Merge tag 'v1.7.20'

containerd 1.7.20 Welcome to the v1.7.20 release of containerd! The twentieth patch release for containerd 1.7 contains various fixes and updates. * Support for dropping inheritable capabilities ([#10469](containerd/containerd#10469)) * Make PodSandboxStatus friendlier to shim crashes ([#10461](containerd/containerd#10461)) * Handle empty DNSConfig differently than unspecified ([#10462](containerd/containerd#10462)) * Fix for `[cri] ttrpc: closed` during ListPodSandboxStats ([#10423](containerd/containerd#10423)) Please try out the release binaries and report any issues at https://github.com/containerd/containerd/issues. * Derek McGowan * Akihiro Suda * Phil Estes * Akhil Mohan * Bryant Biggs * Danny Canter * Davanum Srinivas * Mike Brown * Samuel Karp * Tim Hockin <details><summary>16 commits</summary> <p> * Prepare release notes for v1.7.20 ([#10481](containerd/containerd#10481)) * [`7f2d4cd97`](containerd/containerd@7f2d4cd) Prepare release notes for v1.7.20 * deps: Update otelgrpc ([#10413](containerd/containerd#10413)) * [`3a02c523d`](containerd/containerd@3a02c52) deps: Update otelgrpc * Make PodSandboxStatus friendlier to shim crashes ([#10461](containerd/containerd#10461)) * [`df86bdd5d`](containerd/containerd@df86bdd) CRI Sbserver: Make PodSandboxStatus friendlier to shim crashes * Handle empty DNSConfig differently than unspecified ([#10462](containerd/containerd#10462)) * [`209ee4f10`](containerd/containerd@209ee4f) CRI: An empty DNSConfig != unspecified * Support for dropping inheritable capabilities ([#10469](containerd/containerd#10469)) * [`ce65228af`](containerd/containerd@ce65228) Support for dropping inheritable capabilities * Fix for `[cri] ttrpc: closed` during ListPodSandboxStats ([#10423](containerd/containerd#10423)) * [`610498df7`](containerd/containerd@610498d) Fix for `[cri] ttrpc: closed` during ListPodSandboxStats * update to go1.21.12 / go1.22.5 ([#10426](containerd/containerd#10426)) * [`e61c7932e`](containerd/containerd@e61c793) update to go1.21.12 / go1.22.5 * errdefs: denote deprecation as a godoc comment ([#10424](containerd/containerd#10424)) * [`c7d5e430a`](containerd/containerd@c7d5e43) errdefs: denote deprecation as a godoc comment </p> </details> * **github.com/go-logr/logr** v1.2.4 -> v1.3.0 * **github.com/google/go-cmp** v0.5.9 -> v0.6.0 * **github.com/google/uuid** v1.3.1 -> v1.4.0 * **go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc** v0.45.0 -> v0.46.1 * **go.opentelemetry.io/otel** v1.19.0 -> v1.21.0 * **go.opentelemetry.io/otel/metric** v1.19.0 -> v1.21.0 * **go.opentelemetry.io/otel/sdk** v1.19.0 -> v1.21.0 * **go.opentelemetry.io/otel/trace** v1.19.0 -> v1.21.0 * **google.golang.org/genproto** e6e6cdab5c13 -> 989df2bf70f3 * **google.golang.org/genproto/googleapis/api** 007df8e322eb -> 83a465c0220f * **google.golang.org/genproto/googleapis/rpc** d307bd883b97 -> 995d672761c0 Previous release can be found at [v1.7.19](https://github.com/containerd/containerd/releases/tag/v1.7.19)
open-beagle · Aug 26, 2024 · ed7b2f0 · ed7b2f0
2 parents edd33e3 + 8fc6bcf
commit ed7b2f0
Show file tree

