containerd 1.5.9

Welcome to the v1.5.9 release of containerd!

The ninth patch release for containerd 1.5 is a security release to fix CVE-2021-43816.

Notable Updates

• Fix unprivileged pod using 'hostPath' bypassing SELinux labels (GHSA-mvff-h3cj-wj9c)
• Fix setting the "container_kvm_t" SELinux label (#6381)

See the changelog for complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Sebastiaan van Stijn
• Michael Crosby
• Phil Estes
• Akihiro Suda
• Fabiano Fidêncio
• Samuel Karp
• Wei Fu

Changes

13 commits

• Github Security Advisory GHSA-mvff-h3cj-wj9c
  • e4b62aaa5 Prepare release notes for v1.5.9
  • a41213fed only relabel cri managed host mounts
• [release/1.5] seutil: Fix setting the "container_kvm_t" label (#6381)
  • da5749b67 seutil: Fix setting the "container_kvm_t" label
• [release/1.5] Update Go to 1.16.12 (#6367)
  • 8c24a6199 [release/1.5] Update Go to 1.16.12
• [release/1.5] go.mod github.com/opencontainers/image-spec v1.0.2 (#6264)
  • 7ab52528b [release/1.5] go.mod github.com/opencontainers/image-spec v1.0.2
• [release/1.5] update runc binary to v1.0.3 (#6343)
  • 16b5aa2c8 update runc binary to v1.0.3
• [release/1.5] Update Go to 1.16.11 (#6334)
  • 3ff8be2d9 [release/1.5] Update Go to 1.16.11

Dependency Changes

• github.com/opencontainers/image-spec v1.0.1 -> v1.0.2

Previous release can be found at v1.5.8

containerd 1.5.8

Welcome to the v1.5.8 release of containerd!

The eighth patch release for containerd 1.5 contains a mitigation for CVE-2021-41190
as well as several fixes and updates.

Notable Updates

• Handle ambiguous OCI manifest parsing (GHSA-5j5w-g665-5m35)
• Filter selinux xattr for image volumes in CRI plugin (#5104)
• Use DeactiveLayer to unlock layers that cannot be renamed in Windows snapshotter (#5422)
• Fix pull failure on unexpected EOF (#5921)
• Close task IO before waiting on delete (#5974)
• Log a warning for ignored invalid image labels rather than erroring (#6124)
• Update pull to handle of non-https urls in descriptors (#6221)

See the changelog for complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Phil Estes
• Sebastiaan van Stijn
• Derek McGowan
• Kazuyoshi Kato
• Wei Fu
• Akihiro Suda
• Daniel Canter
• Kevin Parsons
• Kohei Tokunaga
• Samuel Karp
• Claudiu Belu
• Jacob Blain Christen
• Maksym Pavlenko
• Mike Brown
• Paul "TBBle" Hampson
• Sambhav Kothari
• zounengren

Changes

29 commits

• [release/1.5] Prepare release notes for v1.5.8 (#6260)
  • 2385fd14d Prepare release notes for v1.5.8
• [release/1.5] mailmap: Add Kevin Parsons (#6261)
  • ef071b07b mailmap: Add Kevin Parsons
• Merge Github Security Advisory GHSA-5j5w-g665-5m35
  • 15d8c03e3 schema1: reject ambiguous documents
  • 833407fbf images: validate document type before unmarshal
• [release/1.5] Fix containerd fails to pull OCI image with non-http(s):// urls (#6238)
  • 01428ec40 Fix containerd fails to pull OCI image with non-http(s):// urls
• [release/1.5] go.mod: Bump hcsshim to v0.8.23 (#6231)
  • 2bd3f18d9 [release/1.5] go.mod: Bump hcsshim to v0.8.23
• [release/1.5] go.mod: Bump ttrpc to 1.1.0 (#6229)
  • 047ea15d2 [release/1.5] go.mod: Bump ttrpc to 1.1.0
• [release/1.5] update Go to 1.16.10 (#6210)
  • 7b20299bc [release/1.5] update Go to 1.16.10
  • 641976bea [release/1.5] update Go to 1.16.9
• [release/1.5] Output a warning for label image labels instead of erroring (#6187)
  • b988fc918 Output a warning for label image labels instead of erroring
• [release/1.5] task delete: Closes task IO before waiting (#6129)
  • bf02a8330 task delete: Closes task IO before waiting
• [release/1.5] Update test timeout based on recent cancellations (#6134)
  • 3109820f5 Update test timeout based on recent cancellations
• [release/1.5] Use deactivatelayer to recover layers that we cannot rename (#6133)
  • 16762f3e5 Fix spelling mistake in Windows snapshotter
  • 6094bc770 Use DeactivateLayer to recover layers that we cannot rename
• [release/1.5] Fix pull fails on unexpected EOF (#6117)
  • aa7c9d9da Fix pull fails on unexpected EOF
• [release/1.5 backport] cri: filter selinux xattr for image volumes (#5104)
  • c0534c168 [release/1.5 backport] cri: filter selinux xattr for image volumes

