[pull] main from containerd:main#56
Open
pull[bot] wants to merge 6077 commits into
Open
Conversation
AF_ALG (address family 38) exposes the Linux kernel crypto API to userspace via socket(2). Containers have no legitimate need for this interface under the default profile, and leaving it accessible widens the kernel attack surface unnecessarily (see https://copy.fail/). Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
Update Go to 1.26.3
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
fix(erofs): set TMPDIR for mkfs.erofs on Windows
Bumps the golang-x group with 2 updates: [golang.org/x/mod](https://github.com/golang/mod) and [golang.org/x/sys](https://github.com/golang/sys). Updates `golang.org/x/mod` from 0.35.0 to 0.36.0 - [Commits](golang/mod@v0.35.0...v0.36.0) Updates `golang.org/x/sys` from 0.43.0 to 0.44.0 - [Commits](golang/sys@v0.43.0...v0.44.0) --- updated-dependencies: - dependency-name: golang.org/x/mod dependency-version: 0.36.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x - dependency-name: golang.org/x/sys dependency-version: 0.44.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x ... Signed-off-by: dependabot[bot] <support@github.com>
…rver server: tolerate failed gRPC plugins when starting listeners
Fix issue 13388 ``` [...] May 12 16:57:23 kind-control-plane kubelet[257]: failed to extract layer (application/vnd.docker.image.rootfs .diff.tar sha256:6f1cdceb6a3146f0ccb986521156bef8a422cdbb0863396f7f751f575ba308f4) to overlayfs as "extract-920875437 -7QPF sha256:31e64620332e54e3e4fb246d8325ed2c9f1c2cc64a95f0bb23b4b7e82834c95a": failed to mount /var/lib/containerd/t mpmounts/containerd-mount2180142388: mount source: "overlay", target: "/var/lib/containerd/tmpmounts/containerd-mount 2180142388", fstype: overlay, flags: 0, data: "upperdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/sn apshots/279/fs", err: invalid argument [...] ``` This was a regression introduced in PR 13115. Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Commit f9c80be removed varcheck linter, but some nolint:varcheck annotations are still there, resulting in golangci-lint warning: > WARN [runner/nolint_filter] Found unknown linters in //nolint directives: varcheck Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
…b.com/klauspost/compress-1.18.6 build(deps): bump github.com/klauspost/compress from 1.18.5 to 1.18.6
overlay: disable "rebase" capability when running in UserNS
seccomp: Block AF_ALG in default socket policy
pkg: remove unused nolint annotations
…b.com/pelletier/go-toml/v2-2.3.1 build(deps): bump github.com/pelletier/go-toml/v2 from 2.3.0 to 2.3.1
…g-x-46c647a010 build(deps): bump the golang-x group with 2 updates
RELEASES.md: 2.1 EOL (2026-05-05)
Signed-off-by: Mike Brown <brownwm@us.ibm.com> Co-authored-by: Sebastiaan van Stijn <github@gone.nl>
merge_group CI is primarily a final sanity check that queued changes still compose cleanly, not a place to rerun every expensive advisory suite. Skip Windows integration, Vagrant integration, and Kubernetes node e2e for merge_group because those jobs are costly and have recurring flakes, which wastes merge-queue capacity and delays unrelated merges. They still run on pull_request events for advisory coverage, and the existing aggregate required status check name is unchanged. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Signed-off-by: Austin Vazquez <austin.vazquez@docker.com>
…-logging cleanup the systemd debug notification logging
ci: skip advisory jobs in merge queue
openUserFile now stats the opened file, refuses anything that is not a regular file, and wraps the returned fs.File so reads are capped at maxUserFileBytes (10 MiB). All callers of openUserFile read either etc/passwd or etc/group; both are regular files on real systems, well under the cap. The cap and the regular-file check together bound parser memory use when reading user-database files of unexpected shape or size. Adds tests for the cap and for the non-regular file rejection. The cap test covers three boundary points: a small pad (trailing entry parsed), a pad placing the entry's last byte exactly on the cap (still parsed), and a pad past the cap (read returns an "exceeds" error). Assisted-by: Antigravity Signed-off-by: Chris Henzie <chrishenzie@gmail.com>
…ested toolchain Signed-off-by: Sergey Kanzhelev <S.Kanzhelev@live.com>
… the dependency Signed-off-by: Sergey Kanzhelev <S.Kanzhelev@live.com>
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
remove 1.26.2 from CI builds as it is not supported any longer due to…
Fix sandbox task API endpoints for non-runc runtimes
Detect strconv.ErrRange and validate uid/gid bounds to avoid falling back to username/group lookups. Signed-off-by: LEI WANG <ssst0n3@gmail.com>
use local go toolchain in CI to confirm that build actually uses requ…
Under slow network conditions (e.g., simulated 2 Mbps ingress bandwidth limits in CI), restoring a container from a checkpoint can fail if it requires pulling the base image again. During restore, crictl create is called. In test_from_oci, it used a 10-second timeout (crictl -t 10s create). Over a 2 Mbps connection, pulling the 2.8MB Alpine layer takes ~12-13 seconds, causing the operation to exceed the timeout and fail with context canceled. Increase the timeouts in both test_from_archive and test_from_oci to 30 seconds. This ensures the base image pull can complete successfully even in constrained CI environments. Tested: Ran the CRI integration tests on a GCE VM under a simulated 2 Mbps ingress bandwidth limit using traffic control (tc). Verified that both test_from_archive and test_from_oci passed successfully and container restore completed without timeout. Assisted-by: Antigravity Signed-off-by: Samuel Karp <samuelkarp@google.com>
Signed-off-by: Sergey Kanzhelev <S.Kanzhelev@live.com>
