api,adaptation,generate: allow adjusting linux net devices#157
Merged
mikebrow merged 2 commits intocontainerd:mainfrom Dec 3, 2025
Merged
api,adaptation,generate: allow adjusting linux net devices#157mikebrow merged 2 commits intocontainerd:mainfrom
mikebrow merged 2 commits intocontainerd:mainfrom
Conversation
klihub
force-pushed
the
devel/linux-net-devices
branch
from
df6df04 to
02f0b68
Compare
Contributor
|
❤️ |
klihub
force-pushed
the
devel/linux-net-devices
branch
from
02f0b68 to
d886c51
Compare
klihub
force-pushed
the
devel/linux-net-devices
branch
2 times, most recently
from
df21d77 to
20533ae
Compare
klihub
force-pushed
the
devel/linux-net-devices
branch
from
20533ae to
6e14a15
Compare
Member
Author
|
/cc @aojea @tao12345666333 Here is the draft PR proposal #180 was asking for. |
aojea
reviewed
Jun 25, 2025
aojea
reviewed
Jun 25, 2025
aojea
reviewed
Jun 25, 2025
Contributor
|
This is fantastic @klihub , can we undraft it for final review |
klihub
force-pushed
the
devel/linux-net-devices
branch
from
6e14a15 to
a03dcca
Compare
Member
Author
We can try to do that to get it reviewed. @mikebrow WDYT? But I think we won't be able to get this merged before the necessary new bits in runtime-spec gets behind a tag. Both CRI-O and containerd main/HEAD is at runtime-spec@v1.2.1 and I think we usually tend to stick to a tagged version in both even in main. |
Contributor
|
ok, that is fair |
Contributor
|
Fixes: #180 |
klihub
force-pushed
the
devel/linux-net-devices
branch
from
a03dcca to
a999d9b
Compare
2 tasks
Contributor
|
Containerd containerd/containerd#12295 is already testing runc 1.4.0-rc.2 |
Member
|
Thx for the update @aojea |
klihub
force-pushed
the
devel/linux-net-devices
branch
2 times, most recently
from
8df6cec to
0a96043
Compare
Member
Author
@aojea @mikebrow But I think we'd still need a tagged version of |
Contributor
|
@klihub yeah, I was using the comment as a breadcrumb , so next time I check I can track teh history, otherwise I forget I was not trying to push for merging before that, sorry for the confusion |
Member
Author
@aojea No prob / no offense taken. I just asked to make sure I understand correctly where we are and whether we can try to move this forward yet. |
Contributor
|
informational update , ETA for 1.3.0 spec is 2025/11/04 opencontainers/runc#4875 (comment) , runc will follow |
Member
Author
|
@aojea @mikebrow With opencontainers/runtime-spec v1.3.0 now tagged and released, unfortunately opencontainer/runtime-tools is now badly out of sync with runtime-spec. runtime-spec@v1.3.0 brings a flips the linux PID limit setting the from I filed a PR for fixing this but I'm not sure what are the chances of getting that merged soon |
chrishenzie
reviewed
Nov 13, 2025
| LinuxIOPriority io_priority = 6; | ||
| SecurityProfile seccomp_profile = 7; | ||
| LinuxSeccomp seccomp_policy = 8; | ||
| map<string, LinuxNetDevice> net_devices = 9; |
Member
There was a problem hiding this comment.
What are the keys, and why is a map chosen vs. repeated?
Contributor
There was a problem hiding this comment.
Because network interface names are unique, so there is no need to validate or fail at runtime, the keys are the interface name
Contributor
|
it seems the dependency problem got unblocked |
klihub
force-pushed
the
devel/linux-net-devices
branch
from
0a96043 to
bf5c053
Compare
klihub
force-pushed
the
devel/linux-net-devices
branch
2 times, most recently
from
c2faa3d to
c5f3eae
Compare
chrishenzie
approved these changes
Nov 17, 2025
| Name: d.Name, | ||
| }) | ||
| if !verbose { | ||
| log.Infof("%s: injected network device %q -> %q...", containerName(pod, ctr), |
Member
There was a problem hiding this comment.
nit: This is unrelated since I see this is an established pattern, but I'm not following why we would conditionally write info logs. I would think we would always info log, and then conditionally decide whether or not to additionally dump verbose output above
Member
Author
There was a problem hiding this comment.
True. It is a bit strange not to log that info in verbose mode. We can fix all instances of that wrong pattern in a separate PR.
Allow adding and removing container linux net devices. Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
klihub
force-pushed
the
devel/linux-net-devices
branch
from
c5f3eae to
5145c92
Compare
Contributor
|
yay 👏 |
jeniawhite
pushed a commit
to elastic/cloudbeat
that referenced
this pull request
Apr 22, 2026
…4) (#4771) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [github.com/containerd/containerd](https://redirect.github.com/containerd/containerd) | indirect | major | `v1.7.31` -> `v2.2.3` | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>containerd/containerd (github.com/containerd/containerd)</summary> ### [`v2.2.3`](https://redirect.github.com/containerd/containerd/releases/tag/v2.2.3): containerd 2.2.3 [Compare Source](https://redirect.github.com/containerd/containerd/compare/v2.2.2...v2.2.3) Welcome to the v2.2.3 release of containerd! The third patch release for containerd 2.2 contains various fixes and updates including a security patch. ##### Security Updates - **spdystream** - [**CVE-2026-35469**](https://redirect.github.com/moby/spdystream/security/advisories/GHSA-pc3f-x583-g7j2) ##### Highlights ##### Container Runtime Interface (CRI) - Preserve cgroup mount options for privileged containers ([#​13120](https://redirect.github.com/containerd/containerd/pull/13120)) - Ensure UpdatePodSandbox returns Unimplemented instead of a generic error ([#​13023](https://redirect.github.com/containerd/containerd/pull/13023)) ##### Go client - Handle absolute symlinks in rootfs user lookup to fix regressions when using Go 1.24 ([#​13015](https://redirect.github.com/containerd/containerd/pull/13015)) ##### Image Distribution - Enable mount manager in diff walking to fix layer extraction errors with some snapshotters (e.g., EROFS) ([#​13198](https://redirect.github.com/containerd/containerd/pull/13198)) - Apply hardening to prevent TOCTOU race during tar extraction ([#​12971](https://redirect.github.com/containerd/containerd/pull/12971)) ##### Runtime - Restore support for client-mounted roots in Windows containers using process isolation ([#​13195](https://redirect.github.com/containerd/containerd/pull/13195)) - Update runc to v1.3.5 ([#​13061](https://redirect.github.com/containerd/containerd/pull/13061)) - Apply absolute symlink resolution to /etc/group in OCI spec to fix lookups on NixOS-style systems ([#​13019](https://redirect.github.com/containerd/containerd/pull/13019)) - Handle absolute symlinks in rootfs user lookup to fix regressions when using Go 1.24 ([#​13015](https://redirect.github.com/containerd/containerd/pull/13015)) ##### Snapshotters - Fix bug that caused whiteouts to be ignored when parallel unpack was used ([#​13125](https://redirect.github.com/containerd/containerd/pull/13125)) Please try out the release binaries and report any issues at https://github.com/containerd/containerd/issues. ##### Contributors - Samuel Karp - Sebastiaan van Stijn - Maksym Pavlenko - Chris Henzie - Derek McGowan - Paulo Oliveira - Henry Wang - Phil Estes - Wei Fu - Akihiro Suda - Gao Xiang - Ricardo Branco - Shachar Tal ##### Changes <details><summary>40 commits</summary> <p> - Prepare release notes for v2.2.3 ([#​13224](https://redirect.github.com/containerd/containerd/pull/13224)) - [`8a0f4ed5d`](https://redirect.github.com/containerd/containerd/commit/8a0f4ed5d360171d62ca625bc93f393a36241189) Prepare