Merge tag 'v1.7.9'

containerd 1.7.9

Welcome to the v1.7.9 release of containerd!

The ninth patch release for containerd 1.7 contains various fixes and updates.

* **update runc binary to v1.1.10::** ([#9359](containerd/containerd#9359))
* **vendor: upgrade OpenTelemetry to v1.19.0 / v0.45.0** ([#9301](containerd/containerd#9301))
* **Expose usage of cri-api v1alpha2** ([#9336](containerd/containerd#9336))
* **integration: deflake TestIssue9103** ([#9354](containerd/containerd#9354))
* **fix: shimv1 leak issue** ([#9344](containerd/containerd#9344))
* **cri: add deprecation warnings for mirrors, auths, and configs** ([#9327](containerd/containerd#9327))
* **Update hcsshim tag to v0.11.4** ([#9326](containerd/containerd#9326))
* **Expose usage of deprecated features** ([#9315](containerd/containerd#9315))

See the changelog for complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

* Samuel Karp
* Kazuyoshi Kato
* Wei Fu
* Kirtana Ashok
* Derek McGowan
* Milas Bowman
* Sebastiaan van Stijn
* ruiwen-zhao
<details><summary>28 commits</summary>
<p>

* [release/1.7] Add release notes for v1.7.9 ([#9333](containerd/containerd#9333))
  * [`4b912af52`](containerd/containerd@4b912af) Add release notes for v1.7.9
* [release/1.7 backport] update runc binary to v1.1.10 ([#9359](containerd/containerd#9359))
  * [`eff291713`](containerd/containerd@eff2917) update runc binary to v1.1.10
* [release/1.7] vendor: upgrade OpenTelemetry to v1.19.0 / v0.45.0 ([#9301](containerd/containerd#9301))
  * [`bd9428ff7`](containerd/containerd@bd9428f) vendor: upgrade OpenTelemetry to v1.19.0 / v0.45.0
* [release/1.7] Expose usage of cri-api v1alpha2 ([#9336](containerd/containerd#9336))
  * [`d62cba40c`](containerd/containerd@d62cba4) Expose usage of cri-api v1alpha2
* [release/1.7] integration: deflake TestIssue9103 ([#9354](containerd/containerd#9354))
  * [`5dbc258a8`](containerd/containerd@5dbc258) integration: deflake TestIssue9103
* [release/1.7] fix: shimv1 leak issue ([#9344](containerd/containerd#9344))
  * [`449912857`](containerd/containerd@4499128) fix: shimv1 leak issue
* [release/1.7] cri: add deprecation warnings for mirrors, auths, and configs ([#9327](containerd/containerd#9327))
  * [`152c57e91`](containerd/containerd@152c57e) cri: add deprecation warning for configs
  * [`689a1036d`](containerd/containerd@689a103) cri: add deprecation warning for auths
  * [`8c38975bf`](containerd/containerd@8c38975) cri: add deprecation warning for mirrors
  * [`1fbce40c4`](containerd/containerd@1fbce40) cri: add ability to emit deprecation warnings
* [release/1.7] Update hcsshim tag to v0.11.4 ([#9326](containerd/containerd#9326))
  * [`73f15bdb6`](containerd/containerd@73f15bd) Update hcsshim tag to v0.11.4
* [release/1.7] Expose usage of deprecated features ([#9315](containerd/containerd#9315))
  * [`60d48ffea`](containerd/containerd@60d48ff) ctr: new deprecations command
  * [`74a06671a`](containerd/containerd@74a0667) plugin: record deprecation for dynamic plugins
  * [`fa5f3c91a`](containerd/containerd@fa5f3c9) server: add ability to record config deprecations
  * [`f7880e7f0`](containerd/containerd@f7880e7) pull: record deprecation warning for schema 1
  * [`1dd2f2c02`](containerd/containerd@1dd2f2c) introspection: add support for deprecations
  * [`aaf000c18`](containerd/containerd@aaf000c) api/introspection: deprecation warnings in server
  * [`9b7ceee54`](containerd/containerd@9b7ceee) warning: new service for deprecations
  * [`b708f8bfa`](containerd/containerd@b708f8b) deprecation: new package for deprecations
</p>
</details>