Add dockerfile for the whiteout-test test image
Add loong64 (LoongArch) architecture support to the build system and CI: - Makefile.linux: add loong64 to architectures that don't use -buildmode=pie (consistent with other non-amd64 architectures like mips, ppc64) - ci.yml: add linux/loong64 to crossbuild matrix with CGO_ENABLED=0 - RELEASES.md: add linux/loong64 as Tier 3 (Build-verified) platform The linux/loong64 release build and nightly build entries are intentionally excluded — the cross-compilation toolchain is not yet available in Ubuntu 22.04 apt repositories (no crossbuild-essential-loong64 package). The crossbuild CI check uses CGO_ENABLED=0. Nightly and release builds will be re-enabled once the upstream tonistiigi/xx base image provides the loong64 cross-compilation toolchain. Go has supported GOARCH=loong64 as a first-class port since Go 1.21. The seccomp default profile already includes loong64 support (contrib/seccomp). Tracked by: #13641 Signed-off-by: 徐晓伟 <xuxiaowei@xuxiaowei.com.cn>
feat: add loong64 (LoongArch) build support
When a registry returns 403 Forbidden on a HEAD request (e.g., manifest resolve or push existence check), the diagnostic error body is lost because HEAD responses carry no body per HTTP spec. This leaves users with an opaque "403 Forbidden" message and no actionable guidance. Add a follow-up GET on HEAD 403 to retrieve the registry's OCI error body. The existing unexpectedResponseErr machinery already parses the body into structured errors — it just needs the body to be present. The fallback lives in a shared withGETErrorBody helper used by both the pusher and resolver: it only enriches when the GET also returns 403, and preserves the original HEAD request's method and status while borrowing just the body, so the resulting error's status and body stay consistent. Scoped to 403 only because it is rare (CMK key disabled, IP firewall, RBAC misconfiguration) and its body is highly diagnostic, while other status codes either already use GET or have bodies that add no value. Fixes #8969 Signed-off-by: Andrew Au <cshung@gmail.com>
Includes security fixes to the crypto/tls and os packages. Assisted-by: Antigravity Signed-off-by: Chris Henzie <chrishenzie@gmail.com>
Update go to 1.26.5
Disable checkpoint restore codepath when CRIU is not installed
Vagrant is no longer well maintained: e.g., its apt repository does not provide packages for Ubuntu 26.04 (hashicorp/vagrant#13811), and recent Fedora boxes are no longer published to HashiCorp's registry, so the CI had to download the box file manually from Fedora mirrors. The test scripts in the Vagrantfile were split out to script/vm/*.sh . The scripts depend on neither Vagrant nor Lima, and can be used with other VM environments too. Assisted-by: Claude Fable 5 <noreply@anthropic.com> Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
remotes: surface OCI error body in registry 4xx responses
Signed-off-by: Wei Fu <fuweid89@gmail.com>
Signed-off-by: Jordan Liggitt <liggitt@google.com>
RELEASES.md: mark 2.1 EOL and update latest 1.7/2.0/2.1/2.2/2.3 tags
CI: migrate Vagrant to Lima
Go can report context deadline exceeded when a duration-based fuzz limit expires (https://go.dev/issue/75804). Use a 50,000-execution limit based on the roughly 47,000 executions FuzzImageStore completed in 30 seconds in CI. This keeps work stable across runners and avoids the duration issue. Assisted-by: Codex Signed-off-by: Chris Henzie <chrishenzie@gmail.com>
Bumps [github.com/klauspost/compress](https://github.com/klauspost/compress) from 1.18.6 to 1.19.0. - [Release notes](https://github.com/klauspost/compress/releases) - [Commits](klauspost/compress@v1.18.6...v1.19.0) --- updated-dependencies: - dependency-name: github.com/klauspost/compress dependency-version: 1.19.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
build(deps): bump github.com/containerd/ttrpc to v1.2.9
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.81.1 to 1.82.0. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.81.1...v1.82.0) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-version: 1.82.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps the golang-x group with 2 updates in the / directory: [golang.org/x/sync](https://github.com/golang/sync) and [golang.org/x/sys](https://github.com/golang/sys). Updates `golang.org/x/sync` from 0.21.0 to 0.22.0 - [Commits](golang/sync@v0.21.0...v0.22.0) Updates `golang.org/x/sys` from 0.46.0 to 0.47.0 - [Commits](golang/sys@v0.46.0...v0.47.0) --- updated-dependencies: - dependency-name: golang.org/x/sync dependency-version: 0.22.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x - dependency-name: golang.org/x/sys dependency-version: 0.47.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x ... Signed-off-by: dependabot[bot] <support@github.com>
…e.golang.org/grpc-1.82.0 build(deps): bump google.golang.org/grpc from 1.81.1 to 1.82.0
…g-x-c40dbcb055 build(deps): bump the golang-x group across 1 directory with 2 updates
…b.com/klauspost/compress-1.19.0 build(deps): bump github.com/klauspost/compress from 1.18.6 to 1.19.0
fix(cri): introspect OCI runtime features for non-runc runtimes
ci: bound Go fuzzing by execution count
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
release notes: https://github.com/opencontainers/runc/releases/tag/v1.5.1 Signed-off-by: Paco Xu <paco.xu@daocloud.io>
update runc to v1.5.1
Signed-off-by: Aysha Afrah Ziya <aysha26@digiscrypt.com>
blockcim config and plugin initialization changes
pkg/archive: reject out-of-range device numbers in layer headers
Raise stale bot limits
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
See Commits and Changes for more details.
Created by
pull[bot]
Can you help keep this open source service alive? 💖 Please sponsor : )