forked from containerd/containerd
[pull] main from containerd:main #55
Open: pull wants to merge 1,847 commits into meonBot:main from containerd:main
+354,444
−252,373
Signed-off-by: zouyee <[email protected]>
Move features section to a separate file
Signed-off-by: Sameer <[email protected]>
Add timestamp to PodSandboxStatusResponse for kubernetes Evented PLEG
However, when an image has multiple tags, the image originally obtained may not be the one actually specified by the user. Starting from cri-api v0.28.0, a UserSpecifiedImage field is added to ImageSpec. It is more appropriate to use UserSpecifiedImage. Signed-off-by: jinda.ljd <[email protected]>
[cri] use 'UserSpecifiedImage' to set the image-name annotation
Signed-off-by: Derek McGowan <[email protected]>
Add check for CNI plugins before tearing down pod network
This adds trace context propagation over the grpc/ttrpc calls to a shim. It also adds the otlp plugin to the runc shim so that it will send traces to the configured tracer (which is inherited from containerd's config). It doesn't look like this is adding any real overhead to the runc shim's memory usage, however it does add 2MB to the binary size. As such this is gated by a build tag `shim_tracing` Signed-off-by: Brian Goff <[email protected]>
Propagate trace contexts to shims
Bumps [github.com/intel/goresctrl](https://github.com/intel/goresctrl) from 0.7.0 to 0.8.0. - [Release notes](https://github.com/intel/goresctrl/releases) - [Commits](intel/goresctrl@v0.7.0...v0.8.0) --- updated-dependencies: - dependency-name: github.com/intel/goresctrl dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Kirtana Ashok <[email protected]>
Prepare release notes for v2.0.0-rc.5
pkg/oci is a general utility package with dependency chains that are unnecessary for the shim. The shim only actually used it for a convenience function for reading an oci spec file. Instead of pulling in those deps just re-implement that internally in the shim command. Signed-off-by: Brian Goff <[email protected]>
Core should not have a dependency on API types. This was causing a transitive dependency on grpc when importing the core snapshots package. Signed-off-by: Brian Goff <[email protected]>
This is needed so we can build the runc shim without grpc as a transitive dependency. With this change the runc shim binary went from 14MB to 11MB. The RSS from an idle shim went from about 17MB to 14MB (back around where it was in 1.7). Signed-off-by: Brian Goff <[email protected]>
Update hcsshim to v0.12.7
…b.com/intel/goresctrl-0.8.0 build(deps): bump github.com/intel/goresctrl from 0.7.0 to 0.8.0
Signed-off-by: lengrongfu <[email protected]> Signed-off-by: rongfu.leng <[email protected]>
Clean up some dependency trees for runc shim
Go takes multiple `--tags` as overwriting the previously set ones, which is not what we want. Signed-off-by: Brian Goff <[email protected]>
This PR adds the trap statement in the install runc script to clean up the temporary files and ensure we are not leaving them. Signed-off-by: Gabriela Cervantes <[email protected]>
When an upstream client (e.g. kubelet) stops or restarts, the CRI connection to the containerd gets interrupted which is treated as a cancellation of context which subsequently cancels an ongoing operation, including an image pull. This generally gets followed by containerd's GC routine that tries to delete the prepared snapshots for the image layer(s) corresponding to the image in the pull operation that got cancelled. However, if the upstream client immediately retries (or starts a new) image pull operation, containerd initiates a new image pull and starts unpacking the image layers into snapshots. This may create a race condition: the GC routine (corresponding to the failed image pull operation) trying to clean up the same snapshot that the new image pull operation is preparing, thus leading to the "parent snapshot does not exist: not found" error.

Race Condition Scenario: Assume an image consisting of 2 layers (L1 and L2, L1 being the bottom layer) that are supposed to get unpacked into snapshots S1 and S2 respectively. During an image pull operation, containerd unpacks(L1) which involves Stat()'ing the chainID. This Stat() fails as the chainID does not exist and Prepare(L1) gets called. Once S1 gets prepared, containerd processes L2 - unpack(L2) which again involves Stat()'ing the chainID which fails as the chainID for S2 does not exist which results in the call to Prepare(L2). However, if the image pull operation gets cancelled before Prepare(L2) is called, then the GC routine tries to clean up S1. When the image pull operation is retried by the upstream client, containerd follows the same series of operations. unpack(L1) gets called which then calls Stat(chainID) for L1. However, this time, Stat(L1) succeeds as S1 already exists (from the previous image pull operation) and thus containerd goes to the next iteration to unpack(L2). Now, GC cleans up S1 and when Prepare(L2) gets called, it returns back the "parent snapshot does not exist: not found" error.

