Skip to content

[pull] main from containerd:main#307

Open
pull[bot] wants to merge 1233 commits into
fahedouch:mainfrom
containerd:main
Open

[pull] main from containerd:main#307
pull[bot] wants to merge 1233 commits into
fahedouch:mainfrom
containerd:main

Conversation

@pull

@pull pull Bot commented May 10, 2025

Copy link
Copy Markdown

See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.1)

Can you help keep this open source service alive? 💖 Please sponsor : )

@pull pull Bot added the ⤵️ pull label May 10, 2025
AkihiroSuda and others added 29 commits May 21, 2026 02:22
….com/moby/moby/v2-2.0.0-beta.14

build(deps): bump github.com/moby/moby/v2 from 2.0.0-beta.13 to 2.0.0-beta.14
Bumps [github.com/containerd/containerd/v2](https://github.com/containerd/containerd) from 2.3.0 to 2.3.1.
- [Release notes](https://github.com/containerd/containerd/releases)
- [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md)
- [Commits](containerd/containerd@v2.3.0...v2.3.1)

---
updated-dependencies:
- dependency-name: github.com/containerd/containerd/v2
  dependency-version: 2.3.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps the docker group with 2 updates in the / directory: [github.com/docker/cli](https://github.com/docker/cli) and [github.com/moby/moby/v2](https://github.com/moby/moby).


Updates `github.com/docker/cli` from 29.5.0+incompatible to 29.5.2+incompatible
- [Commits](docker/cli@v29.5.0...v29.5.2)

Updates `github.com/moby/moby/v2` from 2.0.0-beta.14 to 2.0.0-beta.15
- [Release notes](https://github.com/moby/moby/releases)
- [Commits](moby/moby@v2.0.0-beta.14...v2.0.0-beta.15)

---
updated-dependencies:
- dependency-name: github.com/docker/cli
  dependency-version: 29.5.1+incompatible
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: docker
- dependency-name: github.com/moby/moby/v2
  dependency-version: 2.0.0-beta.14
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: docker
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: ChengyuZhu6 <hudson@cyzhu.com>
….com/containerd/containerd/v2-2.3.1

build(deps): bump github.com/containerd/containerd/v2 from 2.3.0 to 2.3.1
…-890c0f8f14

build(deps): bump the docker group across 1 directory with 2 updates
….com/compose-spec/compose-go/v2-2.11.0

build(deps): bump github.com/compose-spec/compose-go/v2 from 2.10.2 to 2.11.0
Bumps [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action) from 0.5.3 to 0.5.6.
- [Release notes](https://github.com/zizmorcore/zizmor-action/releases)
- [Commits](zizmorcore/zizmor-action@b1d7e1f...5f14fd0)

---
updated-dependencies:
- dependency-name: zizmorcore/zizmor-action
  dependency-version: 0.5.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 7.1.0 to 7.2.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](docker/build-push-action@bcafcac...f9f3042)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-version: 7.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [docker/login-action](https://github.com/docker/login-action) from 4.1.0 to 4.2.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](docker/login-action@4907a6d...650006c)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-version: 4.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [docker/metadata-action](https://github.com/docker/metadata-action) from 6.0.0 to 6.1.0.
- [Release notes](https://github.com/docker/metadata-action/releases)
- [Commits](docker/metadata-action@030e881...80c7e94)

---
updated-dependencies:
- dependency-name: docker/metadata-action
  dependency-version: 6.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps the golang-x group with 2 updates in the / directory: [golang.org/x/crypto](https://github.com/golang/crypto) and [golang.org/x/net](https://github.com/golang/net).


Updates `golang.org/x/crypto` from 0.51.0 to 0.52.0
- [Commits](golang/crypto@v0.51.0...v0.52.0)

Updates `golang.org/x/net` from 0.54.0 to 0.55.0
- [Commits](golang/net@v0.54.0...v0.55.0)

Updates `golang.org/x/sys` from 0.44.0 to 0.45.0
- [Commits](golang/sys@v0.44.0...v0.45.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.52.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x
- dependency-name: golang.org/x/net
  dependency-version: 0.55.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x
- dependency-name: golang.org/x/sys
  dependency-version: 0.45.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x
...

