Skip to content

[pull] main from containerd:main#56

Open
pull[bot] wants to merge 6077 commits into
fahedouch:mainfrom
containerd:main
Open

[pull] main from containerd:main#56
pull[bot] wants to merge 6077 commits into
fahedouch:mainfrom
containerd:main

Conversation

@pull

@pull pull Bot commented Aug 2, 2022

Copy link
Copy Markdown

See Commits and Changes for more details.


Created by pull[bot]

Can you help keep this open source service alive? 💖 Please sponsor : )

vvoland and others added 30 commits May 11, 2026 13:19
AF_ALG (address family 38) exposes the Linux kernel crypto API to
userspace via socket(2). Containers have no legitimate need for this
interface under the default profile, and leaving it accessible widens
the kernel attack surface unnecessarily (see https://copy.fail/).

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
fix(erofs): set TMPDIR for mkfs.erofs on Windows
Bumps the golang-x group with 2 updates: [golang.org/x/mod](https://github.com/golang/mod) and [golang.org/x/sys](https://github.com/golang/sys).


Updates `golang.org/x/mod` from 0.35.0 to 0.36.0
- [Commits](golang/mod@v0.35.0...v0.36.0)

Updates `golang.org/x/sys` from 0.43.0 to 0.44.0
- [Commits](golang/sys@v0.43.0...v0.44.0)

---
updated-dependencies:
- dependency-name: golang.org/x/mod
  dependency-version: 0.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x
- dependency-name: golang.org/x/sys
  dependency-version: 0.44.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x
...

Signed-off-by: dependabot[bot] <support@github.com>
…rver

server: tolerate failed gRPC plugins when starting listeners
Fix issue 13388

```
[...]
May 12 16:57:23 kind-control-plane kubelet[257]:         failed to extract layer (application/vnd.docker.image.rootfs
.diff.tar sha256:6f1cdceb6a3146f0ccb986521156bef8a422cdbb0863396f7f751f575ba308f4) to overlayfs as "extract-920875437
-7QPF sha256:31e64620332e54e3e4fb246d8325ed2c9f1c2cc64a95f0bb23b4b7e82834c95a": failed to mount /var/lib/containerd/t
mpmounts/containerd-mount2180142388: mount source: "overlay", target: "/var/lib/containerd/tmpmounts/containerd-mount
2180142388", fstype: overlay, flags: 0, data: "upperdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/sn
apshots/279/fs", err: invalid argument
[...]
```

This was a regression introduced in PR 13115.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Commit f9c80be removed varcheck linter, but some nolint:varcheck
annotations are still there, resulting in golangci-lint warning:

> WARN [runner/nolint_filter] Found unknown linters in //nolint directives: varcheck

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
…b.com/klauspost/compress-1.18.6

build(deps): bump github.com/klauspost/compress from 1.18.5 to 1.18.6
overlay: disable "rebase" capability when running in UserNS
seccomp: Block AF_ALG in default socket policy
pkg: remove unused nolint annotations
…b.com/pelletier/go-toml/v2-2.3.1

build(deps): bump github.com/pelletier/go-toml/v2 from 2.3.0 to 2.3.1
…g-x-46c647a010

build(deps): bump the golang-x group with 2 updates
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
Co-authored-by: Sebastiaan van Stijn <github@gone.nl>
merge_group CI is primarily a final sanity check that queued changes still compose cleanly, not a place to rerun every expensive advisory suite.

Skip Windows integration, Vagrant integration, and Kubernetes node e2e for merge_group because those jobs are costly and have recurring flakes, which wastes merge-queue capacity and delays unrelated merges.

They still run on pull_request events for advisory coverage, and the existing aggregate required status check name is unchanged.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Signed-off-by: Austin Vazquez <austin.vazquez@docker.com>
…-logging

cleanup the systemd debug notification logging
ci: skip advisory jobs in merge queue
openUserFile now stats the opened file, refuses anything that is not a
regular file, and wraps the returned fs.File so reads are capped at
maxUserFileBytes (10 MiB). All callers of openUserFile read either
etc/passwd or etc/group; both are regular files on real systems, well
under the cap.