release notes for v2.2.3 - update github.com/moby/spdystream v0.5.1 ([#​13217](https://redirect.github.com/containerd/containerd/pull/13217)) - [`31bd34a06`](https://redirect.github.com/containerd/containerd/commit/31bd34a064dc7136413efde09b99a2bdd14dabe9) update github.com/moby/spdystream v0.5.1 - vendor: github.com/klauspost/compress v1.18.5 ([#​13197](https://redirect.github.com/containerd/containerd/pull/13197)) - [`1336f6c45`](https://redirect.github.com/containerd/containerd/commit/1336f6c45d25c674963e5cb86ee1ea522e6f513e) vendor: github.com/klauspost/compress v1.18.5 - diff/walking: enable mount manager ([#​13198](https://redirect.github.com/containerd/containerd/pull/13198)) - [`409f75be8`](https://redirect.github.com/containerd/containerd/commit/409f75be8791d53e2e4e96ab060d8db56fd46b1e) diff/walking: enable mount manager - update runhcs to v0.14.1 ([#​13195](https://redirect.github.com/containerd/containerd/pull/13195)) - [`3f33146c1`](https://redirect.github.com/containerd/containerd/commit/3f33146c1c199f1d9479d791b105197cebf7b1bc) update runhcs to v0.14.1 - vendor: github.com/Microsoft/hcsshim v0.14.1 ([#​13196](https://redirect.github.com/containerd/containerd/pull/13196)) - [`8bd1b74e5`](https://redirect.github.com/containerd/containerd/commit/8bd1b74e5dbcd6aad671666e13861a6c8a7bf13c) vendor: github.com/Microsoft/hcsshim v0.14.1 - [`c6b0be8e1`](https://redirect.github.com/containerd/containerd/commit/c6b0be8e1317166d53a05c308db3223293f36f85) vendor: github.com/Microsoft/hcsshim v0.14.0 - update to Go 1.25.9, 1.26.2 ([#​13190](https://redirect.github.com/containerd/containerd/pull/13190)) - [`2ecde8cfe`](https://redirect.github.com/containerd/containerd/commit/2ecde8cfe12320fefd05e08c83e413a4046bb72c) update to Go 1.25.9, 1.26.2 - Skip TestExportAndImportMultiLayer on s390x ([#​13154](https://redirect.github.com/containerd/containerd/pull/13154)) - [`be554f478`](https://redirect.github.com/containerd/containerd/commit/be554f478ceb629d3dc3fbd5331b9167cc7a4870) Skip TestExportAndImportMultiLayer on s390x - Tweak mount info for overlayfs in case of parallel unpack ([#​13125](https://redirect.github.com/containerd/containerd/pull/13125)) - [`660de195b`](https://redirect.github.com/containerd/containerd/commit/660de195b07db576cbe8aab53a4b6e87cc931347) Tweak mount info for overlayfs in case of parallel unpack - [`bc9274a4b`](https://redirect.github.com/containerd/containerd/commit/bc9274a4b05342ba1096c73ce6ce8a505ce243ce) Add integration test for issue 13030 - Preserve cgroup mount options for privileged containers ([#​13120](https://redirect.github.com/containerd/containerd/pull/13120)) - [`c387890b5`](https://redirect.github.com/containerd/containerd/commit/c387890b582324c4cf11e940efe4268a21524ed6) Add integration test for privileged container cgroup mounts - [`047a335a6`](https://redirect.github.com/containerd/containerd/commit/047a335a69d66e673ddc155fed779152e00a5652) Forward RUNC_FLAVOR env var down to integration tests - [`9b2d72ee0`](https://redirect.github.com/containerd/containerd/commit/9b2d72ee03b548c8344cd243670e06f863a701a2) Preserve host cgroup mount options for privileged containers - [`5b66cd6a0`](https://redirect.github.com/containerd/containerd/commit/5b66cd6a0902b7927eeb8107bb5a30d78436eaa3) Move cgroup namespace placement higher in spec builder - update runc binary to v1.3.5 ([#​13061](https://redirect.github.com/containerd/containerd/pull/13061)) - [`584205c2f`](https://redirect.github.com/containerd/containerd/commit/584205c2fa986334d22b840293b1060b10ab724e) \[release/2.2] update runc binary to v1.3.5 - Fix vagrant on CI ([#​13066](https://redirect.github.com/containerd/containerd/pull/13066)) - [`77c6886df`](https://redirect.github.com/containerd/containerd/commit/77c6886df6510bf1ac9326436e7b371a28eb5678) Ignore NOCHANGE error - Fix TOCTOU race bug in tar extraction ([#​12971](https://redirect.github.com/containerd/containerd/pull/12971)) - [`fbed68b8f`](https://redirect.github.com/containerd/containerd/commit/fbed68b8fb97b778b0caf68167cb0c4ab4af27df) Fix TOCTOU race bug in tar extraction - cri: UpdatePodSandbox should return Unimplemented ([#​13023](https://redirect.github.com/containerd/containerd/pull/13023)) - [`a83510103`](https://redirect.github.com/containerd/containerd/commit/a835101036b106386be8e5b433d5ca0f1f0529cd) cri: UpdatePodSandbox should return Unimplemented - fix(oci): apply absolute symlink resolution to /etc/group ([#​13019](https://redirect.github.com/containerd/containerd/pull/13019)) - [`ee4179e52`](https://redirect.github.com/containerd/containerd/commit/ee4179e5212c09e7bc4c429bf5b77eabb2b84662) fix(oci): apply absolute symlink resolution to /etc/group - fix(oci): handle absolute symlinks in rootfs user lookup ([#​13015](https://redirect.github.com/containerd/containerd/pull/13015)) - [`fd061b848`](https://redirect.github.com/containerd/containerd/commit/fd061b84887177b969e8f8e2499e780341cde0ae) test(oci): use fstest and mock fs for better symlink coverage - [`5d44d2c22`](https://redirect.github.com/containerd/containerd/commit/5d44d2c220d6296156c1c4fe3a500958667a3708) fix(oci): handle absolute symlinks in rootfs user lookup - update to go1.25.8, test go1.26.1 ([#​13011](https://redirect.github.com/containerd/containerd/pull/13011)) - [`00c776f07`](https://redirect.github.com/containerd/containerd/commit/00c776f075f06e4eeb4bfd97e23b3331c5c96bbc) update to go1.25.8, test go1.26.1 </p> </details> ##### Dependency Changes - **github.com/Microsoft/hcsshim** v0.14.0-rc.1 -> v0.14.1 - **github.com/klauspost/compress** v1.18.1 -> v1.18.5 - **github.com/moby/spdystream** v0.5.0 -> v0.5.1 Previous release can be found at [v2.2.2](https://redirect.github.com/containerd/containerd/releases/tag/v2.2.2) ##### Which file should I download? - `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`: ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04). - `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`: Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent. In addition to containerd, typically you will have to install [runc](https://redirect.github.com/opencontainers/runc/releases) and [CNI plugins](https://redirect.github.com/containernetworking/plugins/releases) from their official sites too. See also the [Getting Started](https://redirect.github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation. ### [`v2.2.2`](https://redirect.github.com/containerd/containerd/releases/tag/v2.2.2): containerd 2.2.2 [Compare Source](https://redirect.github.com/containerd/containerd/compare/v2.2.1...v2.2.2) Welcome to the v2.2.2 release of containerd! The second patch release for containerd 2.2 contains various fixes and improvements. ##### Highlights ##### Container Runtime Interface (CRI) - Fix migrated CRI image config when using legacy registry mirrors ([#​12987](https://redirect.github.com/containerd/containerd/pull/12987)) - Unpack images with per-layer labels for runtime-specific snapshotters ([#​12936](https://redirect.github.com/containerd/containerd/pull/12936)) - Fix CNI issue where DEL is never executed after a restart ([#​12926](https://redirect.github.com/containerd/containerd/pull/12926)) - Harden error handling to strip potentially-sensitive registry parameters ([#​12804](https://redirect.github.com/containerd/containerd/pull/12804)) - Fix nil pointer dereference in container spec memory metrics when memory constraints are not fully configured ([#​12731](https://redirect.github.com/containerd/containerd/pull/12731)) - Use the specified runtime handler when pulling images ([#​12721](https://redirect.github.com/containerd/containerd/pull/12721)) - Reduce noisy CDI logs ([#​12717](https://redirect.github.com/containerd/containerd/pull/12717)) - Fix regression for pulling encrypted images ([#​12712](https://redirect.github.com/containerd/containerd/pull/12712)) ##### Runtime - Fix unintended dropping of mount flags for read-only bind-mounts in user namespaces ([#​12944](https://redirect.github.com/containerd/containerd/pull/12944)) - Fix AppArmor bug disallowing unix domain sockets on newer kernels ([#​12897](https://redirect.github.com/containerd/containerd/pull/12897)) ##### ctr development tool - Fix `ctr image mount` failing with "no such device" ([#​12831](https://redirect.github.com/containerd/containerd/pull/12831)) Please try out the release binaries and report any issues at https://github.com/containerd/containerd/issues. ##### Contributors - Maksym Pavlenko - Akhil Mohan - Samuel Karp - Wei Fu - Michael Zappa - Phil Estes - Fabiano Fidêncio - Jérôme Poulin - Luke Hinds - Aadhar Agarwal - Akihiro Suda - Alex Chernyakhovsky - Chris Adeniyi-Jones - Kazuyoshi Kato - Rodrigo Campos - Sebastiaan van Stijn - You Binhao - ningmingxiao - qiuxue ##### Changes <details><summary>48 commits</summary> <p> - Prepare release notes for v2.2.2 ([#​12998](https://redirect.github.com/containerd/containerd/pull/12998)) - [`7e6ecf434`](https://redirect.github.com/containerd/containerd/commit/7e6ecf43421f9cfa64cd7043f86ae224dc7dc0a4) Prepare release notes for v2.2.2 - Fix migrated CRI image config when using legacy registry mirrors ([#​12987](https://redirect.github.com/containerd/containerd/pull/12987)) - [`a20dead7c`](https://redirect.github.com/containerd/containerd/commit/a20dead7cc644291433b2da4b1efa2f70c8a144f) set default config_path in plugin init - Unpack images with per-layer labels for runtime-specific snapshotters ([#​12936](https://redirect.github.com/containerd/containerd/pull/12936)) - [`a5f83d8c2`](https://redirect.github.com/containerd/containerd/commit/a5f83d8c2b419a3f882182d5beca60725387f499) cri: unpack images with per-layer labels for runtime-specific snapshotters - ci: modprobe xt_comment on almalinux ([#​12957](https://redirect.github.com/containerd/containerd/pull/12957)) - [`68855cb0b`](https://redirect.github.com/containerd/containerd/commit/68855cb0be5d372fd53c450e91cc3224157abb4b) ci: modprobe xt_comment on almalinux - Fix unintended dropping of mount flags for read-only bind-mounts in user namespaces ([#​12944](https://redirect.github.com/containerd/containerd/pull/12944)) - [`ef7a8beb3`](https://redirect.github.com/containerd/containerd/commit/ef7a8beb375c8322b9a09666f50150717b9ae335) core/mount: add test for getUnprivilegedMountFlags - [`07b2cc07e`](https://redirect.github.com/containerd/containerd/commit/07b2cc07e4f3d553c5ca801c9f0800b55ba7eac2) core/mount: fix getUnprivilegedMountFlags iterating over indices instead of values - Fix CNI issue where DEL is never executed after a restart ([#​12926](https://redirect.github.com/containerd/containerd/pull/12926)) - [`54101116f`](https://redirect.github.com/containerd/containerd/commit/54101116fcdf18e21c8d202f86ed93c34a5932af) add integration test for cni result nil - [`d44c4384e`](https://redirect.github.com/containerd/containerd/commit/d44c4384ec9f7adef9a4598e05f12e0850338fd8) address comment - [`f1835270b`](https://redirect.github.com/containerd/containerd/commit/f1835270b0b800e4c1ba13391cd4a75617810615) fix issue where cni del is never executed - Fix AppArmor bug disallowing unix domain sockets on newer kernels ([#​12897](https://redirect.github.com/containerd/containerd/pull/12897)) - [`6c05047b4`](https://redirect.github.com/containerd/containerd/commit/6c05047b4ba86d2fb857429c6272bb66679e7dee) apparmor: explicitly set abi/3.0 - ci: add build/test go1.26.0, drop go1.24 ([#​12917](https://redirect.github.com/containerd/containerd/pull/12917)) - [`5dbf1b915`](https://redirect.github.com/containerd/containerd/commit/5dbf1b91596e35247f5928ad202da2a378859703) update golangci-lint to v2.9.0 with go1.26 support - [`8ec695ebe`](https://redirect.github.com/containerd/containerd/commit/8ec695ebe8b6f8ec4fbd4ebbe658a2aaa35ac857) remove windows/arm from cross build - [`b9c22a6e3`](https://redirect.github.com/containerd/containerd/commit/b9c22a6e39a937e86723bac0b63e30587cd8e936) ci: build/test go1.26.0 - integration: Fix TestImageLoad() failure on CI ([#​12906](https://redirect.github.com/containerd/containerd/pull/12906)) - [`09b876a81`](https://redirect.github.com/containerd/containerd/commit/09b876a8198818ab7d59e9037e6592889faea861) integration: Fix TestImageLoad() failure on CI - cri: Fix image volumes with user namespaces ([#​12885](https://redirect.github.com/containerd/containerd/pull/12885)) - [`172ba65b6`](https://redirect.github.com/containerd/containerd/commit/172ba65b6a89479865832a7101f10e1b3a323d78) cri: Fix image volumes with user namespaces - update to go1.24.13, go1.25.7 ([#​12871](https://redirect.github.com/containerd/containerd/pull/12871)) - [`b4240ef87`](https://redirect.github.com/containerd/containerd/commit/b4240ef8782d274b97554881cec65aa8b1da0d2c) update to go1.24.13, go1.25.7 - [`94dbfaea7`](https://redirect.github.com/containerd/containerd/commit/94dbfaea7295d65c11f36510abc558e6e01c9205) ci: bump go 1.24.12, 1.25.6 - ci: set fetch-depth for containerd to 0 for version parsing ([#​12875](https://redirect.github.com/containerd/containerd/pull/12875)) - [`e46a7a286`](https://redirect.github.com/containerd/containerd/commit/e46a7a28682e79b9d851ea4de1840eb0dcf555b5) set fetch-depth for containerd to 0 for version parsing - Fix `ctr image mount` failing with "no such device" ([#​12831](https://redirect.github.com/containerd/containerd/pull/12831)) - [`1d7908273`](https://redirect.github.com/containerd/containerd/commit/1d79082735d46fe24ded00a55ea6e3a33954593e) core/mount/manager: fix bind mount missing rbind option - [`3d509bcd3`](https://redirect.github.com/containerd/containerd/commit/3d509bcd335b15cece69ebfa117681d2715df930) core/mount/manager: add tests for WithTemporary option - Harden error handling to strip potentially-sensitive registry parameters ([#​12804](https://redirect.github.com/containerd/containerd/pull/12804)) - [`cb3ae2119`](https://redirect.github.com/containerd/containerd/commit/cb3ae211952909a5c4d9fcb274e029286057fc34) fix: sanitize error before gRPC return to prevent credential leak in pod events - bump google.golang.org/grpc from 1.76.0 to 1.78.0 ([#​12739](https://redirect.github.com/containerd/containerd/pull/12739)) - [`533a2552e`](https://redirect.github.com/containerd/containerd/commit/533a2552e9e1ff1896868986240f493e9f488920) build(deps): bump google.golang.org/grpc from 1.77.0 to 1.78.0 - [`b120237fb`](https://redirect.github.com/containerd/containerd/commit/b120237fb6af3b65117ba83af204cf92790acff3) build(deps): bump google.golang.org/grpc from 1.76.0 to 1.77.0 - Fix nil pointer dereference in container spec memory metrics when memory constraints are not fully configured ([#​12731](https://redirect.github.com/containerd/containerd/pull/12731)) - [`4be4e5156`](https://redirect.github.com/containerd/containerd/commit/4be4e5156c1bfdd84f12bb43424261e3b5578208) Fix nil pointer dereference in container spec memory metrics - cri: emit warning for concurrent CreateContainer ([#​12735](https://redirect.github.com/containerd/containerd/pull/12735)) - [`a76eb698a`](https://redirect.github.com/containerd/containerd/commit/a76eb698a52f1eb3018fe6126587dcf36fad4e7b) cri: emit warning for concurrent CreateContainer - Use the specified runtime handler when pulling images ([#​12721](https://redirect.github.com/containerd/containerd/pull/12721)) - [`3d2e188b1`](https://redirect.github.com/containerd/containerd/commit/3d2e188b15d7db18f87251eaf134da463f36a8c8) cri: Use the runtimeHandler parameter in PullImage - Reduce noisy CDI logs ([#​12717](https://redirect.github.com/containerd/containerd/pull/12717)) - [`633057382`](https://redirect.github.com/containerd/containerd/commit/633057382e7bfd16523865928549b38e0aa0b7e2) cri: move noisy CDI logs to debug level - Fix regression for pulling encrypted images ([#​12712](https://redirect.github.com/containerd/containerd/pull/12712)) - [`8a7409e2e`](https://redirect.github.com/containerd/containerd/commit/8a7409e2e71fd9486db3504ab804d4419e45af41) Reinstate image decryption </p> </details> ##### Dependency Changes - **github.com/go-jose/go-jose/v4** v4.1.2 -> v4.1.3 - **go.opentelemetry.io/auto/sdk** v1.1.0 -> v1.2.1 - **go.opentelemetry.io/otel** v1.37.0 -> v1.38.0 - **go.opentelemetry.io/otel/metric** v1.37.0 -> v1.38.0 - **go.opentelemetry.io/otel/sdk** v1.37.0 -> v1.38.0 - **go.opentelemetry.io/otel/trace** v1.37.0 -> v1.38.0 - **golang.org/x/oauth2** v0.30.0 -> v0.32.0 - **google.golang.org/genproto/googleapis/api** [`a7a43d2`](https://redirect.github.com/containerd/containerd/commit/a7a43d27e69b) -> [`ab9386a`](https://redirect.github.com/containerd/containerd/commit/ab9386a59fda) - **google.golang.org/genproto/googleapis/rpc** [`a7a43d2`](https://redirect.github.com/containerd/containerd/commit/a7a43d27e69b) -> [`ab9386a`](https://redirect.github.com/containerd/containerd/commit/ab9386a59fda) - **google.golang.org/grpc** v1.76.0 -> v1.78.0 Previous release can be found at [v2.2.1](https://redirect.github.com/containerd/containerd/releases/tag/v2.2.1) ##### Which file should I download? - `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`: ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04). - `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`: Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent. In addition to containerd, typically you will have to install [runc](https://redirect.github.com/opencontainers/runc/releases) and [CNI plugins](https://redirect.github.com/containernetworking/plugins/releases) from their official sites too. See also the [Getting Started](https://redirect.github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation. ### [`v2.2.1`](https://redirect.github.com/containerd/containerd/releases/tag/v2.2.1): containerd 2.2.1 [Compare Source](https://redirect.github.com/containerd/containerd/compare/v2.2.0...v2.2.1) Welcome to the v2.2.1 release of containerd! The first patch release for containerd 2.2 contains various fixes and improvements. ##### Highlights ##### Container Runtime Interface (CRI) - **Redact all query parameters in CRI error logs** ([#​12546](https://redirect.github.com/containerd/containerd/pull/12546)) ##### Image Distribution - **Fix image defaults on Darwin to usable configuration** ([#​12544](https://redirect.github.com/containerd/containerd/pull/12544)) - **Fix possible panic from WithMediaTypeKeyPrefix** ([#​12516](https://redirect.github.com/containerd/containerd/pull/12516)) ##### Runtime - **Update runc binary to v1.3.4** ([#​12593](https://redirect.github.com/containerd/containerd/pull/12593)) - **Fix parsing of hugetlb.<size>.events files** ([containerd/cgroups#379](https://redirect.github.com/containerd/cgroups/pull/379)) Please try out the release binaries and report any issues at https://github.com/containerd/containerd/issues. ##### Contributors - Krisztian Litkey - Markus Lehtonen - Akihiro Suda - Mike Brown - Sebastiaan van Stijn - Derek McGowan - Heran Yang - Wei Fu - Phil Estes - Samuel Karp - Austin Vazquez - Sascha Grunert - Akhil Mohan - Andrey Noskov - Brian Goff - CrazyMax - Davanum Srinivas - Gaurav Ghildiyal - Neeraj Krishna Gopalakrishna - Paweł Gronowski - Tariq Ibrahim - TomerLev - Tõnis Tiigi - bo.jiang - ningmingxiao ##### Changes <details><summary>53 commits</summary> <p> - Prepare release notes for v2.2.1 ([#​12677](https://redirect.github.com/containerd/containerd/pull/12677)) - [`f6bae1f88`](https://redirect.github.com/containerd/containerd/commit/f6bae1f8807a099a0b101e584f1f8aabddab91a6) Prepare release notes for v2.2.1 - cri,nri: bump NRI dependencies to v0.11.0 ([#​12701](https://redirect.github.com/containerd/containerd/pull/12701)) - [`c22cf5d49`](https://redirect.github.com/containerd/containerd/commit/c22cf5d49819a2996f184db954c53c2060916314) cri,nri: pass any linux security profile to plugins. - [`d7532de75`](https://redirect.github.com/containerd/containerd/commit/d7532de751f81eee4f03001bb46e49d76a1607fb) cri,nri: pass any linux RDT constraints to plugins. - [`ef36e6181`](https://redirect.github.com/containerd/containerd/commit/ef36e6181456ebb9919d2a51d786f416f85f780b) cri,nri: pass any linux net devices to plugins. - [`d56faf426`](https://redirect.github.com/containerd/containerd/commit/d56faf4261b5f946caa92c4869963f89f63a9b22) cri,nri: pass any linux scheduler attributes to plugins. - [`e1824d261`](https://redirect.github.com/containerd/containerd/commit/e1824d2613d32793cf1fd7282f0b9f5f6f622613) cri,nri: pass any linux I/O priority to plugins. - [`01d5490ae`](https://redirect.github.com/containerd/containerd/commit/01d5490ae26a05b1a73ca9e253761005c7286754) go.{mod,sum}: bump NRI deps to v0.11.0, re-vendor. - pkg/tracing: HTTPStatusCodeAttributes: remove use of deprecated SemConv const ([#​12697](https://redirect.github.com/containerd/containerd/pull/12697)) - [`58d23ab63`](https://redirect.github.com/containerd/containerd/commit/58d23ab63830dc41d7c2e1035a9c0a7a28b6fed2) pkg/tracing: HTTPStatusCodeAttributes: remove use of deprecated SemConv const - cri/nri: short-circuit nil adjustment. ([#​12672](https://redirect.github.com/containerd/containerd/pull/12672)) - [`05ccbb3a7`](https://redirect.github.com/containerd/containerd/commit/05ccbb3a7eb10a72427c722155a2eacdc2908a61) cri/nri: short-circuit nil adjustment. - go.{mod,sum}: bump CDI deps to v1.1.0. ([#​12664](https://redirect.github.com/containerd/containerd/pull/12664)) - [`c166a577d`](https://redirect.github.com/containerd/containerd/commit/c166a577d0638de704d6c9f999858ed47cf06a60) go.