chore(deps): module github.com/containerd/containerd to v1.6.26 [security] #9

Open
renovate[bot]
@renovate renovate bot commented Aug 6, 2024

Chore Dependencies Request

This PR contains the following updates:

Package Change
github.com/containerd/containerd v1.6.15 -> v1.6.26

GitHub Vulnerability Alerts

CVE-2023-25173

Impact

A bug was found in containerd where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container.

Downstream applications that use the containerd client library may be affected as well.

Patches

This bug has been fixed in containerd v1.6.18 and v1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd's client library should check that application for a separate advisory and instructions.

Workarounds

Ensure that the "USER $USERNAME" Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to ENTRYPOINT ["su", "-", "user"] to allow su to properly set up supplementary groups.

References

Note that CVE IDs apply to a particular implementation, even if an issue is common.

For more information

If you have any questions or comments about this advisory:

To report a security issue in containerd:

CVE-2023-25153

Impact

When importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service.

Patches

This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue.

Workarounds

Ensure that only trusted images are used and that only trusted users have permissions to import images.

Credits

The containerd project would like to thank David Korczynski and Adam Korczynski of ADA Logics for responsibly disclosing this issue in accordance with the containerd security policy during a security fuzzing audit sponsored by CNCF.

For more information

If you have any questions or comments about this advisory:

To report a security issue in containerd:

GHSA-7ww5-4wqc-m92c

/sys/devices/virtual/powercap accessible by default to containers

Intel's RAPL (Running Average Power Limit) feature, introduced by the Sandy Bridge microarchitecture, provides software insights into hardware energy consumption. To facilitate this, Intel introduced the powercap framework in Linux kernel 3.13, which reads values via relevant MSRs (model specific registers) and provides unprivileged userspace access via sysfs. As RAPL is an interface to access a hardware feature, it is only available when running on bare metal with the module compiled into the kernel.

By 2019, it was realized that in some cases unprivileged access to RAPL readings could be exploited as a power-based side-channel against security features including AES-NI (potentially inside a SGX enclave) and KASLR (kernel address space layout randomization). Also known as the PLATYPUS attack, Intel assigned CVE-2020-8694 and CVE-2020-8695, and AMD assigned CVE-2020-12912.

Several mitigations were applied; Intel reduced the sampling resolution via a microcode update, and the Linux kernel prevents access by non-root users since 5.10. However, this kernel-based mitigation does not apply to many container-based scenarios:

  • Unless using user namespaces, root inside a container has the same level of privilege as root outside the container, but with a slightly more narrow view of the system
  • sysfs is mounted inside containers read-only; however only read access is needed to carry out this attack on an unpatched CPU

While this is not a direct vulnerability in container runtimes, defense in depth and safe defaults are valuable and preferred, especially as this poses a risk to multi-tenant container environments. This is provided by masking /sys/devices/virtual/powercap in the default mount configuration, and adding an additional set of rules to deny it in the default AppArmor profile.

While sysfs is not the only way to read from the RAPL subsystem, other ways of accessing it require additional capabilities such as CAP_SYS_RAWIO which is not available to containers by default, or perf paranoia level less than 1, which is a non-default kernel tunable.

References


Release Notes

containerd/containerd (github.com/containerd/containerd)

v1.6.26: containerd 1.6.26

Compare Source

Welcome to the v1.6.26 release of containerd!

The twenty-sixth patch release for containerd 1.6 contains various fixes and updates.

Notable Updates
  • Fix windows default path overwrite issue (#​9441)
  • Update push to inherit distribution sources from parent (#​9453)
  • Mask /sys/devices/virtual/powercap path in runtime spec and deny in default apparmor profile (GHSA-7ww5-4wqc-m92c)
Deprecation Warnings
  • Emit deprecation warning for AUFS snapshotter usage (#​9448)
  • Emit deprecation warning for v1 runtime usage (#​9468)
  • Emit deprecation warning for CRI v1alpha1 usage (#​9468)

See the changelog for complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors
  • Samuel Karp
  • Derek McGowan
  • Kohei Tokunaga
  • Phil Estes
  • Bjorn Neergaard
  • Sebastiaan van Stijn
  • Brian Goff
  • Charity Kathure
  • Kazuyoshi Kato
  • Milas Bowman
  • Wei Fu
  • ruiwen-zhao
Changes
30 commits

  • [release/1.6] Prepare release notes for v1.6.26 (#​9490)
    • ac5c5d3e0 Prepare release notes for v1.6.26
  • Github Security Advisory GHSA-7ww5-4wqc-m92c
    • 02f07fe19 contrib/apparmor: deny /sys/devices/virtual/powercap
    • c94577e78 oci/spec: deny /sys/devices/virtual/powercap
  • [release/1.6] update to go1.20.12, test go1.21.5 (#​9472)
    • 7cbdfc92e update to go1.20.12, test go1.21.5
    • 024b1cce6 update to go1.20.11, test go1.21.4
  • [release/1.6] Add cri-api v1alpha2 usage warning to all api calls (#​9484)
    • 64e56bfde Add cri-api v1alpha2 usage warning to all api calls
  • [release/1.6] tasks: emit warning for v1 runtime and runc v1 runtime (#​9468)
    • efefd3bf3 tasks: emit warning for runc v1 runtime
    • 7825689b4 tasks: emit warning for v1 runtime
  • [release/1.6] snapshots: emit deprecation warning for aufs (#​9448)
    • 7cfe7052f snapshots: emit deprecation warning for aufs
  • [release/1.6] cherry-pick/backport: Update golangci lint (#​9455)
    • a1ae572a2 Fix linter error with updated linter
    • b638791d6 ci: bump up golangci-lint to v1.55.0
    • 2370a2842 Fix linter issues for golangci-lint 1.54.2
    • 8a65e2e31 Bump up golangci-lint to v1.54.2
    • 969f8feb2 Bump up golangci-lint to v1.52.2
  • [release/1.6] push: inherit distribution sources from parent (#​9453)
    • 66959fdf5 push: inherit distribution sources from parent
    • b4dcffcfb content: add InfoProvider interface
    • bef4145c1 Change PushContent to require only Provider
  • [release/1.6] Bump google.golang.org/grpc to v1.58.3 (#​9408)
    • a5fc21060 vendor: google.golang.org/grpc v1.58.3
    • 4fa05b3d8 Upgrade github.com/klauspost/compress from v1.11.13 to v1.15.9
  • [release/1.6] Windows default path overwrite fix (#​9441)
    • ede0ad5e1 Fix windows default path overwrite issue

Dependency Changes
  • cloud.google.com/go/compute/metadata v0.2.3 new
  • github.com/cespare/xxhash/v2 v2.1.2 -> v2.2.0
  • github.com/golang/protobuf v1.5.2 -> v1.5.3
  • github.com/klauspost/compress v1.11.13 -> v1.15.9
  • go.opencensus.io v0.23.0 -> v0.24.0
  • golang.org/x/oauth2 2bc19b1 -> v0.10.0
  • golang.org/x/sync v0.1.0 -> v0.3.0
  • google.golang.org/grpc v1.50.1 -> v1.58.3
  • google.golang.org/protobuf v1.28.1 -> v1.31.0

Previous release can be found at v1.6.25

v1.6.25: containerd 1.6.25

Compare Source

Welcome to the v1.6.25 release of containerd!

The twenty-fifth patch release for containerd 1.6 contains various fixes and updates.

Notable Updates
  • Check whether content did not need to be pushed to remote registry and cross-repo mounted or already existed (#9111)
  • Soft deprecate log package (#​9105)
  • Always try to establish tls connection when tls configured (#​9189)
  • CRI: stop recommending disable_cgroup (#​9169)
  • Allow for images with artifacts layers to pull (#​9150)
  • Require plugins to succeed after registering readiness (#​9166)
  • Avoid potential deadlock in create handler in containerd-shim-runc-v2 (#​9210)
  • Add handling for missing basic auth credentials (#​9236)
  • Add a new image label if it is docker schema 1 (#​9267)
  • Fix ambiguous tls fallback (#​9300)
  • Expose usage of deprecated features (#​9329)
  • Fix shimv1 leak issue (#​9345)
  • Go version update to 1.20.10 (#9264)
  • Update runc to v1.1.10 (#​9360)
  • CRI: fix using the pinned label to pin image (#​9382)

See the changelog for complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors
  • Samuel Karp
  • Derek McGowan
  • Sebastiaan van Stijn
  • Phil Estes
  • Wei Fu
  • Kazuyoshi Kato
  • Akhil Mohan
  • Akihiro Suda
  • Chen Yiyang
  • Fabian Hoffmann
  • Iceber Gu
  • Mike Brown
  • Paweł Gronowski
  • Austin Vazquez
  • Fahed Dorgaa
  • James Sturtevant
  • Kern Walster
  • Marat Radchenko
  • Qiutong Song
  • Tony Fouchard
  • ruiwen-zhao
Changes
82 commits

  • [release/1.6] Prepare release notes for v1.6.25 (#​9394)
  • [release/1.6] cri: fix using the pinned label to pin image (#​9382)
    • b49815300 cri: fix update of pinned label for images
    • 751b0c186 cri: fix using the pinned label to pin image
  • [Release/1.6] vendor: golang.org/x/net v0.17.0 (#​9387)
  • [Release/1.6] CVE-2022-1996 fix for go-restful (#​9385)
  • [release/1.6] Enhance container image unpack client logs (#​9380)
    • 3e68bf65a Enhance container image unpack client logs
  • [release/1.6] update github.com/containerd/nri v0.1.1 (#​9107)
    • 0dd65c826 [release/1.6] update github.com/containerd/nri v0.1.1
  • [release/1.6 backport] update runc binary to v1.1.10 (#​9360)
  • [release/1.6] Expose usage of cri-api v1alpha2 (#​9357)
  • [release/1.6] fix: shimv1 leak issue (#​9345)
  • [release/1.6] update to go1.20.10, test go1.21.3 (#​9264)
    • 6741f819b [release/1.6] update to go1.20.10, test go1.21.3
    • 49615a0e9 [release/1.6] update to go1.20.9, test go1.21.2
  • [release/1.6] cri: add deprecation warnings for mirrors, auths, and configs (#​9355)
    • b68204e53 cri: add deprecation warning for configs
    • ae8c58319 cri: add deprecation warning for auths
    • 455edcad2 cri: add deprecation warning for mirrors
    • 878823f4d cri: add ability to emit deprecation warnings
  • [release/1.6] deprecation: new package for deprecations (#​9329)
    • 477b7d6a1 ctr: new deprecations command
    • 24068b813 dynamic: record deprecation for dynamic plugins
    • 218c7a1df server: add ability to record config deprecations
    • dfb9e1deb pull: record deprecation warning for schema 1
    • 90b42da6f introspection: add support for deprecations
    • 0b6766b37 api/introspection: deprecation warnings in server
    • de3cb4c18 warning: new service for deprecations
    • da1b4419b deprecation: new package for deprecations
  • [release/1.6] integration: deflake TestIssue9103 (#​9353)
    • bca8a3f65 integration: deflake TestIssue9103
  • [release/1.6] ci: Use Vagrant on ubuntu-latest-4-cores (#​9332)
    • 0985f7a43 ci: Use Vagrant on ubuntu-latest-4-cores
  • [release/1.6] Fix ambiguous tls fallback (#​9300)
    • 5dd64301c Check scheme and host of request on push redirect
    • 51df21d09 Avoid TLS fallback when protocol is not ambiguous
  • [release/1.6] Add a new image label if it is docker schema 1 (#​9267)
    • 8108f0d03 Add a new image label if it is docker schema 1
  • [release/1.6 backport] fix protobuf aarch64 (#​9284)
  • [release/1.6] remotes: add handling for missing basic auth credentials (#​9236)
    • e529741d3 remotes: add handling for missing basic auth credentials
    • ca45b92f4 Add ErrUnexpectedStatus to resolver
    • 77c0175b4 Improve ErrUnexpectedStatus default string
  • [release/1.6] Update x/net to 0.13 (#​9130)
  • [release/1.6] Require plugins to succeed after registering readiness (#​9166)
    • 5223bf39a Require plugins to succeed after registering readiness
    • 8f5eba314 cri: call RegisterReadiness after NewCRIService
  • [release/1.6 backport] containerd-shim-runc-v2: avoid potential deadlock in create handler (#​9210)
    • 7b61862e7 *: add runc-fp as runc wrapper to inject failpoint
    • 5238a6470 containerd-shim-runc-v2: avoid potential deadlock in create handler
    • 65e908ee1 containerd-shim-runc-v2: remove unnecessary s.getContainer()
    • 1dd9acecb Uncopypaste parsing of OCI Bundle spec file
    • 71c89ddf2 [release/1.6]: Vagrantfile: install failpoint binaries
  • [release/1.6] cri: stop recommending disable_cgroup (#​9169)
    • 7a0c8b6b7 cri: stop recommending disable_cgroup
  • [release/1.6] Allow for images with artifacts to pull (#​9150)
    • 8066dd81c Allow for images with artifacts to pull
  • [release 1.6] remotes/docker: Fix MountedFrom prefixed with target repository (#​9192)
    • 2fffc344a remotes/docker: Fix MountedFrom prefixed with target repository
  • [release/1.6] remotes: always try to establish tls connection when tls configured (#​9189)
    • 6b5912220 remotes: always try to establish tls connection when tls configured
  • [release/1.6] Build binaries with 1.21.1 (#​9180)
  • [release/1.6 backport] alias log package to github.com/containerd/log v0.1.0 (#​9105)
    • f1591cc9b alias log package to github.com/containerd/log v0.1.0
    • f68d2d93b vendor: golang.org/x/sys v0.7.0
    • f305fb233 vendor: github.com/stretchr/testify v1.8.4
    • 4e24a30af vendor: github.com/sirupsen/logrus v1.9.3
  • [release/1.6] remotes/docker: Add MountedFrom and Exists push status (#​9111)
    • b66c818ba remotes/docker: Add MountedFrom and Exists push status

Changes from containerd/log
9 commits

Changes from containerd/nri
3 commits

  • [release/0.1 backport] remove containerd as dependency (#​58)
    • 4275101 Task: fix typo in godoc
    • f6acbf1 remove containerd as dependency

Dependency Changes
  • github.com/containerd/log v0.1.0 new
  • github.com/containerd/nri v0.1.0 -> v0.1.1
  • github.com/emicklei/go-restful v2.9.5 -> v2.16.0
  • github.com/sirupsen/logrus v1.9.0 -> v1.9.3
  • github.com/stretchr/testify v1.8.1 -> v1.8.4
  • golang.org/x/crypto 3147a52 -> v0.14.0
  • golang.org/x/net v0.8.0 -> v0.17.0
  • golang.org/x/sys v0.6.0 -> v0.13.0
  • golang.org/x/term v0.6.0 -> v0.13.0
  • golang.org/x/text v0.8.0 -> v0.13.0

Previous release can be found at v1.6.24

v1.6.24: containerd 1.6.24

Compare Source

Welcome to the v1.6.24 release of containerd!

The twenty-fourth patch release for containerd 1.6 contains various fixes and updates.

Notable Updates
  • CRI: fix leaked shim caused by high IO pressure (#​9004)
  • Update to go1.20.8 (#​9073)
  • Update runc to v1.1.9 (#​8966)
  • Backport: add configurable mount options to overlay snapshotter (#​8961)
  • log: cleanups and improvements to decouple more from logrus (#​9002)

See the changelog for complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors
  • Sebastiaan van Stijn
  • Akihiro Suda
  • Wei Fu
  • Derek McGowan
  • Akhil Mohan
  • Cardy.Tang
  • Danny Canter
  • Kazuyoshi Kato
  • Mike Brown
  • Phil Estes
  • Samuel Karp
Changes
45 commits

  • [release/1.6] Prepare release notes for v1.6.24 (#​9087)
    • cdd59290d Prepare release notes for v1.6.24
  • [release/1.6 backport] log: cleanups and improvements to decouple more from logrus (#​9002)
    • 33c2d88e7 Revert "log: define G() as a function instead of a variable"
    • 0a7f2975e log: swap logrus functions with their equivalent on default logger
    • 9d175a19b log: add package documentation and summary of package's purpose
    • 96fb65529 log: make Fields type a generic map[string]any
    • bace17e2e log: add log.Entry type
    • dd127885f log: define OutputFormat type
    • 5b4cf2329 log: define G() as a function instead of a variable
    • ee1b4a1e2 log: add all log-levels that are accepted
    • d563a411f log: group "enum" consts and touch-up docs
    • 6e8f4555b log: WithLogger: remove redundant intermediate var
    • c19325559 log: SetFormat: include returns in switch
    • c3c22f8cb log: remove gotest.tools dependency
  • [release/1.6] update to go1.20.8 (#​9073)
  • [release/1.6 backport] make repositories of install dependencies configurable (#​9024)
    • 0da8dcaa7 make repositories of install dependencies configurable
  • [release/1.6 backport] update Golang to go1.20.7, minimum version go1.19 (#​9020)
    • 8e6a9de5b update to go1.20.7, go1.19.12
    • 8b2eb371f Update Go to 1.20.6,1.19.11
    • cff669c7a update go to go1.20.5, go1.19.10
    • f34a22de9 update go to go1.20.4, go1.19.9
    • e8e73065e update go to go1.20.3, go1.19.8
    • 9b3f950d6 Go 1.20.2
    • 17d03ac68 Go 1.20.1
    • 861f65447 go.mod: go 1.19
    • 81fa93784 Stop using math/rand.Read and rand.Seed (deprecated in Go 1.20)
    • 70dc11a6c lint: remove //nolint:dupword that are no longer needed
    • fec784a06 lint: silence "SA1019: tar.TypeRegA has been deprecated... (staticheck)"
    • 6648df1ad lint: silence "type HostFileConfig is unused (unused)"
    • e6b268bc7 golangci-lint v1.51.1
    • c552ccf67 go.mod: golang.org/x/sync v0.1.0
  • [releases/1.6] *: fix leaked shim caused by high IO pressure (#​9004)
    • d00af5c3e integration: issue7496 case should work for runc.v2 only
    • 583696e4e Vagrantfile: add strace tool
    • ab21d60d2 pkg/cri/server: add criService as argument when handle exit event
    • a229883cb pkg/cri/server: fix leaked shim issue
    • d8f824200 integration: add case to reproduce #​7496
  • [release/1.6] Cherry-pick: [overlay] add configurable mount options to overlay snapshotter (#​8961)
    • 8cd40e1d0 Add configurable mount options to overlay
    • 453fa397a feat: make overlay sync removal configurable
  • [release/1.6 backport] update runc binary to v1.1.9 (#​8966)

Dependency Changes
  • golang.org/x/sync 036812b -> v0.1.0

Previous release can be found at v1.6.23

v1.6.23: containerd 1.6.23

Compare Source

Welcome to the v1.6.23 release of containerd!

The twenty-third patch release for containerd 1.6 contains various fixes and updates.

Notable Updates
  • Add stable ABI support in windows platform matcher + update hcsshim tag (#8854)
  • cri: Don't use rel path for image volumes (#8927)
  • Upgrade GitHub actions packages in release workflow (#8908)
  • update to go1.19.12 (#8905)
  • backport: ro option for userxattr mount check + cherry-pick: Fix ro mount option being passed (#8888)

See the changelog for complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors
  • Kirtana Ashok
  • Maksym Pavlenko
  • Austin Vazquez
  • Ben Foster
  • Derek McGowan
  • Mike Brown
  • Phil Estes
  • Rodrigo Campos
  • Sebastiaan van Stijn
  • Wei Fu
Changes
13 commits

  • [release/1.6] Add release notes for v1.6.23 (#​8939)
  • [release/1.6] Add stable ABI support in windows platform matcher + update hcsshim tag (#​8854)
    • f51bf1960 Add support for stable ABI windows versions
    • 43a02c0b2 Update hcsshim tag to v0.9.10
  • [release/1.6] cri: Don't use rel path for image volumes (#​8927)
    • cc5b0a21b cri: Don't use rel path for image volumes
  • [release/1.6 backport] Upgrade GitHub actions packages in release workflow (#​8908)
    • 4238cff1c Upgrade GitHub actions packages in release workflow
  • [release/1.6] update to go1.19.12 (#​8905)
  • [release/1.6] backport: ro option for userxattr mount check + cherry-pick: Fix ro mount option being passed (#​8888)

Dependency Changes
  • github.com/Microsoft/hcsshim v0.9.8 -> v0.9.10

Previous release can be found at v1.6.22

v1.6.22: containerd 1.6.22

Compare Source

Welcome to the v1.6.22 release of containerd!

The twenty-second patch release for containerd 1.6 contains various fixes and updates.

Notable Updates
  • RunC: Update runc binary to v1.1.8 (#​8842)
  • CRI: Fix additionalGids: it should fallback to imageConfig.User when securityContext.RunAsUser,RunAsUsername are empty (#​8823)
  • CRI: Write generated CNI config atomically (#​8826)
  • Fix concurrent writes for UpdateContainerStats (#​8819)
  • Make checkContainerTimestamps less strict on Windows (#​8827)
  • Port-Forward: Correctly handle known errors (#​8805)
  • Resolve docker.NewResolver race condition (#​8800)
  • SecComp: Always allow name_to_handle_at (#​8754)
  • Adding support to run hcsshim from local clone (#​8713)
  • Pinned image support (#​8720)
  • Runtime/V2/RunC: Handle early exits w/o big locks (#​8695)
  • CRITool: Move up to CRI-TOOLS v1.27.0 (#​7997)
  • Fix cpu architecture detection issue on emulated ARM platform (#​8533)
  • Task: Don't close() io before cancel() (#​8659)
  • Fix panic when remote differ returns empty result (#​8640)
  • Plugins: Notify readiness when registered plugins are ready (#​8583)
  • Unwrap io errors in server connection receive error handling (ttrpc#143)

See the changelog for complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors
  • Akihiro Suda
  • Phil Estes
  • Sebastiaan van Stijn
  • Derek McGowan
  • Wei Fu
  • Kazuyoshi Kato
  • Austin Vazquez
  • Samuel Karp
  • dependabot[bot]
  • Jin Dong
  • Maksym Pavlenko
  • Mike Brown
  • Shingo Omura
  • Akhil Mohan
  • Bjorn Neergaard
  • Laura Brehm
  • Tony Fang
  • Aditi Sharma
  • Andrey Epifanov
  • Benjamin Wang
  • Brian Goff
  • Cory Snider
  • Daniel Canter
  • Daniel Lenar
  • Henry Wang
  • Luca Comellini
  • Madhav Jivrajani
  • Mahamed Ali
  • Mohit Sharma
  • Oliver Radwell
  • Priyanka Saggu
  • Qasim Sarfraz
  • Takumasa Sakao
  • wangxiang
  • zounengren
Changes
95 commits

  • [release/1.6] Prepare release notes for v1.6.22 (#​8863)
    • 0770a4601 [release/1.6] Add release notes for v1.6.22
  • [release/1.6] migrate to community owned bucket for node e2e tests (#​8876)
    • 512a672af migrate to community owned bucket
  • [release/1.6] cri: memory.memsw.limit_in_bytes: no such file or directory (#​8870)
    • b585ff155 cri: memory.memsw.limit_in_bytes: no such file or directory
  • [release/1.6] Update go-restful to v3.10.1 (#​8412)
    • a322077bf go.mod: github.com/emicklei/go-restful/v3 v3.10.1
  • [release/1.6 backport] update runc binary to v1.1.8 (#​8842)
  • [release/1.6 backport] ci: remove libseccomp-dev installation for nightly (#​8773)
    • 6e2bcb6dd ci: remove libseccomp-dev installation for nightly
  • [release/1.6 backport] [CRI] fix additionalGids: it should fallback to imageConfig.User when securityContext.RunAsUser,RunAsUsername are empty (#​8823)
    • cd06f23af capture desc variable in range variable just in case that it run in parallel mode
    • 30f5c6a1f Use t.TempDir instead of os.MkdirTemp
    • 59d8363ef fix userstr for dditionalGids on Linux
  • [release/1.6 backport] cri: write generated CNI config atomically (#​8826)
    • d75bf78c2 ctr: update WritePidFile to use atomicfile
    • 5f70b23c1 shim: WritePidFile & WriteAddress use atomicfile
    • 505d444b0 cri: write generated CNI config atomically on Unix
    • b2d2d3829 atomicfile: new package for atomic file writes
  • [release/1.6 backport] Fix concurrent writes for UpdateContainerStats (#​8819)
    • 9f650143f Fix concurrent writes for UpdateContainerStats
  • [release/1.6 backport] Make checkContainerTimestamps less strict on Windows (#​8827)
    • 568ce91ca Make checkContainerTimestamps less strict on Windows
  • [release/1.6 backport] dependency: bump go.etcd.io/bbolt to v1.3.7 (#​8817)
    • d2f47192a dependency: bump go.etcd.io/bbolt to v1.3.7
    • fb56dc245 [release/1.6] vendor: github.com/stretchr/testify v1.8.1
  • [release/1.6 backport] Move logrus setup code to log package (#​8832)
    • 7fbd5dc89 Move logrus setup code to log package
  • [release/1.6 backport] release: Add "cri-containerd.DEPRECATED.txt" in the deprecated cri-containerd-* bundles (#​8820)
    • 59a143670 release: Add "cri-containerd.DEPRECATED.txt" in the deprecated cri-containerd-* bundles
  • [release/1.6 backport] Use version 2 configuration format in docs (#​8821)
    • 5b51b79e2 [release/1.6] fix remaining "v1 config" plugin IDs
    • b7cf26d8d docs: Fix sample config.toml syntax
    • fcdaf0966 docs: migrate config v1 to v2
    • 728d5c5f0 Use version 2 config and mention containerd config command
  • [release/1.6] update go to go1.19.11 (#​8816)
    • 81aa14718 [release/1.6] update go to go1.19.11
  • [release/1.6] update go to go1.19.10 (#​8715)
    • 17cd86629 [release/1.6] update go to go1.19.10
  • [release/1.6 backport] bugfix(port-forward): Correctly handle known errors (#​8805)
    • fdb65f214 bugfix(port-forward): Correctly handle known errors
  • [release/1.6] Resolve docker.NewResolver race condition (#​8800)
    • b5784af66 Change http.Header copy to builtin Clone
    • 31c466f82 Resolve docker.NewResolver race condition
  • [release/1.6 backport] vendor: github.com/containerd/zfs v1.1.0 (#​8781)
    • be6406ca6 vendor: github.com/containerd/zfs v1.1.0
    • 9f1260074 [release/1.6] vendor gotest.tools/v3 v3.5.0
    • 526e9e0ce Bump grpc to v1.50.1
    • 0e7d2d121 go.mod: github.com/sirupsen/logrus v1.9.0
    • 5b153c621 go.mod: github.com/moby/sys/mountinfo v0.6.2
    • 9dee60960 go.mod: github.com/moby/sys/mountinfo v0.6.0
  • [release/1.6 backport] seccomp: always allow name_to_handle_at (#​8754)
    • 07ea7b9e7 seccomp: always allow name_to_handle_at
  • [release/1.6 backport] Update ginkgo to match cri-tools' version (#​8759)
    • 1dae51fed Update ginkgo to match cri-tools' version
  • [release/1.6 backport] integration/client: add timeout to TestShimOOMScore (#​8749)
    • bd76ab978 integration/client: add timeout to TestShimOOMScore
  • [release/1.6 backport] Adding support to run hcsshim from local clone (#​8713)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
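
An added example for the GHSA-7ww5-4wqc-m92c text above (not containerd's code and not part of this PR): it audits an OCI runtime spec (`config.json`) and reports whether `/sys/devices/virtual/powercap` is hidden by `linux.maskedPaths`, counting a masked ancestor directory as sufficient. The sample specs and the names `AuditPowercap`, `Finding` and `covers` are constructed for illustration; the AppArmor rule the advisory also mentions is not checked here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"strings"
)

// powercapPath is the sysfs directory named in GHSA-7ww5-4wqc-m92c.
const powercapPath = "/sys/devices/virtual/powercap"

// ociSpec decodes only the field of an OCI runtime spec that this audit reads.
type ociSpec struct {
	Linux *struct {
		MaskedPaths []string `json:"maskedPaths"`
	} `json:"linux"`
}

// Finding is the audit result; By is the maskedPaths entry that hides powercap.
type Finding struct {
	Masked bool
	By     string
}

// covers reports whether masking the absolute path masked also hides target:
// either the same path after cleaning, or an ancestor directory of it.
// A sibling with a longer name or a child of target does not count.
func covers(masked, target string) bool {
	if !path.IsAbs(masked) {
		return false
	}
	m, t := path.Clean(masked), path.Clean(target)
	return m == "/" || t == m || strings.HasPrefix(t, m+"/")
}

// AuditPowercap parses a runtime spec and checks linux.maskedPaths.
// A spec without a linux section, or with an empty list, is reported unmasked.
func AuditPowercap(specJSON []byte) (Finding, error) {
	var spec ociSpec
	if err := json.Unmarshal(specJSON, &spec); err != nil {
		return Finding{}, fmt.Errorf("parse runtime spec: %w", err)
	}
	if spec.Linux == nil {
		return Finding{}, nil
	}
	for _, p := range spec.Linux.MaskedPaths {
		if covers(p, powercapPath) {
			return Finding{Masked: true, By: p}, nil
		}
	}
	return Finding{}, nil
}

// samples are constructed specs, trimmed to the one field under test.
var samples = []struct{ Name, Spec string }{
	{"no powercap entry", `{"linux":{"maskedPaths":["/proc/kcore","/sys/firmware"]}}`},
	{"exact entry", `{"linux":{"maskedPaths":["/proc/kcore","/sys/devices/virtual/powercap"]}}`},
	{"ancestor entry", `{"linux":{"maskedPaths":["/sys/devices/virtual/"]}}`},
	{"lookalike and child only", `{"linux":{"maskedPaths":["/sys/devices/virtual/powercap-x","/sys/devices/virtual/powercap/intel-rapl"]}}`},
	{"masked paths cleared", `{"linux":{"maskedPaths":[]}}`},
}

func main() {
	for _, s := range samples {
		f, err := AuditPowercap([]byte(s.Spec))
		if err != nil {
			fmt.Printf("%-26s error: %v\n", s.Name, err)
			continue
		}
		fmt.Printf("%-26s masked=%-5t by=%q\n", s.Name, f.Masked, f.By)
	}
}
```
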

…rity]

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot added labels Aug 6, 2024: area/go (Programming language go), area/package (Package), bot (Automation), dependencies (Pull requests that update a dependency), priority/p2 (P2), status/0-triage (Triage)

renovate bot commented Aug 6, 2024

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 8 additional dependencies were updated

Details:

Package Change
github.com/golang/protobuf v1.5.2 -> v1.5.3
github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799 -> v1.1.0-rc2.0.20221005185240-3a7f492d3f1b
github.com/sirupsen/logrus v1.8.1 -> v1.9.3
golang.org/x/sys v0.3.0 -> v0.13.0
golang.org/x/text v0.3.7 -> v0.13.0
google.golang.org/genproto v0.0.0-20220502173005-c8bf987b8c21 -> v0.0.0-20230711160842-782d3b101e98
google.golang.org/grpc v1.47.0 -> v1.58.3
google.golang.org/protobuf v1.28.0 -> v1.31.0
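
An added example (not Renovate's or containerd's code) for the go.mod update described above: it reads a go.mod file, finds the pinned `github.com/containerd/containerd` version and lists which of the three advisories quoted on this page that pin still lacks, using the fixed 1.6.x versions the page states (v1.6.18 and v1.6.26). The module `example.com/app` and the names `OpenAdvisories`, `pinnedVersion` and `fixes16` are hypothetical; versions outside the 1.6 line and `replace` overrides are reported as errors for manual review.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

const module = "github.com/containerd/containerd"

// fixes16: first fixed 1.6.x patch level for each advisory quoted on this page.
var fixes16 = []struct {
	ID    string
	Patch int
}{{"CVE-2023-25173", 18}, {"CVE-2023-25153", 18}, {"GHSA-7ww5-4wqc-m92c", 26}}

// pinnedVersion returns the version go.mod requires for module. It handles
// single-line and block directives and refuses to guess past a replace.
func pinnedVersion(goMod string) (string, error) {
	block, version := "", ""
	for _, line := range strings.Split(goMod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop trailing comments
		f := strings.Fields(line)
		switch {
		case len(f) == 0:
			continue
		case f[0] == ")":
			block = ""
			continue
		case len(f) == 2 && f[1] == "(":
			block = f[0]
			continue
		}
		directive, args := block, f
		if block == "" {
			directive, args = f[0], f[1:]
		}
		if len(args) < 2 || args[0] != module {
			continue
		}
		if directive == "replace" {
			return "", errors.New("replace directive overrides " + module)
		}
		if directive == "require" {
			version = args[1]
		}
	}
	if version == "" {
		return "", errors.New(module + " is not required in this go.mod")
	}
	return version, nil
}

// OpenAdvisories lists the advisories the pinned version does not yet include.
// Only the 1.6 release line is evaluated; anything else is returned as an error.
func OpenAdvisories(goMod string) ([]string, error) {
	v, err := pinnedVersion(goMod)
	if err != nil {
		return nil, err
	}
	var major, minor, patch int
	if n, _ := fmt.Sscanf(v, "v%d.%d.%d", &major, &minor, &patch); n != 3 {
		return nil, fmt.Errorf("cannot parse version %q", v)
	}
	if major != 1 || minor != 6 {
		return nil, fmt.Errorf("%s is outside the 1.6 line", v)
	}
	if strings.Contains(v, "-") {
		patch-- // pre-release or pseudo-version sorts before the tagged release
	}
	open := []string{}
	for _, f := range fixes16 {
		if patch < f.Patch {
			open = append(open, f.ID)
		}
	}
	return open, nil
}

// sampleGoMod is a constructed go.mod for a hypothetical downstream module.
const sampleGoMod = "module example.com/app\n\ngo 1.19\n\nrequire (\n" +
	"\tgithub.com/containerd/containerd v1.6.15\n" +
	"\tgithub.com/sirupsen/logrus v1.8.1 // indirect\n)\n"

func main() {
	fmt.Println(OpenAdvisories(sampleGoMod))
	fmt.Println(OpenAdvisories(strings.Replace(sampleGoMod, "v1.6.15", "v1.6.26", 1)))
}
```
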
