Merge tag 'v1.6.19' into release-4.13

containerd 1.6.19 Welcome to the v1.6.19 release of containerd! The nineteenth patch release for containerd 1.6 contains runtime fixes and additions for Windows platforms * **Update hcsshim to v0.9.7 to include fix for graceful termination and pause containers ([containerd#8153](containerd#8153)) See the changelog for complete list of changes Please try out the release binaries and report any issues at https://github.com/containerd/containerd/issues. * Kirtana Ashok * Derek McGowan * Wei Fu <details><summary>4 commits</summary> <p> * [release/1.6] Prepare release notes for v1.6.19 ([containerd#8157](containerd#8157)) * [`23e94075a`](containerd@23e9407) Add release notes for v1.6.19 * [release/1.6] go.mod: Bump hcsshim to v0.9.7 ([containerd#8153](containerd#8153)) * [`f488a6241`](containerd@f488a62) Update hcsshim tag to v0.9.7 </p> </details> * **github.com/Microsoft/hcsshim** v0.9.6 -> v0.9.7 Previous release can be found at [v1.6.18](https://github.com/containerd/containerd/releases/tag/v1.6.18)
openshift · Feb 28, 2023 · d594a39 · d594a39 · aravindhp · Feb 28, 2023
2 parents 2d3127c + 1e1ea6e
commit d594a39
Show file tree

Hide file tree

Showing 45 changed files with 950 additions and 273 deletions.
diff --git a/.github/workflows/build-test-images.yml b/.github/workflows/build-test-images.yml
@@ -41,7 +41,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v3
         with:
-          go-version: '1.18.10'
+          go-version: '1.19.6'
 
       - uses: actions/checkout@v3
         with:

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -12,7 +12,7 @@ on:
 env:
   # Go version we currently use to build containerd across all CI.
   # Note: don't forget to update `Binaries` step, as it contains the matrix of all supported Go versions.
-  GO_VERSION: '1.18.10'
+  GO_VERSION: '1.19.6'
 
 permissions:  # added using https://github.com/step-security/secure-workflows
   contents: read
@@ -56,6 +56,7 @@ jobs:
   #
   project:
     name: Project Checks
+    if: github.repository == 'containerd/containerd'
     runs-on: ubuntu-20.04
     timeout-minutes: 5
 
@@ -135,7 +136,7 @@ jobs:
   # Make sure binaries compile with other platforms
   crossbuild:
     name: Crossbuild Binaries
-    needs: [project, linters, protos, man]
+    needs: [linters, protos, man]
     runs-on: ubuntu-20.04
     timeout-minutes: 10
     strategy:
@@ -227,12 +228,12 @@ jobs:
     name: Binaries
     runs-on: ${{ matrix.os }}
     timeout-minutes: 10
-    needs: [project, linters, protos, man]
+    needs: [linters, protos, man]
 
     strategy:
       matrix:
         os: [ubuntu-20.04, macos-12, windows-2019, windows-2022]
-        go-version: ["1.17.13", "1.18.10"]
+        go-version: ["1.17.13", "1.19.6"]
     steps:
       - name: Install dependencies
         if: matrix.os == 'ubuntu-20.04'
@@ -267,7 +268,7 @@ jobs:
     name: Windows Integration
     runs-on: ${{ matrix.os }}
     timeout-minutes: 35
-    needs: [project, linters, protos, man]
+    needs: [linters, protos, man]
     env:
       GOTEST: gotestsum --
 
@@ -356,7 +357,7 @@ jobs:
     name: Linux Integration
     runs-on: ubuntu-20.04
     timeout-minutes: 40
-    needs: [project, linters, protos, man]
+    needs: [linters, protos, man]
 
     strategy:
       fail-fast: false
@@ -486,7 +487,7 @@ jobs:
     name: MacOS unit tests
     runs-on: macos-12
     timeout-minutes: 10
-    needs: [project, linters, protos, man]
+    needs: [linters, protos, man]
     env:
       GOTEST: gotestsum --
 
@@ -512,7 +513,7 @@ jobs:
     # nested virtualization is only available on macOS hosts
     runs-on: macos-12
     timeout-minutes: 45
-    needs: [project, linters, protos, man]
+    needs: [linters, protos, man]
     strategy:
       fail-fast: false
       matrix:
@@ -583,7 +584,7 @@ jobs:
     # nested virtualization is only available on macOS hosts
     runs-on: macos-12
     timeout-minutes: 45
-    needs: [project, linters, protos, man]
+    needs: [linters, protos, man]
     steps:
       - uses: actions/checkout@v3
 

