containerd 1.5.5

Welcome to the v1.5.5 release of containerd!

The fifth patch release for containerd 1.5 updates runc to 1.0.1 and contains
other minor updates.

Notable Updates

• Update runc binary to 1.0.1 #5751
• Update pull logic to try next mirror on non-404 response #5275
• Update pull authorization logic on redirect #5504

See the changelog for complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Akihiro Suda
• Phil Estes
• Shiming Zhang
• Kazuyoshi Kato
• Sebastian Hasler

Changes

14 commits

• 72cec4be5 Merge pull request #5805 from dmcgowan/prepare-1.5.5
• 677fade0f Prepare release notes for v1.5.5
• 1c13c54ca Merge pull request #5764 from thaJeztah/1.5_backport_dm_log
• 883750151 Merge pull request #5772 from thaJeztah/1.5_backport_fix_missing_body_close
• 7b17268fd remotes/docker/pusher.go: Fix missing Close()
• 2f11d5855 remotes/docker/fetcher.go: Fix missing Close()
• bc12da7f6 Merge pull request #5766 from thaJeztah/1.5_backport_fix_authorization_on_redirect
• 4c1722e2b Update docker resolver to authorize redirects
• 166a81f88 snapshot/devmapper: log exported methods correctly
• 47d0f52cb Merge pull request #5747 from fuweid/cp-15-5275
• c355601d3 Merge pull request #5752 from AkihiroSuda/runc-v1.0.1-15
• d2cb9949b go.mod: runc v1.0.1
• 6807d070e update runc binary to v1.0.1
• d9b284bfd Try next mirror in case of non-404 errors, too

Dependency Changes

• github.com/bits-and-blooms/bitset v1.2.0 new
• github.com/cilium/ebpf v0.4.0 -> v0.6.2
• github.com/google/go-cmp v0.5.4 -> v0.5.5
• github.com/opencontainers/runc v1.0.0-rc93 -> v1.0.1
• github.com/opencontainers/runtime-spec e6143ca7d51d -> 1c3f411f0417
• github.com/opencontainers/selinux v1.8.0 -> v1.8.2
• github.com/sirupsen/logrus v1.7.0 -> v1.8.1
• golang.org/x/sys 47abb6519492 -> d19ff857e887

Previous release can be found at v1.5.4

containerd 1.4.9

Welcome to the v1.4.9 release of containerd!

The ninth patch release for containerd 1.4 updates runc to 1.0.1 and contains
other minor updates.

Notable Updates

• Update runc binary to 1.0.1 #5751
• Update pull authorization logic on redirect #5504
• Fix user agent used for fetching registry authentication tokens #5761

See the changelog for complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Shiming Zhang
• Akihiro Suda
• Kazuyoshi Kato
• Maksym Pavlenko
• Sebastiaan van Stijn

Changes

13 commits

• e25210fe3 Merge pull request #5806 from dmcgowan/prepare-v1.4.9
• ad26f4713 Prepare release notes for v1.4.9
• 11996c194 Merge pull request #5765 from thaJeztah/1.4_backport_dm_log
• 53add4cde Merge pull request #5773 from thaJeztah/1.4_backport_fix_missing_body_close
• a5cefbaac Merge pull request #5767 from thaJeztah/1.4_backport_fix_authorization_on_redirect
• 14c3a8e21 remotes/docker/pusher.go: Fix missing Close()
• 06c90e7b5 remotes/docker/fetcher.go: Fix missing Close()
• e4418dbea Merge pull request #5761 from thaJeztah/1.4_backport_fix_auth_ua
• 30d0c9199 Update docker resolver to authorize redirects
• 55794673b snapshot/devmapper: log exported methods correctly
• 67a0576df [release/1.4] Fix incorrect UA used for registry authentication
• a368d2872 Merge pull request #5753 from AkihiroSuda/runc-v1.0.1-14
• 34861f1aa update runc binary to v1.0.1

Dependency Changes

This release has no dependency changes

Previous release can be found at v1.4.8

v1.4.8-k3s1

go.mod: bump CRI replacement version and match vendor changes in upst…

v1.4.4-k3s2

[backport 1.4] oci.WithPrivileged: set current caps (#17)

Backport of containerd/containerd#5017

Signed-off-by: Jacob Blain Christen <[email protected]>

v1.3.10-k3s4

Merge pull request #16 from galal-hussein/bumping_continuity

[release/1.3] bump up continuity

v1.3.10-k3s3

Merge pull request #15 from galal-hussein/backport_cri_fix

[release/1.3] bump up cri version

v1.3.10-k3s2

apparmor: handle signal mediation

On newer kernels and systems, AppArmor will block sending signals in
many scenarios by default resulting in strange behaviours (container
programs cannot signal each other, or host processes like containerd
cannot signal containers).

The reason this happens only on some distributions (and is not a kernel
regression) is that the kernel doesn't enforce signal mediation unless
the profile contains signal rules. However because our profies #include
the distribution-managed <abstractions/base>, some distributions added
signal rules -- which results in AppArmor enforcing signal mediation and
thus a regression. On these systems, containers cannot send and receive
signals at all -- meaning they cannot signal each other and the
container runtime cannot kill them either.

This issue was fixed in Docker in 2018[1] but this code was copied
before then and thus the patches weren't carried. It also contains a new
fix for a more esoteric case[2]. Ideally this code should live in a
project like "containerd/apparmor" so that Docker, libpod, and
containerd can share it, but that's probably something to do separately.

In addition, the copyright header is updated to reference that the code
is copied from Docker (and thus was not written entirely by the
containerd authors).

[1]: https://github.com/docker/docker/pull/37831
[2]: https://github.com/docker/docker/pull/41337

Signed-off-by: Aleksa Sarai <[email protected]>
(cherry picked from commit d8572b6ca6a34ab079d4d3530022030ace782cf4)
Signed-off-by: Brad Davidson <[email protected]>

v1.4.4-k3s1

cri: bump replacement version

k3s-io/cri v1.4.0-k3s.5

Signed-off-by: Jacob Blain Christen <[email protected]>

v1.3.10-k3s1

bump our cri replacement

v1.3.0-k3s.10

Signed-off-by: Jacob Blain Christen <[email protected]>

v1.4.3-k3s5

[backport 1.4] mirror repository rewrites pt 2 (#12)

Remainder of the adaptation of containerd#5171 to 1.4.x

Signed-off-by: Jacob Blain Christen <[email protected]>