@dmcgowan dmcgowan released this Aug 22, 2019

Welcome to the v1.2.8 release of containerd!

The eighth patch release for containerd 1.2 provides a series of bug fixes, many
of them backported from the master branch to correct several known issues around
manifest lists/indexes and pulling multi-arch, CVEs related to Golang/http2,
fd leakage in the Golang runtime, a shim hang, process and image environment config
handling, and finally mount cleanup related to Cloud Foundry's use of containerd
with rootless containers. A set of bug fixes/updates for the CRI plugin are also
included; details for the CRI issues and fixes are shown below.

Notable Updates

  • Skip rootfs unmount when no mounts are provided. Fixed by PR #3148 {cherry-picked as PR #3402}.
  • Close inherited socket file descriptor. Fixed in PR #3359 {cherry-picked as PR #3364}.
  • Call CloseIO when stdin closes in ctr. Fixed by PR #3462 {cherry-picked as PR #3490}.
  • Several multi-arch image fixes, including: ARM platform matching, selecting the proper manifest, and limiting to the best-matched manifest to solve discrepancies with multi-arch image operations. Backported PR #3270 as PR #3404, PR #3484 as PR #3512, and added PR #3421.
  • Override image's environment config with process config; including backport of fixes and tests for merging/replacing env variables; fix in PR #3542, backported via PR #3546 which included a backport of PR #2887. Additional fix to logic for override re: image $PATH cherry-picked in PR #3565.
  • Shim hang fix in master via PR #3540 backported to release/1.2 via PR #3561.
  • Updated Golang version to 1.12.9 patch release:
    • Resolves CVE-2019-9512 and CVE-2019-9514 from the 1.12.8 security release. Originally fixed via PR #3531 which lists the details of the Golang CVEs, backported via PR #3532 to release/1.2.
    • Resolves fd leaks reported via golang/go#33405 and resolved in the 1.12.9 patch release, updated via PR #3544. This fd leak bug was initially reported in containerd issue #3481.
  • CRI: Fix a bug where an image deleted immediately after being pulled may still exist after the deletion finishes successfully. (containerd/cri#1161)
  • CRI: Fix a bug where the runc and crictl binaries shipped in are versioned with the containerd version. (containerd/cri#1193)
  • CRI: Fix a bug where images become unusable if 2 images have the same image ID and RepoTag, but different RepoDigests. (#3401)
  • CRI: Fix ProcMount support (containerd/cri#1216). NOTE: To use containerd 1.2.8+ with Kubernetes 1.11 or below, you MUST set disable_proc_mount=true in the cri plugin config. (containerd/cri#1208)
  • CRI: Fix a bug where containerd tries to connect to the image registry over https even if the http endpoint is configured. (containerd/cri#1201)

Please try out the release binaries and report any issues at


  • Michael Crosby
  • Lantao Liu
  • Sebastiaan van Stijn
  • Wei Fu
  • Mike Brown
  • Phil Estes
  • Shukui Yang
  • Derek McGowan
  • Akihiro Suda
  • Andrey Kolomentsev
  • Darren Shepherd
  • Eric Ren
  • Georgi Sabev
  • Jaime Caamaño Ruiz
  • Jintao Zhang
  • Justin Terry
  • Yangyang


Changes from containerd/cri

  • d928a4dd Merge pull request #1230 from Random-Liu/fix-https-release-1.2
  • ecd021d4 Fix unnecessary https trial in release/1.2.
  • 789b26f3 Merge pull request #1216 from Random-Liu/cherrypick-1209-release-1.2
  • c54f640f Add test for disable_proc_mount.
  • 21343bf7 Fix proc mount support.
  • 106dfbde Merge pull request #1210 from Random-Liu/cherrypick-1202-release-1.2
  • dcdfa8f2 Do not cache image handler.
  • 7fb9c17c Merge pull request #1191 from thaJeztah/1.2_backport_bump_libseccomp
  • f68a182b Merge pull request #1193 from thaJeztah/1.2_backport_fix_version
  • 0c86149e Fix runc and critools version in release.
  • 8738fd62 bump libseccomp-golang v0.9.1
  • 0bb5f8ed Merge pull request #1186 from mikebrow/revert-1179-update-containerd-release-1.2
  • 489dd6af Revert "[release/1.2] Update containerd to v1.2.7"
  • 38ab32bf Merge pull request #1179 from Random-Liu/update-containerd-release-1.2
  • 30e14d9d Update containerd to v1.2.7
  • ec3609df Merge pull request #1167 from Random-Liu/cherrypick-#1162-release-1.2
  • cb317ddf Add cri managed image label when pulling the image.

Dependency Changes

Previous release can be found at v1.2.7

  • 49ca74043390bc2eeea7a45a46005fbec58a3f88 -> d928a4dd337fd2a992dbe72380eff2063c3ec62f