[pull] main from containerd:main#56
Open
pull[bot] wants to merge 5843 commits into
Open
Conversation
The test image ghcr.io/containerd/volume-copy-up:2.1 does not include a manifest for s390x, causing the test to fail with: "no manifest found for platform: not found". Signed-off-by: Ricardo Branco <rbranco@suse.de>
Skip TestExportAndImportMultiLayer on s390x
Signed-off-by: ningmingxiao <ning.mingxiao@zte.com.cn>
Use latest k8s 1.36
klog has a long-standing bug where setting -logtostderr=true causes the -stderrthreshold flag to be silently ignored. All log messages are sent to stderr regardless of their severity. klog v2.140.0 introduced two new flags that allow callers to opt into the correct behavior: -legacy_stderr_threshold_behavior=false -stderrthreshold=INFO Set them in the CRI plugin's setGLogLevel() function, right after klog.InitFlags() and before any other flag configuration. Reference: kubernetes/klog#212 Signed-off-by: Pierluigi Lenoci <pierluigi.lenoci@gmail.com>
…upport Signed-off-by: Sergey Kanzhelev <S.Kanzhelev@live.com>
pause image 3.10.1 -> 3.10.2 for add Windows Server 2025 (ltsc2025) s…
Google Kubernetes Engine and Container-Optimized OS will use containerd 2.0 until March 2027. Signed-off-by: Samuel Karp <samuelkarp@google.com>
script/setup: update runc binary to v1.4.2
Honor stderrthreshold when logtostderr is enabled
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
Signed-off-by: Mujib Ahasan <ahasanmujib8@gmail.com>
Move runtime v2 docs to ./docs
content: use descriptor digest algorithm instead of assuming sha256
Allows reading snapshot mounts without performing mounts. This is valuable when the host cannot perform the mounts due to platform or permissions. Signed-off-by: Derek McGowan <derek@mcg.dev>
Signed-off-by: Derek McGowan <derek@mcg.dev>
Signed-off-by: Derek McGowan <derek@mcg.dev>
Remove `runtime.GOOS == "darwin"` checks from WithUser, WithAdditionalGIDs, and WithAppendAdditionalGroups. These guards prevented supplementary group resolution when containerd runs on a non-Linux host (e.g. macOS or Windows) that creates Linux containers. The `s.Windows != nil` check for LCOW is retained. Move user/group tests from spec_opts_linux_test.go to the new cross-platform spec_opts_user_test.go so they run on all platforms. Signed-off-by: Rob Murray <rob.murray@docker.com>
Signed-off-by: Derek McGowan <derek@mcg.dev>
Signed-off-by: Derek McGowan <derek@mcg.dev>
Move erofs implementation to plugin and register with fsview. Signed-off-by: Derek McGowan <derek@mcg.dev>
Signed-off-by: Derek McGowan <derek@mcg.dev>
Expose log URI schemes in runtime v2 metadata Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
When cancel() sends SIGTERM to a short-lived logging binary that is already mid-exit, cmd.Wait() may return 'signal: terminated'. This is expected behavior since we sent the SIGTERM ourselves, so treat it as a normal exit. Fixes flaky TestNewBinaryIOBinaryV2Ready. Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
Fix binary logging driver not blocking container start on failure
Ensure volume-copy-up and volume-ownership publish linux/s390x variants so integration tests can use these images on s390x without architecture-specific skips. Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
Signed-off-by: Sergey Kanzhelev <S.Kanzhelev@live.com>
…mages integration/images: add s390x builds for volume test images
replace one more k8s.io/apimachinery/ reference
Add support for transfering data to and from a container filesystem. Signed-off-by: Derek McGowan <derek@mcg.dev>
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.80.0 to 1.81.0. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.80.0...v1.81.0) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-version: 1.81.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github.com/klauspost/compress](https://github.com/klauspost/compress) from 1.18.5 to 1.18.6. - [Release notes](https://github.com/klauspost/compress/releases) - [Commits](klauspost/compress@v1.18.5...v1.18.6) --- updated-dependencies: - dependency-name: github.com/klauspost/compress dependency-version: 1.18.6 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github.com/pelletier/go-toml/v2](https://github.com/pelletier/go-toml) from 2.3.0 to 2.3.1. - [Release notes](https://github.com/pelletier/go-toml/releases) - [Commits](pelletier/go-toml@v2.3.0...v2.3.1) --- updated-dependencies: - dependency-name: github.com/pelletier/go-toml/v2 dependency-version: 2.3.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Rob Murray <rob.murray@docker.com> Signed-off-by: Austin Vazquez <austin.vazquez@docker.com>
This release include 11 security fixes:
- cmd/go: malicious module proxy can bypass checksum database
A malicious module proxy could exploit a flaw in the go command's
validation of module checksums to bypass checksum database validation.
This vulnerability affects any user using an untrusted module proxy
(GOMODPROXY) or checksum database (GOSUMDB).
A malicious module proxy can serve altered versions of the Go toolchain.
