containerd changelogs since containerd | diffwithgpt
AI Summary
The commit updates the version of the google-github-actions/auth action from 2.1.8 to 2.1.10 to include security patches or bug fixes. The change affects GitHub workflows that use this action, potentially improving reliability or security.
Commit Log
build(deps): bump google-github-actions/auth from 2.1.8 to 2.1.10

Bumps [google-github-actions/auth](https://github.com/google-github-actions/auth) from 2.1.8 to 2.1.10.
- [Release notes](https://github.com/google-github-actions/auth/releases)
- [Changelog](https://github.com/google-github-actions/auth/blob/main/CHANGELOG.md)
- [Commits](https://github.com/google-github-actions/auth/compare/71f986410dfbc7added4569d411d040a91dc6935...ba79af03959ebeac9769e648f473a284504d9193)

---
updated-dependencies:
- dependency-name: google-github-actions/auth
  dependency-version: 2.1.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
AI Summary
The code updates containerd to use CNI version 1.7.1 and related dependencies, including netlink v1.3.1 and golang/x/net v0.38.0, with changes to installation scripts and vendor dependencies. The changes include modifying the setup scripts to dynamically fetch the CNI version from the go.mod file, and updating vendor dependencies to align with the new versions. Potential risks include compatibility issues with older systems or tools that rely on specific CNI or netlink versions, and possible breaking changes if the new versions introduce incompatible API changes.
Commit Log
bump:update cni to v1.7.1
AI Summary
The code change introduces a new resolver and fetcher system that sets download options for container image fetching, replacing the old configuration with a more structured approach using performance settings and limiter options. This change likely aims to improve concurrency control and download behavior during image pulls by centralizing configuration through resolver options, which are then passed to fetchers. Potential risks include compatibility issues with existing code that relied on the old configuration methods, and the need to ensure all dependent components are updated to use the new resolver interface and options.
Commit Log
set dl options on resolver
AI Summary
The code adds support for EROFS native image layers by checking if the media type ends with `.erofs` and copying the content as a blob if it matches. The `isErofsMediaType` function ensures that only media types ending with `.erofs` are considered valid EROFS layers, avoiding unsupported suffixes.
Commit Log
erofs-differ: support EROFS native image layers

If the layer media type is expected as an EROFS native layer (ending with `.erofs`), copy the content as the layer blob.
AI Summary
The code introduces an HTTPDebug enum to allow more granular control over HTTP debugging and tracing in containerd, including streaming logs to a client. A new field 'logs_stream' is added to the RegistryResolver to specify the stream ID for HTTP logs, enabling client-side streaming of debug information. The code also updates several functions to use the new enum and stream handling, allowing for more flexible and detailed logging during HTTP operations.
Commit Log
Allow streaming to client
AI Summary
The code adds HTTP debug and trace fields to the OCI registry protocol definitions to enable debugging and tracing of HTTP requests. These fields are added to the RegistryResolver message in the transfer package and include getter methods for accessing the debug and trace flags.
Commit Log
Add http debug fields to OCI registry protos
AI Summary
The code moves HTTP debug functionality, including RoundTrip and NewDebugClientTrace, from the cmd directory to the pkg/httpdbg package to centralize and reuse debug logic across the project. This change improves code organization and maintainability by encapsulating HTTP debugging utilities in a dedicated package, reducing duplication across command implementations.
Commit Log
Move HTTP debug code to pkg
AI Summary
The diff replaces direct use of the standard regexp package with lazyregexp to compile regular expressions on first use, improving performance by deferring compilation. This change affects multiple packages in containerd, including CRI bandwidth, identifiers, progress, reference, and sys, to optimize regex handling.
Commit Log
use lazyregexp to compile regexes on first use

- internal/cri/bandwidth: use lazyregexp to compile regexes on first use
- pkg/identifiers: use lazyregexp to compile regexes on first use
- pkg/progress: use lazyregexp to compile regexes on first use
- pkg/reference: use lazyregexp to compile regexes on first use
- pkg/sys: use lazyregexp to compile regexes on first use
AI Summary
The code introduces a way to customize BoltDB options for the MetaStore, allowing more flexible configuration of the underlying database. This change enables users to modify the BoltDB settings that affect the store's performance and behavior.
Commit Log
Customize BoltDB options in MetaStore
AI Summary
The code implements a fast differ for EROFS using DiffDirChanges() to improve performance by avoiding full directory traversal during `nerdctl commit`. The `Compare` method is customized to generate EROFS-formatted blobs and handle compression, labels, and content store operations. The `MountsToLayer` function is modified to correctly identify the EROFS snapshot layer directory for overlayfs mounts.
Commit Log
erofs-differ: implement fast differ with DiffDirChanges()

Unlike the walking differ, which implements a generic method to accommodate all kinds of snapshotters, the EROFS differ is just implemented for EROFS and EROFS snapshotter so it can utilize the recent DiffDirChanges() [1] to avoid traversing the entire rootfs directory in order to improve `nerdctl commit` performance.

Additionally, I think `baseDir` is unnecessary too (in principle, only `upperdir` is useful for OCI format convention). However, addressing this requires more work, so left as is for now.

It's also useful to implement a customized Compare() method for EROFS differ so that we can dump the native EROFS-formatted blob to the content store later.

