[pull] main from containerd:main#56

Open
pull[bot] wants to merge 5564 commits into fahedouch:main from containerd:main

pull bot commented Aug 2, 2022

See Commits and Changes for more details.


Created by pull[bot]

Can you help keep this open source service alive? 💖 Please sponsor : )

mxpv and others added 30 commits February 17, 2026 22:22
contrib/apparmor: remove non-matching rules for /proc/mem, /proc/kmem
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
ci: add build/test go1.26.0, drop go1.24
Remove Container field from sandbox metadata
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
It's more common for directory-paths to not have a trailing slash; strip
it so that we don't have some double slashes.

Before:

    make protos
    ...
    + protos
    (cd api && buf dep update)
    (cd api && PATH="/go/src/github.com/containerd/containerd//bin:$PATH" buf generate)

After:

    make protos
    ...
    + protos
    (cd api && buf dep update)
    (cd api && PATH="/go/src/github.com/containerd/containerd/bin:$PATH" buf generate)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The `go list` command is vendor-aware, and doesn't include the vendor dir;

    go list ./... | grep 'vendor'
    # (no output)

For the API module, there's no need to grep for `integration` as it does
not have that sub-directory.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Fix some mixed tabs/spaces and indentation level.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
go1.20 and up has a `-C` flag to change to a directory before running commands
(see https://go.dev/cl/421436). Documentation is a bit hard to find, and doesn't
mention `go mod` subcommands, but can be found in the `go build` help;

    go help build
    ...
    The build flags are shared by the build, clean, get, install, list, run,
    and test commands:

        -C dir
            Change to dir before running the command.
            Any files named on the command line are interpreted after
            changing directories.
            If used, this flag must be the first one in the command line.

Update the Makefile to use this option where applicable, so that we can
skip some `cd` and sub-shells.

Also switch some assignments to use `:=` to evaluate them once.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
cmd/protoc-gen-go-fieldpath: add support for optional fields
…rifier

Don't bail out if no image verifiers available
assert the exact error message while loading a higher version drop-in
config than the root config

Signed-off-by: Akhil Mohan <akhilerm@gmail.com>
add check on version of drop in configs
This adds GPU vendor auto-detection from CDI specs instead of hardcoding nvidia.com.
This allows the --gpus flag to work with both NVIDIA and AMD GPUs by detecting the vendor from available CDI spec files.

Signed-off-by: Shiv Tyagi <Shiv.Tyagi@amd.com>
Signed-off-by: Shiv Tyagi <Shiv.Tyagi@amd.com>
Signed-off-by: Shiv Tyagi <Shiv.Tyagi@amd.com>
Perform the plugin migrations on load to allow stepping through plugin
migration versions to happen alongside migration of the global
configuration object. When the configuration migrations happen
separately, the version in the config can get increased on load and cause
plugin migration not to occur. This does not cause issues today because
global config migrations only occur for version 0 and 1, which was
before plugin config migration was introduced. Any new version which
does migrations either cannot get called on load or will break plugin
migration later.

This change simplifies configuration load and migration, preventing the
need to migrate the configurations on load and again later when plugins
are loaded. This also allows includes to work at different versions,
which may currently break or cause inconsistent results.

Signed-off-by: Derek McGowan <derek@mcg.dev>
cmd: fix inconsistencies in command-line flags, and add missing `--version` flags
Detect vendor in cdi specs to generate deviceIDs for --gpus
In some spots we can get away with only reading a subset of the cgroup
stats we are today. It would be reaaally nice for container stats in
the cri plugin, but they're requested via the task API and we have no
way to signify we only want a subset through this surface yet. We can
still get some benefit in the stats collector and the existing sandbox
stats where we only need mem and cpu.

Signed-off-by: Danny Canter <danny@dcantah.dev>
Signed-off-by: Michael Zappa <michael.zappa@gmail.com>
Signed-off-by: Michael Zappa <michael.zappa@gmail.com>
Signed-off-by: Michael Zappa <michael.zappa@gmail.com>
Fix CNI issue where CNI DEL is never executed
Signed-off-by: Michael Zappa <michael.zappa@gmail.com>
samuelkarp and others added 30 commits March 24, 2026 22:04
Preserve cgroup mount options for privileged containers
Provides test coverage for existing UpdatePodSandboxResources behavior.

Assisted-by: Antigravity
Signed-off-by: Chris Henzie <chrishenzie@gmail.com>
Integrates CRI container resource updates with core Sandbox API plugin.
Delegates payload to out-of-tree controllers via UpdateSandbox API.
Gracefully tolerates ErrNotImplemented to preserve backwards
compatibility for legacy sandboxers.

Assisted-by: Antigravity
Signed-off-by: Chris Henzie <chrishenzie@gmail.com>
Propagate OpenTelemetry traces in outgoing RPCs from plugin clients
Wire UpdatePodSandboxResources to Sandbox API
…tainerd

core/mount: Reject X-containerd.* options before kernel mount
The `push` function below assumes that digest and mediatypes are
populated and set. If they aren't, then the requests made are malformed,
attempting to invoke `HEAD /blobs/` (instead of `HEAD /blobs/<digest>`).
Additionally, if we *were* to move past this point, we'd then populate
an empty digest in the query parameter, and even provide invalid HTTP
mediatypes.

