Signed-off-by: Michael Zappa <michael.zappa@gmail.com>
Remove image service dependency from podsandbox controller
When users configure a snapshotter in the runtime config (e.g., `plugins."io.containerd.cri.v1.runtime".containerd.runtimes.kata.snapshotter`), the CRI image service was not aware of this configuration. This caused images to be pulled with the default snapshotter instead of the runtime-specific one, because the image service's runtimePlatforms map was not populated with these runtime-to-snapshotter mappings. Let's make sure that during the CRI plugin init, we iterate over all the configured runtimes, and propagate any snapshotter configuration to the image service. The issue was found while working on #12835. Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Make linter for release branches happy
Makefile: assorted cleanups
…pecific-snapshotters-to-image-service cri: propagate runtime-specific snapshotters to image service
fix: propagate `context deadline exceeded` error properly
This is a follow-up to PR #12732. As noted by @TheColorman, while the previous PR successfully resolved absolute symlinks pointing outside the mount root for /etc/passwd during user lookups, the same logic was missing for group lookups. This caused `openat etc/group: path escapes from parent` errors when /etc/group was also an absolute symlink (e.g., in NixOS environments). This patch updates GIDFromFS, getSupplementalGroupsFromFS, and WithAppendAdditionalGroups to use the openUserFile helper, ensuring absolute symlinks are correctly re-anchored across all OCI user/group resolution paths. Includes unit test for validation. Fixes #12683 Signed-off-by: Paulo Oliveira <paulo.hco47@gmail.com>
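The commit above routes the group-lookup paths through the same openUserFile helper that the earlier PR introduced for /etc/passwd, so an absolute symlink such as NixOS's `/etc/group -> /nix/store/.../group` is re-anchored under the mount root instead of being followed on the host (which is what produces the `path escapes from parent` error). The page does not show that helper; the block below is an added, stand-alone Go illustration of the re-anchoring idea and is not containerd's code. It builds a NixOS-style layout in a temporary directory (constructed fixture), resolves a symlinked file hop by hop while keeping every hop inside the root, and rejects a relative link that climbs out. The function and fixture names (`resolveInRoot`, `hostFollow`, `buildFixture`) are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// errEscapes mirrors the failure mode named in the commit: a resolved path
// that would land outside the mount root is refused rather than followed.
var errEscapes = errors.New("path escapes from parent")

// within reports whether p is root itself or lies underneath it.
func within(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// resolveInRoot resolves name (relative to root) one symlink hop at a time.
// An absolute link target is re-anchored under root; a relative target is
// resolved from the link's own directory. Every hop is checked for containment
// before it is touched, so a link pointing outside root yields errEscapes.
func resolveInRoot(root, name string) (string, error) {
	root = filepath.Clean(root)
	p := filepath.Join(root, name)
	for hops := 0; hops < 40; hops++ { // bounded like the kernel's symlink limit
		if !within(root, p) {
			return "", errEscapes
		}
		fi, err := os.Lstat(p)
		if err != nil {
			return "", err
		}
		if fi.Mode()&os.ModeSymlink == 0 {
			return p, nil // a real file: done
		}
		target, err := os.Readlink(p)
		if err != nil {
			return "", err
		}
		if filepath.IsAbs(target) {
			p = filepath.Join(root, target) // re-anchor "/nix/..." under root
		} else {
			p = filepath.Join(filepath.Dir(p), target)
		}
	}
	return "", errors.New("too many levels of symbolic links")
}

// hostFollow shows what a plain open(2) on the host would do with the same
// link: an absolute target is taken literally, relative to the host's "/".
func hostFollow(linkPath string) (string, error) {
	target, err := os.Readlink(linkPath)
	if err != nil {
		return "", err
	}
	if filepath.IsAbs(target) {
		return target, nil
	}
	return filepath.Join(filepath.Dir(linkPath), target), nil
}

// buildFixture constructs a NixOS-like rootfs in a temp dir (sample data,
// not a real image): /etc/group is an absolute symlink into the store, and
// /etc/escape is a relative link that climbs out of the root.
func buildFixture() (string, error) {
	root, err := os.MkdirTemp("", "userns-root-")
	if err != nil {
		return "", err
	}
	store := filepath.Join(root, "nix", "store", "abc")
	for _, d := range []string{store, filepath.Join(root, "etc")} {
		if err := os.MkdirAll(d, 0o755); err != nil {
			return "", err
		}
	}
	group := []byte("root:x:0:\nwheel:x:1:alice\n")
	if err := os.WriteFile(filepath.Join(store, "group"), group, 0o644); err != nil {
		return "", err
	}
	if err := os.Symlink("/nix/store/abc/group", filepath.Join(root, "etc", "group")); err != nil {
		return "", err
	}
	if err := os.Symlink("../../outside", filepath.Join(root, "etc", "escape")); err != nil {
		return "", err
	}
	return root, nil
}

func main() {
	root, err := buildFixture()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	host, _ := hostFollow(filepath.Join(root, "etc", "group"))
	fmt.Println("host would follow link to:", host)
	p, err := resolveInRoot(root, "etc/group")
	fmt.Println("re-anchored:", p, err)
	_, err = resolveInRoot(root, "etc/escape")
	fmt.Println("relative escape:", err)
}
```

Only the final component is inspected here; a production helper must also treat symlinked directory components the same way, and should open with an `openat`-style primitive so the check and the open are not separated in time.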
Bumps [actions/stale](https://github.com/actions/stale) from 10.1.1 to 10.2.0. - [Release notes](https://github.com/actions/stale/releases) - [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md) - [Commits](actions/stale@9971854...b5d41d4) --- updated-dependencies: - dependency-name: actions/stale dependency-version: 10.2.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
…tters Remote/proxy snapshotters like nydus need per-layer annotations on each snapshot (cri.image-ref, cri.layer-digest, cri.manifest-digest, cri.image-layers) so they can lazily fetch content inside the guest VM. During a normal PullImage, these annotations are set by AppendInfoHandlerWrapper and flow through the core/unpack.Unpacker to each layer's Prepare/Commit call. However, when an image is already present for one snapshotter (e.g., overlayfs) and needs to be used with a different one (e.g., nydus for Kata), no pull occurs. The image must be unpacked into the target snapshotter with the correct per-layer labels. Replace the image.Unpack() fallback in customopts.WithNewSnapshot with unpackImage, which leverages the existing core/unpack.Unpacker and wraps the image handler with AppendInfoHandlerWrapper when snapshot annotations are enabled (!DisableSnapshotAnnotations). This reuses the same unpack machinery as PullImage, including retry handling, parallel layer support, and deduplication. Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
api: regenerate and re-vendor protos
…unpacked-for-the-target-snapshotter cri: unpack images with per-layer labels for runtime-specific
…ctions/stale-10.2.0 build(deps): bump actions/stale from 10.1.1 to 10.2.0
Use new filtered cgroups stats API
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.32.3 to 4.32.4. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@9e907b5...89a39a4) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.32.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
…ead of values The loop `for flag := range unprivilegedFlags` iterates over slice indices (0,1,2,3,4,5,6) rather than the actual flag values (MS_RDONLY, MS_NODEV, etc). This was a porting error from moby/moby where the data structure was a map (where `for k := range m` yields keys/values). As a result, MS_NOEXEC, MS_NOATIME, MS_RELATIME, and MS_NODIRATIME are never detected or preserved. In user namespaces, this causes bind-mount remounts to fail with EPERM when any of these flags are locked on the parent mount, because the kernel requires all CL_UNPRIVILEGED locked flags to be preserved during remount. MS_RDONLY (0x1), MS_NOSUID (0x2), and MS_NODEV (0x4) happened to work by coincidence because their values equal low index numbers. Fix by using `for _, flag := range` to iterate over values. Signed-off-by: Luke Hinds <luke@stacklok.com>
Mounts a tmpfs with MS_NOEXEC, MS_NOATIME, and MS_NODIRATIME and verifies that getUnprivilegedMountFlags detects all of them. These three flags were the ones missed by the range-over-indices bug. Also verifies that flags not present on the mount (MS_NOSUID, MS_NODEV, MS_RDONLY) are not falsely reported. Signed-off-by: Luke Hinds <luke@stacklok.com>
core/mount: fix getUnprivilegedMountFlags iterating over indices instead of values
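The two commits above describe the range-over-indices bug and its regression test. The block below is an added Go example, not containerd's code, that reproduces the defect as a pure function so it runs without mounting anything: the flag constants are the Linux `mount(2)` values (MS_RDONLY through MS_RELATIME), the slice order and the `statfsFlags` parameter are this example's own, and both the buggy and the fixed loop are run over the same constructed mount flag words so the difference is visible.

```go
package main

import (
	"fmt"
	"strings"
)

// Linux mount(2) flag values (numeric values as defined by the kernel;
// declared here so the example needs no golang.org/x/sys/unix).
const (
	MS_RDONLY     = 0x1
	MS_NOSUID     = 0x2
	MS_NODEV      = 0x4
	MS_NOEXEC     = 0x8
	MS_NOATIME    = 0x400
	MS_NODIRATIME = 0x800
	MS_RELATIME   = 0x200000
)

// unprivilegedFlags lists the CL_UNPRIVILEGED-locked flags that a remount in a
// user namespace must carry over; the kernel returns EPERM if any is dropped.
// Seven entries, so a range over indices yields exactly 0..6.
var unprivilegedFlags = []int{
	MS_RDONLY, MS_NODEV, MS_NOEXEC, MS_NOSUID, MS_NOATIME, MS_RELATIME, MS_NODIRATIME,
}

// buggyPreservedFlags reproduces the porting error: with one loop variable,
// `range` over a slice yields the index, so the loop tests the bit pattern of
// 0..6 instead of the flag values. Only 1, 2 and 4 coincide with real flags.
func buggyPreservedFlags(statfsFlags int) int {
	var keep int
	for flag := range unprivilegedFlags {
		if statfsFlags&flag == flag {
			keep |= flag
		}
	}
	return keep
}

// fixedPreservedFlags is the corrected loop: `_, flag` iterates the values.
func fixedPreservedFlags(statfsFlags int) int {
	var keep int
	for _, flag := range unprivilegedFlags {
		if statfsFlags&flag == flag {
			keep |= flag
		}
	}
	return keep
}

var flagNames = []struct {
	name string
	val  int
}{
	{"MS_RDONLY", MS_RDONLY}, {"MS_NOSUID", MS_NOSUID}, {"MS_NODEV", MS_NODEV},
	{"MS_NOEXEC", MS_NOEXEC}, {"MS_NOATIME", MS_NOATIME},
	{"MS_NODIRATIME", MS_NODIRATIME}, {"MS_RELATIME", MS_RELATIME},
}

// describe renders a flag word as "A|B|C" for readable output.
func describe(flags int) string {
	var names []string
	for _, f := range flagNames {
		if flags&f.val != 0 {
			names = append(names, f.name)
		}
	}
	if len(names) == 0 {
		return "(none)"
	}
	return strings.Join(names, "|")
}

func main() {
	// Constructed sample: the parent mount carries the three flags the bug missed.
	missed := MS_NOEXEC | MS_NOATIME | MS_NODIRATIME
	fmt.Println("mount:", describe(missed))
	fmt.Println("  buggy keeps:", describe(buggyPreservedFlags(missed)))
	fmt.Println("  fixed keeps:", describe(fixedPreservedFlags(missed)))

	// And the case that "worked by coincidence": values 1 and 4 are also indices.
	lucky := MS_RDONLY | MS_NODEV
	fmt.Println("mount:", describe(lucky))
	fmt.Println("  buggy keeps:", describe(buggyPreservedFlags(lucky)))
	fmt.Println("  fixed keeps:", describe(fixedPreservedFlags(lucky)))
}
```

The detection value for a reviewer is the shape of the loop itself: a single-variable `range` over a slice whose elements are later used as bit masks is worth a second look, because `go vet` does not flag it and the low-valued entries will keep tests passing.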
ci: fix critools version used in windows tests
Signed-off-by: ningmingxiao <ning.mingxiao@zte.com.cn>
ci: modprobe xt_comment on almalinux
…ithub/codeql-action-4.32.4 build(deps): bump github/codeql-action from 4.32.3 to 4.32.4
https://docs.google.com/document/d/1RjFMBHLluYK9byUSz1IYgumPUMEqwNPTn890tg-IlCo/edit?tab=t.0 #12706 Signed-off-by: Samuel Karp <samuelkarp@google.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.32.4 to 4.32.5. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@89a39a4...c793b71) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.32.5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 7.0.0 to 8.0.0. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](actions/download-artifact@37930b1...70fc10c) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-version: 8.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Shachar Tal <stal@paloaltonetworks.com>
…ctions/download-artifact-8.0.0 build(deps): bump actions/download-artifact from 7.0.0 to 8.0.0
Signed-off-by: Derek McGowan <derek@mcg.dev>
Signed-off-by: Derek McGowan <derek@mcg.dev>
Bumps [crazy-max/ghaction-github-runtime](https://github.com/crazy-max/ghaction-github-runtime) from 3.1.0 to 4.0.0. - [Release notes](https://github.com/crazy-max/ghaction-github-runtime/releases) - [Commits](crazy-max/ghaction-github-runtime@3cb05d8...04d248b) --- updated-dependencies: - dependency-name: crazy-max/ghaction-github-runtime dependency-version: 4.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Aadhar Agarwal <aadagarwal@microsoft.com>
This change updates the Go version from 1.25.8 to 1.26.0 across the repository, including CI configurations, build scripts, and development environments. It also fixes two linter issues discovered after upgrading the Go version: - core/snapshots/storage/bolt.go: incorrect printf format for uint64 - plugins/transfer/plugin.go: incorrect printf format for int and unused variable The golangci-lint version in script/setup/install-dev-tools is also updated to v2.9.0 to match CI. Signed-off-by: Sergey Kanzhelev <S.Kanzhelev@live.com>
…zure/CLI-3.0.0 build(deps): bump azure/CLI from 2.2.0 to 3.0.0
tracing: add option to inject trace ID into logrus fields
core/remotes: MakeRefKey: update godoc and change Warn to Debug logs
Update crun version to 1.27 and enable in mount options test
Bump Go to 1.26.0
…th-goverity Add dmverity support to the erofs snapshotter using go-dmverity
…ctions/attest-build-provenance-4.1.0 build(deps): bump actions/attest-build-provenance from 3.2.0 to 4.1.0
…ctions/upload-artifact-7.0.0 build(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0
In order to support `os.features`. Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
If no snapshotter is specified and `os.features` contains "erofs", unpacking should use the EROFS snapshotter and differ. This enhances the usability of native EROFS container images. Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Just use apitypes.OCIPlatformFromProto(). Suggested-by: Jin Dong <djdongjin95@gmail.com> Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
…e` is set
If no snapshotter is specified, container run selects the default
snapshotter.
However, if `os.features` is set, we should always call
`checkSnapshotterSupport()`. This ensures containerd clients
report a clear error:
```
ctr: snapshotter overlayfs does not support platform
{amd64 linux [erofs] } for image sha256:[]
```
instead of the confusing layer extraction error:
```
ctr: apply layer error for "": failed to extract layer sha256:[]:
failed to get stream processor for application/vnd.erofs.layer.v1:
no processor for media-type
```
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
…b.com/pelletier/go-toml/v2-2.3.0 build(deps): bump github.com/pelletier/go-toml/v2 from 2.2.4 to 2.3.0
…ithub/codeql-action-4.35.1 build(deps): bump github/codeql-action from 4.33.0 to 4.35.1
…ng/pkg/httpstream Signed-off-by: Sergey Kanzhelev <S.Kanzhelev@live.com>
Signed-off-by: Sergey Kanzhelev <S.Kanzhelev@live.com>
Add `os.features` support for EROFS native container images
fix: handle nil spec for hostNetwork containers
The test image ghcr.io/containerd/volume-copy-up:2.1 does not include a manifest for s390x, causing the test to fail with: "no manifest found for platform: not found". Signed-off-by: Ricardo Branco <rbranco@suse.de>
Skip TestExportAndImportMultiLayer on s390x
Signed-off-by: ningmingxiao <ning.mingxiao@zte.com.cn>
Use latest k8s 1.36
klog has a long-standing bug where setting -logtostderr=true causes the -stderrthreshold flag to be silently ignored. All log messages are sent to stderr regardless of their severity. klog v2.140.0 introduced two new flags that allow callers to opt into the correct behavior: -legacy_stderr_threshold_behavior=false -stderrthreshold=INFO Set them in the CRI plugin's setGLogLevel() function, right after klog.InitFlags() and before any other flag configuration. Reference: kubernetes/klog#212 Signed-off-by: Pierluigi Lenoci <pierluigi.lenoci@gmail.com>
…upport Signed-off-by: Sergey Kanzhelev <S.Kanzhelev@live.com>
pause image 3.10.1 -> 3.10.2 for add Windows Server 2025 (ltsc2025) s…
script/setup: update runc binary to v1.4.2
Honor stderrthreshold when logtostderr is enabled
See Commits and Changes for more details.
Created by
pull[bot]
Can you help keep this open source service alive? 💖 Please sponsor : )