[1] https://github.com/containerd/continuity/pull/145
AI Summary
The commit updates the GitHub Actions release workflow to use Ubuntu 24.04 as the runner instead of Ubuntu 20.04. This change ensures compatibility with newer dependencies and tools that may require a more recent Linux environment.
Commit Log
ci: update GitHub Actions release runner to ubuntu-24.04
AI Summary
The code change updates all references from deprecated Docker Registry documentation URLs to the new Distribution project documentation URLs. This ensures that all internal documentation links remain valid and point to the correct specification sources.
Commit Log
chore: fix broken links to https://docs.docker.com/registry

https://docs.docker.com/registry is deprecated and doesn't have that content anymore, link to https://distribution.github.io/distribution instead.
AI Summary
The code adds support for passing headers from hosts.toml to DockerAuthorizer, ensuring header overrides are included in auth requests. This change fixes an issue where headers from hosts.toml were not being applied to auth requests, potentially leading to incorrect or missing headers in the request. The test suite verifies that headers are correctly applied to registry and token servers based on the hosts.toml configuration.
Commit Log
Add hosts.toml headers to auth requests

This patch fixed an issue where, when we create a `DockerAuthorizer`, we didn't pass the headers read from hosts.toml to it, causing the headers to be missing in auth requests.
AI Summary
The code adds a check to ensure the pipe is not nil before attempting to write or close it, preventing a panic in the Docker pusher. This change was made to address a potential panic caused by using a nil pipe, as identified by an issue in the Moby project.
Commit Log
Prevent panic in Docker pusher.

Prevent a panic in the Docker pusher pushWriter, by checking that the pipe is non nil before attempting to use it.

The panic was found by Moby issue #46746 (https://github.com/moby/moby/issues/46746). With this fix the panic no longer reproduces.
AI Summary
The commit updates the Azure login action from version 2.2.0 to 2.3.0 across multiple GitHub workflows to ensure compatibility with the latest features and security fixes. This change is likely to address potential security vulnerabilities, improve functionality, or align with new Azure API requirements.
Commit Log
build(deps): bump azure/login from 2.2.0 to 2.3.0

Bumps [azure/login](https://github.com/azure/login) from 2.2.0 to 2.3.0.
- [Release notes](https://github.com/azure/login/releases)
- [Commits](https://github.com/azure/login/compare/a65d910e8af852a8061c627c456678983e180302...a457da9ea143d694b1b9c7c869ebb04ebe844ef5)

---
updated-dependencies:
- dependency-name: azure/login
  dependency-version: 2.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
AI Summary
The code updates the dependency on containernetworking/cni from version 1.2.3 to 1.3.0, which includes structural changes to the API such as renaming NetworkConfig to PluginConfig and adding new fields like LoadOnlyInlinedPlugins. This change introduces backward compatibility issues as NetworkConfig is deprecated and will be removed in a future release, requiring updates to any code relying on the old API.
Commit Log
build(deps): bump github.com/containernetworking/cni from 1.2.3 to 1.3.0

Bumps [github.com/containernetworking/cni](https://github.com/containernetworking/cni) from 1.2.3 to 1.3.0.
- [Release notes](https://github.com/containernetworking/cni/releases)
- [Commits](https://github.com/containernetworking/cni/compare/v1.2.3...v1.3.0)

---
updated-dependencies:
- dependency-name: github.com/containernetworking/cni
  dependency-version: 1.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
AI Summary
The code change improves error messaging for the GetLocalListener function by providing a more descriptive error when creating a Unix socket. This change enhances debugging and troubleshooting by including the path and the original error in the error message.
Commit Log
pkg/sys: improve GetLocalListener/CreateUnixSocket error message
AI Summary
The code updates the version of the lychee-action GitHub action from 2.3.0 to 2.4.0 to benefit from new features or bug fixes. This change is likely to improve the reliability or functionality of link checking in the CI/CD workflow.
Commit Log
build(deps): bump lycheeverse/lychee-action from 2.3.0 to 2.4.0

Bumps [lycheeverse/lychee-action](https://github.com/lycheeverse/lychee-action) from 2.3.0 to 2.4.0.
- [Release notes](https://github.com/lycheeverse/lychee-action/releases)
- [Commits](https://github.com/lycheeverse/lychee-action/compare/f613c4a64e50d792e0b31ec34bbcbba12263c6a6...1d97d84f0bc547f7b25f4c2170d87d810dc2fb2c)

---
updated-dependencies:
- dependency-name: lycheeverse/lychee-action
  dependency-version: 2.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
AI Summary
The code change replaces the use of the original context with a shimCtx in log statements during the copy shim log process. This likely aims to ensure logs are associated with the shim context rather than the parent context, improving context tracking and debugging.
Commit Log
use shimCtx for fifo copy
AI Summary
The commit modifies the CRI KEP issue template to include a new section for rendering markdown. This change likely aims to improve the clarity and formatting of issue discussions related to CRI KEPs.
Commit Log
use type textarea
AI Summary
The code change replaces the metadata store with a memory service for the CRIImageService to ensure synchronous image deletion. This modification likely aims to improve consistency and performance by using a direct in-memory image service instead of a metadata-based approach.
Commit Log
*: CRIImageService should delete image synchronously

Use memory service instead of metadata store.
AI Summary
The commit updates the golangci-lint-action dependency from version 6.5.2 to 7.0.0, which is a major version release. This change likely introduces new features, breaking changes, or configuration adjustments in the linter action.
Commit Log
build(deps): bump golangci/golangci-lint-action from 6.5.2 to 7.0.0

Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 6.5.2 to 7.0.0.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/55c2c1448f86e01eaae002a5a3a9624417608d84...1481404843c368bc19ca9406f87d6e0fc97bdcfd)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...
AI Summary
The commit updates the runc binary version from v1.2.5 to v1.2.6. This change likely ensures compatibility with newer features or security fixes in runc.
Commit Log
Update runc binary to v1.2.6
AI Summary
The commit updates the runc binary version from v1.2.5 to v1.2.6. This change likely ensures compatibility with newer features or security fixes in runc.
Commit Log
Update runc binary to v1.2.6
AI Summary
The diff updates the version of the container-device-interface dependency from v1.0.0 to v1.0.1 and removes an older version of the yaml package. This change likely aims to ensure compatibility with the latest features or bug fixes in the container-device-interface library.
Commit Log
go.mod: tags.cncf.io/container-device-interface v1.0.1
AI Summary
The code updates the version of the golang.org/x/oauth2 package from v0.23.0 to v0.28.0, likely to include bug fixes, security patches, or new features. This change may affect compatibility with existing code that relies on specific behaviors or APIs from the older version.
Commit Log
go.mod: golang.org/x/oauth2 v0.28.0
AI Summary
The diff updates the dependency of github.com/containerd/imgcrypt/v2 from version 2.0.0 to 2.0.1, which is a patch release, likely containing bug fixes and minor improvements. It also updates golang.org/x/net from version 0.35.0 to 0.36.0, which may include bug fixes, performance improvements, or compatibility changes. The code changes in vendor/golang.org/x/net involve refactoring and replacing http.Header with a custom structure, which may improve consistency or address specific issues in HTTP header handling.
Commit Log
build(deps): bump github.com/containerd/imgcrypt/v2 from 2.0.0 to 2.0.1

