Welcome to the v1.2.8 release of containerd!

The eighth patch release for containerd 1.2 provides a series of bug fixes, many
of them backported from the master branch to correct several known issues around
manifest lists/indexes and pulling multi-arch, CVEs related to Golang/http2,
fd leakage in the Golang runtime, a shim hang, process and image environment config
handling, and finally mount cleanup related to Cloud Foundry's use of containerd
with rootless containers. A set of bug fixes/updates for the CRI plugin are also
included; details for the CRI issues and fixes are shown below.

Notable Updates

• Skip rootfs unmount when no mounts are provided. Fixed by PR #3148 {cherry-picked as PR #3402}.
• Close inherited socket file descriptor. Fixed in PR #3359 {cherry-picked as PR #3364}.
• Call CloseIO when stdin closes in ctr. Fixed by PR #3462 {cherry-picked as PR 3490}.
• Several multi-arch image fixes, including: ARM platform matching, selecting the proper manifest, and limited to best matched manifest to solve discrepancies with multi-arch image operations. Backported PR #3270 as PR #3404, PR #3484 as PR #3512, and added PR #3421.
• Override image's environment config with process config; including backport of fixes and tests for merging/replacing env variables; fix in PR #3542, backported via PR #3546 which included a backport of PR #2887. Additional fix to logic for override re: image $PATH cherry-picked in PR #3565.
• Shim hang fix in master via PR #3540 backported to release/1.2 via PR #3561.
• Updated Golang version to 1.12.9 patch release:
  • Resolves CVE-2019-9512 and CVE-2019-9514 from the 1.12.8 security release. Originally fixed via PR #3531 which lists the details of the Golang CVEs, backported via PR #3532 to release/1.2.
  • Resolves fd leaks reported via golang/go#33405 and resolved in the 1.12.9 patch release, updated via PR #3544. This fd leak bug was initially reported in containerd issue #3481.
• CRI: Fix a bug that if an image is deleted immediately after being pulled, the image may still exist after the deletion finishes successfully. (containerd/cri#1161)
• CRI: Fix a bug that runc and crictl binaries shipped in https://storage.googleapis.com/cri-containerd-release are versioned with the containerd version. (containerd/cri#1193)
• CRI: Fix a bug that the images become unusable if 2 images have the same image ID and RepoTag, but different RepoDigests. (#3401)
• CRI: Fix ProcMount support (containerd/cri#1216). NOTE: To use containerd 1.2.8+ with Kubernetes 1.11 or below, you MUST set disable_proc_mount=true in the cri plugin config. (containerd/cri#1208)
• CRI: Fix a bug that containerd tries to connect image registry with https even if the http endpoint is configured. (containerd/cri#1201)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Michael Crosby
• Lantao Liu
• Sebastiaan van Stijn
• Wei Fu
• Mike Brown
• Phil Estes
• Shukui Yang
• Derek McGowan
• Akihiro Suda
• Andrey Kolomentsev
• Darren Shepherd
• Eric Ren
• Georgi Sabev
• Jaime Caamaño Ruiz
• Jintao Zhang
• Justin Terry
• Yangyang