{mod,sum} bump CDI deps to v1.1.0. - go.mod: containerd/zfs v2.0.0; remove exclude rules ([#​12654](https://redirect.github.com/containerd/containerd/pull/12654)) - [`73a08aa00`](https://redirect.github.com/containerd/containerd/commit/73a08aa00dc98a0662a40d45ed50dac534dce1e6) go.mod: remove exclude rules - [`cee08c8af`](https://redirect.github.com/containerd/containerd/commit/cee08c8af836002863b30e2ef8cd3c45b6ae56ad) build(deps): bump github.com/containerd/zfs/v2 from 2.0.0-rc.0 to 2.0.0 - go.mod: github.com/containernetworking/plugins v1.9.0 ([#​12658](https://redirect.github.com/containerd/containerd/pull/12658)) - [`8a5fc8641`](https://redirect.github.com/containerd/containerd/commit/8a5fc86416926d2a2189861391cd77b07d7f4443) go.mod: github.com/containernetworking/plugins v1.9.0 - go.mod: golang.org/x/crypto v0.45.0 ([#​12638](https://redirect.github.com/containerd/containerd/pull/12638)) - [`55c93d6fb`](https://redirect.github.com/containerd/containerd/commit/55c93d6fb85333d4988122b2ae97b947bcde02b7) go.mod: golang.org/x/crypto v0.45.0 - ci :bump Go 1.24.11, 1.25.5 ([#​12625](https://redirect.github.com/containerd/containerd/pull/12625)) - [`aedd29bb4`](https://redirect.github.com/containerd/containerd/commit/aedd29bb4ecabfae1d8806dc1011a347a3401fb2) ci: bump Go 1.24.11, 1.25.5 - [`26628f139`](https://redirect.github.com/containerd/containerd/commit/26628f1397f991a9ee2fe7de32a6a2df70ab89bd) ci: bump Go 1.24.10, 1.25.4 - [`8bb0e9be6`](https://redirect.github.com/containerd/containerd/commit/8bb0e9be6ceebc1ad1d76c88a661bacf84921b3d) ci(release): set GO_VERSION in Dockerfile - core/runtime/v2: remove uses of otelgrpc.UnaryClientInterceptor ([#​12622](https://redirect.github.com/containerd/containerd/pull/12622)) - [`ed19c5420`](https://redirect.github.com/containerd/containerd/commit/ed19c542003cc00988760b0f72e487c20dc198a0) core/runtime/v2: remove uses of otelgrpc.UnaryClientInterceptor - ci: update CIFuzz actions to support Ubuntu 24.04 ([#​12632](https://redirect.github.com/containerd/containerd/pull/12632)) - [`952237d9b`](https://redirect.github.com/containerd/containerd/commit/952237d9ba4390f4fa740f3832492e3870f0f9f9) ci: update CIFuzz actions to support Ubuntu 24.04 - Update runc binary to v1.3.4 ([#​12593](https://redirect.github.com/containerd/containerd/pull/12593)) - [`fb5b818a9`](https://redirect.github.com/containerd/containerd/commit/fb5b818a9a34ad4fe3b0901c73cd7432ae4bb8bc) runc: Update runc binary to v1.3.4 - : update containerd/cgroups from v3.1.0 to v3.1.2 ([#​12598](https://redirect.github.com/containerd/containerd/pull/12598)) - [`51582ed27`](https://redirect.github.com/containerd/containerd/commit/51582ed27b13941f6bbf1526d909a00deadfcc0f) bump containerd/cgroups to v3.1.2 - [`50d0e4fd4`](https://redirect.github.com/containerd/containerd/commit/50d0e4fd4cb909829d9965d9da5be04ee812fe29) build(deps): bump github.com/containerd/cgroups/v3 from 3.1.0 to 3.1.1 - core/mount: should not call removeLoop when set autoclear ([#​12587](https://redirect.github.com/containerd/containerd/pull/12587)) - [`41a69eb0d`](https://redirect.github.com/containerd/containerd/commit/41a69eb0d19cafbf40e03c36ef6be259a52d6f5e) core/mount: should not call removeLoop when set autoclear - build(deps): bump github.com/opencontainers/selinux ([#​12589](https://redirect.github.com/containerd/containerd/pull/12589)) - [`e3bf2b80b`](https://redirect.github.com/containerd/containerd/commit/e3bf2b80b9ca3280fd64a2bd0436fcdb894c4410) build(deps): bump github.com/opencontainers/selinux - .github: skip 5 critest cases for window-2022 ([#​12584](https://redirect.github.com/containerd/containerd/pull/12584)) - [`da8e846f9`](https://redirect.github.com/containerd/containerd/commit/da8e846f97a081f580eccc4a7384f3f050dd5b5e) .github: skip 5 critest cases in window CI pipeline - Fix image defaults on Darwin to usable configuration ([#​12544](https://redirect.github.com/containerd/containerd/pull/12544)) - [`d154e234b`](https://redirect.github.com/containerd/containerd/commit/d154e234b29c5bed4f14a72d605e92e4728415a2) Update the ctr pull defaults when using the transfer service - [`09364216d`](https://redirect.github.com/containerd/containerd/commit/09364216de92aab056118507da59fabf642d88ac) Fix transfer unpack defaults on darwin - [`2055d3c62`](https://redirect.github.com/containerd/containerd/commit/2055d3c62e85350642c4b031c35a63b22e2ec6f7) Update default differs on darwin - [`9da97686d`](https://redirect.github.com/containerd/containerd/commit/9da97686d151da046d5512bb9f7f1d67ea4c8393) Use default writable size in erofs snapshotter for non-Linux hosts - [`eeb0f889a`](https://redirect.github.com/containerd/containerd/commit/eeb0f889aed826b58a3033a5a5b14dff6ccd1979) Update default erofs block size on macOS during erofs diff - Redact all query parameters in CRI error logs ([#​12546](https://redirect.github.com/containerd/containerd/pull/12546)) - [`c707f771a`](https://redirect.github.com/containerd/containerd/commit/c707f771a872f9dd22ad8f2f827317a800e4a74f) fix: redact all query parameters in CRI error logs - Revert "Implement io.ReaderAt on docker fetch reader" ([#​12542](https://redirect.github.com/containerd/containerd/pull/12542)) - [`678f944dd`](https://redirect.github.com/containerd/containerd/commit/678f944dd16601d08ecbb19e350acc027728b656) Revert "Implement io.ReaderAt on docker fetch reader" - Fix possible panic from WithMediaTypeKeyPrefix ([#​12516](https://redirect.github.com/containerd/containerd/pull/12516)) - [`8b73c2de3`](https://redirect.github.com/containerd/containerd/commit/8b73c2de310e95fe3a143473b511fcf99d03692f) remotes: fix possible panic from WithMediaTypeKeyPrefix </p> </details> ##### Changes from containerd/cgroups <details><summary>13 commits</summary> <p> - ci: bump golangci-lint to v2.6.2 ([containerd/cgroups#382](https://redirect.github.com/containerd/cgroups/pull/382)) - [`a302e56`](https://redirect.github.com/containerd/cgroups/commit/a302e56b258f818a3dacb6e282907904f17ea239) ci: bump golangci-lint to v2.6.2 - [`731cf7a`](https://redirect.github.com/containerd/cgroups/commit/731cf7a96296e8eccffe9b986aece85ec4ab9b5b) ci: suppress errcheck - [`9bee663`](https://redirect.github.com/containerd/cgroups/commit/9bee663879fd7f5b873fa40f61a837309c4be8b0) utils: move Close() to defer block - [`9d7647c`](https://redirect.github.com/containerd/cgroups/commit/9d7647ce3bae2f67cc4ecfe1df51796caba49d52) rdma: use strings.Cut in Go 1.18 - [`109f063`](https://redirect.github.com/containerd/cgroups/commit/109f063d1c6cefbc3def1a8e0a169b746f7f5f0a) memory_test: apply De Morgan's law - [`e6fcf3f`](https://redirect.github.com/containerd/cgroups/commit/e6fcf3fda4200609bb6323428e2d1f24f712e62e) memory_test: omit type from declaration - build(deps): bump actions/checkout from 5 to 6 ([containerd/cgroups#381](https://redirect.github.com/containerd/cgroups/pull/381)) - [`4e30098`](https://redirect.github.com/containerd/cgroups/commit/4e3009894821335455c4b804600eb9667b818f81) build(deps): bump actions/checkout from 5 to 6 - Fix parsing of hugetlb.<size>.events files ([containerd/cgroups#379](https://redirect.github.com/containerd/cgroups/pull/379)) - [`2ad7a12`](https://redirect.github.com/containerd/cgroups/commit/2ad7a1241827ef1bc4f964fe8a5248b073f2db82) hugetlb: correctly parse hugetlb.<size>.events files - go.mod: github.com/opencontainers/runtime-spec v1.3.0 ([containerd/cgroups#376](https://redirect.github.com/containerd/cgroups/pull/376)) - [`34ef430`](https://redirect.github.com/containerd/cgroups/commit/34ef430d727e569c31b4f2bbc7d83bffeb1c0165) go.mod: github.com/opencontainers/runtime-spec v1.3.0 </p> </details> ##### Changes from containerd/nri <details><summary>79 commits</summary> <p> - adaptation: allow compiling out WASM support altogether. ([containerd/nri#253](https://redirect.github.com/containerd/nri/pull/253)) - [`ab88fe6`](https://redirect.github.com/containerd/nri/commit/ab88fe680c11b35234c38c7d4eac72335721c78d) adaptation: allow compiling out WASM support altogether. - Support direct editing of the intelRdt config ([containerd/nri#215](https://redirect.github.com/containerd/nri/pull/215)) - [`8c0c9f6`](https://redirect.github.com/containerd/nri/commit/8c0c9f67a905fb24682239a4d6d94b0dd52c13e7) Implement removal of RDT - [`dfbae8a`](https://redirect.github.com/containerd/nri/commit/dfbae8a616b80037798e3cfb8315d70f3f2eff7e) plugins: add sample rdt plugin - [`d05dd81`](https://redirect.github.com/containerd/nri/commit/d05dd818ed26c3dbeae0fce88289387b62e4665c) pkg/adaptation: support new RDT fields - [`725289b`](https://redirect.github.com/containerd/nri/commit/725289b256878de8e965327ab6e70dc883ea771b) pkg/runtime-tools/generate: support new RDT fields - [`a7832a2`](https://redirect.github.com/containerd/nri/commit/a7832a241411573e03982490197d7eb98a1c9d29) api: add rdt - update wazero/wazero version to v1.10.1 ([containerd/nri#252](https://redirect.github.com/containerd/nri/pull/252)) - [`9eb9a0f`](https://redirect.github.com/containerd/nri/commit/9eb9a0f0f6e223e6060805b55957f117f159f5cc) update tetratelabs/wazero version to v1.10.1 - support specifying a custom NRI socket path ([containerd/nri#249](https://redirect.github.com/containerd/nri/pull/249)) - [`2df6565`](https://redirect.github.com/containerd/nri/commit/2df656516e73b31e013257f713a1df5baa7fdcb0) \[plugins] support specifying a custom NRI socket path - pkg/api: add OptionalRepeatedString type ([containerd/nri#212](https://redirect.github.com/containerd/nri/pull/212)) - [`687c1a6`](https://redirect.github.com/containerd/nri/commit/687c1a6a8b5c75056acd176dc89c45251926d0bb) pkg/api: add OptionalRepeatedString type - api,adaptation,generate: allow setting kernel scheduling policy attributes. ([containerd/nri#160](https://redirect.github.com/containerd/nri/pull/160)) - [`6a371ac`](https://redirect.github.com/containerd/nri/commit/6a371ac5e7afcd185ee575828f4822d779f0ded9) device-injector: add scheduling policy adjustment. - [`e06369e`](https://redirect.github.com/containerd/nri/commit/e06369e8d1cad80f12eaf6f2c0da19c7ac78396c) api,adaptation,generate: allow setting scheduler attributes. - device-injector: always log injection summary. ([containerd/nri#246](https://redirect.github.com/containerd/nri/pull/246)) - [`14cc2e2`](https://redirect.github.com/containerd/nri/commit/14cc2e2fb6b9504c5241e3156b24b1055ed4e3ed) device-injector: always log injection summary. - api,adaptation,generate: allow adjusting linux net devices ([containerd/nri#157](https://redirect.github.com/containerd/nri/pull/157)) - [`5145c92`](https://redirect.github.com/containerd/nri/commit/5145c92e7c215ce3969805005ebdb0f37749e68b) device-injector: add network device injection. - [`8a03823`](https://redirect.github.com/containerd/nri/commit/8a03823fe8afbca00b30f669805c911414c58803) api,adaptation,generate: allow adjusting linux net devices. - Add support for sysctl adjustment ([containerd/nri#248](https://redirect.github.com/containerd/nri/pull/248)) - [`914fbf3`](https://redirect.github.com/containerd/nri/commit/914fbf3faf42da144376c133541c37211d2f9200) default-validator: restrict sysctl adjustment - [`a418956`](https://redirect.github.com/containerd/nri/commit/a4189560f80f7c02579eec252ae43034bf21cb8a) api: apply sysctl adjustments - [`8705f9b`](https://redirect.github.com/containerd/nri/commit/8705f9b1eb3107ad8bc422978b0412527e3fd236) api: add sysctl container adjustment - feat: Make logger a configurable struct member for stub ([containerd/nri#239](https://redirect.github.com/containerd/nri/pull/239)) - [`08a891a`](https://redirect.github.com/containerd/nri/commit/08a891a81d90b03b5e5ae14734f5ad74e74c264b) feat: Make logger a configurable struct member for stub - Drop dependency on opencontainers/runtime-tools ([containerd/nri#247](https://redirect.github.com/containerd/nri/pull/247)) - [`5e5c2be`](https://redirect.github.com/containerd/nri/commit/5e5c2be5f57436228f2762e0deb2c4f9873f3e9b) Drop dependency on opencontainers/runtime-tools - deps: bump runtime-spec to v1.3.0. ([containerd/nri#243](https://redirect.github.com/containerd/nri/pull/243)) - [`29c5811`](https://redirect.github.com/containerd/nri/commit/29c581117267cb5d2289ff08902a93ff263caf0e) (v0.1.0) examples: lock NRI, runtime spec deps. - [`d812952`](https://redirect.github.com/containerd/nri/commit/d8129529588cca090c972aa5e5f7775162af59da) v010-adapter: lock NRI, runtime spec and tools deps. - [`7dd7c7f`](https://redirect.github.com/containerd/nri/commit/7dd7c7f8b21c08242de41634b12ab2ee71b91000) api,runtime-tools: adjust for runtime-spec v1.3.0. - [`5d5d4c4`](https://redirect.github.com/containerd/nri/commit/5d5d4c4c877fdef4fe0938e627b11b97234195b8) go.{mod,sum}: update runtime-tools, runtime-spec to v1.3.0. - adaptation: ensure sync'ed plugins are fully registered in tests. ([containerd/nri#234](https://redirect.github.com/containerd/nri/pull/234)) - [`c840397`](https://redirect.github.com/containerd/nri/commit/c84039771e9c2cee68952b4b7cc52cba1909784e) adaptation: ensure sync'ed plugins are fully registered in tests. - Fix wasm example ([containerd/nri#237](https://redirect.github.com/containerd/nri/pull/237)) - [`44b2861`](https://redirect.github.com/containerd/nri/commit/44b2861a26c8e392229cd8b27a20cf689925f176) Fix wasm example - Makefile: build proto files unconditionally ([containerd/nri#229](https://redirect.github.com/containerd/nri/pull/229)) - [`d99f960`](https://redirect.github.com/containerd/nri/commit/d99f96028e5226c004f94a3394be82190980c4bd) Fix dockerized proto build - [`9623748`](https://redirect.github.com/containerd/nri/commit/9623748f543343bfe6b2312df47a7ed9000d47fe) Makefile: build proto files unconditionally - [`25d9391`](https://redirect.github.com/containerd/nri/commit/25d9391690a7158d851364ef011e1f56fd607a70) build: ensure we use correct version of protoc and its deps. - adaptation: test with populated initial resources. ([containerd/nri#231](https://redirect.github.com/containerd/nri/pull/231)) - [`b6b98b5`](https://redirect.github.com/containerd/nri/commit/b6b98b56a60df29da312cc1e1e070697dec43583) adaptation: test with populated initial resources. - Install protoc locally in the source tree ([containerd/nri#232](https://redirect.github.com/containerd/nri/pull/232)) - [`2394daa`](https://redirect.github.com/containerd/nri/commit/2394daa45f1c7c0fcf28e9e39895c8b871a7445c) Install protoc locally in the source tree - plugins/logger: fix default event subscription mask. ([containerd/nri#158](https://redirect.github.com/containerd/nri/pull/158)) - [`33b1db1`](https://redirect.github.com/containerd/nri/commit/33b1db1add2e9a603f7c47e1efa95d386f4af560) logger: fix default event subscription mask. - extract memory and CPU resource helpers ([containerd/nri#210](https://redirect.github.com/containerd/nri/pull/210)) - [`7afb32a`](https://redirect.github.com/containerd/nri/commit/7afb32a3a444fd0a24e36988e0906ad35590c672) extract memory and CPU resource helpers - api: expose container user/group ID to plugins. ([containerd/nri#230](https://redirect.github.com/containerd/nri/pull/230)) - [`22aeb46`](https://redirect.github.com/containerd/nri/commit/22aeb467e553bffd7650930b3bc6c28b95a2dee5) docs: update README with container uid/gid info. - [`71b0335`](https://redirect.github.com/containerd/nri/commit/71b0335fdc262451ab2ff71591f1126c8a036265) api,adaptation: add container uid/gid info. - contrib: add example for enabling per-container RDT monitoring ([containerd/nri#228](https://redirect.github.com/containerd/nri/pull/228)) - [`91fbf06`](https://redirect.github.com/containerd/nri/commit/91fbf06ed654e46629cb7aefb11856953720c9cf) contrib: add example for enabling per-container RDT monitoring - ci: enable image signing ([containerd/nri#224](https://redirect.github.com/containerd/nri/pull/224)) - [`fb54916`](https://redirect.github.com/containerd/nri/commit/fb5491601ca84bf52b70e75d0e99ddc4dfe6a922) ci: enable image signing - golangci: disable QF1008 from staticcheck