Hide file tree

Showing 1,357 changed files with 50,303 additions and 24,776 deletions.
diff --git a/.cirrus.yml b/.cirrus.yml
diff --git a/.github/actions/install-go/action.yml b/.github/actions/install-go/action.yml
@@ -3,7 +3,7 @@ description: "Reusable action to install Go, so there is one place to bump Go ve
 inputs:
   go-version:
     required: true
-    default: "1.21.8"
+    default: "1.21.12"
     description: "Go version to install"
 
 runs:

diff --git a/.github/workflows/api-release.yml b/.github/workflows/api-release.yml
@@ -0,0 +1,80 @@
+on:
+  push:
+    tags:
+      - "api/v*" # Push events to matching api/v*, i.e. api/v1.0, api/v20.15.10
+
+name: API Release
+
+env:
+  GO_VERSION: "1.21.12"
+
+permissions: # added using https://github.com/step-security/secure-workflows
+  contents: read
+
+jobs:
+  check:
+    name: Check Signed Tag
+    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/api/v')
+    runs-on: ubuntu-20.04
+    timeout-minutes: 5
+    outputs:
+      stringver: ${{ steps.contentrel.outputs.stringver }}
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.ref }}
+          path: src/github.com/containerd/containerd
+
+      - name: Check signature
+        run: |
+          releasever=${{ github.ref }}
+          releasever="${releasever#refs/tags/}"
+          TAGCHECK=$(git tag -v ${releasever} 2>&1 >/dev/null) ||
+          echo "${TAGCHECK}" | grep -q "error" && {
+              echo "::error::tag ${releasever} is not a signed tag. Failing release process."
+              exit 1
+          } || {
+              echo "Tag ${releasever} is signed."
+              exit 0
+          }
+        working-directory: src/github.com/containerd/containerd
+
+      - name: Release content
+        id: contentrel
+        run: |
+          RELEASEVER=${{ github.ref }}
+          echo "stringver=${RELEASEVER#refs/tags/api/v}" >> $GITHUB_OUTPUT
+          git tag -l ${RELEASEVER#refs/tags/} -n20000 | tail -n +3 | cut -c 5- >release-notes.md
+        working-directory: src/github.com/containerd/containerd
+
+      - name: Save release notes
+        uses: actions/upload-artifact@v4
+        with:
+          name: containerd-release-notes
+          path: src/github.com/containerd/containerd/release-notes.md
+
+  release:
+    name: Create containerd Release
+    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/api/v')
+    permissions:
+      contents: write
+    runs-on: ubuntu-20.04
+    timeout-minutes: 10
+    needs: [check]
+    steps:
+      - name: Download release notes
+        uses: actions/download-artifact@v4
+        with:
+          path: builds
+      - name: Create Release
+        uses: softprops/action-gh-release@v2
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          fail_on_unmatched_files: true
+          name: containerd API ${{ needs.check.outputs.stringver }}
+          draft: false
+          make_latest: false
+          prerelease: ${{ contains(github.ref, 'beta') || contains(github.ref, 'rc') }}
+          body_path: ./builds/containerd-release-notes/release-notes.md
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -191,7 +191,7 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-20.04, actuated-arm64-4cpu-16gb, macos-12, windows-2019, windows-2022]
-        go-version: ["1.21.8", "1.22.1"]
+        go-version: ["1.21.12", "1.22.5"]
     steps:
       - uses: actions/checkout@v4
       - uses: ./.github/actions/install-go
@@ -528,6 +528,85 @@ jobs:
             ${{github.workspace}}/report/*.xml
             ${{github.workspace}}/report/*.log
 