* **github.com/Microsoft/hcsshim**                                                 v0.11.1 -> v0.11.4
* **github.com/cenkalti/backoff/v4**                                               v4.2.0 -> v4.2.1
* **github.com/go-logr/logr**                                                      v1.2.3 -> v1.2.4
* **github.com/grpc-ecosystem/grpc-gateway/v2**                                    v2.7.0 -> v2.16.0
* **go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc**  v0.40.0 -> v0.45.0
* **go.opentelemetry.io/otel**                                                     v1.14.0 -> v1.19.0
* **go.opentelemetry.io/otel/exporters/otlp/otlptrace**                            v1.14.0 -> v1.19.0
* **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc**              v1.14.0 -> v1.19.0
* **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp**              v1.14.0 -> v1.19.0
* **go.opentelemetry.io/otel/metric**                                              v0.37.0 -> v1.19.0
* **go.opentelemetry.io/otel/sdk**                                                 v1.14.0 -> v1.19.0
* **go.opentelemetry.io/otel/trace**                                               v1.14.0 -> v1.19.0
* **go.opentelemetry.io/proto/otlp**                                               v0.19.0 -> v1.0.0

Previous release can be found at [v1.7.8](https://github.com/containerd/containerd/releases/tag/v1.7.8)

.github/workflows/build-test-images.yml

@@ -43,7 +43,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v3
         with:
-          go-version: "1.20.7"
+          go-version: "1.20.10"
 
       - uses: actions/checkout@v3
         with:

.github/workflows/ci.yml

@@ -12,7 +12,7 @@ on:
 env:
   # Go version we currently use to build containerd across all CI.
   # Note: don't forget to update `Binaries` step, as it contains the matrix of all supported Go versions.
-  GO_VERSION: "1.20.7"
+  GO_VERSION: "1.20.10"
 
 permissions: # added using https://github.com/step-security/secure-workflows
   contents: read
@@ -207,7 +207,7 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-20.04, macos-12, windows-2019, windows-2022]
-        go-version: ["1.20.7", "1.19.12"]
+        go-version: ["1.20.10", "1.21.3"]
     steps:
       - uses: actions/setup-go@v3
         with:

.github/workflows/codeql.yml

@@ -34,7 +34,7 @@ jobs:
 
       - uses: actions/setup-go@v3
         with:
-          go-version: 1.20.7
+          go-version: 1.20.10
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL

.github/workflows/images.yml

@@ -28,7 +28,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v3
         with:
-          go-version: "1.20.7"
+          go-version: "1.20.10"
 
       - uses: actions/checkout@v3
         with:

.github/workflows/nightly.yml

@@ -7,7 +7,7 @@ on:
       - ".github/workflows/nightly.yml"
 
 env:
-  GO_VERSION: "1.20.7"
+  GO_VERSION: "1.20.10"
 
 permissions: # added using https://github.com/step-security/secure-workflows
   contents: read

.github/workflows/release.yml

@@ -13,7 +13,7 @@ on:
 name: Release
 
 env:
-  GO_VERSION: "1.20.7"
+  GO_VERSION: "1.20.10"
 
 permissions: # added using https://github.com/step-security/secure-workflows
   contents: read

.golangci.yml

@@ -33,6 +33,15 @@ issues:
       # conversion is necessary on Linux, unnecessary on macOS
       text: "unnecessary conversion"
 
+    # FIXME temporarily suppress deprecation warnings for the logs package. See https://github.com/containerd/containerd/pull/9086
+    - text: "SA1019: log\\.(G|L|Fields|Entry|RFC3339NanoFixed|Level|TraceLevel|DebugLevel|InfoLevel|WarnLevel|ErrorLevel|FatalLevel|PanicLevel|SetLevel|GetLevel|OutputFormat|TextFormat|JSONFormat|SetFormat|WithLogger|GetLogger)"
+      linters:
+        - staticcheck
+    - text: "SA1019: logtest\\.WithT"
+      linters:
+        - staticcheck
+
+
 linters-settings:
   gosec:
     # The following issues surfaced when `gosec` linter

Makefile

@@ -235,6 +235,11 @@ bin/cni-bridge-fp: integration/failpoint/cmd/cni-bridge-fp FORCE
 	@echo "$(WHALE) $@"
 	@$(GO) build ${GO_BUILD_FLAGS} -o $@ ./integration/failpoint/cmd/cni-bridge-fp
 
+# build runc-fp as runc wrapper to support failpoint, only used by integration test
+bin/runc-fp: integration/failpoint/cmd/runc-fp FORCE
+	@echo "$(WHALE) $@"
+	@$(GO) build ${GO_BUILD_FLAGS} -o $@ ./integration/failpoint/cmd/runc-fp
+
 benchmark: ## run benchmarks tests
 	@echo "$(WHALE) $@"
 	@$(GO) test ${TESTFLAGS} -bench . -run Benchmark -test.root