Changes

• a4bc1d432a Merge pull request #3534 from estesp/prep-v1.2.8
• 5e060c4246 Merge pull request #3565 from estesp/cp-3551
• a9ba2e681c Prepare v1.2.8 point release
• 1c309d804d Remove the process default ENV
• de8fa9b614 Merge pull request #3561 from keloyang/shim-hung-1.2
• f1c661f787 Change bufferSize back to 32
• d161ab6327 Try to preserve exit event order
• 7e2864b8f0 Add retry and non-blocking send for exit events
• dbf9a50175 Unifi reaper logic into package
• 9b5b55b142 Fix shim hung
• b21e4f466e Merge pull request #3546 from estesp/cp-3542
• c8d75ca5ed do not mutate defaults in replaceOrAppendEnvValues
• 6c6b7e2976 bugfix: override image.Env with process.Env, rather than be contrary
• a0526340f7 Merge pull request #3544 from thaJeztah/1.2_backport_bump_golang_1.12.9
• 17690cc2fe AppVeyor: update to go 1.12.9
• c5bca64cd1 Merge pull request #3538 from thaJeztah/1.2_revert_bump_libseccomp
• 8c0ec3c35e Revert "bump libseccomp-golang v0.9.1"
• eed8acd47c Merge pull request #3535 from Random-Liu/update-cri-release-1.2
• 941dd9f2c3 Update cri to d928a4dd337fd2a992dbe72380eff2063c3ec62f.
• e70728b659 Merge pull request #3532 from thaJeztah/1.2_backport_bump_golang_1.12.8
• 4097217bbd AppVeyor: update to go 1.12.8 (CVE-2019-9512, CVE-2019-9514)
• bb238e05a1 AppVeyor: update to go 1.12.7
• 150468fcc7 contrib: Dockerfile: bump go 1.12
• c675ea30c4 contrib: Dockerfile: add a base stage
• 59134eb991 contrib: Dockerfile: reformat, and use --no-install-recommends
• ad3bfc9e32 contrib: Dockerfile: use build-arg for go-version
• 3d8ca756ab Merge pull request #3527 from estesp/cp-2828-isolated
• 11a25c8a62 Move ctr run --isolation to Windows only
• 99ba29cbd5 Merge pull request #3512 from fuweid/cp-3484
• 47e5d5fd44 Limit multiple platform manifests to one for size check
• 6e4353d6a9 Merge pull request #3490 from estesp/cp3462
• 116e770a8a Call CloseIO when stdin closes in ctr
• becb04a793 Merge pull request #3437 from fuweid/cb-3025
• c8bbceb4ed metadata: merge snapshot labels with metadata's labels
• 4579a892be Merge pull request #3428 from AkihiroSuda/fix-task-start-1.2
• 227ebf36a9 runtime/v1/linux: ignore ErrCgroupDeleted in Task.Start
• 18100a35eb Merge pull request #3421 from fuweid/cherry-pick-manifest
• d528a69a42 images: only fetch the best matched manifest info
• ef9f3a5316 Merge pull request #3413 from crosbymichael/snapshot-test
• 46920a60fa test/snapshots: umount before committing snapshot
• e12b7078f2 Merge pull request #3404 from crosbymichael/cherry-arm
• 452e9c532b Improve ARM platform matching
• 682f6e730f Merge pull request #3402 from masters-of-cats/release/1.2
• b207b33292 Skip rootfs unmount when no mounts are provided
• fd103cb716 Merge pull request #3376 from thaJeztah/1.2_backport_bump_libseccomp
• d8f4da4fef bump libseccomp-golang v0.9.1
• 524eb23af6 Merge pull request #3364 from keloyang/close-socket-fd-1.2
• ed35eec321 Close the inherited socket fd
• 5ca28c1d0f Merge pull request #3342 from thaJeztah/1.2_backport_travis_and_golang
• 4b2dc65cf2 Merge pull request #3346 from crosbymichael/cherry-diff-panic
• b2d260c4f4 Ensure labels is not nil in differ
• 1b2230eb33 AppVeyor: Bump golang 1.12.6
• d0b89fd57e Add travis_wait to prevent vndr timing out
• aab8e9d135 Update to Golang 1.12, and prepare for ppc64le
• 56f8ef8ced Update travis to xenial worker

Changes from containerd/cri

• d928a4dd Merge pull request #1230 from Random-Liu/fix-https-release-1.2
• ecd021d4 Fix unnecessary https trial in release/1.2.
• 789b26f3 Merge pull request #1216 from Random-Liu/cherrypick-1209-release-1.2
• c54f640f Add test for disable_proc_mount.
• 21343bf7 Fix proc mount support.
• 106dfbde Merge pull request #1210 from Random-Liu/cherrypick-1202-release-1.2
• dcdfa8f2 Do not cache image handler.
• 7fb9c17c Merge pull request #1191 from thaJeztah/1.2_backport_bump_libseccomp
• f68a182b Merge pull request #1193 from thaJeztah/1.2_backport_fix_version
• 0c86149e Fix runc and critools version in release.
• 8738fd62 bump libseccomp-golang v0.9.1
• 0bb5f8ed Merge pull request #1186 from mikebrow/revert-1179-update-containerd-release-1.2
• 489dd6af Revert "[release/1.2] Update containerd to v1.2.7"
• 38ab32bf Merge pull request #1179 from Random-Liu/update-containerd-release-1.2
• 30e14d9d Update containerd to v1.2.7
• ec3609df Merge pull request #1167 from Random-Liu/cherrypick-#1162-release-1.2
• cb317ddf Add cri managed image label when pulling the image.

Dependency Changes

Previous release can be found at v1.2.7

• github.com/containerd/cri 49ca74043390bc2eeea7a45a46005fbec58a3f88 -> d928a4dd337fd2a992dbe72380eff2063c3ec62f