Skip to content

@dmcgowan dmcgowan released this Apr 5, 2019

Welcome to the v1.1.7 release of containerd!

This is the seventh patch release for the containerd 1.1 release. This
release contains fixes for image management, containerd client, CRI plugin
and containerd io handling.

It also updates runc to include an improved fix for CVE-2019-5736
to reduce the increased memory-consumption introduced by the original
patch, updates CNI to v0.7.5 to include the fix for CVE-2019-9946,
adds 2 new syscalls in the default seccomp profile.

All these changes are noted below.

Notable Updates

  • Fix an issue that non-existent parent directory in image layers is created with permission 0700. #3017
  • Fix an issue that snapshots of the base image can be deleted by mistake, when images built on top of it are deleted. #3088
  • Allow overriding package name in containerd --version output. #3097
  • Add 2 new syscalls io_pgetevents and statx in the default seccomp whitelist. #3112 #3114
  • Fix a bug that container output can be incomplete when stdout and stderr are pointed to the same file. #3156
  • cri: fix a bug that pod can't get started when the same volume is defined differently in the image and the pod spec. cri#1059
  • cri: fix a bug that causes container start failure after in-place upgrade containerd to 1.2.4+ or 1.1.6+. cri#1082
  • cri: fix a bug that containers being gracefully stopped are SIGKILLed when kubelet is restarted. cri#1098
  • cri: Fix a bug that pod UTS namespace is used for host network. cri#1111
  • cri: Update CNI plugins to v0.7.5 for CVE-2019-9946
  • Update cri to f8171b4530bed8992973cc4a2f24efe53b821d53. 3175
  • Update runc to v1.0.0-rc7-6-g029124da #3184 to include the improved fix for CVE-2019-5736, and fix a potential container start failure on non-SELinux system runc#2030.

Please try out the release binaries and report any issues at


  • Lantao Liu
  • Michael Crosby
  • Phil Estes
  • Sebastiaan van Stijn
  • Akihiro Suda
  • Derek McGowan
  • Peter Wagner
  • Andrei Vagin
  • Avi Kivity
  • Claudia Beresford
  • Daniel, Dao Quang Minh
  • John Howard
  • Kenfe-Mickaël Laventure
  • Lu Jingxiao
  • Madhan Raj Mookkandy
  • Nikos Anastopoulos
  • Parav Pandit
  • Sudeesh John
  • Wei Fu


  • 4278fbc243 Merge pull request #3181 from Random-Liu/prepare-1.1.7
  • f8e22625c6 Prepare v1.1.7 release.
  • af0bc2e035 Merge pull request #3184 from thaJeztah/1.1_bump_runc
  • c186fd8d8c bump runc to 029124da (v1.0.0-rc7-6-g029124da)
  • 82ebb90280 Merge pull request #3175 from Random-Liu/update-cri-release-1.1
  • 125c9a0046 Update cri to f8171b4530bed8992973cc4a2f24efe53b821d53.
  • 41b3a316f7 Merge pull request #3165 from Random-Liu/update-cri-release-1.1
  • 3afed24a4e Update cri to b9c06fd1410f1e6699a83277887af399a1342736.
  • 01cd85f6e8 Merge pull request #3156 from thaJeztah/1.1_backport_issue_3118
  • de85314d4f runtime: guard Close() until both streams are complete
  • 255da2a7b0 runtime: log IO error when copying output streams
  • 2bf4d3a650 Merge pull request #3140 from thaJeztah/1.1_backport_bump_runc_v1.0.0-rc7
  • 25b40629d4 update opencontainers/runc v1.0.0-rc7
  • cdc2fe6d81 Merge pull request #3112 from thaJeztah/1.1_backport_whitelist_statx
  • 8f6bcb2bba Merge pull request #3114 from thaJeztah/1.1_backport_whitelist_io_pgetevents
  • 58bee8125b seccomp: whitelist io_pgetevents
  • 03d129bdb2 seccomp: whitelist statx syscall
  • 9a0a5fd1e7 Merge pull request #3097 from thaJeztah/1.1_backport_override_package_name
  • d28f4aa242 Makefile: allow overriding package name
  • 8ecb055c07 Merge pull request #3083 from thaJeztah/1.1_backport_bump_runc
  • 21abff907c Vendor opencontainers/runtime-spec 29686dbc
  • 49b7692b16 Vendor in runtime spec referencing windows namespace
  • 62e4a2c8e7 Update containerd dependencies for 1.2
  • 95a8d1d933 Merge pull request #3088 from fuweid/me-cp-2876-release-1.1
  • 4e69228971 bugfix: unpack should always set the snapshot gc label
  • f86b114ac5 update runc to 2b18fe1d885ee5083ef9f0838fee39b62d653e30
  • 52bfc9f530 Merge pull request #3078 from thaJeztah/1.1_bump_golang
  • 8f044b8320 Bump to Go 1.11.x
  • 0fc64b682c Workaround for gofmt change in Go 1.11
  • 45b8d86585 Fix the formatting directives error during compilation
  • 9d16e2e660 Merge pull request #3039 from Random-Liu/cherrypick-#3018-release-1.1
  • ee4754550a Unpack should set 0755 when the parent directory doesn't exist.

