Derek McGowan dmcgowan @docker @containerd maintainer

containerd/ttrpc 174

GRPC for low-memory environments

containerd/continuity 77

A transport-agnostic, filesystem metadata manifest system

dmcgowan/containerd-wasm 52

Implementation of containerd shim using wasm

containerd/release-tool 10

A release tool for generating detailed release notes

dmcgowan/dsdbench 6

Docker Storage Driver Benchmarks and Tests

dmcgowan/boost.php 1

Create your PHP extension in C++, in a minute.

dmcgowan/boto 1

Python interface to Amazon Web Services

dmcgowan/fsnotify 1

File system notification for Go

aaronlehmann/docker 0

Docker - the open-source application container engine

dmcgowan/aws-cli 0

Universal Command Line Interface for Amazon Web Services

create branch dmcgowan/release-tool

branch : add-http-caching

created branch time in 3 days

Pull request review comment containerd/containerd

Add release GH Action triggered by signed tag

+on:+  push:+    tags:+      - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10++name: Containerd Release++jobs:+  check:+    name: Check Signed Tag+    runs-on: ubuntu-18.04+    timeout-minutes: 5++    steps:+      - name: Checkout code+        uses: actions/checkout@v2+        with:+          ref: ${{ github.ref }}+          path: src/github.com/containerd/containerd++      - name: Check signature+        run: |+          releasever=${{ github.ref }}+          releasever="${releasever#refs/tags/}"+          TAGCHECK=$(git tag -v ${releasever} 2>&1 >/dev/null) ||+          echo "${TAGCHECK}" | grep -q "error" && {+              echo "::error::tag ${releasever} is not a signed tag. Failing release process."+              exit 1+          } || {+              echo "Tag ${releasever} is signed."+              exit 0+          }+        working-directory: src/github.com/containerd/containerd++  build:+    name: Build Release Binaries+    runs-on: ${{ matrix.os }}+    needs: [check]+    timeout-minutes: 10++    strategy:+      matrix:+        os: [ubuntu-18.04, windows-2019]++    steps:+      - name: Install Go+        uses: actions/setup-go@v1+        with:+          go-version: '1.13.11'++      - name: Set env+        shell: bash+        run: |+          releasever=${{ github.ref }}+          releasever="${releasever#refs/tags/}"+          echo "::set-env name=RELEASE_VER::${releasever}"+          echo "::set-env name=GOPATH::${{ github.workspace }}"+          echo "::add-path::${{ github.workspace }}/bin"++      - name: Checkout+        uses: actions/checkout@v2+        with:+          repository: containerd/containerd+          ref: ${{ github.ref }}+          path: src/github.com/containerd/containerd++      - name: Install Linux dependencies+        if: startsWith(matrix.os, 'ubuntu')+        run: |+          sudo apt-get install -y btrfs-tools libseccomp-dev++      - name: Make+        shell: bash+        env:+          MOS: ${{ matrix.os }}+          OS: 
linux+        run: |+          make build+          make binaries+          [[ "${MOS}" =~ "windows" ]] && {+              OS=windows+          }+          TARFILE="containerd-${RELEASE_VER#v}-${OS}-amd64.tar.gz"+          tar czf ${TARFILE} bin/+          sha256sum ${TARFILE} >${TARFILE}.sha256sum+        working-directory: src/github.com/containerd/containerd++      - name: Save build binaries+        uses: actions/upload-artifact@v2+        with:+          name: containerd-binaries-${{ matrix.os }}+          path: src/github.com/containerd/containerd/*.tar.gz*++  release:+    name: Create Release+    runs-on: ubuntu-18.04+    timeout-minutes: 10+    needs: [build]++    steps:+      - name: Download builds+        uses: actions/download-artifact@v2+        with:+          path: builds+      - name: Catalog build assets for upload+        id: catalog+        run: |+          _filenum=1+          for i in "ubuntu-18.04" "windows-2019"; do+            for i in `ls builds/containerd-binaries-${i}`; do+              echo "::set-output name=file${_filenum}::${i}"+              let "_filenum+=1"+            done+          done+      - name: Create Release+        id: create_release+        uses: actions/create-release@v1
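
Review bot: in the "Check signature" step the `A || B && { … } || { … }` chain does not branch the way it reads. `&&` and `||` have equal precedence and group left to right, so when `git tag -v` exits 0 (the signature verifies) the `grep` is skipped and control goes straight to the `::error::` block; the "is signed" branch is reached only when `git tag -v` fails with output that lacks the word "error". No step in the `check` job imports a maintainer keyring, so a pass says at most that a signature is present, not whose it is. Suggest importing the expected public keys and branching on the exit status with `if git tag -v "${releasever}"; then … else … fi`. `${{ github.ref }}` is also expanded directly into the script text here and in "Set env"; passing it through `env:` and quoting `"${releasever}"` keeps the ref name from being parsed as shell.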

I still do at least 2 manual checks after the release tool runs: I check the output against previous tags to make sure there is nothing out of the ordinary with the output, and also check authors for duplication. So running locally, doing those checks, creating the tag, then pushing the tag I think is still fine.

Currently the output from the release tool is used exactly as the content for the tag, then that output is also used for the GitHub release, except the first line is removed and used as the name of the release and the second line is blank and removed.

estesp

comment created time in 3 days

started pion/webrtc

started time in 3 days

Pull request review comment containerd/cri

add a registry auth tutorial

 The registry credential in this config will only be used when auth config is not specified by Kubernetes via CRI.  After modify this config, you need restart the `containerd` service.++### Configure Registry Credentials Example - GCR with _json_key Authentication++Create a gcp account with gcr, do all the steps to enable receiving a+pushed image for a gcr instance, including the generation and download of a+new _json_key (for a new service account user.) Then:++```bash
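
Review bot: the added paragraph under "Configure Registry Credentials Example" says "do all the steps to enable receiving a pushed image" without naming the steps or linking to them, so a reader cannot tell what has to be set up before the commands that follow. Suggest linking the provider's setup documentation, writing GCP and GCR in capitals, and stating which role the new service account needs, since its `_json_key` is the credential being configured.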

What is this section necessary for?

mikebrow

comment created time in 3 days

pull request comment containerd/containerd

Add release GH Action triggered by signed tag

Can you create example releases in your fork?

estesp

comment created time in 3 days

Pull request review comment containerd/containerd

Add release GH Action triggered by signed tag

+on:+  push:+    tags:+      - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10++name: Containerd Release++jobs:+  check:+    name: Check Signed Tag+    runs-on: ubuntu-18.04+    timeout-minutes: 5++    steps:+      - name: Checkout code+        uses: actions/checkout@v2+        with:+          ref: ${{ github.ref }}+          path: src/github.com/containerd/containerd++      - name: Check signature+        run: |+          releasever=${{ github.ref }}+          releasever="${releasever#refs/tags/}"+          TAGCHECK=$(git tag -v ${releasever} 2>&1 >/dev/null) ||+          echo "${TAGCHECK}" | grep -q "error" && {+              echo "::error::tag ${releasever} is not a signed tag. Failing release process."+              exit 1+          } || {+              echo "Tag ${releasever} is signed."+              exit 0+          }+        working-directory: src/github.com/containerd/containerd++  build:+    name: Build Release Binaries+    runs-on: ${{ matrix.os }}+    needs: [check]+    timeout-minutes: 10++    strategy:+      matrix:+        os: [ubuntu-18.04, windows-2019]++    steps:+      - name: Install Go+        uses: actions/setup-go@v1+        with:+          go-version: '1.13.11'++      - name: Set env+        shell: bash+        run: |+          releasever=${{ github.ref }}+          releasever="${releasever#refs/tags/}"+          echo "::set-env name=RELEASE_VER::${releasever}"+          echo "::set-env name=GOPATH::${{ github.workspace }}"+          echo "::add-path::${{ github.workspace }}/bin"++      - name: Checkout+        uses: actions/checkout@v2+        with:+          repository: containerd/containerd+          ref: ${{ github.ref }}+          path: src/github.com/containerd/containerd++      - name: Install Linux dependencies+        if: startsWith(matrix.os, 'ubuntu')+        run: |+          sudo apt-get install -y btrfs-tools libseccomp-dev++      - name: Make+        shell: bash+        env:+          MOS: ${{ matrix.os }}+          OS: 
linux+        run: |+          make build+          make binaries+          [[ "${MOS}" =~ "windows" ]] && {+              OS=windows+          }+          TARFILE="containerd-${RELEASE_VER#v}-${OS}-amd64.tar.gz"+          tar czf ${TARFILE} bin/+          sha256sum ${TARFILE} >${TARFILE}.sha256sum+        working-directory: src/github.com/containerd/containerd++      - name: Save build binaries+        uses: actions/upload-artifact@v2+        with:+          name: containerd-binaries-${{ matrix.os }}+          path: src/github.com/containerd/containerd/*.tar.gz*++  release:+    name: Create Release+    runs-on: ubuntu-18.04+    timeout-minutes: 10+    needs: [build]++    steps:+      - name: Download builds+        uses: actions/download-artifact@v2+        with:+          path: builds+      - name: Catalog build assets for upload+        id: catalog+        run: |+          _filenum=1+          for i in "ubuntu-18.04" "windows-2019"; do+            for i in `ls builds/containerd-binaries-${i}`; do+              echo "::set-output name=file${_filenum}::${i}"+              let "_filenum+=1"+            done+          done+      - name: Create Release+        id: create_release+        uses: actions/create-release@v1+        env:+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}+        with:+          tag_name: ${{ github.ref }}+          release_name: Release ${{ github.ref }}+          draft: false+          prerelease: false
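
Review bot: `draft: false` in the "Create Release" step publishes the release as soon as the tag push gets through the build, and `prerelease: false` is fixed for every tag the `v*` pattern matches. Suggest `draft: true` so a maintainer can inspect the notes and attached assets before publishing, and deriving `prerelease` from the tag name. The step receives `GITHUB_TOKEN`, and `actions/create-release@v1`, like the other `uses:` lines, is referenced by a movable tag; pinning each action to a full commit SHA fixes what code runs with that token.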

Can something run here against the tag?

estesp

comment created time in 3 days

Pull request review comment containerd/containerd

Add release GH Action triggered by signed tag

+on:+  push:+    tags:+      - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10++name: Containerd Release++jobs:+  check:+    name: Check Signed Tag+    runs-on: ubuntu-18.04+    timeout-minutes: 5++    steps:+      - name: Checkout code+        uses: actions/checkout@v2+        with:+          ref: ${{ github.ref }}+          path: src/github.com/containerd/containerd++      - name: Check signature+        run: |+          releasever=${{ github.ref }}+          releasever="${releasever#refs/tags/}"+          TAGCHECK=$(git tag -v ${releasever} 2>&1 >/dev/null) ||+          echo "${TAGCHECK}" | grep -q "error" && {+              echo "::error::tag ${releasever} is not a signed tag. Failing release process."+              exit 1+          } || {+              echo "Tag ${releasever} is signed."+              exit 0+          }+        working-directory: src/github.com/containerd/containerd++  build:+    name: Build Release Binaries+    runs-on: ${{ matrix.os }}+    needs: [check]+    timeout-minutes: 10++    strategy:+      matrix:+        os: [ubuntu-18.04, windows-2019]++    steps:+      - name: Install Go+        uses: actions/setup-go@v1+        with:+          go-version: '1.13.11'++      - name: Set env+        shell: bash+        run: |+          releasever=${{ github.ref }}+          releasever="${releasever#refs/tags/}"+          echo "::set-env name=RELEASE_VER::${releasever}"+          echo "::set-env name=GOPATH::${{ github.workspace }}"+          echo "::add-path::${{ github.workspace }}/bin"++      - name: Checkout+        uses: actions/checkout@v2+        with:+          repository: containerd/containerd+          ref: ${{ github.ref }}+          path: src/github.com/containerd/containerd++      - name: Install Linux dependencies+        if: startsWith(matrix.os, 'ubuntu')+        run: |+          sudo apt-get install -y btrfs-tools libseccomp-dev++      - name: Make+        shell: bash+        env:+          MOS: ${{ matrix.os }}+          OS: 
linux+        run: |+          make build+          make binaries+          [[ "${MOS}" =~ "windows" ]] && {+              OS=windows+          }+          TARFILE="containerd-${RELEASE_VER#v}-${OS}-amd64.tar.gz"+          tar czf ${TARFILE} bin/+          sha256sum ${TARFILE} >${TARFILE}.sha256sum+        working-directory: src/github.com/containerd/containerd++      - name: Save build binaries+        uses: actions/upload-artifact@v2+        with:+          name: containerd-binaries-${{ matrix.os }}+          path: src/github.com/containerd/containerd/*.tar.gz*++  release:+    name: Create Release+    runs-on: ubuntu-18.04+    timeout-minutes: 10+    needs: [build]++    steps:+      - name: Download builds+        uses: actions/download-artifact@v2+        with:+          path: builds+      - name: Catalog build assets for upload+        id: catalog+        run: |+          _filenum=1+          for i in "ubuntu-18.04" "windows-2019"; do+            for i in `ls builds/containerd-binaries-${i}`; do+              echo "::set-output name=file${_filenum}::${i}"+              let "_filenum+=1"+            done+          done+      - name: Create Release+        id: create_release+        uses: actions/create-release@v1+        env:+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}+        with:+          tag_name: ${{ github.ref }}+          release_name: Release ${{ github.ref }}
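
Review bot: `release_name: Release ${{ github.ref }}` uses the full ref, so the title would read "Release refs/tags/v…"; the "Check signature" and "Set env" steps strip `refs/tags/` from the same value for exactly that reason. Suggest computing the short tag once in this job, exposing it as a step output, and building the release name from that.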

The release names are usually containerd v1.x.y[-beta.n]

estesp

comment created time in 3 days

Pull request review comment containerd/containerd

Add release GH Action triggered by signed tag

+on:+  push:+    tags:+      - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10++name: Containerd Release++jobs:+  check:+    name: Check Signed Tag+    runs-on: ubuntu-18.04+    timeout-minutes: 5++    steps:+      - name: Checkout code+        uses: actions/checkout@v2+        with:+          ref: ${{ github.ref }}+          path: src/github.com/containerd/containerd++      - name: Check signature+        run: |+          releasever=${{ github.ref }}+          releasever="${releasever#refs/tags/}"+          TAGCHECK=$(git tag -v ${releasever} 2>&1 >/dev/null) ||+          echo "${TAGCHECK}" | grep -q "error" && {+              echo "::error::tag ${releasever} is not a signed tag. Failing release process."+              exit 1+          } || {+              echo "Tag ${releasever} is signed."+              exit 0+          }+        working-directory: src/github.com/containerd/containerd++  build:+    name: Build Release Binaries+    runs-on: ${{ matrix.os }}+    needs: [check]+    timeout-minutes: 10++    strategy:+      matrix:+        os: [ubuntu-18.04, windows-2019]++    steps:+      - name: Install Go+        uses: actions/setup-go@v1+        with:+          go-version: '1.13.11'++      - name: Set env+        shell: bash+        run: |+          releasever=${{ github.ref }}+          releasever="${releasever#refs/tags/}"+          echo "::set-env name=RELEASE_VER::${releasever}"+          echo "::set-env name=GOPATH::${{ github.workspace }}"+          echo "::add-path::${{ github.workspace }}/bin"++      - name: Checkout+        uses: actions/checkout@v2+        with:+          repository: containerd/containerd+          ref: ${{ github.ref }}+          path: src/github.com/containerd/containerd++      - name: Install Linux dependencies+        if: startsWith(matrix.os, 'ubuntu')+        run: |+          sudo apt-get install -y btrfs-tools libseccomp-dev++      - name: Make+        shell: bash+        env:+          MOS: ${{ matrix.os }}+          OS: 
linux+        run: |+          make build+          make binaries+          [[ "${MOS}" =~ "windows" ]] && {+              OS=windows+          }+          TARFILE="containerd-${RELEASE_VER#v}-${OS}-amd64.tar.gz"+          tar czf ${TARFILE} bin/+          sha256sum ${TARFILE} >${TARFILE}.sha256sum+        working-directory: src/github.com/containerd/containerd++      - name: Save build binaries+        uses: actions/upload-artifact@v2+        with:+          name: containerd-binaries-${{ matrix.os }}+          path: src/github.com/containerd/containerd/*.tar.gz*++  release:+    name: Create Release+    runs-on: ubuntu-18.04+    timeout-minutes: 10+    needs: [build]++    steps:+      - name: Download builds+        uses: actions/download-artifact@v2+        with:+          path: builds+      - name: Catalog build assets for upload+        id: catalog+        run: |+          _filenum=1+          for i in "ubuntu-18.04" "windows-2019"; do+            for i in `ls builds/containerd-binaries-${i}`; do+              echo "::set-output name=file${_filenum}::${i}"+              let "_filenum+=1"+            done+          done+      - name: Create Release+        id: create_release+        uses: actions/create-release@v1
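
Review bot: in "Catalog build assets for upload" the inner loop reuses the outer loop variable `i` and iterates over the output of `ls`, so the step works only because the outer word list is expanded before the inner loop overwrites `i`, and any file name with whitespace would be split. Suggest a distinct inner variable and a glob such as `for f in builds/containerd-binaries-"${os}"/*`. The hard-coded "ubuntu-18.04" "windows-2019" list also duplicates `matrix.os` in the `build` job and will drift when the matrix changes.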

Is this autofilling in the content?

estesp

comment created time in 3 days

pull request comment containerd/containerd

Registry config header support and fixes

The resolver itself already supports global level configuration. The per registry configuration format is just that, how to configure per registry. The global configurations (which include configuring where to get per-host configurations) would be done directly by the containerd client (or CRI plugin). Adding that would require no changes to current configuration code.

dmcgowan

comment created time in 3 days

issue comment docker/distribution

Registry Token Remote Certs

Seems like it would just make sense to read from a local file. Reloading can be tricky to time correctly, but it doesn't make sense for the registry process itself to download certs. Normally in cases like this the local configuration may be handled by an external process and the registry should be able to reload configurations without bringing the whole service or container down.

FrankSpitulski

comment created time in 4 days

PR opened cloudflare/wrangler

Fix secret pipe input

Fixes bug where pipe input is always empty

This is my first PR in rust, so I wasn't quite sure if mut should be added to tmp or removed from read_to_string here. This fixed the issue I was seeing in 1.9.1 though

+2 -3

0 comment

1 changed file

pr created time in 4 days

create branch dmcgowan/wrangler

branch : fix-secret-pipe-input

created branch time in 4 days

fork dmcgowan/wrangler

🤠 wrangle your cloudflare workers

https://workers.cloudflare.com

fork in 4 days

Pull request review comment cloudflare/wrangler

fixes more clippy warnings

 pub fn get_user_input_multi_line(prompt_string: &str) -> String {     println!("{}", prompt_string);     let mut input = String::new();     // are we reading from user input?-    if atty::is(Stream::Stdin) {-        input = read!("{}\n");+    let mut input = if atty::is(Stream::Stdin) {+        read!("{}\n")     } else {         // or is this data from a pipe? (support newlines)-        drop(io::stdin().read_to_string(&mut input));-    }+        let tmp = String::new();+        let _ = io::stdin().read_to_string(&mut input);+        tmp
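
Review bot: in the `else` branch, `read_to_string(&mut input)` fills the earlier `input` binding while the block evaluates to `tmp`, which is never written, so the new `let mut input` is always empty for piped data. Suggest `let mut tmp = String::new();` with `read_to_string(&mut tmp)`, and dropping the first `let mut input = String::new();` so the shadowing goes away. `let _ =` also discards the read result, which makes a failed read indistinguishable from empty input; returning or reporting the error would make that visible.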

Is this overwriting input with an empty string? I was trying to trace down an empty input when using pipe in 1.9.1, reverting back to 1.9.0 worked for me.

EverlastingBugstopper

comment created time in 4 days

issue comment docker/distribution

Registry Token Remote Certs

Can you explain the use case here and what you are trying to accomplish?

FrankSpitulski

comment created time in 4 days

pull request comment containerd/containerd

cgroup2 CI

Does the Vagrantfile need to be in the root?

AkihiroSuda

comment created time in 4 days

issue comment cloudflare/wrangler

[dev] Support for local configuration

@ashleymichal yeah, I think #1064 would also solve my use case

dmcgowan

comment created time in 4 days

pull request comment containerd/containerd.io

Update latest release to 1.3.4

@estesp it was just garbage, must have been a development leftover to use for reference when the downloads table was being developed

dmcgowan

comment created time in 4 days

push event containerd/containerd

Phil Estes

commit sha fc2579849a507099f7879ccc48b36bd7c94f5929

Disable travis and codecov comments

Now that release/1.3 has working GH Actions for CI we can disable Travis on PRs for this branch. Also copied the codecov comment disable setting from master.

Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>

Derek McGowan

commit sha cb32a60351d218d2f069e7091767e4de024ecbef

Merge pull request #4281 from estesp/disable-travis-1.3

[release/1.3] Disable TravisCI and Codecov comments

push time in 4 days

PR merged containerd/containerd

[release/1.3] Disable TravisCI and Codecov comments

Now that release/1.3 has working GH Actions for CI we can disable Travis on PRs for this branch. Also copied the codecov comment disable setting from master.

Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>

+6 -0

1 comment

2 changed files

estesp

pr closed time in 4 days

PR opened containerd/containerd.io

Update latest release to 1.3.4

Updates latest pointer on downloads page

+1 -75

0 comment

2 changed files

pr created time in 4 days

create branch dmcgowan/containerd.io

branch : update-latest

created branch time in 4 days

pull request comment containerd/containerd

[release/1.3] Enable GH Actions for release/1.3 branch

Travis will be disabled in follow up?

estesp

comment created time in 4 days

push event containerd/containerd

Lucas Kanashiro

commit sha e34bf08e5891bb805aba7b80a35d4267721eaa0e

riscv64 arch does not support -buildmode=pie

Signed-off-by: Lucas Kanashiro <lucas.kanashiro@canonical.com>

Derek McGowan

commit sha 1c58c5d440f424e2d192f35f02306c5dc1a1e8c9

Merge pull request #4277 from lucaskanashiro/fix-build-on-riscv64

riscv64 arch does not support -buildmode=pie

push time in 5 days

PR merged containerd/containerd

riscv64 arch does not support -buildmode=pie

While trying to update the containerd package in Ubuntu to version 1.3.4 I faced a build failure on riscv64 (full build log here):

make[2]: Entering directory '/<<PKGBUILDDIR>>'
+ bin/ctr
-buildmode=pie not supported on linux/riscv64

This PR simply filters out riscv64 arch when adding the -buildmode=pie option, as it is already done for other architectures.

+1 -1

3 comments

1 changed file

lucaskanashiro

pr closed time in 5 days

pull request comment containerd/containerd

riscv64 arch does not support -buildmode=pie

Please sign your commit using git commit -s, see https://github.com/containerd/project/blob/master/CONTRIBUTING.md#sign-your-work

lucaskanashiro

comment created time in 5 days

issue comment containerd/cri

Please support dynamic AuthConfig (needed to pull sandbox from Amazon ECR)

I think we want to be careful with this one and probably implement it not in a CRI-specific way or by trying to re-use docker credential helpers. The credential helper model doesn't fit well here since it assumes a pre-fetch of the credentials and per-user calling from a client. I've been thinking about this during the registry configuration updates I am making, but I can't see a good way to fetch credentials securely through a simple configuration file. Making a plugin interface may end up being best here.

jmillikin-stripe

comment created time in 5 days

issue closed docker/distribution

Why push permission is required for GET v2/_catalog ?

Hi Recently I configured token auth and acl access for our new registry, and faced a problem getting list of images without admin rights? User with only pull permission gets "401 Unauthorized" for GET /v2/_catalog, though no problem getting image info or downloading images. The following acl fixed a problem

- match: {account: "name", type: "registry", name: "catalog"}
  actions: ["*"]
  comment: "user may work with catalog"

For me it looks like a bug. R/O access requires full permissions (actions: ["*"]) If it was intentional for some reason please provide a link to relevant discussion. Otherwise please fix. // it's the case for both registry:2 and registry:2.7.1

closed time in 5 days

akrasnov-drv

issue comment docker/distribution

Why push permission is required for GET v2/_catalog ?

Read permission is scoped per repository. The catalog endpoint is considered an administrative action as it spans all repositories. The scopes themselves are not wildcards as that can be difficult to do securely.

akrasnov-drv

comment created time in 5 days

PR closed containerd/containerd

vendor: containerd/cri 40071878d7392be4193b33b556a69827710b00b1

full diff: https://github.com/containerd/cri/compare/64aa9da76fc0ab333119f455f3b292244c1fae8c...40071878d7392be4193b33b556a69827710b00b1

+114 -88

5 comments

8 changed files

thaJeztah

pr closed time in 5 days

pull request comment containerd/containerd

vendor: containerd/cri 40071878d7392be4193b33b556a69827710b00b1

Updating the dependencies is certainly part of the release process. There are still in flight changes in cri that are expected for the next beta, let's synchronize updating cri when we ship the next beta, probably next week.

thaJeztah

comment created time in 5 days

push event containerd/containerd

Phil Estes

commit sha 0c9b05fa60e9b3a8ab2b0eb0254833741a73db74

Fix image usage calculation error

Including snapshotter usage in total calculation should be gated by the option `snapshotter` boolean.

Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>

Derek McGowan

commit sha 7ef3c0f47d322a12c543fbd96cdcb14b3c561644

Merge pull request #4275 from estesp/fix-image-usage

Fix image usage calculation error

push time in 5 days

PR merged containerd/containerd

Fix image usage calculation error

Including snapshotter usage in total calculation should be gated by the option snapshotter boolean.

Sometimes a flaky test is trying to tell you something 😄 The intermittent failures of TestImageUsage were actually always reporting the same "offset"; turns out that offset was the exact size of the unpacked root fs of the busybox amd64 build. What was happening is since busybox is used throughout other tests, a snapshot was created that was sometimes not garbage collected by the time TestImageUsage ran, and therefore since the label was associated with the amd64 manifest, it would be added to the size calculation and cause this test to fail.

// cc: @fuweid since I know you had tried to fix this at one point; I also added a deferred deletion of the image reference pinned to the sha256 in the test as when you run it locally multiple times you still get wrong results unless both images are removed. A possibly more "stable" result would be to use a totally different image name that isn't used by any other tests.

Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>

+18 -15

1 comment

2 changed files

estesp

pr closed time in 5 days

PR opened containerd/containerd

Registry config header support and fixes

Fixes a few unresolved bugs in the host config code including a few uninitialized values.

Adds support for per registry host HTTP headers. (Related to https://github.com/containerd/cri/issues/1400)

+99 -41

0 comment

4 changed files

pr created time in 6 days

push event dmcgowan/containerd

Derek McGowan

commit sha 06b0cd45ba7b40a80e239d66827f421c674f6e49

Fix nil pointer errors

Signed-off-by: Derek McGowan <derek@mcg.dev>

Derek McGowan

commit sha 84619ee99812fa865e19da85ffebcfaf890bbcb2

Fix configurations with no server provided

When a server is specified at the top level, there is a bug that prevents the keys from being checked properly. When no server is provided, the server attempts to parse with an empty host, leaving partial values and a defaulted skip verify configuration.

Signed-off-by: Derek McGowan <derek@mcg.dev>

Derek McGowan

commit sha 154e7545f27cda11c9eaf91af8e3b307cc4d7a2a

Add host specific headers

Allows configuring headers per registry host

Signed-off-by: Derek McGowan <derek@mcg.dev>

push time in 6 days

delete branch dmcgowan/containerd.io

delete branch : update-slack-link

delete time in 6 days

create branch dmcgowan/containerd

branch : update-registry-host-config

created branch time in 6 days

issue closed docker/distribution

Docker Registry "token signed by untrusted key with ID"

Hi there,

I am trying to spin up a private docker registry. Still found this library to create the kid given in your detailed implementation documentation: https://github.com/keycloak/keycloak/blob/master/services/src/test/java/org/keycloak/procotol/docker/installation/DockerKeyIdentifierTest.java https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/protocol/docker/DockerKeyIdentifier.java

But whenever I am going to return a given token like this:

        final File file = new File("auth.key");

        Security.addProvider(new BouncyCastleProvider());
        final PrivateKey privateKey = PemUtils.readPrivateKeyFromFile(file.getPath(), "RSA");
        final long time = System.currentTimeMillis() / 1000;

        final JWTCreator.Builder builder = JWT.create();
        final Map<String, Object> headerMap = new HashMap<>();
        headerMap.put("kid", new DockerKeyIdentifier(privateKey).toString());

        builder.withClaim("iss", "test");
        builder.withClaim("aud", "localhost:5000");
        builder.withClaim("sub", subject);
        builder.withClaim("nbf", time - 60);
        builder.withClaim("exp", time + 3600 * 2);
        builder.withClaim("iat", time);
        builder.withClaim("jti", UUID.randomUUID().toString());
        builder.withClaim("access", access);

        return builder
                .withHeader(headerMap)
                .sign(Algorithm.RSA256(null, (RSAPrivateKey) privateKey));

My docker registry says "level=error msg="token signed by untrusted key with ID: \"XROC:JDIA:2AIC:OX2O:AP44:GC6V:N3AV:FAMT:N2VA:TAZN:AIW6:GGNO\"""

And I am now wondering why. My token still looks like this: eyJraWQiOiJYUk9DOkpESUE6MkFJQzpPWDJPOkFQNDQ6R0M2VjpOM0FWOkZBTVQ6TjJWQTpUQVpOOkFJVzY6R0dOTyIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJhdWQiOiJsb2NhbGhvc3Q6NTAwMCIsInN1YiI6ImFkbWluIiwibmJmIjoxNTg3NjAyOTY0LCJhY2Nlc3MiOlt7Im5hbWUiOiJzYW1hbGJhL215LWFwcCIsInR5cGUiOiJyZXBvc2l0b3J5IiwiYWN0aW9ucyI6WyJwdXNoIl19XSwiaXNzIjoidGVzdCIsImV4cCI6MTU4NzYxMDIyNCwiaWF0IjoxNTg3NjAzMDI0LCJqdGkiOiJlYjYxNTJhMi1kNzk3LTRiYmMtYTVjNS03OTE0YzY5M2RkMDYifQ.AsR1dRAUtDgYABVEf6WakcBZN_g0JJjvVQQ1-R15oD_7buLD6RDkC1HEOBEhK4Rzwc3GEvh3-ji5mQX7P_hB7rOZX1KBuPPkMHlq8gP_VuNcKZwLu4NwkGulr6MR0LJVt2zlYZ5-CFhG-5y6WttKdAwnHoED2OvsUt9xlHu19fFQEs331tr5BgYEMIZDxJyXaJ78_1e8ovbf5h40HdqsSEMTFdLTLcs0IsndUExaNgRl7qiD8EcUAe7GTccVo8Cu5FmzlRxFldXwehfltxO_3bseH32E-CyDRDZBQRN_VfX1x8uEthxzjT1ALm19pf7-e032x-FiN_wlt6FoueHO-v5wYNEV-l5alZAzP7xxUlA4Qxp9iGyfPhkuRp9bJEGuNAGnj1S_URmU2VTOEO2PpguiszwKR27Y-tYFpGHqMdv_kf6FTqwylFTNg8RVm8UdA7fmZHZgkxdym4SlvkexAKDBASqBm8_3fiIZwjbgrLTVKKVPj5p6yADSBo9aVyN1jEuRI2Y4zubHhysAhHovciZF76kiW2AR8NDQUp3RZ5jLjhk9HpHmfCyslF61MHNik_YEjThL2lrcTxSbg1TelvsUOtDYaun0_gK7dMqRwxtvbHJnWFDL-L6PP9IFtxkomGwEN7MUjrjd0MSDf0LkdrAJ_xs-mQPUyqKr57mkjTM

closed time in 6 days

PascalKu

issue comment docker/distribution

Docker Registry "token signed by untrusted key with ID"

I suggest requesting help on slack or from keycloak. It is hard to track down and debug an external tool's generation. This is likely an error on the generation or configuration side rather than a registry bug; feel free to re-open if you think this can be traced back to a bug. When opening the bug report, please include configuration, registry version, and sample token which produced the error.

PascalKu

comment created time in 6 days

issue closed docker/distribution

Inconsistent CLI and Docker Engine on Centos

When installing docker-ce version 18.09.9 via the yum repository the automatically installed docker-ce-cli is of version 19. When using the cli I get the following error message:

Error response from daemon: client version 1.40 is too new

I can manually fix this by first installing docker-cli in the proper version but it would be nice if this would work correctly out of the box.

closed time in 6 days

soemeier

issue comment docker/distribution

Inconsistent CLI and Docker Engine on Centos

Please file Docker related issues at https://github.com/docker/for-linux

soemeier

comment created time in 6 days

PR closed docker/distribution

update golang to 1.14.2

+1 -1

1 comment

1 changed file

ducksecops

pr closed time in 6 days

pull request comment docker/distribution

update golang to 1.14.2

Go version will get updated before the release

ducksecops

comment created time in 6 days

issue closedcontainerd/cri

Send X-Forwarded-Host when using wildcard mirror

Now that CRI supports a wildcard header for mirrors, we can have a problem implementing a pull through cache because of the ambiguity of the requested host (two different images with the same name on different backing registries). It also requires configuring the pull through cache to check all possible registries, since it does not know where the original image should be sourced.

If CRI were to set the X-Forwarded-Host header on the request, we could use that to solve both problems.

closed time in 6 days

dmayle

issue commentcontainerd/cri

Send X-Forwarded-Host when using wildcard mirror

See https://github.com/containerd/containerd/issues/3734

This needs to be implemented in the containerd libraries and done in a consistent way. Closing this one as it is tracked already in containerd and OCI distribution spec.

dmayle

comment created time in 6 days

issue closeddocker/distribution

Docker armhf unable to run arm64v8 containers

I reported this on the forums some years ago: https://forums.docker.com/t/unable-to-run-aarch64-containers-from-armv7-docker/67187

The problem is still there, but it's easier to reproduce now that the Raspberry Pi Foundation provides an aarch64 kernel. To repro on Raspbian Buster:

  1. Install Docker CE.

  2. Run sudo rpi-update to download the latest 64-bit kernel.

  3. Edit /boot/config.txt and add the line arm_64bit=1, ideally under the [pi4] section if this is being tested on a Pi 4.

  4. Reboot, and confirm uname -m shows you're now running an aarch64 kernel.

pi@raspberrypi:~ $ docker run -it arm64v8/debian
pi@raspberrypi:~ $ echo $?
159

LXC, systemd-nspawn, or plain chroot do not have this problem. They are able to seamlessly jump from a 32-bit userland to a 64-bit container/chroot.

If there is a fundamental reason that this cannot work with Docker's design, it should be documented and the command should provide a more informative message than null output with return code 159.

64-bit Docker containers on Raspberry Pi have a number of use-cases. At this time it seems that it's only practical to run these on non-Raspbian distros that possess a native 64-bit userland.

closed time in 6 days

jdonald

issue commentdocker/distribution

Docker armhf unable to run arm64v8 containers

Please file Docker related issues at https://github.com/docker/for-linux

jdonald

comment created time in 6 days

issue closeddocker/distribution

network rm can not delete config only network

using (filling in ... with network specific things)

    docker network create --config-only --subnet... --ip-range... -o parent... macvlan-config
    docker network create -d macvlan --scope swarm --config-from macvlan-config macnet

later when using

    docker network rm macnet
    docker network rm macvlan-config

I am told that macvlan-config is in use. When I inspect it, it lists no attachments. This is an issue only solved by removing all docker folders from my hard drive manually. It's not fixed by a reinstall and restart.

I would suggest that ANY removal command that CAN be rejected MUST be force-able, i.e. add "-f" to all "rm" commands. Also, if it's of interest, I'm on RHEL 7.

closed time in 6 days

sirdemios

issue commentdocker/distribution

network rm can not delete config only network

File docker issues here https://github.com/docker/for-linux

sirdemios

comment created time in 6 days

pull request commentcontainerd/containerd

vendor: containerd/cri 40071878d7392be4193b33b556a69827710b00b1

If we don't have a reason, we can just synchronize with the next beta release

thaJeztah

comment created time in 6 days

PR opened containerd/containerd.io

Use containerd slack link

Redirects to CNCF slack which has containerd channels.

This link was recently updated and no longer goes to an empty containerd-only slack account.

+1 -1

0 comment

1 changed file

pr created time in 6 days

create branch dmcgowan/containerd.io

branch : update-slack-link

created branch time in 6 days

issue closedcontainerd/containerd

[Regression] unsupported protocol scheme

[Environment]

Kubernetes 1.16.17 Containerd 1.3.3 Ubuntu Bionic

[Description]

The following endpoint description works with containerd 1.2.X without defining a protocol scheme. (/etc/containerd/config.toml).

    [plugins."io.containerd.grpc.v1.cri".registry.mirrors."niedbalski-bastion.cloud.sts:5000"]
      endpoint = ["niedbalski-bastion.cloud.sts:5000"]

This stopped working on 1.3.X; scheduling pods with k8s 1.16-1.17 doesn't work using the same registry mirror definition.

The pod definition is:

apiVersion: v1
kind: Pod
metadata:
  name: busybox
  namespace: default
spec:
  containers:
    - name: busybox
      image: niedbalski-bastion.cloud.sts:5000/busybox:latest
      command:
        - sleep
        - "3600"
  imagePullSecrets:
    - name: regcred
  restartPolicy: Always

New pods fail with the following error:

" failed to do request: Head niedbalski-bastion.cloud.sts:///v2/busybox/manifests/latest: unsupported protocol scheme "niedbalski-bastion.cloud.sts"

Normal Scheduled <unknown> default-scheduler Successfully assigned default/busybox to juju-3a79d2-00268738-4
Normal Pulling 8m39s (x4 over 10m) kubelet, juju-3a79d2-00268738-4 Pulling image "niedbalski-bastion.cloud.sts:5000/busybox:latest"
Warning Failed 8m39s (x4 over 10m) kubelet, juju-3a79d2-00268738-4 Failed to pull image "niedbalski-bastion.cloud.sts:5000/busybox:latest": rpc error: code = Unknown desc = failed to pull and unpack image "niedbalski-bastion.cloud.sts:5000/busybox:latest": failed to resolve reference "niedbalski-bastion.cloud.sts:5000/busybox:latest": failed to do request: Head niedbalski-bastion.cloud.sts:///v2/busybox/manifests/latest: unsupported protocol scheme "niedbalski-bastion.cloud.sts"
Warning Failed 8m39s (x4 over 10m) kubelet, juju-3a79d2-00268738-4 Error: ErrImagePull
Warning Failed 8m27s (x6 over 10m) kubelet, juju-3a79d2-00268738-4 Error: ImagePullBackOff
Normal BackOff 4m56s (x21 over 10m) kubelet, juju-3a79d2-00268738-4 Back-off pulling image "niedbalski-bastion.cloud.sts:5000/busybox:latest"

[Steps to reproduce]

  1. Configure a private docker repository

  2. Modify the containerd registry mirror config as follows: http://paste.ubuntu.com/p/yP63WMkVT6/

  3. Execute the following pod (http://paste.ubuntu.com/p/BVYQFMfCmk/)

  4. Status of the scheduled pod should be ImagePullBackOff and the before mentioned error should be raised.

[Possible workaround and solution]

  1. As a workaround change the endpoint to support the scheme (https://)
  2. Provide a fallback mechanism for URL parsing validation to fallback to http or https.

I suspect that this change, introduced in 1.3.3 through https://github.com/containerd/containerd/commit/0b29c9c37116e402f61a5d6766bbb3fc0b451ec9, may be the offending commit.

closed time in 6 days

niedbalski
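Added example (not part of the issue or of containerd's code): a Go sketch of why the schemeless endpoint produces this error and of the validation and fallback the reporter suggests. The function names are hypothetical, and defaulting to https rather than http is an assumption made so the fallback never silently downgrades a mirror to plaintext.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// parsedScheme returns what net/url takes to be the scheme of endpoint,
// or "" when the string does not parse at all.
func parsedScheme(endpoint string) string {
	u, err := url.Parse(endpoint)
	if err != nil {
		return ""
	}
	return u.Scheme
}

// checkEndpoint accepts only absolute http(s) URLs that carry a host.
// A "host:port" string fails here: everything before the first colon is
// parsed as the scheme, which is where "unsupported protocol scheme" comes from.
func checkEndpoint(endpoint string) (*url.URL, error) {
	u, err := url.Parse(endpoint)
	if err != nil {
		return nil, fmt.Errorf("endpoint %q does not parse: %w", endpoint, err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("endpoint %q: scheme parsed as %q, want http or https", endpoint, u.Scheme)
	}
	if u.Host == "" {
		return nil, fmt.Errorf("endpoint %q has no host", endpoint)
	}
	return u, nil
}

// normalizeEndpoint is the fallback: a value without "://" gets defaultScheme
// prepended, then goes through the same check as every other endpoint.
// Assumption of this example: callers pass "https" unless the operator has
// explicitly opted into plain HTTP for that registry.
func normalizeEndpoint(endpoint, defaultScheme string) (string, error) {
	if !strings.Contains(endpoint, "://") {
		endpoint = defaultScheme + "://" + endpoint
	}
	u, err := checkEndpoint(endpoint)
	if err != nil {
		return "", err
	}
	return u.String(), nil
}

func main() {
	for _, ep := range []string{
		"niedbalski-bastion.cloud.sts:5000",         // endpoint value from the issue
		"https://niedbalski-bastion.cloud.sts:5000", // the workaround
	} {
		_, err := checkEndpoint(ep)
		fixed, _ := normalizeEndpoint(ep, "https")
		fmt.Printf("%-45s scheme=%q check=%v normalized=%s\n", ep, parsedScheme(ep), err, fixed)
	}
}
```

Running the check when the configuration is loaded surfaces the problem at startup instead of at the first image pull.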

issue commentcontainerd/containerd

[Regression] unsupported protocol scheme

1.3.4 has since been released

niedbalski

comment created time in 6 days

issue closedcontainerd/containerd

can't run container in container for reason 'failed to mount /tmp/containerd-mount: read-only file system'


mount ctr and containerd sock file into container, and try ctr run in container, but it failed


Steps to reproduce the issue:

  1. in host terminal, ctr run --privileged -t --mount type=bind,src=/home/xxx/gopath/bin,dst=/usr/local/bin,options=rbind:ro --mount type=bind,src=/run,dst=/run,options=rbind:ro kubernetes-entrypoint:v0.3.1 foo bash
  2. in container foo, try run another container, ctr run --mount type=bind,src=/tmp,dst=/tmp,options=rbind:ro docker.io/library/busybox:glibc bar sh

Describe the results you received: ctr: failed to mount /tmp/containerd-mount369866465: read-only file system

Describe the results you expected: success

Output of containerd --version:

$ ./bin/containerd -v
containerd github.com/containerd/containerd v1.3.0-540-gb1f51464 b1f514641f328ad20d0444ad3837947105c76434

Any other relevant information:

closed time in 6 days

yylt

issue commentcontainerd/containerd

can't run container in container for reason 'failed to mount /tmp/containerd-mount: read-only file system'

The question here seems to be solved. Please feel free to follow up on Slack related to running clients not directly on the host.

yylt

comment created time in 6 days

issue closedcontainerd/containerd

Can't pull image because "no such host" / host can not be resolved.

This is probably more of a question than a bug report, but I could not figure out how to tag it appropriately :-(

Description

containerd can't pull an image from a local repository, stating that there is "no such host", even though the host is resolvable on that machine. I am using containerd as part of a k3s installation on a Raspberry Pi.

Steps to reproduce the issue:

  1. sudo ctr --debug images pull comp.local/weg17api-arm:develop

Describe the results you received:

DEBU[2020-05-04T19:51:04.330191488+02:00] fetching                                      image="comp.local/weg17api-arm:develop"
DEBU[2020-05-04T19:51:04.330587373+02:00] resolving                                     host=comp.local
DEBU[2020-05-04T19:51:04.330788987+02:00] do request                                    host=comp.local request.header.accept="application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, */*" request.header.user-agent=containerd/v1.3.3-k3s2 request.method=HEAD url="https://comp.local/v2/weg17api-arm/manifests/develop"
ctr: failed to resolve reference "comp.local/weg17api-arm:develop": failed to do request: Head https://comp.local/v2/weg17api-arm/manifests/develop: dial tcp: lookup comp.local: no such host

ping comp.local gives the correct result. curl --insecure "https://comp.local/v2/weg17api-arm/manifests/develop" (I am using a self signed certificate here) also returns the proper json.

Describe the results you expected: That the image could be pulled ;-).

Output of containerd --version: (using ctr --version)

ctr github.com/rancher/containerd v1.3.3-k3s2 

Any other relevant information:

closed time in 6 days

lutzmi

issue commentcontainerd/containerd

Can't pull image because "no such host" / host can not be resolved.

I'm going to close this one since there doesn't seem to be anything actionable here in containerd. Please feel free to continue the conversation here or on Slack related to the resolution issue.

lutzmi

comment created time in 6 days

issue commentcontainerd/containerd

Containerd image layer cleanup during unpacking

12GB + 12GB = 24GB

It's hard to give a rule here that can apply universally based on size, but it is accurate to say that containerd will hold onto the compressed artifacts and unpacked layers for at least the length of the pull process and by default the lifespan of the image. The compressed blobs may be removed simply by pointing the image reference at the image configuration, rather than the image manifest. By default we point at image manifests as these are used to transfer the images, but if the image is not going to be pushed, pointing at the image config will allow containerd to remove the compressed blob artifacts which are no longer needed.

Are you using containerd directly or through CRI?

haikuoliu

comment created time in 6 days

issue closedcontainerd/containerd

Pushing with ctr 1.2.13 (only) to the docker registry - a 400 with "manifest invalid" will fail the deploy

Description

ctr version 1.2.13 appears to be sending wrong header with a manifest deploy (PUT) which fails an image deploy with the below error:

ctr: failed commit on ref "manifest-sha256:4c144ac2333af5526dfe7f53cc0ceb31f89aae78583fcba33fd743ef95fc9e3d": unexpected status: 400 Bad Request

This does not happen with either the 1.2.12 or the 1.3.4 version.

This is the captured request and response from the manifest push:

PUT /v2/busybox/manifests/latest HTTP/1.1
Host: 192.168.56.1:5000
User-Agent: containerd/v1.2.13
Content-Length: 527
Content-Type: application/octet-stream
Accept-Encoding: gzip

{
   "schemaVersion": 2,
   "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
   "config": {
      "mediaType": "application/vnd.docker.container.image.v1+json",
      "size": 1507,
      "digest": "sha256:d27c8abadd3df2e4c4f4f0529f7437317876974184375e4582ee32a3c388b62e"
   },
   "layers": [
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 715153,
         "digest": "sha256:e8bcc4b83f9c57e3ef7c831803d30ccc9ca2017915b309451ce5437e4f6a5247"
      }
   ]
}

HTTP/1.1 400 Bad Request
Content-Type: application/json; charset=utf-8
Docker-Distribution-Api-Version: registry/2.0
X-Content-Type-Options: nosniff
Date: Wed, 13 May 2020 11:10:16 GMT
Content-Length: 82

{"errors":[{"code":"MANIFEST_INVALID","message":"manifest invalid","detail":{}}]}

It seems the reason behind is the changed behaviour of sending the application/octet-stream media type/content-type header (apparently on all cases and not just to /blobs) starting with 1.2.13:

https://github.com/containerd/containerd/pull/4028

Prior to this an appropriate manifest header was sent, e.g.:

PUT /v2/busybox/manifests/latest HTTP/1.1
Host: 192.168.56.1:5000
User-Agent: containerd/v1.2.12
Content-Length: 527
Content-Type: application/vnd.docker.distribution.manifest.v2+json
Accept-Encoding: gzip

another example:

PUT /v2/hello-world/manifests/latest HTTP/1.1
Host: 192.168.56.1:5000
User-Agent: containerd/v1.2.12
Content-Length: 525
Content-Type: application/vnd.docker.distribution.manifest.v2+json
Accept-Encoding: gzip

ctr 1.2.13 comes bundled with the latest docker-ce versions:

docker version

Client: Docker Engine - Community
 Version:           19.03.8
 API version:       1.40
 Go version:        go1.12.17
 Git commit:        afacb8b
 Built:             Wed Mar 11 01:27:04 2020
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.8
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.12.17
  Git commit:       afacb8b
  Built:            Wed Mar 11 01:25:42 2020
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.2.13
  GitCommit:        7ad184331fa3e55e52b890ea95e65ba581ae3429
 runc:
  Version:          1.0.0-rc10
  GitCommit:        dc9208a3303feef5b3839f4323d9beb36df0a9dd
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

Steps to reproduce the issue:

  1. Install latest docker, e.g. on CentOS7

sudo yum install docker-ce docker-ce-cli containerd.io

  2. Deploy latest docker registry version (2.7.1) used

docker run -d -p 5000:5000 --restart always --name registry registry:2

  3. Attempt to pull and push an image using:

ctr images pull docker.io/library/busybox:1.27.0

ctr images push --plain-http 192.168.56.1:5000/busybox:latest docker.io/library/busybox:1.27.0

ctr: failed commit on ref "manifest-sha256:4c144ac2333af5526dfe7f53cc0ceb31f89aae78583fcba33fd743ef95fc9e3d": unexpected status: 400 Bad Request

Output of containerd --version:

ctr github.com/containerd/containerd v1.2.13

Docker Registry version: time="2020-05-13T10:59:35.704677369Z" level=warning msg="No HTTP secret provided - generated random secret. This may cause problems with uploads if multiple registries are behind a load-balancer. To provide a shared secret, fill in http.secret in the configuration file or set the REGISTRY_HTTP_SECRET environment variable." go.version=go1.11.2 instance.id=ef927b22-7d6b-4937-8083-6012474f9196 service=registry version=v2.7.1

closed time in 6 days

andreikom

issue commentcontainerd/containerd

Pushing with ctr 1.2.13 (only) to the docker registry - a 400 with "manifest invalid" will fail the deploy

We fixed this in the 1.2 branch, however since it only affects ctr which is not supported, we are not going to do a special release for it. I recommend using a new version of ctr from 1.3 or asking to carry the patch into Docker's shipped build of containerd.

andreikom

comment created time in 6 days

push eventdmcgowan/containerd

Phil Estes

commit sha 17a506c94f453ca678fc4bb844fa918a9a29481a

golangci-lint update and fix Backported test code fix from master, checkout specific version of golangci-lint, and set timeout to 3m like master Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>


Derek McGowan

commit sha d4242f0d3c09b47c5a483807291ec3a2564bbc19

Merge pull request #4270 from estesp/travis-ci-fixes [release/1.2] golangci-lint update and fix


Derek McGowan

commit sha f8ae167780e2f00df6d1f58f0833e11ff487c57c

Fix incorrect backport of setting octet-stream In master the change added the header set inside the block which created the blob request. This got incorrectly backported outside of the block, overriding the correctly set manifest header with the incorrect octet-stream header on manifest push. This fix only applies to the 1.2 branch, and other branches were correctly backported and this bug does not happen in master. Fixes #4252 Signed-off-by: Derek McGowan <derek@mcg.dev>


push time in 6 days

push eventcontainerd/containerd

Phil Estes

commit sha 17a506c94f453ca678fc4bb844fa918a9a29481a

golangci-lint update and fix Backported test code fix from master, checkout specific version of golangci-lint, and set timeout to 3m like master Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>


Derek McGowan

commit sha d4242f0d3c09b47c5a483807291ec3a2564bbc19

Merge pull request #4270 from estesp/travis-ci-fixes [release/1.2] golangci-lint update and fix


push time in 6 days

PR merged containerd/containerd

[release/1.2] golangci-lint update and fix

Backported test code fix from master, checkout specific version of golangci-lint, and set timeout to 3m like master

Signed-off-by: Phil Estes estesp@linux.vnet.ibm.com

+12 -9

0 comment

3 changed files

estesp

pr closed time in 6 days

push eventdmcgowan/containerd

Derek McGowan

commit sha 5594aea2dff46d558363c983fa9a145e5d215015

Update install dev tools Mirror master script Signed-off-by: Derek McGowan <derek@mcg.dev>


push time in 7 days

push eventdmcgowan/containerd

Wei Fu

commit sha 971ad613c5b75c8f9386dadc5eeffb34346ee408

bugfix: cleanup dangling shim by brand new context When there is timeout or cancel for create container, killShim will fail because of canceled context. The shim will be dangling and unmanageable. Need to use new context to do cleanup. Signed-off-by: Wei Fu <fuweid89@gmail.com> (cherry picked from commit 18e581dd91fd671aaeba86dcae2b6c97142a1cb0) Signed-off-by: Wei Fu <fuweid89@gmail.com>


Phil Estes

commit sha 4fcbc810e9415070215f7ef3c73cff87ee2fd999

Merge pull request #4055 from fuweid/cp12-4048 [release/1.2 backport] bugfix: cleanup dangling shim by brand new context


Maksym Pavlenko

commit sha a386eb648eb099d087ea50ea999713a0e8f61575

Fix linter errors Signed-off-by: Maksym Pavlenko <makpav@amazon.com> (cherry picked from commit ef7f46eb7bff5fad55b108027332a2938f77066a) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>


Ted Yu

commit sha 961c23a5700b194455a64172217e4d837afdd6d7

fix killall when use pidnamespace Signed-off-by: Ted Yu <yuzhihong@gmail.com> (cherry picked from commit 4105135e368071ece17f46484e3b5d84921d8161) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>


Michael Crosby

commit sha 82ddedea200a9d1964010421e0a0dbde761bff0d

Ensure close in content test Signed-off-by: Michael Crosby <crosbymichael@gmail.com> (cherry picked from commit 4f6ba8286d754c1e7b94249ac6baffab2ddfc089) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>


Michael Crosby

commit sha c1ceae5793f7d6e45002c512363df413ba7a328a

Update timestamp atomic write Signed-off-by: Michael Crosby <crosbymichael@gmail.com> (cherry picked from commit cf7fb14efaa7527403e3369eeb53fd0239d716fd) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>


Sebastiaan van Stijn

commit sha a18c083471e070e601289852c807cdb35e7a80ef

fix additional linting failures

```
GOGC=75 golangci-lint run
services\containers\service.go:97:2: unreachable: unreachable code (govet)
        return nil
        ^
content\local\store.go:549:75: nilness: impossible condition: nil != nil (govet)
        if writeTimestampFile(filepath.Join(path, "startedat"), startedAt); err != nil {
        ^
content\local\store.go:553:75: nilness: impossible condition: nil != nil (govet)
        if writeTimestampFile(filepath.Join(path, "updatedat"), startedAt); err != nil {
        ^
signals.go:29: File is not `goimports`-ed (goimports)
        "github.com/opencontainers/image-spec/specs-go/v1"
task.go:44: File is not `goimports`-ed (goimports)
        "github.com/opencontainers/image-spec/specs-go/v1"
container_opts_unix.go:37: File is not `goimports`-ed (goimports)
        "github.com/opencontainers/image-spec/specs-go/v1"
runtime/v1/linux/runtime.go:44: File is not `goimports`-ed (goimports)
        "github.com/containerd/containerd/runtime/v1"
```

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>


Maksym Pavlenko

commit sha dfff5b146ed81e0af87b0c0a8c9beec814ec5200

Switch to golangci-lint Signed-off-by: Maksym Pavlenko <makpav@amazon.com> (cherry picked from commit 2b521e25a72a5a480e139f28446c6138cc5adaba) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>


Michael Crosby

commit sha 598f7a7b5757d279bd6975985af0174898b2d942

Try set GOGC for golint Signed-off-by: Michael Crosby <crosbymichael@gmail.com> (cherry picked from commit 3bc99755d4a873569a475133e9b34977a6fc8b64) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>


Wei Fu

commit sha 469320d9281cd38e01b333f15270a98890ade459

Merge pull request #4067 from thaJeztah/1.2_backport_content_close [release/1.2 backport] Ensure close in content test


Wei Fu

commit sha 80914476e2cb9518a170cbb33a9d41b3fa68253b

Merge pull request #4061 from thaJeztah/1.2_backport_golang_ci_lint [release/1.2 backport] Switch from gometalinter to golangci-lint


Phil Estes

commit sha e7583ca96e82f48f7fd61df156dacf35a9cc37f5

Merge pull request #4064 from thaJeztah/1.2_backport_namespace_path [release/1.2 backport] fix killall when use pidnamespace


Michael Crosby

commit sha 591f6f491442dbd05356e60fb23972eac1f5284f

Move flag.Parse in tests to TestMain This fixes issues with custom and testing flags in Go 1.3 and should work in previous go versions. Signed-off-by: Michael Crosby <crosbymichael@gmail.com> (cherry picked from commit d5b7bf51aa7dc6217fea04e3e3b6e43289a25746) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>


Tobias Klauser

commit sha 30267a8da09e59cc3feb9da9430167d461bacc8a

platforms: update known OS and arch values Update the lists in isKnownOS and isKnownOS according to goosList and goarchList taken from Go 1.13, see https://github.com/golang/go/blob/release-branch.go1.13/src/go/build/syslist.go Signed-off-by: Tobias Klauser <tklauser@distanz.ch> (cherry picked from commit c8cb864ce026316e68a149be9fbcdb0c68afab9d) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>


Sebastiaan van Stijn

commit sha 012c4c0afc0ec9eb7ff43a2cfab048a3aebb4399

Revert "Update Golang 1.12.17" This reverts commit 2a0ca2d077f2a792e5752c1513e706a7bb00ed0e. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>


Sebastiaan van Stijn

commit sha c5843f944c5ab73dfe223fd3f265e4166da6dd92

Revert "Update Golang 1.12.16 (CVE-2020-0601, CVE-2020-7919)" This reverts commit 44b5bac0c08a0b296cd4e16f0055187b0dfb00d7. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>


Sebastiaan van Stijn

commit sha 9d53ba9301b84c5c898fffd2684dd0b94189b561

Revert "Update Golang 1.12.15" This reverts commit f106ae4ab5815564d8a0c8b7e738d5f44896caf8. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>


Sebastiaan van Stijn

commit sha 2adf308a249fd33760189fc9adcff8c0cff76d7c

Revert "Update Golang 1.12.14" This reverts commit e7b06baa68ff3554c4dc08e8d29b776698cce9ad. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>


Sebastiaan van Stijn

commit sha 77499e24eed68fede7c41e32787bf62802a4de45

Update to Golang 1.13.4

go1.13.4 (released 2019/10/31) includes fixes to the net/http and syscall packages. It also fixes an issue on macOS 10.15 Catalina where the non-notarized installer and binaries were being rejected by Gatekeeper. See the Go 1.13.4 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.13.4

Update to Golang 1.13.3: go1.13.3 (released 2019/10/17) includes fixes to the go command, the toolchain, the runtime, syscall, net, net/http, and crypto/ecdsa packages. See the Go 1.13.3 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.13.3

Update to Golang 1.13.2: go1.13.2 (released 2019/10/17) includes security fixes to the crypto/dsa package and the compiler. See the Go 1.13.2 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.13.2

Update to Golang 1.13.1: go1.13.1 (released 2019/09/25) includes security fixes to the net/http and net/textproto packages. See the Go 1.13.1 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.13.1

Update to Golang 1.13.0:

Full diff: https://github.com/golang/go/compare/go1.12.9...go1.13
Milestone: https://github.com/golang/go/milestone/83?closed=1

Today the Go team is very happy to announce the release of Go 1.13. You can get it from the download page.

Some of the highlights include:

- The go command now downloads and authenticates modules using the Go module mirror and Go checksum database by default (https://golang.org/doc/go1.13#introduction)
- Improvements to number literals (https://golang.org/doc/go1.13#language)
- Error wrapping (https://golang.org/doc/go1.13#error_wrapping)
- TLS 1.3 on by default (https://golang.org/doc/go1.13#tls_1_3)
- Improved modules support (https://golang.org/doc/go1.13#modules)

For the complete list of changes and more information about the improvements above, see the Go 1.13 release notes: https://golang.org/doc/go1.13

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 608791bfc34ead497cdae9851a572fc78552a864)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>


Sebastiaan van Stijn

commit sha fc95ae8ed46eda3db2cee4f5b93b92109a0cbc54

Update Golang 1.13.5 go1.13.5 (released 2019/12/04) includes fixes to the go command, the runtime, the linker, and the net/http package. See the Go 1.13.5 milestone on our issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.13.5+label%3ACherryPickApproved Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit c07e356d293895fa52f7dd215922861291d3d799) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>


push time in 7 days

PR opened containerd/containerd

[release/1.2] fix regression caused by pushing manifests as octet stream

In master the change added the header set inside the block which created the blob request. This got incorrectly backported outside of the block, overriding the correctly set manifest header with the incorrect octet-stream header on manifest push.

This fix only applies to the 1.2 branch, and other branches were correctly backported and this bug does not happen in master.

Fixes #4252

+1 -2

0 comment

1 changed file

pr created time in 7 days
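Added example, not containerd's actual push code: a simplified Go model of the header placement described in this PR, checked against a constructed registry stub that rejects a manifest PUT lacking a manifest media type, as the registry in the issue did. newPushRequest, stubRegistry, pushStatus and the registry.invalid host are hypothetical names.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

const (
	manifestV2  = "application/vnd.docker.distribution.manifest.v2+json"
	layerGzip   = "application/vnd.docker.image.rootfs.diff.tar.gzip"
	octetStream = "application/octet-stream"
)

// newPushRequest models a push client. With misplaced=false the octet-stream
// header is set only in the branch that handles blob uploads. With
// misplaced=true it is set after the branch, which is the placement the PR
// describes for the bad backport: it overrides the manifest media type.
func newPushRequest(repo, ref, mediaType string, misplaced bool) (*http.Request, error) {
	isManifest := mediaType == manifestV2
	path := fmt.Sprintf("/v2/%s/manifests/%s", repo, ref)
	if !isManifest {
		// Constructed upload-session path; ref is the blob digest here.
		path = fmt.Sprintf("/v2/%s/blobs/uploads/constructed-session?digest=%s", repo, ref)
	}
	req, err := http.NewRequest(http.MethodPut, "http://registry.invalid"+path, strings.NewReader("{}"))
	if err != nil {
		return nil, err
	}
	if isManifest {
		req.Header.Set("Content-Type", mediaType)
	} else if !misplaced {
		req.Header.Set("Content-Type", octetStream) // inside the blob branch
	}
	if misplaced {
		req.Header.Set("Content-Type", octetStream) // outside the branch: applies to manifests too
	}
	return req, nil
}

// stubRegistry is a constructed stand-in for a registry: a manifest PUT must
// carry a manifest media type, anything else on a manifest path gets the
// 400 MANIFEST_INVALID response quoted in the issue.
func stubRegistry() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.Contains(r.URL.Path, "/manifests/") && r.Header.Get("Content-Type") != manifestV2 {
			w.Header().Set("Content-Type", "application/json; charset=utf-8")
			w.WriteHeader(http.StatusBadRequest)
			fmt.Fprint(w, `{"errors":[{"code":"MANIFEST_INVALID","message":"manifest invalid","detail":{}}]}`)
			return
		}
		w.WriteHeader(http.StatusCreated)
	})
}

// pushStatus sends one modelled push through the stub in memory (no sockets)
// and returns the status code and the Content-Type that was sent.
func pushStatus(ref, mediaType string, misplaced bool) (int, string, error) {
	req, err := newPushRequest("busybox", ref, mediaType, misplaced)
	if err != nil {
		return 0, "", err
	}
	rec := httptest.NewRecorder()
	stubRegistry().ServeHTTP(rec, req)
	return rec.Code, req.Header.Get("Content-Type"), nil
}

func main() {
	for _, misplaced := range []bool{false, true} {
		code, ct, err := pushStatus("latest", manifestV2, misplaced)
		if err != nil {
			fmt.Println("error:", err)
			return
		}
		fmt.Printf("misplaced=%-5v Content-Type=%s -> %d\n", misplaced, ct, code)
	}
}
```

A regression test of this shape, asserting the Content-Type of the manifest PUT separately from the blob PUT, would have caught the backport on the release branch.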

create branch dmcgowan/containerd

branch : 1.2-fix-bad-backport-push-octet-stream

created branch time in 7 days

issue closedcontainerd/containerd

Pull default tag

What is the problem you're trying to solve

What I want to expose with this ticket is to activate a default tag if no reference (tag + digest) exists when pulling an image.

example : ctr i pull docker/libray/busybox ==> ctr i pull docker/libray/busybox:latest

I checked the moby project and I found that docker implements this option using TagNameOnly function : here

Describe the solution you'd like

Replace the reference.ErrObjectRequired here by TagNameOnly in order to set a default latest tag.

Cordially

closed time in 7 days

fahedouch

issue commentcontainerd/containerd

Pull default tag

Since ctr is not a supported tool and is not intended for delivering an end user experience, adding these sort of features is out of scope. The goal of the ctr tool is to exercise containerd internals for developers or those wanting to understand how containerd works. As such, containerd has no opinion about default tags and does not alter reference input. There are efforts to build end user tools on top of containerd which provide a more complete experience, but will likely never be ctr. I'm going to close this one as out of scope.

fahedouch

comment created time in 7 days

pull request commentcontainerd/containerd

Support helpers for label-based userns remapping

I stick with my original recommendation in https://github.com/containerd/containerd/pull/3885/files#r363429777: to just provide the function as a snapshot option rather than a new container option. A snapshot option is the more composable type as it can be used with other snapshot options. The original remapper could not do this since it had to own the snapshot creation.

estesp

comment created time in 7 days

PR closed containerd/containerd

metadata_db: Remove unnecessary mutex lock on snapshotD map

Signed-off-by: Gaurav Singh gaurav1086@gmail.com

Don't need a lock on snapshotD since every goroutine is updating a unique snapshot

+1 -4

5 comments

1 changed file

gaurav1086

pr closed time in 7 days

pull request commentcontainerd/containerd

metadata_db: Remove unnecessary mutex lock on snapshotD map

I'm going to close this one since we can't merge it as is. There are probably still improvements that could be made here if interested. Please include benchmarks/profiling along with the change to show the improvement as lock-free designs often have their own set of trade-offs.

gaurav1086

comment created time in 7 days

Pull request review commentcontainerd/containerd

metadata_db: Remove unnecessary mutex lock on snapshotD map

 func (m *DB) GarbageCollect(ctx context.Context) (gc.Stats, error) { 	m.dirty = 0  	if len(m.dirtySS) > 0 {-		var sl sync.Mutex 		stats.SnapshotD = map[string]time.Duration{} 		wg.Add(len(m.dirtySS)) 		for snapshotterName := range m.dirtySS { 			log.G(ctx).WithField("snapshotter", snapshotterName).Debug("schedule snapshotter cleanup") 			go func(snapshotterName string) { 				st1 := time.Now() 				m.cleanupSnapshotter(snapshotterName)--				sl.Lock()+				// Don't need a lock here since every goroutine is updating a unique snapshot 				stats.SnapshotD[snapshotterName] = time.Since(st1)
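Review bot: Removing sl.Lock() ahead of the write to stats.SnapshotD[snapshotterName] leaves every cleanup goroutine writing to one shared map with no synchronization. Go's built-in map is not safe for concurrent writes even when each goroutine uses a different key, so the new comment "every goroutine is updating a unique snapshot" does not justify dropping the mutex. Keep the lock around the map write, or have each goroutine store its duration in its own pre-allocated slot and fill the map after the WaitGroup has finished.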

Go's race detector is not going to be OK with this. The built-in map type does not consider these sort of unlocked map writes as safe, no matter the key values.

If the map were pre-allocated with pointers, then accessing and updating would be safe, however, that is probably not more efficient. What is the performance issue you are running into today?

gaurav1086

comment created time in 7 days
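Added example, not the project's code: two race-free ways to record per-snapshotter durations from concurrent goroutines, the mutex that the PR removed and the pre-allocated pointer slots mentioned in the review comment. The function names and snapshotter names are constructed for illustration.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// timeWithMutex runs cleanup for every name concurrently and records the
// elapsed time in a shared map. The mutex is required: concurrent writes to
// a Go map are a data race regardless of which keys are written.
func timeWithMutex(names []string, cleanup func(string)) map[string]time.Duration {
	var (
		wg sync.WaitGroup
		mu sync.Mutex
	)
	out := make(map[string]time.Duration, len(names))
	for _, name := range names {
		wg.Add(1)
		go func(name string) {
			defer wg.Done()
			start := time.Now()
			cleanup(name)
			elapsed := time.Since(start)
			mu.Lock()
			out[name] = elapsed
			mu.Unlock()
		}(name)
	}
	wg.Wait()
	return out
}

// timeWithSlots builds the whole map before any goroutine starts. Each
// goroutine receives a pointer to its own slot and never touches the map,
// so no lock is needed. Iterating over the map's keys (not the input slice)
// guarantees one goroutine per slot even if names contains duplicates.
func timeWithSlots(names []string, cleanup func(string)) map[string]time.Duration {
	slots := make(map[string]*time.Duration, len(names))
	for _, name := range names {
		slots[name] = new(time.Duration)
	}
	var wg sync.WaitGroup
	for name, slot := range slots {
		wg.Add(1)
		go func(name string, slot *time.Duration) {
			defer wg.Done()
			start := time.Now()
			cleanup(name)
			*slot = time.Since(start)
		}(name, slot)
	}
	wg.Wait() // orders every slot write before the reads below
	out := make(map[string]time.Duration, len(slots))
	for name, slot := range slots {
		out[name] = *slot
	}
	return out
}

func main() {
	names := []string{"overlayfs", "native", "btrfs"} // constructed snapshotter names
	cleanup := func(string) { time.Sleep(time.Millisecond) }
	fmt.Println("mutex:", timeWithMutex(names, cleanup))
	fmt.Println("slots:", timeWithSlots(names, cleanup))
}
```

Running either variant under `go test -race` or `go run -race` is the check that confirms the absence of the race the reviewer describes.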

issue commentcontainerd/containerd

Windows binaries missing from the release page

The release-tool just generates the tag and release notes. Travis is doing the builds today. Since Travis is broken I have been building locally and pushing up. We hope to get these moved over to Github actions by 1.4 final. Hopefully ideally building windows and linux, and arm64 but that is a stretch goal right now.

rgl

comment created time in 11 days

release containerd/containerd

v1.4.0-beta.0

released time in 11 days

created tagcontainerd/containerd

tagv1.4.0-beta.0

An open and reliable container runtime

created time in 11 days

push eventcontainerd/containerd

Derek McGowan

commit sha 77ab0104e246861334075a0e238a799ba3469aa4

Add release notes for 1.4 beta Signed-off-by: Derek McGowan <derek@mcg.dev>

Derek McGowan

commit sha 32985949d4f2f38a484c5021766251250764322b

Merge pull request #4242 from dmcgowan/1.4-beta Add release notes for 1.4 beta

push time in 11 days

PR merged containerd/containerd

Add release notes for 1.4 beta

Generated release notes at https://gist.github.com/dmcgowan/74e0b9fd6d1c93da2a954ee8e5c6894f

+103 -2

9 comments

3 changed files

dmcgowan

pr closed time in 11 days

issue commentcontainerd/cri

Merge CRI code into upstream containerd

This repo does have the k8s bot, setting up permission and webhooks on the main repo would be easy.

The test infra configuration is in this repo, https://github.com/kubernetes/test-infra/search?q=%22containerd%2Fcri%22&type=Code

I am a bit concerned about supporting release branches though. If the k8s tests build from another repository, will that make older branches without testing? Or would those changes just be able to be tested when they are vendored back into containerd? Setting a whole new configuration to test both repos doesn't seem very easy.

Let me call over the experts to opine here @spiffxp @Random-Liu @dims

crosbymichael

comment created time in 11 days

push eventdmcgowan/containerd

Phil Estes

commit sha 7cdacdda815c6281f0552eeb240584f238213c67

Set codecov to not comment on PRs Until we totally remove codecov, this will keep it from commenting on PRs but reports will still be available on codecov.io Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>

Derek McGowan

commit sha 7207226e9d9aa6af9b48b681137139873b7c692d

Merge pull request #4253 from estesp/no-codecov-comment Set codecov to not comment on PRs

Sebastiaan van Stijn

commit sha 6eeed18cb4eade64ef89820ecd7b54683616f3e8

vendor: opencontainers/go-digest v1.0.0 full diff: https://github.com/opencontainers/go-digest/compare/28d3ccc31a47933556673856d9807b4ca436108e...v1.0.0 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Maksym Pavlenko

commit sha 7fd23fe1430966f6d4d3de44f84d866681d8ca8f

Merge pull request #4254 from thaJeztah/bump_go_digest vendor: opencontainers/go-digest v1.0.0

Derek McGowan

commit sha 77ab0104e246861334075a0e238a799ba3469aa4

Add release notes for 1.4 beta Signed-off-by: Derek McGowan <derek@mcg.dev>

push time in 11 days

PR closed containerd/containerd

Add article to pull access denied error message

The spelling fix was suggested to me by Grammarly when I pasted such error in our internal issue tracker.

+1 -1

5 comments

1 changed file

glensc

pr closed time in 11 days

pull request commentcontainerd/containerd

Add article to pull access denied error message

pasted such error in our internal issue tracker

This is why we don't make non-functional or changes which don't correct the statement. Having an error message searchable is often more valuable than it being grammatically correct. We bias toward error messages being short as long as they remain unambiguous. Non clarifying grammar articles are often on the chopping block there.

glensc

comment created time in 11 days

issue commentcontainerd/cri

Option to pass http headers to registry

I would really like to just completely solve the problem to cover any possible configuration. Take the mirrors endpoints for example, they solve most use cases but still not all. So broken down, I want to be able to define at 3 levels...

  1. global
    • http headers
    • TLS configurations (ca, algorithms)
    • authorizer
  2. per-namespace level (i.e. docker.io)
    • http headers
    • TLS configurations (ca, client, skip verify)
    • host capabilities (pull, push, resolve)
    • endpoint scheme://host/path
    • mirrors
    • authorizer
  3. per-host level (upstream and mirrors)
    • http headers
    • TLS configurations (ca, client, skip verify)
    • host capabilities (pull, push, resolve)
    • endpoint scheme://host/path
    • authorizer

For the per namespace/host level, having an /etc/docker/conf.d approach is really useful. It allows changing those configurations without restarting and not have to make the global toml config super complicated.

cpuguy83

comment created time in 11 days

issue commentcontainerd/cri

Option to pass http headers to registry

Beta isn't a closed door. I forgot I still want to get the new namespace-specific config files into CRI before 1.4. If we want namespace/host-specific header support, we can probably add that there too with little effort. I think the RegistryHost type will have to support it anyway.

cpuguy83

comment created time in 11 days

PR closed docker/spdystream

Add more robust debug mode with server

The debug server is still a work in progress but it has immediate benefits for debugging.

Usage:

Run Server

go run contrib/debugserver/main.go

Run tests

SPDYSTREAM_DEBUG=localhost:9399 go test -v .

+222 -3

1 comment

4 changed files

dmcgowan

pr closed time in 11 days

release opencontainers/go-digest

v1.0.0

released time in 12 days

created tagopencontainers/go-digest

tagv1.0.0

Common digest package used across the container ecosystem

created time in 12 days

push eventopencontainers/go-digest

Derek McGowan

commit sha 43cccb7fb83cfd821f17d87df05202f77e85a706

Add release notes for v1.0.0 Signed-off-by: Derek McGowan <derek@mcg.dev>

Derek McGowan

commit sha ea51bea511f75cfa3ef6098cc253c5c3609b037a

Merge pull request #56 from dmcgowan/release-1.0 Add release notes for v1.0.0

push time in 12 days

PR merged opencontainers/go-digest

Add release notes for v1.0.0

The release tag will be created from the merge commit of this PR. Applying an LGTM to this PR is voting for the release. Let's wait for a quorum to merge.

fixes https://github.com/opencontainers/go-digest/issues/46

+79 -1

7 comments

3 changed files

dmcgowan

pr closed time in 12 days

issue closedopencontainers/go-digest

Cut new release that includes #38

Essentially this request is just for a new tag that includes #38. Go modules won't fetch the license file update because it isn't included in a tagged version.

closed time in 12 days

micahhausler

Pull request review commentopencontainers/go-digest

Add release notes for v1.0.0

-Stephen J Day <stephen.day@docker.com> <stevvooe@users.noreply.github.com> Aaron Lehmann <aaronl@vitelus.com> <aaron.lehmann@docker.com>+Derek McGowan <derek@mcg.dev> <derek@mcgstyle.net>+Stephen J Day <stephen.day@docker.com> <stevvooe@users.noreply.github.com>+zhouhaibing <zhouhaibing089@gmail.com>

Just in time :)

dmcgowan

comment created time in 12 days

push eventdmcgowan/go-digest

Derek McGowan

commit sha 43cccb7fb83cfd821f17d87df05202f77e85a706

Add release notes for v1.0.0 Signed-off-by: Derek McGowan <derek@mcg.dev>

push time in 12 days

Pull request review commentcontainerd/release-tool

Cleanup output when no previous version

 https://github.com/{{.GithubRepo}}/issues. {{- end}}  ### Dependency Changes-{{range $dep := .Dependencies}}+{{if .Dependencies}}+{{- range $dep := .Dependencies}} * **{{$dep.Name}}**	{{if $dep.Previous}}{{$dep.Previous}} -> {{$dep.Ref}}{{else}}{{$dep.Ref}} **_new_**{{end}} {{- end}}+{{- else}}+This release has no dependency changes

To me, no dependency changes is a good feature too ;)

dmcgowan

comment created time in 12 days

Pull request review commentcontainerd/release-tool

Cleanup output when no previous version

 https://github.com/{{.GithubRepo}}/issues. {{- end}}  ### Dependency Changes-{{range $dep := .Dependencies}}+{{if .Dependencies}}+{{- range $dep := .Dependencies}} * **{{$dep.Name}}**	{{if $dep.Previous}}{{$dep.Previous}} -> {{$dep.Ref}}{{else}}{{$dep.Ref}} **_new_**{{end}} {{- end}}+{{- else}}+This release has no dependency changes

I was thinking that, but since it is a top level header, I feel like it is better to say it explicitly. Otherwise you might scroll to the bottom looking for it and wonder if you missed it or it was excluded

dmcgowan

comment created time in 12 days

pull request commentopencontainers/go-digest

Add release notes for v1.0.0

For release note output, opened https://github.com/containerd/release-tool/pull/13

See https://gist.github.com/dmcgowan/e8830adb764c4ee31ea3fc4428ee8333 for test generation of release notes

dmcgowan

comment created time in 12 days

pull request commentcontainerd/release-tool

Cleanup output when no previous version

We should also do 1.0 of this project, it would help for that :laughing:

dmcgowan

comment created time in 12 days

PR opened containerd/release-tool

Cleanup output when no previous version

Remove dead link at bottom when no previous version. Don't keep dependency section empty when no dependencies, mention no dependencies but keep section header for consistency.

This will help use this tool for projects reaching 1.0

+8 -1

0 comment

1 changed file

pr created time in 12 days

create branch dmcgowan/release-tool

branch : cleanup-no-previous-output

created branch time in 12 days

push eventdmcgowan/containerd

Derek McGowan

commit sha 2b84f57d1af3eb064b0f33375fce95664c5996e4

Add release notes for 1.4 beta Signed-off-by: Derek McGowan <derek@mcg.dev>

push time in 12 days
