[pull] main from containerd:main

.mailmap

@@ -77,6 +77,7 @@ Junyu Liu <ljyngup@gmail.com>
 LongtaoZhang <DragonBillow@outlook.com>
 Lorenz Brun <lorenz@brun.one> <lorenz@nexantic.com>
 Luc Perkins <lucperkins@gmail.com>
+Luke Hinds <luke@stacklok.com> <123011167+lukefr09@users.noreply.github.com>
 James Sturtevant <jsturtevant@gmail.com> <jstur@microsoft.com>
 Jiajun Jiang <levinxo@gmail.com>
 Jin Dong <djdongjin95@gmail.com> <jin.dong@databricks.com>
@@ -90,6 +91,7 @@ Kante <kerthcet@gmail.com>
 Kazuyoshi Kato <kato.kazuyoshi@gmail.com>
 Kazuyoshi Kato <kato.kazuyoshi@gmail.com> <kaz@fly.io>
 Kazuyoshi Kato <kato.kazuyoshi@gmail.com> <katokazu@amazon.com>
+Kazuyoshi Kato <kato.kazuyoshi@gmail.com> <kazuyoshi.kato@baseten.co>
 Kenfe-Mickaël Laventure <mickael.laventure@gmail.com>
 Kevin Kern <kaiwentan@harmonycloud.cn>
 Kevin Parsons <kevpar@microsoft.com> <kevpar@users.noreply.github.com>

go.mod

@@ -12,7 +12,7 @@ require (
 	github.com/containerd/btrfs/v2 v2.0.0
 	github.com/containerd/cgroups/v3 v3.1.3
 	github.com/containerd/console v1.0.5
-	github.com/containerd/containerd/api v1.10.0
+	github.com/containerd/containerd/api v1.11.0-beta.0
 	github.com/containerd/continuity v0.4.5
 	github.com/containerd/errdefs v1.0.0
 	github.com/containerd/errdefs/pkg v0.3.0
@@ -161,5 +161,3 @@ require (
 	sigs.k8s.io/yaml v1.6.0 // indirect
 	tags.cncf.io/container-device-interface/specs-go v1.1.0 // indirect
 )
-
-replace github.com/containerd/containerd/api => ./api

go.sum

@@ -43,6 +43,8 @@ github.com/containerd/cgroups/v3 v3.1.3 h1:eUNflyMddm18+yrDmZPn3jI7C5hJ9ahABE5q6
 github.com/containerd/cgroups/v3 v3.1.3/go.mod h1:PKZ2AcWmSBsY/tJUVhtS/rluX0b1uq1GmPO1ElCmbOw=
 github.com/containerd/console v1.0.5 h1:R0ymNeydRqH2DmakFNdmjR2k0t7UPuiOV/N/27/qqsc=
 github.com/containerd/console v1.0.5/go.mod h1:YynlIjWYF8myEu6sdkwKIvGQq+cOckRm6So2avqoYAk=
+github.com/containerd/containerd/api v1.11.0-beta.0 h1:qtnn2fNjzVl82CRfzt6VvDikwQnMD66eq06Djb+I1Lc=
+github.com/containerd/containerd/api v1.11.0-beta.0/go.mod h1:NBm1OAk8ZL+LG8R0ceObGxT5hbUYj7CzTmR3xh0DlMM=
 github.com/containerd/continuity v0.4.5 h1:ZRoN1sXq9u7V6QoHMcVWGhOwDFqZ4B9i5H6un1Wh0x4=
 github.com/containerd/continuity v0.4.5/go.mod h1:/lNJvtJKUQStBzpVQ1+rasXO1LAWtUQssk28EZvJ3nE=
 github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=

pkg/shim/util_abstract_test.go

@@ -0,0 +1,41 @@
+//go:build !windows && !darwin
+
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package shim
+
+import (
+	"net"
+	"testing"
+	"time"
+)
+
+func TestNewSocketAbstract(t *testing.T) {
+	address := "@shim-test-abstract"
+
+	l, err := NewSocket(address)
+	if err != nil {
+		t.Fatalf("NewSocket failed: %v", err)
+	}
+	t.Cleanup(func() { l.Close() })
+
+	conn, err := net.DialTimeout("unix", socket(address).path(), time.Second)
+	if err != nil {
+		t.Fatalf("failed to connect to socket: %v", err)
+	}
+	conn.Close()
+}

pkg/shim/util_unix.go

@@ -29,7 +29,6 @@ import (
 	"net"
 	"os"
 	"path/filepath"
-	"runtime"
 	"strconv"
 	"strings"
 	"syscall"
@@ -119,16 +118,14 @@ func NewSocket(address string) (*net.UnixListener, error) {
 		sock       = socket(address)
 		path       = sock.path()
 		isAbstract = sock.isAbstract()
-		perm       = os.FileMode(0600)
+		// Socket file permissions: read/write for owner only
+		sockPerm = os.FileMode(0600)
+		// Directory permissions: need execute bit for traversal
+		dirPerm = os.FileMode(0700)
 	)
 