Signed-off-by: dependabot[bot] <support@github.com>
Replace the generated mocks under pkg/infoutil/infoutilmock and the
inline gomock-based MockParse in pkg/cmd/builder/build_test.go with
hand-rolled fakes that use function fields. This drops the
go.uber.org/mock require from go.mod / go.sum.

Fixes #3325

Signed-off-by: Metbcy <amirbredy1@gmail.com>
…zmorcore/zizmor-action-0.5.6

build(deps): bump zizmorcore/zizmor-action from 0.5.3 to 0.5.6
Signed-off-by: immanuwell <pchpr.00@list.ru>
docs: fix typo and missing import in tools.md
…-x-105f79c659

build(deps): bump the golang-x group across 1 directory with 3 updates
Bumps [github.com/opencontainers/selinux](https://github.com/opencontainers/selinux) from 1.14.1 to 1.15.0.
- [Release notes](https://github.com/opencontainers/selinux/releases)
- [Commits](opencontainers/selinux@v1.14.1...v1.15.0)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/selinux
  dependency-version: 1.15.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
…cker/login-action-4.2.0

build(deps): bump docker/login-action from 4.1.0 to 4.2.0
…cker/metadata-action-6.1.0

build(deps): bump docker/metadata-action from 6.0.0 to 6.1.0
…cker/build-push-action-7.2.0

build(deps): bump docker/build-push-action from 7.1.0 to 7.2.0
Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 4.0.0 to 4.1.0.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](docker/setup-buildx-action@4d04d5d...d7f5e7f)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
…cker/setup-buildx-action-4.1.0

build(deps): bump docker/setup-buildx-action from 4.0.0 to 4.1.0
`docker ps` displays the health check results for healthchecked containers
in the STATUS column:

```bash
$ docker run -d --name health --health-cmd=true --health-interval=3s alpine sleep inf
ace14dd125355ac04e8cbad9f1cf2eaaa7209d76cb648ccefb81e45b986c58f7

$ docker ps
CONTAINER ID   IMAGE     COMMAND       CREATED          STATUS                    PORTS     NAMES
ace14dd12535   alpine    "sleep inf"   23 seconds ago   Up 22 seconds (healthy)             health
```

However, `nerdctl ps` doesn't show the health status.

Therefore, to ensure compatibility with Docker, this change makes
`nerdctl ps` display the health check results in the STATUS column for
containers that perform health checks.

After this change, the output looks like:

```bash
$ sudo nerdctl ps
CONTAINER ID    IMAGE                              COMMAND                   CREATED          STATUS                   PORTS    NAMES
02c64243528a    docker.io/library/alpine:latest    "sleep inf"               7 seconds ago    Up (health: starting)             hoge
```

```bash
$ sudo nerdctl ps
CONTAINER ID    IMAGE                              COMMAND                   CREATED         STATUS          PORTS    NAMES
690aa502978c    docker.io/library/alpine:latest    "sleep inf"               1 second ago    Up (healthy)             hoge
```

```bash
$ sudo nerdctl ps
CONTAINER ID    IMAGE                              COMMAND                   CREATED         STATUS            PORTS    NAMES
02c64243528a    docker.io/library/alpine:latest    "sleep inf"               2 hours ago     Up (unhealthy)             hoge
```

Signed-off-by: Hayato Kiwata <dev@haytok.jp>
Suppose a container with healthcheck enabled has exited.

```bash
> sudo nerdctl ps -a --filter "name=hoge"
CONTAINER ID    IMAGE                              COMMAND      CREATED               STATUS                           PORTS    NAMES
dd94022f7dd0    docker.io/library/alpine:latest    "sleep 1"    About a minute ago    Exited (0) About a minute ago             hoge
```

When we try to run `nerdctl start` on that container, the following error
occurs, and the container cannot be started.

```bash
> sudo nerdctl start hoge
FATA[0000] 1 errors:
failed to create healthcheck timer: systemd-run failed: exit status 1
output: Failed to start transient timer unit: Unit dd94022f7dd0f8b60cb49e803c52de3a7a49c2b39276883ed7c606e13ca1a918.timer was already loaded or has a fragment file.
```

The cause of the failure is the presence of the systemd transient timer
unit used when executing health checks.