Changes from containerd/ttrpc

34 commits

• Add protoc-gen-go-ttrpc (#96)
  • 6eabacc Add protoc-gen-go-ttrpc
• client: Handle sending/receiving in separate goroutines (#94)
  • 4f0aeb5 client: Handle sending/receiving in separate goroutines
• Run Protobuild in GitHub Actions (#95)
  • e621cd1 Run Protobuild in GitHub Actions
  • 35cd240 Re-generate example.pb.go
• replace pkg/errors (#93)
  • 81faa3e replace pkg/errors from vendor
• Rename branch from master to main (#86)
  • a143311 Rename branch from master to main
• Make "go test" and "go build" work on macOS (#85)
  • 2368990 Make the example command buildable on macOS
  • 616d54c Run GitHub Actions on macOS
  • a4b18e0 Make "go test" work on macOS
• Return Unimplemented when services or methods are not implemented (#83)
  • fede9db Return Unimplemented when services or methods are not implemented
• Remove "Very new" and checked TODO items (#84)
  • dcc7d39 Remove "Very new" and checked TODO items
• removing glide from ignore (#82)
  • 2776d3f removing glide from ignore
• go.mod: update dependencies (#79)
  • 849845f go.mod: github.com/prometheus/procfs v0.6.0
  • 3ea5780 go.mod: google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63
  • 4640e27 go.mod: google.golang.org/grpc v1.27.1
  • 7c78be3 go.mod: github.com/gogo/protobuf v1.3.2
• remove travis, add codecov badge (#78)
  • 88f2525 CI: add codecov badge to readme
  • 6773702 CI: remove travis
• Use GitHub Actions for CI (#77)
  • 5bab91b Use GitHub Actions for CI
• go.mod: sirupsen/logrus v1.7.0 (#76)
  • a2f306d go.mod: sirupsen/logrus v1.7.0
  • f0fad07 go mod tidy

Dependency Changes

• github.com/Microsoft/hcsshim v0.8.21 -> v0.8.23
• github.com/containerd/ttrpc v...

containerd 1.4.12

Welcome to the v1.4.12 release of containerd!

The twelfth patch release for containerd 1.4 contains a few minor bug fixes
and an update to mitigate CVE-2021-41190.

Notable Updates

• Handle ambiguous OCI manifest parsing (GHSA-5j5w-g665-5m35)
• Update pull to try next mirror for non-404 errors (#5275)
• Update pull to handle of non-https urls in descriptors (#6221)

See the changelog for complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Maksym Pavlenko
• Samuel Karp
• Sebastiaan van Stijn
• Kohei Tokunaga
• Phil Estes
• Sebastian Hasler

Changes

13 commits

• [release/1.4] Prepare release notes for v1.4.12 (#6259)
  • 540b70454 Prepare release notes for v1.4.12
• Merge Github Security Advisory GHSA-5j5w-g665-5m35
  • eb875416e schema1: reject ambiguous documents
  • 53e0c8c35 images: validate document type before unmarshal
• [release/1.4] Try next mirror in case of non-404 errors, too (#6244)
  • 9b538c7c7 Try next mirror in case of non-404 errors, too
• [release/1.4] Fix containerd fails to pull OCI image with non-http(s):// urls (#6239)
  • e9f59a95e Fix containerd fails to pull OCI image with non-http(s):// urls
• [release/1.4] update Go to 1.16.10 (#6212)
  • 16921116b [release/1.4] update Go to 1.16.10
• [release/1.4] update Go to 1.16.9 (#6103)
  • b742b36fb [release/1.4] update Go to 1.16.9

Dependency Changes

This release has no dependency changes

Previous release can be found at v1.4.11

containerd 1.5.7

Welcome to the v1.5.7 release of containerd!