Vagrantfile

@@ -102,7 +102,7 @@ EOF
   config.vm.provision "install-golang", type: "shell", run: "once" do |sh|
     sh.upload_path = "/tmp/vagrant-install-golang"
     sh.env = {
-        'GO_VERSION': ENV['GO_VERSION'] || "1.20.7",
+        'GO_VERSION': ENV['GO_VERSION'] || "1.20.10",
     }
     sh.inline = <<~SHELL
         #!/usr/bin/env bash

api/next.pb.txt

@@ -4240,6 +4240,7 @@ file {
   dependency: "github.com/containerd/containerd/api/types/platform.proto"
   dependency: "google/rpc/status.proto"
   dependency: "google/protobuf/empty.proto"
+  dependency: "google/protobuf/timestamp.proto"
   message_type {
     name: "Plugin"
     field {
@@ -4359,6 +4360,39 @@ file {
       type: TYPE_UINT64
       json_name: "pidns"
     }
+    field {
+      name: "deprecations"
+      number: 4
+      label: LABEL_REPEATED
+      type: TYPE_MESSAGE
+      type_name: ".containerd.services.introspection.v1.DeprecationWarning"
+      json_name: "deprecations"
+    }
+  }
+  message_type {
+    name: "DeprecationWarning"
+    field {
+      name: "id"
+      number: 1
+      label: LABEL_OPTIONAL
+      type: TYPE_STRING
+      json_name: "id"
+    }
+    field {
+      name: "message"
+      number: 2
+      label: LABEL_OPTIONAL
+      type: TYPE_STRING
+      json_name: "message"
+    }
+    field {
+      name: "last_occurrence"
+      number: 3
+      label: LABEL_OPTIONAL
+      type: TYPE_MESSAGE
+      type_name: ".google.protobuf.Timestamp"
+      json_name: "lastOccurrence"
+    }
   }
   service {
     name: "Introspection"

api/services/introspection/v1/introspection.proto

@@ -21,6 +21,7 @@ package containerd.services.introspection.v1;
 import "github.com/containerd/containerd/api/types/platform.proto";
 import "google/rpc/status.proto";
 import "google/protobuf/empty.proto";
+import "google/protobuf/timestamp.proto";
 
 option go_package = "github.com/containerd/containerd/api/services/introspection/v1;introspection";
 
@@ -102,4 +103,11 @@ message ServerResponse {
 	string uuid = 1;
 	uint64 pid = 2;
 	uint64 pidns = 3; // PID namespace, such as 4026531836
+	repeated DeprecationWarning deprecations = 4;
 }
+
+message DeprecationWarning {
+	string id = 1;
+	string message = 2;
+	google.protobuf.Timestamp last_occurrence = 3;
+}

cmd/containerd/builtins/builtins.go

@@ -45,4 +45,5 @@ import (
 	_ "github.com/containerd/containerd/services/tasks"
 	_ "github.com/containerd/containerd/services/transfer"
 	_ "github.com/containerd/containerd/services/version"
+	_ "github.com/containerd/containerd/services/warning"
 )

cmd/containerd/command/oci-hook.go

@@ -25,7 +25,8 @@ import (
 	"syscall"
 	"text/template"
 
-	specs "github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/containerd/containerd/oci"
+	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/urfave/cli"
 )
 
@@ -37,7 +38,8 @@ var ociHook = cli.Command{
 		if err != nil {
 			return err
 		}
-		spec, err := loadSpec(state.Bundle)
+		specFile := filepath.Join(state.Bundle, oci.ConfigFilename)
+		spec, err := loadSpec(specFile)
 		if err != nil {
 			return err
 		}
@@ -56,14 +58,16 @@ var ociHook = cli.Command{
 	},
 }
 
+// hookSpec is a shallow version of [oci.Spec] containing only the
+// fields we need for the hook. We use a shallow struct to reduce
+// the overhead of unmarshaling.
 type hookSpec struct {
-	Root struct {
-		Path string `json:"path"`
-	} `json:"root"`
+	// Root configures the container's root filesystem.
+	Root *specs.Root `json:"root,omitempty"`
 }
 
-func loadSpec(bundle string) (*hookSpec, error) {
-	f, err := os.Open(filepath.Join(bundle, "config.json"))
+func loadSpec(path string) (*hookSpec, error) {
+	f, err := os.Open(path)
 	if err != nil {
 		return nil, err
 	}

cmd/ctr/app/main.go

@@ -22,6 +22,7 @@ import (
 
 	"github.com/containerd/containerd/cmd/ctr/commands/containers"
 	"github.com/containerd/containerd/cmd/ctr/commands/content"
+	"github.com/containerd/containerd/cmd/ctr/commands/deprecations"
 	"github.com/containerd/containerd/cmd/ctr/commands/events"
 	"github.com/containerd/containerd/cmd/ctr/commands/images"
 	"github.com/containerd/containerd/cmd/ctr/commands/info"
@@ -118,6 +119,7 @@ containerd CLI
 		ociCmd.Command,
 		sandboxes.Command,
 		info.Command,
+		deprecations.Command,
 	}, extraCmds...)
 	app.Before = func(context *cli.Context) error {
 		if context.GlobalBool("debug") {

