v0.11.0
Note: This is the first tag from the release/0.11 branch, and the release/0.11 branch is based off of the v0.10.0-rc.8 tag. Tags cut from the release/0.11 branch are intended to be used with containerd release/1.7.
What's Changed
- Add test network agent for ncproxy dev work by @katiewasnothere in #1067
- Support restarting containerd in tests, add restart test case by @kevpar in #1188
- Export hcsshim annotations into its own package by @anmaxvl in #1201
- Extend integrity protection of LCOW layers to SCSI devices by @anmaxvl in #1170
- Remove block preventing us from making hardlinks to symlinks by @katiewasnothere in #1187
- Fix LayerData not being usable for ComputeStorage package by @dcantah in #1203
- tests: Add CRI tests for integrity protection of LCOW layers by @anmaxvl in #1193
- Fix commandline double quoting for job containers by @dcantah in #1207
- Support updating cpugroup membership by @katiewasnothere in #1202
- Add reconnect logic for stdio pipes by @dcantah in #1197
- Add support for finding net adapters that were assigned with vpci by @katiewasnothere in #1196
- Support booting isolated SNP from a GuestStateFile rather than separate kernel/initrd. by @KenGordon in #1206
- Add tool to install modules in lcow and plumb through shim by @katiewasnothere in #1195
- Add retries when removing device mapper target by @anmaxvl in #1200
- Handling of out-of-order whiteout files during tar expansion by @ambarve in #1218
- Fix permissions issues with sandbox mounts by @katiewasnothere in #1211
- Update readme to list accurate go version by @dcantah in #1220
- Pass disk handle for computestorage.FormatWritableLayerVhd on RS5 by @dcantah in #1204
- go.mod: Bump ttrpc to 1.1.0 by @dcantah in #1223
- Update the Type field name to PolicyType for SetPolicy by @netal in #1194
- Add DefaultContainerAnnotations runhcs option by @anmaxvl in #1210
- security policy appended to container's environment variables by @svolos in #1219
- Add 21H2 definitions to osversion package by @dcantah in #1205
- Rework merkle tree implementation to use io.Reader instead of byte array by @anmaxvl in #1209
- Time synchronization inside LCOW UVM by @ambarve in #1119
- Set default time zone for WCOW UVM by @dcantah in #1192
- Bump github.com/containerd/containerd from 1.5.7 to 1.5.8 by @dependabot in #1231
- Restructure location of various ncproxy apis by @katiewasnothere in #1216
- Fix ReadExt4SuperBlock function by @anmaxvl in #1229
- Support assigning devices into LCOW by @katiewasnothere in #1215
- Add ws2022 image/build to cri-containerd tests by @dcantah in #1160
- Update ncproxy API and adjust hcn support by @katiewasnothere in #1212
- Add function to write hash device by @anmaxvl in #1235
- Add conpty (pseudo console) package by @dcantah in #1228
- Revendor in /test and remove dead code by @dcantah in #1244
- Add E2E test for pulling images with unordered tar by @ambarve in #1238
- Bump github.com/opencontainers/image-spec from 1.0.1 to 1.0.2 in /test by @dependabot in #1247
- Add new exec package for host process containers by @dcantah in #1233
- Swap to the internal/exec pkg for host process containers by @dcantah in #1248
- HCS fixes for HclEnabled and guest state file type. by @KenGordon in #1250
- Rename conpty.New to conpty.Create by @dcantah in #1254
- Ignore access denied on HcsTerminateProcess by @gabriel-samfira in #1252
- Change redundant conpty.ConPTY struct name by @dcantah in #1259
- Fix deferred os.Umask usage in loops by @anmaxvl in #1256
- Rework TestPseudoConsolePowershell by @dcantah in #1255
- Add endpoint settings to add nic call by @katiewasnothere in #1246
- Wait for waitInitExit() to return by @gabriel-samfira in #1249
- Bump github.com/containerd/containerd from 1.5.8 to 1.5.9 in /test by @dependabot in #1265
- Bump github.com/containerd/containerd from 1.5.8 to 1.5.9 by @dependabot in #1266
- Make kill noop on second run by @gabriel-samfira in #1269
- Rework process dump cri-containerd tests by @dcantah in #1267
