingram * Daisy Rong * David Porter * Derek Nola * Eng Zer Jun * Erikson Tung * Fabiano Fidêncio * Fahed Dorgaa * Gary McDonald * Iain Macdonald * James Lakin * Jan Dubois * Jaroslav Jindrak * Javier Maestro * Jian Wang * Jiongchi Yu * Julien Balestra * Kir Kolyshkin * Kirill A. Korinsky * Konstantin Khlebnikov * Mauri de Souza Meneguzzo * Pan Yibo * Paul Meyer * Qasim Sarfraz * Qiutong Song * Reinhard Tartler * Robbie Buxton * Robert-André Mauchin * Ruihua Wen * Sameer * Shengjing Zhu * Shiming Zhang * Shukui Yang * Talon * Tariq Ibrahim * Tianon Gravi * Tim Hockin * TinaMor * Tobias Klauser * Tomáš Virtus * Tõnis Tiigi * Wang Xinwen * William Chen * Xinyang Ge * Yibo Zhuang * Yury Gargay * Zechun Chen * Zhang Tianyang * Zoe * baijia * bo.jiang * bzsuni * charles-chenzz * chschumacher1994 * guangli.bao * guangwu * jinda.ljd * krglosse * pigletfly * rokkiter * wangxiang * zhangpeng * zhaojizhuang * 吴小白 * 张钰 * 沈陵 * 谭九鼎 * **dario.cat/mergo** v1.0.1 **_new_** * **github.com/AdaLogics/go-fuzz-headers** 1f10f66a31bf -> ced1acdcaa24 * **github.com/AdamKorcz/go-118-fuzz-build** 5330a85ea652 -> 8075edf89bb0 * **github.com/Microsoft/go-winio** v0.6.0 -> v0.6.2 * **github.com/Microsoft/hcsshim** v0.10.0-rc.7 -> v0.12.6 * **github.com/cenkalti/backoff/v4** v4.2.0 -> v4.3.0 * **github.com/cespare/xxhash/v2** v2.2.0 -> v2.3.0 * **github.com/checkpoint-restore/checkpointctl** v1.2.1 **_new_** * **github.com/checkpoint-restore/go-criu/v7** v7.2.0 **_new_** * **github.com/cilium/ebpf** v0.9.1 -> v0.11.0 * **github.com/containerd/cgroups/v3** v3.0.1 -> v3.0.3 * **github.com/containerd/console** v1.0.3 -> v1.0.4 * **github.com/containerd/containerd/api** v1.8.0-rc.3 **_new_** * **github.com/containerd/continuity** v0.3.0 -> v0.4.3 * **github.com/containerd/errdefs** v0.1.0 **_new_** * **github.com/containerd/go-cni** v1.1.9 -> v1.1.10 * **github.com/containerd/go-runc** v1.0.0 -> v1.1.0 * **github.com/containerd/imgcrypt** v1.1.7 -> v1.2.0-rc1 * **github.com/containerd/log** v0.1.0 **_new_** * **github.com/containerd/nri** v0.3.0 -> v0.6.1 * **github.com/containerd/otelttrpc** ea5083fda723 **_new_** * **github.com/containerd/platforms** v0.2.1 **_new_** * **github.com/containerd/plugin** v0.1.0 **_new_** * **github.com/containerd/ttrpc** v1.2.1 -> v1.2.5 * **github.com/containerd/typeurl/v2** v2.1.0 -> v2.2.0 * **github.com/containernetworking/cni** v1.1.2 -> v1.2.3 * **github.com/containernetworking/plugins** v1.2.0 -> v1.5.1 * **github.com/containers/ocicrypt** v1.1.6 -> v1.2.0 * **github.com/cpuguy83/go-md2man/v2** v2.0.2 -> v2.0.4 * **github.com/davecgh/go-spew** v1.1.1 -> d8f796af33cc * **github.com/distribution/reference** v0.6.0 **_new_** * **github.com/emicklei/go-restful/v3** v3.10.1 -> v3.11.0 * **github.com/felixge/httpsnoop** v1.0.4 **_new_** * **github.com/fsnotify/fsnotify** v1.6.0 -> v1.7.0 * **github.com/fxamacker/cbor/v2** v2.7.0 **_new_** * **github.com/go-jose/go-jose/v4** v4.0.2 **_new_** * **github.com/go-logr/logr** v1.2.3 -> v1.4.2 * **github.com/golang/protobuf** v1.5.2 -> v1.5.4 * **github.com/google/go-cmp** v0.5.9 -> v0.6.0 * **github.com/google/uuid** v1.3.0 -> v1.6.0 * **github.com/gorilla/websocket** v1.5.0 **_new_** * **github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus** v1.0.1 **_new_** * **github.com/grpc-ecosystem/go-grpc-middleware/v2** v2.1.0 **_new_** * **github.com/grpc-ecosystem/grpc-gateway/v2** v2.7.0 -> v2.22.0 * **github.com/intel/goresctrl** v0.3.0 -> v0.7.0 * **github.com/klauspost/compress** v1.16.0 -> v1.17.10 * **github.com/mdlayher/socket** v0.4.1 **_new_** * **github.com/mdlayher/vsock** v1.2.1 **_new_** * **github.com/moby/spdystream** v0.2.0 -> v0.4.0 * **github.com/moby/sys/mountinfo** v0.6.2 -> v0.7.2 * **github.com/moby/sys/sequential** v0.5.0 -> v0.6.0 * **github.com/moby/sys/signal** v0.7.0 -> v0.7.1 * **github.com/moby/sys/symlink** v0.2.0 -> v0.3.0 * **github.com/moby/sys/user** v0.3.0 **_new_** * **github.com/moby/sys/userns** v0.1.0 **_new_** * **github.com/munnerz/goautoneg** a7dc8b61c822 **_new_** * **github.com/mxk/go-flowrate** cca7078d478f **_new_** * **github.com/opencontainers/image-spec** 3a7f492d3f1b -> v1.1.0 * **github.com/opencontainers/runtime-spec** v1.1.0-rc.1 -> v1.2.0 * **github.com/opencontainers/runtime-tools** 946c877fa809 -> 2e043c6bd626 * **github.com/pelletier/go-toml/v2** v2.2.3 **_new_** * **github.com/pmezard/go-difflib** v1.0.0 -> 5d4384ee4fb2 * **github.com/prometheus/client_golang** v1.14.0 -> v1.20.4 * **github.com/prometheus/client_model** v0.3.0 -> v0.6.1 * **github.com/prometheus/common** v0.37.0 -> v0.55.0 * **github.com/prometheus/procfs** v0.8.0 -> v0.15.1 * **github.com/sirupsen/logrus** v1.9.0 -> v1.9.3 * **github.com/stretchr/testify** v1.8.2 -> v1.9.0 * **github.com/urfave/cli/v2** v2.27.4 **_new_** * **github.com/vishvananda/netlink** v1.2.1-beta.2 -> v1.3.0 * **github.com/vishvananda/netns** 2eb08e3e575f -> v0.0.4 * **github.com/x448/float16** v0.8.4 **_new_** * **github.com/xrash/smetrics** 686a1a2994c1 **_new_** * **go.etcd.io/bbolt** v1.3.7 -> v1.3.11 * **go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc** v0.40.0 -> v0.55.0 * **go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp** v0.55.0 **_new_** * **go.opentelemetry.io/otel** v1.14.0 -> v1.30.0 * **go.opentelemetry.io/otel/exporters/otlp/otlptrace** v1.14.0 -> v1.30.0 * **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc** v1.14.0 -> v1.30.0 * **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp** v1.14.0 -> v1.30.0 * **go.opentelemetry.io/otel/metric** v0.37.0 -> v1.30.0 * **go.opentelemetry.io/otel/sdk** v1.14.0 -> v1.30.0 * **go.opentelemetry.io/otel/trace** v1.14.0 -> v1.30.0 * **go.opentelemetry.io/proto/otlp** v0.19.0 -> v1.3.1 * **golang.org/x/crypto** v0.1.0 -> v0.27.0 * **golang.org/x/exp** aacd6d4b4611 **_new_** * **golang.org/x/mod** v0.7.0 -> v0.21.0 * **golang.org/x/net** v0.7.0 -> v0.29.0 * **golang.org/x/oauth2** v0.4.0 -> v0.22.0 * **golang.org/x/sync** v0.1.0 -> v0.8.0 * **golang.org/x/sys** v0.6.0 -> v0.25.0 * **golang.org/x/term** v0.5.0 -> v0.24.0 * **golang.org/x/text** v0.7.0 -> v0.18.0 * **golang.org/x/time** 90d013bbcef8 -> v0.3.0 * **google.golang.org/genproto/googleapis/api** 8af14fe29dc1 **_new_** * **google.golang.org/genproto/googleapis/rpc** 8af14fe29dc1 **_new_** * **google.golang.org/grpc** v1.53.0 -> v1.67.0 * **google.golang.org/protobuf** v1.28.1 -> v1.34.2 * **k8s.io/api** v0.26.2 -> v0.31.1 * **k8s.io/apimachinery** v0.26.2 -> v0.31.1 * **k8s.io/apiserver** v0.26.2 -> v0.31.1 * **k8s.io/client-go** v0.26.2 -> v0.31.1 * **k8s.io/component-base** v0.26.2 -> v0.31.1 * **k8s.io/cri-api** v0.26.2 -> v0.32.0-alpha.0 * **k8s.io/klog/v2** v2.90.1 -> v2.130.1 * **k8s.io/kubelet** v0.31.1 **_new_** * **k8s.io/utils** a5ecb0141aa5 -> 18e509b52bc8 * **sigs.k8s.io/json** f223a00ba0e2 -> bc3834ca7abd * **sigs.k8s.io/structured-merge-diff/v4** v4.2.3 -> v4.4.1 * **sigs.k8s.io/yaml** v1.3.0 -> v1.4.0 * **tags.cncf.io/container-device-interface** v0.8.0 **_new_** * **tags.cncf.io/container-device-interface/specs-go** v0.8.0 **_new_** Previous release can be found at [v1.7.0](https://github.com/containerd/containerd/releases/tag/v1.7.0) * `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`: ✅Recommended. Dynamically linked with glibc 2.31 (Ubuntu 20.04). * `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`: Statically linked. Expected to be used on non-glibc Linux distributions. Not position-independent. In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases) and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too. See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.
kiashok
added a commit
to kiashok/containerd
that referenced
this pull request
Oct 23, 2024
containerd 2.0.0-rc.5 Welcome to the v2.0.0-rc.5 release of containerd! *This is a pre-release of containerd* The first major release of containerd 2.x focuses on the continued stability of containerd's core feature set with an easy upgrade from containerd 1.x. This release includes the stabilization of new features added in the last 1.x release as well as the removal of features which were deprecated in 1.x. The goal is to support the vast community of containerd users well into the future along with their ever increasing deployment footprints and variety of use cases. * Add Update API for sandbox controller ([containerd#9903](containerd#9903)) * Configure otel from env instead of config.toml ([containerd#8970](containerd#8970)) * Enable NRI by default ([containerd#9744](containerd#9744)) * Add PluginInfo to introspection API ([containerd#9442](containerd#9442)) * Remove overlayfs volatile option on temp mounts ([containerd#9555](containerd#9555)) * Expose usage of deprecated features ([containerd#9258](containerd#9258)) * Use Intel ISA-L's igzip if available ([containerd#9200](containerd#9200)) * Introduce top level config migration ([containerd#9223](containerd#9223)) * Add image delete target ([containerd#8989](containerd#8989)) * Remove `LimitNOFILE` from `containerd.service` ([containerd#8924](containerd#8924)) * Add support for image expiration during garbage collection ([containerd#9022](containerd#9022)) * Reduce the contention between ref lock and boltdb lock in content store ([containerd#8792](containerd#8792)) * Remove "containerd.io/restart.logpath" label ([containerd#8264](containerd#8264)) * Remove `aufs` snapshotter ([containerd#8263](containerd#8263)) * Fix deadlock during NRI plugin registration ([containerd/nri#79](containerd/nri#79)) * Fix deadlock when writing to pipe blocks ([containerd/ttrpc#168](containerd/ttrpc#168)) * Generate attestation for artifacts during release ([containerd#10543](containerd#10543)) * Use 'UserSpecifiedImage' from CRI to set the image-name annotation ([containerd#10747](containerd#10747)) * Add support to set loopback to up ([containerd#10238](containerd#10238)) * Add support for multiple subscribers to CRI container events ([containerd#9661](containerd#9661)) * Enable CDI by default ([containerd#9621](containerd#9621)) * Remove non-sandboxed CRI implementation ([containerd#9228](containerd#9228)) * Add support for userns in stateless and stateful pods with idmap mounts (KEP-127, k8s >= 1.27) ([containerd#8287](containerd#8287)) * Use sandboxed CRI by default ([containerd#8994](containerd#8994)) * Implement RuntimeConfig CRI call ([containerd#8722](containerd#8722)) * Add support for user namespaces (KEP-127) ([containerd#8803](containerd#8803)) * Remove CRI v1alpha2 ([containerd#8276](containerd#8276)) * Add api Go module and move all protos under api ([containerd#10151](containerd#10151)) * Move