The cap and the regular-file check together bound parser memory use
when reading user-database files of unexpected shape or size.

Adds tests for the cap and for the non-regular file rejection. The cap
test covers three boundary points: a small pad (trailing entry parsed),
a pad placing the entry's last byte exactly on the cap (still parsed),
and a pad past the cap (read returns an "exceeds" error).

Assisted-by: Antigravity
Signed-off-by: Chris Henzie <chrishenzie@gmail.com>
…ested toolchain

Signed-off-by: Sergey Kanzhelev <S.Kanzhelev@live.com>
… the dependency

Signed-off-by: Sergey Kanzhelev <S.Kanzhelev@live.com>
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
remove 1.26.2 from CI builds as it is not supported any longer due to…
Fix sandbox task API endpoints for non-runc runtimes
Detect strconv.ErrRange and validate uid/gid bounds to avoid falling back to username/group lookups.

Signed-off-by: LEI WANG <ssst0n3@gmail.com>
use local go toolchain in CI to confirm that build actually uses requ…
Under slow network conditions (e.g., simulated 2 Mbps ingress bandwidth
limits in CI), restoring a container from a checkpoint can fail if it
requires pulling the base image again.

During restore, crictl create is called. In test_from_oci, it used a
10-second timeout (crictl -t 10s create). Over a 2 Mbps connection,
pulling the 2.8MB Alpine layer takes ~12-13 seconds, causing the
operation to exceed the timeout and fail with context canceled.

Increase the timeouts in both test_from_archive and test_from_oci to
30 seconds. This ensures the base image pull can complete successfully
even in constrained CI environments.

Tested:
Ran the CRI integration tests on a GCE VM under a simulated 2 Mbps
ingress bandwidth limit using traffic control (tc). Verified that
both test_from_archive and test_from_oci passed successfully and
container restore completed without timeout.

Assisted-by: Antigravity
Signed-off-by: Samuel Karp <samuelkarp@google.com>
Signed-off-by: Sergey Kanzhelev <S.Kanzhelev@live.com>
samuelkarp and others added 30 commits July 6, 2026 17:26
Add dockerfile for the whiteout-test test image
Add loong64 (LoongArch) architecture support to the build system and CI:

- Makefile.linux: add loong64 to architectures that don't use -buildmode=pie
  (consistent with other non-amd64 architectures like mips, ppc64)
- ci.yml: add linux/loong64 to crossbuild matrix with CGO_ENABLED=0
- RELEASES.md: add linux/loong64 as Tier 3 (Build-verified) platform

The linux/loong64 release build and nightly build entries are intentionally
excluded — the cross-compilation toolchain is not yet available in Ubuntu 22.04
apt repositories (no crossbuild-essential-loong64 package). The crossbuild CI
check uses CGO_ENABLED=0. Nightly and release builds will be re-enabled once
the upstream tonistiigi/xx base image provides the loong64 cross-compilation
toolchain.

Go has supported GOARCH=loong64 as a first-class port since Go 1.21.
The seccomp default profile already includes loong64 support (contrib/seccomp).

Tracked by: #13641

Signed-off-by: 徐晓伟 <xuxiaowei@xuxiaowei.com.cn>
feat: add loong64 (LoongArch) build support
When a registry returns 403 Forbidden on a HEAD request (e.g., manifest
resolve or push existence check), the diagnostic error body is lost
because HEAD responses carry no body per HTTP spec. This leaves users
with an opaque "403 Forbidden" message and no actionable guidance.