- Add ErrInvalidHandle and fix list stats by @gabriel-samfira in #1276
- Fix ReadDMVeritySuperBlock function by @anmaxvl in #1257
- Update Go module version to 1.17 by @dcantah in #1222
- Add new service for querying compute systems' information by @katiewasnothere in #1243
- Fix Test_ExtendedTask_ProcessorInfo CRI test by @anmaxvl in #1283
- Update ncproxy to include new ncproxy network and endpoint types by @katiewasnothere in #1239
- Add logging to layer retry code path by @dcantah in #1281
- Skip flaky TestPseudoConsolePowershell by @dcantah in #1285
- Fix checkptr error with > 1 process in job object by @dcantah in #1284
- Refactor code for security policy by @anmaxvl in #1279
- shim: Don't shadow err return in createPod by @kevpar in #1288
- Bump github.com/opencontainers/runc from 1.0.2 to 1.0.3 by @dependabot in #1241
- Bug fix with runc container lifetime management by @helsaawy in #1272
- Shutdown hcsshim properly by @helsaawy in #1289
- Expand env variables for job containers to job mount path by @jsturtevant in #1292
- Enable gofmt in linter by @dcantah in #1293
- Delete shim workloads tasks in pod. by @helsaawy in #1271
- Add new guest request/resource packages by @anmaxvl in #1240
- Fix Network Namespace Bug For Ctr by @dcantah in #1270
- Fix comment placement for layers.MountContainerLayers by @dcantah in #1295
- Cleanup 'getUserTokenInheritAnnotation' by @dcantah in #1294
- Fix bugs in network setup introduced by a refactor PR by @anmaxvl in #1299
- Put Linux build tag on /internal/guest/transport/vsock.go by @dcantah in #1301
- Skip test for updating VM cpugroup membership for now by @katiewasnothere in #1298
- Linux GCS: Log disk info on ENOSPC errors by @dcantah in #1297
- Disable unsafe container options by @helsaawy in #1260
- Add local user account creation for host process containers by @dcantah in #1286
- all: fix typo by @cuishuang in #1310
- test: use T.TempDir to create temporary test directory by @Juneezee in #1308
- Replace winapi GetQueuedCompletionStatus bind with x/sys/windows by @dcantah in #1307
- fix lint issue by @anmaxvl in #1314
- Bump github.com/containerd/containerd from 1.5.9 to 1.5.10 by @dependabot in #1313
- Working directory enforcement by @anmaxvl in #1305
- Scrubbing env vars from logs by @helsaawy in #1315
- Add helper functions for generating security policy and setup CRI tests by @anmaxvl in #1309
- Fix typo in error message by @SeanTAllen in #1322
- Revert to v2.5 schema GuestStateFileType to support release target OS by @KenGordon in #1318
- Fix WorkingDir missing in securityPolicyContainer by @anmaxvl in #1321
- Scrubbing annotations from logs by @helsaawy in #1324
- Respect console size for host process containers by @dcantah in #1326
- Default to deny all security policy. by @anmaxvl in #1320
- Scrubbing bugfix: incorrect return variable by @helsaawy in #1332
- Add new gcs hooks, add expected mounts to security policy by @anmaxvl in #1258
- rootfs.vhd make target by @helsaawy in #1333
- Fix gcs init args wrapping when ConsolePipe is enabled by @anmaxvl in #1334
- Fix up job object options for unit tests by @dcantah in #1335
- Go 1.17 is the minimum version in all cases by @TBBle in #1337
- Support for multiple SCSI controllers by @ambarve in #1328
- Fix dm-verity target naming format in linux guest by @anmaxvl in #1338
- Add Go bindflt/silo definitions by @dcantah in #1331
- Adding build constraints by @helsaawy in #1340
- Run Protobuild on GitHub Actions by @kzys in #1302
- Pin go version for linter to 1.17.x by @dcantah in #1346
- Add tests for security policy enforcement by @anmaxvl in #1325
- Fix working_dir negative test error expectation by @anmaxvl in #1348
- Specify go_package in its full path by @kzys in #1345
- Add guest package for fetching attestation report via syscall by @anmaxvl in #1341
- Swap to fmt.Errorf in jobobject package by @dcantah in #1353
- Add support for mount policy enforcement. by @anmaxvl in #1311