Fix: Removing the "Stat() + early return" fixes the race condition. Now during the image pull operation corresponding to the client retry, although the chainID (for L1) already exists, containerd does not return early and goes on to Prepare(L1). Since L1 is already prepared, it adds a new lease to S1 and then returns `ErrAlreadyExists`. This new lease prevents GC from cleaning up S1 when containerd processes L2 (unpack(L2) -> Prepare(L2)).

Fixes: #3787
Signed-off-by: Saket Jajoo <[email protected]>
script/setup/install-runc: Add trap statement to clean up tmp files
Fix the race condition during GC of snapshots when client retries
This makes it so we don't need to import otelttrpc unless the shim is compiled with the `shim_tracing` build tag. This way otel is no longer compiled into the binary at all unless `shim_tracing` is set. Signed-off-by: Brian Goff <[email protected]>
Makes the pprof server a plugin and also gates by the `shim_tracing` build tag (like otel is). With this change, `net/http` is no longer a dependency in the shim. Signed-off-by: Brian Goff <[email protected]>
add use systemd cgroup e2e
More shim imports cleanup
…ctions/attest-build-provenance-1.4.4 build(deps): bump actions/attest-build-provenance from 1.4.3 to 1.4.4
…b.com/containerd/typeurl/v2-2.2.3 build(deps): bump github.com/containerd/typeurl/v2 from 2.2.2 to 2.2.3
…g-x-70d324b242 build(deps): bump the golang-x group with 3 updates
…ithub/codeql-action-3.27.1 build(deps): bump github/codeql-action from 3.27.0 to 3.27.1
…ycheeverse/lychee-action-2.1.0 build(deps): bump lycheeverse/lychee-action from 2.0.2 to 2.1.0
fsverity_linux.go: Fix fsverity.IsEnabled() for big endian systems
* Correctly reference the only schema 1 mediatype containerd supports.
* Document that `--local` is required for `ctr` when pulling schema 1 images
* Document CRI users more clearly

Fixes #10998
Signed-off-by: Samuel Karp <[email protected]>
docs: update schema 1 deprecation information
This reverts commit ae73e30. Signed-off-by: Akhil Mohan <[email protected]>
Revert "Disable vagrant strict dependency checking"
Fix runtimeoptions location in v2 migration script
Other similar events were already moved to the metadata store. The metadata store has more information that can be used for a future content created event. Signed-off-by: Derek McGowan <[email protected]>
Signed-off-by: Marat Radchenko <[email protected]>
* defaults_unix.go contains settings common to all Unixes
* defaults_linux.go contains Linux-specific settings
* defaults_unix_nolinux.go contains non-Linux Unix settings

User-visible change of this commit is that now FreeBSD uses proper paths: /var/run instead of Linux-specific /run
Signed-off-by: Marat Radchenko <[email protected]>
Add repo env similar to other install script Signed-off-by: Jing Xu <[email protected]>
Signed-off-by: Austin Vazquez <[email protected]>
update runc binary to 1.2.2
Update install-imgcrypt to allow change install repo
[containerd-stress] Use platform-specific default address
Bumps google.golang.org/protobuf from 1.35.1 to 1.35.2. --- updated-dependencies: - dependency-name: google.golang.org/protobuf dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [github.com/containerd/continuity](https://github.com/containerd/continuity) from 0.4.4 to 0.4.5. - [Release notes](https://github.com/containerd/continuity/releases) - [Commits](containerd/continuity@v0.4.4...v0.4.5) --- updated-dependencies: - dependency-name: github.com/containerd/continuity dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.27.1 to 3.27.4. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@4f3212b...ea9e4e3) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
The containerd-shim creates pipes and passes them to the init container as stdin, stdout, and stderr for logging purposes. By default, these pipes are owned by the root user (UID/GID: 0/0). The init container can access them directly through inheritance. However, if the init container attempts to open any files pointing to these pipes (e.g., /proc/1/fd/2, /dev/stderr), it will encounter a permission issue since it is not the owner. To avoid this, we need to align the ownership of the pipes with the init process. Fixes: #10598 Signed-off-by: Wei Fu <[email protected]>
…ithub/codeql-action-3.27.4 build(deps): bump github/codeql-action from 3.27.1 to 3.27.4
Move content events to metadata
…b.com/containerd/continuity-0.4.5 build(deps): bump github.com/containerd/continuity from 0.4.4 to 0.4.5
[defaults] Reorganize per-platform defaults
…e.golang.org/protobuf-1.35.2 build(deps): bump google.golang.org/protobuf from 1.35.1 to 1.35.2
fix: set the credentials even if not provided
*: should align pipe's owner with init process
See Commits and Changes for more details.
Created by pull[bot]