The seventh patch release for containerd 1.5 is a security release to fix CVE-2021-41103.

Notable Updates

• Fix insufficiently restricted permissions on container root and plugin directories GHSA-c2h3-6mxw-7mvq

See the changelog for complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Samuel Karp

Changes

5 commits

• 8686ededf Merge pull request from GHSA-c2h3-6mxw-7mvq
• bc2f973ff Prepare release notes for v1.5.7
• f95fca079 btrfs: reduce permissions on plugin directories
• 68119b417 v1 runtime: reduce permissions for bundle dir
• 97db45e83 v2 runtime: reduce permissions for bundle dir

Dependency Changes

This release has no dependency changes

Previous release can be found at v1.5.6

containerd 1.4.11

Welcome to the v1.4.11 release of containerd!

The eleventh patch release for containerd 1.4 is a security release to fix CVE-2021-41103.

Notable Updates

• Fix insufficiently restricted permissions on container root and plugin directories GHSA-c2h3-6mxw-7mvq

See the changelog for complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Samuel Karp
• Phil Estes

Changes

7 commits

• 5b46e404f Merge pull request from GHSA-c2h3-6mxw-7mvq
• adc279b83 Prepare release notes for v1.4.11
• 0b1bde385 btrfs: reduce permissions on plugin directories
• 38532c6ed v1 runtime: reduce permissions for bundle dir
• 403846c95 v2 runtime: reduce permissions for bundle dir
• 8a3cfaf33 Merge pull request #6075 from dmcgowan/1.4-update-test-images
• 3cd12c7d4 Update test images to use Github package registry

Dependency Changes

This release has no dependency changes

Previous release can be found at v1.4.10

containerd 1.5.6

Welcome to the v1.5.6 release of containerd!

The sixth patch release for containerd 1.5 contains minor fixes and updates
including an updated runc and hcsshim.

Notable Updates

• Install apparmor parser for arm64 and update seccomp to 2.5.1 #5763
• Update runc binary to 1.0.2 #5899
• Update hcsshim to v0.8.21 to fix layer issue on Windows Server 2019 #5942
• Add support for 'clone3' syscall to fix issue with certain images when seccomp is enabled #5982
• Add image config labels in CRI container creation #6012
• Fix panic in metadata content writer on copy error #6043

See the changelog for complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Akihiro Suda
• Wei Fu
• Phil Estes
• Alexandre Peixoto Ferreira
• Daniel Canter
• Sebastiaan van Stijn
• Davanum Srinivas
• Gunju Kim
• Jayme Howard
• Kohei Tokunaga
• Mike Brown
• wanglei
• zhanglei