- Removed shim publisher dependence on global flag/setting by @helsaawy in #1343
- Reorganizing makefile and adding info to rootfs by @helsaawy in #1350
- Use /internal/memory constants by @dcantah in #1354
- Linux GCS flags use 1 -, not 2 by @helsaawy in #1358
- Split out GCS test and build by @helsaawy in #1361
- Spelling fixes by @helsaawy in #1365
- Revert "Fix working_dir negative test error expectation (#1348)" by @anmaxvl in #1368
- Change receivers for security policy enforcer where applicable by @anmaxvl in #1369
- Allow multiple CreateContainer operations at the same time. by @anmaxvl in #1355
- Port grantvmgroupaccess code from go-winio and extend functionality. by @anmaxvl in #1347
- Fix for port conflict with docker daemon. by @ameyag in #1370
- Hold lock when updating DefaultMounts by @anmaxvl in #1367
- Include CommandLine in CreateProcess errors by @jterry75 in #1363
- uvmboot functionality by @helsaawy in #1359
- Add ArgsEscaped exec test by @dcantah in #1372
- Random fixes broken out of base layer work by @TBBle in #1374
- Fix wrong word use by @dcantah in #1377
- Missing build constraint, doc.go by @helsaawy in #1381
- Adding more logfield entries by @helsaawy in #1380
- Tests for task and sandbox reset/restart by @helsaawy in #1273
- Features/bugfixes to support LCOW GCS tests by @helsaawy in #1360
- tests: add tests for wait-paths by @anmaxvl in #1384
- Only pull appropriate images for testing by @helsaawy in #1387
- Change file path for restart tests to avoid permission issue by @helsaawy in #1389
- Fill in HyperV runtime spec field if shim options asks for it by @dcantah in #1388
- Log context integration changes by @helsaawy in #1382
- Bridge rpcProc string conversion by @helsaawy in #1391
- Unset text attribute for vendored files in gitattributes by @katiewasnothere in #1393
- testing bugs by @helsaawy in #1394
- Remove vsock consts by @dcantah in #1396
- Add _test suffix by @helsaawy in #1395
- wcow-process: Query Stats directly from shim by @dcantah in #1362
- Fix Hyper-V check in late clone spec comparisons by @dcantah in #1400
- Add secure hardware support for uvmboot by @anmaxvl in #1390
- extra ` by @helsaawy in #1401
- Fix typo in comment by @SeanTAllen in #1406
- Don't use unsafe.Sizeof where encoding/binary.Size suffices by @edef1c in #1404
- Fix nil deref if no shim options were specified by @dcantah in #1398
- Pass span context in ociwclayer by @helsaawy in #1402
- Add handling of ENTRYPOINT and CMD when "command" is not in policy by @anmaxvl in #1304
- fix unused commandArgs by @anmaxvl in #1411
- Add security policy config to allow containers to run in privileged mode by @anmaxvl in #1366
- Cleanup for shared container scratch by @ambarve in #1414
- Implement file binding support for host process containers by @dcantah in #1344
- Fix nil deref in Windows layer setup by @dcantah in #1418
- Fix spelling in runhcs options by @dcantah in #1415
- Rename ExpectedMounts to WaitMountPoints by @anmaxvl in #1413
- Remove vendor dir in /test by @dcantah in #1417
- Bump github.com/containerd/containerd from 1.5.10 to 1.5.13 by @dependabot in #1421
- Bump github.com/containerd/containerd from 1.5.10 to 1.5.13 in /test by @dependabot in #1420
- Remove /test/vendor.. again by @dcantah in #1422
- Change bind filter API used by @dcantah in #1424
- update docs for security policy tool by @anmaxvl in #1426
- Adding Microsoft SECURITY.MD by @microsoft-github-policy-service in #1407
- Add Plan9 support when booting from VMGS by @anmaxvl in #1429
- fix shared scratch scenario by @anmaxvl in #1435
- Adds cri-integration job by @gabriel-samfira in #1427
- Remove log file from runc commands by @helsaawy in #1436
- Fix unsafe uses of unsafe.Pointer by @dcantah in #1438
- Fix up hostprocess integration tests by @dcantah in #1434
- downgrade mingw by @anmaxvl in #1440
- Always set SECURITY_POLICY env var, even for open door policy. by @anmaxvl in #1397