When selecting a different version of the Go toolchain than the
currently installed toolchain (due to the GOTOOLCHAIN environment variable,
or a go.work or go.mod with a toolchain line), the go command will download
and execute a toolchain provided by the module proxy. A malicious module
proxy can bypass checksum database validation for this downloaded
toolchain.
Since this vulnerability affects the security of toolchain downloads,
setting GOTOOLCHAIN to a fixed version is not sufficient. You must upgrade
your base Go toolchain.
The go tool always validates the hash of a toolchain before executing it,
so fixed versions will refuse to execute any cached, altered versions of the
toolchain.
The go tool trusts go.sum files to contain accurate hashes of the current
module's dependencies. A malicious proxy exploiting this vulnerability to
serve an altered module will have caused an incorrect hash to be recorded
in the go.sum. Users who have configured a non-trusted GOPROXY can determine
if they have been affected by running "rm go.sum ; go mod tidy ; go mod verify",
which will revalidate all dependencies of the current module.
The specific flaw in more detail:
The go command consults the checksum database to validate downloaded modules,
when a module is not listed in the go.sum file. It verifies that the module hash
reported by the checksum database matches the hash of the downloaded module.
If, however, the checksum database returns a successful response that contains
no entry for the module, the go command incorrectly permitted validation to succeed.
A module proxy may mirror or proxy the checksum database, in which case the go
command will not connect to the checksum database directly. Checksums reported
by the checksum database are cryptographically signed, so a malicious proxy
cannot alter the reported checksum for a module. However, a proxy which returns
an empty checksum response, or a checksum response for an unrelated module,
could cause the go command to proceed as if a downloaded module has been validated.
The go command now properly checks checksum database responses to ensure
that the expected module signature is present, not just that if a signature is
present it matches the expectation.
Thanks to Mundur (https://github.com/M0nd0R) for reporting this issue.
This is CVE-2026-42501 and Go issue https://go.dev/issue/79070.
- net/http/httputil: ReverseProxy forwards queries with more than urlmaxqueryparams parameters
When used with a Rewrite function, or a Director function which parses query parameters,
ReverseProxy sanitizes the forwarded request to remove query parameters which are not
parsed by url.ParseQuery. ReverseProxy did not take ParseQuery's limit on the total number
of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account.
This could permit ReverseProxy to forward a request containing a query parameter
that was not visible to the Rewrite function.
For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" could forward the parameter
"hidden=y" while hiding it from the proxy's Rewrite function.
ReverseProxy now avoids forwarding parameters that exceed the ParseQuery limit.
This is CVE-2026-39825 and Go issue https://go.dev/issue/78948.
- net: panic in Dial and LookupPort when handling NUL byte on Windows
The Dial and LookupPort functions would panic on Windows when provided
with an input containing a NUL (0). These functions now return an error
rather than panicking.
This is CVE-2026-39836 and Go issue https://go.dev/issue/79006.
- net/mail: quadratic string concatenation in consumePhrase
Pathological inputs could cause DoS through consumePhrase
when parsing an email address according to RFC 5322.
This is CVE-2026-42499 and Go issue https://go.dev/issue/78987.
- net/mail: quadratic string concatentation in consumeComment
Well-crafted inputs reaching ParseAddress, ParseAddressList,
and ParseDate were able to trigger excessive CPU exhaustion
and memory allocations.
This is CVE-2026-39820 and Go issue https://go.dev/issue/78566.
- cmd/go: "go bug" follows symlinks in predictable temporary filenames
The "go bug" command wrote to two files with predictable names in
the system temporary directory (for example, "/tmp").
An attacker with access to the temporary directory could create a
symlink in one of these names, causing "go bug" to overwrite the
target of the symlink.
The "go bug" command now uses os.MkdirTemp to create a safe
working directory.
Thanks to Harshit Gupta (Mr HAX) for reporting this issue.
This is CVE-2026-39819 and Go issue https://go.dev/issue/78584.
- cmd/go: "go tool pack" does not sanitize output paths
The "go tool pack" subcommand is a minimal version of the Unix ar utility.
It is used by the compiler as an internal tool with known-good inputs.
The "pack" subcommand did not sanitize output filenames.
When invoked to extract a malicious archive file, it could write
files to arbitrary locations on the filesystem.
The "pack" subcommand now refuses to extract files with names
containing any directory components.
Thanks to Harshit Gupta (Mr HAX) for reporting this issue.
This is CVE-2026-39817 and Go issue https://go.dev/issue/78778.
- net/http: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE
When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of
writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a
value of 0.
This allows potential DoS against a client by a malicious server. HTTP/2
transport now properly checks that the received SETTINGS_MAX_FRAME_SIZE is
valid.
Thanks to Marwan Atia (marwansamir688@gmail.com) for reporting this issue.
This is CVE-2026-33814 and Go issue https://go.dev/issue/78476.
- html/template: escaper bypass leads to XSS
If a trusted template author were to write a
tag containing an empty type attribute or a type
attribute with an ASCII whitespace, the execution of
the template would incorrectly escape any data passed
into the block.
Thanks to Mundur (https://github.com/M0nd0R) for reporting this issue.
This is CVE-2026-39826 and Go issue https://go.dev/issue/78981.