linter ([containerd/nri#226](https://redirect.github.com/containerd/nri/pull/226)) - [`0b3b577`](https://redirect.github.com/containerd/nri/commit/0b3b5770d1f6845d3a3e52ccb5218f2b3ce1f34e) golangci: disable QF1008 from staticcheck linter - ci: bump golangci-lint to v2.4 ([containerd/nri#225](https://redirect.github.com/containerd/nri/pull/225)) - [`9787127`](https://redirect.github.com/containerd/nri/commit/9787127c0f3e69726b968e12b29dae31e35e250b) Bump golangci-lint to v2.4 - [`1a50ff5`](https://redirect.github.com/containerd/nri/commit/1a50ff585624f01763fd20aafaeaa92aa8b27c46) Add nolint directives - [`00fa1a1`](https://redirect.github.com/containerd/nri/commit/00fa1a124e605590d3ceea1e687600785ae6518d) Add and fix comments for exported types - [`ac21da7`](https://redirect.github.com/containerd/nri/commit/ac21da7be8f991a8699cef41acba8783dee5351e) pkg/api/seccomp: add comments for exported functions - [`3aff986`](https://redirect.github.com/containerd/nri/commit/3aff986af5f8abefda8552edae991608782df46c) pkg/runtime-tools/generate: remove embedded field "Generator" - [`c0c4bb6`](https://redirect.github.com/containerd/nri/commit/c0c4bb648ae46207f47d5b18bf447f7d5b32e26b) pkg/api/validate: add comments for exported methods - [`c0ba9da`](https://redirect.github.com/containerd/nri/commit/c0ba9da712934c860a64af54d96b5cfc74672ff5) adaptation/builtin: add comment for exported symbols - .gitignore: revert hastily reviewed editor-specific addition. ([containerd/nri#221](https://redirect.github.com/containerd/nri/pull/221)) - [`02376f3`](https://redirect.github.com/containerd/nri/commit/02376f371c707718144dd509172618c69ce6670c) .gitignore: add comment about global gitignore. - [`9336a79`](https://redirect.github.com/containerd/nri/commit/9336a7933c666dbe6da09fe3cb46e80b478fb268) Revert "nit: Add .idea folder to gitignore" - nit: Add .idea folder to gitignore ([containerd/nri#218](https://redirect.github.com/containerd/nri/pull/218)) - [`f578ea2`](https://redirect.github.com/containerd/nri/commit/f578ea2804642f2cd59594edc17b59d995289223) nit: Add .idea folder to gitignore - chore: clean and unify nolint directives ([containerd/nri#217](https://redirect.github.com/containerd/nri/pull/217)) - [`21741b9`](https://redirect.github.com/containerd/nri/commit/21741b9ee40d69eb9ee3d5688e45b0b022c32738) chore: clean and unify nolint directives - Downgrade go to require 1.24.0 ([containerd/nri#214](https://redirect.github.com/containerd/nri/pull/214)) - [`d26e910`](https://redirect.github.com/containerd/nri/commit/d26e910702c62126decc6befe835e7315cd738a9) Downgrade go to require 1.24.0 - Add dockerized target for building proto files ([containerd/nri#211](https://redirect.github.com/containerd/nri/pull/211)) - [`13fcc07`](https://redirect.github.com/containerd/nri/commit/13fcc0773d23520ff44d54549122ec78c8f1e473) Add dockerized target for building proto files </p> </details> ##### Changes from containerd/zfs <details><summary>11 commits</summary> <p> - go.mod: update to stable containerd v2.0 ([containerd/zfs#89](https://redirect.github.com/containerd/zfs/pull/89)) - [`f11f891`](https://redirect.github.com/containerd/zfs/commit/f11f891ff42b3f8cd6f15d0fb18b2644a002bb85) go.mod: update to stable containerd v2.0 - ci: update actions, test against go1.23, fix linting, and update golangci-lint ([containerd/zfs#88](https://redirect.github.com/containerd/zfs/pull/88)) - [`662ad3c`](https://redirect.github.com/containerd/zfs/commit/662ad3cefa596775e20a44a1c6b1037b0a0d539d) gha: update golangci/golangci-lint-action@v9, golangci-lint v2.7 - [`b0b2584`](https://redirect.github.com/containerd/zfs/commit/b0b25847ac875af99d62e9d4f83b2875a2f39df9) remove nolint comments - [`7c4274b`](https://redirect.github.com/containerd/zfs/commit/7c4274bfa0a0df14d66fabb51269bfdfbf4e0b06) fix error capitalization - [`24ce1b9`](https://redirect.github.com/containerd/zfs/commit/24ce1b93f0579fe5ecaec4bd55290ff7e2f456db) fix inconsistent receiver name - [`c8545c3`](https://redirect.github.com/containerd/zfs/commit/c8545c33c3c9f4d881c45a22688be49f4ff1502a) gha: update actions/checkout@v6 - [`d23ec04`](https://redirect.github.com/containerd/zfs/commit/d23ec046338e9a5761083cef373be2bab1551995) gha: update actions/setup-go@v6 - [`bb45f6e`](https://redirect.github.com/containerd/zfs/commit/bb45f6e4d3965616dcaae6eaab9342af0e4c1cad) gha: update containerd/project-checks@v1.2.2 - [`65bc451`](https://redirect.github.com/containerd/zfs/commit/65bc451f6abab9d7133abd7c227be227ad6b1f0d) gha: test against go1.23 </p> </details> ##### Dependency Changes - **github.com/containerd/cgroups/v3** v3.1.0 -> v3.1.2 - **github.com/containerd/nri** v0.10.0 -> v0.11.0 - **github.com/containerd/zfs/v2** v2.0.0-rc.0 -> v2.0.0 - **github.com/containernetworking/plugins** v1.8.0 -> v1.9.0 - **github.com/cyphar/filepath-securejoin** v0.5.1 ***new*** - **github.com/opencontainers/runtime-spec** v1.2.1 -> v1.3.0 - **github.com/opencontainers/runtime-tools** [`0ea5ed0`](https://redirect.github.com/containerd/containerd/commit/0ea5ed0382a2) -> [`edf4cb3`](https://redirect.github.com/containerd/containerd/commit/edf4cb3d2116) - **github.com/opencontainers/selinux** v1.12.0 -> v1.13.1 - **github.com/tetratelabs/wazero** v1.9.0 -> v1.10.1 - **golang.org/x/crypto** v0.41.0 -> v0.45.0 - **golang.org/x/net** v0.43.0 -> v0.47.0 - **golang.org/x/sync** v0.17.0 -> v0.18.0 - **golang.org/x/sys** v0.37.0 -> v0.38.0 - **golang.org/x/term** v0.34.0 -> v0.37.0 - **golang.org/x/text** v0.28.0 -> v0.31.0 - **tags.cncf.io/container-device-interface** v1.0.1 -> v1.1.0 - **tags.cncf.io/container-device-interface/specs-go** v1.0.0 -> v1.1.0 Previous release can be found at [v2.2.0](https://redirect.github.com/containerd/containerd/releases/tag/v2.2.0) ##### Which file should I download? - `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`: ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04). - `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`: Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent. In addition to containerd, typically you will have to install [runc](https://redirect.github.com/opencontainers/runc/releases) and [CNI plugins](https://redirect.github.com/containernetworking/plugins/releases) from their official sites too. See also the [Getting Started](https://redirect.github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation. ### [`v2.2.0`](https://redirect.github.com/containerd/containerd/releases/tag/v2.2.0): containerd 2.2.0 [Compare Source](https://redirect.github.com/containerd/containerd/compare/v2.1.7...v2.2.0) Welcome to the v2.2.0 release of containerd! The second minor release of containerd 2.x focuses on continued stability alongside new features and improvements. This is the second time-based released for containerd. ##### Highlights - **Add mount manager** ([#​12063](https://redirect.github.com/containerd/containerd/pull/12063)) The mount manager is a new service that provides lifecycle management for filesystem mounts to support more advanced use cases, such as: - **Device formatting** to create formatted filesystems (xfs, ext4) on-demand - **Mount activation** to prepare devices such as loopbacks or network fileystems - **Mount transformation** to allow mount arguments to be filled in dynamically from previous mounts - **Garbage collection** of mounts to ensure temporary mounts are never leaked - **Add conf.d include in the default config** ([#​12323](https://redirect.github.com/containerd/containerd/pull/12323)) - **Add