- Fixed securitypolicy unit tests: AllowElevated and struct references. by @douglasmaciver in #1442
- Fix policy enforcement to handle identical layers. by @anmaxvl in #1441
- Correctly set silo field when opening job object by @dcantah in #1437
- Fix access denied when killing stopped container by @gabriel-samfira in #1447
- Add CI stage dependencies by @helsaawy in #1453
- Rework /internal/queue package by @dcantah in #1449
- linter: fix linting issues by @anmaxvl in #1457
- Add vpmem mount capability to uvmboot by @anmaxvl in #1455
- Backwards compat for hostprocess cntrs mounts by @dcantah in #1458
- Add annotations passthrough for host process containers by @dcantah in #1423
- Add IO tracking option for job objects by @dcantah in #1459
- Remove unnecessary use of silos in jobobject tests by @dcantah in #1464
- VPMem device unmap VHD, don't remove VPMem itself. by @anmaxvl in #1456
- tests: run securitypolicy tests in github CI. by @anmaxvl in #1470
- Add powershell to hostprocess container paths by @dcantah in #1473
- enforcement: fix use case when the same target has different hashes by @anmaxvl in #1469
- Remove osversion usage in computestorage APIs by @dcantah in #1463
- Update to Go 1.18 by @dcantah in #1479
- Properly assign logrus entry for fallback queries by @dcantah in #1478
- Fix OpenJobObject definition by @dcantah in #1481
- test coverage for #1456 by @anmaxvl in #1482
- Fix golangci-lint issues by @dcantah in #1480
- Fix a race condition in add SCSI workflow by @ambarve in #1483
- Short circuit Properties calls if NULL handle by @dcantah in #1484
- securitypolicy: add security policy enforcer registration and defaults by @anmaxvl in #1476
- Remove wait mounts functionality by @SeanTAllen in #1474
- Added LCOW functional tests and benchmarks for uVMs and containers. by @helsaawy in #1351
- fix unmarshaling of LCOWSecurityPolicyEnforcer by @anmaxvl in #1487
- Linux/LCOW bugs by @helsaawy in #1489
- Call container.Terminate() on shutdown timeouts by @dcantah in #1488
- add test utility func that waits for particular container state by @anmaxvl in #1492
- Add Tasks command to shimdiag by @dcantah in #1486
- Readonly option for hostprocess mounts by @dcantah in #1462
- Adding a Rego Policy Enforcer by @matajoh in #1493
- Add support for accepting Rego policy code. by @matajoh in #1495
- Fix nil pointer dereference in addSCSI by @ambarve in #1497
- Enable linting on test directory by @helsaawy in #1491
- Add step to check test/go.mod, updated test/go.mod by @helsaawy in #1501
- Add enforcement versioning to rego enforcer by @SeanTAllen in #1496
- Move rego only test fixtures into the rego tests file by @SeanTAllen in #1502
- Moving rego api test fixtures to a separate file by @matajoh in #1503
- Open Door fix for Rego policies by @matajoh in #1504
- Set HCSSHIM_UVM_REFERENCE_INFO env for workload containers by @anmaxvl in #1499
- Update lcow driver installation path by @katiewasnothere in #1383
- Add new ctrdtaskapi package for shim task API support. by @anmaxvl in #1485
- Remove unused open/closed door enforcement methods by @SeanTAllen in #1507
- Adding required environment variable rules logic. by @matajoh in #1505
- Fix seeding for generative policy tests by @SeanTAllen in #1508
- remove spelling linter by @helsaawy in #1509
- Adding the exec_in_container enforcement point by @matajoh in #1506
- Refactor of metadata operations. by @matajoh in #1513
- Update hcs errors to gov1.13 style by @helsaawy in #1450
- Use alpine and pause images from MSFT mirrors in tests by @anmaxvl in #1515
- update security policy and uvm reference env var names by @anmaxvl in #1514
- Linux GCS tests and benchmarks by @helsaawy in #1352
- Adding the exec_external enforcement point. by @matajoh in #1512
- Update dmverity-vhd tool to accept local images by @hgarvison in #1494
- rename SecurityPolicyEnv annotation to UVMSecurityPolicyEnv by @anmaxvl in #1517
- Fix 'ProcessorCount' comment by @dcantah in #1522