packages based on contributing guide ([containerd#9365](containerd#9365)) * Generalize plugin library ([containerd#9214](containerd#9214)) * Use github.com/containerd/log ([containerd#9086](containerd#9086)) * Support to syncfs after pull by using diff plugin ([containerd#10284](containerd#10284)) * Skip "unknown" in image platform listing ([containerd#10257](containerd#10257)) * Update unpacker to fetch all provided content ([containerd#10202](containerd#10202)) * Enable Transfer service API to support plain HTTP ([containerd#10024](containerd#10024)) * Enable Transfer service to use registry configuration directory ([containerd#9908](containerd#9908)) * Disable the support for Schema 1 images ([containerd#9765](containerd#9765)) * Update Transfer service to add OCI descriptors to Progress structure ([containerd#9630](containerd#9630)) * Update import and export to allow references to missing content ([containerd#9554](containerd#9554)) * Add option to perform syncfs after pull ([containerd#9401](containerd#9401)) * Add image verifier transfer service plugin system based on a binary directory ([containerd#8493](containerd#8493)) * Implement RuntimeStatus.features.supplemental_groups_policy from KEP-3619 ([containerd#10410](containerd#10410)) * Add pprof to runc-shim ([containerd#10242](containerd#10242)) * Provide runtime options in plugin info ([containerd#10251](containerd#10251)) * Store bootstrap parameters in sandbox metadata ([containerd#9736](containerd#9736)) * Update apparmor to allow confined runc to kill containers ([containerd#10123](containerd#10123)) * Support vsock connection to task api ([containerd#9738](containerd#9738)) * Update RuntimeDefault seccomp profile to disallow io_uring related syscalls ([containerd#9320](containerd#9320)) * Switch runc shim to task service v3 and fix restore ([containerd#9233](containerd#9233)) * Add sandboxer configuration and move sandbox controllers to plugins ([containerd#8268](containerd#8268)) * Add annotations to CreateSandbox request ([containerd#8960](containerd#8960)) * Add SandboxMetrics ([containerd#8680](containerd#8680)) * Publish sandbox events ([containerd#8602](containerd#8602)) * Remove the CriuPath field from runc's options ([containerd#8279](containerd#8279)) * Remove `io.containerd.runtime.v1.linux` and `io.containerd.runc.v1` ([containerd#8262](containerd#8262)) * [medium] RAPL accessible to a container [GHSA-7ww5-4wqc-m92c](GHSA-7ww5-4wqc-m92c) * Remove `disable_cgroup` from CRI config ([containerd#10594](containerd#10594)) * Disable the support for Schema 1 images ([containerd#9765](containerd#9765)) * Update RuntimeDefault seccomp profile to disallow io_uring related syscalls ([containerd#9320](containerd#9320)) * Move client to subpackage ([containerd#9316](containerd#9316)) * Remove `LimitNOFILE` from `containerd.service` ([containerd#8924](containerd#8924)) * Remove CRI v1alpha2 ([containerd#8276](containerd#8276)) * Remove `io.containerd.runtime.v1.linux` and `io.containerd.runc.v1` ([containerd#8262](containerd#8262)) * Remove "containerd.io/restart.logpath" label ([containerd#8264](containerd#8264)) * Remove `aufs` snapshotter ([containerd#8263](containerd#8263)) * Update warnings for deprecated CRI config fields ([containerd#10509](containerd#10509)) * Add type alias for event Envelope ([containerd#10279](containerd#10279)) * Postpone removal of deprecated CRI config properties ([containerd#9966](containerd#9966)) * Deprecate go-plugin configuration option ([containerd#9238](containerd#9238)) * CNI conf_template in CRI is no longer deprecated ([containerd#8637](containerd#8637)) Please try out the release binaries and report any issues at https://github.com/containerd/containerd/issues. * Derek McGowan * Akihiro Suda * Maksym Pavlenko * Wei Fu * Phil Estes * Sebastiaan van Stijn * Samuel Karp * Stefan Berger * Kazuyoshi Kato * Rodrigo Campos * Danny Canter * Abel Feng * Akhil Mohan * Kirtana Ashok * Gabriel Adrian Samfira * Austin Vazquez * Iceber Gu * Krisztian Litkey * Kohei Tokunaga * Mike Brown * Jin Dong * Bjorn Neergaard * Justin Chadwell * rongfu.leng * James Sturtevant * Davanum Srinivas * Paul "TBBle" Hampson * Henry Wang * Brian Goff * Enrico Weigelt * Laura Brehm * Marat Radchenko * Paweł Gronowski * Shingo Omura * Hsing-Yu (David) Chen * Ilya Hanov * Cardy.Tang * Swagat Bora * Aditi Sharma * Amit Barve * Bryant Biggs * Evan Lezar * James Jenkins * Jordan Liggitt * Kay Yan * Markus Lehtonen * Nashwan Azhari * Shuaiyi Zhang * Vinayak Goyal * helen * Alexandru Matei * Anthony Nandaa * Avi Deitcher * Charity Kathure * Cory Snider * Ed Bartosh * Etienne Champetier * Kevin Parsons * Michael Zappa * Milas Bowman * ningmingxiao * yanggang * zounengren * Aditya Ramani * Adrian Reber * Amir M. Ghazanfari * Artem Khramov * Brad Davidson * Chen Yiyang * Christian Muehlhaeuser * Djordje Lukic * Edgar Lee * Eric Lin * Ethan Lowman * Jiang Liu * June Rhodes * Kern Walster * Lucas Rattz * Mahamed Ali * Maksim An * Michael Crosby * Peteris Rudzusiks * Sam Edwards * Samruddhi Khandale * Sascha Grunert * Steve Griffith * Tony Fang * VERNOU Cédric * Vishal Reddy Gurrala * hang.jiang * harshitasao * jerryzhuang * lengrongfu * roman-kiselenko * zhanluxianshen * Aaron Lehmann * Adrien Delorme * Alex Couture-Beil * Alex Ellis * Alex