However, the `WithDescriptor` `WriterOpt` specifically notes that "Write
does not require any field of desc to be set". It's very easy for the
caller to read this as an optional field, to skip it, and then get
confusing HTTP errors from inside the `push` function.

We can avoid this by explicitly validating that the descriptor is valid
and provide early feedback.

Signed-off-by: Justin Chadwell <me@jedevc.com>
chore: Add explicit digest requirement to docker pusher
fix: avoid content storage pollution by limiting the fallback on ref resolution
Tweak mount info for overlayfs in case of parallel unpack
allow to pass multiple extra arguments to critest
Scary warnings were printed for any mediaType that wasn't mapped;

    INFO[2026-03-10T11:39:45.677430346Z] Docker daemon                                 commit=83bca51 containerd-snapshotter=true storage-driver=overlayfs version=29.3.0
    ...
    INFO[2026-03-10T11:39:45.689383471Z] API listen on /var/run/docker.sock
    WARN[2026-03-10T11:40:32.382484965Z] reference for unknown type: application/vnd.oci.empty.v1+json  digest="sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a" mediatype=application/vnd.oci.empty.v1+json size=2
    WARN[2026-03-10T11:40:32.445406215Z] reference for unknown type: application/vnd.oci.empty.v1+json
    WARN[2026-03-10T11:40:32.695256132Z] reference for unknown type: application/vnd.dev.sigstore.bundle.v0.3+json  digest="sha256:7e8cf55036d9be9d6a0d720a2e78468401cc0e01946dbbcb1cd7622ae854a0a3" mediatype=application/vnd.dev.sigstore.bundle.v0.3+json size=10491
    WARN[2026-03-10T11:40:32.695314215Z] reference for unknown type: application/vnd.oci.empty.v1+json  digest="sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a" mediatype=application/vnd.oci.empty.v1+json size=2
    WARN[2026-03-10T11:40:32.745608673Z] reference for unknown type: application/vnd.dev.sigstore.bundle.v0.3+json
    WARN[2026-03-10T11:40:32.745629632Z] reference for unknown type: application/vnd.oci.empty.v1+json
    WARN[2026-03-10T11:40:32.845403049Z] reference for unknown type: application/vnd.dev.sigstore.bundle.v0.3+json
    WARN[2026-03-10T11:40:32.945182007Z] reference for unknown type: application/vnd.dev.sigstore.bundle.v0.3+json
    INFO[2026-03-10T11:40:34.714635924Z] image pulled                                  digest="sha256:37539dd4d60fc70968d164d3850d903a2c56f6402214a1953fbf9fcb81ada731" remote="docker.io/moby/buildkit:latest

These cases are not actionable by the user, and not critical, so let's change
them to a debug-message, but add more context. Also update the GoDoc for this
function to better cover its functionality.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Mirror cAdvisor's instantaneous CPU rate behavior for CRI stats.

Compute UsageNanoCores from the latest two samples only, and leave the field unset when there is not yet enough data to calculate an instantaneous rate. This avoids publishing an authoritative zero before a valid rate exists while keeping containerd aligned with cAdvisor semantics.

Signed-off-by: Davanum Srinivas <davanum@gmail.com>
Signed-off-by: HirazawaUi <695097494plus@gmail.com>
Signed-off-by: HirazawaUi <695097494plus@gmail.com>
Signed-off-by: HirazawaUi <695097494plus@gmail.com>
feat: Allow containers to use both host network and user namespace
fix: hide `go-cmp` library from the non-test code path
cri: mirror cadvisor UsageNanoCores semantics
Bumps [azure/CLI](https://github.com/azure/cli) from 2.2.0 to 3.0.0.
- [Release notes](https://github.com/azure/cli/releases)
- [Changelog](https://github.com/Azure/cli/blob/master/ReleaseProcess.md)
- [Commits](Azure/cli@9f7ce6f...9eb25b8)

---
updated-dependencies:
- dependency-name: azure/CLI
  dependency-version: 3.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
…ctions/cache-5.0.4

build(deps): bump actions/cache from 5.0.3 to 5.0.4
Updates crun version used by integration tests to 1.27 and enables the
test for cgroup mount options in
TestPrivilegedContainerCgroupMountOptions.

Assisted-by: Antigravity
Signed-off-by: Chris Henzie <chrishenzie@gmail.com>
…zure/login-3.0.0

build(deps): bump azure/login from 2.3.0 to 3.0.0
This change updates the Go version from 1.25.8 to 1.26.0 across the
repository, including CI configurations, build scripts, and development
environments.

It also fixes two linter issues discovered after upgrading the Go version:
- core/snapshots/storage/bolt.go: incorrect printf format for uint64
- plugins/transfer/plugin.go: incorrect printf format for int and unused variable

The golangci-lint version in script/setup/install-dev-tools is also updated to v2.9.0
to match CI.

Signed-off-by: Sergey Kanzhelev <S.Kanzhelev@live.com>
…zure/CLI-3.0.0

build(deps): bump azure/CLI from 2.2.0 to 3.0.0
tracing: add option to inject trace ID into logrus fields
core/remotes: MakeRefKey: update godoc and change Warn to Debug logs
Update crun version to 1.27 and enable in mount options test