When checking the output of `systemctl status`, the status of the
transient timer unit is `active`, but an error has occurred in the
transient service unit that executes the healthcheck command.

In nerdctl, container health check is performed by running the `systemd-run`
command to periodically execute the `exec` command on the target container
via a transient service unit and a transient timer unit, and executing the
command specified with the `--health-cmd` option.

However, the current implementation does not account for the case where
the container has exited.

Therefore, this commit will ensure that transient units are deleted when a
container with a health check enabled exits. It will also ensure that the
system checks for the presence of transient units when restarting a
stopped container with a health check enabled.

The specific approach is as follows:

- Use the `--collect` option of the `systemd-run` command so that the
  transient service unit can be garbage-collected even when it is in a
  failed state.
- Delete the transient timer unit when the process exits and the container
  is in a stopped state.
- Before creating a new transient timer unit in CreateTimer, check whether
  a transient timer unit with the same name already exists and remove it
  if so.

Note that if the `--collect` option is specified when executing the
`systemd-run` command, deleting the transient timer unit will cause it to
be unloaded by systemd's garbage collection.

References:
- https://www.freedesktop.org/software/systemd/man/latest/systemd-run.html#-G
- https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#CollectMode=

Signed-off-by: Hayato Kiwata <dev@haytok.jp>
Signed-off-by: Hayato Kiwata <dev@haytok.jp>
chore: remove go.uber.org/mock dependency
AkihiroSuda and others added 30 commits July 8, 2026 21:45
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Signed-off-by: Daniel Benjamin <benjamindaniel706@gmail.com>
Bumps the golang-x group with 6 updates:

| Package | From | To |
| --- | --- | --- |
| [golang.org/x/crypto](https://github.com/golang/crypto) | `0.53.0` | `0.54.0` |
| [golang.org/x/net](https://github.com/golang/net) | `0.56.0` | `0.57.0` |
| [golang.org/x/sync](https://github.com/golang/sync) | `0.21.0` | `0.22.0` |
| [golang.org/x/sys](https://github.com/golang/sys) | `0.46.0` | `0.47.0` |
| [golang.org/x/term](https://github.com/golang/term) | `0.44.0` | `0.45.0` |
| [golang.org/x/text](https://github.com/golang/text) | `0.39.0` | `0.40.0` |


Updates `golang.org/x/crypto` from 0.53.0 to 0.54.0
- [Commits](golang/crypto@v0.53.0...v0.54.0)

Updates `golang.org/x/net` from 0.56.0 to 0.57.0
- [Commits](golang/net@v0.56.0...v0.57.0)

Updates `golang.org/x/sync` from 0.21.0 to 0.22.0
- [Commits](golang/sync@v0.21.0...v0.22.0)

Updates `golang.org/x/sys` from 0.46.0 to 0.47.0
- [Commits](golang/sys@v0.46.0...v0.47.0)

Updates `golang.org/x/term` from 0.44.0 to 0.45.0
- [Commits](golang/term@v0.44.0...v0.45.0)

Updates `golang.org/x/text` from 0.39.0 to 0.40.0
- [Release notes](https://github.com/golang/text/releases)
- [Commits](golang/text@v0.39.0...v0.40.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.54.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x
- dependency-name: golang.org/x/net
  dependency-version: 0.57.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x
- dependency-name: golang.org/x/sync
  dependency-version: 0.22.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x
- dependency-name: golang.org/x/sys
  dependency-version: 0.47.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x
- dependency-name: golang.org/x/term
  dependency-version: 0.45.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x
- dependency-name: golang.org/x/text
  dependency-version: 0.40.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x
...

Signed-off-by: dependabot[bot] <support@github.com>
….com/ipfs/go-cid-0.6.2

build(deps): bump github.com/ipfs/go-cid from 0.6.1 to 0.6.2
…-x-357f6793ed

build(deps): bump the golang-x group with 6 updates
…ork-base-test-to-tigron

test: refactor container_run_network_base_test.go to use Tigron
…t-linux-test-to-tigron

test: refactor container_run_mount_linux_test.go to use Tigron
Read-only bind and volume mounts (`-v src:dst:ro`, `--mount ...,readonly`)
are now made recursively read-only when the kernel (>= 5.12) and the OCI
runtime (runc >= 1.1, crun >= 1.8.6) support the "rro" mount option,
following Docker v25 (moby/moby#45278).