Bumps [github.com/containerd/imgcrypt/v2](https://github.com/containerd/imgcrypt) from 2.0.0 to 2.0.1.
- [Release notes](https://github.com/containerd/imgcrypt/releases)
- [Changelog](https://github.com/containerd/imgcrypt/blob/main/CHANGES)
- [Commits](https://github.com/containerd/imgcrypt/compare/v2.0.0...v2.0.1)

---
updated-dependencies:
- dependency-name: github.com/containerd/imgcrypt/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
AI Summary
The code change removes redundant comments in the WithUser function to fix a CI lint error. The change is a minor cleanup and does not alter the functionality of the WithUser function.
Commit Log
Fix CI lint error

(cherry picked from commit c8effff1a823bed757194584a80a043c3a69da1a)
AI Summary
The commit updates the docker/login-action dependency from version 3.3.0 to 3.4.0 in the GitHub Actions workflow file. This change likely introduces new features or bug fixes from the minor version update of the login-action.
Commit Log
build(deps): bump docker/login-action from 3.3.0 to 3.4.0

Bumps [docker/login-action](https://github.com/docker/login-action) from 3.3.0 to 3.4.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](https://github.com/docker/login-action/compare/9780b0c442fbb1117ed29e0efdff1e18412f7567...74a5d142397b4f367a81961eba4e8cd7edddf772)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
AI Summary
The release notes for v2.0.4 include bug fixes and updates, with instructions on which files to download and dependencies to install. The version number in the code has been updated from 2.0.3 to 2.0.4, indicating a patch release.
Commit Log
Prepare release notes for v2.0.4
AI Summary
The release notes for v1.7.27 are being prepared, including a new commit reference, project details, dependency matching pattern, and a preface describing the release as a patch release with various fixes and updates. The version number in the version.go file has been updated from 1.7.26 to 1.7.27, indicating a new patch release.
Commit Log
Prepare release notes for v1.7.27
AI Summary
The code change adds support for attestation media types in the Children function to avoid processing them as unknown types. This prevents unnecessary debug logs when traversing image children and ensures attestation layers are ignored.
Commit Log
core/images: Ignore attestations when traversing children

Before this patch, calling `image.Children` on an image built with BuildKit would produce unnecessary `encountered unknown type application/vnd.in-toto+json; children may not be fetched` debug logs, because the media type is neither a known layer or config type.

Make the `image.Children` aware of the attestation layers and don't attempt to traverse them.

(cherry picked from commit e751b6bb1db7936ee111322ff199d9f708c27428)
AI Summary
The code removes a test case for issue 10467, which was related to an upgrade in containerd version 1.7 and is no longer needed in the latest version. The test verified that the 'k8s.io' bucket was removed from the boltdb after an upgrade, which is now considered redundant or unnecessary.
Commit Log
Remove test for issue 10467

This test relates to an upgrade in 1.7 and not needed in latest version
AI Summary
The code adds UID and GID validation limits to the WithUser function to ensure they do not exceed math.MaxInt32, aligning with runc's implementation. A new test case for WithUser is introduced to validate various user and group ID scenarios, including edge cases like invalid values and out-of-range IDs.
Commit Log
(cherry picked from commit de1341c201ffb0effebbf51d00376181968c8779)
AI Summary
The code adds validation for UID and GID values to ensure they are within the range of valid integer values (0 to 2^31 - 1), aligning with runc's implementation limitations. A new test case is introduced to validate the behavior of WithUser with various input formats and edge cases, including invalid UIDs/GIDs and non-existent users/groups.
Commit Log
validate uid/gid
AI Summary
The code adds a case for 'v2.1' in the `ctrdPreviousMajorMinor` function to return 'v2.0', likely to handle version upgrade logic correctly. This change ensures compatibility with version 2.1 by mapping it to the previous major-minor version for upgrade testing.
Commit Log
integration: update TestUpgrade for 2.1
AI Summary
The commit updates golangci-lint to version 1.60.1 to improve code quality and fix potential issues. It also modifies the .golangci.yml configuration to use 'govet' instead of 'vet' and adjusts the exclusion settings for the linter runs.
Commit Log
update golangci-lint to 1.60.1
AI Summary
The code removes an unnecessary unwrap of join errors, simplifying error handling by directly returning the joined error. This change likely improves readability and reduces potential for error handling bugs by eliminating redundant logic.
Commit Log
Remove unnecessary joinError unwrap
AI Summary
The code diff removes the hashicorp/go-multierror dependency and replaces its usage with standard error handling and the errors package, simplifying error management across multiple files. This change likely aims to reduce external dependencies and improve maintainability by using Go's standard error handling features instead of the multierror library.
Commit Log
Remove hashicorp/go-multierror append
AI Summary
The commit updates the containerd/project-checks action from version 1.1.0 to 1.2.1 in the CI workflow to ensure compatibility with newer tooling or features. This change likely aims to benefit from bug fixes, security patches, or new functionality introduced in version 1.2.1 of project-checks.
Commit Log
update containerd/project-checks to 1.2.1
AI Summary
The code updates the golang.org/x/oauth2 dependency from version 0.24.0 to 0.27.0 to address a security vulnerability (CVE-2025-22868). This change includes updating the go.mod and go.sum files, as well as modifying some comments in the vendor directory to reflect the new version.
Commit Log
CVE-2025-22868: upgrade golang.org/x/oauth2 to v0.27.0
AI Summary
The commit updates the actions/cache dependency from version 4.2.1 to 4.2.2 in the CI workflow configuration. This change is likely to address bug fixes, security patches, or minor improvements in the cache action without introducing major functional changes.
Commit Log
build(deps): bump actions/cache from 4.2.1 to 4.2.2