cmd/ctr/commands/deprecations/deprecations.go

@@ -0,0 +1,113 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package deprecations
+
+import (
+	"fmt"
+	"os"
+	"text/tabwriter"
+	"time"
+
+	"github.com/urfave/cli"
+
+	api "github.com/containerd/containerd/api/services/introspection/v1"
+	"github.com/containerd/containerd/cmd/ctr/commands"
+	"github.com/containerd/containerd/protobuf"
+	ptypes "github.com/containerd/containerd/protobuf/types"
+)
+
+// Command is the parent for all commands under "deprecations"
+var Command = cli.Command{
+	Name: "deprecations",
+	Subcommands: []cli.Command{
+		listCommand,
+	},
+}
+var listCommand = cli.Command{
+	Name:  "list",
+	Usage: "Print warnings for deprecations",
+	Flags: []cli.Flag{
+		cli.StringFlag{
+			Name:  "format",
+			Usage: "output format to use (Examples: 'default', 'json')",
+		},
+	},
+	Action: func(context *cli.Context) error {
+		client, ctx, cancel, err := commands.NewClient(context)
+		if err != nil {
+			return err
+		}
+		defer cancel()
+
+		resp, err := client.IntrospectionService().Server(ctx, &ptypes.Empty{})
+		if err != nil {
+			return err
+		}
+		wrn := warnings(resp)
+		if len(wrn) > 0 {
+			switch context.String("format") {
+			case "json":
+				commands.PrintAsJSON(warnings(resp))
+				return nil
+			default:
+				w := tabwriter.NewWriter(os.Stdout, 4, 8, 4, ' ', 0)
+				fmt.Fprintln(w, "ID\tLAST OCCURRENCE\tMESSAGE\t")
+				for _, dw := range wrn {
+					if _, err := fmt.Fprintf(w, "%s\t%s\t%s\n",
+						dw.ID,
+						dw.LastOccurrence.Format(time.RFC3339Nano),
+						dw.Message,
+					); err != nil {
+						return err
+					}
+				}
+				return w.Flush()
+			}
+
+		}
+		return nil
+	},
+}
+
+type deprecationWarning struct {
+	ID             string    `json:"id"`
+	Message        string    `json:"message"`
+	LastOccurrence time.Time `json:"lastOccurrence"`
+}
+
+func warnings(in *api.ServerResponse) []deprecationWarning {
+	var warnings []deprecationWarning
+	for _, dw := range in.Deprecations {
+		wrn := deprecationWarningFromPB(dw)
+		if wrn == nil {
+			continue
+		}
+		warnings = append(warnings, *wrn)
+	}
+	return warnings
+}
+func deprecationWarningFromPB(in *api.DeprecationWarning) *deprecationWarning {
+	if in == nil {
+		return nil
+	}
+	lo := protobuf.FromTimestamp(in.LastOccurrence)
+	return &deprecationWarning{
+		ID:             in.ID,
+		Message:        in.Message,
+		LastOccurrence: lo,
+	}
+}

content/content.go

@@ -87,9 +87,6 @@ type IngestManager interface {
 }
 
 // Info holds content specific information
-//
-// TODO(stevvooe): Consider a very different name for this struct. Info is way
-// to general. It also reads very weird in certain context, like pluralization.
 type Info struct {
 	Digest    digest.Digest
 	Size      int64
@@ -111,12 +108,17 @@ type Status struct {
 // WalkFunc defines the callback for a blob walk.
 type WalkFunc func(Info) error
 
-// Manager provides methods for inspecting, listing and removing content.
-type Manager interface {
+// InfoProvider provides info for content inspection.
+type InfoProvider interface {
 	// Info will return metadata about content available in the content store.
 	//
 	// If the content is not present, ErrNotFound will be returned.
 	Info(ctx context.Context, dgst digest.Digest) (Info, error)
+}
+
+// Manager provides methods for inspecting, listing and removing content.
+type Manager interface {
+	InfoProvider
 
 	// Update updates mutable information related to content.
 	// If one or more fieldpaths are provided, only those

contrib/Dockerfile.test

@@ -29,7 +29,7 @@
 #   docker run --privileged containerd-test
 # ------------------------------------------------------------------------------
 
-ARG GOLANG_VERSION=1.20.7
+ARG GOLANG_VERSION=1.20.10
 ARG GOLANG_IMAGE=golang
 
 FROM ${GOLANG_IMAGE}:${GOLANG_VERSION} AS golang