- Add policy enforcement for shutting down a container by @matajoh in #1518
- Update policy enforcer overlay error message to be more descriptive by @SethHollandsworth in #1524
- Add enforcement of sending signals to arbitrary processes in a container by @matajoh in #1525
- fix wrong parameters passed to EnforceExecExternalProcessPolicy by @anmaxvl in #1523
- Switch to go-winio/tools/mkwinsyscall by @helsaawy in #1409
- fix release.yml push trigger expecting a map. by @anmaxvl in #1527
- fix release.yml trigger for real now by @anmaxvl in #1529
- Add pod startup security policy fragment injection by @anmaxvl in #1521
- Device mounting and unmounting updates by @matajoh in #1526
- fix create-scratch and other runhcs subcommands by @anmaxvl in #1528
- Changes to support ipv6 in ncproxy by @katiewasnothere in #1452
- Ignoring unneeded fields in JSON policy marshalling. by @matajoh in #1530
- Vendor go generate binaries, update CI by @helsaawy in #1433
- set confidential UVM options during UVM start by @anmaxvl in #1533
- Add policy enforcement of mounting and unmounting plan9 devices by @matajoh in #1531
- Add t.Helper calls, test helpers linter by @helsaawy in #1534
- Add policy enforcement for overlay unmounting by @matajoh in #1535
- Add support for generating guest crash dumps by @ambarve in #1516
- Adding GetProperties policy enforcement point. by @matajoh in #1542
- Lint ./ext4 directory by @helsaawy in #1537
- Adding DumpStacks policy enforcement point. by @matajoh in #1543
- remove pod startup fragment functionality by @anmaxvl in #1544
- Add enforcement of logging from the GCS runtime by @SeanTAllen in #1545
- Adding policy fragments. by @matajoh in #1539
- Pass ipv6 address information to Linux GCS by @helsaawy in #1552
- Change the default policy stance to "allow" and fix logging by @anmaxvl in #1553
- Update LCOW boot file paths used in tests by @helsaawy in #1551
- Drop unmatched environment variables. by @matajoh in #1550
- fix: wrong assignment after enforcing a policy by @anmaxvl in #1559
- rego and hardening: add enforcement and hardening for encrypted scratch by @anmaxvl in #1538
- uVM timeout handling and logging improvement by @helsaawy in #1561
- race condition with exitCh in (*UtilityVM).Start() by @helsaawy in #1562
- test/functional: Add flag for container layer paths, remove containerd dependence by @helsaawy in #1536
- [CI] update actions version by @helsaawy in #1564
- [test]logging and tracing to stdout by @helsaawy in #1563
- [test]Add feature for CRI extensions by @helsaawy in #1565
- test: CRI initialization by @helsaawy in #1566
- Adding some missing policy elements from the templates. by @matajoh in #1571
- Set up dependabot by @slonopotamus in #1319
- Bump github.com/stretchr/testify from 1.8.0 to 1.8.1 in /test by @dependabot in #1582
- Reduce dependabot update schedule by @helsaawy in #1588
- Bump actions/download-artifact from 2 to 3 by @dependabot in #1577
- Bump go.opencensus.io from 0.23.0 to 0.24.0 in /test by @dependabot in #1578
- Bump github.com/google/go-containerregistry from 0.11.0 to 0.12.1 in /test by @dependabot in #1589
- Upgrade test module to go1.18 by @helsaawy in #1593
- Bump github.com/BurntSushi/toml from 0.4.1 to 1.2.1 by @dependabot in #1590
- Bump github.com/cenkalti/backoff/v4 from 4.1.3 to 4.2.0 by @dependabot in #1583
- Bump golang.org/x/sys from 0.1.0 to 0.2.0 in /test by @dependabot in #1596
- plumb AMD certs to workload containers by @anmaxvl in #1549
- Prevent operations on exited HCS objects. by @helsaawy in #1567
- Add ability in policy to allow/disallow access to stdio by @matajoh in #1594
- Remove blocking on container exit for every new exec created by @kiashok in #1601
- Updating dependencies by @helsaawy in #1607
- policy: do not set policy to open door if none is provided by @anmaxvl in #1572
- wcow: support graceful termination of servercore containers by @kiashok in #1416
- Add 20H2 container image to test constants by @helsaawy in #1611