-	// Darwin needs +x to access socket, otherwise it'll fail with "bind: permission denied" when running as non-root.
-	if runtime.GOOS == "darwin" {
-		perm = 0700
-	}
-
 	if !isAbstract {
-		if err := os.MkdirAll(filepath.Dir(path), perm); err != nil {
+		if err := os.MkdirAll(filepath.Dir(path), dirPerm); err != nil {
 			return nil, fmt.Errorf("mkdir failed for %s: %w", path, err)
 		}
 	}
@@ -138,7 +135,7 @@ func NewSocket(address string) (*net.UnixListener, error) {
 	}
 
 	if !isAbstract {
-		if err := os.Chmod(path, perm); err != nil {
+		if err := os.Chmod(path, sockPerm); err != nil {
 			os.Remove(sock.path())
 			l.Close()
 			return nil, fmt.Errorf("chmod failed for %s: %w", path, err)

pkg/shim/util_unix_test.go

@@ -0,0 +1,74 @@
+//go:build !windows
+
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package shim
+
+import (
+	"fmt"
+	"net"
+	"os"
+	"path/filepath"
+	"testing"
+	"time"
+)
+
+func TestNewSocket(t *testing.T) {
+	t.Run("socket in nested directory", func(t *testing.T) {
+		dir, err := os.MkdirTemp("/tmp", "shim-test-")
+		if err != nil {
+			t.Fatalf("failed to create temp dir: %v", err)
+		}
+		t.Cleanup(func() { os.RemoveAll(dir) })
+
+		address := fmt.Sprintf("unix://%s/a/b/test.sock", dir)
+
+		l, err := NewSocket(address)
+		if err != nil {
+			t.Fatalf("NewSocket failed: %v", err)
+		}
+		t.Cleanup(func() { l.Close() })
+
+		conn, err := net.DialTimeout("unix", socket(address).path(), time.Second)
+		if err != nil {
+			t.Fatalf("failed to connect to socket: %v", err)
+		}
+		conn.Close()
+	})
+
+	t.Run("socket in existing directory", func(t *testing.T) {
+		dir, err := os.MkdirTemp("/tmp", "shim-test-")
+		if err != nil {
+			t.Fatalf("failed to create temp dir: %v", err)
+		}
+		t.Cleanup(func() { os.RemoveAll(dir) })
+
+		address := "unix://" + filepath.Join(dir, "test.sock")
+
+		l, err := NewSocket(address)
+		if err != nil {
+			t.Fatalf("NewSocket failed: %v", err)
+		}
+		t.Cleanup(func() { l.Close() })
+
+		conn, err := net.DialTimeout("unix", socket(address).path(), time.Second)
+		if err != nil {
+			t.Fatalf("failed to connect to socket: %v", err)
+		}
+		conn.Close()
+	})
+}

releases/v2.3.0-beta.toml

@@ -0,0 +1,36 @@
+# commit to be tagged for new release
+commit = "HEAD"
+
+project_name = "containerd"
+github_repo = "containerd/containerd"
+match_deps = "^github.com/(containerd/[a-zA-Z0-9-]+)$"
+ignore_deps = [ "github.com/containerd/containerd" ]
+
+# previous release
+previous = "v2.2.0"
+
+pre_release = true
+
+preface = """\
+The third minor release of containerd 2.x focuses on continued stability alongside
+new features and improvements. This is the third time-based release for containerd.
+
+Starting with containerd 2.3, the project has moved to release cadence aligned with
+the Kubernetes release schedule, with new minor releases about every 4 months. The
+containerd 2.3 release is also the first annual LTS (Long Term Stable) release under
+this new schedule, with support planned for at least two years. Direct upgrades
+between sequential LTS releases (e.g., 1.7 to 2.3) will be tested and supported.
+
+This is a beta release and some functionality is still under development.
+"""
+
+postface = """\
+### Which file should I download?
+* `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
+* `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.
+
+In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
+and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.
+
+See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.
+"""