Changes

38 commits

• 1a1b383ad Merge pull request #6068 from dmcgowan/prepare-1.5.6
• bc8fdf832 Update release notes and mailmap
• 77dafa20c Prepare release notes for v1.5.6
• 063195739 Merge pull request #6045 from dmcgowan/1.5-fix-metadata-content-panic
• a4b51d119 Fix panic in metadata content writer on copy error
• 4de759ab5 Merge pull request #6041 from dmcgowan/backport-1.5-use-ghcr-test-images
• 147705920 Use github images for integration tests
• 3f4f6bca9 Merge pull request #5981 from scuzhanglei/release-1.5-privileged-device
• 980646e3c Merge pull request #6024 from estesp/cp-6012
• 514137aa0 cri: add devices for privileged container
• 6bfd09f7c Enable image config labels in ctr and CRI container creation
• 00e5fbe2a Merge pull request #6013 from AkihiroSuda/cherrypick-5982-1.5
• 2726be136 Merge pull request #5983 from AkihiroSuda/runc-v1.0.2-15
• 79e05529e Merge pull request #5999 from dmcgowan/1.5-fix-unexpected-eof-handling
• 923088852 seccomp: support "clone3" (return ENOSYS unless SYS_ADMIN is granted)
• 4133c775c go.mod: update runc to v1.0.2
• 011fb4c0b update runc binary to v1.0.2
• 78a5a2c16 Merge pull request #6008 from thaJeztah/1.5_update_go
• 210d3bc15 Fix content copy to not ignore unexpected EOF
• a863339c5 [release/1.5] update Go to 1.16.8
• 217ab73b1 Merge pull request #6007 from AkihiroSuda/cherrypick-5987-1.5
• f3d46f828 CI: Switch to available latest images
• 36d09a433 Merge pull request #5941 from alexandref75/release/1.5
• f40ee0785 Merge pull request #5942 from dcantah/15-hcsshim-backport
• c7ed09d55 Adding testing of two devices in a directory
• 0ca2e2751 Fix dir support for devices V3 (containerd#4847)
• 0fd19511e go.mod: Update hcsshim to v0.8.21
• 69e5db821 Merge pull request #5893 from gjkim42/cherry-pick-of-#5878
• 27e164648 Allow expanded DNS configuration
• 337ede532 Merge pull request #5894 from estesp/cp-5625
• 8cfab161f CI: Switch to available latest images
• 25ad9449c Merge pull request #5763 from thaJeztah/1.5_backport_install_apparmor_parser_for_arm64_env
• 84cfadfa4 Merge pull request #5843 from thaJeztah/1.5_backport_update_go_116
• b9d5cff5d Update Go to 1.16.7
• 8b22de9e4 Merge pull request #5816 from estesp/cp-5809
• fe195c343 mergo: Upgrade to 0.3.12 to fix panic
• eb4ba99fe Install apparmor parser for arm64 environment
• 0bc1e1d8a update seccomp version

Dependency Changes

• github.com/Microsoft/hcsshim v0.8.18 -> v0.8.21
• github.com/imdario/mergo v0.3.11 -> v0.3.12
• github.com/opencontainers/runc v1.0.1 -> v1.0.2

Previous release can be found at v1.5.5

containerd 1.4.10

Welcome to the v1.4.10 release of containerd!

The tenth patch release for containerd 1.4 contains minor fixes and updates
including an updated runc and hcsshim.

Notable Updates

• Update runc to v1.0.2 #5899
• Update hcsshim to v0.8.21 #5957
• Support "clone3" in default seccomp profile #5982
• Fix panic in metadata content writer on copy error #6043

See the changelog for complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Sebastiaan van Stijn
• Akihiro Suda
• Phil Estes
• Derek McGowan
• Daniel Canter
• Jintao Zhang
• Michael Crosby
• Wei Fu

Changes

26 commits

• 8848fdb7c Merge pull request #6062 from dmcgowan/prepare-1.4.10
• 87d81c4f2 Update release notes for v1.4.10
• 16c175576 Prepare release notes for v1.4.10
• f8a9b3b61 Merge pull request #6010 from thaJeztah/1.4_update_golang_1.16
• 9b712ec73 Merge pull request #6044 from dmcgowan/1.4-fix-metadata-content-panic
• 6dddee4c8 Fix panic in metadata content writer on copy error
• 780289586 Merge pull request #6014 from AkihiroSuda/cherrypick-5982-1.4
• 668960dd3 seccomp: support "clone3" (return ENOSYS unless SYS_ADMIN is granted)
• bfe529e43 [release/1.4] update Go to 1.16.8
• 46f70c5d8 Update Go to 1.16.7
• 6b98d33b8 Update Go to 1.16.6
• 8cc99a88d Update Go to 1.16.4
• c1a8d3b4f Update Go to 1.16.3
• 80cbe4160 Update to Go 1.16.2
• ef6ce6c0c Update to Go 1.16.1
• c9f216407 [release/1.4] disable go modules where needed
• b9cc6ec62 Revert "[release/1.4] update Go to 1.15.11"
• 8d271b339 Revert "[release/1.4] Update Go to 1.15.13"
• afaa37975 Revert "Update Go to 1.15.14"
• 4ce1ce6f7 Revert "[release/1.4] Update Go to 1.15.15"
• f961e7b3c Merge pull request #5984 from AkihiroSuda/runc-v1.0.2-14
• b9d8ae17f update runc binary to v1.0.2
• e25371f79 Merge pull request #5957 from dcantah/hcsshim-backport-1.4
• a503d4c11 [release/1.4] go.mod: Update hcsshim to v0.8.21
• d30f83879 Merge pull request #5841 from thaJeztah/1.4_update_golang
• 2009fa71e [release/1.4] Update Go to 1.15.15

Dependency Changes

• github.com/Microsoft/hcsshim v0.8.16 -> v0.8.21

Previous release can be found at v1.4.9

v1.4.9-k3s1

v1.4.9-k3s1

containerd 1.5.5

Welcome to the v1.5.5 release of containerd!