Rodriguez * Angelos Kolaitis * Antonio Huete Jimenez * Arash Haghighat * Ben Foster * Bin Tang * Bin Xin * BinBin He * Brennan Kinney * Changqing Li * ChengenH * ChengyuZhu6 * Christian Stewart * Colin O'Dell * Craig Ingram * Daisy Rong * David Porter * Derek Nola * Eng Zer Jun * Erikson Tung * Fabiano Fidêncio * Fahed Dorgaa * Gary McDonald * Iain Macdonald * James Lakin * Jan Dubois * Jaroslav Jindrak * Javier Maestro * Jian Wang * Jiongchi Yu * Julien Balestra * Kir Kolyshkin * Kirill A. Korinsky * Konstantin Khlebnikov * Mauri de Souza Meneguzzo * Pan Yibo * Paul Meyer * Qasim Sarfraz * Qiutong Song * Reinhard Tartler * Robbie Buxton * Robert-André Mauchin * Ruihua Wen * Sameer * Shengjing Zhu * Shiming Zhang * Shukui Yang * Talon * Tariq Ibrahim * Tianon Gravi * Tim Hockin * TinaMor * Tobias Klauser * Tomáš Virtus * Tõnis Tiigi * Wang Xinwen * William Chen * Xinyang Ge * Yibo Zhuang * Yury Gargay * Zechun Chen * Zhang Tianyang * Zoe * baijia * bo.jiang * bzsuni * charles-chenzz * chschumacher1994 * guangli.bao * guangwu * jinda.ljd * krglosse * pigletfly * rokkiter * wangxiang * zhangpeng * zhaojizhuang * 吴小白 * 张钰 * 沈陵 * 谭九鼎 * **dario.cat/mergo** v1.0.1 **_new_** * **github.com/AdaLogics/go-fuzz-headers** 1f10f66a31bf -> ced1acdcaa24 * **github.com/AdamKorcz/go-118-fuzz-build** 5330a85ea652 -> 8075edf89bb0 * **github.com/Microsoft/go-winio** v0.6.0 -> v0.6.2 * **github.com/Microsoft/hcsshim** v0.10.0-rc.7 -> v0.12.6 * **github.com/cenkalti/backoff/v4** v4.2.0 -> v4.3.0 * **github.com/cespare/xxhash/v2** v2.2.0 -> v2.3.0 * **github.com/checkpoint-restore/checkpointctl** v1.2.1 **_new_** * **github.com/checkpoint-restore/go-criu/v7** v7.2.0 **_new_** * **github.com/cilium/ebpf** v0.9.1 -> v0.11.0 * **github.com/containerd/cgroups/v3** v3.0.1 -> v3.0.3 * **github.com/containerd/console** v1.0.3 -> v1.0.4 * **github.com/containerd/containerd/api** v1.8.0-rc.3 **_new_** * **github.com/containerd/continuity** v0.3.0 -> v0.4.3 * **github.com/containerd/errdefs** v0.1.0 **_new_** * **github.com/containerd/go-cni** v1.1.9 -> v1.1.10 * **github.com/containerd/go-runc** v1.0.0 -> v1.1.0 * **github.com/containerd/imgcrypt** v1.1.7 -> v1.2.0-rc1 * **github.com/containerd/log** v0.1.0 **_new_** * **github.com/containerd/nri** v0.3.0 -> v0.6.1 * **github.com/containerd/otelttrpc** ea5083fda723 **_new_** * **github.com/containerd/platforms** v0.2.1 **_new_** * **github.com/containerd/plugin** v0.1.0 **_new_** * **github.com/containerd/ttrpc** v1.2.1 -> v1.2.5 * **github.com/containerd/typeurl/v2** v2.1.0 -> v2.2.0 * **github.com/containernetworking/cni** v1.1.2 -> v1.2.3 * **github.com/containernetworking/plugins** v1.2.0 -> v1.5.1 * **github.com/containers/ocicrypt** v1.1.6 -> v1.2.0 * **github.com/cpuguy83/go-md2man/v2** v2.0.2 -> v2.0.4 * **github.com/davecgh/go-spew** v1.1.1 -> d8f796af33cc * **github.com/distribution/reference** v0.6.0 **_new_** * **github.com/emicklei/go-restful/v3** v3.10.1 -> v3.11.0 * **github.com/felixge/httpsnoop** v1.0.4 **_new_** * **github.com/fsnotify/fsnotify** v1.6.0 -> v1.7.0 * **github.com/fxamacker/cbor/v2** v2.7.0 **_new_** * **github.com/go-jose/go-jose/v4** v4.0.2 **_new_** * **github.com/go-logr/logr** v1.2.3 -> v1.4.2 * **github.com/golang/protobuf** v1.5.2 -> v1.5.4 * **github.com/google/go-cmp** v0.5.9 -> v0.6.0 * **github.com/google/uuid** v1.3.0 -> v1.6.0 * **github.com/gorilla/websocket** v1.5.0 **_new_** * **github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus** v1.0.1 **_new_** * **github.com/grpc-ecosystem/go-grpc-middleware/v2** v2.1.0 **_new_** * **github.com/grpc-ecosystem/grpc-gateway/v2** v2.7.0 -> v2.22.0 * **github.com/intel/goresctrl** v0.3.0 -> v0.7.0 * **github.com/klauspost/compress** v1.16.0 -> v1.17.10 * **github.com/mdlayher/socket** v0.4.1 **_new_** * **github.com/mdlayher/vsock** v1.2.1 **_new_** * **github.com/moby/spdystream** v0.2.0 -> v0.4.0 * **github.com/moby/sys/mountinfo** v0.6.2 -> v0.7.2 * **github.com/moby/sys/sequential** v0.5.0 -> v0.6.0 * **github.com/moby/sys/signal** v0.7.0 -> v0.7.1 * **github.com/moby/sys/symlink** v0.2.0 -> v0.3.0 * **github.com/moby/sys/user** v0.3.0 **_new_** * **github.com/moby/sys/userns** v0.1.0 **_new_** * **github.com/munnerz/goautoneg** a7dc8b61c822 **_new_** * **github.com/mxk/go-flowrate** cca7078d478f **_new_** * **github.com/opencontainers/image-spec** 3a7f492d3f1b -> v1.1.0 * **github.com/opencontainers/runtime-spec** v1.1.0-rc.1 -> v1.2.0 * **github.com/opencontainers/runtime-tools** 946c877fa809 -> 2e043c6bd626 * **github.com/pelletier/go-toml/v2** v2.2.3 **_new_** * **github.com/pmezard/go-difflib** v1.0.0 -> 5d4384ee4fb2 * **github.com/prometheus/client_golang** v1.14.0 -> v1.20.4 * **github.com/prometheus/client_model** v0.3.0 -> v0.6.1 * **github.com/prometheus/common** v0.37.0 -> v0.55.0 * **github.com/prometheus/procfs** v0.8.0 -> v0.15.1 * **github.com/sirupsen/logrus** v1.9.0 -> v1.9.3 * **github.com/stretchr/testify** v1.8.2 -> v1.9.0 * **github.com/urfave/cli/v2** v2.27.4 **_new_** * **github.com/vishvananda/netlink** v1.2.1-beta.2 -> v1.3.0 * **github.com/vishvananda/netns** 2eb08e3e575f -> v0.0.4 * **github.com/x448/float16** v0.8.4 **_new_** * **github.com/xrash/smetrics** 686a1a2994c1 **_new_** * **go.etcd.io/bbolt** v1.3.7 -> v1.3.11 * **go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc** v0.40.0 -> v0.55.0 * **go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp** v0.55.0 **_new_** * **go.opentelemetry.io/otel** v1.14.0 -> v1.30.0 * **go.opentelemetry.io/otel/exporters/otlp/otlptrace** v1.14.0 -> v1.30.0 * **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc** v1.14.0 -> v1.30.0 * **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp** v1.14.0 -> v1.30.0 * **go.opentelemetry.io/otel/metric** v0.37.0 -> v1.30.0 * **go.opentelemetry.io/otel/sdk** v1.14.0 -> v1.30.0 * **go.opentelemetry.io/otel/trace** v1.14.0 -> v1.30.0 * **go.opentelemetry.io/proto/otlp** v0.19.0 -> v1.3.1 * **golang.org/x/crypto** v0.1.0 -> v0.27.0 * **golang.org/x/exp** aacd6d4b4611 **_new_** * **golang.org/x/mod** v0.7.0 -> v0.21.0 * **golang.org/x/net** v0.7.0 -> v0.29.0 * **golang.org/x/oauth2** v0.4.0 -> v0.22.0 * **golang.org/x/sync** v0.1.0 -> v0.8.0 * **golang.org/x/sys** v0.6.0 -> v0.25.0 * **golang.org/x/term** v0.5.0 -> v0.24.0 * **golang.org/x/text** v0.7.0 -> v0.18.0 * **golang.org/x/time** 90d013bbcef8 -> v0.3.0 * **google.golang.org/genproto/googleapis/api** 8af14fe29dc1 **_new_** * **google.golang.org/genproto/googleapis/rpc** 8af14fe29dc1 **_new_** * **google.golang.org/grpc** v1.53.0 -> v1.67.0 * **google.golang.org/protobuf** v1.28.1 -> v1.34.2 * **k8s.io/api** v0.26.2 -> v0.31.1 * **k8s.io/apimachinery** v0.26.2 -> v0.31.1 * **k8s.io/apiserver** v0.26.2 -> v0.31.1 * **k8s.io/client-go** v0.26.2 -> v0.31.1 * **k8s.io/component-base** v0.26.2 -> v0.31.1 * **k8s.io/cri-api** v0.26.2 -> v0.32.0-alpha.0 * **k8s.io/klog/v2** v2.90.1 -> v2.130.1 * **k8s.io/kubelet** v0.31.1 **_new_** * **k8s.io/utils** a5ecb0141aa5 -> 18e509b52bc8 * **sigs.k8s.io/json** f223a00ba0e2 -> bc3834ca7abd * **sigs.k8s.io/structured-merge-diff/v4** v4.2.3 -> v4.4.1 * **sigs.k8s.io/yaml** v1.3.0 -> v1.4.0 * **tags.cncf.io/container-device-interface** v0.8.0 **_new_** * **tags.cncf.io/container-device-interface/specs-go** v0.8.0 **_new_** Previous release can be found at [v1.7.0](https://github.com/containerd/containerd/releases/tag/v1.7.0) * `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`: ✅Recommended. Dynamically linked with glibc 2.31 (Ubuntu 20.04). * `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`: Statically linked. Expected to be used on non-glibc Linux distributions. Not position-independent. In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases) and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too. See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.
Mengkzhaoyun
pushed a commit
to open-beagle/containerd
that referenced
this pull request
Nov 11, 2024
containerd 2.0.0 Welcome to the v2.0.0 release of containerd! The first major release of containerd 2.x focuses on the continued stability of containerd's core feature set with an easy upgrade from containerd 1.x. This release includes the stabilization of new features added in the last 1.x release as well as the removal of features which were deprecated in 1.x. The goal is to support the vast community of containerd users well into the future along with their ever increasing deployment footprints and variety of use cases. See [containerd 2.0](https://github.com/containerd/containerd/blob/main/docs/containerd-2.0.md) documentation for details on what is new and has changed in this release. * Allow sections of Plugins to be merged, and not overwritten as entire sections. ([#9982](containerd/containerd#9982)) * Add Update API for sandbox controller ([#9903](containerd/containerd#9903)) * Configure otel from env instead of config.toml ([#8970](containerd/containerd#8970)) * Enable NRI by default ([#9744](containerd/containerd#9744)) * Add PluginInfo to introspection API ([#9442](containerd/containerd#9442)) * Remove overlayfs volatile option on temp mounts ([#9555](containerd/containerd#9555)) * Expose usage of deprecated features ([#9258](containerd/containerd#9258)) * Use Intel ISA-L's igzip if available ([#9200](containerd/containerd#9200)) * Introduce top level config migration ([#9223](containerd/containerd#9223)) * Add image delete target ([#8989](containerd/containerd#8989)) * Remove `LimitNOFILE` from `containerd.service` ([#8924](containerd/containerd#8924)) * Add support for image expiration during garbage collection ([#9022](containerd/containerd#9022)) * Reduce the contention between ref lock and boltdb lock in content store ([#8792](containerd/containerd#8792)) * Remove "containerd.io/restart.logpath" label ([#8264](containerd/containerd#8264)) * Remove `aufs` snapshotter ([#8263](containerd/containerd#8263)) * Fix deadlock during NRI plugin registration ([containerd/nri#79](containerd/nri#79)) * Support arm64/v9 and minor variants ([containerd/platforms#8](containerd/platforms#8)) * Fix deadlock when writing to pipe blocks ([containerd/ttrpc#168](containerd/ttrpc#168)) * Generate attestation for artifacts during release ([#10543](containerd/containerd#10543)) * Remove `cri-containerd-*.tar.gz` release bundles ([#9096](containerd/containerd#9096)) * Use 'UserSpecifiedImage' from CRI to set the image-name annotation ([#10747](containerd/containerd#10747)) * Fine-grained SupplementalGroups control ([#9737](containerd/containerd#9737)) * Add support to set loopback to up ([#10238](containerd/containerd#10238)) * KEP-3857: Recursive Read-only (RRO) mounts ([#9787](containerd/containerd#9787)) * Add support for multiple subscribers to CRI container events ([#9661](containerd/containerd#9661)) * Enable CDI by default ([#9621](containerd/containerd#9621)) * Remove non-sandboxed CRI implementation ([#9228](containerd/containerd#9228)) * Add support for userns in stateless and stateful pods with idmap mounts (KEP-127, k8s >= 1.27) ([#8287](containerd/containerd#8287)) * Use sandboxed CRI by default ([#8994](containerd/containerd#8994)) * Implement RuntimeConfig CRI call ([#8722](containerd/containerd#8722)) * Add support for user namespaces (KEP-127) ([#8803](containerd/containerd#8803)) * Remove CRI v1alpha2 ([#8276](containerd/containerd#8276)) * Add api Go module and move all protos under api ([#10151](containerd/containerd#10151)) * Move packages based on contributing guide ([#9365](containerd/containerd#9365)) * Generalize plugin library ([#9214](containerd/containerd#9214)) * Use github.com/containerd/log ([#9086](containerd/containerd#9086)) * Support to syncfs after pull by using diff plugin ([#10284](containerd/containerd#10284)) * Skip "unknown" in image platform listing ([#10257](containerd/containerd#10257)) * Update unpacker to fetch all provided content ([#10202](containerd/containerd#10202)) * Enable Transfer service API to support plain HTTP ([#10024](containerd/containerd#10024)) * Enable Transfer service to use registry configuration directory ([#9908](containerd/containerd#9908)) * Disable the support for Schema 1 images ([#9765](containerd/containerd#9765)) * Update Transfer service to add OCI descriptors to Progress structure ([#9630](containerd/containerd#9630)) * Update import and export to allow references to missing content ([#9554](containerd/containerd#9554)) * Add option to perform syncfs after pull ([#9401](containerd/containerd#9401)) * Add image verifier transfer service plugin system based on a binary directory ([#8493](containerd/containerd#8493)) * Implement RuntimeStatus.features.supplemental_groups_policy from KEP-3619 ([#10410](containerd/containerd#10410)) * Add pprof to runc-shim ([#10242](containerd/containerd#10242)) * Provide runtime options in plugin info ([#10251](containerd/containerd#10251)) * Store bootstrap parameters in sandbox metadata ([#9736](containerd/containerd#9736)) * Update apparmor to allow confined runc to kill containers ([#10123](containerd/containerd#10123)) * Support vsock connection to task api ([#9738](containerd/containerd#9738)) * Update RuntimeDefault seccomp profile to disallow io_uring related syscalls ([#9320](containerd/containerd#9320)) * Switch runc shim to task service v3 and fix restore ([#9233](containerd/containerd#9233)) * Add sandboxer configuration and move sandbox controllers to plugins ([#8268](containerd/containerd#8268)) * Add annotations to CreateSandbox request ([#8960](containerd/containerd#8960)) * Add SandboxMetrics ([#8680](containerd/containerd#8680)) * Publish sandbox events ([#8602](containerd/containerd#8602)) * Remove the CriuPath field from runc's options ([#8279](containerd/containerd#8279)) * Remove `io.containerd.runtime.v1.linux` and `io.containerd.runc.v1` ([#8262](containerd/containerd#8262)) * [medium] RAPL accessible to a container [GHSA-7ww5-4wqc-m92c](GHSA-7ww5-4wqc-m92c) * Remove `disable_cgroup` from CRI config ([#10594](containerd/containerd#10594)) * Disable the support for Schema 1 images ([#9765](containerd/containerd#9765)) * Update RuntimeDefault seccomp profile to disallow io_uring related syscalls ([#9320](containerd/containerd#9320)) * Move client to subpackage ([#9316](containerd/containerd#9316)) * Remove `LimitNOFILE` from `containerd.service` ([#8924](containerd/containerd#8924)) * Remove CRI v1alpha2 ([#8276](containerd/containerd#8276)) * Remove `io.containerd.runtime.v1.linux` and `io.containerd.runc.v1` ([#8262](containerd/containerd#8262)) * Remove "containerd.io/restart.logpath" label ([#8264](containerd/containerd#8264)) * Remove `aufs` snapshotter ([#8263](containerd/containerd#8263)) * Update warnings for deprecated CRI config fields ([#10509](containerd/containerd#10509)) * Add type alias for event Envelope ([#10279](containerd/containerd#10279)) * Postpone removal of deprecated CRI config properties ([#9966](containerd/containerd#9966)) * Deprecate go-plugin configuration option ([#9238](containerd/containerd#9238)) * CNI conf_template in CRI is no longer deprecated ([#8637](containerd/containerd#8637)) Please try out the release binaries and report any issues at https://github.com/containerd/containerd/issues. * Derek McGowan * Akihiro Suda * Maksym Pavlenko * Wei Fu * Phil Estes * Sebastiaan van Stijn * Samuel Karp * Krisztian Litkey * Kazuyoshi Kato * Austin Vazquez * Rodrigo Campos * Danny Canter * Abel Feng * Mike Brown * Kirtana Ashok * Akhil Mohan * Iceber Gu * Gabriel Adrian Samfira * Jin Dong * Kohei Tokunaga * Bjorn Neergaard * Brian Goff * Justin Chadwell * rongfu.leng * James Sturtevant * Davanum Srinivas * Paul "TBBle" Hampson * Henry Wang * Enrico Weigelt * Laura Brehm * Marat Radchenko * Paweł Gronowski * Shingo Omura * Hsing-Yu (David) Chen * Ilya Hanov * Cardy.Tang * Swagat Bora * Aditi Sharma * Amit Barve * Bryant Biggs * Evan Lezar * James Jenkins * Jordan Liggitt * Kay