Open
Conversation
…ository. Signed-off-by: Shiming Zhang <wzshiming@hotmail.com>
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.43.0 to 0.45.0. - [Commits](golang/crypto@v0.43.0...v0.45.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-version: 0.45.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
v1.4.0 is the first release of the 1.4 release branch which is now encouraged by the maintainers. This update includes a fix for a regression introduced in CVE-2025-52881 mitigation patches where the `mode=` argument was incorrectly applied to tmpfs mounts regardless of whether the target path existed. Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
The otelgrpc.UnaryClientInterceptor and otelgrpc.StreamClientInterceptor options were deprecated and removed in favor of NewClientHandler. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
runc: Update runc binary to v1.4.0
…g.org/x/crypto-0.45.0 build(deps): bump golang.org/x/crypto from 0.43.0 to 0.45.0
core/runtime/v2: remove uses of otelgrpc.UnaryClientInterceptor
Map ctr --gpus requests to NVIDIA CDI device requests
Bumps [github.com/klauspost/compress](https://github.com/klauspost/compress) from 1.18.1 to 1.18.2. - [Release notes](https://github.com/klauspost/compress/releases) - [Commits](klauspost/compress@v1.18.1...v1.18.2) --- updated-dependencies: - dependency-name: github.com/klauspost/compress dependency-version: 1.18.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [softprops/action-gh-release](https://github.com/softprops/action-gh-release) from 2.4.2 to 2.5.0. - [Release notes](https://github.com/softprops/action-gh-release/releases) - [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md) - [Commits](softprops/action-gh-release@5be0e66...a06a81a) --- updated-dependencies: - dependency-name: softprops/action-gh-release dependency-version: 2.5.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.31.5 to 4.31.6. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@fdbfb4d...fe4161a) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.31.6 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
…ithub/codeql-action-4.31.6 build(deps): bump github/codeql-action from 4.31.5 to 4.31.6
…b.com/klauspost/compress-1.18.2 build(deps): bump github.com/klauspost/compress from 1.18.1 to 1.18.2
The original implementation provided a lot of unfilled or wrong filled metrics. This tries to do better by only setting things I am fairly certain are correct. Signed-off-by: Tim Windelschmidt <tim@monogon.tech> Co-authored-by: Mike Brown <brownwm@us.ibm.com>
Signed-off-by: Austin Vazquez <austin.vazquez@docker.com>
Signed-off-by: Austin Vazquez <austin.vazquez@docker.com>
ci: bump Go 1.24.11, 1.25.5
…oftprops/action-gh-release-2.5.0 build(deps): bump softprops/action-gh-release from 2.4.2 to 2.5.0
fix: refactor ListPodSandboxMetrics
Update the OSS-Fuzz CIFuzz action references from commit abe2c06d (Oct 2024) to c8c1b257 (Dec 2025) which includes support for Ubuntu 24.04 base images. The new version reads `base_os_version: ubuntu-24-04` from the containerd project.yaml. Signed-off-by: Davanum Srinivas <davanum@gmail.com>
…o-ubuntu-24-04 ci: update CIFuzz actions to support Ubuntu 24.04
Signed-off-by: ningmingxiao <ning.mingxiao@zte.com.cn>
add some log if blob is skipped to download
Bumps [github.com/containerd/zfs/v2](https://github.com/containerd/zfs) from 2.0.0-rc.0 to 2.0.0. - [Release notes](https://github.com/containerd/zfs/releases) - [Commits](containerd/zfs@v2.0.0-rc.0...v2.0.0) --- updated-dependencies: - dependency-name: github.com/containerd/zfs/v2 dependency-version: 2.0.0 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
vendor: go.opentelemetry.io/otel/exporters v1.38.0, go.opentelemetry.io/contrib v0.63.0
…b.com/containerd/zfs/v2-2.0.0 build(deps): bump github.com/containerd/zfs/v2 from 2.0.0-rc.0 to 2.0.0
