forked from containerd/containerd
[pull] main from containerd:main #56
Open

pull wants to merge 5,279 commits into fahedouch:main from containerd:main
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.31.5 to 4.31.6.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@fdbfb4d...fe4161a)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.31.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
…ithub/codeql-action-4.31.6 build(deps): bump github/codeql-action from 4.31.5 to 4.31.6
…b.com/klauspost/compress-1.18.2 build(deps): bump github.com/klauspost/compress from 1.18.1 to 1.18.2
The original implementation provided a lot of unfilled or wrongly filled metrics. This tries to do better by only setting things I am fairly certain are correct.

Signed-off-by: Tim Windelschmidt <tim@monogon.tech>
Co-authored-by: Mike Brown <brownwm@us.ibm.com>
Signed-off-by: Austin Vazquez <austin.vazquez@docker.com>
Signed-off-by: Austin Vazquez <austin.vazquez@docker.com>
ci: bump Go 1.24.11, 1.25.5
…oftprops/action-gh-release-2.5.0 build(deps): bump softprops/action-gh-release from 2.4.2 to 2.5.0
fix: refactor ListPodSandboxMetrics
Update the OSS-Fuzz CIFuzz action references from commit abe2c06d (Oct 2024) to c8c1b257 (Dec 2025) which includes support for Ubuntu 24.04 base images. The new version reads `base_os_version: ubuntu-24-04` from the containerd project.yaml.

Signed-off-by: Davanum Srinivas <davanum@gmail.com>
…o-ubuntu-24-04 ci: update CIFuzz actions to support Ubuntu 24.04
Signed-off-by: ningmingxiao <ning.mingxiao@zte.com.cn>
add some log if blob is skipped to download
Bumps [github.com/containerd/zfs/v2](https://github.com/containerd/zfs) from 2.0.0-rc.0 to 2.0.0.
- [Release notes](https://github.com/containerd/zfs/releases)
- [Commits](containerd/zfs@v2.0.0-rc.0...v2.0.0)

---
updated-dependencies:
- dependency-name: github.com/containerd/zfs/v2
  dependency-version: 2.0.0
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
vendor: go.opentelemetry.io/otel/exporters v1.38.0, go.opentelemetry.io/contrib v0.63.0
…b.com/containerd/zfs/v2-2.0.0 build(deps): bump github.com/containerd/zfs/v2 from 2.0.0-rc.0 to 2.0.0
adds a background stats collector that calculates `UsageNanoCores` for containers and pod sandboxes.

- run in the background every second to collect CPU metrics for all containers and sandboxes (similar to what cAdvisor does)
- keep a rolling buffer of CPU samples and calculate the instantaneous CPU usage rate from consecutive samples
- read pod-level CPU stats from the parent cgroup rather than the pause container
- add cgroupv2 Pressure Stall Information for CPU, memory, and IO
- add missing `Timestamp` and `Interfaces` fields

when Kubernetes runs with `PodAndContainerStatsFromCRI=true`, it expects `UsageNanoCores` to be set in stats responses. This value represents how much CPU is being used right now (as opposed to `UsageCoreNanoSeconds`, which is cumulative). To calculate it, we need to compare CPU samples over time to replicate what is in cAdvisor.

we can't yet really test this in CI as some changes in Kubernetes have to land for `--feature-gates=PodAndContainerStatsFromCRI=true`

Signed-off-by: Davanum Srinivas <davanum@gmail.com>
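The rate calculation the commit describes, as an added example that is not containerd's code: two consecutive readings of the cumulative counter give `UsageNanoCores`, and the cases where the field has to stay unset (a single sample, no elapsed time, a counter that went backwards because the cgroup was recreated) are returned as errors instead of a bogus number. `cpuSample`, `cpuWindow` and `parseCPUStatUsage` are names chosen here; the cpu.stat contents in `main` are constructed, not captured from a host.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

var (
	errTooFewSamples = errors.New("need at least two CPU samples")
	errNoTimeElapsed = errors.New("timestamps did not advance")
	errCounterReset  = errors.New("cumulative CPU counter went backwards")
)

// cpuSample is one reading of a cumulative CPU counter (container or pod
// cgroup) and the time it was taken.
type cpuSample struct {
	Timestamp            time.Time
	UsageCoreNanoSeconds uint64
}

// cpuWindow is a rolling buffer of the most recent samples for one cgroup.
type cpuWindow struct {
	samples []cpuSample
	max     int
}

// add appends a sample, dropping the oldest once the buffer is full.
func (w *cpuWindow) add(s cpuSample) {
	w.samples = append(w.samples, s)
	if len(w.samples) > w.max {
		w.samples = w.samples[len(w.samples)-w.max:]
	}
}

// usageNanoCores derives the instantaneous rate from the two newest samples:
// CPU-nanoseconds consumed per wall-clock nanosecond, scaled so that one busy
// core is 1e9. The errors mark the cases where the field must be left unset
// rather than reported (too few samples, no elapsed time, counter reset).
func (w *cpuWindow) usageNanoCores() (uint64, error) {
	n := len(w.samples)
	if n < 2 {
		return 0, errTooFewSamples
	}
	prev, cur := w.samples[n-2], w.samples[n-1]
	dt := cur.Timestamp.Sub(prev.Timestamp)
	if dt <= 0 {
		return 0, errNoTimeElapsed
	}
	if cur.UsageCoreNanoSeconds < prev.UsageCoreNanoSeconds {
		return 0, errCounterReset
	}
	delta := cur.UsageCoreNanoSeconds - prev.UsageCoreNanoSeconds
	// float64 keeps delta*1e9 from overflowing uint64 on long-lived cgroups.
	return uint64(float64(delta) / float64(dt.Nanoseconds()) * 1e9), nil
}

// parseCPUStatUsage reads usage_usec from cgroup v2 cpu.stat content and
// returns it in nanoseconds, the unit UsageCoreNanoSeconds uses.
func parseCPUStatUsage(content string) (uint64, error) {
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		if f := strings.Fields(sc.Text()); len(f) == 2 && f[0] == "usage_usec" {
			usec, err := strconv.ParseUint(f[1], 10, 64)
			if err != nil {
				return 0, fmt.Errorf("bad usage_usec: %w", err)
			}
			return usec * 1000, nil
		}
	}
	return 0, errors.New("usage_usec not found in cpu.stat")
}

func main() {
	// Constructed cpu.stat snapshots one second apart (not from a real host).
	stats := []string{
		"usage_usec 1000000\nuser_usec 800000\nsystem_usec 200000\n",
		"usage_usec 1500000\nuser_usec 1200000\nsystem_usec 300000\n",
	}
	w, t0 := &cpuWindow{max: 3}, time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	for i, s := range stats {
		ns, err := parseCPUStatUsage(s)
		if err != nil {
			panic(err)
		}
		w.add(cpuSample{Timestamp: t0.Add(time.Duration(i) * time.Second), UsageCoreNanoSeconds: ns})
	}
	v, err := w.usageNanoCores()
	fmt.Println(v, err) // 500000000 <nil>, i.e. half a core
}
```

The same window works for the pod level if the samples are read from the parent cgroup's cpu.stat rather than summed over containers, which is what the commit does for sandboxes.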
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
Remove unnecessary variable extraction and Interfaces field, keeping only the Timestamp addition as originally intended.

Signed-off-by: Davanum Srinivas <davanum@gmail.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.31.6 to 4.31.7.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@fe4161a...cf1bb45)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.31.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 9.0.0 to 9.2.0.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](golangci/golangci-lint-action@0a35821...1e7e51e)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-version: 9.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps the golang-x group with 3 updates: [golang.org/x/mod](https://github.com/golang/mod), [golang.org/x/sync](https://github.com/golang/sync) and [golang.org/x/sys](https://github.com/golang/sys).

Updates `golang.org/x/mod` from 0.30.0 to 0.31.0
- [Commits](golang/mod@v0.30.0...v0.31.0)

Updates `golang.org/x/sync` from 0.18.0 to 0.19.0
- [Commits](golang/sync@v0.18.0...v0.19.0)

Updates `golang.org/x/sys` from 0.38.0 to 0.39.0
- [Commits](golang/sys@v0.38.0...v0.39.0)

---
updated-dependencies:
- dependency-name: golang.org/x/mod
  dependency-version: 0.31.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x
- dependency-name: golang.org/x/sync
  dependency-version: 0.19.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x
- dependency-name: golang.org/x/sys
  dependency-version: 0.39.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/stale](https://github.com/actions/stale) from 10.1.0 to 10.1.1.
- [Release notes](https://github.com/actions/stale/releases)
- [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md)
- [Commits](actions/stale@5f858e3...9971854)

---
updated-dependencies:
- dependency-name: actions/stale
  dependency-version: 10.1.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.0 to 6.0.1.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@1af3b93...8e8c483)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Commit 00a11e9 added these exclude rules as a temporary workaround until these transitive dependency versions would be gone;

> downgrade go-difflib and go-spew to tagged releases
>
> These dependencies were updated to "master" in some modules we depend on, but have no code-changes since their last release. Unfortunately, this also causes a ripple effect, forcing all users of the containerd module to also update these dependencies to an unreleased / untagged version.
>
> Both these dependencies are unlikely to do a new release in the near future, so exclude these versions so that we can downgrade to the current release.

Commit fb8c01d updated the containerd/zfs module to v2.0.0, which was the remaining dependency using these untagged versions, so we can remove these exclude rules again.

This reverts commit 00a11e9.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
go.mod: remove exclude rules
…ctions/checkout-6.0.1 build(deps): bump actions/checkout from 6.0.0 to 6.0.1
Bumps [github.com/coreos/go-systemd/v22](https://github.com/coreos/go-systemd) from 22.6.0 to 22.7.0.
- [Release notes](https://github.com/coreos/go-systemd/releases)
- [Commits](coreos/go-systemd@v22.6.0...v22.7.0)

---
updated-dependencies:
- dependency-name: github.com/coreos/go-systemd/v22
  dependency-version: 22.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
…integration ci: add retry logic for Fedora Vagrant box download
Bumps [docker/login-action](https://github.com/docker/login-action) from 3.6.0 to 3.7.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](docker/login-action@5e57cd1...c94ce9f)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-version: 3.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.31.10 to 4.32.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@cdefb33...6bc82e0)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.32.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/cache](https://github.com/actions/cache) from 5.0.2 to 5.0.3.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@8b402f5...cdf6c1f)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: 5.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
…s-container-host-user pkg/sys: Create user namespace as the container's initial user namesp…
…b.com/coreos/go-systemd/v22-22.7.0 build(deps): bump github.com/coreos/go-systemd/v22 from 22.6.0 to 22.7.0
…ctions/cache-5.0.3 build(deps): bump actions/cache from 5.0.2 to 5.0.3
…ithub/codeql-action-4.32.1 build(deps): bump github/codeql-action from 4.31.10 to 4.32.1
…ocker/login-action-3.7.0 build(deps): bump docker/login-action from 3.6.0 to 3.7.0
Signed-off-by: qiuxue <liuyutao36@gmail.com>
script/critest.sh: always skip OOMKilled on systemd cgroup
…unt-manager cri: use mount manager when image has volumes
Use buf to format proto files
edb3e08 removed `script/setup/install-protobuf`, and the tools are now installed through `script/setup/install-dev-tools`

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This change sets the AppArmor policy used by containerd to indicate it is `abi/3.0`. This was chosen based on some code archeology which indicated that containerd 1.7 came out in March 2023, before the AppArmor 4.0 ABI. The AppArmor policies themselves date to much older; the last apparmor version-checks were removed in 4baa187 and c990e3f, and both were looking for AppArmor 2.8.96 or older, pointing to abi/3.0 being the "correct" one to pick. Nothing is preventing containerd from migrating to a newer AppArmor ABI; note, however, that anything newer than `abi/4.0` will need modifications to preserve UNIX domain sockets. This was tested by building a custom k3s v1.35.0+k3s3, with the following modification: ``` diff --git a/go.mod b/go.mod index 4e7bacd204..0fcaf76b8f 100644 --- a/go.mod +++ b/go.mod 
@@ -8,7 +8,7 @@ replace ( github.com/cilium/ebpf => github.com/cilium/ebpf v0.12.3 github.com/cloudnativelabs/kube-router/v2 => github.com/k3s-io/kube-router/v2 v2.6.3-k3s1 github.com/containerd/containerd/api => github.com/containerd/containerd/api v1.9.0 - github.com/containerd/containerd/v2 => github.com/k3s-io/containerd/v2 v2.1.5-k3s1 + github.com/containerd/containerd/v2 => github.com/achernya/containerd/v2 v2.0.0-20260206214308-5e0dce89c422 github.com/containerd/imgcrypt => github.com/containerd/imgcrypt v1.1.11 github.com/containerd/stargz-snapshotter => github.com/k3s-io/stargz-snapshotter v0.17.0-k3s1 github.com/docker/distribution => github.com/docker/distribution v2.8.3+incompatible ``` to use a precursor to this commit. Once built, the resulting k3s was tested on a brand-new Proxmox installation: ``` root@containerd-test:~# uname -a Linux containerd-test 6.17.2-1-pve #1 SMP PREEMPT_DYNAMIC PMX 6.17.2-1 (2025-10-21T11:55Z) x86_64 GNU/Linux root@containerd-test:~# pveversion pve-manager/9.1.1/42db4a6cf33dac83 (running kernel: 6.17.2-1-pve) ``` Files were copied over: ``` achernya@achernya-dev:~/src/k3s$ scp -r dist/artifacts/ root@containerd-test: ``` and installed ``` root@containerd-test:~# mkdir -p /var/lib/rancher/k3s/agent/images/ /usr/local/bin root@containerd-test:~# cp artifacts/k3s /usr/local/bin/ root@containerd-test:~# cp artifacts/k3s-airgap-images-amd64.tar.zst /var/lib/rancher/k3s/agent/images/ ``` then finally started with `k3s server`. 
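Review bot: the replace directive in this go.mod hunk points k3s at a personal fork pinned to an untagged pseudo-version (`github.com/achernya/containerd/v2 v2.0.0-20260206214308-5e0dce89c422`), and the surrounding text says that revision is a precursor to this commit rather than the commit itself, so the k3s and Argo CD run that follows validates a nearby build, not the `abi/3.0` profile exactly as submitted. Please either note which profile text that pseudo-version carried or re-run the test against the final commit, and keep this replace as a local test-only edit rather than part of any change intended for k3s.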
Argo CD was then installed:

```
root@containerd-test:~# k3s kubectl create namespace argocd
namespace/argocd created
root@containerd-test:~# k3s kubectl apply -n argocd --server-side --force-conflicts -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
[elided]
root@containerd-test:~# k3s kubectl get pods -A
NAMESPACE     NAME                                               READY   STATUS      RESTARTS   AGE
argocd        argocd-application-controller-0                    1/1     Running     0          31s
argocd        argocd-applicationset-controller-77475dfcf-6b4cb   1/1     Running     0          32s
argocd        argocd-dex-server-6485c5ddf5-ckp5s                 1/1     Running     0          32s
argocd        argocd-notifications-controller-758f795776-djx69   1/1     Running     0          32s
argocd        argocd-redis-6cc4bb5db5-lt9fh                      1/1     Running     0          32s
argocd        argocd-repo-server-c76cf57cd-mr4mc                 1/1     Running     0          32s
argocd        argocd-server-6f85b59c87-w6cns                     0/1     Running     0          32s
kube-system   coredns-6b4688786f-pnds2                           1/1     Running     0          4m1s
kube-system   helm-install-traefik-crd-cn28g                     0/1     Completed   0          4m1s
kube-system   helm-install-traefik-hc9gp                         0/1     Completed   2          4m1s
kube-system   local-path-provisioner-6bc6568469-7wglx            1/1     Running     0          4m1s
kube-system   metrics-server-77dbbf84b-nqzsc                     1/1     Running     0          4m1s
kube-system   svclb-traefik-fe6d3a0b-z7jsp                       2/2     Running     0          3m14s
kube-system   traefik-5fdc878c8d-cjhx5                           1/1     Running     0          3m15s
```

Fixes: #12726

Signed-off-by: Alex Chernyakhovsky <alex@achernya.com>
go1.25.7 (released 2026-02-04) includes security fixes to the go command and the crypto/tls package, as well as bug fixes to the compiler and the crypto/x509 package. See the Go 1.25.7 milestone on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.25.7+label%3ACherryPickApproved

full diff: golang/go@go1.25.6...go1.25.7

From the security mailing list:

> Hello gophers,
>
> We have just released Go versions 1.25.7 and 1.24.13, minor point releases.
>
> These releases include 2 security fixes following the security policy:
>
> - cmd/cgo: remove user-content from doc strings in cgo ASTs
>
>   A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.
>
>   To prevent this behavior, the cgo compiler will no longer parse user-provided doc comments.
>
>   Thank you to RyotaK (https://ryotak.net) of GMO Flatt Security Inc. for reporting this issue.
>
>   This is CVE-2025-61732 and https://go.dev/issue/76697.
>
> - crypto/tls: unexpected session resumption when using Config.GetConfigForClient
>
>   Config.GetConfigForClient is documented to use the original Config's session ticket keys unless explicitly overridden. This can cause unexpected behavior if the returned Config modifies authentication parameters, like ClientCAs: a connection initially established with the parent (or a sibling) Config can be resumed, bypassing the modified authentication requirements.
>
>   If ClientAuth is VerifyClientCertIfGiven or RequireAndVerifyClientCert (on the server) or InsecureSkipVerify is false (on the client), crypto/tls now checks that the root of the previously-verified chain is still in ClientCAs/RootCAs when resuming a connection.
>
>   Go 1.26 Release Candidate 2, Go 1.25.6, and Go 1.24.12 had fixed a similar issue related to session ticket keys being implicitly shared by Config.Clone. Since this fix is broader, the Config.Clone behavior change has been reverted.
>
>   Note that VerifyPeerCertificate still behaves as documented: it does not apply to resumed connections. Applications that use Config.GetConfigForClient or Config.Clone and do not wish to blindly resume connections established with the original Config must use VerifyConnection instead (or SetSessionTicketKeys or SessionTicketsDisabled).
>
>   Thanks to Coia Prant (github.com/rbqvq) for reporting this issue.
>
>   This updates CVE-2025-68121 and Go issue https://go.dev/issue/77217.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
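The crypto/tls item in the quoted release notes says that applications using `Config.GetConfigForClient` which do not want to blindly resume connections established under the original Config must use `VerifyConnection`. The following is an added example, not containerd's code or the Go team's: each per-SNI Config carries its own `ClientCAs` and a `VerifyConnection` callback that re-validates the presented chain against that same pool. crypto/tls invokes `VerifyConnection` for resumed sessions as well, whereas `VerifyPeerCertificate` does not run on resumption, so a ticket issued under tenant A's Config cannot be replayed against tenant B's stricter pool. The tenant map and the names `perTenantConfig`, `serverConfig`, `issue` and `resumedAccepted` are chosen here, and the certificates are generated in-process for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// verifyClientChain re-validates the peer chain against the ClientCAs bound to
// this connection. crypto/tls runs VerifyConnection on resumed sessions too, so
// a ticket minted under the parent (or a sibling) Config must still pass here.
func verifyClientChain(cs tls.ConnectionState, roots *x509.CertPool) error {
	if len(cs.PeerCertificates) == 0 {
		return fmt.Errorf("no client certificate presented")
	}
	inter := x509.NewCertPool()
	for _, c := range cs.PeerCertificates[1:] {
		inter.AddCert(c)
	}
	_, err := cs.PeerCertificates[0].Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// perTenantConfig is what GetConfigForClient returns for one SNI name: its own
// ClientCAs plus a VerifyConnection hook bound to that same pool.
func perTenantConfig(base *tls.Config, clientCAs *x509.CertPool) *tls.Config {
	c := base.Clone()
	c.ClientAuth = tls.RequireAndVerifyClientCert
	c.ClientCAs = clientCAs
	c.VerifyConnection = func(cs tls.ConnectionState) error { return verifyClientChain(cs, clientCAs) }
	return c
}

// serverConfig routes each ClientHello to its tenant's Config by SNI
// (the tenant map is hypothetical).
func serverConfig(base *tls.Config, tenants map[string]*x509.CertPool) *tls.Config {
	c := base.Clone()
	c.GetConfigForClient = func(hi *tls.ClientHelloInfo) (*tls.Config, error) {
		pool, ok := tenants[hi.ServerName]
		if !ok {
			return nil, fmt.Errorf("unknown tenant %q", hi.ServerName)
		}
		return perTenantConfig(base, pool), nil
	}
	return c
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue builds a constructed certificate: a self-signed CA when parent is nil,
// otherwise a client leaf signed by parent.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	signer, signerKey := tmpl, key
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// resumedAccepted reports whether a resumed connection presenting leaf passes
// the tenant Config built for roots.
func resumedAccepted(leaf *x509.Certificate, roots *x509.CertPool) bool {
	cs := tls.ConnectionState{PeerCertificates: []*x509.Certificate{leaf}, DidResume: true}
	return perTenantConfig(&tls.Config{}, roots).VerifyConnection(cs) == nil
}

func main() {
	caA, keyA := issue("tenant-a-ca", nil, nil)
	caB, _ := issue("tenant-b-ca", nil, nil)
	leaf, _ := issue("client-of-a", caA, keyA)
	poolA, poolB := x509.NewCertPool(), x509.NewCertPool()
	poolA.AddCert(caA)
	poolB.AddCert(caB)
	fmt.Println(resumedAccepted(leaf, poolA), resumedAccepted(leaf, poolB)) // true false
}
```

Because the hook is bound to the pool that applies to this connection rather than to whatever pool verified the original handshake, the check holds whether or not the TLS stack resumed the session. The alternatives named in the release notes, giving each returned Config its own `SetSessionTicketKeys` or setting `SessionTicketsDisabled`, stop cross-Config resumption at the ticket layer instead and can be combined with this callback.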
Bumps [github.com/checkpoint-restore/checkpointctl](https://github.com/checkpoint-restore/checkpointctl) from 1.4.0 to 1.5.0.
- [Release notes](https://github.com/checkpoint-restore/checkpointctl/releases)
- [Commits](checkpoint-restore/checkpointctl@v1.4.0...v1.5.0)

---
updated-dependencies:
- dependency-name: github.com/checkpoint-restore/checkpointctl
  dependency-version: 1.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
…b.com/checkpoint-restore/checkpointctl-1.5.0 build(deps): bump github.com/checkpoint-restore/checkpointctl from 1.4.0 to 1.5.0
update to go1.24.13, go1.25.7
contrib/Dockerfile: remove proto3 (protobuf) stage
apparmor: explicitly set abi/3.0
…ctions/attest-build-provenance-3.2.0 build(deps): bump actions/attest-build-provenance from 3.1.0 to 3.2.0
Bumps the golang-x group with 2 updates: [golang.org/x/mod](https://github.com/golang/mod) and [golang.org/x/sys](https://github.com/golang/sys).

Updates `golang.org/x/mod` from 0.32.0 to 0.33.0
- [Commits](golang/mod@v0.32.0...v0.33.0)

Updates `golang.org/x/sys` from 0.40.0 to 0.41.0
- [Commits](golang/sys@v0.40.0...v0.41.0)

---
updated-dependencies:
- dependency-name: golang.org/x/mod
  dependency-version: 0.33.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x
- dependency-name: golang.org/x/sys
  dependency-version: 0.41.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github.com/klauspost/compress](https://github.com/klauspost/compress) from 1.18.3 to 1.18.4.
- [Release notes](https://github.com/klauspost/compress/releases)
- [Commits](klauspost/compress@v1.18.3...v1.18.4)

---
updated-dependencies:
- dependency-name: github.com/klauspost/compress
  dependency-version: 1.18.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.32.1 to 4.32.2.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@6bc82e0...45cbd0c)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.32.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
…ithub/codeql-action-4.32.2 build(deps): bump github/codeql-action from 4.32.1 to 4.32.2
cri: Fix image volumes with user namespaces
…g-x-61fd2b86fc build(deps): bump the golang-x group with 2 updates
…b.com/klauspost/compress-1.18.4 build(deps): bump github.com/klauspost/compress from 1.18.3 to 1.18.4
See Commits and Changes for more details.
Created by
pull[bot]
Can you help keep this open source service alive? 💖 Please sponsor : )