Changes from containerd/cgroups

  • 5e61083 Merge pull request #50 from jingxiaolu/master
  • 0d1587c Add interface AddTask to control groups. So that we can set tasks when we need.
  • 07683a6 Merge pull request #45 from anastop/master
  • 15ef4c3 Add Update method for the cpuset controller
  • c755602 Merge pull request #41 from estesp/update-travis-go
  • 0a357bb Update Go versions for travis
  • 5539584 Fix incorrect use of OCI runtime specs-go cgroup dev types
  • bf7d89f Merge pull request #40 from containerd/license
  • f1d9380 Add license to files
  • 78a98a6 Merge pull request #39 from paravmellanox/master
  • ccd26c4 Add support for rdma cgroup

Changes from containerd/cri

  • f8171b45 Merge pull request #1117 from thaJeztah/1.0_backport_bump_selinux
  • 961bbf32 bump opencontainers/selinux v1.2.1
  • c7ec47f5 bump opencontainers/selinux to v1.2
  • b9c06fd1 Merge pull request #1112 from Random-Liu/cherrypick-#1102-release-1.0
  • c29999cc No UTS namespace for hostnetwork.
  • 15a38626 Merge pull request #1110 from Random-Liu/cherrypick-#1108-release-1.0
  • 5ca7e895 Update CNI to v0.7.5.
  • 04ccb9ca Merge pull request #1105 from Random-Liu/cherrypick-#1099-release-1.0
  • b2568d2e Do not SIGKILL container if container stop is cancelled.
  • 3c81b301 Merge pull request #1087 from Random-Liu/cherrypick-#1085-release-1.0
  • 134c2f35 Fix /etc/hostname backward compatibility issue for in-place upgrade.
  • 5b8046c2 Merge pull request #1073 from Random-Liu/cherrypick-#1072-release-1.0
  • b01bbde7 Use clean path for map and comparison.
  • d35c6741 Merge pull request #1068 from Random-Liu/cherrypick-#1055-release-1.0
  • 90bc4a66 Use the correct sandbox config.
  • 64e3e2d0 Merge pull request #1051 from Random-Liu/update-containerd-release-1.0
  • 5f8a6b6b Update containerd to 878924b.

Changes from containerd/go-runc

  • 14606eb Merge pull request #43 from AkihiroSuda/rootless
  • 0194529 add support for --rootless
  • 74719bd Merge pull request #42 from Random-Liu/expose-parsePSOutput
  • fdf39b3 Expose parsePSOutput.
  • 301f7c1 Merge pull request #41 from masters-of-cats/master
  • 07e192d Use user-specific temp directory if set
  • f271fa2 Merge pull request #40 from avagin/tty
  • 400dfa3 Add ConsoleSocket to RestoreOpts

Dependency Changes

Previous release can be found at v1.1.6

  • fe281dd265766145e943a034aa41086474ea6130 -> 5e610833b72089b37d0e615de9a92dfc043757c2
  • f0b5665a959119b6a6234001e6d55206d9200e95 -> f8171b4530bed8992973cc4a2f24efe53b821d53
  • bcb223a061a3dd7de1a89c0b402a60f4dd9bd307 -> 14606eb66abd9e834e3bd22a4f5f46a3aad54c54
  • v0.7.0 -> v0.7.5
  • 6635b4f0c6af3810594d2770f662f34ddc15b40d -> 029124da7af7360afa781a0234d1b083550f797c
  • v1.0.1 -> 29686dbc5559d93fb1ef402eeda3e35c38d75af4
  • b6fa367ed7f534f9ba25391cc2d467085dbb445a -> v1.2.1
Assets 3