Containerd - v1.6.9

Security

Welcome to the v1.6.9 release of containerd!

The ninth patch release for containerd 1.6 contains various fixes, reorders the pod setup workflow in the CRI plugin to
prevent CNI resource leaks, and includes a new version of runc.

Notable Updates

  • Update oci.WithDefaultUnixDevices(): remove tun/tap from the default devices (#7268)
  • Fix CRI: Do not append []string{""} to command to preserve Docker compatibility (#7298)
  • Enhance CRI: ContainerStatus to return container resources (#7410)
  • Fix OCI resolver to skip TLS verification for localhost (#7438
  • Fix createTarFile: make xattr EPERM non-fatal (#7447)
  • Fix CRI plugin to setup pod network after creating the sandbox container (#7456)
  • Fix OCI pusher to retry request on writer reset (#7461)
  • Fix archive to validate digests before use (#7490)
  • Migrate from k8s.gcr.io to registry.k8s.io (#7549)
  • Fix CRI: PodSandboxStatus should tolerate missing task (#7551)
  • Fix io.containerd.runc.v1: Stats() shouldn't assume s.container is non-nil (#7557)
  • Enhance CRI plugin to add logging volume metrics (#7571)
  • Add support for CAP_BPF and CAP_PERFMON (#7574)

See the changelog for complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

  • Sebastiaan van Stijn
  • Akihiro Suda
  • Wei Fu
  • Samuel Karp
  • Kazuyoshi Kato
  • Maksym Pavlenko
  • Derek McGowan
  • Phil Estes
  • Qiutong Song
  • ruiwen-zhao
  • zounengren
  • Akhil Mohan
  • Andrey Klimentyev
  • Benjamin Elder
  • Henry Wang
  • Iceber Gu
  • Paco Xu
  • Sophie Liu
  • Ye Sijun
  • rongfu.leng