adds a background stats collector that calculates `UsageNanoCores` for containers and pod sandboxes. - run in the background every second to collect CPU metrics for all containers and sandboxes (similar to what cAdvisor does) - keep a rolling buffer of CPU samples and calculates the instantaneous CPU usage rate from consecutive samples - read pod-level CPU stats from the parent cgroup rather than the pause container - add cgroupv2 Pressure Stall Information for CPU, memory, and IO - add missing `Timestamp` and `Interfaces` fields when Kubernetes runs with `PodAndContainerStatsFromCRI=true`, it expects `UsageNanoCores` to be set in stats responses. This value represents how much CPU is being used right now (as opposed to `UsageCoreNanoSeconds` which is cumulative). To calculate it, we need to compare CPU samples over time to replicate what is in cadvisor. we can't yet really test this in CI as some changes in kubernetes has to land for `--feature-gates=PodAndContainerStatsFromCRI=true` Signed-off-by: Davanum Srinivas <davanum@gmail.com>
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
Skip the OOMKilled test when running with systemd cgroups, regardless of the user-provided ginkgo skip list, to avoid this known issue. ``` critest '--ginkgo.skip=should prefer new apparmor field|should support apparmor field|should support deprecated apparmor_profile field|should support unsafe sysctls|should support safe sysctls|should allow privilege escalation when false' Jan 23 08:55:25 c48dfdc00254 bash[130]: Summarizing 1 Failure: Jan 23 08:55:25 c48dfdc00254 bash[130]: [FAIL] [k8s.io] Container OOM runtime should output OOMKilled reason [It] should terminate with exitCode 137 and reason OOMKilled Jan 23 08:55:25 c48dfdc00254 bash[130]: sigs.k8s.io/cri-tools/pkg/validate/container_linux.go:165 ``` REF: https://github.com/containerd/containerd/actions/runs/21280114724/job/61248062856 Signed-off-by: Wei Fu <fuweid89@gmail.com>
Signed-off-by: Akhil Mohan <akhilerm@gmail.com>
ci: bump go 1.24.12, 1.25.6
When a container image has a volumes attribute, currently the mount manager is not used here. This leads to issues with the EROFS snapshotter, notably that rwlayer.img is not present when the snapshotter is configured to create a writable block volume. This change implements mount manager as part of the image volumes processing, so that mount manager mounts are correctly processes before calling mount.All Fixes: #12834 Signed-off-by: Champ-Goblem <cameron@northflank.com>
image volume e2e tests in k/k uses containerd version to trigger tests for some features. ref: https://github.com/kubernetes/kubernetes/blob/bfafa32d90958a8fe7a2ce09ed553fdfef4edd98/test/e2e_node/image_volume.go#L64 The current CI builds have only the SHA as the version since the tags are not present. setting fetch-depth makes sure the tags are present and will be used while testing. Signed-off-by: Akhil Mohan <akhilerm@gmail.com>
ci: set fetch-depth for containerd to 0 for version parsing
The Fedora mirror can be flaky, causing 'Connection reset by peer' errors during the Vagrant box download. This change downloads the box file using curl with retry options before adding it to Vagrant: - --retry 5: Retry up to 5 times on transient failures - --retry-delay 5: Wait 5 seconds between retries - --retry-all-errors: Retry on all errors including connection resets - --connect-timeout 30: Fail if can't connect within 30 seconds - --max-time 600: 10 minute max for the entire download Signed-off-by: Aadhar Agarwal <aadagarwal@microsoft.com>
Bumps [github.com/coreos/go-systemd/v22](https://github.com/coreos/go-systemd) from 22.6.0 to 22.7.0. - [Release notes](https://github.com/coreos/go-systemd/releases) - [Commits](coreos/go-systemd@v22.6.0...v22.7.0) --- updated-dependencies: - dependency-name: github.com/coreos/go-systemd/v22 dependency-version: 22.7.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
…integration ci: add retry logic for Fedora Vagrant box download