- Remove goversioninfo from tools.go by @helsaawy in #1616
- Adding a simulator + regopolicyinterpreter. by @matajoh in #1558
- adding tarball support for generating root layer hashes by @SethHollandsworth in #1600
- Add logic to cleanup the oci bundle root dir on container delete by @katiewasnothere in #1597
- Retain pause.exe as entrypoint for default pause images by @kiashok in #1615
- Add missing AllowElevated policy check when creating a container by @SeanTAllen in #1624
- rego enforcer: trim whitespaces from fragment namespace name by @anmaxvl in #1627
- Make LCOWPrivileged annotation more resilient to change by @SeanTAllen in #1628
- fix snp-report: fake-report flag is now correctly parsed by @anmaxvl in #1626
- API Data and Framework Versioning. by @matajoh in #1622
- rego: fix slightly incorrect sandbox and hugepage mounts enforcement by @anmaxvl in #1625
- Fragment COSE Sign1 support. by @KenGordon in #1575
- Bump github.com/containerd/cgroups from 1.0.3 to 1.1.0 in /test by @dependabot in #1631
- Bump github.com/google/go-containerregistry from 0.12.1 to 0.13.0 in /test by @dependabot in #1632
- Bump google.golang.org/grpc from 1.51.0 to 1.52.3 in /test by @dependabot in #1633
- Bump golang.org/x/sys from 0.3.0 to 0.4.0 in /test by @dependabot in #1612
- Bump github.com/containerd/cgroups from 1.0.3 to 1.1.0 by @dependabot in #1630
- Bump github.com/google/go-containerregistry from 0.12.1 to 0.13.0 by @dependabot in #1629
- internal/tools/securitypolicy: switch to github.com/pelletier/go-toml by @thaJeztah in #1620
- Add retry to install mingw by @helsaawy in #1636
- test: Add CRI benchmarks for container operations by @helsaawy in #1569
- Fix SCSI mount error handling by @ambarve in #1642
- fix: treat VMGS file as template when launching multiple UVMs by @anmaxvl in #1646
- Redact environment variable values in policy error output by @SeanTAllen in #1649
- Adding a default error message. by @matajoh in #1647
- policy: add plan9 mount type handling when generating policy by @anmaxvl in #1650
- Bump golang.org/x/sys from 0.4.0 to 0.5.0 in /test by @dependabot in #1654
- Bump google.golang.org/grpc from 1.52.3 to 1.53.0 in /test by @dependabot in #1656
- Bump golang.org/x/sys from 0.1.0 to 0.5.0 by @dependabot in #1655
- Fix unintended data modification when redacted environment variables by @SeanTAllen in #1657
- Fix false positive error messages on exec_external policy denial by @SeanTAllen in #1658
- dmverity: fix padding by @anmaxvl in #1659
- fix: temp file leak during hash computation by @anmaxvl in #1641
- Provide error message when allow_stdio_access creates an undecidable error by @SeanTAllen in #1662
- Make a couple tests match the naming convention around them by @SeanTAllen in #1664
- Update selectContainerFromConstraints to work on a container list by @SeanTAllen in #1645
- Bump golang.org/x/net from 0.5.0 to 0.7.0 in /test by @dependabot in #1666
- Provide error message when the lack of required environment variable causes policy denial by @SeanTAllen in #1661
- tests: rego policy exec in container tests by @anmaxvl in #1635
- Fix compilation error caused by "PRs crossing in the night" by @SeanTAllen in #1668
- Adding support and policy enforcement for NoNewPrivileges. by @matajoh in #1652
- Bump golang.org/x/net from 0.1.0 to 0.7.0 by @dependabot in #1667
- Format encrypted scratch disk as xfs rather than ext4fs by @KenGordon in #1665
- Wait longer before trying to install mingw after failing to install by @SeanTAllen in #1670
- osversion: implement stringer interface, deprecate ToString() by @thaJeztah in #1547
- Bump actions/upload-artifact from 2 to 3 by @dependabot in #1677
- Bump actions/checkout from 2 to 3 by @dependabot in #1676
- Bump github.com/opencontainers/runtime-tools from 0.0.0-20181011054405-1d69bd0f9c39 to 0.9.0 in /test by @dependabot in #1674
- Use gotestsum to get test summary by @helsaawy in #1678
- simplify zeroDevice to just zero first block by @anmaxvl in #1672
