Phil Estes estesp @IBM Virginia, USA https://estesp.dev Senior developer/technical leader at @IBM. Work on @docker, maintainer for @moby and @containerd. Focus on containers, cloud, Linux OS. CNCF Ambassador.

estesp/bucketbench 80

Go-based framework for running benchmarks against Docker, containerd, runc, or any CRI-compliant runtime

containerd/project 17

Cross-project utilities, scripts, etc.

estesp/Dockerfiles 11

hold useful dockerfiles for testing various Docker changes

containerd/containerd.io 10

Website repo for https://containerd.io

estesp/buildkit-cluster-example 10

Simple example for using an in-cluster BuildKit instance for container builds

c-ale/docker-containers 1

Intro to Docker and container technology

estesp/authz 1

Docker Authorization Plugin

estesp/deployscripts 1

Deployment scripts for IBM Container Service. Used as example scripts in the Pipeline to aid in continuous deployment of an application

estesp/dockercon 1

Demos and content for DockerCon EU 2017 - Copenhagen

estesp/about 0

Docker Captains and Our Projects

delete branch estesp/containerd

delete branch : cp-1.2-4017

delete time in 3 hours

push event containerd/containerd

Josh Dolitsky

commit sha 567ca6785c0d88a4cce8f84c7685c9162bf1fb3a

Set octet-stream content-type on put request Signed-off-by: Josh Dolitsky <393494+jdolitsky@users.noreply.github.com>

Phil Estes

commit sha 1f6ea50be7d7864e982d04342593803ceaff08e9

Merge pull request #4028 from estesp/cp-1.2-4017 [release/1.2] backport: Set octet-stream content-type on put request

push time in 3 hours

PR merged containerd/containerd

[release/1.2] backport: Set octet-stream content-type on put request

Backport #4017 to release/1.2.

Signed-off-by: Josh Dolitsky 393494+jdolitsky@users.noreply.github.com

+1 -0

3 comments

1 changed file

estesp

pr closed time in 3 hours

push event estesp/containerd

Laurent Bernaille

commit sha 25a806c508455c3572a1538b953cc0fcdd3b9a11

bump cgroups dependency to address blkio issue Signed-off-by: Laurent Bernaille <laurent.bernaille@datadoghq.com>

Michael Crosby

commit sha 6ad255383ada1c93e7c43998444daa75b6dcf1d7

Pin to libseccomp 2.3.3

lib seccomp 2.4 has huge performance regressions. This change pins to 2.3.3 where that is not an issue

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
(cherry picked from commit b5f03eacd34c7beffe5c8cc2a5cfee852335f681)
Signed-off-by: Ciprian Hacman <ciprian.hacman@sematext.com>

Phil Estes

commit sha a7c9b7605cc62772851802ac0c653fc4e2f556c8

Fix incorrect comment from copy/paste of starting script Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (cherry picked from commit 75d0c5f2e74b44353da357c5603a52871bea3940) Signed-off-by: Ciprian Hacman <ciprian.hacman@sematext.com>

Sebastiaan van Stijn

commit sha 2a0ca2d077f2a792e5752c1513e706a7bb00ed0e

Update Golang 1.12.17

full diff: https://github.com/golang/go/compare/go1.12.16...go1.12.17

go1.12.17 (released 2020/02/12) includes a fix to the runtime. See the Go 1.12.17 milestone on the issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.12.17+label%3ACherryPickApproved

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 6a3416449ee8dbc1ccc01887108465435c38b6bb)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Phil Estes

commit sha 01edb7cddb34221a3121b709ae6c7c9db45fdea3

Merge pull request #4015 from hakman/fix-libseccomp-ver [release/1.2 backport] Pin to libseccomp 2.3.3

Phil Estes

commit sha 5bead4582c05b5bf383be4cb038a152ffcbd4e32

Merge pull request #4001 from DataDog/lbernail/upgrade-cgroups [release/1.2] bump cgroups dependency to address blkio issue

Wei Fu

commit sha 28eb964b008c54e024d1e3cacc154a4d92493344

script: use github.com/kubernetes-sigs/cri-tools directly

When we call `go get -d -v github.com/kubernetes-incubator/cri-tools/...` which repos has been moved to `github.com/kubernetes-sigs/cri-tools`, `go get` will create package `github.com/kubernetes-sigs/cri-tools`.

```
go get -d -v github.com/kubernetes-incubator/cri-tools/...
github.com/kubernetes-incubator/cri-tools (download)
github.com/kubernetes-sigs/cri-tools (download)
```

According to old version of `github.com/kubernetes-incubator/cri-tools` Makefile, if there is no `github.com/kubernetes-sigs/cri-tools` package, it will create softlink self to `github.com/kubernetes-sigs/cri-tools`. But `go get` will create `github.com/kubernetes-sigs/cri-tools` and there is no softlink. Therefore, the critools are always latest one, not specific version.

So, use `github.com/kubernetes-sigs/cri-tools` will be better and save traffic from `go get`.

Signed-off-by: Wei Fu <fuweid89@gmail.com>
(cherry picked from commit 246a560edb19ef9220bb452d0a3c82c7770213fb)
Signed-off-by: Wei Fu <fuweid89@gmail.com>

Wei Fu

commit sha c9524284e4fe48ae0a963dfd48b4a62509736ce2

Merge pull request #4031 from thaJeztah/1.2_bump_golang_1.12.17 [release/1.2 backport] Update Golang 1.12.17

Phil Estes

commit sha 89c46ed5799fe7c687f8cf039b70624a55ca5b76

Merge pull request #4035 from fuweid/cp12-246a560e [release/1.2 backport] script: use github.com/kubernetes-sigs/cri-tools directly

Josh Dolitsky

commit sha 567ca6785c0d88a4cce8f84c7685c9162bf1fb3a

Set octet-stream content-type on put request Signed-off-by: Josh Dolitsky <393494+jdolitsky@users.noreply.github.com>

push time in 5 hours

push event estesp/containerd

Wei Fu

commit sha 246a560edb19ef9220bb452d0a3c82c7770213fb

script: use github.com/kubernetes-sigs/cri-tools directly

When we call `go get -d -v github.com/kubernetes-incubator/cri-tools/...` which repos has been moved to `github.com/kubernetes-sigs/cri-tools`, `go get` will create package `github.com/kubernetes-sigs/cri-tools`.

```
go get -d -v github.com/kubernetes-incubator/cri-tools/...
github.com/kubernetes-incubator/cri-tools (download)
github.com/kubernetes-sigs/cri-tools (download)
```

According to old version of `github.com/kubernetes-incubator/cri-tools` Makefile, if there is no `github.com/kubernetes-sigs/cri-tools` package, it will create softlink self to `github.com/kubernetes-sigs/cri-tools`. But `go get` will create `github.com/kubernetes-sigs/cri-tools` and there is no softlink. Therefore, the critools are always latest one, not specific version.

So, use `github.com/kubernetes-sigs/cri-tools` will be better and save traffic from `go get`.

Signed-off-by: Wei Fu <fuweid89@gmail.com>

Phil Estes

commit sha 48d998f52cc119cdc414268b39f5bfb391e291f5

Merge pull request #4034 from fuweid/me-use-current-git-for-critools script: use github.com/kubernetes-sigs/cri-tools directly

push time in 5 hours

push event containerd/containerd

Wei Fu

commit sha 28eb964b008c54e024d1e3cacc154a4d92493344

script: use github.com/kubernetes-sigs/cri-tools directly

When we call `go get -d -v github.com/kubernetes-incubator/cri-tools/...` which repos has been moved to `github.com/kubernetes-sigs/cri-tools`, `go get` will create package `github.com/kubernetes-sigs/cri-tools`.

```
go get -d -v github.com/kubernetes-incubator/cri-tools/...
github.com/kubernetes-incubator/cri-tools (download)
github.com/kubernetes-sigs/cri-tools (download)
```

According to old version of `github.com/kubernetes-incubator/cri-tools` Makefile, if there is no `github.com/kubernetes-sigs/cri-tools` package, it will create softlink self to `github.com/kubernetes-sigs/cri-tools`. But `go get` will create `github.com/kubernetes-sigs/cri-tools` and there is no softlink. Therefore, the critools are always latest one, not specific version.

So, use `github.com/kubernetes-sigs/cri-tools` will be better and save traffic from `go get`.

Signed-off-by: Wei Fu <fuweid89@gmail.com>
(cherry picked from commit 246a560edb19ef9220bb452d0a3c82c7770213fb)
Signed-off-by: Wei Fu <fuweid89@gmail.com>

Phil Estes

commit sha 89c46ed5799fe7c687f8cf039b70624a55ca5b76

Merge pull request #4035 from fuweid/cp12-246a560e [release/1.2 backport] script: use github.com/kubernetes-sigs/cri-tools directly

push time in 5 hours

PR merged containerd/containerd

[release/1.2 backport] script: use github.com/kubernetes-sigs/cri-tools directly

When we call go get -d -v github.com/kubernetes-incubator/cri-tools/... which repos has been moved to github.com/kubernetes-sigs/cri-tools, go get will create package github.com/kubernetes-sigs/cri-tools.

go get -d -v github.com/kubernetes-incubator/cri-tools/...
github.com/kubernetes-incubator/cri-tools (download)
github.com/kubernetes-sigs/cri-tools (download)

According to old version of github.com/kubernetes-incubator/cri-tools Makefile, if there is no github.com/kubernetes-sigs/cri-tools package, it will create softlink self to github.com/kubernetes-sigs/cri-tools. But go get will create github.com/kubernetes-sigs/cri-tools and there is no softlink. Therefore, the critools are always latest one, not specific version.

So, use github.com/kubernetes-sigs/cri-tools will be better and save traffic from go get.

Signed-off-by: Wei Fu fuweid89@gmail.com (cherry picked from commit 246a560edb19ef9220bb452d0a3c82c7770213fb) Signed-off-by: Wei Fu fuweid89@gmail.com

from https://github.com/containerd/containerd/pull/4034

+2 -2

0 comment

1 changed file

fuweid

pr closed time in 5 hours

push event containerd/containerd

Wei Fu

commit sha de5b1b83baa90a0f5a0bb9034bc26eb9edf69790

script: use github.com/kubernetes-sigs/cri-tools directly

When we call `go get -d -v github.com/kubernetes-incubator/cri-tools/...` which repos has been moved to `github.com/kubernetes-sigs/cri-tools`, `go get` will create package `github.com/kubernetes-sigs/cri-tools`.

```
go get -d -v github.com/kubernetes-incubator/cri-tools/...
github.com/kubernetes-incubator/cri-tools (download)
github.com/kubernetes-sigs/cri-tools (download)
```

According to old version of `github.com/kubernetes-incubator/cri-tools` Makefile, if there is no `github.com/kubernetes-sigs/cri-tools` package, it will create softlink self to `github.com/kubernetes-sigs/cri-tools`. But `go get` will create `github.com/kubernetes-sigs/cri-tools` and there is no softlink. Therefore, the critools are always latest one, not specific version.

So, use `github.com/kubernetes-sigs/cri-tools` will be better and save traffic from `go get`.

Signed-off-by: Wei Fu <fuweid89@gmail.com>
(cherry picked from commit 246a560edb19ef9220bb452d0a3c82c7770213fb)
Signed-off-by: Wei Fu <fuweid89@gmail.com>

Phil Estes

commit sha 5811bc970201a9fee8b43843746abe25b3b538b7

Merge pull request #4036 from fuweid/cp13-246a560e [release/1.3 backport] script: use github.com/kubernetes-sigs/cri-tools directly

push time in 5 hours

PR merged containerd/containerd

[release/1.3 backport] script: use github.com/kubernetes-sigs/cri-tools directly

When we call go get -d -v github.com/kubernetes-incubator/cri-tools/... which repos has been moved to github.com/kubernetes-sigs/cri-tools, go get will create package github.com/kubernetes-sigs/cri-tools.

go get -d -v github.com/kubernetes-incubator/cri-tools/...
github.com/kubernetes-incubator/cri-tools (download)
github.com/kubernetes-sigs/cri-tools (download)

According to old version of github.com/kubernetes-incubator/cri-tools Makefile, if there is no github.com/kubernetes-sigs/cri-tools package, it will create softlink self to github.com/kubernetes-sigs/cri-tools. But go get will create github.com/kubernetes-sigs/cri-tools and there is no softlink. Therefore, the critools are always latest one, not specific version.

So, use github.com/kubernetes-sigs/cri-tools will be better and save traffic from go get.

Signed-off-by: Wei Fu fuweid89@gmail.com (cherry picked from commit 246a560edb19ef9220bb452d0a3c82c7770213fb) Signed-off-by: Wei Fu fuweid89@gmail.com

from #4034

+2 -2

2 comments

1 changed file

fuweid

pr closed time in 5 hours

push event containerd/containerd

Wei Fu

commit sha 246a560edb19ef9220bb452d0a3c82c7770213fb

script: use github.com/kubernetes-sigs/cri-tools directly

When we call `go get -d -v github.com/kubernetes-incubator/cri-tools/...` which repos has been moved to `github.com/kubernetes-sigs/cri-tools`, `go get` will create package `github.com/kubernetes-sigs/cri-tools`.

```
go get -d -v github.com/kubernetes-incubator/cri-tools/...
github.com/kubernetes-incubator/cri-tools (download)
github.com/kubernetes-sigs/cri-tools (download)
```

According to old version of `github.com/kubernetes-incubator/cri-tools` Makefile, if there is no `github.com/kubernetes-sigs/cri-tools` package, it will create softlink self to `github.com/kubernetes-sigs/cri-tools`. But `go get` will create `github.com/kubernetes-sigs/cri-tools` and there is no softlink. Therefore, the critools are always latest one, not specific version.

So, use `github.com/kubernetes-sigs/cri-tools` will be better and save traffic from `go get`.

Signed-off-by: Wei Fu <fuweid89@gmail.com>

Phil Estes

commit sha 48d998f52cc119cdc414268b39f5bfb391e291f5

Merge pull request #4034 from fuweid/me-use-current-git-for-critools script: use github.com/kubernetes-sigs/cri-tools directly

push time in 5 hours

PR merged containerd/containerd

script: use github.com/kubernetes-sigs/cri-tools directly cherry-pick/1.2.x cherry-pick/1.3.x

When we call go get -d -v github.com/kubernetes-incubator/cri-tools/... which repos has been moved to github.com/kubernetes-sigs/cri-tools, go get will create package github.com/kubernetes-sigs/cri-tools.

go get -d -v github.com/kubernetes-incubator/cri-tools/...
github.com/kubernetes-incubator/cri-tools (download)
github.com/kubernetes-sigs/cri-tools (download)

According to old version of github.com/kubernetes-incubator/cri-tools Makefile, if there is no github.com/kubernetes-sigs/cri-tools package, it will create softlink self to github.com/kubernetes-sigs/cri-tools. But go get will create github.com/kubernetes-sigs/cri-tools and there is no softlink. Therefore, the critools are always latest one, not specific version.

So, use github.com/kubernetes-sigs/cri-tools will be better and save traffic from go get.

Signed-off-by: Wei Fu fuweid89@gmail.com

+2 -2

1 comment

1 changed file

fuweid

pr closed time in 5 hours

push event containerd/containerd

Sebastiaan van Stijn

commit sha 6a3416449ee8dbc1ccc01887108465435c38b6bb

Update Golang 1.12.17

full diff: https://github.com/golang/go/compare/go1.12.16...go1.12.17

go1.12.17 (released 2020/02/12) includes a fix to the runtime. See the Go 1.12.17 milestone on the issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.12.17+label%3ACherryPickApproved

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Phil Estes

commit sha 2bd094daec0afa55a78878ee66399868a065ba28

Merge pull request #4030 from thaJeztah/1.3_bump_golang_1.12.17 [release/1.3] Update Golang 1.12.17

push time in 6 hours

PR merged containerd/containerd

[release/1.3] Update Golang 1.12.17

full diff: https://github.com/golang/go/compare/go1.12.16...go1.12.17

go1.12.17 (released 2020/02/12) includes a fix to the runtime. See the Go 1.12.17 milestone on the issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.12.17+label%3ACherryPickApproved

+3 -3

2 comments

3 changed files

thaJeztah

pr closed time in 6 hours

issue comment containerd/containerd

Support image pull progress deadline for containerd

Now that this looks like it is headed for K8s v1.18, I'm going to move this issue to the container/cri repo so that it can be closed by a PR in that repo when implemented. // cc: @Random-Liu

rtheis

comment created time in 6 hours

push event containerd/cgroups

Boris Popovschi

commit sha 01da1a502b5743ce47f05aa66986a6f5779168be

memory.events handling rework Signed-off-by: Boris Popovschi <zyqsempai@mail.ru>

Boris Popovschi

commit sha c5e426b4c83511fd517ab226f3502185d168cdff

Add goDoc Signed-off-by: Boris Popovschi <zyqsempai@mail.ru>

Phil Estes

commit sha d732e370d46d8d554ed462c41f421a738e5b6d5d

Merge pull request #145 from Zyqsempai/memory-events-handling-rework memory.events handling rework

push time in 6 hours

PR merged containerd/cgroups

memory.events handling rework

Small rework of the memory.events handler in order to implement OOM handler in main containerD repo.

During the memory.events handler implementation, a few mistakes were made; this PR fixes them.

Signed-off-by: Boris Popovschi zyqsempai@mail.ru

+19 -9

4 comments

1 changed file

Zyqsempai

pr closed time in 6 hours

push event containerd/containerd

Laurent Bernaille

commit sha 25a806c508455c3572a1538b953cc0fcdd3b9a11

bump cgroups dependency to address blkio issue Signed-off-by: Laurent Bernaille <laurent.bernaille@datadoghq.com>

Phil Estes

commit sha 5bead4582c05b5bf383be4cb038a152ffcbd4e32

Merge pull request #4001 from DataDog/lbernail/upgrade-cgroups [release/1.2] bump cgroups dependency to address blkio issue

push time in 6 hours

PR merged containerd/containerd

[release/1.2] bump cgroups dependency to address blkio issue

Issue #3412 also impacts 1.2, which we are using extensively

This PR bumps the cgroups dependency to the same commit used in 1.3 (it includes more changes but it is much easier this way). I did some testing on our clusters and I confirm that with this change the issue preventing the metrics from working disappears.

I may be missing other impacts, so of course let me know if this is the best approach.

+554 -125

10 comments

7 changed files

lbernail

pr closed time in 6 hours

push event containerd/containerd

Michael Crosby

commit sha 6ad255383ada1c93e7c43998444daa75b6dcf1d7

Pin to libseccomp 2.3.3

lib seccomp 2.4 has huge performance regressions. This change pins to 2.3.3 where that is not an issue

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
(cherry picked from commit b5f03eacd34c7beffe5c8cc2a5cfee852335f681)
Signed-off-by: Ciprian Hacman <ciprian.hacman@sematext.com>

Phil Estes

commit sha a7c9b7605cc62772851802ac0c653fc4e2f556c8

Fix incorrect comment from copy/paste of starting script Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (cherry picked from commit 75d0c5f2e74b44353da357c5603a52871bea3940) Signed-off-by: Ciprian Hacman <ciprian.hacman@sematext.com>

Phil Estes

commit sha 01edb7cddb34221a3121b709ae6c7c9db45fdea3

Merge pull request #4015 from hakman/fix-libseccomp-ver [release/1.2 backport] Pin to libseccomp 2.3.3

push time in 6 hours

PR merged containerd/containerd

[release/1.2 backport] Pin to libseccomp 2.3.3

Besides the fact that lib seccomp 2.4 has huge performance regressions, it also breaks support for older distros like Debian 9 and RHEL/CentOS 7, as discussed in https://github.com/containerd/containerd/issues/4008. This change pins to 2.3.3 where that is not an issue.

Fixes #4008.

(cherry picked from commits b5f03eacd34c7beffe5c8cc2a5cfee852335f681 and 75d0c5f2e74b44353da357c5603a52871bea3940) Signed-off-by: Ciprian Hacman ciprian.hacman@sematext.com

+37 -1

11 comments

2 changed files

hakman

pr closed time in 6 hours

pull request comment containerd/containerd

Support 32-bit userspace on 64-bit ARM cores

I'll admit that all the reading I did only left me more confused, but at least partially convinced that the combination "armv8" and "32-bit" don't make sense together. Yes, you can run a 32-bit OS on an Aarch64 Armv8 ABI chip, which is what surfaced this issue, but from what I could find, that is actually causing the ARM "mode" to match the Armv7 "Aarch32" instruction set, meaning it makes more sense to then match/run images which are built with the linux/arm/v7 tuple. The question is, beyond you @tianon, who is actually building images with specific ARM tuples, and are there any images in the linux/arm/v8 set today? I'm guessing there are zero since if you are running 32-bit ARM, you are usually going to build ARMv7 images, and it makes sense for ARMv8 running as 32-bit to use those images.

But again, I also found some conflicting information on that front, but usually in a very narrow sense that wasn't broadly applicable. No one has detailed information on container image architecture tuples and this topic anywhere that I can find! :)

estesp

comment created time in 3 days

PR opened containerd/containerd

[release/1.3] cherry-pick: Fix incorrect comment from copy/paste of starting script

Cherry-pick #4022 for release/1.3

Signed-off-by: Phil Estes estesp@linux.vnet.ibm.com

+1 -2

0 comment

1 changed file

pr created time in 3 days

create branch estesp/containerd

branch : cp-1.3-4022

created branch time in 3 days

PR opened containerd/containerd

[release/1.2] backport: Set octet-stream content-type on put request

Backport #4017 to release/1.2.

Signed-off-by: Josh Dolitsky 393494+jdolitsky@users.noreply.github.com

+1 -0

0 comment

1 changed file

pr created time in 3 days

PR opened containerd/containerd

[release/1.3] cherry-pick: Set octet-stream content-type on put request

Cherry pick #4017

Signed-off-by: Josh Dolitsky 393494+jdolitsky@users.noreply.github.com Signed-off-by: Phil Estes estesp@linux.vnet.ibm.com

+1 -0

0 comment

1 changed file

pr created time in 3 days

create branch estesp/containerd

branch : cp-1.2-4017

created branch time in 3 days

create branch estesp/containerd

branch : cp-1.3-4017

created branch time in 3 days

push event estesp/containerd

Phil Estes

commit sha 89de113de9aedce0f41126c83c08ba9d3c6df0f1

Support 32-bit userspace on 64-bit ARM cores

Don't rely on /proc/cpuinfo denoting a 64-bit ARMv8 processor if the runtime detected GOARCH == arm. This allows aarch64 32-bit userspace distros to run containers properly via a 32-bit runtime.

Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>

Phil Estes

commit sha 75d0c5f2e74b44353da357c5603a52871bea3940

Fix incorrect comment from copy/paste of starting script Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>

Phil Estes

commit sha 7811aa755265ba3f017683afb1ee3b5a1e0f29b4

Merge pull request #4022 from estesp/fix-script-comment Fix incorrect comment from copy/paste of starting script

Maksym Pavlenko

commit sha 27f25069c06d597542e57428165225bd2a9e2696

Merge pull request #4013 from estesp/support-32bit-arm64 Support 32-bit userspace on 64-bit ARM cores

push time in 3 days

delete branch estesp/containerd

delete branch : update-readme

delete time in 3 days

delete branch estesp/containerd

delete branch : fix-script-comment

delete time in 3 days

delete branch estesp/containerd

delete branch : support-32bit-arm64

delete time in 3 days

pull request comment containerd/containerd

Support 32-bit userspace on 64-bit ARM cores

@doanac are you able to test that this solves your problem? I don't have easy access to a 32-bit env. on Aarch64

estesp

comment created time in 3 days

push event containerd/containerd

Phil Estes

commit sha 75d0c5f2e74b44353da357c5603a52871bea3940

Fix incorrect comment from copy/paste of starting script Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>

Phil Estes

commit sha 7811aa755265ba3f017683afb1ee3b5a1e0f29b4

Merge pull request #4022 from estesp/fix-script-comment Fix incorrect comment from copy/paste of starting script

push time in 4 days

Pull request review comment containerd/containerd

[release/1.2 backport] Pin to libseccomp 2.3.3

+#!/usr/bin/env bash++#   Copyright The containerd Authors.++#   Licensed under the Apache License, Version 2.0 (the "License");+#   you may not use this file except in compliance with the License.+#   You may obtain a copy of the License at++#       http://www.apache.org/licenses/LICENSE-2.0++#   Unless required by applicable law or agreed to in writing, software+#   distributed under the License is distributed on an "AS IS" BASIS,+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.+#   See the License for the specific language governing permissions and+#   limitations under the License.+++#+# Builds and installs runc to /usr/local/go/bin based off+# the commit defined in vendor.conf
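
Review bot: The header comment at the end of this hunk, "Builds and installs runc to /usr/local/go/bin based off the commit defined in vendor.conf", describes runc, while this PR pins libseccomp 2.3.3, so the description looks carried over from the script this one was started from. Reword the comment to name what this script actually builds and where it installs it, so the file header matches its purpose.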

That's a mistake in master from the original commit. I just opened a PR to fix.

hakman

comment created time in 4 days

create branch estesp/containerd

branch : fix-script-comment

created branch time in 4 days

push event estesp/containerd

Josh Dolitsky

commit sha d8a0d29c232330f371c949a27527d8b89adccfc5

Set octet-stream content-type on put request Signed-off-by: Josh Dolitsky <393494+jdolitsky@users.noreply.github.com>

Phil Estes

commit sha 5abacb62da89dd18219f8ce28a2d4c3d28d8304d

Merge pull request #4017 from bloodorangeio/octet-stream-fix Set octet-stream content-type on put request

Phil Estes

commit sha 0dd6d24d2ae34680d6fb59fcd58c617ad0d61b34

Fix reference to LICENSE in README.md Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>

Wei Fu

commit sha e74962eaa6c0533453fcc823ae0e1b5976a30d8c

Merge pull request #4018 from estesp/update-readme Fix reference to LICENSE in README.md

push time in 4 days

pull request comment containerd/containerd

[release/1.2 backport] Pin to libseccomp 2.3.3

I'm at a loss for why there are CRI test failures based on this PR. I don't see that the same things happened in master when libseccomp was pinned. Any ideas @Random-Liu?

hakman

comment created time in 5 days

PR opened containerd/containerd

Fix reference to LICENSE in README.md

Dedicated to our anonymous contributor @x448. Thanks for alerting us to this broken link!

Ref: #4014

Signed-off-by: Phil Estes estesp@linux.vnet.ibm.com

+1 -1

0 comment

1 changed file

pr created time in 5 days

create branch estesp/containerd

branch : update-readme

created branch time in 5 days

push event estesp/containerd

Phil Estes

commit sha 89de113de9aedce0f41126c83c08ba9d3c6df0f1

Support 32-bit userspace on 64-bit ARM cores

Don't rely on /proc/cpuinfo denoting a 64-bit ARMv8 processor if the runtime detected GOARCH == arm. This allows aarch64 32-bit userspace distros to run containers properly via a 32-bit runtime.

Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>

push time in 5 days

push event containerd/containerd

Josh Dolitsky

commit sha d8a0d29c232330f371c949a27527d8b89adccfc5

Set octet-stream content-type on put request Signed-off-by: Josh Dolitsky <393494+jdolitsky@users.noreply.github.com>

Phil Estes

commit sha 5abacb62da89dd18219f8ce28a2d4c3d28d8304d

Merge pull request #4017 from bloodorangeio/octet-stream-fix Set octet-stream content-type on put request

push time in 5 days

PR merged containerd/containerd

Set octet-stream content-type on put request

According to the spec:

Monolithic Upload

A monolithic upload is simply a chunked upload with a single chunk and MAY be favored by clients that would like to avoided the complexity of chunking. To carry out a "monolithic" upload, one can simply put the entire content blob to the provided URL:

PUT /v2/<name>/blobs/uploads/<session_id>?digest=<digest>
Content-Length: <size of layer>
Content-Type: application/octet-stream

<Layer Binary Data>

+1 -0

3 comments

1 changed file

jdolitsky

pr closed time in 5 days

PR opened containerd/containerd

Support 32-bit userspace on 64-bit ARM cores

Fixes: #3990

Don't rely on /proc/cpuinfo denoting a 64-bit ARMv8 processor if the runtime detected GOARCH == arm. This allows aarch64 32-bit userspace distros to run containers properly via a 32-bit runtime.

Signed-off-by: Phil Estes estesp@linux.vnet.ibm.com

+6 -1

0 comment

1 changed file

pr created time in 6 days

create branch estesp/containerd

branch : support-32bit-arm64

created branch time in 6 days

issue comment estesp/manifest-tool

Unexpected EOF reading trailer

Hmm, do you know what level of manifest-tool code is being used there? I can do a simple inspect of that image using manifest-tool itself:

$ manifest-tool inspect grafana/loki:master-675a5f3-amd64
grafana/loki:master-675a5f3-amd64: manifest type: application/vnd.docker.distribution.manifest.v2+json
      Digest: sha256:5a9b27e5677fdd65e83997ff1572b56712b9a2808ad17eae01033e04dc982f43
Architecture: amd64
          OS: linux
    # Layers: 4
      layer 1: digest = sha256:9123ac7c32f74759e6283f04dbf571f18246abe5bb2c779efcb32cd50f3ff13c
      layer 2: digest = sha256:10989b06f6ec6d647dbff7cc004c708eb13c4d53c9712fc03ee2e7548759cf59
      layer 3: digest = sha256:ad1684fff383fa4d80fdaf3f6079924abae5c09988c5c932fdd5d46da29315f6
      layer 4: digest = sha256:5ed6cf20875895d402892a3fde148051c46d22fcfb5334c466e859ccf6f6bca0

Hard to know what's happening without the ability to reproduce. The actual error looks like it's in the bowels of an HTTP interaction, which is simply using the Go HTTP client libraries. Is this repeatable or is it random?

Thanks!

rfratto

comment created time in 6 days

issue comment containerd/containerd

CPU Variant incorrect when doing armhf builds under aarch64 kernel

Based on the fact that it appears in 32-bit mode that runtime.GOARCH == arm, can we effectively add that special case when assigning variant? In that case we would ignore v8 coming from a read of /proc/cpuinfo and fall back to v7 as the variant, leaving the platform as linux/arm/v7? Is that what you are setting in your override variable?

doanac

comment created time in 6 days

push event estesp/containerd

Sebastiaan van Stijn

commit sha 4c38278895a431fc4939bad0b7d4270d88d8b589

vendor: update containerd/cri c0294ebfe0b4342db85c0faf7727ceb8d8c3afce

full diff: https://github.com/containerd/cri/compare/19589b4bf9663815649f1125fb45a1674d52a702...c0294ebfe0b4342db85c0faf7727ceb8d8c3afce

- containerd/cri#1387 vendor: bump gopkg.in/yaml.v2 v2.2.8

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Sebastiaan van Stijn

commit sha 263ab701463864381e113db9ad72aa1a65897b5a

vendor: bump gopkg.in/yaml.v2 v2.2.8

full diff: https://github.com/go-yaml/yaml/compare/v2.2.4...v2.2.8

includes:

- go-yaml/yaml@f90ceb4 Fix check for non-map alias merging in v2
- fix for "yaml.Unmarshal crashes on "assignment to entry in nil map""
- go-yaml/yaml 543 Port stale simple_keys fix to v2
- go-yaml/yaml@1f64d61 Fix issue in simple_keys improvements
- fixes "Invalid simple_keys now cause panics later in decode"
- go-yaml/yaml 555 Optimize cases with long potential simple_keys

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Phil Estes

commit sha 4f348c5b5b53a70b282ab5b81b2cc8f03bf6a338

Merge pull request #3999 from thaJeztah/bump_cri vendor: bump cri, gopkg.in/yaml.v2 v2.2.8

Shengjing Zhu

commit sha 348e683cebe4ddada6d9b11c2581bfeacba8d458

Fix zsh autocomplete script

Fix completion when argument startswith `-`

Merged in upstream https://github.com/urfave/cli/pull/1062

Signed-off-by: Shengjing Zhu <zhsj@debian.org>

Derek McGowan

commit sha cbf3ee0e22635920adc221b7bf570cd82ab7bab9

Merge pull request #4010 from zhsj/fix-zsh-complete Fix zsh autocomplete script

push time in 6 days

push event containerd/containerd

Derek McGowan

commit sha d4345c335ca4e0abd794315985ddbba3a842dd8d

Update yaml dependency

Synchronizes dependency across master and 1.2 release branch

Signed-off-by: Derek McGowan <derek@mcgstyle.net>

Phil Estes

commit sha 163fb0bd28750a521be5991cf81b19a15686fec1

Merge pull request #4003 from dmcgowan/1.3-update-yaml [release/1.3] Update yaml dependency

push time in 11 days

PR merged containerd/containerd

[release/1.3] Update yaml dependency

Synchronizes dependency across master and 1.2 release branch

+66 -64

3 comments

6 changed files

dmcgowan

pr closed time in 11 days

issue comment containerd/typeurl

Create release tag

@dmcgowan at this point, I'm fine with 0.x.x given the purpose is related to simpler use of go mod, which can be achieved with either.

estesp

comment created time in 12 days

push event containerd/typeurl

Rui Chen

commit sha 39e897d0315d16649b482d577490593ad74cab47

Upgrade dependencies Signed-off-by: Rui Chen <chenrui333@gmail.com>

Rui Chen

commit sha 202060afb39befc9f29595421ad5fd7ee8308650

Add gitignore Signed-off-by: Rui Chen <chenrui333@gmail.com>

Rui Chen

commit sha 3aae6316cb6fc24fa5701b9292abd6318ea74002

Update travis config Signed-off-by: Rui Chen <chenrui333@gmail.com>

Rui Chen

commit sha 981b2ecfc453748d26028aaa1259b9346457d2f6

Remove `go get` in travis config Signed-off-by: Rui Chen <chenrui333@gmail.com>

Phil Estes

commit sha b45ef1f1f737e10bd45b25b669df25f0da8b9ba0

Merge pull request #18 from chenrui333/upgrade-dependencies Upgrade dependencies

push time in 12 days

push event containerd/cgroups

Rui Chen

commit sha 5157b337e55451c1bc4d63a418f4eb1ee35f23f8

Upgrade dependencies Signed-off-by: Rui Chen <chenrui333@gmail.com>

Rui Chen

commit sha bc4e23659161a7f99dd7f73fa937c7729d2901ba

Update travis config and simplify installation Signed-off-by: Rui Chen <chenrui333@gmail.com>

Phil Estes

commit sha 780d211660898498b231fdcfbce55afad3cb8891

Merge pull request #144 from chenrui333/upgrade-dependencies Upgrade dependencies

push time in 13 days

PR merged containerd/cgroups

Upgrade dependencies
  • Move to go 1.13
  • Upgrade dependencies
  • Update travis config (remove GOPATH stuff and drop support for go 1.11 and 1.12)
+29 -34

1 comment

3 changed files

chenrui333

pr closed time in 13 days

PR merged containerd/containerd

vendor: bump cri, gopkg.in/yaml.v2 v2.2.8

vendor: update containerd/cri c0294ebfe0b4342db85c0faf7727ceb8d8c3afce

full diff: https://github.com/containerd/cri/compare/19589b4bf9663815649f1125fb45a1674d52a702...c0294ebfe0b4342db85c0faf7727ceb8d8c3afce

  • containerd/cri#1387 vendor: bump gopkg.in/yaml.v2 v2.2.8

vendor: bump gopkg.in/yaml.v2 v2.2.8

full diff: https://github.com/go-yaml/yaml/compare/v2.2.4...v2.2.8

includes:

  • go-yaml/yaml@f90ceb4 Fix check for non-map alias merging in v2
    • fix for "yaml.Unmarshal crashes on "assignment to entry in nil map""
  • go-yaml/yaml 543 Port stale simple_keys fix to v2
  • go-yaml/yaml@1f64d61 Fix issue in simple_keys improvements
    • fixes "Invalid simple_keys now cause panics later in decode"
  • go-yaml/yaml 555 Optimize cases with long potential simple_keys
+66 -64

2 comments

6 changed files

thaJeztah

pr closed time in 13 days

push event containerd/containerd

Sebastiaan van Stijn

commit sha 4c38278895a431fc4939bad0b7d4270d88d8b589

vendor: update containerd/cri c0294ebfe0b4342db85c0faf7727ceb8d8c3afce full diff: https://github.com/containerd/cri/compare/19589b4bf9663815649f1125fb45a1674d52a702...c0294ebfe0b4342db85c0faf7727ceb8d8c3afce - containerd/cri#1387 vendor: bump gopkg.in/yaml.v2 v2.2.8 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Sebastiaan van Stijn

commit sha 263ab701463864381e113db9ad72aa1a65897b5a

vendor: bump gopkg.in/yaml.v2 v2.2.8 full diff: https://github.com/go-yaml/yaml/compare/v2.2.4...v2.2.8 includes: - go-yaml/yaml@f90ceb4 Fix check for non-map alias merging in v2 - fix for "yaml.Unmarshal crashes on "assignment to entry in nil map"" - go-yaml/yaml 543 Port stale simple_keys fix to v2 - go-yaml/yaml@1f64d61 Fix issue in simple_keys improvements - fixes "Invalid simple_keys now cause panics later in decode" - go-yaml/yaml 555 Optimize cases with long potential simple_keys Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Phil Estes

commit sha 4f348c5b5b53a70b282ab5b81b2cc8f03bf6a338

Merge pull request #3999 from thaJeztah/bump_cri vendor: bump cri, gopkg.in/yaml.v2 v2.2.8

push time in 13 days

push event containerd/containerd

Derek McGowan

commit sha db4c58b8c1cbfa5276a7bdad2b7ef97040a485d3

Update CRI vendor for 1.3 Signed-off-by: Derek McGowan <derek@mcgstyle.net>

Phil Estes

commit sha aa877d788ed4837922ce6286ec90841e9d26500f

Merge pull request #3998 from dmcgowan/bump-cri-1.3 [release/1.3] Bump CRI 1.3 branch

push time in 14 days

PR merged containerd/containerd

[release/1.3] Bump CRI 1.3 branch

Update 1.3 release branch to sync with CRI release branch

+516 -235

4 comments

34 changed files

dmcgowan

pr closed time in 14 days

issue comment alexellis/faasd

[Feature] Support other container image registries, including private ones

Some help on using the Go API to support authenticated registry interactions:

When used as a CRI provider, the CRI plugin has its own configuration for registry auth: https://github.com/containerd/cri/blob/master/docs/registry.md

When using the Go client API for containerd, you can see from the ctr images pull implementation (as one example) how it sets up the NewDockerAuthorizer using these helper functions: https://github.com/containerd/containerd/blob/master/cmd/ctr/commands/resolver.go

alexellis

comment created time in 14 days

push event containerd/containerd

unknown

commit sha 5db3987ebff7b5baa9338d55e78461690432cbb7

Fix dependency in BUILDING.md btrfs/ioctl.h is now included in libbtrfs-dev instead of btrfs-tools. Update BUILDING.md Dockerfile to install the correct dependency. Resolves: #3813 Signed-off-by: Reid Li <reid.li@utexas.edu> (cherry picked from commit a647407ca038bc208280ab5d5832f08c2f149464) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Phil Estes

commit sha 8761b1bf869a09970d0c1319b17f2e103744b760

Update name for btrfs headers package Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (cherry picked from commit fda652be5aa802bc3298fad70833934d363a9743) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Phil Estes

commit sha 9c7bd5072d634512078319ce5ba4ee36653c2e08

Merge pull request #3997 from thaJeztah/1.2_backport_dockerfile_test_fixes [release/1.2 backport] Fix btrfs packages in contrib Dockerfile

push time in 17 days

PR merged containerd/containerd

[release/1.2 backport] Fix btrfs packages in contrib Dockerfile

Building containerd inside a container showed that the Dockerfile was broken (due to the golang:1.12.x image now using Debian Buster as base image)

Nothing critical, but let's make the Dockerfile work again. Backports of:

  • https://github.com/containerd/containerd/pull/3814 Fix dependency in BUILDING.md
    • fixes https://github.com/containerd/containerd/issues/3813 Dependency missing after following Docker build instructions
  • https://github.com/containerd/containerd/pull/3815 Update name for btrfs headers package
+3 -2

1 comment

2 changed files

thaJeztah

pr closed time in 17 days

pull request comment containerd/containerd

[release/1.2] Prepare v1.2.12 release

@thaJeztah those both appear to be complete and I just compared cri 1.2 branch with our release/1.2 branch and it seems correct; anything else we are waiting on?

thaJeztah

comment created time in 17 days

push event estesp/runc

Kevin Kelani

commit sha 056909bd3d966ea22ebb243b15fce5060d9850f0

Adds note about user ns for rootless containers Signed-off-by: Kevin Kelani <kkelani@gmail.com>

Lifubang

commit sha 472fe623a76a039c438429345c0ccf71dc7722e8

criu image path permission error in rootless checkpoint Signed-off-by: Lifubang <lifubang@acmcoder.com>

Sebastiaan van Stijn

commit sha e7831f2abb163fe39aef1067dc1a56087b68b3da

Update to Go 1.12 and drop obsolete versions Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Joe Burianek

commit sha 7a9ffa897f1a9c1e4bac6bd9b5986696e77348ef

Change the permissions of the notify listener socket to rwx for everyone When runc is started as a `Type=notify` systemd service, runc opens up its own listening socket inside the container to act as a proxy between the container and systemd for passing notify messages. The domain socket that runc creates is only writeable by the user running runc however, so if the container has a different UID/GID then nothing inside the container will be able to write to the socket. The fix is to change the permissions of the notify listener socket to 0777. Signed-off-by: Joe Burianek <joe.burianek@pantheon.io>

Howard Zhang

commit sha 68cc1a772aceedd36637e9fb1c9d46a688915d1a

Update busybox source and fix runc exec bug Currently, the id verification in the integration test fails on the arm platform due to the inconsistent /etc/group in the busybox images for arm and x86. To be specific, the nogroup id in x86 is 99 while that in arm is 65534. 99 is the old id for nogroup and is no longer used in recent systems, so sync the busybox image for arm and x86 to the image in busybox github. Also change the id verification rule in the integration test. Signed-off-by: Howard Zhang <howard.zhang@arm.com>

Akihiro Suda

commit sha 7e67862542050a57553e8550843242196a2662f8

Bump CRIU to 3.12 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Akihiro Suda

commit sha 351bfb4bafc1e6671f1544e458d2656aad1b7983

integration: remove blkio.weight (unavailable in kernel 5.0) weight, leafWeight, and weightDevice are removed in kernel 5.0 https://github.com/torvalds/linux/commit/f382fb0bcef4c37dc049e9f6963e3baf204d815c https://github.com/opencontainers/runtime-spec/issues/1015 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Kurnia D Win

commit sha 5e0e67d76cc99d76c8228d48f38f37034503f315

fix permission denied when exec as root and config.Cwd is not owned by root, exec will fail because root doesn't have the caps. So, Chdir should be done before setting the caps. Signed-off-by: Kurnia D Win <kurnia.d.win@gmail.com>

Qiang Huang

commit sha 9ae790178ee4535e1afd865eed70a7f7cdb655ac

Merge pull request #2080 from zhlhahaha/pr_id Update busybox source and fix runc exec bug

Mrunal Patel

commit sha dd8b9b1414a21374feeb43313f7502fe593daf9c

Merge pull request #2081 from AkihiroSuda/criu312 Bump CRIU to 3.12

Mrunal Patel

commit sha 80d35c7ce445a595e5139a0939d2cd37eb200525

Merge pull request #2082 from AkihiroSuda/blkio-kernel50 integration: remove blkio.weight (unavailable in kernel 5.0)

Andreas Stocker

commit sha 808e809f8a0c2db31947a8c7bba51ba8dc4fa1df

doc: First process in container needs `Init: true` `Init` on the `Process` struct specifies whether the process is the first process in the container. This needs to be set to `true` when running the container. Signed-off-by: Andreas Stocker <astocker@anexia-it.com>

Erik Sipsma

commit sha f08cdaeec98a2a28aaa2ea14d630fb0b618ee216

Skip searching /dev/.udev for device nodes. Closes: #2093 Signed-off-by: Erik Sipsma <sipsma@amazon.com>

Mrunal Patel

commit sha 44f9ec138db678a9909920e1236da3f45992e245

Merge pull request #2089 from anx-astocker/master doc: First process in container needs `Init: true`

Mrunal Patel

commit sha 2e94378464ae22b92e1335c200edb37ebc94a1b7

Merge pull request #2094 from sipsma/2093-nodotudev Skip searching /dev/.udev for device nodes.

Adrian Reber

commit sha 1712af0e80eecf17be40d0417bc5f22491d4c54b

man: fix man-pages The man-pages are using pre-formatted section to display the options for all commands. The result on my system never looked correct: OPTIONS --bundle value, -b value path to the root [...] --console-socket value path to an AF_UNIX [...] The first line was always indented less than the other lines. This commit makes the option block a pre-formatted block (as intended???) by using 4 spaces instead of 3 spaces. In addition the man-pages did not specify their name and section correctly. This adds something like '% runc-run "8"' to all man-pages to have correct title 'runc-run(8)' instead of 'NAME()' and it also adds the section to the title: 'System Manager's Manual'. This also fixes the use of '>' and '<' at multiple places. The markdown source files were using "<container-id>" and similar which was (most of the time) rendered as '""'. On some systems it was rendered correctly. Signed-off-by: Adrian Reber <areber@redhat.com>

Erik Sipsma

commit sha 9c822e48473d8cce671cbe8aa5a1f875af2bfdb1

cgroups/fs: check nil pointers in cgroup manager Signed-off-by: Erik Sipsma <sipsma@amazon.com>

sashayakovtseva

commit sha afc24792dc94dc8ac723e1afdcd0c352332aefbe

Make get devices function public Signed-off-by: sashayakovtseva <sasha@sylabs.io>

Filipe Brandenburger

commit sha 588f040a77c7998787396dba45aeee003d63f77b

Avoid the dependency on cgo through go-systemd/util package This dependency is only needed in package "github.com/coreos/go-systemd/util" and we only use it for IsRunningSystemd(), which is a simple Go function that just stats a file. Let's just borrow it here, so we remove the dependency and can remove that package from vendored build. This also removes dependencies on dlopen and on trying to find libsystemd.so or libsystemd-login.so in the system. Tested that this still builds and works as expected. Signed-off-by: Filipe Brandenburger <filbranden@gmail.com>

Filipe Brandenburger

commit sha 4ca00773eee9c20a0e99e53458e86684bcae6060

Update vendored dependencies to remove go-systemd/util This removes "github.com/coreos/go-systemd/util", no longer needed after removing the dependency on it. It also gets rid of "github.com/coreos/pkg/dlopen", since that was only referred to by the aforementioned "util" package. Tested that everything builds and works as expected. Signed-off-by: Filipe Brandenburger <filbranden@gmail.com>

push time in 17 days

push event estesp/containerd

wawa0210

commit sha 4d62d8795c42dfec2506631cc7013b3b8786bf76

bump microsoft/hcsshim to 0.8.7 Signed-off-by: 张潇 <xiaozhang0210@hotmail.com>

Wei Fu

commit sha 1c2606d05bf242d269b7a8dfb27c05305dc7331b

Merge pull request #3946 from wawa0210/bump-hcsshim bump microsoft/hcsshim to 0.8.7

Akihiro Suda

commit sha e1221e69a824ce9aaca34c5bb603feb2f921b883

revendor containerd/cgroups Note: now vndr >= v0.10 is required (https://github.com/containerd/cgroups/issues/139) Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Phil Estes

commit sha a767b62321ae3fae0b77a1320d93680baff0d7c1

Merge pull request #3954 from AkihiroSuda/vendor-cgroups-20200110 revendor containerd/cgroups

Sebastiaan van Stijn

commit sha 77a3780c25735901928284496efc4b6349de328c

vendor: bump beorn7/perks v1.0.1 full diff: https://github.com/beorn7/perks/compare/4c0e84591b9aa9e6dcfdf3e020114cd81f89d5f9...v1.0.1 - beorn7/perks#3 Avoid iterating on maps - Speed up InsertTargeted* functions by at least 2x by avoiding iterating on maps. - beorn7/perks#4 Fixed format error - Use 1000000 instead of 1e6 for int constant - Add go module support Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Sebastiaan van Stijn

commit sha c02dc24ecfa6b46f8575a170f90498d89115e492

vendor: bump prometheus/client_model v0.1.0 full diff: https://github.com/prometheus/client_model/compare/99fa1f4be8e564e8a6b613da7fa6f46c9edafc6c...v0.1.0 - prometheus/client_model#22 add `go_package`, regenerate Go binding file - prometheus/client_model#31 Support Go Modules - prometheus/client_model#38 Remove all languages but Go and add a deprecation note Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Sebastiaan van Stijn

commit sha ed6ae818612b8f08dfa319eb40aea1aab286c979

vendor: bump prometheus/common v0.7.0 full diff: https://github.com/prometheus/common/compare/89604d197083d4781071d3c65855d24ecfb0a563...v0.7.0 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Sebastiaan van Stijn

commit sha 99911ea668437cb0dcd30d67fcf3d7fb86238a95

vendor: bump prometheus/procfs v0.0.8 full diff: https://github.com/prometheus/procfs/compare/cb4147076ac75738c9a7d279075a253c0cc5acbd...v0.0.8 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Sebastiaan van Stijn

commit sha 04506b87d65a3390656de6f9e5de8d84d0270567

vendor: bump docker/go-metrics v0.0.1: full diff: https://github.com/docker/go-metrics/compare/4ea375f7759c82740c893fc030bc37088d2ec098...v0.0.1 - docker/go-metrics#15 Add functions that instruments http handler using promhttp - docker/go-metrics#20 Rename LICENSE.code → LICENSE - docker/go-metrics#22 Support Go Modules Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Sebastiaan van Stijn

commit sha 845b91d6b5431433cf2b33a21bd921d5b23ec432

vendor: bump prometheus/client_golang v0.9.4 full diff: https://github.com/prometheus/client_golang/compare/f4fb1b73fb099f396a7f0036bf86aa8def4ed823...v0.9.4 version v0.9.0 is the minimum tagged version to work with go-metrics v0.0.1, as it depends on `prometheus.Observer`: vendor/github.com/docker/go-metrics/timer.go:39:4: undefined: prometheus.Observer Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Sebastiaan van Stijn

commit sha e10c911876614cef082e988f7b14c4d008370165

vendor: bump prometheus/client_golang v1.1.0 full diff: https://github.com/prometheus/client_golang/compare/v0.9.4...v1.1.0 Using v1.1.0, because version v1.2.0 and up use versioned import paths for the github.com/cespare/xxhash/v2 dependency (prometheus/client_golang#657), which causes vendoring with vndr to break due to the v2 in the import-path. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Sebastiaan van Stijn

commit sha 2f0db8e2a81319b3e48bc6e3d433b10090bd5f50

vendor: bump prometheus/client_golang v1.3.0 full diff: https://github.com/prometheus/client_golang/compare/v1.1.0...v1.3.0 This requires LK4D/vndr v0.1.0 or newer for vendoring; also adds a new dependency: github.com/cespare/xxhash Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Seth Pellegrino

commit sha 9456040acb746dccf65e700563fb7371a03f79e6

fix: eventfd leak Only start watching the cgroup for OOMs when the first process starts instead of on every process. Signed-off-by: Seth Pellegrino <spellegrino@newrelic.com>

Seth Pellegrino

commit sha 66508589d33c3ae0ad3db5a581c75c8257bc4bfc

fix: eventfd leak for v2 runtime with v1 cgroups There's no OOM monitoring for the v2 cgroups yet, so it seems unlikely that there was a leak in that case. Signed-off-by: Seth Pellegrino <spellegrino@newrelic.com>

Derek McGowan

commit sha bb9d4e8bf22e802301ffab4d3bc247659b9f5dbe

Merge pull request #3959 from thaJeztah/bump_prometheus Bump prometheus/client_golang and dependencies v1.3.0

Akihiro Suda

commit sha c55bd87f471a4de48ea349e66bfdf7c454327421

Merge pull request #3956 from sethp-nr/fix/eventfd-leak fix: eventfd leak

Shengjing Zhu

commit sha e859b8a92b58499b4681cb96dae74f2f3bb50a70

gc: increase sleep time in test Fix some flaky tests. Signed-off-by: Shengjing Zhu <zhsj@debian.org>

Boris Popovschi

commit sha 3eb57b01be87a9b5047ae79775b9c43d65fb2150

Added IO metrics Signed-off-by: Boris Popovschi <zyqsempai@mail.ru>

Phil Estes

commit sha 5383d31f32ba7db0eb6f0cd333be6463af07034d

Merge pull request #3963 from zhsj/flaky-gc-test gc: increase sleep time in test

Shengjing Zhu

commit sha 35a8e6e589eb37a73f94cdbd5c8d7938b2b04140

sys: clean up process after test Signed-off-by: Shengjing Zhu <zhsj@debian.org>

push time in 17 days

issue comment containerd/containerd

containerd 1.3.0+ leaks an eventfd on every exec

@sethp-nr we are working on 1.2 and 1.3 point releases; sorry for the delay, but they should be pulled together soon; we now have a runc fix and CVEs across some dependencies (including Golang) backported into release/1.3 so we should be ready to release very soon.

sethp-nr

comment created time in 17 days

issue comment containerd/containerd

Seccomp at POD level always requires extra syscalls

Do you mind if I transfer this issue to the containerd/cri repository? The code that starts pods using the containerd Go API is in that sub-project, so any changes to the implementation of seccomp/profiles, ordering/timing, etc. will be in that code. The issue # will change, but everything else should be preserved.

pjbgf

comment created time in 17 days

issue comment opencontainers/tob

OCI TOB Chair 2020

I’ll put my name in. Thanks!

caniszczyk

comment created time in 17 days

issue comment containerd/containerd

CPU Variant incorrect when doing armhf builds under aarch64 kernel

What does uname -a report when you are running a 32-bit userspace? I'm thinking maybe something like setarch which was used historically on PowerPC when running 32-bit userspace--it would affect the uname architecture so programs using that information would run properly. Maybe we need to check uname if that reports properly to handle the special 64-bit processor but 32-bit userspace case(s).

doanac

comment created time in 18 days

push event containerd/containerd

Mihai Coman

commit sha 5e6d56ee2deaeeebf15cb6a19d4898e365a3d926

Fix startup_delay within default configuration Without this patch, the containerd daemon fails to start using the default configuration example: containerd[37139]: containerd: time: missing unit in duration 100000000 Signed-off-by: Mihai Coman <mihai.cmn@gmail.com>

Phil Estes

commit sha 431cfd86e7bc636cdd5254ea8a30bd4f547c7bfc

Merge pull request #3991 from mihaicmn/fix-default-config Fix startup_delay within default configuration

push time in 18 days

PR merged containerd/containerd

Fix startup_delay within default configuration

Without this patch, the containerd daemon fails to start using the default configuration example: containerd[37139]: containerd: time: missing unit in duration 100000000

Signed-off-by: Mihai Coman <mihai.cmn@gmail.com>

+1 -1

2 comments

1 changed file

mihaicmn

pr closed time in 18 days

push event containerd/project

Marco Franssen

commit sha 6cc8c883e567db6fff1adb651e1ccee4c80adb6f

Fix the vendor folder check As 'vendor' is a folder, the if statement needs to check with -d. Without that it will not check for changes in the vendor folder. Signed-off-by: Marco Franssen <marco.franssen@gmail.com>

Phil Estes

commit sha 21c87b09e15da1390993be5fd5fe9bc3734d6ae6

Merge pull request #44 from marcofranssen/patch-1 Fix the vendor folder check

push time in 18 days

PR merged containerd/project

Fix the vendor folder check

As 'vendor' is a folder, the if statement needs to check with -d. Without that it will not check for changes in the vendor folder.

+1 -1

7 comments

1 changed file

marcofranssen

pr closed time in 18 days

push event containerd/containerd

Akihiro Suda

commit sha 833701165aad9d55adda23f48bb5a46cdbcff5b1

ctr events: do not exit on an error Errors like `"type with url %s: not found"` are typical for non-builtin event types, and should not result in exiting `ctr`. Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Phil Estes

commit sha 07de4eccf1e62056efd24a232e2f75266b03608a

Merge pull request #3983 from AkihiroSuda/ctr-events-ignore-err ctr events: do not exit on an error

push time in 19 days

PR merged containerd/containerd

ctr events: do not exit on an error

Errors like "type with url %s: not found" are typical for non-builtin event types, and should not result in exiting ctr.

+5 -2

8 comments

1 changed file

AkihiroSuda

pr closed time in 19 days

push event containerd/containerd

Sebastiaan van Stijn

commit sha d1e31f9f2deadc1816da1bfcdf0dbff85818a28d

Update Golang 1.12.16 (CVE-2020-0601, CVE-2020-7919) full diff: https://github.com/golang/go/compare/go1.12.15...go1.12.16 go1.12.16 (released 2020/01/28) includes two security fixes. One mitigates the CVE-2020-0601 certificate verification bypass on Windows. The other affects only 32-bit architectures. https://github.com/golang/go/issues?q=milestone%3AGo1.12.16+label%3ACherryPickApproved - X.509 certificate validation bypass on Windows 10 A Windows vulnerability allows attackers to spoof valid certificate chains when the system root store is in use. These releases include a mitigation for Go applications, but it’s strongly recommended that affected users install the Windows security update to protect their system. This issue is CVE-2020-0601 and Go issue golang.org/issue/36834. - Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic. The malformed certificate can be delivered via a crypto/tls connection to a client, or to a server that accepts client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected. Thanks to Project Wycheproof for providing the test cases that led to the discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837. This is also fixed in version v0.0.0-20200124225646-8b5121be2f68 of golang.org/x/crypto/cryptobyte. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit 44b5bac0c08a0b296cd4e16f0055187b0dfb00d7) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Sebastiaan van Stijn

commit sha 14d166c632b2ca56a1460ebdf12959bfea2ef0ac

[release/1.3] vendor: update golang.org/x/crypto 69ecbb4d6d5dab05e49161c6e77ea40a030884e1 full diff: https://github.com/golang/crypto/compare/5c40567a22f818bd14a1ea7245dad9f8ef0691aa...69ecbb4d6d5dab05e49161c6e77ea40a030884e1 Includes https://github.com/golang/crypto/commit/69ecbb4d6d5dab05e49161c6e77ea40a030884e1 (forward-port of https://github.com/golang/crypto/commit/8b5121be2f68d8fc40bb06467003bdde1040a094), which fixes CVE-2020-7919: Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic. The malformed certificate can be delivered via a crypto/tls connection to a client, or to a server that accepts client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected. Thanks to Project Wycheproof for providing the test cases that led to the discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Phil Estes

commit sha 8366042ca3aed4d9400b8ce9c10b530a1a4a87b2

Merge pull request #3989 from thaJeztah/1.3_bump_golang_1.12.16 [release/1.3] Update Golang 1.12.16, x/crypto (CVE-2020-0601, CVE-2020-7919)

push time in 19 days

PR merged containerd/containerd

[release/1.3] Update Golang 1.12.16, x/crypto (CVE-2020-0601, CVE-2020-7919)

Update Golang 1.12.16 (CVE-2020-0601, CVE-2020-7919)

full diff: https://github.com/golang/go/compare/go1.12.15...go1.12.16

go1.12.16 (released 2020/01/28) includes two security fixes. One mitigates the CVE-2020-0601 certificate verification bypass on Windows. The other affects only 32-bit architectures.

https://github.com/golang/go/issues?q=milestone%3AGo1.12.16+label%3ACherryPickApproved

  • X.509 certificate validation bypass on Windows 10 A Windows vulnerability allows attackers to spoof valid certificate chains when the system root store is in use. These releases include a mitigation for Go applications, but it’s strongly recommended that affected users install the Windows security update to protect their system. This issue is CVE-2020-0601 and Go issue golang.org/issue/36834.
  • Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic. The malformed certificate can be delivered via a crypto/tls connection to a client, or to a server that accepts client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected. Thanks to Project Wycheproof for providing the test cases that led to the discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837. This is also fixed in version v0.0.0-20200124225646-8b5121be2f68 of golang.org/x/crypto/cryptobyte.

vendor: update golang.org/x/crypto 69ecbb4d6d5dab05e49161c6e77ea40a030884e1

full diff: https://github.com/golang/crypto/compare/5c40567a22f818bd14a1ea7245dad9f8ef0691aa...69ecbb4d6d5dab05e49161c6e77ea40a030884e1

Includes https://github.com/golang/crypto/commit/69ecbb4d6d5dab05e49161c6e77ea40a030884e1 (forward-port of https://github.com/golang/crypto/commit/8b5121be2f68d8fc40bb06467003bdde1040a094), which fixes CVE-2020-7919:

Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic. The malformed certificate can be delivered via a crypto/tls connection to a client, or to a server that accepts client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected. Thanks to Project Wycheproof for providing the test cases that led to the discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837.

+12 -2947

6 comments

17 changed files

thaJeztah

pr closed time in 19 days

push event containerd/containerd

Sebastiaan van Stijn

commit sha 44b5bac0c08a0b296cd4e16f0055187b0dfb00d7

Update Golang 1.12.16 (CVE-2020-0601, CVE-2020-7919) full diff: https://github.com/golang/go/compare/go1.12.15...go1.12.16 go1.12.16 (released 2020/01/28) includes two security fixes. One mitigates the CVE-2020-0601 certificate verification bypass on Windows. The other affects only 32-bit architectures. https://github.com/golang/go/issues?q=milestone%3AGo1.12.16+label%3ACherryPickApproved - X.509 certificate validation bypass on Windows 10 A Windows vulnerability allows attackers to spoof valid certificate chains when the system root store is in use. These releases include a mitigation for Go applications, but it’s strongly recommended that affected users install the Windows security update to protect their system. This issue is CVE-2020-0601 and Go issue golang.org/issue/36834. - Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic. The malformed certificate can be delivered via a crypto/tls connection to a client, or to a server that accepts client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected. Thanks to Project Wycheproof for providing the test cases that led to the discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837. This is also fixed in version v0.0.0-20200124225646-8b5121be2f68 of golang.org/x/crypto/cryptobyte. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Sebastiaan van Stijn

commit sha 1bc2590d983711a4b715521dc1966d2a01fc5c33

vendor: update golang.org/x/crypto 69ecbb4d6d5dab05e49161c6e77ea40a030884e1 full diff: https://github.com/golang/crypto/compare/49796115aa4b964c318aad4f3084fdb41e9aa067...69ecbb4d6d5dab05e49161c6e77ea40a030884e1 Includes https://github.com/golang/crypto/commit/69ecbb4d6d5dab05e49161c6e77ea40a030884e1 (forward-port of https://github.com/golang/crypto/commit/8b5121be2f68d8fc40bb06467003bdde1040a094), which fixes CVE-2020-7919: Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic. The malformed certificate can be delivered via a crypto/tls connection to a client, or to a server that accepts client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected. Thanks to Project Wycheproof for providing the test cases that led to the discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Phil Estes

commit sha 92b40b6254b8a15fbf809fa7e7a31b3f60c22013

Merge pull request #3988 from thaJeztah/1.2_bump_golang_1.12.16 [release/1.2] Update Golang 1.12.16, x/crypto (CVE-2020-0601, CVE-2020-7919)

push time in 19 days

PR merged containerd/containerd

[release/1.2] Update Golang 1.12.16, x/crypto (CVE-2020-0601, CVE-2020-7919)

Update Golang 1.12.16 (CVE-2020-0601, CVE-2020-7919)

full diff: https://github.com/golang/go/compare/go1.12.15...go1.12.16

go1.12.16 (released 2020/01/28) includes two security fixes. One mitigates the CVE-2020-0601 certificate verification bypass on Windows. The other affects only 32-bit architectures.

https://github.com/golang/go/issues?q=milestone%3AGo1.12.16+label%3ACherryPickApproved

  • X.509 certificate validation bypass on Windows 10
    A Windows vulnerability allows attackers to spoof valid certificate chains when the system root store is in use. These releases include a mitigation for Go applications, but it’s strongly recommended that affected users install the Windows security update to protect their system. This issue is CVE-2020-0601 and Go issue golang.org/issue/36834.
  • Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte
    On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic. The malformed certificate can be delivered via a crypto/tls connection to a client, or to a server that accepts client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected. Thanks to Project Wycheproof for providing the test cases that led to the discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837. This is also fixed in version v0.0.0-20200124225646-8b5121be2f68 of golang.org/x/crypto/cryptobyte.

vendor: update golang.org/x/crypto 69ecbb4d6d5dab05e49161c6e77ea40a030884e1

full diff: https://github.com/golang/crypto/compare/49796115aa4b964c318aad4f3084fdb41e9aa067...69ecbb4d6d5dab05e49161c6e77ea40a030884e1

Includes https://github.com/golang/crypto/commit/69ecbb4d6d5dab05e49161c6e77ea40a030884e1 (forward-port of https://github.com/golang/crypto/commit/8b5121be2f68d8fc40bb06467003bdde1040a094), which fixes CVE-2020-7919:

Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte

On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic. The malformed certificate can be delivered via a crypto/tls connection to a client, or to a server that accepts client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected. Thanks to Project Wycheproof for providing the test cases that led to the discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837.

+102 -3006

2 comments

22 changed files

thaJeztah

pr closed time in 19 days

push event containerd/containerd.io

Phil Estes

commit sha ed07c41aa08529c2235c0e051adba5fad1554ccc

keep releases.md in sync with containerd/containerd Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>

Phil Estes

commit sha 76605fc34c8722d9db904147f292532725e984ca

Merge pull request #52 from containerd/dep-updates Automated RELEASES.md sync update

push time in 19 days

PR merged containerd/containerd.io

Automated RELEASES.md sync update

This is an auto-generated PR to sync updates in the main containerd project's RELEASES.md file.

+2 -2

0 comment

1 changed file

github-actions[bot]

pr closed time in 19 days

push event containerd/containerd

Sebastiaan van Stijn

commit sha 32ba75f0fbfe47ad94e7c7daccc9f31efd0b2db2

Update Golang 1.13.7 (CVE-2020-0601, CVE-2020-7919)

full diff: https://github.com/golang/go/compare/go1.13.6...go1.13.7

go1.13.7 (released 2020/01/28) includes two security fixes. One mitigates the CVE-2020-0601 certificate verification bypass on Windows. The other affects only 32-bit architectures.

https://github.com/golang/go/issues?q=milestone%3AGo1.13.7+label%3ACherryPickApproved

- X.509 certificate validation bypass on Windows 10
  A Windows vulnerability allows attackers to spoof valid certificate chains when the system root store is in use. These releases include a mitigation for Go applications, but it’s strongly recommended that affected users install the Windows security update to protect their system. This issue is CVE-2020-0601 and Go issue golang.org/issue/36834.
- Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte
  On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic. The malformed certificate can be delivered via a crypto/tls connection to a client, or to a server that accepts client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected. Thanks to Project Wycheproof for providing the test cases that led to the discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837. This is also fixed in version v0.0.0-20200124225646-8b5121be2f68 of golang.org/x/crypto/cryptobyte.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Sebastiaan van Stijn

commit sha 2002411638cfdc620f3e3be112e2184452048779

vendor: update golang.org/x/crypto 69ecbb4d6d5dab05e49161c6e77ea40a030884e1

full diff: https://github.com/golang/crypto/compare/60c769a6c58655dab1b9adac0d58967dd517cfba...69ecbb4d6d5dab05e49161c6e77ea40a030884e1

Includes https://github.com/golang/crypto/commit/69ecbb4d6d5dab05e49161c6e77ea40a030884e1 (forward-port of https://github.com/golang/crypto/commit/8b5121be2f68d8fc40bb06467003bdde1040a094), to address CVE-2020-7919:

Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte

On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic. The malformed certificate can be delivered via a crypto/tls connection to a client, or to a server that accepts client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected. Thanks to Project Wycheproof for providing the test cases that led to the discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Phil Estes

commit sha a07cb9d0c48b06e627c585f0ce70d90ba97a9ff9

Merge pull request #3987 from thaJeztah/bump_golang_1.13.7 Update Golang 1.13.7, x/crypto (CVE-2020-0601, CVE-2020-7919)

push time in 19 days

PR merged containerd/containerd

Update Golang 1.13.7, x/crypto (CVE-2020-0601, CVE-2020-7919)

Update Golang 1.13.7

full diff: https://github.com/golang/go/compare/go1.13.6...go1.13.7

go1.13.7 (released 2020/01/28) includes two security fixes. One mitigates the CVE-2020-0601 certificate verification bypass on Windows. The other affects only 32-bit architectures.

https://github.com/golang/go/issues?q=milestone%3AGo1.13.7+label%3ACherryPickApproved

  • X.509 certificate validation bypass on Windows 10
    A Windows vulnerability allows attackers to spoof valid certificate chains when the system root store is in use. These releases include a mitigation for Go applications, but it’s strongly recommended that affected users install the Windows security update to protect their system. This issue is CVE-2020-0601 and Go issue golang.org/issue/36834.
  • Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte
    On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic. The malformed certificate can be delivered via a crypto/tls connection to a client, or to a server that accepts client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected. Thanks to Project Wycheproof for providing the test cases that led to the discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837. This is also fixed in version v0.0.0-20200124225646-8b5121be2f68 of golang.org/x/crypto/cryptobyte.

vendor: update golang.org/x/crypto 69ecbb4d6d5dab05e49161c6e77ea40a030884e1

full diff: https://github.com/golang/crypto/compare/60c769a6c58655dab1b9adac0d58967dd517cfba...69ecbb4d6d5dab05e49161c6e77ea40a030884e1

Includes https://github.com/golang/crypto/commit/69ecbb4d6d5dab05e49161c6e77ea40a030884e1 (forward-port of https://github.com/golang/crypto/commit/8b5121be2f68d8fc40bb06467003bdde1040a094), which fixes CVE-2020-7919:

Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte

On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic. The malformed certificate can be delivered via a crypto/tls connection to a client, or to a server that accepts client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected. Thanks to Project Wycheproof for providing the test cases that led to the discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837.

+14 -2949

5 comments

18 changed files

thaJeztah

pr closed time in 19 days

pull request comment containerd/project

Fix the vendor folder check

Sorry, but for some reason your commit still has no Signed-off-by: line at the end. Can you check again?

marcofranssen

comment created time in 19 days

push event estesp/playground

Phil Estes

commit sha 771721e202027cc74bf66e3d33b0ed8e818f06f7

Some cleanup of demo scripts/yaml Signed-off-by: Phil Estes <estesp@gmail.com>

push time in 20 days

pull request comment containerd/cri

[release/1.3 backport] update kubernetes dependency to v1.16.3

/ok-to-test

thaJeztah

comment created time in 20 days

pull request comment opencontainers/runc

Adding Security audit

needs a rebase

amye

comment created time in 20 days

push event containerd/containerd

Davanum Srinivas

commit sha 4c03d5dfb85fc10243fc10442959096ba077396c

Pick up fix for CVE-2019-16884 in opencontainers/selinux

Signed-off-by: Davanum Srinivas <davanum@gmail.com>
(cherry picked from commit faf03c3d239d54e9fce44deaae274dc1fe8b672e)
Signed-off-by: Davanum Srinivas <davanum@gmail.com>

Phil Estes

commit sha 7276974071698a8f45a9fa64f27cd18bfea280ea

Merge pull request #3982 from dims/bump-opencontainers/selinux-for-CVE-2019-16884-release-1.2 [release/1.2 backport] Pick up fix for CVE-2019-16884 in opencontainers/selinux

push time in 21 days

PR merged containerd/containerd

[release/1.2 backport] Pick up fix for CVE-2019-16884 in opencontainers/selinux

Picking up the changes in the following diff: https://github.com/containerd/containerd/compare/master...dims:bump-opencontainers/selinux-for-CVE-2019-16884-release-1.3?expand=1

specifically so we can include: https://github.com/opencontainers/selinux/commit/03b517dc4fd57245b1cf506e8ba7b817b6d309da

+58 -8

1 comment

4 changed files

dims

pr closed time in 21 days

push event containerd/containerd

Davanum Srinivas

commit sha 3074db3a4b5d57b891d3d86105df1be357a758e1

Pick up fix for CVE-2019-16884 in opencontainers/selinux

Signed-off-by: Davanum Srinivas <davanum@gmail.com>
(cherry picked from commit faf03c3d239d54e9fce44deaae274dc1fe8b672e)
Signed-off-by: Davanum Srinivas <davanum@gmail.com>

Phil Estes

commit sha 9cf15235d04a1a3fe9903402fbc4460ab1c7fffe

Merge pull request #3980 from dims/bump-opencontainers/selinux-for-CVE-2019-16884-release-1.3 [release/1.3 backport] Pick up fix for CVE-2019-16884 in opencontainers/selinux

push time in 21 days

PR merged containerd/containerd

[release/1.3 backport] Pick up fix for CVE-2019-16884 in opencontainers/selinux

Picking up the changes in the following diff: https://github.com/containerd/containerd/compare/master...dims:bump-opencontainers/selinux-for-CVE-2019-16884-release-1.3?expand=1

specifically so we can include: https://github.com/opencontainers/selinux/commit/03b517dc4fd57245b1cf506e8ba7b817b6d309da

+58 -8

2 comments

4 changed files

dims

pr closed time in 21 days

push event containerd/containerd

Davanum Srinivas

commit sha faf03c3d239d54e9fce44deaae274dc1fe8b672e

Pick up fix for CVE-2019-16884 in opencontainers/selinux Signed-off-by: Davanum Srinivas <davanum@gmail.com>

Davanum Srinivas

commit sha 53ced5ffe1d38dd407d18dfab752ab29623b3647

update to latest containerd/cri (master) Signed-off-by: Davanum Srinivas <davanum@gmail.com>

Davanum Srinivas

commit sha 0dc69620b8dc5f03a1282acff7a37ffbefd2697d

update dependencies of containerd/cri

List generated by running: `git diff c9d45e65263e26f7e7f0ac8fdca0d510622f12cb 19589b4bf9663815649f1125fb45a1674d52a702 vendor.conf` in the containerd/cri repository

Signed-off-by: Davanum Srinivas <davanum@gmail.com>

Phil Estes

commit sha a1e0303e7adaf8b6316293b605f631aba78914d5

Merge pull request #3978 from dims/sync-with-latest-containerd-cri-master-including-selinux-change Sync with latest changes in containerd/cri

push time in 23 days

PR merged containerd/containerd

Sync with latest changes in containerd/cri
  • pick up fix for CVE-2019-19921 in opencontainers/selinux ( 5f0bf0523952f3c0044d4a0faf3cf7d65440a1de )
  • pick up latest containerd/cri master.
  • pick up dependencies for containerd/cri latest

Signed-off-by: Davanum Srinivas <davanum@gmail.com>

+3919 -1952

5 comments

98 changed files

dims

pr closed time in 23 days

push event containerd/containerd

Davanum Srinivas

commit sha 87648d2a7b0cc0d6990ffadcdd797b1048bb1e62

Bump to opencontainers/runc new version - v1.0.0-rc10

We have a new release of runc ( opencontainers/runc#2217 ). This release has a fix for a race condition we are struggling with in kubernetes (especially CI jobs) which was fixed in opencontainers/runc#2185

The v1.0.0-rc10 includes the fix for CVE-2019-19921 as well. The full diff upstream is here: https://github.com/opencontainers/runc/compare/v1.0.0-rc9...v1.0.0-rc10

Signed-off-by: Davanum Srinivas <davanum@gmail.com>
(cherry picked from commit 923c05bed10b14512cf5ec029066ca5e90d87431)
Signed-off-by: Davanum Srinivas <davanum@gmail.com>

Phil Estes

commit sha 318111bdfebfb398551159e15cd1c2f4d6869901

Merge pull request #3977 from dims/update-to-new-rc10-of-opencontainers/runc-release-1.2 [release/1.2 backport] Bump to opencontainers/runc new version - v1.0.0-rc10

push time in 23 days

PR merged containerd/containerd

[release/1.2 backport] Bump to opencontainers/runc new version - v1.0.0-rc10

We have a new release of runc ( opencontainers/runc#2217 ). This release has a fix for a race condition we are struggling with in kubernetes (especially CI jobs) which was fixed in opencontainers/runc#2185

The v1.0.0-rc10 includes the fix for CVE-2019-19921 as well. The full diff upstream is here: https://github.com/opencontainers/runc/compare/v1.0.0-rc9...v1.0.0-rc10

Signed-off-by: Davanum Srinivas <davanum@gmail.com>

+17 -3

1 comment

3 changed files

dims

pr closed time in 23 days

push event containerd/containerd

Davanum Srinivas

commit sha 0db3c9b78007f1c7fab5d358a95f3dd086258251

Bump to opencontainers/runc new version - v1.0.0-rc10

We have a new release of runc ( opencontainers/runc#2217 ). This release has a fix for a race condition we are struggling with in kubernetes (especially CI jobs) which was fixed in opencontainers/runc#2185

The v1.0.0-rc10 includes the fix for CVE-2019-19921 as well. The full diff upstream is here: https://github.com/opencontainers/runc/compare/v1.0.0-rc9...v1.0.0-rc10

Signed-off-by: Davanum Srinivas <davanum@gmail.com>
(cherry picked from commit 923c05bed10b14512cf5ec029066ca5e90d87431)
Signed-off-by: Davanum Srinivas <davanum@gmail.com>

Phil Estes

commit sha da15d825c098e936da815c4b24e0e0f6e6533216

Merge pull request #3976 from dims/update-to-new-rc10-of-opencontainers/runc-release-1.3 [release/1.3 backport] Bump to opencontainers/runc new version - v1.0.0-rc10

push time in 23 days

PR merged containerd/containerd

[release/1.3 backport] Bump to opencontainers/runc new version - v1.0.0-rc10

We have a new release of runc ( opencontainers/runc#2217 ). This release has a fix for a race condition we are struggling with in kubernetes (especially CI jobs) which was fixed in opencontainers/runc#2185

The v1.0.0-rc10 includes the fix for CVE-2019-19921 as well. The full diff upstream is here: https://github.com/opencontainers/runc/compare/v1.0.0-rc9...v1.0.0-rc10

Signed-off-by: Davanum Srinivas <davanum@gmail.com>

+17 -3

6 comments

3 changed files

dims

pr closed time in 23 days

push event containerd/containerd

Davanum Srinivas

commit sha 923c05bed10b14512cf5ec029066ca5e90d87431

Bump to opencontainers/runc new version - v1.0.0-rc10

We have a new release of runc ( opencontainers/runc#2217 ). This release has a fix for a race condition we are struggling with in kubernetes (especially CI jobs) which was fixed in opencontainers/runc#2185

The v1.0.0-rc10 includes the fix for CVE-2019-19921 as well. The full diff upstream is here: https://github.com/opencontainers/runc/compare/v1.0.0-rc9...v1.0.0-rc10

Signed-off-by: Davanum Srinivas <davanum@gmail.com>

Phil Estes

commit sha 5c72f92a5d924fdd699e761d022991266a77ed51

Merge pull request #3973 from dims/update-to-new-rc10-of-opencontainers/runc Bump to opencontainers/runc new version - v1.0.0-rc10

push time in 24 days

PR merged containerd/containerd

Bump to opencontainers/runc new version - v1.0.0-rc10

We have a new release of runc ( opencontainers/runc#2217 ). This release has a fix for a race condition we are struggling with in kubernetes (especially CI jobs) which was fixed in opencontainers/runc#2185

The v1.0.0-rc10 includes the fix for CVE-2019-19921 as well. The full diff upstream is here: https://github.com/opencontainers/runc/compare/v1.0.0-rc9...v1.0.0-rc10

Signed-off-by: Davanum Srinivas <davanum@gmail.com>

+17 -3

17 comments

3 changed files

dims

pr closed time in 24 days

pull request comment containerd/containerd

Pull: create image record after blobs download

ping @dmcgowan

fuweid

comment created time in a month