+  integration-vagrant:
+    name: Vagrant integration
+    runs-on: ubuntu-22.04
+    timeout-minutes: 60
+    needs: [project, linters, protos, man]
+
+    strategy:
+      fail-fast: false
+      matrix:
+        box:
+          - fedora/39-cloud-base
+          # We have to keep EL8 to test old glibc, cgroup, kernel, etc.
+          # The image was changed from rockylinux/8 to almalinux/8,
+          # as the former one no longer works:
+          # https://github.com/containerd/containerd/pull/10297
+          - almalinux/8
+          - rockylinux/9@4.0.0
+    env:
+      BOX: ${{ matrix.box }}
+
+    steps:
+      - name: Show the host info
+        run: |
+          set -x
+          uname -a
+          cat /etc/os-release
+          cat /proc/cpuinfo
+          free -mt
+      - uses: actions/checkout@v4
+      - uses: actions/cache@v4
+        with:
+          path: /root/.vagrant.d
+          key: vagrant-${{ matrix.box }}
+      - name: Set up vagrant
+        run: |
+          # Canonical's Vagrant 2.2.19 dpkg cannot download Fedora 38 image: https://bugs.launchpad.net/vagrant/+bug/2017828
+          # So we have to install Vagrant >= 2.3.1 from the upstream: https://github.com/opencontainers/runc/blob/v1.1.8/.cirrus.yml#L41-L49
+          curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
+          echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
+          sudo sed -i 's/^# deb-src/deb-src/' /etc/apt/sources.list
+          sudo apt-get update
+          sudo apt-get install -y libvirt-daemon libvirt-daemon-system vagrant
+          sudo systemctl enable --now libvirtd
+          sudo apt-get build-dep -y vagrant ruby-libvirt
+          sudo apt-get install -y --no-install-recommends libxslt-dev libxml2-dev libvirt-dev ruby-bundler ruby-dev zlib1g-dev
+          sudo vagrant plugin install vagrant-libvirt
+      - name: Boot VM
+        run: sudo BOX=$BOX vagrant up --no-tty
+      - name: test-integration
+        run: sudo BOX=$BOX vagrant up --provision-with=selinux,install-runc,install-gotestsum,test-integration
+      - name: test-cri-integration
+        run: sudo BOX=$BOX vagrant up --provision-with=selinux,install-runc,install-gotestsum,test-cri-integration
+      - name: test-cri
+        run: sudo BOX=$BOX vagrant up --provision-with=selinux,install-runc,install-gotestsum,test-cri
+
+  tests-cri-in-userns:
+    name: "CRI-in-UserNS"
+
+    runs-on: ubuntu-22.04
+    timeout-minutes: 40
+    needs: [project, linters, protos, man]
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up cgroup v2 delegation
+        run: |
+          sudo mkdir -p /etc/systemd/system/user@.service.d
+          cat <<EOF | sudo tee /etc/systemd/system/user@.service.d/delegate.conf
+          [Service]
+          Delegate=cpu cpuset io memory pids
+          EOF
+          sudo systemctl daemon-reload
+      - name: Build cri-in-userns image
+        run: podman build --target cri-in-userns -t cri-in-userns -f ./contrib/Dockerfile.test .
+      - name: Run cri-in-userns image
+        # Rootless Podman is used for testing CRI-in-UserNS
+        # (We could use rootless Docker or rootless nerdctl, but we are using Podman here because it is preinstalled)
+        run: podman run --rm --privileged cri-in-userns
+
   tests-mac-os:
     name: MacOS unit tests
     runs-on: macos-12

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -13,7 +13,7 @@ on:
 name: Release
 
 env:
-  GO_VERSION: "1.21.8"
+  GO_VERSION: "1.21.12"
 
 permissions: # added using https://github.com/step-security/secure-workflows
   contents: read
@@ -146,7 +146,7 @@ jobs:
         with:
           path: builds
       - name: Create Release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           fail_on_unmatched_files: true
@@ -156,3 +156,4 @@ jobs:
           body_path: ./builds/containerd-release-notes/release-notes.md
           files: |
             builds/release-tars-**/*
+          make_latest: true
diff --git a/.golangci.yml b/.golangci.yml
@@ -1,5 +1,6 @@
 linters:
   enable:
+    - depguard      # Checks for imports that shouldn't be used.
     - exportloopref # Checks for pointers to enclosing loop variables
     - gofmt
     - goimports
@@ -61,6 +62,16 @@ issues:
 
 
 linters-settings:
+  depguard:
+    rules:
+      main:
+        deny:
+          - pkg: "github.com/containerd/containerd/errdefs"
+            desc: The containerd errdefs package was migrated to a separate module. Use github.com/containerd/errdefs instead.
+          - pkg: "github.com/containerd/containerd/log"
+            desc: The containerd log package was migrated to a separate module. Use github.com/containerd/log instead.
+          - pkg: "github.com/containerd/containerd/platforms"
+            desc: The containerd platforms package was migrated to a separate module. Use github.com/containerd/platforms instead.
   gosec:
     # The following issues surfaced when `gosec` linter
     # was enabled. They are temporarily excluded to unblock

diff --git a/Makefile b/Makefile
@@ -150,7 +150,7 @@ GOTEST ?= $(GO) test
 OUTPUTDIR = $(join $(ROOTDIR), _output)
 CRIDIR=$(OUTPUTDIR)/cri
 