The fifth patch release for containerd 1.5 updates runc to 1.0.1 and contains
other minor updates.

Notable Updates

• Update runc binary to 1.0.1 #5751
• Update pull logic to try next mirror on non-404 response #5275
• Update pull authorization logic on redirect #5504

See the changelog for complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Akihiro Suda
• Phil Estes
• Shiming Zhang
• Kazuyoshi Kato
• Sebastian Hasler

Changes

14 commits

• 72cec4be5 Merge pull request #5805 from dmcgowan/prepare-1.5.5
• 677fade0f Prepare release notes for v1.5.5
• 1c13c54ca Merge pull request #5764 from thaJeztah/1.5_backport_dm_log
• 883750151 Merge pull request #5772 from thaJeztah/1.5_backport_fix_missing_body_close
• 7b17268fd remotes/docker/pusher.go: Fix missing Close()
• 2f11d5855 remotes/docker/fetcher.go: Fix missing Close()
• bc12da7f6 Merge pull request #5766 from thaJeztah/1.5_backport_fix_authorization_on_redirect
• 4c1722e2b Update docker resolver to authorize redirects
• 166a81f88 snapshot/devmapper: log exported methods correctly
• 47d0f52cb Merge pull request #5747 from fuweid/cp-15-5275
• c355601d3 Merge pull request #5752 from AkihiroSuda/runc-v1.0.1-15
• d2cb9949b go.mod: runc v1.0.1
• 6807d070e update runc binary to v1.0.1
• d9b284bfd Try next mirror in case of non-404 errors, too

Dependency Changes

• github.com/bits-and-blooms/bitset v1.2.0 new
• github.com/cilium/ebpf v0.4.0 -> v0.6.2
• github.com/google/go-cmp v0.5.4 -> v0.5.5
• github.com/opencontainers/runc v1.0.0-rc93 -> v1.0.1
• github.com/opencontainers/runtime-spec e6143ca7d51d -> 1c3f411f0417
• github.com/opencontainers/selinux v1.8.0 -> v1.8.2
• github.com/sirupsen/logrus v1.7.0 -> v1.8.1
• golang.org/x/sys 47abb6519492 -> d19ff857e887

Previous release can be found at v1.5.4

containerd 1.4.9

Welcome to the v1.4.9 release of containerd!

The ninth patch release for containerd 1.4 updates runc to 1.0.1 and contains
other minor updates.

Notable Updates

• Update runc binary to 1.0.1 #5751
• Update pull authorization logic on redirect #5504
• Fix user agent used for fetching registry authentication tokens #5761

See the changelog for complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Shiming Zhang
• Akihiro Suda
• Kazuyoshi Kato
• Maksym Pavlenko
• Sebastiaan van Stijn

Changes

13 commits

• e25210fe3 Merge pull request #5806 from dmcgowan/prepare-v1.4.9
• ad26f4713 Prepare release notes for v1.4.9
• 11996c194 Merge pull request #5765 from thaJeztah/1.4_backport_dm_log
• 53add4cde Merge pull request #5773 from thaJeztah/1.4_backport_fix_missing_body_close
• a5cefbaac Merge pull request #5767 from thaJeztah/1.4_backport_fix_authorization_on_redirect
• 14c3a8e21 remotes/docker/pusher.go: Fix missing Close()
• 06c90e7b5 remotes/docker/fetcher.go: Fix missing Close()
• e4418dbea Merge pull request #5761 from thaJeztah/1.4_backport_fix_auth_ua
• 30d0c9199 Update docker resolver to authorize redirects
• 55794673b snapshot/devmapper: log exported methods correctly
• 67a0576df [release/1.4] Fix incorrect UA used for registry authentication
• a368d2872 Merge pull request #5753 from AkihiroSuda/runc-v1.0.1-14
• 34861f1aa update runc binary to v1.0.1

Dependency Changes

This release has no dependency changes

Previous release can be found at v1.4.8