The behavior is customizable with the `bind-recursive` option of `--mount`
(docker/cli#4316):
- `enabled` (default): recursive bind; recursively read-only when supported
- `disabled`: non-recursive bind
- `writable`: submounts of a read-only mount are kept writable (Docker v24 behavior)
- `readonly`: force recursively read-only, or raise an error

The boolean aliases of `bind-recursive` (unreleased) are removed,
following docker/cli#4671.

Whether the OCI runtime supports RRO mounts is detected by running
`$RUNTIME features`, with the result cached in the XDG cache directory
(e.g., ~/.cache/nerdctl/oci-runtime-features), invalidated when the
runtime binary is modified.

The old `rro` option of `-v` and `--mount`, introduced in nerdctl v0.14
ahead of Docker, is now deprecated in favor of the Docker v25 form:
`--mount type=bind,src=...,dst=...,readonly,bind-propagation=rprivate,bind-recursive=readonly`.
It now raises an error (instead of silently degrading to plain "ro")
when RRO mounts are not supported.

`nerdctl cp` now recognizes the "rro" mount option when refusing to
copy into a read-only location.

Fix issue 2651

Assisted-by: Claude Fable 5 <noreply@anthropic.com>
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
mount: support the Docker v25 form of recursive read-only (RRO) mounts
feat: label-based filtering added to `nerdctl events`
…range

network create: match each --ip-range to its subnet for dual-stack
Docker's network create takes --ipv4 (default on) so that --ipv4=false
together with --ipv6 yields an IPv6-only network. nerdctl had no
equivalent: generateIPAM always appended a default IPv4 range when no v4
subnet was given, so every bridge network ended up with IPv4.

Add the flag and carry it as a positive IPv4 option, matching the
existing IPv6 field and docker's EnableIPv4. When IPv4 is off, skip the
default v4 range, switch the host-local default route to ::/0, and reject
an IPv4 subnet. Require at least one address family (docker's "IPv4 or
IPv6 must be enabled"), and require an explicit IPv6 subnet since nerdctl
does not auto-allocate one. Reject the combination on Windows where
IPv6-only is unsupported.

Part of #5012.

Signed-off-by: Mayur Das <mayur.das@neevcloud.com>
Bumps [github.com/containerd/containerd/v2](https://github.com/containerd/containerd) from 2.3.2 to 2.3.3.
- [Release notes](https://github.com/containerd/containerd/releases)
- [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md)
- [Commits](containerd/containerd@v2.3.2...v2.3.3)

---
updated-dependencies:
- dependency-name: github.com/containerd/containerd/v2
  dependency-version: 2.3.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github.com/rootless-containers/rootlesskit/v3](https://github.com/rootless-containers/rootlesskit) from 3.0.1 to 3.0.2.
- [Release notes](https://github.com/rootless-containers/rootlesskit/releases)
- [Commits](rootless-containers/rootlesskit@v3.0.1...v3.0.2)

---
updated-dependencies:
- dependency-name: github.com/rootless-containers/rootlesskit/v3
  dependency-version: 3.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
….com/rootless-containers/rootlesskit/v3-3.0.2

build(deps): bump github.com/rootless-containers/rootlesskit/v3 from 3.0.1 to 3.0.2
….com/containerd/containerd/v2-2.3.3

build(deps): bump github.com/containerd/containerd/v2 from 2.3.2 to 2.3.3
Signed-off-by: Mujib Ahasan <ahasanmujib8@gmail.com>

test case added

Signed-off-by: Mujib Ahasan <ahasanmujib8@gmail.com>
update containerd (2.3.3)
Signed-off-by: akshitguptaa <akshitguptaa29@gmail.com>
Signed-off-by: akshitguptaa <akshitguptaa29@gmail.com>
feat(network): add --ipv4 to allow IPv6-only networks
feat(run): add support for `--expose` and `--publish-all`
fix: hide internal alias flags from help output
rootless: enable IPv6 in RootlessKit network namespace
Signed-off-by: s3onghyun <s3onghyun@users.noreply.github.com>
save: add --quiet/-q to suppress progress output
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.