Bumps [docker/login-action](https://github.com/docker/login-action) from 3.6.0 to 3.7.0. - [Release notes](https://github.com/docker/login-action/releases) - [Commits](docker/login-action@5e57cd1...c94ce9f) --- updated-dependencies: - dependency-name: docker/login-action dependency-version: 3.7.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.31.10 to 4.32.1. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@cdefb33...6bc82e0) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.32.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/cache](https://github.com/actions/cache) from 5.0.2 to 5.0.3. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@8b402f5...cdf6c1f) --- updated-dependencies: - dependency-name: actions/cache dependency-version: 5.0.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
…s-container-host-user pkg/sys: Create user namespace as the container's initial user namesp…
…b.com/coreos/go-systemd/v22-22.7.0 build(deps): bump github.com/coreos/go-systemd/v22 from 22.6.0 to 22.7.0
…ctions/cache-5.0.3 build(deps): bump actions/cache from 5.0.2 to 5.0.3
…ithub/codeql-action-4.32.1 build(deps): bump github/codeql-action from 4.31.10 to 4.32.1
…ocker/login-action-3.7.0 build(deps): bump docker/login-action from 3.6.0 to 3.7.0
script/critest.sh: always skip OOMKilled on systemd cgroup
…unt-manager cri: use mount manager when image has volumes
Use buf to format proto files
edb3e08 removed `script/setup/install-protobuf` and the tools are now installed through `script/setup/install-dev-tools` Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This change sets the AppArmor policy used by containerd to indicate it is `abi/3.0`. This was chosen based on some code archeology which indicated that containerd 1.7 came out in March 2023, before the AppArmor 4.0 ABI. The AppArmor policies themselves date to much older; the last apparmor version-checks were removed in 4baa187 and c990e3f, and both were looking for AppArmor 2.8.96 or older, pointing to abi/3.0 being the "correct" one to pick. Nothing is preventing containerd from migrating to a newer AppArmor ABI; note, however, that anything newer than `abi/4.0` will need modifications to preserve UNIX domain sockets. This was tested by building a custom k3s v1.35.0+k3s3, with the following modification: ``` diff --git a/go.mod b/go.mod index 4e7bacd204..0fcaf76b8f 100644 --- a/go.mod +++ b/go.mod @@ -8,7 +8,7 @@ replace ( github.com/cilium/ebpf => github.com/cilium/ebpf v0.12.3 github.com/cloudnativelabs/kube-router/v2 => github.com/k3s-io/kube-router/v2 v2.6.3-k3s1 github.com/containerd/containerd/api => github.com/containerd/containerd/api v1.9.0 - github.com/containerd/containerd/v2 => github.com/k3s-io/containerd/v2 v2.1.5-k3s1 + github.com/containerd/containerd/v2 => github.com/achernya/containerd/v2 v2.0.0-20260206214308-5e0dce89c422 github.com/containerd/imgcrypt => github.com/containerd/imgcrypt v1.1.11 github.com/containerd/stargz-snapshotter => github.com/k3s-io/stargz-snapshotter v0.17.0-k3s1 github.com/docker/distribution => github.com/docker/distribution v2.8.3+incompatible ``` to use a precursor to this commit. Once built, the resulting k3s was tested on a brand-new Proxmox installation: ``` root@containerd-test:~# uname -a Linux containerd-test 6.17.2-1-pve #1 SMP PREEMPT_DYNAMIC PMX 6.17.2-1 (2025-10-21T11:55Z) x86_64 GNU/Linux root@containerd-test:~# pveversion pve-manager/9.1.1/42db4a6cf33dac83 (running kernel: 6.17.2-1-pve) ``` Files were copied over: ``` achernya@achernya-dev:~/src/k3s$ scp -r dist/artifacts/ root@containerd-test: ``` and installed ``` root@containerd-test:~# mkdir -p /var/lib/rancher/k3s/agent/images/ /usr/local/bin root@containerd-test:~# cp artifacts/k3s /usr/local/bin/ root@containerd-test:~# cp artifacts/k3s-airgap-images-amd64.tar.zst /var/lib/rancher/k3s/agent/images/ ``` then finally started with `k3s server`. Argo CD was then installed: ``` root@containerd-test:~# k3s kubectl create namespace argocd namespace/argocd created root@containerd-test:~# k3s kubectl apply -n argocd --server-side --force-conflicts -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml [elided] root@containerd-test:~# k3s kubectl get pods -A NAMESPACE NAME READY STATUS RESTARTS AGE argocd argocd-application-controller-0 1/1 Running 0 31s argocd argocd-applicationset-controller-77475dfcf-6b4cb 1/1 Running 0 32s argocd argocd-dex-server-6485c5ddf5-ckp5s 1/1 Running 0 32s argocd argocd-notifications-controller-758f795776-djx69 1/1 