chore(deps): update module github.com/containerd/containerd to v1.6.26 [security] (release-1.12) - autoclosed #260

@renovate renovate bot commented Jan 5, 2024

This PR contains the following updates:

| Package | Change |
|---|---|
| github.com/containerd/containerd | v1.6.18 -> v1.6.26 |

containerd allows RAPL to be accessible to a container

GHSA-7ww5-4wqc-m92c / GO-2023-2412

Details

/sys/devices/virtual/powercap accessible by default to containers

Intel's RAPL (Running Average Power Limit) feature, introduced by the Sandy Bridge microarchitecture, provides software insights into hardware energy consumption. To facilitate this, Intel introduced the powercap framework in Linux kernel 3.13, which reads values via relevant MSRs (model specific registers) and provides unprivileged userspace access via sysfs. As RAPL is an interface to access a hardware feature, it is only available when running on bare metal with the module compiled into the kernel.

By 2019, it was realized that in some cases unprivileged access to RAPL readings could be exploited as a power-based side-channel against security features including AES-NI (potentially inside a SGX enclave) and KASLR (kernel address space layout randomization). Also known as the PLATYPUS attack, Intel assigned CVE-2020-8694 and CVE-2020-8695, and AMD assigned CVE-2020-12912.

Several mitigations were applied; Intel reduced the sampling resolution via a microcode update, and the Linux kernel prevents access by non-root users since 5.10. However, this kernel-based mitigation does not apply to many container-based scenarios:

  • Unless using user namespaces, root inside a container has the same level of privilege as root outside the container, but with a slightly more narrow view of the system
  • sysfs is mounted inside containers read-only; however only read access is needed to carry out this attack on an unpatched CPU

While this is not a direct vulnerability in container runtimes, defense in depth and safe defaults are valuable and preferred, especially as this poses a risk to multi-tenant container environments. This is provided by masking /sys/devices/virtual/powercap in the default mount configuration, and adding an additional set of rules to deny it in the default AppArmor profile.

While sysfs is not the only way to read from the RAPL subsystem, other ways of accessing it require additional capabilities such as CAP_SYS_RAWIO which is not available to containers by default, or perf paranoia level less than 1, which is a non-default kernel tunable.

References

Severity

Moderate

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


RAPL accessibility in github.com/containerd/containerd

GHSA-7ww5-4wqc-m92c / GO-2023-2412

Details

RAPL accessibility in github.com/containerd/containerd

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Release Notes

containerd/containerd (github.com/containerd/containerd)

v1.6.26: containerd 1.6.26

Compare Source

Welcome to the v1.6.26 release of containerd!

The twenty-sixth patch release for containerd 1.6 contains various fixes and updates.

Notable Updates
  • Fix windows default path overwrite issue (#​9441)
  • Update push to inherit distribution sources from parent (#​9453)
  • Mask /sys/devices/virtual/powercap path in runtime spec and deny in default apparmor profile (GHSA-7ww5-4wqc-m92c)
Deprecation Warnings
  • Emit deprecation warning for AUFS snapshotter usage (#​9448)
  • Emit deprecation warning for v1 runtime usage (#​9468)
  • Emit deprecation warning for CRI v1alpha1 usage (#​9468)

See the changelog for complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors
  • Samuel Karp
  • Derek McGowan
  • Kohei Tokunaga
  • Phil Estes
  • Bjorn Neergaard
  • Sebastiaan van Stijn
  • Brian Goff
  • Charity Kathure
  • Kazuyoshi Kato
  • Milas Bowman
  • Wei Fu
  • ruiwen-zhao
Changes
30 commits

  • [release/1.6] Prepare release notes for v1.6.26 (#​9490)
    • ac5c5d3e0 Prepare release notes for v1.6.26
  • Github Security Advisory GHSA-7ww5-4wqc-m92c
    • 02f07fe19 contrib/apparmor: deny /sys/devices/virtual/powercap
    • c94577e78 oci/spec: deny /sys/devices/virtual/powercap
  • [release/1.6] update to go1.20.12, test go1.21.5 (#​9472)
    • 7cbdfc92e update to go1.20.12, test go1.21.5
    • 024b1cce6 update to go1.20.11, test go1.21.4
  • [release/1.6] Add cri-api v1alpha2 usage warning to all api calls (#​9484)
    • 64e56bfde Add cri-api v1alpha2 usage warning to all api calls
  • [release/1.6] tasks: emit warning for v1 runtime and runc v1 runtime (#​9468)
    • efefd3bf3 tasks: emit warning for runc v1 runtime
    • 7825689b4 tasks: emit warning for v1 runtime
  • [release/1.6] snapshots: emit deprecation warning for aufs (#​9448)
    • 7cfe7052f snapshots: emit deprecation warning for aufs
  • [release/1.6] cherry-pick/backport: Update golangci lint (#​9455)
    • a1ae572a2 Fix linter error with updated linter
    • b638791d6 ci: bump up golangci-lint to v1.55.0
    • 2370a2842 Fix linter issues for golangci-lint 1.54.2
    • 8a65e2e31 Bump up golangci-lint to v1.54.2
    • 969f8feb2 Bump up golangci-lint to v1.52.2
  • [release/1.6] push: inherit distribution sources from parent (#​9453)
    • 66959fdf5 push: inherit distribution sources from parent
    • b4dcffcfb content: add InfoProvider interface
    • bef4145c1 Change PushContent to require only Provider
  • [release/1.6] Bump google.golang.org/grpc to v1.58.3 (#​9408)
    • a5fc21060 vendor: google.golang.org/grpc v1.58.3
    • 4fa05b3d8 Upgrade github.com/klauspost/compress from v1.11.13 to v1.15.9
  • [release/1.6] Windows default path overwrite fix (#​9441)
    • ede0ad5e1 Fix windows default path overwrite issue

Dependency Changes
  • cloud.google.com/go/compute/metadata v0.2.3 new
  • github.com/cespare/xxhash/v2 v2.1.2 -> v2.2.0
  • github.com/golang/protobuf v1.5.2 -> v1.5.3
  • github.com/klauspost/compress v1.11.13 -> v1.15.9
  • go.opencensus.io v0.23.0 -> v0.24.0
  • golang.org/x/oauth2 2bc19b1 -> v0.10.0
  • golang.org/x/sync v0.1.0 -> v0.3.0
  • google.golang.org/grpc v1.50.1 -> v1.58.3
  • google.golang.org/protobuf v1.28.1 -> v1.31.0

Previous release can be found at v1.6.25

v1.6.25: containerd 1.6.25

Compare Source

Welcome to the v1.6.25 release of containerd!

The twenty-fifth patch release for containerd 1.6 contains various fixes and updates.

Notable Updates
  • Check whether content did not needs to be pushed to remote registry and cross-repo mounted or already existed (#​9111)
  • Soft deprecate log package (#​9105)
  • Always try to establish tls connection when tls configured (#​9189)
  • CRI: stop recommending disable_cgroup (#​9169)
  • Allow for images with artifacts layers to pull (#​9150)
  • Require plugins to succeed after registering readiness (#​9166)
  • Avoid potential deadlock in create handler in containerd-shim-runc-v2 (#​9210)
  • Add handling for missing basic auth credentials (#​9236)
  • Add a new image label if it is docker schema 1 (#​9267)
  • Fix ambiguous tls fallback (#​9300)
  • Expose usage of deprecated features (#​9329)
  • Fix shimv1 leak issue (#​9345)
  • Go version update to 1.20.10 (#​9264)
  • Update runc to v1.1.10 (#​9360)
  • CRI: fix using the pinned label to pin image (#​9382)

See the changelog for complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors
  • Samuel Karp
  • Derek McGowan
  • Sebastiaan van Stijn
  • Phil Estes
  • Wei Fu
  • Kazuyoshi Kato
  • Akhil Mohan
  • Akihiro Suda
  • Chen Yiyang
  • Fabian Hoffmann
  • Iceber Gu
  • Mike Brown
  • Paweł Gronowski
  • Austin Vazquez
  • Fahed Dorgaa
  • James Sturtevant
  • Kern Walster
  • Marat Radchenko
  • Qiutong Song
  • Tony Fouchard
  • ruiwen-zhao
Changes
82 commits

  • [release/1.6] Prepare release notes for v1.6.25 (#​9394)
  • [release/1.6] cri: fix using the pinned label to pin image (#​9382)
    • b49815300 cri: fix update of pinned label for images
    • 751b0c186 cri: fix using the pinned label to pin image
  • [Release/1.6] vendor: golang.org/x/net v0.17.0 (#​9387)
  • [Release/1.6] CVE-2022-1996 fix for go-restful (#​9385)
  • [release/1.6] Enhance container image unpack client logs (#​9380)
    • 3e68bf65a Enhance container image unpack client logs
  • [release/1.6] update github.com/containerd/nri v0.1.1 (#​9107)
    • 0dd65c826 [release/1.6] update github.com/containerd/nri v0.1.1
  • [release/1.6 backport] update runc binary to v1.1.10 (#​9360)
  • [release/1.6] Expose usage of cri-api v1alpha2 (#​9357)
  • [release/1.6] fix: shimv1 leak issue (#​9345)
  • [release/1.6] update to go1.20.10, test go1.21.3 (#​9264)
    • 6741f819b [release/1.6] update to go1.20.10, test go1.21.3
    • 49615a0e9 [release/1.6] update to go1.20.9, test go1.21.2
  • [release/1.6] cri: add deprecation warnings for mirrors, auths, and configs (#​9355)
    • b68204e53 cri: add deprecation warning for configs
    • ae8c58319 cri: add deprecation warning for auths
    • 455edcad2 cri: add deprecation warning for mirrors
    • 878823f4d cri: add ability to emit deprecation warnings
  • [release/1.6] deprecation: new package for deprecations (#​9329)
    • 477b7d6a1 ctr: new deprecations command
    • 24068b813 dynamic: record deprecation for dynamic plugins
    • 218c7a1df server: add ability to record config deprecations
    • dfb9e1deb pull: record deprecation warning for schema 1
    • 90b42da6f introspection: add support for deprecations
    • 0b6766b37 api/introspection: deprecation warnings in server
    • de3cb4c18 warning: new service for deprecations
    • da1b4419b deprecation: new package for deprecations
  • [release/1.6] integration: deflake TestIssue9103 (#​9353)
    • bca8a3f65 integration: deflake TestIssue9103
  • [release/1.6] ci: Use Vagrant on ubuntu-latest-4-cores (#​9332)
    • 0985f7a43 ci: Use Vagrant on ubuntu-latest-4-cores
  • [release/1.6] Fix ambiguous tls fallback (#​9300)
    • 5dd64301c Check scheme and host of request on push redirect
    • 51df21d09 Avoid TLS fallback when protocol is not ambiguous
  • [release/1.6] Add a new image label if it is docker schema 1 (#​9267)
    • 8108f0d03 Add a new image label if it is docker schema 1
  • [release/1.6 backport] fix protobuf aarch64 (#​9284)
  • [release/1.6] remotes: add handling for missing basic auth credentials (#​9236)
    • e529741d3 remotes: add handling for missing basic auth credentials
    • ca45b92f4 Add ErrUnexpectedStatus to resolver
    • 77c0175b4 Improve ErrUnexpectedStatus default string
  • [release/1.6] Update x/net to 0.13 (#​9130)
  • [release/1.6] Require plugins to succeed after registering readiness (#​9166)
    • 5223bf39a Require plugins to succeed after registering readiness
    • 8f5eba314 cri: call RegisterReadiness after NewCRIService
  • [release/1.6 backport] containerd-shim-runc-v2: avoid potential deadlock in create handler (#​9210)
    • 7b61862e7 *: add runc-fp as runc wrapper to inject failpoint
    • 5238a6470 containerd-shim-runc-v2: avoid potential deadlock in create handler
    • 65e908ee1 containerd-shim-runc-v2: remove unnecessary s.getContainer()
    • 1dd9acecb Uncopypaste parsing of OCI Bundle spec file
    • 71c89ddf2 [release/1.6]: Vagrantfile: install failpoint binaries
  • [release/1.6] cri: stop recommending disable_cgroup (#​9169)
    • 7a0c8b6b7 cri: stop recommending disable_cgroup
  • [release/1.6] Allow for images with artifacts to pull (#​9150)
    • 8066dd81c Allow for images with artifacts to pull
  • [release 1.6] remotes/docker: Fix MountedFrom prefixed with target repository (#​9192)
    • 2fffc344a remotes/docker: Fix MountedFrom prefixed with target repository
  • [release/1.6] remotes: always try to establish tls connection when tls configured (#​9189)
    • 6b5912220 remotes: always try to establish tls connection when tls configured
  • [release/1.6] Build binaries with 1.21.1 (#​9180)
  • [release/1.6 backport] alias log package to github.com/containerd/log v0.1.0 (#​9105)
    • f1591cc9b alias log package to github.com/containerd/log v0.1.0
    • f68d2d93b vendor: golang.org/x/sys v0.7.0
    • f305fb233 vendor: github.com/stretchr/testify v1.8.4
    • 4e24a30af vendor: github.com/sirupsen/logrus v1.9.3
  • [release/1.6] remotes/docker: Add MountedFrom and Exists push status (#​9111)
    • b66c818ba remotes/docker: Add MountedFrom and Exists push status

Changes from containerd/log
9 commits

Changes from containerd/nri
3 commits

  • [release/0.1 backport] remove containerd as dependency (#​58)
    • 4275101 Task: fix typo in godoc
    • f6acbf1 remove containerd as dependency

Dependency Changes
  • github.com/containerd/log v0.1.0 new
  • github.com/containerd/nri v0.1.0 -> v0.1.1
  • github.com/emicklei/go-restful v2.9.5 -> v2.16.0
  • github.com/sirupsen/logrus v1.9.0 -> v1.9.3
  • github.com/stretchr/testify v1.8.1 -> v1.8.4
  • golang.org/x/crypto 3147a52 -> v0.14.0
  • golang.org/x/net v0.8.0 -> v0.17.0
  • golang.org/x/sys v0.6.0 -> v0.13.0
  • golang.org/x/term v0.6.0 -> v0.13.0
  • golang.org/x/text v0.8.0 -> v0.13.0

Previous release can be found at v1.6.24

v1.6.24: containerd 1.6.24

Compare Source

Welcome to the v1.6.24 release of containerd!

The twenty-fourth patch release for containerd 1.6 contains various fixes and updates.

Notable Updates
  • CRI: fix leaked shim caused by high IO pressure (#​9004)
  • Update to go1.20.8 (#​9073)
  • Update runc to v1.1.9 (#​8966)
  • Backport: add configurable mount options to overlay snapshotter (#​8961)
  • log: cleanups and improvements to decouple more from logrus (#​9002)

See the changelog for complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors
  • Sebastiaan van Stijn
  • Akihiro Suda
  • Wei Fu
  • Derek McGowan
  • Akhil Mohan
  • Cardy.Tang
  • Danny Canter
  • Kazuyoshi Kato
  • Mike Brown
  • Phil Estes
  • Samuel Karp
Changes
45 commits

  • [release/1.6] Prepare release notes for v1.6.24 (#​9087)
    • cdd59290d Prepare release notes for v1.6.24
  • [release/1.6 backport] log: cleanups and improvements to decouple more from logrus (#​9002)
    • 33c2d88e7 Revert "log: define G() as a function instead of a variable"
    • 0a7f2975e log: swap logrus functions with their equivalent on default logger
    • 9d175a19b log: add package documentation and summary of package's purpose
    • 96fb65529 log: make Fields type a generic map[string]any
    • bace17e2e log: add log.Entry type
    • dd127885f log: define OutputFormat type
    • 5b4cf2329 log: define G() as a function instead of a variable
    • ee1b4a1e2 log: add all log-levels that are accepted
    • d563a411f log: group "enum" consts and touch-up docs
    • 6e8f4555b log: WithLogger: remove redundant intermediate var
    • c19325559 log: SetFormat: include returns in switch
    • c3c22f8cb log: remove gotest.tools dependency
  • [release/1.6] update to go1.20.8 (#​9073)
  • [release/1.6 backport] make repositories of install dependencies configurable (#​9024)
    • 0da8dcaa7 make repositories of install dependencies configurable
  • [release/1.6 backport] update Golang to go1.20.7, minimum version go1.19 (#​9020)
    • 8e6a9de5b update to go1.20.7, go1.19.12
    • 8b2eb371f Update Go to 1.20.6,1.19.11
    • cff669c7a update go to go1.20.5, go1.19.10
    • f34a22de9 update go to go1.20.4, go1.19.9
    • e8e73065e update go to go1.20.3, go1.19.8
    • 9b3f950d6 Go 1.20.2
    • 17d03ac68 Go 1.20.1
    • 861f65447 go.mod: go 1.19
    • 81fa93784 Stop using math/rand.Read and rand.Seed (deprecated in Go 1.20)
    • 70dc11a6c lint: remove //nolint:dupword that are no longer needed
    • fec784a06 lint: silence "SA1019: tar.TypeRegA has been deprecated... (staticheck)"
    • 6648df1ad lint: silence "type HostFileConfig is unused (unused)"
    • e6b268bc7 golangci-lint v1.51.1
    • c552ccf67 go.mod: golang.org/x/sync v0.1.0
  • [releases/1.6] *: fix leaked shim caused by high IO pressure (#​9004)
    • d00af5c3e integration: issue7496 case should work for runc.v2 only
    • 583696e4e Vagrantfile: add strace tool
    • ab21d60d2 pkg/cri/server: add criService as argument when handle exit event
    • a229883cb pkg/cri/server: fix leaked shim issue
    • d8f824200 integration: add case to reproduce #​7496
  • [release/1.6] Cherry-pick: [overlay] add configurable mount options to overlay snapshotter (#​8961)
    • 8cd40e1d0 Add configurable mount options to overlay
    • 453fa397a feat: make overlay sync removal configurable
  • [release/1.6 backport] update runc binary to v1.1.9 (#​8966)

Dependency Changes
  • golang.org/x/sync 036812b -> v0.1.0

Previous release can be found at v1.6.23

v1.6.23: containerd 1.6.23

Compare Source

Welcome to the v1.6.23 release of containerd!

The twenty-third patch release for containerd 1.6 contains various fixes and updates.

Notable Updates
  • Add stable ABI support in windows platform matcher + update hcsshim tag (#​8854)
  • cri: Don't use rel path for image volumes (#​8927)
  • Upgrade GitHub actions packages in release workflow (#​8908)
  • update to go1.19.12 (#​8905)
  • backport: ro option for userxattr mount check + cherry-pick: Fix ro mount option being passed (#​8888)

See the changelog for complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors
  • Kirtana Ashok
  • Maksym Pavlenko
  • Austin Vazquez
  • Ben Foster
  • Derek McGowan
  • Mike Brown
  • Phil Estes
  • Rodrigo Campos
  • Sebastiaan van Stijn
  • Wei Fu
Changes
13 commits

  • [release/1.6] Add release notes for v1.6.23 (#​8939)
  • [release/1.6] Add stable ABI support in windows platform matcher + update hcsshim tag (#​8854)
    • f51bf1960 Add support for stable ABI windows versions
    • 43a02c0b2 Update hcsshim tag to v0.9.10
  • [release/1.6] cri: Don't use rel path for image volumes (#​8927)
    • cc5b0a21b cri: Don't use rel path for image volumes
  • [release/1.6 backport] Upgrade GitHub actions packages in release workflow (#​8908)
    • 4238cff1c Upgrade GitHub actions packages in release workflow
  • [release/1.6] update to go1.19.12 (#​8905)
  • [release/1.6] backport: ro option for userxattr mount check + cherry-pick: Fix ro mount option being passed (#​8888)

Dependency Changes
  • github.com/Microsoft/hcsshim v0.9.8 -> v0.9.10

Previous release can be found at v1.6.22

v1.6.22: containerd 1.6.22

Compare Source

Welcome to the v1.6.22 release of containerd!

The twenty-second patch release for containerd 1.6 contains various fixes and updates.

Notable Updates
  • RunC: Update runc binary to v1.1.8 (#​8842)
  • CRI: Fix additionalGids: it should fallback to imageConfig.User when securityContext.RunAsUser,RunAsUsername are empty (#​8823)
  • CRI: Write generated CNI config atomically (#​8826)
  • Fix concurrent writes for UpdateContainerStats (#​8819)
  • Make checkContainerTimestamps less strict on Windows (#​8827)
  • Port-Forward: Correctly handle known errors (#​8805)
  • Resolve docker.NewResolver race condition (#​8800)
  • SecComp: Always allow name_to_handle_at (#​8754)
  • Adding support to run hcsshim from local clone (#​8713)
  • Pinned image support (#​8720)
  • Runtime/V2/RunC: Handle early exits w/o big locks (#​8695)
  • CRITool: Move up to CRI-TOOLS v1.27.0 (#​7997)
  • Fix cpu architecture detection issue on emulated ARM platform (#​8533)
  • Task: Don't close() io before cancel() (#​8659)
  • Fix panic when remote differ returns empty result (#​8640)
  • Plugins: Notify readiness when registered plugins are ready (#​8583)
  • Unwrap io errors in server connection receive error handling (ttrpc#143)

See the changelog for complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors
  • Akihiro Suda
  • Phil Estes
  • Sebastiaan van Stijn
  • Derek McGowan
  • Wei Fu
  • Kazuyoshi Kato
  • Austin Vazquez
  • Samuel Karp
  • dependabot[bot]
  • Jin Dong
  • Maksym Pavlenko
  • Mike Brown
  • Shingo Omura
  • Akhil Mohan
  • Bjorn Neergaard
  • Laura Brehm
  • Tony Fang
  • Aditi Sharma
  • Andrey Epifanov
  • Benjamin Wang
  • Brian Goff
  • Cory Snider
  • Daniel Canter
  • Daniel Lenar
  • Henry Wang
  • Luca Comellini
  • Madhav Jivrajani
  • Mahamed Ali
  • Mohit Sharma
  • Oliver Radwell
  • Priyanka Saggu
  • Qasim Sarfraz
  • Takumasa Sakao
  • wangxiang
  • zounengren
Changes
95 commits

  • [release/1.6] Prepare release notes for v1.6.22 (#​8863)
    • 0770a4601 [release/1.6] Add release notes for v1.6.22
  • [release/1.6] migrate to community owned bucket for node e2e tests (#​8876)
    • 512a672af migrate to community owned bucket
  • [release/1.6] cri: memory.memsw.limit_in_bytes: no such file or directory (#​8870)
    • b585ff155 cri: memory.memsw.limit_in_bytes: no such file or directory
  • [release/1.6] Update go-restful to v3.10.1 (#​8412)
    • a322077bf go.mod: github.com/emicklei/go-restful/v3 v3.10.1
  • [release/1.6 backport] update runc binary to v1.1.8 (#​8842)
  • [release/1.6 backport] ci: remove libseccomp-dev installation for nightly (#​8773)
    • 6e2bcb6dd ci: remove libseccomp-dev installation for nightly
  • [release/1.6 backport] [CRI] fix additionalGids: it should fallback to imageConfig.User when securityContext.RunAsUser,RunAsUsername are empty (#​8823)
    • cd06f23af capture desc variable in range variable just in case that it run in parallel mode
    • 30f5c6a1f Use t.TempDir instead of os.MkdirTemp
    • 59d8363ef fix userstr for dditionalGids on Linux
  • [release/1.6 backport] cri: write generated CNI config atomically (#​8826)
    • d75bf78c2 ctr: update WritePidFile to use atomicfile
    • 5f70b23c1 shim: WritePidFile & WriteAddress use atomicfile
    • 505d444b0 cri: write generated CNI config atomically on Unix
    • b2d2d3829 atomicfile: new package for atomic file writes
  • [release/1.6 backport] Fix concurrent writes for UpdateContainerStats (#​8819)
    • 9f650143f Fix concurrent writes for UpdateContainerStats
  • [release/1.6 backport] Make checkContainerTimestamps less strict on Windows (#​8827)
    • 568ce91ca Make checkContainerTimestamps less strict on Windows
  • [release/1.6 backport] dependency: bump go.etcd.io/bbolt to v1.3.7 (#​8817)
    • d2f47192a dependency: bump go.etcd.io/bbolt to v1.3.7
    • fb56dc245 [release/1.6] vendor: github.com/stretchr/testify v1.8.1
  • [release/1.6 backport] Move logrus setup code to log package (#​8832)
    • 7fbd5dc89 Move logrus setup code to log package
  • [release/1.6 backport] release: Add "cri-containerd.DEPRECATED.txt" in the deprecated cri-containerd-* bundles (#​8820)
    • 59a143670 release: Add "cri-containerd.DEPRECATED.txt" in the deprecated cri-containerd-* bundles
  • [release/1.6 backport] Use version 2 configuration format in docs (#​8821)
    • 5b51b79e2 [release/1.6] fix remaining "v1 config" plugin IDs
    • b7cf26d8d docs: Fix sample config.toml syntax
    • fcdaf0966 docs: migrate config v1 to v2
    • 728d5c5f0 Use version 2 config and mention containerd config command
  • [release/1.6] update go to go1.19.11 (#​8816)
    • 81aa14718 [release/1.6] update go to go1.19.11
  • [release/1.6] update go to go1.19.10 (#​8715)
    • 17cd86629 [release/1.6] update go to go1.19.10
  • [release/1.6 backport] bugfix(port-forward): Correctly handle known errors (#​8805)
    • fdb65f214 bugfix(port-forward): Correctly handle known errors
  • [release/1.6] Resolve docker.NewResolver race condition (#​8800)
    • b5784af66 Change http.Header copy to builtin Clone
    • 31c466f82 Resolve docker.NewResolver race condition
  • [release/1.6 backport] vendor: github.com/containerd/zfs v1.1.0 (#​8781)
    • be6406ca6 vendor: github.com/containerd/zfs v1.1.0
    • 9f1260074 [release/1.6] vendor gotest.tools/v3 v3.5.0
    • 526e9e0ce Bump grpc to v1.50.1
    • 0e7d2d121 go.mod: github.com/sirupsen/logrus v1.9.0
    • 5b153c621 go.mod: github.com/moby/sys/mountinfo v0.6.2
    • 9dee60960 go.mod: github.com/moby/sys/mountinfo v0.6.0
  • [release/1.6 backport] seccomp: always allow name_to_handle_at (#​8754)
    • 07ea7b9e7 seccomp: always allow name_to_handle_at
  • [release/1.6 backport] Update ginkgo to match cri-tools' version (#​8759)
    • 1dae51fed Update ginkgo to match cri-tools' version
  • [release/1.6 backport] integration/client: add timeout to TestShimOOMScore (#​8749)
    • bd76ab978 integration/client: add timeout to TestShimOOMScore
  • [release/1.6 backport] Adding support to run hcsshim from local clone (#​8713)
    • 8e14eccb2 Adding support to run hcsshim from local clone
  • [1.6] Add Fields type alias to log package (#​8739)
    • 9f2cdd589 Add Fields type alias to log package
  • [release/1.6] Pinned image support (#​8720)
  • [release/1.6 backport] runtime/v2/runc: handle early exits w/o big locks (#​8695)
    • dbeec47b4 runtime/v2/runc: handle early exits w/o big locks
  • [release/1.6 backport] move up to CRI-TOOLS v1.27.0 (#​7997)
  • [release/1.6] cherry-pick: No more nondistributable layers in MS registry (#​8691)
    • 712ff8eb3 No more nondistributable layers in MS registry
  • [release/1.6] Fix cpu architecture detection issue on emulated ARM platform (#​8533)
    • 2b16e4bfa Add unit test to function GetCPUVariantFromArch
    • 106e36ec3 Use uname machine field to get CPU variant if fails at /proc/cpuinfo
  • [release/1.6] Update lint timeout (#​8679)
    • 287fdfea6 Update linter timeout to match main branch
  • [release/1.6 backport] task: don't close() io before cancel() (#​8659)
    • b27f7daa5 task: don't close() io before cancel()
  • [release/1.6] update test box to fedora 37 (#​8660)
  • [release/1.6] Revert "Downgrade MinGW to version 10.2.0" (#​8668)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.
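
The advisory quoted in this PR describes the fix as masking /sys/devices/virtual/powercap in the default mount configuration. The following is an added example, not code from containerd or Renovate: it audits an OCI runtime `config.json` for that mask, for a user namespace, and for CAP_SYS_RAWIO. The type and function names and both sample specs are constructed for illustration, and the AppArmor half of the fix is not covered.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"strings"
)

// Path masked by the fix described in the advisory.
const powercapPath = "/sys/devices/virtual/powercap"

// ociSpec holds only the OCI runtime-spec fields this check reads.
type ociSpec struct {
	Process struct {
		Capabilities struct {
			Bounding  []string `json:"bounding"`
			Effective []string `json:"effective"`
		} `json:"capabilities"`
	} `json:"process"`
	Linux struct {
		MaskedPaths []string `json:"maskedPaths"`
		Namespaces  []struct {
			Type string `json:"type"`
		} `json:"namespaces"`
	} `json:"linux"`
}

// Finding is the audit result for one container spec (hypothetical type).
type Finding struct {
	PowercapMasked bool // powercap or a parent directory is in maskedPaths
	UserNamespace  bool // the container gets its own user namespace
	RawIO          bool // CAP_SYS_RAWIO is in the bounding or effective set
}

// covers reports whether masking `masked` also hides `target`. Matching is
// per path component, so ".../power" does not cover ".../powercap".
func covers(masked, target string) bool {
	m := path.Clean(masked)
	return m == target || (m != "/" && strings.HasPrefix(target, m+"/"))
}

func contains(list []string, want string) bool {
	for _, s := range list {
		if s == want {
			return true
		}
	}
	return false
}

// AuditSpec parses a config.json and records the conditions the advisory names.
func AuditSpec(configJSON []byte) (Finding, error) {
	var spec ociSpec
	if err := json.Unmarshal(configJSON, &spec); err != nil {
		return Finding{}, fmt.Errorf("parse OCI spec: %w", err)
	}
	var f Finding
	for _, p := range spec.Linux.MaskedPaths {
		f.PowercapMasked = f.PowercapMasked || covers(p, powercapPath)
	}
	for _, ns := range spec.Linux.Namespaces {
		f.UserNamespace = f.UserNamespace || ns.Type == "user"
	}
	caps := spec.Process.Capabilities
	f.RawIO = contains(caps.Bounding, "CAP_SYS_RAWIO") || contains(caps.Effective, "CAP_SYS_RAWIO")
	return f, nil
}

// Warnings turns a Finding into review items.
func (f Finding) Warnings() []string {
	var w []string
	if !f.PowercapMasked && !f.UserNamespace {
		w = append(w, powercapPath+" not masked and no user namespace: container root is host root")
	} else if !f.PowercapMasked {
		w = append(w, powercapPath+" not masked: protection rests on the kernel's root-only restriction")
	}
	if f.RawIO {
		w = append(w, "CAP_SYS_RAWIO granted: a non-sysfs route to RAPL is open")
	}
	return w
}

// Constructed sample specs: one without the mask, one with it.
const unmaskedSpec = `{"process":{"capabilities":{"bounding":["CAP_CHOWN","CAP_SYS_RAWIO"],"effective":["CAP_CHOWN"]}},
 "linux":{"maskedPaths":["/proc/kcore","/sys/firmware"],"namespaces":[{"type":"pid"},{"type":"mount"}]}}`
const maskedSpec = `{"process":{"capabilities":{"bounding":["CAP_CHOWN"],"effective":["CAP_CHOWN"]}},
 "linux":{"maskedPaths":["/proc/kcore","/sys/firmware","/sys/devices/virtual/powercap"],"namespaces":[{"type":"pid"},{"type":"mount"}]}}`

func main() {
	for name, spec := range map[string]string{"unmasked": unmaskedSpec, "masked": maskedSpec} {
		f, err := AuditSpec([]byte(spec))
		fmt.Println(name, f, f.Warnings(), err)
	}
}
```
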

@renovate renovate bot added the automated label Jan 5, 2024
@renovate renovate bot changed the title chore(deps): update module github.com/containerd/containerd to v1.6.26 [security] (release-1.12) chore(deps): update module github.com/containerd/containerd to v1.6.26 [security] (release-1.12) - autoclosed Jan 7, 2024
@renovate renovate bot closed this Jan 7, 2024
@renovate renovate bot deleted the renovate/release-1.12-go-github.com/containerd/containerd-vulnerability branch January 7, 2024 14:24
@renovate renovate bot restored the renovate/release-1.12-go-github.com/containerd/containerd-vulnerability branch January 9, 2024 14:23
@renovate renovate bot changed the title chore(deps): update module github.com/containerd/containerd to v1.6.26 [security] (release-1.12) - autoclosed chore(deps): update module github.com/containerd/containerd to v1.6.26 [security] (release-1.12) Jan 9, 2024
@renovate renovate bot reopened this Jan 9, 2024
@renovate renovate bot force-pushed the renovate/release-1.12-go-github.com/containerd/containerd-vulnerability branch from 7ea6215 to e9c6ee4 Compare January 9, 2024 14:24
@renovate renovate bot changed the title chore(deps): update module github.com/containerd/containerd to v1.6.26 [security] (release-1.12) chore(deps): update module github.com/containerd/containerd to v1.6.26 [security] (release-1.12) - autoclosed Jan 9, 2024
@renovate renovate bot closed this Jan 9, 2024
@renovate renovate bot deleted the renovate/release-1.12-go-github.com/containerd/containerd-vulnerability branch January 9, 2024 14:27
@renovate renovate bot changed the title chore(deps): update module github.com/containerd/containerd to v1.6.26 [security] (release-1.12) - autoclosed chore(deps): update module github.com/containerd/containerd to v1.6.26 [security] (release-1.12) Jan 16, 2024
@renovate renovate bot reopened this Jan 16, 2024
@renovate renovate bot restored the renovate/release-1.12-go-github.com/containerd/containerd-vulnerability branch January 16, 2024 13:17
@renovate renovate bot force-pushed the renovate/release-1.12-go-github.com/containerd/containerd-vulnerability branch from e9c6ee4 to 4e5b654 Compare January 16, 2024 13:18
@renovate renovate bot changed the title chore(deps): update module github.com/containerd/containerd to v1.6.26 [security] (release-1.12) chore(deps): update module github.com/containerd/containerd to v1.6.26 [security] (release-1.12) - autoclosed Jan 17, 2024
@renovate renovate bot closed this Jan 17, 2024
@renovate renovate bot deleted the renovate/release-1.12-go-github.com/containerd/containerd-vulnerability branch January 17, 2024 02:43