- Base layer manipulation by @gabriel-samfira in #1637
- Adding policy enforcement for User. by @matajoh in #1669
- Bump golang.org/x/sys from 0.5.0 to 0.6.0 in /test by @dependabot in #1685
- Fix silly error whereby a chain was required although unnecessary. by @KenGordon in #1682
- github-ci: use go1.19.x by @anmaxvl in #1689
- Bump github.com/containerd/ttrpc from 1.1.0 to 1.2.1 in /test by @dependabot in #1693
- tests: rego exec in uvm cri integration tests by @anmaxvl in #1648
- Fix graceful termination test errors by @kiashok in #1687
- Logging (JSON) formatting; span export by @helsaawy in #1364
- Bump actions/setup-go from 3 to 4 by @dependabot in #1696
- Fix "no matches" test that can somewhat easily match by @SeanTAllen in #1684
- Update dependencies by @helsaawy in #1697
- tests: add tests for concurrent pod startup by @anmaxvl in #1639
- Bump github.com/google/go-containerregistry from 0.13.0 to 0.14.0 in /test by @dependabot in #1700
- Bump github.com/google/go-containerregistry from 0.13.0 to 0.14.0 by @dependabot in #1701
- Adding policy for Linux capabilities. by @matajoh in #1683
- NCProxy: attach to host and macpool by @helsaawy in #1591
- Update golangci linter and clean go mod cache by @katiewasnothere in #1707
- Seccomp profile policy enforcement. by @matajoh in #1705
- upgrade runc dependency by @helsaawy in #1714
- Clarifying SVN vs. Version. by @matajoh in #1715
- sev-snp: add SEV device when security policy is present by @anmaxvl in #1679
- tests: Add rego cri-integration tests for plan9 mount policy. by @anmaxvl in #1651
- con-con: write policy, reference info and cert to container's rootfs by @anmaxvl in #1708
- Moving to structured JSON policy decisions. by @matajoh in #1718
- hack: add blanket retries on device-mapper failures with SCSI by @anmaxvl in #1720
- negative rego cri-integration tests by @anmaxvl in #1719
- tests: fix error assertion and container layer sha256 by @anmaxvl in #1725
- Create new test packages that reference internal packages by @katiewasnothere in #1704
- Make sure that security context files are readable by all by @jumaffre in #1729
- Switch from filepath.EvalSymlinks to fs.ResolvePath by @helsaawy in #1644
- Policy decision truncation. by @matajoh in #1731
- Fixing the errors for missing enforcement points by @matajoh in #1735
- tests: write seccomp profile to a temporary file by @anmaxvl in #1736
- Add code to format disk as ext4 in guest by @katiewasnothere in #1717
- Adding padding to base64 encoded policy decisions by @matajoh in #1738
- fix: bug potentially not removing RW device. by @anmaxvl in #1737
- Consolidate dependabot updates by @helsaawy in #1748
- [bug] Consolidate dependabot updates by @helsaawy in #1749
- Remove UVM/container cloning functionality by @kevpar in #1740
- gcs: Add SCSIDevice type with remove operation by @kevpar in #1741
- Remove dependence on GetScsiUvmPath function by @kevpar in #1742
- Rework layer handling to return a ResourceCloser by @kevpar in #1743
- Remove godeps from makefile by @helsaawy in #1750
- slice bounds and nil VM access fix by @helsaawy in #1754
- [release/0.11] Add support for platform compatibility check for windows + fix integration test failures by @kiashok in #1878
New Contributors
- @KenGordon made their first contribution in #1206
- @svolos made their first contribution in #1219
- @gabriel-samfira made their first contribution in #1252
- @cuishuang made their first contribution in #1310
- @Juneezee made their first contribution in #1308
- @kzys made their first contribution in #1302
- @edef1c made their first contribution in #1404
- @microsoft-github-policy-service made their first contribution in #1407
- @douglasmaciver made their first contribution in #1442
- @matajoh made their first contribution in #1493
- @hgarvison made their first contribution in #1494
- @SethHollandsworth made their first contribution in #1524
- @jumaffre made their first contribution in #1729
Full Changelog: v0.9.0...v0.11.0