Changes

68 commits

* [release/1.6] Prepare release notes for v1.6.9 ([#7573](https://github.com/containerd/containerd/pull/7573)) * [`f1493f665`](https://github.com/containerd/containerd/commit/f1493f6651bd1955217c6ae444761c73e49726f2) Prepare release notes for v1.6.9 * [`99578d1fc`](https://github.com/containerd/containerd/commit/99578d1fc794fb36f58f0cbaf54aea56a95c3c60) Update mailmap * [release/1.6] adding support of CAP_BPF and CAP_PERFMON ([#7574](https://github.com/containerd/containerd/pull/7574)) * [`346412f5a`](https://github.com/containerd/containerd/commit/346412f5aefdcec30908562716de70ffe4824b67) adding support of CAP_BPF and CAP_PERFMON * [release/1.6] Add logging volume metrics to Containerd CRI plugin ([#7571](https://github.com/containerd/containerd/pull/7571)) * [`a956d8415`](https://github.com/containerd/containerd/commit/a956d84158580c91253b4c54b879b1f2b3e98e0f) Add logging volume metrics to Containerd CRI plugin * [release/1.6] fix pusher concurrent close channel ([#7562](https://github.com/containerd/containerd/pull/7562)) * [`29e2dea50`](https://github.com/containerd/containerd/commit/29e2dea5083e9b257471db5380a1b8ff32ae9219) fix pusher concurrent close channel * [release/1.6] Stats() shouldn't assume s.container is non-nil ([#7557](https://github.com/containerd/containerd/pull/7557)) * [`8a9d69385`](https://github.com/containerd/containerd/commit/8a9d69385024854321ba806ea09cc0bbe1af87c3) [release/1.6] Stats() shouldn't assume s.container is non-nil * [release/1.6] cri: PodSandboxStatus should tolerate missing task ([#7551](https://github.com/containerd/containerd/pull/7551)) * [`a9adc7938`](https://github.com/containerd/containerd/commit/a9adc7938d98d292d7c2b598b1458551e275a507) cri: PodSandboxStatus should tolerate missing task * [release/1.6] migrate from k8s.gcr.io to registry.k8s.io ([#7549](https://github.com/containerd/containerd/pull/7549)) * [`b66eb726a`](https://github.com/containerd/containerd/commit/b66eb726a5bf968ac64f24de98f4065f19ede7f0) migrate from k8s.gcr.io to registry.k8s.io * [release/1.6] upgrade containerd/continuity from v0.2.2 to v0.3.0 ([#7518](https://github.com/containerd/containerd/pull/7518)) * [`5b40993a5`](https://github.com/containerd/containerd/commit/5b40993a5e525012b1e97121cdacccce6ced4d06) [release/1.6] upgrade containerd/continuity from v0.2.2 to v0.3.0 * [release/1.6] Update container with sandbox metadata after NetNS is created ([#7505](https://github.com/containerd/containerd/pull/7505)) * [`f2376e659`](https://github.com/containerd/containerd/commit/f2376e659ffa55e4ff2578baf4e4c7aab54042e4) Update container with sandbox metadata after NetNS is created * [release/1.6] archive: validate digests before use ([#7490](https://github.com/containerd/containerd/pull/7490)) * [`06f82efef`](https://github.com/containerd/containerd/commit/06f82efef4be5975e7e9a8c8f8d13480065aab9f) archive: validate digests before use * [release/1.6] Update go 1.18.7, addresses CVE-2022-2879, CVE-2022-2880, CVE-2022-41715 ([#7475](https://github.com/containerd/containerd/pull/7475)) * [`28324c529`](https://github.com/containerd/containerd/commit/28324c529fad2285d44ae5348377496cdf9c4926) [release/1.6] Update go 1.18.7, addresses CVE-2022-2879, CVE-2022-2880, CVE-2022-41715 * [`0aeeb62cb`](https://github.com/containerd/containerd/commit/0aeeb62cba15e383b9387424be5ae4758650afae) [release/1.6] update golangci-lint to v1.19.0 * [`7db9d1f76`](https://github.com/containerd/containerd/commit/7db9d1f76ffc16f970b6179a493caa008aeefef2) Fix linter warnings * [`4dc932e62`](https://github.com/containerd/containerd/commit/4dc932e620bd2931c57715dce8cc4ac9f9e1c2d0) [release/1.6] gofmt with go1.19 * [`7b8d679ad`](https://github.com/containerd/containerd/commit/7b8d679ad169fa1a0d1127bc49dff231087ac544) [release/1.6] integration: remove use of deprecated io/ioutil * [release/1.6] retry request on writer reset ([#7461](https://github.com/containerd/containerd/pull/7461)) * [`926b9c72f`](https://github.com/containerd/containerd/commit/926b9c72f61b5be6bf8d952512f1d0932fbaf898) retry request on writer reset * [release/1.6] Setup pod network after creating the sandbox container ([#7456](https://github.com/containerd/containerd/pull/7456)) * [`b9a35c6af`](https://github.com/containerd/containerd/commit/b9a35c6af9519630179b745e48bd29fd4d067c83) Add integration tests with failpoint * [`1f29fac48`](https://github.com/containerd/containerd/commit/1f29fac48ee356918663a4aa1f9880de3e2d6f1a) Persist container and sandbox if resource cleanup fails, like teardownPodNetwork * [release/1.6] test: introduce failpoint control to runc-shimv2 and cni ([#7455](https://github.com/containerd/containerd/pull/7455)) * [`a85709c6c`](https://github.com/containerd/containerd/commit/a85709c6c446b7a6fc49545b01d063473cf09432) integration: simplify CNI-fp and add README.md * [`d89a8d223`](https://github.com/containerd/containerd/commit/d89a8d22379f41adae7fd5e1d524c806a011deff) pkg/failpoint: add FreeBSD link and update pkg doc * [`b0ce2965a`](https://github.com/containerd/containerd/commit/b0ce2965aea5785f8f2930e358be84b86969a5e7) integration: Add injected failpoint testing for RunPodSandbox * [`a7f956d86`](https://github.com/containerd/containerd/commit/a7f956d86498c6066c1934215e64877602ac69f4) integration: CNI bridge wrapper with failpoint * [`07c479471`](https://github.com/containerd/containerd/commit/07c4794714db6af21f0bc5fdcd6fad89bd1f967c) pkg/failpoint: add DelegatedEval API * [`4a5bc05aa`](https://github.com/containerd/containerd/commit/4a5bc05aa00acd1c197f7547aec8f90f20c9a98f) runtime/v2/shim: return if error in load plugin * [`71ee7de24`](https://github.com/containerd/containerd/commit/71ee7de24818907dab4cdac39ba760008331f4a8) bin/ctr,integration: new runc-shim with failpoint * [`3e2e77849`](https://github.com/containerd/containerd/commit/3e2e7784907a9dba4af9de5fd81e2674b0a8cfee) runtime/v2: manager supports server interceptor * [`cb935bf49`](https://github.com/containerd/containerd/commit/cb935bf49a413c6624638ccc640146527bb05edb) pkg/failpoint: init failpoint package * [release/1.6] cherry-pick: make xattr EPERM non-fatal in createTarFile ([#7447](https://github.com/containerd/containerd/pull/7447)) * [`2fdfd564c`](https://github.com/containerd/containerd/commit/2fdfd564c180e01abe40463b6b6107f9ee2e1cf9) make xattr EPERM non-fatal in createTarFile * [release/1.6] remotes/docker/config: Skipping TLS verification for localhost ([#7438](https://github.com/containerd/containerd/pull/7438)) * [`89e49609d`](https://github.com/containerd/containerd/commit/89e49609d361f618aa1308e75e2fec57485697cc) remotes/docker/config: Skipping TLS verification for localhost * [release/1.6] .zuul: remove the zull because it is offline ([#7427](https://github.com/containerd/containerd/pull/7427)) * [`b720be2ce`](https://github.com/containerd/containerd/commit/b720be2ce3fa088b744dbfd185e615799b8e7bee) remove stray .zuul.yaml * [`6b30bc4b4`](https://github.com/containerd/containerd/commit/6b30bc4b4a8d0857e61e8324305c2ba97eba0716) .zuul: remove the zuul because it is offline * [release/1.6] cherry-pick: Set grpc code for unimplemented cri-api methods ([#7421](https://github.com/containerd/containerd/pull/7421)) * [`0f7e258ee`](https://github.com/containerd/containerd/commit/0f7e258eebbf1ebbc3b7fa87618547d1547df3cf) Set grpc code for unimplemented cri-api methods * [release/1.6] cherry-pick: ContainerStatus to return container resources ([#7410](https://github.com/containerd/containerd/pull/7410)) * [`fb753e5cd`](https://github.com/containerd/containerd/commit/fb753e5cd5a907710de673adf3dd5e5721a11fa9) update intergration * [`6ee5bb7ea`](https://github.com/containerd/containerd/commit/6ee5bb7eaad1420d6e57438b7a15853a7167e5b5) bump cri-api * [`ae8598615`](https://github.com/containerd/containerd/commit/ae85986151295afd08aeb7dcd1a30ca329682b11) ContainerStatus to return container resources * [`d3c7e31c8`](https://github.com/containerd/containerd/commit/d3c7e31c8a8f7dc3f0ef0d189fda5a7caca42ce2) Update CRI-API * [release/1.6] backport: vendor: golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd ([#7340](https://github.com/containerd/containerd/pull/7340)) * [`5b44c5271`](https://github.com/containerd/containerd/commit/5b44c5271136c5f1c4b6df4275c6ff3b124d731d) vendor: golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd * [release/1.6 backport] update runc binary to v1.1.4 ([#7333](https://github.com/containerd/containerd/pull/7333)) * [`3507d600b`](https://github.com/containerd/containerd/commit/3507d600b6f5db11f865b96d1ff319708656002d) update runc binary to v1.1.4 * [release/1.6] ci: remove GOPROXY environment variable due to https://github.com/go-… ([#7299](https://github.com/containerd/containerd/pull/7299)) * [`1efd8b947`](https://github.com/containerd/containerd/commit/1efd8b947393ce6911c13898ace01dd673e26633) ci: remove GOPROXY environment variable due to https://github.com/go-yaml/yaml/issues/887 * [release/1.6] Do not append []string{""} to command to preserve Docker compatibility ([#7298](https://github.com/containerd/containerd/pull/7298)) * [`0448673af`](https://github.com/containerd/containerd/commit/0448673af283588654f0197fefc33025cf371b6e) Do not append []string{""} to command to preserve Docker compatibility * [release 1.6 backport] Fix cleanup in critest ([#7274](https://github.com/containerd/containerd/pull/7274)) * [`5c230ece0`](https://github.com/containerd/containerd/commit/5c230ece0fa985fbc973d1e6dea743439ca2c527) Fix cleanup in critest * [release/1.6 backport] oci: WithDefaultUnixDevices(): remove tun/tap from the default devices ([#7268](https://github.com/containerd/containerd/pull/7268)) * [`ed9d3dc37`](https://github.com/containerd/containerd/commit/ed9d3dc37c7d1f3f4975faa6918d0d3d3056e753) oci: WithDefaultUnixDevices(): remove tun/tap from the default devices