Bumps [actions/cache](https://github.com/actions/cache) from 4.2.1 to 4.2.2.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/0c907a75c2c80ebcb7f088228285e798b750cf8f...d4323d4df104b026a6aa633fdb11d772146be0bf)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
AI Summary
The commit updates the actions/attest-build-provenance action from version 2.2.0 to 2.2.2 to include bug fixes or improvements. This change is likely to enhance the reliability or security of the build provenance attestation process in the release workflow.
Commit Log
build(deps): bump actions/attest-build-provenance from 2.2.0 to 2.2.2

Bumps [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) from 2.2.0 to 2.2.2.
- [Release notes](https://github.com/actions/attest-build-provenance/releases)
- [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md)
- [Commits](https://github.com/actions/attest-build-provenance/compare/520d128f165991a6c774bcb264f323e3d70747f4...bd77c077858b8d561b7a36cbe48ef4cc642ca39d)

---
updated-dependencies:
- dependency-name: actions/attest-build-provenance
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
AI Summary
The code updates the dependency github.com/klauspost/compress from version 1.17.11 to 1.18.0, which includes performance improvements and bug fixes. The change introduces new functionality and optimizations, particularly in the zstd and flate packages, with potential impacts on compression speed and memory usage.
Commit Log
build(deps): bump github.com/klauspost/compress from 1.17.11 to 1.18.0

Bumps [github.com/klauspost/compress](https://github.com/klauspost/compress) from 1.17.11 to 1.18.0.
- [Release notes](https://github.com/klauspost/compress/releases)
- [Changelog](https://github.com/klauspost/compress/blob/master/.goreleaser.yml)
- [Commits](https://github.com/klauspost/compress/compare/v1.17.11...v1.18.0)

---
updated-dependencies:
- dependency-name: github.com/klauspost/compress
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
AI Summary
The code change replaces references to the standard 'bolt' package's error constants with those from 'go.etcd.io/bbolt/errors', ensuring consistent error handling across the containerd project. This change is likely to improve error consistency and compatibility with etcd's bbolt library, which may have updated or renamed error constants.
Commit Log
Swap to go.etcd.io/bbolt/errors for bbolt errors
AI Summary
The code updates the CDI dependency to version 0.8.1, which likely includes bug fixes or new features. The addition of a check for a nil watcher in the cache.go file suggests an improvement to handle edge cases like resource limits or unexpected failures.
Commit Log
Update CDI dependency to v0.8.1.
AI Summary
The code increases the base image size for XFS from 16MB to 300MB to comply with xfsprogs 5.19.0 requirements. This change ensures compatibility with newer versions of xfsprogs that enforce a minimum volume size of 300MB.
Commit Log
increase xfs base image size to 300Mb

from xfsprogs 5.19.0, minimum size of xfs volume has to be 300MB

Ref: https://git.kernel.org/pub/scm/fs/xfs/xfsprogs-dev.git/commit/?id=6e0ed3d19c54603f0f7d628ea04b550151d8a262

(cherry picked from commit 624aa49d4b9b832ca6309182aab006e6097c15b1)
AI Summary
The code change removes dependency on the shim package and replaces it with the events package to handle OOM watcher functionality. This change likely aims to decouple the OOM watcher from the shim package, improving modularity and reducing coupling between components.
Commit Log
prevent oom watcher depend on shim pkg.
AI Summary
The code change removes dependency on the shim package and replaces it with the events package to handle OOM watcher functionality. This change aims to decouple the OOM watcher from the shim package, potentially improving modularity and reducing coupling.
Commit Log
[improve] prevent oom watcher depend on shim pkg.
AI Summary
The code upgrades the x/net package to version 0.33.0, which includes various HTTP/2 protocol improvements and bug fixes. This change introduces new features like support for the ENABLE_CONNECT_PROTOCOL setting and enhancements to HTTP/2 client and server implementations. Potential risks include compatibility issues with older versions of Go or dependent libraries that may not support the new features or changes in behavior.
Commit Log
Upgrade x/net to 0.33.0
AI Summary
The release notes for v1.6.37 are being prepared with a new TOML file specifying the release details, including the commit, project name, dependencies, and preface. The version number in version.go has been updated from 1.6.36 to 1.6.37, indicating a patch release.
Commit Log
Prepare release notes for v1.6.37
AI Summary
The commit updates the ossf/scorecard-action dependency from version 2.4.0 to 2.4.1 in the GitHub Actions workflow file. This change likely aims to incorporate bug fixes, security patches, or minor improvements from the new version of the scorecard-action.
Commit Log
build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1

Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.4.0 to 2.4.1.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](https://github.com/ossf/scorecard-action/compare/62b2cac7ed8198b15735ed49ab1e5cf35480ba46...f49aabe0b5af0936a0987cfb85d86b75731b0186)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
AI Summary
The commit updates the version of the GitHub CodeQL Action from 3.28.9 to 3.28.10 across multiple workflows to benefit from the latest patch release. This change likely includes bug fixes, security patches, or minor improvements without introducing breaking changes.
Commit Log
build(deps): bump github/codeql-action from 3.28.9 to 3.28.10

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.28.9 to 3.28.10.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0...b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
AI Summary
The code updates the runc binary version from v1.2.4 to v1.2.5 to address a regression in systemd v230 affecting GPU workloads. This change ensures compatibility with systemd's behavior and fixes issues related to device rule restrictions requiring a daemon-reload.
Commit Log
Update runc binary to v1.2.5

This is the fifth patch release in the 1.2.z series of runc. It primarily fixes an issue caused by an upstream systemd bug.