-.PHONY: clean all AUTHORS build binaries test integration generate protos check-protos coverage ci check help install uninstall vendor release static-release mandir install-man genman install-cri-deps cri-release cri-cni-release cri-integration install-deps bin/cri-integration.test
+.PHONY: clean all AUTHORS build binaries test integration generate protos check-protos coverage ci check help install uninstall vendor release static-release mandir install-man genman install-cri-deps cri-release cri-cni-release cri-integration install-deps bin/cri-integration.test remove-replace clean-vendor
 .DEFAULT: default
 
 # Forcibly set the default goal to all, in case an include above brought in a rule definition.
@@ -181,6 +181,8 @@ protos: bin/protoc-gen-go-fieldpath
 	@mv ${TMPDIR}/vendor ${ROOTDIR}
 	@rm -rf ${TMPDIR}
 	go-fix-acronym -w -a '(Id|Io|Uuid|Os)$$' $(shell find api/ runtime/ -name '*.pb.go')
+	@test -z "$$(git status --short | grep "api/next.pb.txt" | tee /dev/stderr)" || \
+		$(GO) mod edit -replace=github.com/containerd/containerd/api=./api
 
 check-protos: protos ## check if protobufs needs to be generated again
 	@echo "$(WHALE) $@"
@@ -471,23 +473,31 @@ root-coverage: ## generate coverage profiles for unit tests that require root
 		fi; \
 	done )
 
+remove-replace:
+	@echo "$(WHALE) $@"
+	@$(GO) mod edit -dropreplace=github.com/containerd/containerd/api
+
 vendor: ## ensure all the go.mod/go.sum files are up-to-date including vendor/ directory
 	@echo "$(WHALE) $@"
 	@$(GO) mod tidy
 	@$(GO) mod vendor
 	@$(GO) mod verify
 	@(cd ${ROOTDIR}/integration/client && ${GO} mod tidy)
+	@(cd ${ROOTDIR}/api && ${GO} mod tidy)
 
 verify-vendor: ## verify if all the go.mod/go.sum files are up-to-date
 	@echo "$(WHALE) $@"
 	$(eval TMPDIR := $(shell mktemp -d))
 	@cp -R ${ROOTDIR} ${TMPDIR}
 	@(cd ${TMPDIR}/containerd && ${GO} mod tidy)
+	@(cd ${TMPDIR}/containerd/api && ${GO} mod tidy)
 	@(cd ${TMPDIR}/containerd/integration/client && ${GO} mod tidy)
 	@diff -r -u -q ${ROOTDIR} ${TMPDIR}/containerd
 	@rm -rf ${TMPDIR}
 	@${ROOTDIR}/script/verify-go-modules.sh integration/client
 
+clean-vendor: remove-replace vendor
+
 
 help: ## this help
 	@awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z_-]+:.*?## / {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST) | sort
diff --git a/RELEASES.md b/RELEASES.md
@@ -394,6 +394,9 @@ The deprecated properties in [`config.toml`](./docs/cri/config.md) are shown in
 |`[plugins."io.containerd.grpc.v1.cri".registry]`                      | `auths`                      | containerd v1.3     | containerd v2.0            | Use [`ImagePullSecrets`](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/). See also [#8228](https://github.com/containerd/containerd/issues/8228). |
 |`[plugins."io.containerd.grpc.v1.cri".registry]`                      | `configs`                    | containerd v1.5     | containerd v2.0            | Use [`config_path`](./docs/hosts.md)            |
 |`[plugins."io.containerd.grpc.v1.cri".registry]`                      | `mirrors`                    | containerd v1.5     | containerd v2.0            | Use [`config_path`](./docs/hosts.md)            |
+|`[plugins."io.containerd.tracing.processor.v1.otlp"]`                 | `endpoint`, `protocol`, `insecure` | containerd v1.6.29 | containerd v2.0       | Use [OTLP environment variables](https://opentelemetry.io/docs/specs/otel/protocol/exporter/), e.g. OTEL_EXPORTER_OTLP_TRACES_ENDPOINT, OTEL_EXPORTER_OTLP_PROTOCOL, OTEL_SDK_DISABLED    |
+|`[plugins."io.containerd.internal.v1.tracing"]`                       | `service_name`, `sampling_ratio`   | containerd v1.6.29 | containerd v2.0       | Instead use [OTel environment variables](https://opentelemetry.io/docs/specs/otel/configuration/sdk-environment-variables/), e.g. OTEL_SERVICE_NAME, OTEL_TRACES_SAMPLER*  |
+
 
 > **Note**
 >