Yan * Markus Lehtonen * Nashwan Azhari * Shuaiyi Zhang * Vinayak Goyal * helen * Alexandru Matei * Anthony Nandaa * Avi Deitcher * Charity Kathure * Cory Snider * Ed Bartosh * Etienne Champetier * Kevin Parsons * Michael Zappa * Milas Bowman * lengrongfu * ningmingxiao * yanggang * zounengren * Aditya Ramani * Adrian Reber * Amir M. Ghazanfari * Antonio Ojea * Artem Khramov * Brad Davidson * Chen Yiyang * Chongyi Zheng * Christian Muehlhaeuser * Djordje Lukic * Edgar Lee * Eric Lin * Ethan Lowman * Jiang Liu * June Rhodes * Kern Walster * Lei Jitang * Lucas Rattz * Mahamed Ali * Maksim An * Michael Crosby * Peteris Rudzusiks * Ray Burgemeestre * Sam Edwards * Samruddhi Khandale * Sascha Grunert * Steve Griffith * Tony Fang * Tõnis Tiigi * VERNOU Cédric * Vishal Reddy Gurrala * Xiaojin Zhang * Yang Yang * hang.jiang * harshitasao * jerryzhuang * roman-kiselenko * zhanluxianshen * Aaron Lehmann * AbdelrahmanElawady * Adrien Delorme * Alex Couture-Beil * Alex Ellis * Alex Rodriguez * Angelos Kolaitis * Antonio Huete Jimenez * Antti Kervinen * Arash Haghighat * Arkin Modi * Ben Foster * Benjamin Peterson * Bin Tang * Bin Xin * BinBin He * Brennan Kinney * Changqing Li * ChengenH * ChengyuZhu6 * Christian Stewart * Colin O'Dell * Craig Ingram * Daisy Rong * David Porter * David Son * Derek Nola * Eng Zer Jun * Erikson Tung * Fabiano Fidêncio * Fahed Dorgaa * Gabriela Cervantes * Gary McDonald * Iain Macdonald * James Lakin * Jan Dubois * Jaroslav Jindrak * Javier Maestro * Jian Wang * Jiongchi Yu * Julien Balestra * Kir Kolyshkin * Kirill A. Korinsky * Konstantin Khlebnikov * Lei Liu * Matteo Pulcini * Mauri de Souza Meneguzzo * Mike Baynton * Niklas Gehlen * Pan Yibo * Paul Meyer * Qasim Sarfraz * Qiutong Song * Reinhard Tartler * Robbie Buxton * Robert-André Mauchin * Ruihua Wen * Saket Jajoo * Sameer * Shengjing Zhu * Shiming Zhang * Shukui Yang * StepSecurity Bot * Talon * Tariq Ibrahim * Tianon Gravi * Tim Hockin * TinaMor * Tobias Klauser * Tomáš Virtus * Wang Xinwen * William Chen * Xinyang Ge * Yibo Zhuang * Yuhang Wei * Yury Gargay * Zechun Chen * Zhang Tianyang * Zoe * baijia * bo.jiang * bzsuni * charles-chenzz * chschumacher1994 * cormick * guangli.bao * guangwu * jinda.ljd * jingtao.liang * krglosse * pigletfly * rokkiter * wangxiang * zhangpeng * zhaojizhuang * 吴小白 * 张钰 * 沈陵 * 谭九鼎 * **dario.cat/mergo** v1.0.1 **_new_** * **github.com/AdaLogics/go-fuzz-headers** 1f10f66a31bf -> e8a1dd7889d6 * **github.com/AdamKorcz/go-118-fuzz-build** 5330a85ea652 -> 2b5cbb29f3e2 * **github.com/Microsoft/go-winio** v0.6.0 -> v0.6.2 * **github.com/Microsoft/hcsshim** v0.10.0-rc.7 -> v0.12.9 * **github.com/cenkalti/backoff/v4** v4.2.0 -> v4.3.0 * **github.com/cespare/xxhash/v2** v2.2.0 -> v2.3.0 * **github.com/checkpoint-restore/checkpointctl** v1.3.0 **_new_** * **github.com/checkpoint-restore/go-criu/v7** v7.2.0 **_new_** * **github.com/cilium/ebpf** v0.9.1 -> v0.11.0 * **github.com/containerd/cgroups/v3** v3.0.1 -> v3.0.3 * **github.com/containerd/console** v1.0.3 -> v1.0.4 * **github.com/containerd/containerd/api** v1.8.0 **_new_** * **github.com/containerd/continuity** v0.3.0 -> v0.4.4 * **github.com/containerd/errdefs** v1.0.0 **_new_** * **github.com/containerd/errdefs/pkg** v0.3.0 **_new_** * **github.com/containerd/go-cni** v1.1.9 -> v1.1.10 * **github.com/containerd/go-runc** v1.0.0 -> v1.1.0 * **github.com/containerd/imgcrypt/v2** v2.0.0-rc.1 **_new_** * **github.com/containerd/log** v0.1.0 **_new_** * **github.com/containerd/nri** v0.3.0 -> v0.8.0 * **github.com/containerd/otelttrpc** ea5083fda723 **_new_** * **github.com/containerd/platforms** v1.0.0-rc.0 **_new_** * **github.com/containerd/plugin** v1.0.0 **_new_** * **github.com/containerd/ttrpc** v1.2.1 -> v1.2.6 * **github.com/containerd/typeurl/v2** v2.1.0 -> v2.2.2 * **github.com/containerd/zfs/v2** v2.0.0-rc.0 **_new_** * **github.com/containernetworking/cni** v1.1.2 -> v1.2.3 * **github.com/containernetworking/plugins** v1.2.0 -> v1.5.1 * **github.com/containers/ocicrypt** v1.1.6 -> v1.2.0 * **github.com/cpuguy83/go-md2man/v2** v2.0.2 -> v2.0.5 * **github.com/davecgh/go-spew** v1.1.1 -> d8f796af33cc * **github.com/distribution/reference** v0.6.0 **_new_** * **github.com/emicklei/go-restful/v3** v3.10.1 -> v3.11.0 * **github.com/felixge/httpsnoop** v1.0.4 **_new_** * **github.com/fsnotify/fsnotify** v1.6.0 -> v1.7.0 * **github.com/fxamacker/cbor/v2** v2.7.0 **_new_** * **github.com/go-jose/go-jose/v4** v4.0.4 **_new_** * **github.com/go-logr/logr** v1.2.3 -> v1.4.2 * **github.com/golang/protobuf** v1.5.2 -> v1.5.4 * **github.com/google/go-cmp** v0.5.9 -> v0.6.0 * **github.com/google/uuid** v1.3.0 -> v1.6.0 * **github.com/gorilla/websocket** v1.5.0 **_new_** * **github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus** v1.0.1 **_new_** * **github.com/grpc-ecosystem/go-grpc-middleware/v2** v2.1.0 **_new_** * **github.com/grpc-ecosystem/grpc-gateway/v2** v2.7.0 -> v2.22.0 * **github.com/intel/goresctrl** v0.3.0 -> v0.8.0 * **github.com/klauspost/compress** v1.16.0 -> v1.17.11 * **github.com/mdlayher/socket** v0.4.1 **_new_** * **github.com/mdlayher/vsock** v1.2.1 **_new_** * **github.com/mistifyio/go-zfs/v3** v3.0.1 **_new_** * **github.com/moby/spdystream** v0.2.0 -> v0.4.0 * **github.com/moby/sys/mountinfo** v0.6.2 -> v0.7.2 * **github.com/moby/sys/sequential** v0.5.0 -> v0.6.0 * **github.com/moby/sys/signal** v0.7.0 -> v0.7.1 * **github.com/moby/sys/symlink** v0.2.0 -> v0.3.0 * **github.com/moby/sys/user** v0.3.0 **_new_** * **github.com/moby/sys/userns** v0.1.0 **_new_** * **github.com/munnerz/goautoneg** a7dc8b61c822 **_new_** * **github.com/mxk/go-flowrate** cca7078d478f **_new_** * **github.com/opencontainers/image-spec** 3a7f492d3f1b -> v1.1.0 * **github.com/opencontainers/runtime-spec** v1.1.0-rc.1 -> v1.2.0 * **github.com/opencontainers/runtime-tools** 946c877fa809 -> 2e043c6bd626 * **github.com/opencontainers/selinux** v1.11.0 -> v1.11.1 * **github.com/pelletier/go-toml/v2** v2.2.3 **_new_** * **github.com/pmezard/go-difflib** v1.0.0 -> 5d4384ee4fb2 * **github.com/prometheus/client_golang** v1.14.0 -> v1.20.5 * **github.com/prometheus/client_model** v0.3.0 -> v0.6.1 * **github.com/prometheus/common** v0.37.0 -> v0.55.0 * **github.com/prometheus/procfs** v0.8.0 -> v0.15.1 * **github.com/sirupsen/logrus** v1.9.0 -> v1.9.3 * **github.com/stefanberger/go-pkcs11uri** 78d3cae3a980 -> 78284954bff6 * **github.com/stretchr/testify** v1.8.2 -> v1.9.0 * **github.com/urfave/cli/v2** v2.27.5 **_new_** * **github.com/vishvananda/netlink** v1.2.1-beta.2 -> v1.3.0 * **github.com/vishvananda/netns** 2eb08e3e575f -> v0.0.4 * **github.com/x448/float16** v0.8.4 **_new_** * **github.com/xrash/smetrics** 686a1a2994c1 **_new_** * **go.etcd.io/bbolt** v1.3.7 -> v1.3.11 * **go.mozilla.org/pkcs7** 432b2356ecb1 -> v0.9.0 * **go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc** v0.40.0 -> v0.56.0 * **go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp** v0.56.0 **_new_** * **go.opentelemetry.io/otel** v1.14.0 -> v1.31.0 * **go.opentelemetry.io/otel/exporters/otlp/otlptrace** v1.14.0 -> v1.31.0 * **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc** v1.14.0 -> v1.31.0 * **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp** v1.14.0 -> v1.31.0 * **go.opentelemetry.io/otel/metric** v0.37.0 -> v1.31.0 * **go.opentelemetry.io/otel/sdk** v1.14.0 -> v1.31.0 * **go.opentelemetry.io/otel/trace** v1.14.0 -> v1.31.0 * **go.opentelemetry.io/proto/otlp** v0.19.0 -> v1.3.1 * **golang.org/x/crypto** v0.1.0 -> v0.28.0 * **golang.org/x/exp** aacd6d4b4611 **_new_** * **golang.org/x/mod** v0.7.0 -> v0.21.0 * **golang.org/x/net** v0.7.0 -> v0.30.0 * **golang.org/x/oauth2** v0.4.0 -> v0.22.0 * **golang.org/x/sync** v0.1.0 -> v0.8.0 * **golang.org/x/sys** v0.6.0 -> v0.26.0 * **golang.org/x/term** v0.5.0 -> v0.25.0 * **golang.org/x/text** v0.7.0 -> v0.19.0 * **golang.org/x/time** 90d013bbcef8 -> v0.3.0 * **google.golang.org/genproto/googleapis/api** 5fefd90f89a9 **_new_** * **google.golang.org/genproto/googleapis/rpc** 324edc3d5d38 **_new_** * **google.golang.org/grpc** v1.53.0 -> v1.67.1 * **google.golang.org/protobuf** v1.28.1 -> v1.35.1 * **k8s.io/api** v0.26.2 -> v0.31.2 * **k8s.io/apimachinery** v0.26.2 -> v0.31.2 * **k8s.io/apiserver** v0.26.2 -> v0.31.2 * **k8s.io/client-go** v0.26.2 -> v0.31.2 * **k8s.io/component-base** v0.26.2 -> v0.31.2 * **k8s.io/cri-api** v0.26.2 -> v0.31.2 * **k8s.io/klog/v2** v2.90.1 -> v2.130.1 * **k8s.io/kubelet** v0.31.2 **_new_** * **k8s.io/utils** a5ecb0141aa5 -> 18e509b52bc8 * **sigs.k8s.io/json** f223a00ba0e2 -> bc3834ca7abd * **sigs.k8s.io/structured-merge-diff/v4** v4.2.3 -> v4.4.1 * **sigs.k8s.io/yaml** v1.3.0 -> v1.4.0 * **tags.cncf.io/container-device-interface** v0.8.0 **_new_** * **tags.cncf.io/container-device-interface/specs-go** v0.8.0 **_new_** Previous release can be found at [v1.7.0](https://github.com/containerd/containerd/releases/tag/v1.7.0) * `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`: ✅Recommended. Dynamically linked with glibc 2.31 (Ubuntu 20.04). * `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`: Statically linked. Expected to be used on non-glibc Linux distributions. Not position-independent. In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases) and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too. See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
10 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
/usr/sbin/runc is confined with "runc" profile[1] introduced in AppArmor v4.0.0. This change breaks stopping of containers, because the profile assigned to containers doesn't accept signals from the "runc" peer. AppArmor >= v4.0.0 is currently part of Ubuntu Mantic (23.10) and later.
The issue is reproducible both with nerdctl and ctr clients. In the case of ctr, the --apparmor-default-profile flag has to be specified, otherwise the container processes would inherit the runc profile, which behaves as unconfined, and so the subsequent runc process invoked to stop it would be able to signal it.
Test commands:
Relevant syslog messages (with long lines wrapped):
This change extends the default profile with rules that allow receiving signals from processes that run confined with either runc or crun profile (crun[2] is an alternative OCI runtime that's also confined in AppArmor >= v4.0.0, see [1]). It is backward compatible because the peer value is a regular expression (AARE) so the referenced profile doesn't have to exist for this profile to successfully compile and load.
[1] https://gitlab.com/apparmor/apparmor/-/commit/2594d936
[2] https://github.com/containers/crun