
deps: update module github.com/containerd/containerd to v1.7.11 [security] #550

Merged

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Dec 23, 2023

Mend Renovate

This PR contains the following updates:

Package: github.com/containerd/containerd
Change:  v1.7.8 -> v1.7.11
(Age, Adoption, Passing and Confidence badges omitted)

GitHub Vulnerability Alerts

GHSA-7ww5-4wqc-m92c

/sys/devices/virtual/powercap accessible by default to containers

Intel's RAPL (Running Average Power Limit) feature, introduced by the Sandy Bridge microarchitecture, provides software insights into hardware energy consumption. To facilitate this, Intel introduced the powercap framework in Linux kernel 3.13, which reads values via relevant MSRs (model specific registers) and provides unprivileged userspace access via sysfs. As RAPL is an interface to access a hardware feature, it is only available when running on bare metal with the module compiled into the kernel.

By 2019, it was realized that in some cases unprivileged access to RAPL readings could be exploited as a power-based side-channel against security features including AES-NI (potentially inside a SGX enclave) and KASLR (kernel address space layout randomization). Also known as the PLATYPUS attack, Intel assigned CVE-2020-8694 and CVE-2020-8695, and AMD assigned CVE-2020-12912.

Several mitigations were applied; Intel reduced the sampling resolution via a microcode update, and the Linux kernel prevents access by non-root users since 5.10. However, this kernel-based mitigation does not apply to many container-based scenarios:

  • Unless using user namespaces, root inside a container has the same level of privilege as root outside the container, but with a slightly more narrow view of the system
  • sysfs is mounted inside containers read-only; however only read access is needed to carry out this attack on an unpatched CPU

While this is not a direct vulnerability in container runtimes, defense in depth and safe defaults are valuable and preferred, especially as this poses a risk to multi-tenant container environments. This is provided by masking /sys/devices/virtual/powercap in the default mount configuration, and adding an additional set of rules to deny it in the default AppArmor profile.

While sysfs is not the only way to read from the RAPL subsystem, other ways of accessing it require additional capabilities such as CAP_SYS_RAWIO which is not available to containers by default, or perf paranoia level less than 1, which is a non-default kernel tunable.

Release Notes

containerd/containerd (github.com/containerd/containerd)

v1.7.11: containerd 1.7.11

Welcome to the v1.7.11 release of containerd!

The eleventh patch release for containerd 1.7 contains various fixes and updates including
one security issue.

Notable Updates
  • Fix Windows default path overwrite issue (#​9440)
  • Update push to always inherit distribution sources from parent (#​9452)
  • Update shim to use net dial for gRPC shim sockets (#​9458)
  • Fix otel version incompatibility (#​9483)
  • Fix Windows snapshotter blocking snapshot GC on remove failure (#​9482)
  • Mask /sys/devices/virtual/powercap path in runtime spec and deny in default apparmor profile (GHSA-7ww5-4wqc-m92c)
Deprecation Warnings
  • Emit deprecation warning for AUFS snapshotter (#​9436)
  • Emit deprecation warning for v1 runtime (#​9450)
  • Emit deprecation warning for deprecated CRI configs (#​9469)
  • Emit deprecation warning for CRI v1alpha1 usage (#​9479)
  • Emit deprecation warning for CRIU config in CRI (#​9481)

See the changelog for the complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors
  • Samuel Karp
  • Derek McGowan
  • Phil Estes
  • Bjorn Neergaard
  • Danny Canter
  • Sebastiaan van Stijn
  • ruiwen-zhao
  • Akihiro Suda
  • Amit Barve
  • Charity Kathure
  • Maksym Pavlenko
  • Milas Bowman
  • Paweł Gronowski
  • Wei Fu
Changes
39 commits

  • [release/1.7] Prepare release notes for v1.7.11 (#​9491)
    • dfae68bc3 Prepare release notes for v1.7.11
  • [release/1.7] update to go1.20.12, test go1.21.5 (#​9352)
    • 0d314401d update to go1.20.12, test go1.21.5
    • 1ec1ae2c6 update to go1.20.11, test go1.21.4
  • Github Security Advisory GHSA-7ww5-4wqc-m92c
    • cb804da21 contrib/apparmor: deny /sys/devices/virtual/powercap
    • 40162a576 oci/spec: deny /sys/devices/virtual/powercap
  • [release/1.7] Don't block snapshot garbage collection on Remove failures (#​9482)
    • ed7c6895b Don't block snapshot garbage collection on Remove failures
  • [release/1.7] Add warning for CRIU config usage (#​9481)
    • 1fdefdd22 Add warning for CRIU config usage
  • [release/1.7] Fix otel version incompatibility (#​9483)
    • f8f659e66 Add HTTP client update function to tracing library
    • 807ddd658 fix(tracing): use latest version of semconv
  • [release/1.7] Add cri-api v1alpha2 usage warning to all api calls (#​9479)
    • dc45bc838 Add cri-api v1alpha2 usage warning to all api calls
  • [release/1.7] cri: add deprecation warnings for deprecated CRI configs (#​9469)
    • 9d1bad62e deprecation: fix missing spaces in warnings
    • 51a604c07 cri: add deprecation warning for runtime_root
    • 8040e74bf cri: add deprecation warning for runtime_engine
    • 99adc40eb cri: add deprecation warning for default_runtime
    • afef7ec64 cri: add warning for untrusted_workload_runtime
    • 6220dc190 cri: add warning for old form of systemd_cgroup
  • [release/1.7] runtime/v2: net.Dial gRPC shim sockets before trying grpc (#​9458)
    • 80f96cd18 runtime/v2: net.Dial gRPC shim sockets before trying grpc
  • [release/1.7] tasks: emit warning for v1 runtime and runc v1 runtime (#​9450)
    • f471bb2b8 tasks: emit warning for runc v1 runtime
    • 329e1d487 tasks: emit warning for v1 runtime
  • [release/1.7] push: always inherit distribution sources from parent (#​9452)
    • 4464fde12 push: always inherit distribution sources from parent
  • [release/1.7] Update tar tests to run on Darwin (#​9451)
    • 7e069ee25 Update tar tests to run on Darwin
  • [release/1.7] ctr: Add sandbox flag to ctr run (#​9449)
  • [release/1.7] Windows default path overwrite fix (#​9440)
    • 31fe03764 Fix windows default path overwrite issue
  • [release/1.7] snapshots: emit deprecation warning for aufs (#​9436)
    • 625b35e4b snapshots: emit deprecation warning for aufs

Dependency Changes
  • github.com/felixge/httpsnoop v1.0.3 new
  • go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.45.0 new

Previous release can be found at v1.7.10

v1.7.10: containerd 1.7.10

Welcome to the v1.7.10 release of containerd!

The tenth patch release for containerd 1.7 contains various fixes and updates.

Notable Updates
  • Enhance container image unpack client logs (#​9379)
  • cri: fix using the pinned label to pin image (#​9381)
  • fix: ImagePull should close http connection if there is no available data to read. (#​9409)

See the changelog for the complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors
  • Wei Fu
  • Iceber Gu
  • Austin Vazquez
  • Derek McGowan
  • Phil Estes
  • Samuel Karp
  • ruiwen-zhao
Changes
11 commits

  • Add release notes for v1.7.10 (#​9426)
  • [release/1.7] fix: ImagePull should close http connection if there is no available data to read. (#​9409)
  • [release/1.7] cri: fix using the pinned label to pin image (#​9381)
    • a2b16d7f9 cri: fix update of pinned label for images
    • 8dc861844 cri: fix using the pinned label to pin image
  • [release/1.7] Enhance container image unpack client logs (#​9379)
    • 5930a3750 Enhance container image unpack client logs

Dependency Changes

This release has no dependency changes

Previous release can be found at v1.7.9

v1.7.9: containerd 1.7.9

Welcome to the v1.7.9 release of containerd!

The ninth patch release for containerd 1.7 contains various fixes and updates.

Notable Updates
  • update runc binary to v1.1.10 (#​9359)
  • vendor: upgrade OpenTelemetry to v1.19.0 / v0.45.0 (#​9301)
  • Expose usage of cri-api v1alpha2 (#​9336)
  • integration: deflake TestIssue9103 (#​9354)
  • fix: shimv1 leak issue (#​9344)
  • cri: add deprecation warnings for mirrors, auths, and configs (#​9327)
  • Update hcsshim tag to v0.11.4 (#​9326)
  • Expose usage of deprecated features (#​9315)

See the changelog for the complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors
  • Samuel Karp
  • Kazuyoshi Kato
  • Wei Fu
  • Kirtana Ashok
  • Derek McGowan
  • Milas Bowman
  • Sebastiaan van Stijn
  • ruiwen-zhao
Changes
28 commits

  • [release/1.7] Add release notes for v1.7.9 (#​9333)
  • [release/1.7 backport] update runc binary to v1.1.10 (#​9359)
  • [release/1.7] vendor: upgrade OpenTelemetry to v1.19.0 / v0.45.0 (#​9301)
    • bd9428ff7 vendor: upgrade OpenTelemetry to v1.19.0 / v0.45.0
  • [release/1.7] Expose usage of cri-api v1alpha2 (#​9336)
  • [release/1.7] integration: deflake TestIssue9103 (#​9354)
    • 5dbc258a8 integration: deflake TestIssue9103
  • [release/1.7] fix: shimv1 leak issue (#​9344)
  • [release/1.7] cri: add deprecation warnings for mirrors, auths, and configs (#​9327)
    • 152c57e91 cri: add deprecation warning for configs
    • 689a1036d cri: add deprecation warning for auths
    • 8c38975bf cri: add deprecation warning for mirrors
    • 1fbce40c4 cri: add ability to emit deprecation warnings
  • [release/1.7] Update hcsshim tag to v0.11.4 (#​9326)
  • [release/1.7] Expose usage of deprecated features (#​9315)
    • 60d48ffea ctr: new deprecations command
    • 74a06671a plugin: record deprecation for dynamic plugins
    • fa5f3c91a server: add ability to record config deprecations
    • f7880e7f0 pull: record deprecation warning for schema 1
    • 1dd2f2c02 introspection: add support for deprecations
    • aaf000c18 api/introspection: deprecation warnings in server
    • 9b7ceee54 warning: new service for deprecations
    • b708f8bfa deprecation: new package for deprecations

Dependency Changes
  • github.com/Microsoft/hcsshim v0.11.1 -> v0.11.4
  • github.com/cenkalti/backoff/v4 v4.2.0 -> v4.2.1
  • github.com/go-logr/logr v1.2.3 -> v1.2.4
  • github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0 -> v2.16.0
  • go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.40.0 -> v0.45.0
  • go.opentelemetry.io/otel v1.14.0 -> v1.19.0
  • go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.14.0 -> v1.19.0
  • go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.14.0 -> v1.19.0
  • go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.14.0 -> v1.19.0
  • go.opentelemetry.io/otel/metric v0.37.0 -> v1.19.0
  • go.opentelemetry.io/otel/sdk v1.14.0 -> v1.19.0
  • go.opentelemetry.io/otel/trace v1.14.0 -> v1.19.0
  • go.opentelemetry.io/proto/otlp v0.19.0 -> v1.0.0

Previous release can be found at v1.7.8


Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
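The advisory above says the fix is to mask /sys/devices/virtual/powercap in the default OCI runtime spec (commit 40162a576) and to deny it in the default AppArmor profile (commit cb804da21). An operator upgrading a dependency like this usually wants a way to confirm that the runtime specs their platform actually emits carry the mask, and a way to patch specs produced by older tooling. The Go program below is an added example written for this page; it is not containerd's code and not part of this PR. It uses only the standard library, parses just the `linux.maskedPaths` subset of an OCI `config.json`, and operates on a constructed sample spec that stands in for a pre-1.7.11 default; the function names `AuditSpec`, `EnsureMasked` and `IsMasked` are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path"
	"strings"
)

// PowercapPath is the sysfs tree the advisory (GHSA-7ww5-4wqc-m92c) masks.
const PowercapPath = "/sys/devices/virtual/powercap"

// sampleSpec is a constructed OCI runtime spec fragment resembling a pre-fix
// default: it masks several /proc entries but not the powercap tree.
const sampleSpec = `{
  "ociVersion": "1.1.0",
  "process": {"args": ["/bin/sh"]},
  "linux": {
    "maskedPaths": ["/proc/acpi", "/proc/kcore", "/proc/keys", "/sys/firmware"],
    "readonlyPaths": ["/proc/bus", "/proc/sys"]
  }
}`

// IsMasked reports whether p, or a parent directory of p, appears in masked.
// A mask on a parent directory covers every file below it.
func IsMasked(masked []string, p string) bool {
	clean := path.Clean(p)
	for _, m := range masked {
		m = path.Clean(m)
		if clean == m || strings.HasPrefix(clean, m+"/") {
			return true
		}
	}
	return false
}

// spec is the minimal subset of an OCI runtime spec needed for the audit.
type spec struct {
	Linux *struct {
		MaskedPaths []string `json:"maskedPaths"`
	} `json:"linux"`
}

// AuditSpec parses a runtime spec and returns one finding per missing
// protection; an empty slice means the powercap tree is masked.
func AuditSpec(raw []byte) ([]string, error) {
	var s spec
	if err := json.Unmarshal(raw, &s); err != nil {
		return nil, fmt.Errorf("parse spec: %w", err)
	}
	if s.Linux == nil {
		return []string{"spec has no linux section, so no maskedPaths at all"}, nil
	}
	if !IsMasked(s.Linux.MaskedPaths, PowercapPath) {
		return []string{PowercapPath + " is not covered by linux.maskedPaths"}, nil
	}
	return nil, nil
}

// EnsureMasked returns the spec with PowercapPath appended to maskedPaths if it
// was missing. Unknown fields are preserved by working on raw JSON values.
// The bool reports whether anything changed.
func EnsureMasked(raw []byte) ([]byte, bool, error) {
	var top map[string]json.RawMessage
	if err := json.Unmarshal(raw, &top); err != nil {
		return nil, false, fmt.Errorf("parse spec: %w", err)
	}
	linux := map[string]json.RawMessage{}
	if lr, ok := top["linux"]; ok {
		if err := json.Unmarshal(lr, &linux); err != nil {
			return nil, false, fmt.Errorf("parse linux section: %w", err)
		}
		if linux == nil { // "linux": null
			linux = map[string]json.RawMessage{}
		}
	}
	var masked []string
	if mr, ok := linux["maskedPaths"]; ok {
		if err := json.Unmarshal(mr, &masked); err != nil {
			return nil, false, fmt.Errorf("parse maskedPaths: %w", err)
		}
	}
	if IsMasked(masked, PowercapPath) {
		return raw, false, nil
	}
	masked = append(masked, PowercapPath)
	mb, _ := json.Marshal(masked)
	linux["maskedPaths"] = mb
	lb, _ := json.Marshal(linux)
	top["linux"] = lb
	out, err := json.MarshalIndent(top, "", "  ")
	return out, true, err
}

func main() {
	raw := []byte(sampleSpec)
	if len(os.Args) > 1 { // audit a real config.json if one is given
		var err error
		if raw, err = os.ReadFile(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
	}
	findings, err := AuditSpec(raw)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Println("FINDING:", f)
	}
	if fixed, changed, err := EnsureMasked(raw); err == nil && changed {
		fmt.Println("patched spec:")
		fmt.Println(string(fixed))
	}
}
```

Run it with no arguments to see the constructed sample flagged and patched, or pass the path of a `config.json` dumped from your runtime to audit a real spec. Note that masking the path in the spec only affects containers started with that spec; the advisory's second layer, the AppArmor deny rule, still applies on hosts where AppArmor is enforced, so a host-side audit should check both.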

@renovate renovate bot added the kind/security Categorizes issue or PR as related to security. label Dec 23, 2023
@github-actions github-actions bot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Dec 23, 2023
@renovate renovate bot force-pushed the renovate/go-github.com/containerd/containerd-vulnerability branch from 864dc8d to 06cef2a Compare December 23, 2023 09:50
@ckotzbauer ckotzbauer merged commit ce57b5e into main Dec 23, 2023
7 checks passed
@ckotzbauer ckotzbauer deleted the renovate/go-github.com/containerd/containerd-vulnerability branch December 23, 2023 09:56