- net: crash when handling long CNAME response
When using LookupCNAME with the cgo DNS resolver,
a very long CNAME response could trigger a double-free of C memory
and a crash. The double-free has been fixed.
Thanks to hamayanhamayan for reporting this issue.
This is CVE-2026-33811 and Go issue https://go.dev/issue/78803.
- html/template: bypass of meta content URL escaping causes XSS
CVE-2026-27142 fixed a vulnerability in which URLs were not
correctly escaped inside of a tag's attribute.
If the URL content were to insert ASCII whitespaces around the
= rune inside of the attribute, the escaper would
fail to similarly escape it, leading to XSS.
Dynamic inputs to a tag's attribute are now
whitespace sanitized prior to escaping.
Thanks to Samy Ghannad for reporting this issue.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
The grpc, grpc-tcp, and ttrpc server plugins enumerated their services through ic.GetByType, which short-circuits on the first plugin whose Instance() returned an error. A single failed gRPC plugin (e.g. CRI under rootless, which cannot watch /etc/cni/net.d) therefore prevented the server plugins from initialising, leaving /run/containerd/containerd.sock uncreated. Iterate the plugin set directly and skip plugins that failed to initialise, restoring the pre-c15ec2485 behaviour where the listener is still created and only the failed services are missing. Fixes: c15ec24 ("Add server plugins for grpc and ttrpc") Fixes: #13362 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Fix optional EROFS differ setup in transfer plugin
…-and-mount-plugins fix: close boltdb on metadata and mount plugin close
…e.golang.org/grpc-1.81.0 build(deps): bump google.golang.org/grpc from 1.80.0 to 1.81.0
AF_ALG (address family 38) exposes the Linux kernel crypto API to userspace via socket(2). Containers have no legitimate need for this interface under the default profile, and leaving it accessible widens the kernel attack surface unnecessarily (see https://copy.fail/). Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
Update Go to 1.26.3
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
fix(erofs): set TMPDIR for mkfs.erofs on Windows
Bumps the golang-x group with 2 updates: [golang.org/x/mod](https://github.com/golang/mod) and [golang.org/x/sys](https://github.com/golang/sys). Updates `golang.org/x/mod` from 0.35.0 to 0.36.0 - [Commits](golang/mod@v0.35.0...v0.36.0) Updates `golang.org/x/sys` from 0.43.0 to 0.44.0 - [Commits](golang/sys@v0.43.0...v0.44.0) --- updated-dependencies: - dependency-name: golang.org/x/mod dependency-version: 0.36.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x - dependency-name: golang.org/x/sys dependency-version: 0.44.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x ... Signed-off-by: dependabot[bot] <support@github.com>
…rver server: tolerate failed gRPC plugins when starting listeners
Fix issue 13388 ``` [...] May 12 16:57:23 kind-control-plane kubelet[257]: failed to extract layer (application/vnd.docker.image.rootfs .diff.tar sha256:6f1cdceb6a3146f0ccb986521156bef8a422cdbb0863396f7f751f575ba308f4) to overlayfs as "extract-920875437 -7QPF sha256:31e64620332e54e3e4fb246d8325ed2c9f1c2cc64a95f0bb23b4b7e82834c95a": failed to mount /var/lib/containerd/t mpmounts/containerd-mount2180142388: mount source: "overlay", target: "/var/lib/containerd/tmpmounts/containerd-mount 2180142388", fstype: overlay, flags: 0, data: "upperdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/sn apshots/279/fs", err: invalid argument [...] ``` This was a regression introduced in PR 13115. Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Commit f9c80be removed varcheck linter, but some nolint:varcheck annotations are still there, resulting in golangci-lint warning: > WARN [runner/nolint_filter] Found unknown linters in //nolint directives: varcheck Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
…b.com/klauspost/compress-1.18.6 build(deps): bump github.com/klauspost/compress from 1.18.5 to 1.18.6
overlay: disable "rebase" capability when running in UserNS
seccomp: Block AF_ALG in default socket policy
pkg: remove unused nolint annotations
…b.com/pelletier/go-toml/v2-2.3.1 build(deps): bump github.com/pelletier/go-toml/v2 from 2.3.0 to 2.3.1
…g-x-46c647a010 build(deps): bump the golang-x group with 2 updates
RELEASES.md: 2.1 EOL (2026-05-05)
Signed-off-by: Mike Brown <brownwm@us.ibm.com> Co-authored-by: Sebastiaan van Stijn <github@gone.nl>
merge_group CI is primarily a final sanity check that queued changes still compose cleanly, not a place to rerun every expensive advisory suite. Skip Windows integration, Vagrant integration, and Kubernetes node e2e for merge_group because those jobs are costly and have recurring flakes, which wastes merge-queue capacity and delays unrelated merges. They still run on pull_request events for advisory coverage, and the existing aggregate required status check name is unchanged. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
…-logging cleanup the systemd debug notification logging
ci: skip advisory jobs in merge queue
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
20 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
See Commits and Changes for more details.
Created by
pull[bot]
Can you help keep this open source service alive? 💖 Please sponsor : )