Changes from containerd/continuity

28 commits

* go.mod: update dependencies (take 2) ([#204](https://github.com/containerd/continuity/pull/204)) * [`74a0169`](https://github.com/containerd/continuity/commit/74a016961cad4d635aeb6d4efb1bcc2268700d7a) go.mod: update dependencies (take 2) * Revert "go.mod: update dependencies" ([#205](https://github.com/containerd/continuity/pull/205)) * [`4ef02a2`](https://github.com/containerd/continuity/commit/4ef02a2f72d4ed5539010211e85cbe303eb192bd) Revert "go.mod: update dependencies" * [`e364868`](https://github.com/containerd/continuity/commit/e3648687add4203d03811191b4e5692f516d355b) go.mod: update dependencies * [`5df4731`](https://github.com/containerd/continuity/commit/5df4731d45253217b8fe4ebf823fffda8da5a7ae) cmd/continuity: remove FUSE for macOS * Various small fix-ups ([#202](https://github.com/containerd/continuity/pull/202)) * [`7fa1569`](https://github.com/containerd/continuity/commit/7fa1569efc4aa48f382a1c9ea565bcb62817f1b2) README: update badges and links * [`7917549`](https://github.com/containerd/continuity/commit/791754940833264651ac315318beb6998722731d) golangci-lint: replace "golint" with "revive" * [`de7fd6b`](https://github.com/containerd/continuity/commit/de7fd6b43f553b9b106ee818597404c2f408efc7) sysx: remove unused sysx/generate.sh script * [`e9ca807`](https://github.com/containerd/continuity/commit/e9ca807ed63bd76c91f56007883b62eea7d13dd0) fs: fix minor linting and gofmt issue * update authors and mailmap ([#201](https://github.com/containerd/continuity/pull/201)) * [`3df990d`](https://github.com/containerd/continuity/commit/3df990de70e9fdc47d0f27c38414bf0ee63ce9fa) update authors and mailmap * move cmd/continuity to its own go module ([#200](https://github.com/containerd/continuity/pull/200)) * [`9d49199`](https://github.com/containerd/continuity/commit/9d49199bde798d374a44dc1e522443c7ec7eb56e) move cmd/continuity to its own go module * [`5b38337`](https://github.com/containerd/continuity/commit/5b383371446465527de52c6880d4f5432327dcfb) remove version package * [`480f3bb`](https://github.com/containerd/continuity/commit/480f3bb0db8f1414e5190df5c30fcb94273e5dc7) move continuityfs -> cmd/continuity/continuityfs * [`071eff3`](https://github.com/containerd/continuity/commit/071eff3ae0a91e87e3985a862aa2f3445dd47314) move commands -> cmd/continuity/commands * [`840357f`](https://github.com/containerd/continuity/commit/840357fbaab4d0c486ce9656606d165d4d1c8839) go.mod: update logrus to v1.8.1 * CI: resolve Go path before sudoing ; Remove deprecated io/ioutil (except ioutil.ReadDir) ([#198](https://github.com/containerd/continuity/pull/198)) * [`9b78cc9`](https://github.com/containerd/continuity/commit/9b78cc9d2f5c55558269dfd6595a68c5ed383043) CI: resolve Go path before sudoing * [`d67721d`](https://github.com/containerd/continuity/commit/d67721dd765a1d31239c4a6459d3dfbeed088e5f) CI: modernize Go setup * [`5bf078f`](https://github.com/containerd/continuity/commit/5bf078f2f986072b65b2b1641f5abff8968c516f) Remove deprecated io/ioutil (except ioutil.ReadDir) * fs.CopyDir: support sockets and pipes ([#197](https://github.com/containerd/continuity/pull/197)) * [`ca52b93`](https://github.com/containerd/continuity/commit/ca52b934dd01ca5e16244bbe3643a5019360d11c) fs.CopyDir: support sockets and pipes * Fix wrapping errors ([#196](https://github.com/containerd/continuity/pull/196)) * [`def6729`](https://github.com/containerd/continuity/commit/def67296172f65f5827e5355efac79e0c1331a48) fs: fix wrapping nil err * [`b17bab4`](https://github.com/containerd/continuity/commit/b17bab433315a4936debf5c0c150d9f4e36d7088) fmt.Errorf: use %w, not %v to wrap errors

Dependency Changes

  • github.com/Microsoft/go-winio v0.5.1 -> v0.5.2
  • github.com/containerd/continuity v0.2.2 -> v0.3.0
  • golang.org/x/crypto 32db794688a5 -> 3147a52a75dd
  • golang.org/x/net fe4d6282115f -> a158d28d115b
  • golang.org/x/sys 33da011f77ad -> 8c9f86f7a55f
  • golang.org/x/term 6886f2dfbf5b -> 03fcf44c2211
  • google.golang.org/grpc v1.43.0 -> v1.47.0
  • google.golang.org/protobuf v1.27.1 -> v1.28.0
  • gopkg.in/yaml.v3 496545a6307b -> v3.0.1
  • k8s.io/cri-api v0.23.1 -> v0.25.0

Previous release can be found at v1.6.8

Details

date
Oct. 24, 2022, 5:46 p.m.
name
containerd 1.6.9
type
Patch
official page
https://github.com/containerd/containerd/releases/tag/v1.6.9
👇
Register or login to:
  • 🔍View and search all Containerd releases.
  • 🛠️Create and share lists to track your tools.
  • 🚨Setup notifications for major, security, feature or patch updates.
  • 🚀Much more coming soon!
Continue with GitHub
Continue with Google
or