There was a regression in systemd v230 which made the way we define device rule restrictions require a systemctl daemon-reload for our transient units. This caused issues for workloads using NVIDIA GPUs. Work around the upstream regression by re-arranging how the unit properties are defined.

Dependency github.com/cyphar/filepath-securejoin is updated to v0.4.1, to allow projects that vendor runc to bump it as well.

CI: fixed criu-dev compilation.

Dependency golang.org/x/net is updated to 0.33.0.

diff: opencontainers/[email protected]
AI Summary
The code adds support for OCI/Image Volume Source by introducing new test cases, helper functions, and integration with container runtime to handle image volume mounts. It includes test functions for image mounting with and without SELinux, as well as helper functions to manage image volume mounts, leases, and cleanup. The implementation ensures that image volumes are properly mounted, handled with SELinux labels, and cleaned up when the sandbox is removed.
Commit Log
Add OCI/Image Volume Source support
AI Summary
The code introduces a mechanism to block NRI plugin synchronization during CRI event processing to prevent inconsistent states caused by missing pods, containers, or missed events. It adds `BlockPluginSync` and `Unblock` methods to control synchronization, with `BlockPluginSync` being deferred in various CRI operations to ensure plugins are not synchronized during critical operations. The change aims to improve consistency by preventing NRI plugins from registering or syncing during events that could lead to data inconsistency.
Commit Log
cri,nri: block NRI plugin sync. during event processing.

Block the synchronization of registering NRI plugins during CRI events to avoid the plugin ending up in an inconsistent starting state after initial sync (missing pods, containers or missed events for some pods or containers).
AI Summary
The diff updates the protobuf library from version 1.36.3 to 1.36.5, primarily to address bug fixes and minor improvements. The change removes support for weak fields across multiple files, which were a legacy feature from proto1, and updates related code to reflect this removal.
Commit Log
build(deps): bump google.golang.org/protobuf from 1.36.3 to 1.36.5

Bumps google.golang.org/protobuf from 1.36.3 to 1.36.5.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
AI Summary
The code updates the dependency github.com/vishvananda/netns from version 0.0.4 to 0.0.5, which is a semver-patch update. The change includes minor version updates to the netns library, which may include bug fixes or small improvements. Several function signatures were modified to return error types explicitly, improving type safety and clarity.
Commit Log
build(deps): bump github.com/vishvananda/netns from 0.0.4 to 0.0.5

Bumps [github.com/vishvananda/netns](https://github.com/vishvananda/netns) from 0.0.4 to 0.0.5.
- [Release notes](https://github.com/vishvananda/netns/releases)
- [Commits](https://github.com/vishvananda/netns/compare/v0.0.4...v0.0.5)

---
updated-dependencies:
- dependency-name: github.com/vishvananda/netns
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
AI Summary
The commit updates the docker/setup-buildx-action dependency from version 3.8.0 to 3.9.0. This change likely introduces new features or bug fixes from the latest version of the action.
Commit Log
build(deps): bump docker/setup-buildx-action from 3.8.0 to 3.9.0

Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3.8.0 to 3.9.0.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](https://github.com/docker/setup-buildx-action/compare/6524bf65af31da8d45b59e8c27de4bd072b392f5...f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
AI Summary
The commit updates the lychee-action dependency from version 2.2.0 to 2.3.0 in the GitHub Actions workflow file. This change likely introduces new features or bug fixes from the minor version update of the action.
Commit Log
build(deps): bump lycheeverse/lychee-action from 2.2.0 to 2.3.0 Bumps [lycheeverse/lychee-action](https://github.com/lycheeverse/lychee-action) from 2.2.0 to 2.3.0. - [Release notes](https://github.com/lycheeverse/lychee-action/releases) - [Commits](https://github.com/lycheeverse/lychee-action/compare/f796c8b7d468feb9b8c0a46da3fac0af6874d374...f613c4a64e50d792e0b31ec34bbcbba12263c6a6) --- updated-dependencies: - dependency-name: lycheeverse/lychee-action dependency-type: direct:production update-type: version-update:semver-minor ...
AI Summary
The code adds tests and logic to ensure privileged containers can access sysfs as read-write when the pod is also privileged, while handling errors when a privileged container is created in a non-privileged pod. It modifies the sandbox start logic to change sysfs mount options to 'rw' if the container is privileged, addressing a compatibility issue where sysfs was read-only by default.
Commit Log
Fix privileged container sysfs can't be rw because pod is ro by default
AI Summary
The code change allows the installation of imgcrypt from a customizable repository by introducing an environment variable IMGCRYPT_REPO. This provides flexibility to use a different repository than the default GitHub one, similar to other installation scripts.
Commit Log
Update install-imgcrypt to allow change install repo
Add repo env similar to other install script
AI Summary
The code update upgrades the go-cni dependency from version 1.1.11 to 1.1.12 and adds the goid and go-deadlock libraries to address a race condition and improve deadlock detection. The changes include replacing sync.RWMutex with deadlock.RWMutex to detect and prevent deadlocks, and adding goid for retrieving goroutine IDs to enhance debugging capabilities.
Commit Log
fix go-cni race condition
AI Summary
The code adds functionality to pass the OCI spec to NRI plugins during the StopPodSandbox hook, allowing plugins to access pod networking information. It introduces helper functions to retrieve network namespaces and IPs, which are used in test cases to validate NRI plugin behavior during pod lifecycle events.
Commit Log
nri: make OCI spec available on StopPodSandbox
The NRI plugins define hooks on the Pod and the Container lifecycle and provide contextual information for each of them in the corresponding hooks. The StopPodSandbox hook already has the namespaces created and the plugins using that hook may require that information, so we should be able to do a best effort to pass it down to the NRI plugins.
AI Summary
The code change swaps the order of 'state' and 'root' parameters in the LoadExistingShims function call to fix a state/root bug in the shim sandbox controller. This adjustment likely ensures that the correct state and root are passed to load existing shims, resolving an issue with how the sandbox controller manages container states and root directories.
Commit Log
Fix state/root bug in shim sandbox controller
AI Summary
The commit updates the actions/attest-build-provenance action from version 2.1.0 to 2.2.0 to benefit from new features or bug fixes. This change is likely to improve build provenance tracking in the release workflow, ensuring better traceability and security.
Commit Log
build(deps): bump actions/attest-build-provenance from 2.1.0 to 2.2.0 Bumps [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) from 2.1.0 to 2.2.0. - [Release notes](https://github.com/actions/attest-build-provenance/releases) - [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md) - [Commits](https://github.com/actions/attest-build-provenance/compare/7668571508540a607bdfd90a87a560489fe372eb...520d128f165991a6c774bcb264f323e3d70747f4) --- updated-dependencies: - dependency-name: actions/attest-build-provenance dependency-type: direct:production update-type: version-update:semver-minor ...
AI Summary
The code change updates the error logging in the portForward function to include more detailed information about the failed port forwarding operation. This change improves debugging by providing a more informative error message, which includes the connection pointer, request ID, port, and the actual error.
Commit Log
fix fatal error: concurrent map iteration and map write
AI Summary
The commit updates multiple configuration files to use Go versions 1.23.5 and 1.22.11, aligning with the latest security and bug fix releases. This change ensures that the project uses the most recent stable Go versions, improving security and stability across development and CI environments.
Commit Log
update to go1.23.5 / go1.22.11
- go1.23.5 (released 2025-01-16) includes security fixes to the crypto/x509 and net/http packages, as well as bug fixes to the compiler, the runtime, and the net package. See the Go 1.23.5 milestone on our issue tracker for details.
- go1.22.11 (released 2025-01-16) includes security fixes to the crypto/x509 and net/http packages, as well as bug fixes to the runtime. See the Go 1.22.11 milestone on our issue tracker for details.
AI Summary
The commit updates the version of the GitHub CodeQL Action from 3.27.9 to 3.28.1 across multiple workflows to benefit from new features or bug fixes. This change is likely aimed at improving security analysis, performance, or compatibility with new GitHub features in the CodeQL Action.
Commit Log
build(deps): bump github/codeql-action from 3.27.9 to 3.28.1 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.27.9 to 3.28.1. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/df409f7d9260372bd5f19e5b04e83cb3c43714ae...b6a472f63d85b9c78a3ac5e89422239fc15e9b3c) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-minor ...
AI Summary
The commit updates the version of the go-patricia library from 2.3.1 to 2.3.2 to include a patch release. This change ensures the project uses the latest bug fixes and security patches from the go-patricia library.
Commit Log
build(deps): bump github.com/tchap/go-patricia/v2 from 2.3.1 to 2.3.2 Bumps [github.com/tchap/go-patricia/v2](https://github.com/tchap/go-patricia) from 2.3.1 to 2.3.2. - [Commits](https://github.com/tchap/go-patricia/compare/v2.3.1...v2.3.2) --- updated-dependencies: - dependency-name: github.com/tchap/go-patricia/v2 dependency-type: direct:production update-type: version-update:semver-patch ...
AI Summary
The commit updates multiple configuration files to use Go versions 1.23.5 and 1.22.11, aligning with the latest security and bug fixes. This change ensures compatibility with the latest Go releases and addresses potential vulnerabilities in the crypto/x509 and net/http packages.
Commit Log
update to go1.23.5 / go1.22.11
- go1.23.5 (released 2025-01-16) includes security fixes to the crypto/x509 and net/http packages, as well as bug fixes to the compiler, the runtime, and the net package. See the Go 1.23.5 milestone on our issue tracker for details.
- go1.22.11 (released 2025-01-16) includes security fixes to the crypto/x509 and net/http packages, as well as bug fixes to the runtime. See the Go 1.22.11 milestone on our issue tracker for details.
AI Summary
The code removes the `noinline` directive from functions related to seccomp profile generation, likely to allow inlining for performance optimization. The test case was modified to handle nil checks and perform a deep comparison of seccomp specOpts to ensure correctness.
