Phil Estes estesp @IBM Virginia, USA https://estesp.dev Senior developer/technical leader at @IBM. Work on @docker, maintainer for @moby and @containerd. Focus on containers, cloud, Linux OS. CNCF Ambassador.

estesp/bucketbench 86

Go-based framework for running benchmarks against Docker, containerd, runc, or any CRI-compliant runtime

containerd/project 20

Cross-project utilities, scripts, etc.

containerd/containerd.io 11

Website repo for https://containerd.io

estesp/buildkit-cluster-example 11

Simple example for using an in-cluster BuildKit instance for container builds

c-ale/docker-containers 1

Intro to Docker and container technology

estesp/actions-playground 1

Playground for testing GitHub Actions changes

estesp/authz 1

Docker Authorization Plugin

estesp/deployscripts 1

Deployment scripts for IBM Container Service. Used as example scripts in the Pipeline to aid in continuous deployment of an application

estesp/about 0

Docker Captains and Our Projects

estesp/api 0

TripIt's API Documentation and Support Forum

PR opened containerd/containerd.io

Update to latest 1.3.6 release

Signed-off-by: Phil Estes estesp@linux.vnet.ibm.com

+1 -1

0 comment

1 changed file

pr created time in 4 days

create branch estesp/containerd.io

branch : new-release

created branch time in 4 days

push event estesp/containerd.io

Phil Estes

commit sha 3f193fe90be216034c96cfd0120eb9bc766c81ed

Update latest release to v1.3.5 Also update the wget command to use the correct filename format generated by the new GitHub Actions release step. Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>

Phil Estes

commit sha 078f39873c66120192cb7f170466c422e0c0a240

Merge pull request #66 from estesp/new-release Update latest release to v1.3.5

push time in 4 days

PR opened containerd/containerd

Minor actions fixes/updates
  • always apt-get update before installing packages
  • move to tagged official create_release action

The official GH create_release action now has support for body text from file.

Signed-off-by: Phil Estes estesp@linux.vnet.ibm.com

+4 -2

0 comment

2 changed files

pr created time in 4 days

create branch estesp/containerd

branch : actions-fixes

created branch time in 4 days

pull request comment actions/create-release

create release with body text sourced from file

@mscoutermarsh successfully used the tagged version of create-release@v1.1.2 with body_path; no problems

jbolda

comment created time in 4 days

created tag estesp/actions-playground

tag v1.4.0-beta.1

Playground for testing GitHub Actions changes

created time in 4 days

push event estesp/actions-playground

Phil Estes

commit sha cfc2dc609579813e7a2a499da9707a5f56724519

Update to the tagged GH actions create-release fix Can switch back to the main project now that the body from a file support PR is merged and tagged. Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>

push time in 4 days

PR opened containerd/containerd

Prepare v1.3.6 fix release

Requires #4352 to be merged.

Signed-off-by: Phil Estes estesp@linux.vnet.ibm.com

+27 -1

0 comment

2 changed files

pr created time in 5 days

create branch estesp/containerd

branch : prepare-1.3.6

created branch time in 5 days

issue comment containerd/containerd

containerd-1.3.5: undefined symbol: seccomp_api_set

Verified with #4352 that the example debian:buster can run the binary:

debconf: delaying package configuration, since apt-utils is not installed
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   648  100   648    0     0   2817      0 --:--:-- --:--:-- --:--:--  2817
100 38.1M  100 38.1M    0     0   9.8M      0  0:00:03  0:00:03 --:--:-- 12.5M
containerd github.com/containerd/containerd v1.3.5 9b6f3ec0307a825c38617b93ad55162b5bb94234

We will respin as 1.3.6 with this fix.

thepwagner

comment created time in 5 days

issue comment containerd/containerd

Containerd distributions should contain v2 shim binaries

we package both, so I think we are good:

$ tar ztf containerd-1.3.5-linux-amd64.tar.gz
bin/
bin/ctr
bin/containerd-shim-runc-v1
bin/containerd-stress
bin/containerd
bin/containerd-shim-runc-v2
bin/containerd-shim

Random-Liu

comment created time in 5 days

delete branch estesp/containerd.io

delete branch : new-release

delete time in 5 days

push event containerd/containerd.io

Phil Estes

commit sha 3f193fe90be216034c96cfd0120eb9bc766c81ed

Update latest release to v1.3.5 Also update the wget command to use the correct filename format generated by the new GitHub Actions release step. Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>

Phil Estes

commit sha 078f39873c66120192cb7f170466c422e0c0a240

Merge pull request #66 from estesp/new-release Update latest release to v1.3.5

push time in 5 days

PR merged containerd/containerd.io

Update latest release to v1.3.5

Also update the wget command to use the correct filename format generated by the new GitHub Actions release step.

Signed-off-by: Phil Estes estesp@linux.vnet.ibm.com

+3 -3

1 comment

2 changed files

estesp

pr closed time in 5 days

pull request comment containerd/containerd

[release/1.3] Pin libseccomp to 2.3.3 for GH Actions release.yml

Assuming the playgrounds thing works :)

It is now; forgot the working directory the first commit. Second time's a charm; actions release worked and binary is linked to 2.3.3 libseccomp.

estesp

comment created time in 6 days

push event estesp/containerd

Phil Estes

commit sha 7013f1fccc350c862ededb85125aefa133c0c987

Pin libseccomp to 2.3.3 for GH Actions release.yml Use the same pinning we were using in Travis CI to not force dependencies on the newer libseccomp 2.4.x in our binaries. Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>

push time in 6 days

created tag estesp/actions-playground

tag v1.3.5

Playground for testing GitHub Actions changes

created time in 6 days

push event estesp/actions-playground

Phil Estes

commit sha 96ee5894b97375948d1447596d02c263935d612c

Test pinning libseccomp for v1.3.x releases Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>

push time in 6 days

delete tag estesp/actions-playground

delete tag : v1.3.5

delete time in 6 days

created tag estesp/actions-playground

tag v1.3.5

Playground for testing GitHub Actions changes

created time in 6 days

push event estesp/actions-playground

Phil Estes

commit sha 27116968b9d28e7c7b81794f05692fc1b8eb470a

Test pinning libseccomp for v1.3.x releases Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>

push time in 6 days

pull request comment containerd/containerd

Pin libseccomp to 2.3.3 for GH Actions release.yml

Going to verify this in my "actions playground" before we commit

estesp

comment created time in 6 days

PR opened containerd/containerd

Pin libseccomp to 2.3.3 for GH Actions release.yml

Use the same pinning we were using in Travis CI to not force dependencies on the newer libseccomp 2.4.x in our binaries.

Signed-off-by: Phil Estes estesp@linux.vnet.ibm.com

Fixes: #4349

+2 -1

0 comment

1 changed file

pr created time in 6 days

create branch estesp/containerd

branch : pin-seccomp-release

created branch time in 6 days

push event estesp/containerd

Florian Schmaus

commit sha e977564a8b2bcf57d0c45b0e12b0ecedaeb4debb

seccomp: allow 'rseq' syscall in default seccomp profile Restartable Sequences (rseq) are a kernel-based mechanism for fast update operations on per-core data in user-space. Some libraries, like the newest version of Google's TCMalloc, depend on it [1]. This also makes docker's default seccomp profile on par with systemd's, which enabled 'rseq' in early 2019 [2]. 1: https://google.github.io/tcmalloc/design.html 2: systemd/systemd@6fee3be Signed-off-by: Florian Schmaus <flo@geekplace.eu>

Phil Estes

commit sha 01a53c24b383b4ad991825616a03395b76443434

Merge pull request #4347 from Flowdalic/allow-rseq-seccomp seccomp: allow 'rseq' syscall in default seccomp profile

Brian Goff

commit sha aa191deff1ab80a0dd31538f04bb862591fce10b

Change log for unknown mt to debug This log message shows up in the client's logs. For any media type that the client doesn't know about it will wind up with a warning log. Downgrade this to debug since it is more of a development concern. We encountered this trying to fetch Docker plugins which has a media type for plugin configs. Signed-off-by: Brian Goff <cpuguy83@gmail.com>

Phil Estes

commit sha 97a3f52c6335f24cf7b32e0fcdc8b58e2513d7a7

Merge pull request #4351 from cpuguy83/pull_mediatype_debug Change log for unknown mt to debug

push time in 6 days

push event containerd/containerd

Brian Goff

commit sha aa191deff1ab80a0dd31538f04bb862591fce10b

Change log for unknown mt to debug This log message shows up in the client's logs. For any media type that the client doesn't know about it will wind up with a warning log. Downgrade this to debug since it is more of a development concern. We encountered this trying to fetch Docker plugins which has a media type for plugin configs. Signed-off-by: Brian Goff <cpuguy83@gmail.com>

Phil Estes

commit sha 97a3f52c6335f24cf7b32e0fcdc8b58e2513d7a7

Merge pull request #4351 from cpuguy83/pull_mediatype_debug Change log for unknown mt to debug

push time in 6 days

PR merged containerd/containerd

Change log for unknown mt to debug

This log message shows up in the client's logs. For any media type that the client doesn't know about it will wind up with a warning log. Downgrade this to debug since it is more of a development concern.

We encountered this trying to fetch Docker plugins which has a media type for plugin configs.

Replacement for #4345

+1 -1

2 comments

1 changed file

cpuguy83

pr closed time in 6 days

pull request comment containerd/containerd.io

Update latest release to v1.3.5

You can verify that the release download page in the preview uses the artifact URLs directly from GitHub, so even with our change to 1.4.0 and above and 1.3.5 and above on the filename, the download links work properly across this transition. The canned "wget" command on the page is updated to the new format, as it will never show a command for the older releases now that our "latest" is past the changeover point.

estesp

comment created time in 6 days

PR opened containerd/containerd.io

Update latest release to v1.3.5

Also update the wget command to use the correct filename format generated by the new GitHub Actions release step.

Signed-off-by: Phil Estes estesp@linux.vnet.ibm.com

+3 -3

0 comment

2 changed files

pr created time in 6 days

create branch estesp/containerd.io

branch : new-release

created branch time in 6 days

push event estesp/containerd.io

Phil Estes

commit sha 7a3db7c5cd4f47971864674c9b94492ff92a6e29

keep releases.md in sync with containerd/containerd Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>

lucperkins

commit sha 8c2774d87ed266f7496bddec165e13afc4a2d73b

Update footer text Signed-off-by: lucperkins <lucperkins@gmail.com>

Phil Estes

commit sha f9a8defa0b28e2fdde4bf934548ca6d234987be4

Merge pull request #58 from lucperkins/lperkins/update-footer-text Update footer text

Phil Estes

commit sha 5b3e1c5e49cf78c816363524ee6753d14a236fb1

Merge pull request #63 from containerd/dep-updates Automated RELEASES.md sync update

Derek McGowan

commit sha 637990107a25c6793baa51762796fd18424c1e89

Use containerd slack link Redirects to CNCF slack which has containerd channels Signed-off-by: Derek McGowan <derek@mcg.dev>

Wei Fu

commit sha 4c9e0ae7d1eebebb9b97f173a74231fcc080e124

Merge pull request #64 from dmcgowan/update-slack-link Use containerd slack link

Derek McGowan

commit sha ddf42c8687386c99d5cb347dea9384006121d853

Update latest release to 1.3.4 Signed-off-by: Derek McGowan <derek@mcg.dev>

Akihiro Suda

commit sha 53a00683dbef6aa3d8e32248d5de1314bd89f74b

Merge pull request #65 from dmcgowan/update-latest Update latest release to 1.3.4

push time in 6 days

issue comment containerd/containerd

Artifact download links are slightly different between 1.3.3 and 1.3.5

In discussing with @dims, while this change was not intentional with the switch in release artifact methods, we prefer the hyphen-separated filename for consistency. Given that, if downstream users can handle the change, we already know that we've released 1.4.0 betas with this model, and will attempt not to make any future changes to the filename pattern.

dims

comment created time in 6 days

pull request comment containerd/containerd

Support helpers for label-based userns remapping

@AkihiroSuda done!

estesp

comment created time in 6 days

push event estesp/containerd

Phil Estes

commit sha 45c28f56b2fe37c92752714fbed76d3d1b22dbb6

Add ability to use remapper labels versus remapping snapshot helper A simple starting point for testing the remapper labels with fuse-overlayfs snapshotter Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>

push time in 6 days

push event containerd/containerd

Florian Schmaus

commit sha e977564a8b2bcf57d0c45b0e12b0ecedaeb4debb

seccomp: allow 'rseq' syscall in default seccomp profile Restartable Sequences (rseq) are a kernel-based mechanism for fast update operations on per-core data in user-space. Some libraries, like the newest version of Google's TCMalloc, depend on it [1]. This also makes docker's default seccomp profile on par with systemd's, which enabled 'rseq' in early 2019 [2]. 1: https://google.github.io/tcmalloc/design.html 2: systemd/systemd@6fee3be Signed-off-by: Florian Schmaus <flo@geekplace.eu>

Phil Estes

commit sha 01a53c24b383b4ad991825616a03395b76443434

Merge pull request #4347 from Flowdalic/allow-rseq-seccomp seccomp: allow 'rseq' syscall in default seccomp profile

push time in 9 days

PR merged containerd/containerd

seccomp: allow 'rseq' syscall in default seccomp profile

Restartable Sequences (rseq) are a kernel-based mechanism for fast update operations on per-core data in user-space. Some libraries, like the newest version of Google's TCMalloc, depend on it [1].

This also makes docker's default seccomp profile on par with systemd's, which enabled 'rseq' in early 2019 [2].

1: https://google.github.io/tcmalloc/design.html 2: systemd/systemd@6fee3be

+1 -0

2 comments

1 changed file

Flowdalic

pr closed time in 9 days

pull request comment containerd/containerd

Support helpers for label-based userns remapping

@AkihiroSuda interestingly I started this branch from the PR I carried, which left me with the impression that there wasn't already support for running a container with UID/GID maps, but that PR (from the same contributor) was merged soon after this original PR was created.

Rebasing on master, I now have the uid/gid maps on ctr run, so all I've done in this PR is match on the fuse-overlayfs snapshotter name and use the labels instead of the WithRemappedSnapshot helper. Let me know if you think this should instead be a specific extra flag.

estesp

comment created time in 9 days

push event estesp/containerd

Phil Estes

commit sha c76bf5504786ee4cfc7ba43c4ade1bae07c51ca2

Make unique snapshotter opt for label-assisted remapping Provide a snapshotter opt to add labels used by any supporting snapshotter to handle user namespace filesystem remapping. Currently supported by the fuse-overlayfs snapshotter, and others can use this information as well. Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>

Phil Estes

commit sha 5ed614898e7f946d10a91fb3e7637a075f9e39bd

Add ability to use remapper labels versus remapping snapshot helper A simple starting point for testing the remapper labels with fuse-overlayfs snapshotter Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>

push time in 9 days

push event estesp/containerd

Phil Estes

commit sha f1b1f96d60d9898363f929e9e291b2043f283d54

Add ability to use remapper labels versus remapping snapshot helper A simple starting point for testing the remapper labels with fuse-overlayfs snapshotter Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>

push time in 9 days

push event estesp/containerd

Derek McGowan

commit sha 30d92eff1c61d012be0053467f619974ad841698

Defer layer download until unpack Moves the content fetching into the unpack process and defers the download until the snapshot needs it and is ready to apply. As soon as a layer is reached which requires fetching, all remaining layers are fetched. Signed-off-by: Derek McGowan <derek@mcgstyle.net>

Akihiro Suda

commit sha 8f870c233f14fe9df47ef9defa42cf8517fb64e0

support cgroup2 * only shim v2 runc v2 ("io.containerd.runc.v2") is supported * only PID metrics is implemented. Others should be implemented in separate PRs. * lots of code duplication in v1 metrics and v2 metrics. Dedupe should be separate PR. Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Akihiro Suda

commit sha b02e20f12e4faa07d4fba741337921968d901e9d

cgroup2: enable controllers automatically Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Jie Hao Liao

commit sha 9862cb8f8544a3069add9a3b90e87e695d14b313

support user remapping in ctr * --uidmap support for one remapping * --gidmap support for one remapping * create IoUid and IoGid options for getNewTaskOpts Signed-off-by: Jie Hao Liao <liaojh1998@gmail.com>

Joakim Roubert

commit sha e0011978fff03d6f7061ad709bbfffaf992a77ae

start.go: Improve help text Change-Id: I9adfc27868b246fb85823d18c65f95668e3fbc58 Signed-off-by: Joakim Roubert <joakimr@axis.com>

Akihiro Suda

commit sha 55698e69428896661f288f031d1492f8fb2c4c92

Merge pull request #3886 from joakimr-axis/joakimr-axis_helptext start.go: Improve help text

Joakim Roubert

commit sha 499fbb0337c9138b5360117e0b25a7a1428f9667

Improve install scripts * Only use bash where needed (scripts with pipes that use -o pipefail) * Make string comparisons POSIX compatible * Handle whitespace(s) in GOPATH * Remove superfluous quotes in variable assignments Change-Id: If1ea55f06f402ded646b5085d4837c0996f90fab Signed-off-by: Joakim Roubert <joakimr@axis.com>

Derek McGowan

commit sha 08517e586485ef3b977b641c7dcc3ea33f6a6148

Allow empty scope authorization Registries may allow using token authorization without explicitly setting the scope. This may cover use cases where no scope is required for an endpoint or the registry is only covering authentication using the token. This aligns with the oauth2 spec which specifies the scope as optional. Signed-off-by: Derek McGowan <derek@mcgstyle.net>

Michael Crosby

commit sha 1649e8e43b2bede35b8cc56d2bd41e59e1e97469

Merge pull request #3848 from liaojh1998/master support user remapping in ctr

Michael Crosby

commit sha 5d93ece75875c030b6b9dd76a7facfc9c3bf7a29

Merge pull request #3799 from AkihiroSuda/cgroup2 support cgroup2

Phil Estes

commit sha ff91f225fa0e3c795b7365af7cefad22ca845d4b

Merge pull request #3889 from dmcgowan/allow-empty-scope Allow empty scope authorization

Phil Estes

commit sha fa62b6d2380817f9baef36944289d826398a0999

Use logrus instead of printf for warning Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>

Alex Price

commit sha a022c218194c05449ad69b69c48fc6cac9d6f0b3

Improve host fallback behaviour in docker remote This commit improves the fallback behaviour when resolving and fetching images with multiple hosts. If an error is encountered when resolving and fetching images, and more than one host is being used, we will try the same operation on the next host. The error from the first host is preserved so that if all hosts fail, we can display the error from the first host. fixes #3850 Signed-off-by: Alex Price <aprice@atlassian.com>

Michael Crosby

commit sha 082f7e3aed57ae0a3cec3cd82e41d3bf4e553428

Merge pull request #3890 from estesp/printf-to-log Use logrus instead of printf for warning

Akihiro Suda

commit sha 43fca9eba242e3f019369bcc4a0b4243899e319a

metrics: rename pids_v2 to pids discussed in #3726 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Joakim Roubert

commit sha 9eef69e3ae145e0e442d9107cabcfa569029bbdd

Update after review comments Change-Id: Ic566e4857436409cdf1cdd7a635dfeee809b91a9 Signed-off-by: Joakim Roubert <joakimr@axis.com>

Maksym Pavlenko

commit sha 75efbaf67859c85471a40643d79bd7d5fdd6fa77

Attempt to make device mapper snapshotter tests less flaky Signed-off-by: Maksym Pavlenko <makpav@amazon.com>

Phil Estes

commit sha 6c82fe5429931ced190b5b1f38e25573ca00c195

Merge pull request #3891 from AkihiroSuda/rename-pids-v2 metrics: rename pids_v2 to pids

Akihiro Suda

commit sha 5473637144496250e4221c9103568d96c33ca29b

Merge pull request #3892 from mxpv/dm-retry Attempt to make device mapper snapshotter tests less flaky

bpopovschi

commit sha b98cc7918446427e4b2de7b975c65c1f44451a56

Added memory and cpu metrics for cgroupv2 Signed-off-by: bpopovschi <zyqsempai@mail.ru>

push time in 9 days

push event estesp/containerd

Johannes Frey

commit sha 87f9fdb06519594d8f26d6a20f85e79b9a35d8bf

Cope with double quotes in Linux Mountinfo Signed-off-by: Johannes Frey <me@johannes-frey.de>

Johannes Frey

commit sha cb91b1724dec212db7ba68958f2b7aba8a4ceee9

Add testcase containing mountpoint with escaped backslash Signed-off-by: Johannes Frey <me@johannes-frey.de>

Johannes Frey

commit sha 8897e152030ec3d6076558388f84e447a7be1b64

Add more test cases with single quotes Signed-off-by: Johannes Frey <me@johannes-frey.de>

Johannes Frey

commit sha ee734e867ab9732a7c42028be1e8a8a76ac3da84

Add test case with backticks Signed-off-by: Johannes Frey <me@johannes-frey.de>

Akihiro Suda

commit sha 1a83f9a63883010a958b26b058fc4645f8838578

Bump Golang 1.13.12 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Akihiro Suda

commit sha bebfbab03163da35300c360504ce5df33a19a40d

vendor: update bbolt to v1.3.5 We had once updated bbolt from v1.3.3 to v1.3.4 in #4134, but reverted to v1.3.3 in #4156 due to "fatal error: sweep increased allocation count" (etcd-io/bbolt#214). The issue was fixed in bbolt v1.3.5 (etcd-io/bbolt#220). Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Davanum Srinivas

commit sha 2b0a994ccc1693bb55fe050f8213ea73407c8c3e

explicitly fail apparmor when !linux Signed-off-by: Davanum Srinivas <davanum@gmail.com>

Akihiro Suda

commit sha 20b0e5b9d02955318c46e12911a3942b975f045b

Merge pull request #4336 from dims/explicitly-fail-apparmor-when-not-running-on-linux Explicitly fail apparmor when not running on linux

Wei Fu

commit sha e89500bcb0121365986f0404972ced64189e528a

Merge pull request #4333 from AkihiroSuda/golang-1.13.12 Bump Golang 1.13.12

Michael Crosby

commit sha c2f8011ff84dc584f821f155d17f36bdf550a157

Merge pull request #4334 from AkihiroSuda/bbolt-1.3.5 vendor: update bbolt to v1.3.5

Akihiro Suda

commit sha fd99b6566be4f2303e71274976e2cd6eee4553c0

decrease log level of cgroup2 ToggleController error when running in UserNS Fix #4312 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Sebastiaan van Stijn

commit sha b96f5f4b524f58755ea18540513f80c99cc07b76

Fix deprecation warnings in CRI tests due to missing unix:// scheme [BeforeEach] [k8s.io] Security Context /home/runner/work/containerd/containerd/src/github.com/kubernetes-sigs/cri-tools/pkg/framework/framework.go:50 W0624 12:26:28.532644 30569 util_unix.go:103] Using "/var/run/containerd/containerd.sock" as endpoint is deprecated, please consider using full url format "unix:///var/run/containerd/containerd.sock". W0624 12:26:28.532700 30569 util_unix.go:103] Using "/var/run/containerd/containerd.sock" as endpoint is deprecated, please consider using full url format "unix:///var/run/containerd/containerd.sock". Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Phil Estes

commit sha f85375bbbd91a13774086065aaf97889a7d428dd

Merge pull request #4341 from thaJeztah/fix_cri_warnings Fix deprecation warnings in CRI tests due to missing unix:// scheme

Avi Deitcher

commit sha e7f069e2c337bf77d31b7460bda980482fdaf508

describe content flow and dependencies Signed-off-by: Avi Deitcher <avi@deitcher.net>

Derek McGowan

commit sha 1127ffc7400e2d1b438979fd782b7ed9c73e5c9b

Merge pull request #4207 from deitch/doc-content describe content flow and dependencies

Michael Crosby

commit sha 492c014136a301eff66a970311cd480d1d31228b

Merge pull request #4340 from AkihiroSuda/fix-4312 decrease log level of cgroup2 ToggleController error when running in UserNS

Michael Crosby

commit sha c75180740937d4b2d44b9c1edc1c27b208e66e32

Merge pull request #4325 from c445/mountinfo-linux-double-quotes Cope with double quotes in Linux Mountinfo

push time in 9 days

push event estesp/containerd

Phil Estes

commit sha aaa4142d0889954fbd9a776a6bcc72625d62bdbd

Add ctr --userns to test/utilize user namespace mappings A simple starting point for testing the remapper labels and/or remapping snapshot options. Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>

push time in 9 days

pull request comment containerd/containerd

Support helpers for label-based userns remapping

@AkihiroSuda yes, working on it today (a ctr flag)

estesp

comment created time in 9 days

issue comment containerd/containerd

Failure to pull docker image that docker has no problem with

I'm curious if you can tell us about the registry at docker.forio.com? I don't see any reason packer would create schema1 images, so I'm wondering if the registry only supports schema1 and did a translation when they were pushed after the packer build? Looking at packer, it just uses the Docker engine on the system to create/build the image, which should have in any modern Docker release been a schema v2.2 image.

I don't think the Docker engine tries to do a conversion from old schema1 images, which could explain the difference in pull behavior, but we should still figure out why this particular flow (packer + your registry) is leading to schema1 images which are missing the expected signatures section.

zenbones

comment created time in 10 days

pull request comment containerd/containerd

describe content flow and dependencies

Thanks @deitch!

deitch

comment created time in 11 days

push event containerd/containerd

Sebastiaan van Stijn

commit sha b96f5f4b524f58755ea18540513f80c99cc07b76

Fix deprecation warnings in CRI tests due to missing unix:// scheme [BeforeEach] [k8s.io] Security Context /home/runner/work/containerd/containerd/src/github.com/kubernetes-sigs/cri-tools/pkg/framework/framework.go:50 W0624 12:26:28.532644 30569 util_unix.go:103] Using "/var/run/containerd/containerd.sock" as endpoint is deprecated, please consider using full url format "unix:///var/run/containerd/containerd.sock". W0624 12:26:28.532700 30569 util_unix.go:103] Using "/var/run/containerd/containerd.sock" as endpoint is deprecated, please consider using full url format "unix:///var/run/containerd/containerd.sock". Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Phil Estes

commit sha f85375bbbd91a13774086065aaf97889a7d428dd

Merge pull request #4341 from thaJeztah/fix_cri_warnings Fix deprecation warnings in CRI tests due to missing unix:// scheme

push time in 11 days

PR merged containerd/containerd

Fix deprecation warnings in CRI tests due to missing unix:// scheme

[BeforeEach] [k8s.io] Security Context
  /home/runner/work/containerd/containerd/src/github.com/kubernetes-sigs/cri-tools/pkg/framework/framework.go:50
 W0624 12:26:28.532644   30569 util_unix.go:103] Using "/var/run/containerd/containerd.sock" as endpoint is deprecated, please consider using full url format "unix:///var/run/containerd/containerd.sock".
 W0624 12:26:28.532700   30569 util_unix.go:103] Using "/var/run/containerd/containerd.sock" as endpoint is deprecated, please consider using full url format "unix:///var/run/containerd/containerd.sock".

+1 -1

1 comment

1 changed file

thaJeztah

pr closed time in 11 days

pull request comment containerd/containerd

Prepare release v1.3.5

Do we want to bring the release GH Action from master to this branch before releasing now that we have tested & validated it works?

AkihiroSuda

comment created time in 11 days

pull request comment containerd/containerd

Explicitly fail apparmor when not running on linux

The linter doesn't like the (lack of) formatting of the imports in your new file. :)

dims

comment created time in 13 days

pull request comment opencontainers/tob

projects: add ORAS proposal

@cyphar at this hour in my timezone there is way too much text to respond to for completeness, but let me summarize that it seems like there is a huge disconnect when the ORAS proposal goes out of its way to use phrases like "custom content", "artifacts", "other types of content" and consistently never talks about implementing any functionality related to the image-spec in reference to ORAS, yet almost the entire review revolves around (drum-roll please): ORAS doesn't seem to work with the image-spec! Yes, exactly. We already have plenty of tools for that all over the container ecosystem.

ORAS is a library to handle the client-side interactions with any given distribution-spec implementation, and provides a common library of functionality on which people can implement and explore the ideas and media types being hashed out in the OCI artifacts project. It has no default purpose, nor would it make sense for it to handle pulling OCI image-spec bundles as it was never designed or even recommended as a tool for that purpose. It would take about 15 minutes of code to use ORAS to make an image-spec "compliant" client (I've actually done this with ORAS and a custom image handler function which properly walks the image-spec), but given that wasn't the purpose, I'm confused as to why that has to be the "default mode" of ORAS when it wasn't designed to be a container image client.

jdolitsky

comment created time in 17 days

push event estesp/manifest-tool

Justin J. Novack

commit sha f0314f491deda4fb90f336ba6bfb69e82cb93b25

Update README.md Add documentation for using VARIANT.

Phil Estes

commit sha a6bcfe046be6729b5800523b1b0850af3f05f858

Merge pull request #96 from jnovack/patch-1 Add VARIANT Documentation

push time in 17 days

PR merged estesp/manifest-tool

Add VARIANT Documentation

Add documentation for using VARIANT, had to dig through the code for this, but this is exactly what I needed!

+13 -2

1 comment

1 changed file

jnovack

pr closed time in 17 days

pull request comment estesp/manifest-tool

Add VARIANT Documentation

Thanks; totally missed this was never added.

jnovack

comment created time in 17 days

issue comment estesp/manifest-tool

Documentation Notice: `push from-args` is overwrite, not append.

These are some good questions, and I'm sure the documentation in this repo could be more clear on the usage side for various scenarios. Mostly the topic of "how do I?" has been shared in other venues like talks about multi-arch build pipelines and/or specific users (like how manifest-tool is used by the official images update scripts for DockerHub). I should probably add a section to link to some of those resources to give folks a jumping off point to learn some of the practices others are using.

To respond to a few specifics, although it sounds like you are getting most of this:

  • the from-args usage makes the most sense when you have a set of images you have already built and used a very specific naming structure such that you can use the template with replacement values for OS, ARCH, and VARIANT and manifest-tool does the work of going and looking up those image references and assembling the final multi-platform image specified as the target.
  • There is no real way to "append" to a manifest-list; image references and content changing the manifest JSON will create a new image with a new cryptographic hash/identifier, so just like rebuilding a (non-multiarch) image and pushing it to the same tag overwrites what the registry already has for that tag, the same thing happens when writing a manifest list object to a registry.
  • To have the semblance of a growing manifest list entry as architecture builds complete requires using the YAML file input option alongside the "--ignore-missing" option so that you can keep doing manifest-list push after each build completes with the same YAML listing all images you expect to be part of the final manifest list, and it will keep writing it with the ones which are complete and ignoring (with a WARN output) ones which are missing. The official image build tools use this model so that, for example, "busybox:latest" will have as many architectures as are done, and will update as often as necessary until the last architecture build is complete, which could be hours after the first one completes.
  • The same official images team (and @tianon can chime in here if he has other details) also asked for the feature within the YAML input to list an additional set of tags you want to update to also point to the manifest list object, so you can update "latest" and "2.3.1" and "2.3" and "2" all at the same time. This is not available on the command line from-args model, but only in the YAML input.

All my projects which use manifest-tool are using the model you noted in your last comment: you build all images in one go and then run manifest-tool to compile them into the manifest list object entry in the registry. I use that here in this project (you can see the CI configuration and how I do it), in my mquery tool repo, and also @StefanScherer has some good resources like this blog post on his model of build, push, then push multiplatform manifest. Note that he is using the experimental docker manifest command, which was written from the code here in manifest-tool.

jnovack

comment created time in 17 days

Pull request review comment opencontainers/tob

projects: add ORAS proposal

 https://groups.google.com/a/opencontainers.org/forum/#!forum/tob (tob@opencontai * [Image Format Spec](proposals/image-format) * [SELinux](proposals/selinux.md) * [Tools](proposals/tools.md)+* [ORAS](proposals/oras.md)

@jdolitsky if you could rebase on master to pick up the conflict in this list (umoci was merged) that would be good so this is mergeable when necessary.

jdolitsky

comment created time in 18 days

pull request comment opencontainers/tob

projects: add ORAS proposal

What are the remaining questions from TOB members? We need to finalize questions today (and a maximum of maybe 24 hrs from now IMHO) so that answers can be provided and we give the ORAS experts at least a day to provide answers.

I haven't seen any substantial feedback or responses since we extended the vote, but we need a conscious acknowledgement from TOB members that their specific questions are answered and they are all comfortable to make a voting decision.

jdolitsky

comment created time in 18 days

pull request comment containerd/containerd

vendor: golang.org/x/text v0.3.3 (CVE-2020-14040)

Similar thoughts from me in the 1.2 backport PR: https://github.com/containerd/containerd/pull/4331#issuecomment-645566465

thaJeztah

comment created time in 18 days

pull request comment containerd/containerd

[release/1.2 backport] vendor: golang.org/x/text v0.3.3

The CVE text is not public yet (just a reserved number) so the only current info is in the golang issue (#39491). It appears it is limited to the UTF-16 text decoder and a specific case of using it with a single character.

Looking across the codebase, I see no direct import of x/text anywhere in containerd, and the reason for import seems to be use in x/net to be able to properly parse unicode-encoded hostnames in the internals of the HTTP implementation; which again is not used by anything in containerd, but tangentially used when using the HTTP implementation in a few imported libraries (the kubernetes API seems to be one place).

Given all that, and given UTF-16 characters are probably not used (UTF-8 would be much more likely), and not in the very special case needed, I would say this is an extremely low-impact CVE and probably not worth bringing to 1.2, and maybe even debatable for 1.3 release, in my opinion.

thaJeztah

comment created time in 18 days

push event estesp/containerd

Gaurav Singh

commit sha ae08491bff2fdef7a91ff9c2d9e532d2f63d4bbd

waitForPid: fix goroutine leak Signed-off-by: Gaurav Singh <gaurav1086@gmail.com>

Gaurav Singh

commit sha 7213cd89d659876c31468dd1c9f5c98ec16ecdcb

Process I/O: Fix goroutine leak Signed-off-by: Gaurav Singh <gaurav1086@gmail.com>

Rudy Zhang

commit sha d36810d66d87f08b09003b2e2455bcabe116ab08

overlay: use index=off to fix EBUSY on mount kernel version > 4.13rc1 support index=on feature, it will be failed with EBUSY when trying to mount. Related: https://github.com/moby/moby/pull/37993 Signed-off-by: Rudy Zhang <rudyflyzhang@gmail.com>

Michael Crosby

commit sha 0f831093ce6ed28a9bb21f839d3f369ca6be9113

Update usage of whitelist in project Signed-off-by: Michael Crosby <michael@thepasture.io>

Derek McGowan

commit sha 4e6d38606cd3dd6dfaabd48b8eb4baaa63c9a140

Merge pull request #4313 from crosbymichael/allow-list Update usage of whitelist in project

Michael Crosby

commit sha 7fdcd07febba0aea18b543587897efd6744f62d1

Merge pull request #4310 from gaurav1086/process_io_fix_goroutine_leak Process I/O: Fix goroutine leak

Michael Crosby

commit sha 7868e8d6aab20a44dafe6f330aa8e2afadf3b750

Merge pull request #4309 from gaurav1086/waitForPid_fix_goroutine_leak waitForPid: fix goroutine leak

Wei Fu

commit sha 834665d9db028c8733479b5063e4fd477e549364

Merge pull request #4311 from rudyfly/upsteam_overlay_indexoff overlay: use index=off to fix EBUSY on mount

Wei Fu

commit sha d656fa38ca32fc0e08f31b74169552f371bbd4e0

restart plugin: support binary log uri Introduce LogURIGenerator helper function in cio package. It is used in the restart options, like WithBinaryLogURI and WithFileLogURI. And restart.LogPathLabel might be used in production and work well. In order to reduce breaking change, the LogPathLabel is still recognized if new LogURILabel is not set. In next release 1.5, the LogPathLabel will be removed. Signed-off-by: Wei Fu <fuweid89@gmail.com>

Kenta Tada

commit sha 730b7a932e36472428e0c4147b6f794963c87033

Change the type of PdeathSignal Use x/sys as same as runtime/v1/linux/runtime.go Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>

Michael Crosby

commit sha 185ea541d2254c734a5d123797868e8d3ac399f4

Merge pull request #4317 from KentaTada/modify-pdeathsignal-type Change the type of PdeathSignal

Michael Crosby

commit sha ae2f3fdfd1a435fe83fb083e4db9fa63a9e0a13e

Merge pull request #4315 from fuweid/fix-4294 restart plugin: support binary log uri

Michael Crosby

commit sha 785f4c5cd98f4b9aa11401b229c33f53512ce08d

Bump CRI for 1.4x release includes selinux bump. Signed-off-by: Michael Crosby <michael@thepasture.io>

Phil Estes

commit sha 705b8527d4945db601954246972674a25ed49347

Merge pull request #4323 from crosbymichael/cri-bump1.4x Bump CRI for 1.4x release

Akihiro Suda

commit sha 4c49ff88c5b901fc3b45077c88af932fb7ad4e76

integration: assume TEST_RUNTIME to be io.containerd.runc.v2 by default containerd 1.4 uses io.containerd.runc.v2 as the default runtime for both CRI and non-CRI. The test is updated to assume v2 shim by default. Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Phil Estes

commit sha 49b0743c1c07500a062a6996c8afba2dafc8c64e

Merge pull request #4324 from AkihiroSuda/fix-get-runtimeversion integration: assume TEST_RUNTIME to be io.containerd.runc.v2 by default

Akihiro Suda

commit sha f1a469a03578b061af0991228fdd3171a75fc2c8

shim v2 runc: propagate options.Root to Cleanup Previously shim v2 (`io.containerd.runc.{v1,v2}`) always used `/run/containerd/runc` as the runc root. Fix #4326 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Sebastiaan van Stijn

commit sha ea06877696c7c54606a3ff630e931696c96d4888

vendor: golang.org/x/text v0.3.3 full diff: https://github.com/golang/text/compare/19e51611da83d6be54ddafce4a4af510cb3e9ea4...v0.3.3 includes a fix for [CVE-2020-14040][1] [1]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14040 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Phil Estes

commit sha fb80a49ec111d11d2cd50743c00ecd8ebbb27c3a

Merge pull request #4327 from AkihiroSuda/fix-4326 shim v2 runc: propagate options.Root to Cleanup

Akihiro Suda

commit sha bf672cccee2a0baf4720ec534a738f6003c0e5a7

Merge pull request #4328 from thaJeztah/bump_x_text vendor: golang.org/x/text v0.3.3 (CVE-2020-14040)

push time in 18 days

PR merged containerd/containerd

[release/1.3 backport] shim v2 runc: propagate options.Root to Cleanup

Previously shim v2 (io.containerd.runc.{v1,v2}) always used /run/containerd/runc as the runc root.

backport of https://github.com/containerd/containerd/pull/4327

fixes https://github.com/containerd/containerd/issues/4326 fixes https://github.com/containerd/containerd/issues/2767

+58 -2

2 comments

3 changed files

thaJeztah

pr closed time in 18 days

push event containerd/containerd

Akihiro Suda

commit sha 1ceb0a815a30411f3ab38b8a398dfd69a009f5b3

shim v2 runc: propagate options.Root to Cleanup Previously shim v2 (`io.containerd.runc.{v1,v2}`) always used `/run/containerd/runc` as the runc root. Fix #4326 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> (cherry picked from commit f1a469a03578b061af0991228fdd3171a75fc2c8) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Phil Estes

commit sha 885ab8fb0ff6a6de052ecd8d4089373f5dfd7cb1

Merge pull request #4329 from thaJeztah/1.3_backport_fix_4326 [release/1.3 backport] shim v2 runc: propagate options.Root to Cleanup

push time in 18 days

push event containerd/containerd

Akihiro Suda

commit sha f1a469a03578b061af0991228fdd3171a75fc2c8

shim v2 runc: propagate options.Root to Cleanup Previously shim v2 (`io.containerd.runc.{v1,v2}`) always used `/run/containerd/runc` as the runc root. Fix #4326 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Phil Estes

commit sha fb80a49ec111d11d2cd50743c00ecd8ebbb27c3a

Merge pull request #4327 from AkihiroSuda/fix-4326 shim v2 runc: propagate options.Root to Cleanup

push time in 18 days

PR merged containerd/containerd

shim v2 runc: propagate options.Root to Cleanup cherry-pick/1.3.x kind/bug

Previously shim v2 (io.containerd.runc.{v1,v2}) always used /run/containerd/runc as the runc root.

Fix #4326 Fix https://github.com/containerd/containerd/issues/2767

+58 -2

2 comments

3 changed files

AkihiroSuda

pr closed time in 18 days

issue closed containerd/containerd

shim v2 doesn't pass Moby test `TestContainerStartOnDaemonRestart` (because shim v2 uses hard-coded RuncRoot)

Description

shim v2 io.containerd.runc.v2 doesn't pass Moby test TestContainerStartOnDaemonRestart: https://github.com/moby/moby/blob/88241b99893cce78a7734a19b38d468d0dcb6156/integration/container/daemon_linux_test.go#L20-L68 (https://github.com/moby/moby/issues/36145)

Steps to reproduce the issue:

  1. Checkout moby/moby@88241b99893cce78a7734a19b38d468d0dcb6156
  2. Apply the following patch to ensure that the daemon uses shim v2. This step is not needed on the cgroup v2 hosts, as cgroup v2 mode always uses shim v2.
diff --git a/daemon/daemon_unix.go b/daemon/daemon_unix.go
index 1a577276ef..1fdb924f77 100644
--- a/daemon/daemon_unix.go
+++ b/daemon/daemon_unix.go
@@ -1757,7 +1757,7 @@ func (daemon *Daemon) setupSeccompProfile() error {
 }
 
 func (daemon *Daemon) useShimV2() bool {
-       return cgroups.IsCgroup2UnifiedMode()
+       return true
 }
 
 // RawSysInfo returns *sysinfo.SysInfo .
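Review bot: `return true` in useShimV2() drops the cgroups.IsCgroup2UnifiedMode() check and forces shim v2 on every host, so this should stay a local reproduction patch only. Add a comment on the changed line marking it as test-only, and check whether the `cgroups` import in daemon/daemon_unix.go is still referenced elsewhere in the file, since an unused import would fail the Go build.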
  3. `DOCKER_BUILD_ARGS="--build-arg CONTAINERD_COMMIT=705b8527d4945db601954246972674a25ed49347" TESTFLAGS="-test.run TestContainerStartOnDaemonRestart" TEST_SKIP_INTEGRATION_CLI=1 make test-integration`

Describe the results you received:

--- FAIL: TestContainerStartOnDaemonRestart (2.37s)
    daemon_linux_test.go:67: assertion failed: error is not nil: Error response from daemon: OCI runtime create failed: container with id exists: 2585935e9bb8c9e5678466e4c7d001082abeacc6945d5c00cdc8f1cb713ebdd0: unknown: failed to start test container
FAIL

Describe the results you expected:

The test should succeed

Output of containerd --version: 705b8527d4945db601954246972674a25ed49347 (master as of June 16).

The issue happens with v1.3.4 as well.

Any other relevant information: Moby PR https://github.com/moby/moby/pull/41115 is blocked due to this.

closed time in 18 days

AkihiroSuda

issue closed containerd/containerd

v2 runtime should support runtime_root

Description

v2 runtime should support custom runtime_root configuration like v1

[plugins]
  [plugins.linux]
    runtime_root = ...

closed time in 18 days

AkihiroSuda

pull request comment containerd/project

Add security advisor role

SGTM. The only open question in my mind is whether there is yet another "receive only" role for end user/vendors who don't feel they have the ability/interest to be more actively involved in security issues and only want to be part of a "disclose" list for a heads up on potential CVEs and mitigations for their production systems? Or do we want to make sure that all end users end up with at least one "security advisor" here? I haven't formed a strong opinion either way, but I wonder if we need to call that out specifically if we aren't going to have another (mailing list?) avenue for security disclosure awareness and announces.

dmcgowan

comment created time in 19 days

push event containerd/containerd

Akihiro Suda

commit sha 4c49ff88c5b901fc3b45077c88af932fb7ad4e76

integration: assume TEST_RUNTIME to be io.containerd.runc.v2 by default containerd 1.4 uses io.containerd.runc.v2 as the default runtime for both CRI and non-CRI. The test is updated to assume v2 shim by default. Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Phil Estes

commit sha 49b0743c1c07500a062a6996c8afba2dafc8c64e

Merge pull request #4324 from AkihiroSuda/fix-get-runtimeversion integration: assume TEST_RUNTIME to be io.containerd.runc.v2 by default

push time in 19 days

PR merged containerd/containerd

integration: assume TEST_RUNTIME to be io.containerd.runc.v2 by default

containerd 1.4 uses io.containerd.runc.v2 as the default runtime for both CRI and non-CRI. The test is updated to assume v2 shim by default.

+3 -3

2 comments

1 changed file

AkihiroSuda

pr closed time in 19 days

push event containerd/containerd

Michael Crosby

commit sha 785f4c5cd98f4b9aa11401b229c33f53512ce08d

Bump CRI for 1.4x release includes selinux bump. Signed-off-by: Michael Crosby <michael@thepasture.io>

Phil Estes

commit sha 705b8527d4945db601954246972674a25ed49347

Merge pull request #4323 from crosbymichael/cri-bump1.4x Bump CRI for 1.4x release

push time in 20 days

PR merged containerd/containerd

Bump CRI for 1.4x release

includes selinux bump.

Signed-off-by: Michael Crosby michael@thepasture.io

+68 -18

1 comment

13 changed files

crosbymichael

pr closed time in 20 days

pull request comment opencontainers/tob

projects: add ORAS proposal

Thanks @SteveLasker; I did pass the extension by Amy and Chris A. today to make sure there were no governance issues I was unaware of with a decision to extend. I will send a note to the TOB list just to make sure it is clear.

jdolitsky

comment created time in 23 days

pull request comment opencontainers/tob

projects: add ORAS proposal

I could be swayed either way (delay vote conclusion by one week or try and get people to vote in the next 3+ hours with @SteveLasker's reasonable point about ongoing discussion/PRs to clarify any open questions). I think the issue is at this point I assume the vote may fail given 2 participants will be in the middle of their night at vote close.

I would like everyone on the TOB to feel comfortable that any larger questions are put to rest (with total agreement that there will always be nuance and changes over time that can be handled post-vote), and it feels like trying to get a complete vote will effectively have to be rushed at this point.

It is a bit troublesome that after months of discussion most questions have come up in the 48 hours before the vote, but that's life in open source! :) Agree with @cyphar that given a lot of questions were raised on both proposals running them in parallel may have added to the difficulty there.

Thoughts? Opinions?

jdolitsky

comment created time in 23 days

issue comment containerd/containerd

containerd make protos failed

See this commit as we hit the same problem in containerd when an upstream dependency changed: https://github.com/containerd/containerd/commit/041545cd6ad53bd8a5279c3ea0ede101865cdc83#diff-d98e74ce745850ffad46c65422462751

Most importantly you cannot pass -u to go get when retrieving protobuild as it will look for latest tagged releases and pull mismatched versions than in the go.mod (which also was updated to fix this issue) in the protobuild repo.

ZhizhouTian

comment created time in 24 days

pull request comment opencontainers/tob

projects: add ORAS proposal

Just a quick note that we may have a vote close and timezone issue here as @cyphar has made comments and requested changes, but it is now the day of the vote close and I assume @cyphar doesn't stay up all night in his timezone :) So, I'm not sure how that will be resolved prior to noon US Pacific today. I have replaced @vbatts LGTM vote that was lost during the commit squash/edit; I assume no one else has voted yet?

jdolitsky

comment created time in 24 days

Pull request review comment opencontainers/tob

projects: add umoci proposal

+# OCI umoci Project Proposal #++## Abstract ##+The need for a "works out of the box" image tool that is supported by OCI has been clear for several years.+umoci was initially developed to fulfil this requirement, and after several years of development and wide-spread production usage, we feel it is time to include it within the OCI.+The following proposal outlines how this would be achieved.++## Background ##+To quote the description of umoci from [the project website][umoci]:++> umoci is a free software tool for manipulating and interacting with container+> images in the standardised Open Container Initiative’s image format. It+> provides one of the most flexible image management toolsets, requiring+> neither a daemon nor any particular filesystem setup. It is already used in a+> variety of different projects and by several companies.++umoci is primarily used as a command-line tool, and can be used to perform fundamental operations on an OCI container image.+An example session looks like++```shell+$ umoci unpack --image opensuse:leap bundle+$ runc run -b bundle ctr+# # make some changes...+$ umoci repack --image opensuse:leap bundle+```++Where `opensuse` is an OCI image layout stored as a directory, and `leap` is a "tag" in the OCI image.+The above session extracted (`umoci unpack`) the image as an OCI Runtime Specification bundle, spawned a container using the bundle (`runc run ...`), and then updated the image to create a new image layer based on any changes made (`umoci repack`).++umoci has a fairly minimal feature set, and was intended from the outset to implement all of the key features which are needed from a reference implementation of the OCI Image Specifications.+The help page for the latest version of `umoci` (`0.4.5` at the time of writing) is provided below:++```+NAME:+   umoci - umoci modifies Open Container images++USAGE:+   umoci [global options] command [command options] [arguments...]++VERSION:+   0.4.5++AUTHOR:+   Aleksa Sarai 
<asarai@suse.com>++COMMANDS:+   raw      advanced internal image tooling+   help, h  Shows a list of commands or help for one command++   image:+     config      modifies the image configuration of an OCI image+     unpack      unpacks a reference into an OCI runtime bundle+     repack      repacks an OCI runtime bundle into a reference+     new         creates a blank tagged OCI image+     tag         creates a new tag in an OCI image+     remove, rm  removes a tag from an OCI image+     stat        displays status information of an image manifest+     insert      insert content into an OCI image++   layout:+     gc        garbage-collects an OCI image's blobs+     init      create a new OCI layout+     list, ls  lists the set of tags in an OCI layout++GLOBAL OPTIONS:+   --verbose      alias for --log=info+   --log value    set the log level (debug, info, [warn], error, fatal) (default: "warn")+   --help, -h     show help+   --version, -v  print the version+```++For a more detailed explanation of umoci, see the [project website's guide][umoci-guide].++[umoci]: https://umo.ci/+[umoci-guide]: https://umo.ci/quick-start/++## Proposal ##+Change the ownership of the existing umoci project from openSUSE:++  https://github.com/openSUSE/umoci++And move it inside the `opencontainers` organisation:++  https://github.com/opencontainers/umoci++The import paths will correspondingly be "github.com/opencontainers/umoci" (umoci does have some Go API users, but since the project will be renamed -- and GitHub will add a redirect -- there will be no significant downstream impact of the change).+In the future we may opt to use vanity imports (such as "umo.ci/cmd/umoci").++The project's domain "umo.ci" will also be transferred to the Linux Foundation so that it can be managed by someone other than the maintainers (though maintainers must maintain the necessary administrative access to maintain the website).++### Initial Maintainers ###+Initial maintainers of the umoci project would 
be:++* Aleksa Sarai <cyphar@cyphar.com> (@cyphar)+* Tycho Andersen <tycho@tycho.ws> (@tych0)+* Vincent Batts <vbatts@hashbangbash.com> (@vbatts)++### Code of Conduct ###+This project would incorporate (by reference) the OCI [Code of Conduct][code-of-conduct].++[code-of-conduct]: https://github.com/opencontainers/org/blob/master/CODE_OF_CONDUCT.md++### Governance and Releases ###+This project would initially incorporate the Governance and Release processes from [the OCI project template][oci-template].+In the future, umoci may choose to modify the Governance and Release processes to better fit the needs of the umoci project.++It should be noted that since umoci is not a specification, it is not bound by the ordinary quorum and voting rules for specification release.+As such, new versions will be released as regularly as needed without the need for a quorum vote.+This is to avoid the serious delays in releases encountered within the runc project.++Until there are enough additional maintainers, PRs will be merged with only one maintainer LGTM required.
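Review bot: the reference-style link `[oci-template]` in "Governance and Releases" has no definition in the lines shown, whereas `[umoci]`, `[umoci-guide]` and `[code-of-conduct]` are each defined directly after the section that uses them. Add the `[oci-template]: …` definition next to this section, or confirm it follows later in the file, so the link to the project template resolves.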

Thanks for updating the proposed governance; IMO it strikes a good balance between the reality of a small maintainer group and baking in some reasonable protections for the future. Thanks.

cyphar

comment created time in 24 days

Pull request review comment opencontainers/tob

projects: add umoci proposal

+# OCI umoci Project Proposal #++## Abstract ##+The need for a "works out of the box" image tool that is supported by OCI has been clear for several years.+umoci was initially developed to fulfil this requirement, and after several years of development and wide-spread production usage, we feel it is time to include it within the OCI.+The following proposal outlines how this would be achieved.++## Background ##+To quote the description of umoci from [the project website][umoci]:++> umoci is a free software tool for manipulating and interacting with container+> images in the standardised Open Container Initiative’s image format. It+> provides one of the most flexible image management toolsets, requiring+> neither a daemon nor any particular filesystem setup. It is already used in a+> variety of different projects and by several companies.++umoci is primarily used as a command-line tool, and can be used to perform fundamental operations on an OCI container image.+An example session looks like++```shell+$ umoci unpack --image opensuse:leap bundle+$ runc run -b bundle ctr+# # make some changes...+$ umoci repack --image opensuse:leap bundle+```++Where `opensuse` is an OCI image layout stored as a directory, and `leap` is a "tag" in the OCI image.+The above session extracted (`umoci unpack`) the image as an OCI Runtime Specification bundle, spawned a container using the bundle (`runc run ...`), and then updated the image to create a new image layer based on any changes made (`umoci repack`).++umoci has a fairly minimal feature set, and was intended from the outset to implement all of the key features which are needed from a reference implementation of the OCI Image Specifications.+The help page for the latest version of `umoci` (`0.4.5` at the time of writing) is provided below:++```+NAME:+   umoci - umoci modifies Open Container images++USAGE:+   umoci [global options] command [command options] [arguments...]++VERSION:+   0.4.5++AUTHOR:+   Aleksa Sarai 
<asarai@suse.com>++COMMANDS:+   raw      advanced internal image tooling+   help, h  Shows a list of commands or help for one command++   image:+     config      modifies the image configuration of an OCI image+     unpack      unpacks a reference into an OCI runtime bundle+     repack      repacks an OCI runtime bundle into a reference+     new         creates a blank tagged OCI image+     tag         creates a new tag in an OCI image+     remove, rm  removes a tag from an OCI image+     stat        displays status information of an image manifest+     insert      insert content into an OCI image++   layout:+     gc        garbage-collects an OCI image's blobs+     init      create a new OCI layout+     list, ls  lists the set of tags in an OCI layout++GLOBAL OPTIONS:+   --verbose      alias for --log=info+   --log value    set the log level (debug, info, [warn], error, fatal) (default: "warn")+   --help, -h     show help+   --version, -v  print the version+```++For a more detailed explanation of umoci, see the [project website's guide][umoci-guide].++[umoci]: https://umo.ci/+[umoci-guide]: https://umo.ci/quick-start/++## Proposal ##+Change the ownership of the existing umoci project from openSUSE:++  https://github.com/openSUSE/umoci++And move it inside the `opencontainers` organisation:++  https://github.com/opencontainers/umoci++The import paths will correspondingly be "github.com/opencontainers/umoci" (umoci does have some Go API users, but since the project will be renamed -- and GitHub will add a redirect -- there will be no significant downstream impact of the change).+In the future we may opt to use vanity imports (such as "umo.ci/cmd/umoci").++The project's domain "umo.ci" will also be transferred to the Linux Foundation so that it can be managed by someone other than the maintainers (though maintainers must maintain the necessary administrative access to maintain the website).++### Initial Maintainers ###+Initial maintainers of the umoci project would 
be:++* Aleksa Sarai <cyphar@cyphar.com> (@cyphar)+* Tycho Andersen <tycho@tycho.ws> (@tych0)+* Vincent Batts <vbatts@hashbangbash.com> (@vbatts)++### Code of Conduct ###+This project would incorporate (by reference) the OCI [Code of Conduct][code-of-conduct].++[code-of-conduct]: https://github.com/opencontainers/org/blob/master/CODE_OF_CONDUCT.md++### Governance and Releases ###+This project would initially incorporate the Governance and Release processes from [the OCI project template][oci-template].+In the future, umoci may choose to modify the Governance and Release processes to better fit the needs of the umoci project.++It should be noted that since umoci is not a specification, it is not bound by the ordinary quorum and voting rules for specification release.+As such, new versions will be released as regularly as needed without the need for a quorum vote.+This is to avoid the serious delays in releases encountered within the runc project.++Until there are enough additional maintainers, PRs will be merged with only one maintainer LGTM required.

Given since the start of this proposal you are now up to 3 maintainers, what is "enough additional maintainers"? If you adopt the OCI project template, it defaults to the de facto standard "2 LGTMs". I understand a small project with one core maintainer can't even follow a 2 LGTM rule, but at what point is the growth enough? My concern here is that without any clear definition you have the potential for a future situation where someone changes the maintainers without needing any further approval. Yes, with oversight by the TOB that can be corrected, but that's an ugly situation to have to wade into and would love it if we can protect it out of the gate.

cyphar

comment created time in 25 days

push event estesp/cgroups

Phil Estes

commit sha 350791b421edcf85ccb9fbc68487c1a22d788c6f

Update build status badge to Actions CI Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>

Akihiro Suda

commit sha 80c669f4bad05817dd13e448a47783d6bb38811a

Merge pull request #166 from estesp/actions-badge Update build status badge to Actions CI

push time in a month

pull request comment opencontainers/tob

projects: add umoci proposal

I don't believe there is any reason to restart the voting. Thanks!

cyphar

comment created time in a month

PR opened containerd/cgroups

Update build status badge to Actions CI

Signed-off-by: Phil Estes estesp@linux.vnet.ibm.com

+1 -1

0 comment

1 changed file

pr created time in a month

create branch estesp/cgroups

branch : actions-badge

created branch time in a month

PR merged estesp/cgroups

Migrate CI to GitHub Actions

testing, testing

Signed-off-by: Phil Estes estesp@linux.vnet.ibm.com

+153 -46

0 comment

3 changed files

estesp

pr closed time in a month

push event estesp/cgroups

Phil Estes

commit sha 1388c909d1286b9da8ff55872c18268720dcc2c0

Migrate CI to GitHub Actions Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>

Phil Estes

commit sha 07e657ceed64c8686c7ffe0d35efc34fd806c1a6

Merge pull request #165 from estesp/move-to-ghactions Migrate CI to GitHub Actions

push time in a month

pull request comment containerd/cgroups

Migrate CI to GitHub Actions

Merge to master run shows actions CI now active: https://github.com/containerd/cgroups/runs/754016151

estesp

comment created time in a month

push event containerd/cgroups

Phil Estes

commit sha 1388c909d1286b9da8ff55872c18268720dcc2c0

Migrate CI to GitHub Actions Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>

Phil Estes

commit sha 07e657ceed64c8686c7ffe0d35efc34fd806c1a6

Merge pull request #165 from estesp/move-to-ghactions Migrate CI to GitHub Actions

push time in a month

PR merged containerd/cgroups

Migrate CI to GitHub Actions

Since the Vagrantfile was also being used by Travis this PR removes Travis at the same time as adding Actions, given Travis would simply fail given the changes to the Vagrantfile which are aligned with using the MacOS instance in GH Actions.

You can see a successful run of these changes in my fork here

Fixes: #164 (which was a result of the matrix setup in Travis overriding the standard script section--GH Actions allows us to have a common project check area for DCO and headers, and then run 2 dependent jobs after that for v1 and v2 respectively)

Signed-off-by: Phil Estes estesp@linux.vnet.ibm.com

+153 -46

2 comments

3 changed files

estesp

pr closed time in a month

issue closed containerd/cgroups

DCO check isn't working

We should have DCO checking like this: https://github.com/containerd/go-cni/blob/0553354f0046ccd41a02e724826040491a3d8998/.travis.yml#L18

closed time in a month

AkihiroSuda

pull request comment containerd/cgroups

Migrate CI to GitHub Actions

2 LGTMs so merging to enable full CI again in this repo. Thanks!

estesp

comment created time in a month

Pull request review comment containerd/cgroups

Migrate CI to GitHub Actions

 Vagrant.configure("2") do |config|     v.cpus = 2   end   config.vm.provision "shell", inline: <<-SHELL-    cat << EOF | dnf -y shell-config exclude kernel,kernel-core-config install_weak_deps false-update-install git golang-go-ts run+    set -eux -o pipefail+    # configuration+    GO_VERSION="1.13.11"++	# install gcc and Golang
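Review bot: The added comment line `# install gcc and Golang` at the end of this hunk is indented with a tab, while the added `set -eux -o pipefail` and `GO_VERSION="1.13.11"` lines above it are indented with spaces. Re-indent it with spaces so the inline provisioning script uses one indentation style throughout.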

thanks! fixed

estesp

comment created time in a month

push event estesp/cgroups

Phil Estes

commit sha 1388c909d1286b9da8ff55872c18268720dcc2c0

Migrate CI to GitHub Actions Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>

push time in a month

pull request comment containerd/cgroups

Migrate CI to GitHub Actions

Note that no CI will run on this PR because Travis's config file is removed, and actions only run in the fork, so until this is merged, PRs won't run the actions defined here within the PR as a security measure. See the link above to see the output from these exact changes in my fork.

estesp

comment created time in a month

PR opened containerd/cgroups

Migrate CI to GitHub Actions

Since the Vagrantfile was also being used by Travis this PR removes Travis at the same time as adding Actions, given Travis would simply fail given the changes to the Vagrantfile which are aligned with using the MacOS instance in GH Actions.

You can see a successful run of these changes in my fork here

Fixes: #164 (which was a result of the matrix setup in Travis overriding the standard script section--GH Actions allows us to have a common project check area for DCO and headers, and then run 2 dependent jobs after that for v1 and v2 respectively)

Signed-off-by: Phil Estes estesp@linux.vnet.ibm.com

+153 -46

0 comment

3 changed files

pr created time in a month

push event estesp/cgroups

Phil Estes

commit sha 11531bfcb3b03522b2da1b7ade167225c1f188e4

Migrate CI to GitHub Actions Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>

push time in a month

push event estesp/cgroups

Phil Estes

commit sha 3c4263d5569f6917d080a3f4da2d8b677cc254d0

Migrate CI to GitHub Actions Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>

push time in a month

push event estesp/cgroups

Phil Estes

commit sha 98d2cf93f69a3e21f828505828a2d6fa94d3bc5a

Migrate CI to GitHub Actions Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>

push time in a month

push event estesp/cgroups

Phil Estes

commit sha caca5433bdc819f9f51415c5c2d91cfe470fa58c

Migrate CI to GitHub Actions Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>

push time in a month

PR opened estesp/cgroups

Migrate CI to GitHub Actions

testing, testing

Signed-off-by: Phil Estes estesp@linux.vnet.ibm.com

+157 -7

0 comment

2 changed files

pr created time in a month

create branch estesp/cgroups

branch : move-to-ghactions

created branch time in a month

pull request comment opencontainers/tob

projects: add ORAS proposal

@SteveLasker can you add the same voting markdown from #67 to the top comment so we can align these 2 proposals with the Friday vote deadline?

Thanks!

jdolitsky

comment created time in a month

push event estesp/cgroups

Sebastiaan van Stijn

commit sha 3fa15cd969e077f83b09c3ef86ce9c957ce7fbb8

update runtime-spec v1.0.2 full diff: https://github.com/opencontainers/runtime-spec/compare/5b71a03e2700...v1.0.2 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Maksym Pavlenko

commit sha 53ba5634dc0f0e43af83e83fd486311d2051b939

Merge pull request #155 from thaJeztah/bump_runtime_spec update runtime-spec v1.0.2

Daniel Canter

commit sha 0b707e8f3451569eca9a8e81a80d1fc484133b1b

Implement registering for other memory notifications besides oom

* Implement funcs to register for events for the other memory cgroup files that support the notification API (memory.usage_in_bytes, memory.memsw.usage_in_bytes, memory.pressure_limit).
* Small typo fix in hierarchy.go. enableds -> enables

Signed-off-by: Daniel Canter <dcanter@microsoft.com>

Michael Crosby

commit sha 7fc7a507c04cc4c10f439c904e3bcd785ec37003

Merge pull request #154 from dcantah/v1_register_memory_events Implement registering for other memory notifications besides oom

Akihiro Suda

commit sha 45229ee60b6d744a01351e14d6948c44aca15672

fix Vagrant on Travis (switch to KVM) Installation of VirtualBox was failing because of "gpg: no valid OpenPGP data found." error, and yet VirtualBox is less preferred over KVM. The new script is from runc: https://github.com/opencontainers/runc/blob/b207d578ec2d70e20ca6cfa8a32e49ef59dd48dd/.travis.yml#L23-L42 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Akihiro Suda

commit sha 7a4b4074b7d191f77c127d185d7d04488f961962

v2: fix EventChan

EventChan() was completely broken:
* [critical] `err == nil` comparison was flipped in the opposite way
* [critical] `var out map[string]interface{}` was not initialized with `make()`
* [non-critical] `.(uint64)` conversion errors were not caught

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Wei Fu

commit sha d77cdc42998ffb8adc38cb14962b1ef14ae733cf

Merge pull request #159 from AkihiroSuda/fix-vagrant fix Vagrant on Travis (switch to KVM)

Phil Estes

commit sha 666f4a009ffb2741d4d3884aead4dfc17497c2d6

Merge pull request #158 from AkihiroSuda/fix-event-chan v2: fix EventChan

Jordan Karaze

commit sha 33c0891e862dcdcdd90984cecd6167cae4770b69

add nil check Signed-off-by: Jordan Karaze <jordan.karaze@ibm.com>

Maksym Pavlenko

commit sha 5d2757656685d9b3fa1e9fe2ac0eb7e391ee7380

Merge pull request #162 from Jordy24/add-parameter-validation-checks add nil check

Boris Popovschi

commit sha a71db092e405de1fd4db43b78e5f6f6b628cb33a

Added support for memory.events stats - failCnt Signed-off-by: Boris Popovschi <zyqsempai@mail.ru>

Boris Popovschi

commit sha 31aeab73ea3efb8564714654e80e8cdb1920aaf9

rename fail_cnt to events_max Signed-off-by: Boris Popovschi <zyqsempai@mail.ru>

Akihiro Suda

commit sha f9dd6352282798d3f6aa892553181c015c6a4103

v2/stats: add all fields of memory.events Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Wei Fu

commit sha 0dbf7f05ba59274095946e2c0c89540726e8a8aa

Merge pull request #160 from AkihiroSuda/carry-150 [Carry #150] Added support for memory.events stats

dingdongx

commit sha 905dd2db645798658bb49d9ac7d8a13ffc1854b0

Update README.md Signed-off-by: chenjiandong <chenjiandongx@qq.com>

Akihiro Suda

commit sha 56813a8f106c2608077e2c7d3caf9e4f65719013

Merge pull request #163 from chenjiandongx/master Update README.md

push time in a month