support for back references in the garbage collector** ([#​12025](https://redirect.github.com/containerd/containerd/pull/12025)) ##### Container Runtime Interface (CRI) - **Pod Sandbox Metrics** ([#​10691](https://redirect.github.com/containerd/containerd/pull/10691)) Full implementation of Kubernetes CRI pod-level metrics API - **ListPodSandboxMetrics**: Query metrics for running pods/sandboxes - **ListMetricsDescriptors**: Discover available metrics and their descriptions - **Support image volume mount subpath** ([#​11578](https://redirect.github.com/containerd/containerd/pull/11578)) ##### Go client - **Update pkg/oci to use fs.FS interface and os.OpenRoot** ([#​12245](https://redirect.github.com/containerd/containerd/pull/12245)) ##### Image Distribution - **Parallel Unpack** ([#​12332](https://redirect.github.com/containerd/containerd/pull/12332)) Adds support for unpacking layers in parallel during pull operations. This feature is supported with overlayfs and EROFS snapshotters. - **OCI Referrers Support** ([#​12309](https://redirect.github.com/containerd/containerd/pull/12309)) Adds new referrers fetcher to remote registry interface using the [new referrers endpoint added in OCI distribution-spec 1.1](https://redirect.github.com/opencontainers/distribution-spec/blob/v1.1.0/spec.md#listing-referrers) - **Tar unpack progress through transfer service** ([#​11921](https://redirect.github.com/containerd/containerd/pull/11921)) ##### Image Storage - **EROFS enhancements using mount manager** ([#​12333](https://redirect.github.com/containerd/containerd/pull/12333)) Improvements to EROFS snapshotter using the new mount manager service - **Quota Support**: Support for sized block devices as the upper layer for overlayfs - **Mount Lifecycle**: Loopback setup, block device creation, and overlayfs argument formatting is moved to the mount manager to be performed on-demand or within the runtime. - **Mount handler**: To allow optimization of EROFS mount types based on the current system - **macOS Support**: EROFS snapshotter can now be used on Darwin to natively allow image pulls - **Tar index mode**: Efficiently generate EROFS metadata backed by original tar content ([#​11919](https://redirect.github.com/containerd/containerd/pull/11919)) - **Add snapshotter and differ for block CIMs** ([#​12050](https://redirect.github.com/containerd/containerd/pull/12050)) ##### Node Resource Interface (NRI) - **Enable otel traces in NRI** ([#​12082](https://redirect.github.com/containerd/containerd/pull/12082)) - **Add WASM plugin support** ([containerd/nri#121](https://redirect.github.com/containerd/nri/pull/121)) ##### Runtime - **Improve shim load time after restart by loading in parallel** ([#​12142](https://redirect.github.com/containerd/containerd/pull/12142)) - **Fix pidfd leak in UnshareAfterEnterUserns** ([#​12167](https://redirect.github.com/containerd/containerd/pull/12167)) ##### Deprecations - **Deprecate cgroup v1** ([#​12445](https://redirect.github.com/containerd/containerd/pull/12445)) - **Postpone v2.2 deprecation items to v2.3** ([#​12417](https://redirect.github.com/containerd/containerd/pull/12417)) Please try out the release binaries and report any issues at https://github.com/containerd/containerd/issues. ##### Contributors - Derek McGowan - Phil Estes - Akihiro Suda - Maksym Pavlenko - Wei Fu - Krisztian Litkey - Mike Brown - Akhil Mohan - Markus Lehtonen - Samuel Karp - Sebastiaan van Stijn - ningmingxiao - Austin Vazquez - yashsingh74 - Gao Xiang - Kirtana Ashok - Jin Dong - Chris Henzie - Aadhar Agarwal - Etienne Champetier - Henry Wang - Rodrigo Campos - Sascha Grunert - Aleksa Sarai - Eric Mountain - Keith Mattix II - Paweł Gronowski - Tõnis Tiigi - Adrien Delorme - Apurv Barve - Enji Cooper - Kohei Tokunaga - Max Jonas Werner - Rehan Khan - Yang Yang - jinda.ljd - jokemanfire - Amit Barve - Andrew Halaney - Antonio Ojea - Brian Goff - Carlos Eduardo Arango Gutierrez - Chenyang Yan - Dawei Wei - Divya Rani - Evan Anderson - Fabiano Fidêncio - Iceber Gu - Jared Ledvina - Jonathan Perkin - Jose Fernandez - Karl Baumgartner - Michael Weibel - Osama Abdelkader - Radostin Stoyanov - Ruidong Cao - Sameer - Sergey Kanzhelev - Swagat Bora - Sylvain MOUQUET - Tom Wieczorek - Tycho Andersen - Wuyue (Tony) Sun - suranmiao - tanhuaan - wheat2018 - zounengren ##### Dependency Changes - **dario.cat/mergo** v1.0.1 -> v1.0.2 - **github.com/Microsoft/hcsshim** v0.13.0-rc.3 -> v0.14.0-rc.1 - **github.com/StackExchange/wmi** [`cbe6696`](https://redirect.github.com/containerd/containerd/commit/cbe66965904d) ***new*** - **github.com/checkpoint-restore/checkpointctl** v1.3.0 -> v1.4.0 - **github.com/containerd/cgroups/v3** v3.0.5 -> v3.1.0 - **github.com/containerd/console** v1.0.4 -> v1.0.5 - **github.com/containerd/containerd/api** v1.9.0 -> v1.10.0 - **github.com/containerd/go-cni** v1.1.12 -> v1.1.13 - **github.com/containerd/nri** v0.8.0 -> v0.10.0 - **github.com/containerd/platforms** v1.0.0-rc.1 -> v1.0.0-rc.2 - **github.com/containernetworking/plugins** v1.7.1 -> v1.8.0 - **github.com/coreos/go-systemd/v22** v22.5.0 -> v22.6.0 - **github.com/cpuguy83/go-md2man/v2** v2.0.5 -> v2.0.7 - **github.com/emicklei/go-restful/v3** v3.11.0 -> v3.13.0 - **github.com/fxamacker/cbor/v2** v2.7.0 -> v2.9.0 - **github.com/go-jose/go-jose/v4** v4.0.5 -> v4.1.2 - **github.com/go-logr/logr** v1.4.2 -> v1.4.3 - **github.com/go-ole/go-ole** v1.2.6 ***new*** - **github.com/golang/groupcache** [`41bb18b`](https://redirect.github.com/containerd/containerd/commit/41bb18bfe9da) -> [`2c02b82`](https://redirect.github.com/containerd/containerd/commit/2c02b8208cf8) - **github.com/google/certtostore** v1.0.6 ***new*** - **github.com/google/deck** [`105ad94`](https://redirect.github.com/containerd/containerd/commit/105ad94aa8ae) ***new*** - **github.com/gorilla/websocket** v1.5.0 -> [`e064f32`](https://redirect.github.com/containerd/containerd/commit/e064f32e3674) - **github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus** v1.0.1 -> v1.1.0 - **github.com/hashicorp/errwrap** v1.1.0 ***new*** - **github.com/intel/goresctrl** v0.8.0 -> v0.10.0 - **github.com/klauspost/compress** v1.18.0 -> v1.18.1 - **github.com/knqyf263/go-plugin** v0.9.0 ***new*** - **github.com/moby/sys/capability** v0.4.0 ***new*** - **github.com/modern-go/reflect2** v1.0.2 -> [`35a7c28`](https://redirect.github.com/containerd/containerd/commit/35a7c28c31ee) - **github.com/opencontainers/runtime-tools** [`2e043c6`](https://redirect.github.com/containerd/containerd/commit/2e043c6bd626) -> [`0ea5ed0`](https://redirect.github.com/containerd/containerd/commit/0ea5ed0382a2) - **github.com/prometheus/client_golang** v1.22.0 -> v1.23.2 - **github.com/prometheus/client_model** v0.6.1 -> v0.6.2 - **github.com/prometheus/common** v0.62.0 -> v0.66.1 - ** </details> --- ### Configuration 📅 **Schedule**: Branch creation - "* 1 * * 1-5" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4xMDcuMCIsInVwZGF0ZWRJblZlciI6IjM5LjEwNy4wIiwidGFyZ2V0QnJhbmNoIjoiOS40IiwibGFiZWxzIjpbIlRlYW06U2VjdXJpdHktQ2xvdWQgU2VydmljZXMiLCJiYWNrcG9ydC1za2lwIiwiZGVwZW5kZW5jaWVzIiwicmVub3ZhdGUiXX0=--> Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR adds NRI support for injecting 'linux net devices' a.k.a host side network interfaces into containers, building upon all the work @aojea did to make this possible.
Notes:
To test this in practice, one needs
runcorcrunwith support forLinuxNetDevices in the OCI Spec,