Commit Log
Remove noinline in seccomp SpecOpts
AI Summary
The code removes the `noinline` directive from a test function in the apparmor package, likely to allow inlining for performance or testing purposes. The change also modifies the test to handle nil specOpts more gracefully and adds a deep copy comparison to ensure expected and actual specOpts match.
Commit Log
Remove noinline in apparmor SpecOpts
AI Summary
The code enables remote snapshotters by importing the snapshotters package and checking for a configuration flag to apply remote snapshot annotations. It wraps the handler with an info handler wrapper if the remote snapshot annotations are enabled, potentially allowing remote snapshotter integration.
Commit Log
Transfer Service: enable remote snapshotters
AI Summary
The code change modifies the log message to use the String() method on the 'cmd' field to avoid using an unsupported field in logrus. This change ensures compatibility with logrus by preventing the use of a field that may not be supported in certain versions.
Commit Log
log: avoid using unsupported field by logrus
AI Summary
The code adds basic tests for the EROFS snapshotter in containerd, ensuring it can be initialized and closed properly. The test suite uses a helper function to skip tests if required tools or kernel support are not available.
Commit Log
Add tests for EROFS snapshotter
Some basic tests for now.
AI Summary
The code introduces an EROFS snapshotter for containerd, allowing EROFS blob layers to be mounted independently or used with unpacked directories, providing an alternative to the overlay snapshotter. The implementation includes functions for checking EROFS filesystem support, managing snapshot layers, and handling mount operations, with a focus on compatibility and isolation from existing overlay logic. Potential risks include dependency on the EROFS kernel module, which must be loaded, and possible incompatibilities with systems that do not support EROFS or overlayfs.
Commit Log
Introduce EROFS Snapshotter
It allows us to mount each EROFS blob layer (generated by the EROFS differ) independently, or use the "unpacked" fs/ directories (if some other differ is used.) Currently, it's somewhat like the overlay snapshotter, but I tend to separate the new EROFS logic into a self-contained component, rather than keeping it tangled in the very beginning. Existing users who use the overlay snapshotter won't be impacted at all but they have a chance to use this new snapshotter to leverage the EROFS filesystem.
AI Summary
The code adds an integration test to verify that TTY resources are properly released after a container exits, preventing TTY leaks. It tests both TTY-only and interactive container configurations to ensure TTYs are correctly managed during container lifecycle events.
Commit Log
Add integ test to check tty leak
AI Summary
The code adds a lock and deletes the container from the containerInitExit map to prevent a tty leak caused by a lingering init container object. This change ensures that the init container's state is properly cleaned up, avoiding resource leaks and potential conflicts in container lifecycle management.
Commit Log
fix master tty leak due to leaking init container object
AI Summary
The diff updates the version of the otelttrpc package from 0.0.0-20240305015340-ea5083fda723 to 0.1.0, likely to include new features or bug fixes. A change in the metadata_supplier.go file adds a Clone() call to avoid concurrent read/write panics, indicating potential concurrency improvements or bug fixes in the package.
Commit Log
Bump up otelttrpc to 0.1.0
AI Summary
The code update upgrades the go-cni dependency from version 1.1.11 to 1.1.12 and adds the goid and go-deadlock libraries to address a race condition. The changes include mutex refactorings and deadlock detection logic to prevent race conditions in concurrent operations.
Commit Log
fix go-cni race condition
AI Summary
The commit updates the runc binary version from v1.2.3 to v1.2.4 to address a regression related to the default device list. The change re-adds tun/tap devices to the built-in allowed devices list, reverting a previous removal that caused user regressions.
Commit Log
update runc binary to v1.2.4
This is the fourth patch release of the 1.2.z release branch of runc. It includes a fix for a regression introduced in 1.2.0 related to the default device list.
- Re-add tun/tap devices to built-in allowed devices lists. In runc 1.2.0 we removed these devices from the default allow-list (which were added seemingly by accident early in Docker's history) as a precaution in order to try to reduce the attack surface of device inodes available to most containers. At the time we thought that the vast majority of users using tun/tap would already be specifying what devices they need (such as by using --device with Docker/Podman) as opposed to doing the mknod manually, and thus there would've been no user-visible change. Unfortunately, it seems that this regressed a noticeable number of users (and not all higher-level tools provide easy ways to specify devices to allow) and so this change needed to be reverted. Users
AI Summary
The code change ensures that IPv4 addresses are listed before IPv6 addresses in the test case for TestSelectPodIP. This aligns the test with the expected behavior of preferring IPv4 over IPv6 in certain contexts.
Commit Log
Fix "even if IPv4 comes first" test to have IPv4 first
(cherry picked from commit f77185f9e8e2090486897c2240e5f6b945e3f234)
AI Summary
The commit downgrades go-spew and go-difflib to their latest tagged releases to avoid dependency conflicts caused by untagged versions in other modules. It also adds exclude directives in go.mod to prevent future automatic upgrades to these untagged versions.
Commit Log
downgrade go-difflib and go-spew to tagged releases
These dependencies were updated to "master" in some modules we depend on, but have no code-changes since their last release. Unfortunately, this also causes a ripple effect, forcing all users of the containerd module to also update these dependencies to an unreleased / un-tagged version. Both these dependencies will unlikely do a new release in the near future, so exclude these versions so that we can downgrade to the current release. For additional details, see [this PR][1] and links mentioned in it.
[1]: https://github.com/kubernetes-sigs/kustomize/pull/5830#issuecomment-2569960859
AI Summary
The code adds a build tag `no_dynamic_plugins` to disable dynamic plugin imports in containerd. This change modifies build constraints in plugin files to include the new tag, allowing conditional compilation based on the presence of the tag.
Commit Log
chore: add a build tag to disable containerd plugin import
AI Summary
The code is moving fuzz tests to use native fuzzing with the testing.F framework, which allows for better integration with fuzzing tools like OSS-Fuzz. This change involves updating test functions to use the new testing.F API, which provides more control and better error handling during fuzzing. Potential risks include compatibility issues with older versions of Go that do not support the testing.F API, and the need to ensure all fuzz tests are properly adapted to the new API.
Commit Log
Move fuzz tests to go native fuzz [part1]
AI Summary
The code change modifies the IDMapMount function to make overlay idmap mounts read-only, setting MOUNT_ATTR_RDONLY at mount time instead of using MNT_DETACH at unmount time. This change increases the risk of unmount failures due to EBUSY but prevents inadvertent modification of the underlying data through leaked bind mounts. The change includes tests covering the lifecycle of temporary idmap mounts and data integrity in both normal and failed unmount scenarios.
Commit Log
