Skip to content

@dmcgowan dmcgowan released this Sep 6, 2019

Welcome to the v1.2.9 release of containerd!

The ninth patch release for containerd 1.2 provides a handful of bug fixes and an
update to the gRPC vendored codebase to include 3 CVE fixes provided in the upstream
v1.23.0 release of gRPC. Note that updating gRPC to the current release required small
changes to our core containerd codebase to match the upstream changes since gRPC v1.12.0.
These changes have been backported from containerd's master branch, as well as a
similar small change in ttrpc, requiring that package's vendoring to be updated.

In addition to the gRPC update to include CVE fixes, fixes were made to correct a
container's default Unix environment (introduced in 1.2.8), a small list of CRI plugin
fixes, as well as fixes for registry interactions where Docker-Content-Digest is not
returned (e.g. GitHub Package Registry), and a tar archive modification time bug found
by the buildkit maintainers. A fix to the zfs snapshotter was also included via a
re-vendoring of containerd's zfs import. More notes on these fixes are found below.

Notable Updates

  • Cherry-pick update to gRPC 1.23.0. PR #3586 {cherry-picked from changes in master PRs #3192 and #3581}.

    • Fixes grpc/grpc-go#2970 transport: block reading frames when too many transport control frames are queued.
    • Addresses CVE-2019-9512 (Ping Flood), CVE-2019-9514 (Reset Flood), and CVE-2019-9515 (Settings Flood).
    • Other changes can be found in the gRPC release notes.
  • CRI fixes:

    • Fix a bug that the default apparmor profile is mistakenly applied to privileged containers with runtime/default specified. containerd/cri#1239
    • Fix a bug that image can't be pulled if an empty AuthConfig is specified. containerd/cri#1249
  • Bug fix: Compute manifest data when not provided (Docker-Content-Digest header missing). PR #3591 {cherry-picked from master PR #3245 with backports of #2871 and #3335 required}.

  • Bug fix: Use default UNIX env when image has no environment. PR #3601 {cherry-picked from master branch PR #3599}.

  • Bug fix: archive: truncate modification time. PR #3602 {cherry-picked from master branch PR #3589}.

  • Bug fix: zfs: Datasets don't seem to be cleaned up properly on image removal. Reported in containerd/zfs#22 and fixed by PR containerd/zfs#24 and re-vendored into containerd release/1.2 via PR #3596.

Please try out the release binaries and report any issues at


  • Michael Crosby
  • Phil Estes
  • Derek McGowan
  • Wei Fu
  • Akihiro Suda
  • Lantao Liu
  • Sebastiaan van Stijn
  • Maksym Pavlenko
  • Akihiro Suda
  • Charles Kenney
  • Eric Lin
  • Kevin Parsons
  • Mark Gordon
  • Nishchay
  • Nishchay Kumar
  • Tõnis Tiigi


Changes from containerd/cri

  • ad5dcc6c Merge pull request #1254 from awesomenix/release/1.2
  • ce727bab fix: support empty auth config for anonymous registry
  • 0ee59257 Merge pull request #1241 from Random-Liu/cherrypick-#1240-release-1.2
  • f5a171f4 Fix apparmor for privileged.

Changes from containerd/ttrpc

  • 92c8520 Merge pull request #49 from crosbymichael/status
  • 0e0f228 Handle ok status
  • 9abb3e2 Merge pull request #48 from crosbymichael/travis
  • 8c74fe8 Update to go 1.12x on travis
  • 1ab4dfb Merge pull request #46 from thaJeztah/adjust_for_grpc_1.23
  • 17f4d32 Client.Call(): do not return error if no Status is set (gRPC v1.23 and up)
  • f969a7f Merge pull request #44 from kevpar/method-full-name
  • 271238a Fix method full name generation
  • 1fb3814 Merge pull request #42 from crosbymichael/client
  • 5829a06 Merge pull request #43 from crosbymichael/metadata
  • 694de9d metadata as KeyValue type
  • 3afb82b Fix error handling with server shutdown
  • f3eb35b Refactor close handling for ttrpc clients
  • d134fe7 Merge pull request #41 from crosbymichael/interceptors
  • de8faac Add godocs for interceptors
  • e409d7d Add example binary for testing the example service
  • 819653f Add client and server unary interceptors
  • a5bd8ce Merge pull request #40 from mxpv/headers
  • 04523b9 Rename headers to metadata
  • 5926a92 Support headers

Changes from containerd/zfs

  • 2ceb2db Merge pull request #24 from AkihiroSuda/fix-remove-committed
  • 5b87656 Merge pull request #23 from AkihiroSuda/update-travis
  • 1b4b223 update .travis.yml
  • 6fde16e fix removing Committed
  • 31af176 Merge pull request #21 from estesp/add-project-repo-checks
  • 2f23511 Add common project content/checks to zfs
  • c6182c4 Add license headers to files
  • 9f6ef3b Merge pull request #20 from containerd/skip
  • d78b0d0 Return skip error on unsupported fs
  • 39692b4 Merge pull request #19 from AkihiroSuda/update-containerd
  • 154f951 update containerd

Dependency Changes

Previous release can be found at v1.2.8

  • d928a4dd337fd2a992dbe72380eff2063c3ec62f -> ad5dcc6cba067488d017540d06ebc08b21bb82bc
  • f82148331ad2181edea8f3f649a1f7add6c3f9c2 -> 92c8520ef9f86600c650dd540266a007bf03670f
  • 9a0b8b8b5982014b729cd34eb7cd7a11062aa6ec -> 2ceb2dbb8154202ed1b8fd32e4ea25b491d7b251
  • v1.1.1 new
  • 166add352731e515512690329794ee593f1aaff2 -> f784269be439d704d3dfa1906f45dd848fed2beb
  • v1.12.0 -> 6eaf6f47437a6b4e2153a190160ef39a92c7eceb
Assets 3
You can’t perform that action at this time.