Add a follow-up GET on HEAD 403 to retrieve the registry's OCI error
body. The existing unexpectedResponseErr machinery already parses the
body into structured errors — it just needs the body to be present. The
fallback lives in a shared withGETErrorBody helper used by both the
pusher and resolver: it only enriches when the GET also returns 403, and
preserves the original HEAD request's method and status while borrowing
just the body, so the resulting error's status and body stay consistent.

Scoped to 403 only because it is rare (CMK key disabled, IP firewall,
RBAC misconfiguration) and its body is highly diagnostic, while other
status codes either already use GET or have bodies that add no value.

Fixes #8969

Signed-off-by: Andrew Au <cshung@gmail.com>
Includes security fixes to the crypto/tls and os packages.

Assisted-by: Antigravity
Signed-off-by: Chris Henzie <chrishenzie@gmail.com>
Disable checkpoint restore codepath when CRIU is not installed
Vagrant is no longer well maintained: e.g., its apt repository does not
provide packages for Ubuntu 26.04 (hashicorp/vagrant#13811), and recent
Fedora boxes are no longer published to HashiCorp's registry, so the CI
had to download the box file manually from Fedora mirrors.

The test scripts in the Vagrantfile were split out to script/vm/*.sh .
The scripts depend on neither Vagrant nor Lima, and can be used with
other VM environments too.

Assisted-by: Claude Fable 5 <noreply@anthropic.com>
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
remotes: surface OCI error body in registry 4xx responses
Signed-off-by: Jordan Liggitt <liggitt@google.com>
RELEASES.md: mark 2.1 EOL and update latest 1.7/2.0/2.1/2.2/2.3 tags
CI: migrate Vagrant to Lima
Go can report context deadline exceeded when a duration-based fuzz limit
expires (https://go.dev/issue/75804).

Use a 50,000-execution limit based on the roughly 47,000 executions
FuzzImageStore completed in 30 seconds in CI. This keeps work stable
across runners and avoids the duration issue.

Assisted-by: Codex
Signed-off-by: Chris Henzie <chrishenzie@gmail.com>
Bumps [github.com/klauspost/compress](https://github.com/klauspost/compress) from 1.18.6 to 1.19.0.
- [Release notes](https://github.com/klauspost/compress/releases)
- [Commits](klauspost/compress@v1.18.6...v1.19.0)

---
updated-dependencies:
- dependency-name: github.com/klauspost/compress
  dependency-version: 1.19.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
build(deps): bump github.com/containerd/ttrpc to v1.2.9
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.81.1 to 1.82.0.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.81.1...v1.82.0)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-version: 1.82.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps the golang-x group with 2 updates in the / directory: [golang.org/x/sync](https://github.com/golang/sync) and [golang.org/x/sys](https://github.com/golang/sys).


Updates `golang.org/x/sync` from 0.21.0 to 0.22.0
- [Commits](golang/sync@v0.21.0...v0.22.0)

Updates `golang.org/x/sys` from 0.46.0 to 0.47.0
- [Commits](golang/sys@v0.46.0...v0.47.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sync
  dependency-version: 0.22.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x
- dependency-name: golang.org/x/sys
  dependency-version: 0.47.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x
...

Signed-off-by: dependabot[bot] <support@github.com>
…e.golang.org/grpc-1.82.0

build(deps): bump google.golang.org/grpc from 1.81.1 to 1.82.0
…g-x-c40dbcb055

build(deps): bump the golang-x group across 1 directory with 2 updates
…b.com/klauspost/compress-1.19.0

build(deps): bump github.com/klauspost/compress from 1.18.6 to 1.19.0
fix(cri): introspect OCI runtime features for non-runc runtimes
ci: bound Go fuzzing by execution count
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
release notes: https://github.com/opencontainers/runc/releases/tag/v1.5.1

Signed-off-by: Paco Xu <paco.xu@daocloud.io>
Signed-off-by: Aysha Afrah Ziya <aysha26@digiscrypt.com>
blockcim config and plugin initialization changes
pkg/archive: reject out-of-range device numbers in layer headers
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.