Make ovl idmap mounts read-only
This is a planned follow-on from #10721 primarily at the request of @fuweid, exchanging MNT_DETACH at unmount time for MOUNT_ATTR_RDONLY at mount time. The effect is to increase risk of unmount failure due to EBUSY (as observed in the wild) but add an additional protection that the then-leaked bind mount does not act as a conduit for inadvertent modification of the underlying data, including our own efforts to clean up the mountpoint. Tests covering the lifecycle of the temporary idmap mounts and integrity of the underlying lower layer data are also included in the normal and failed-unmount case.
Fixes #10704
AI Summary
The diff updates dependencies for golang.org/x/crypto, x/net, x/sync, x/sys, x/term, and x/text to newer versions, including updates to the vendor directory and go.sum file. This change likely aims to incorporate bug fixes, security patches, and new features from the latest versions of these packages. Potential risks include compatibility issues with existing code that relies on older versions of these packages, especially if the new versions introduce breaking changes.
Commit Log
vendor: update golang.org/x/crypto dependencies
AI Summary
The commit updates golangci-lint from version 1.60.1 to 1.60.3 to benefit from the latest bug fixes and improvements. It also disables the 'copyloopvar' linter rule, which is relevant for Go 1.22+ and may be unnecessary or conflicting with other rules.
Commit Log
Update golangci to 1.60.3
AI Summary
The code adds an integration test to verify containerd's cgroup writable behavior under different configurations. It tests whether containers can create directories in cgroups when cgroup_writable is set to true or false.
Commit Log
Add integration test
AI Summary
The diff updates the google.golang.org/protobuf dependency from version 1.35.2 to 1.36.0, introducing new API features like APILevel support for Opaque API. New files and code additions implement lazy unmarshaling, presence tracking, and API level configuration for the Opaque API, which may affect how protobuf messages are processed and decoded. Potential risks include compatibility issues with existing code that relies on the previous API behavior, and possible breaking changes if the new API is not properly adopted.
Commit Log
build(deps): bump google.golang.org/protobuf from 1.35.2 to 1.36.0 Bumps google.golang.org/protobuf from 1.35.2 to 1.36.0. --- updated-dependencies: - dependency-name: google.golang.org/protobuf dependency-type: direct:production update-type: version-update:semver-minor ...
AI Summary
The commit updates the docker/setup-buildx-action dependency from version 3.7.1 to 3.8.0. This change likely introduces new features or bug fixes from the minor version update.
Commit Log
build(deps): bump docker/setup-buildx-action from 3.7.1 to 3.8.0 Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3.7.1 to 3.8.0. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](https://github.com/docker/setup-buildx-action/compare/c47758b77c9736f4b2ef4073d4d51994fabfe349...6524bf65af31da8d45b59e8c27de4bd072b392f5) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-type: direct:production update-type: version-update:semver-minor ...
AI Summary
The code change removes the application of IoOwner options when UsernsOptions is set to NODE mode, to avoid compatibility issues with gVisor. This is a workaround to prevent container startup failures in gVisor when UserNamespaceSupport is enabled, as gVisor does not support runc.Options.
Commit Log
internal/cri: should not apply IoOwner options
When kubelet enables UserNamespaceSupport feature gate, kubelet always uses non-empty UsernsOptions to set up pods. In this case, the gVisor shim is unable to parse runc.Option so that it will be unable to start container. This change is to avoid adding IoOwner options if the UsernsOptions is for node level. Since gVisor hasn't feature subcommand yet, CRI status will report that gVisor runtime doesn't support user namespace. So it's kind of workaround to avoid compatible issue.
REF: #11091
AI Summary
The commit updates the golang.org/x/crypto dependency to version 0.31.0 to address a security vulnerability (CVE-2024-45337) related to an authorization bypass in the SSH package. The change is made to the go.mod and go.sum files, and the vendor directory is updated to reflect the new version, though the functionality is not used directly in the project.
Commit Log
vendor: golang.org/x/crypto v0.31.0
update to the latest version of this dependency, which has a fix for an authorization bypass in the ssh package. We don't use this functionality, so there's no need to backport this change (other than de-noising false positives). This is CVE-2024-45337 and Go issue https://go.dev/issue/70779.
full diff: https://github.com/golang/crypto/compare/v0.28.0...v0.31.0
AI Summary
The commit updates the vendored version of golang.org/x/text from v0.19.0 to v0.21.0. This change likely reflects a dependency upgrade to benefit from new features, bug fixes, or security patches in the newer version.
Commit Log
vendor: golang.org/x/text v0.21.0
no changes in vendored code
full diff: https://github.com/golang/text/compare/v0.19.0...v0.21.0
AI Summary
The code diff upgrades golang.org/x/sys from version 0.27.0 to 0.28.0, introducing new constants and types for Linux and Darwin systems, as well as new Windows API functions related to named pipes. The changes include new constants for system calls, structures for network-related data, and additions to support new features or system updates, likely to improve compatibility and functionality across different platforms.
Commit Log
vendor: golang.org/x/sys v0.28.0
full diff: https://github.com/golang/sys/compare/v0.27.0...v0.28.0
AI Summary
The code updates the ID mapping functionality to support multiple uid/gid mappings by modifying the parseIDMapping function to return a single SysProcIDMap instead of a slice and introducing parseIDMappingList to handle multiple mappings. The change allows for more flexible user namespace configuration by parsing comma-separated mappings, which is essential for container runtime scenarios requiring complex ID mappings.
Commit Log
Update idmapped mount to support multiple uid/gid mappings
AI Summary
The code updates the go-cni library to version 1.1.11 to support the CNI STATUS feature. The changes include adding a `ready()` method to check if the CNI is initialized and modifying several methods to call `ready()` before performing operations.
Commit Log
feat: update go-cni version for CNI STATUS
AI Summary
The code adds a 'sync-fs' flag to several containerd commands (import, mount, pull, run) to control filesystem synchronization during image unpacking. This flag is passed to the image.Unpack function via the diff.WithSyncFs option, allowing users to enable or disable filesystem synchronization when unpacking images.
Commit Log
cmd: add syncfs option to ctr command
AI Summary
The commit updates multiple configuration files to use Go versions 1.23.4 and 1.22.10, aligning with the latest stable releases. This change ensures compatibility with the latest Go fixes and security patches, improving reliability and performance across the project's CI, development, and testing environments.
Commit Log
update to go1.23.4 / go1.22.10
- go1.23.4 (released 2024-12-03) includes fixes to the compiler, the runtime, the trace command, and the syscall package. See the Go 1.23.4 milestone on our issue tracker for details. https://github.com/golang/go/issues?q=milestone%3AGo1.23.4+label%3ACherryPickApproved
- go1.22.10 (released 2024-12-03) includes fixes to the runtime and the syscall package. See the Go 1.22.10 milestone on our issue tracker for details. https://github.com/golang/go/issues?q=milestone%3AGo1.22.10+label%3ACherryPickApproved