Running 0 32s argocd argocd-redis-6cc4bb5db5-lt9fh 1/1 Running 0 32s argocd argocd-repo-server-c76cf57cd-mr4mc 1/1 Running 0 32s argocd argocd-server-6f85b59c87-w6cns 0/1 Running 0 32s kube-system coredns-6b4688786f-pnds2 1/1 Running 0 4m1s kube-system helm-install-traefik-crd-cn28g 0/1 Completed 0 4m1s kube-system helm-install-traefik-hc9gp 0/1 Completed 2 4m1s kube-system local-path-provisioner-6bc6568469-7wglx 1/1 Running 0 4m1s kube-system metrics-server-77dbbf84b-nqzsc 1/1 Running 0 4m1s kube-system svclb-traefik-fe6d3a0b-z7jsp 2/2 Running 0 3m14s kube-system traefik-5fdc878c8d-cjhx5 1/1 Running 0 3m15s ``` Fixes: #12726 Signed-off-by: Alex Chernyakhovsky <alex@achernya.com>
go1.25.7 (released 2026-02-04) includes security fixes to the go command and the crypto/tls package, as well as bug fixes to the compiler and the crypto/x509 package. See the Go 1.25.7 milestone on our issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.25.7+label%3ACherryPickApproved full diff: golang/go@go1.25.6...go1.25.7 From the security mailing list: > Hello gophers, > > We have just released Go versions 1.25.7 and 1.24.13, minor point releases. > > These releases include 2 security fixes following the security policy: > > - cmd/cgo: remove user-content from doc strings in cgo ASTs > > A discrepancy between how Go and C/C++ comments > were parsed allowed for code smuggling into the > resulting cgo binary. > > To prevent this behavior, the cgo compiler > will no longer parse user-provided doc > comments. > > Thank you to RyotaK (https://ryotak.net) of > GMO Flatt Security Inc. for reporting this issue. > > This is CVE-2025-61732 and https://go.dev/issue/76697. > > - crypto/tls: unexpected session resumption when using Config.GetConfigForClient > > Config.GetConfigForClient is documented to use the original Config's session > ticket keys unless explicitly overridden. This can cause unexpected behavior if > the returned Config modifies authentication parameters, like ClientCAs: a > connection initially established with the parent (or a sibling) Config can be > resumed, bypassing the modified authentication requirements. > > If ClientAuth is VerifyClientCertIfGiven or RequireAndVerifyClientCert (on the > server) or InsecureSkipVerify is false (on the client), crypto/tls now checks > that the root of the previously-verified chain is still in ClientCAs/RootCAs > when resuming a connection. > > Go 1.26 Release Candidate 2, Go 1.25.6, and Go 1.24.12 had fixed a similar issue > related to session ticket keys being implicitly shared by Config.Clone. Since > this fix is broader, the Config.Clone behavior change has been reverted. > > Note that VerifyPeerCertificate still behaves as documented: it does not apply > to resumed connections. Applications that use Config.GetConfigForClient or > Config.Clone and do not wish to blindly resume connections established with the > original Config must use VerifyConnection instead (or SetSessionTicketKeys or > SessionTicketsDisabled). > > Thanks to Coia Prant (github.com/rbqvq) for reporting this issue. > > This updates CVE-2025-68121 and Go issue https://go.dev/issue/77217. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Bumps [github.com/checkpoint-restore/checkpointctl](https://github.com/checkpoint-restore/checkpointctl) from 1.4.0 to 1.5.0. - [Release notes](https://github.com/checkpoint-restore/checkpointctl/releases) - [Commits](checkpoint-restore/checkpointctl@v1.4.0...v1.5.0) --- updated-dependencies: - dependency-name: github.com/checkpoint-restore/checkpointctl dependency-version: 1.5.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
…b.com/checkpoint-restore/checkpointctl-1.5.0 build(deps): bump github.com/checkpoint-restore/checkpointctl from 1.4.0 to 1.5.0
update to go1.24.13, go1.25.7
contrib/Dockerfile: remove proto3 (protobuf) stage
apparmor: explicitly set abi/3.0
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
20 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
See Commits and Changes for more details.
Created by
pull[bot]
Can you help keep this open source service alive? 💖 Please sponsor : )