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -15,7 +15,7 @@ permissions:  # added using https://github.com/step-security/secure-workflows
 
 jobs:
   CodeQL-Build:
-
+    if: github.repository == 'containerd/containerd'
     permissions:
       actions: read  # for github/codeql-action/init to get workflow details
       contents: read  # for actions/checkout to fetch code
@@ -33,7 +33,7 @@ jobs:
 
     - uses: actions/setup-go@v3
       with:
-        go-version: 1.18.10
+        go-version: 1.19.6
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

diff --git a/.github/workflows/images.yml b/.github/workflows/images.yml
@@ -26,7 +26,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v3
         with:
-          go-version: '1.18.10'
+          go-version: '1.19.6'
 
       - uses: actions/checkout@v3
         with:

diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
@@ -7,7 +7,7 @@ on:
       - '.github/workflows/nightly.yml'
 
 env:
-  GO_VERSION: '1.18.10'
+  GO_VERSION: '1.19.6'
 
 permissions:  # added using https://github.com/step-security/secure-workflows
   contents: read

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -6,7 +6,7 @@ on:
 name: Containerd Release
 
 env:
-  GO_VERSION: '1.18.10'
+  GO_VERSION: '1.19.6'
 
 permissions:  # added using https://github.com/step-security/secure-workflows
   contents: read

diff --git a/Vagrantfile b/Vagrantfile
@@ -93,7 +93,7 @@ EOF
   config.vm.provision "install-golang", type: "shell", run: "once" do |sh|
     sh.upload_path = "/tmp/vagrant-install-golang"
     sh.env = {
-        'GO_VERSION': ENV['GO_VERSION'] || "1.18.10",
+        'GO_VERSION': ENV['GO_VERSION'] || "1.19.6",
     }
     sh.inline = <<~SHELL
         #!/usr/bin/env bash

diff --git a/api/services/content/v1/content.pb.go b/api/services/content/v1/content.pb.go
diff --git a/cmd/ctr/commands/run/run.go b/cmd/ctr/commands/run/run.go
@@ -97,7 +97,7 @@ var Command = cli.Command{
 	Flags: append([]cli.Flag{
 		cli.BoolFlag{
 			Name:  "rm",
-			Usage: "remove the container after running",
+			Usage: "remove the container after running, cannot be used with --detach",
 		},
 		cli.BoolFlag{
 			Name:  "null-io",
@@ -109,7 +109,7 @@ var Command = cli.Command{
 		},
 		cli.BoolFlag{
 			Name:  "detach,d",
-			Usage: "detach from the task after it has started execution",
+			Usage: "detach from the task after it has started execution, cannot be used with --rm",
 		},
 		cli.StringFlag{
 			Name:  "fifo-dir",
@@ -136,6 +136,7 @@ var Command = cli.Command{
 			id  string
 			ref string
 
+			rm        = context.Bool("rm")
 			tty       = context.Bool("tty")
 			detach    = context.Bool("detach")
 			config    = context.IsSet("config")
@@ -158,6 +159,10 @@ var Command = cli.Command{
 		if id == "" {
 			return errors.New("container id must be provided")
 		}
+		if rm && detach {
+			return errors.New("flags --detach and --rm cannot be specified together")
+		}
+
 		client, ctx, cancel, err := commands.NewClient(context)
 		if err != nil {
 			return err
@@ -167,7 +172,7 @@ var Command = cli.Command{
 		if err != nil {
 			return err
 		}
-		if context.Bool("rm") && !detach {
+		if rm && !detach {
 			defer container.Delete(ctx, containerd.WithSnapshotCleanup)
 		}
 		var con console.Console

diff --git a/contrib/Dockerfile.test b/contrib/Dockerfile.test
@@ -10,7 +10,7 @@
 #
 # docker build -t containerd-test --build-arg RUNC_VERSION=v1.0.0-rc94 -f Dockerfile.test ../
 
-ARG GOLANG_VERSION=1.18.10
+ARG GOLANG_VERSION=1.19.6
 ARG GOLANG_IMAGE=golang
 
 FROM ${GOLANG_IMAGE}:${GOLANG_VERSION} AS golang

diff --git a/docs/hosts.md b/docs/hosts.md
@@ -71,6 +71,9 @@ $ tree /etc/containerd/certs.d
     └── hosts.toml
 ```
 
+Optionally the `_default` registry host namespace can be used as a fallback, if no
+other namespace matches.
+
 The `/v2` portion of the pull request format shown above refers to the version of the
 distribution api. If not included in the pull request, `/v2` is added by default for all
 clients compliant to the distribution specification linked above.
@@ -155,6 +158,21 @@ server = "https://registry-1.docker.io"    # Exclude this to not use upstream
   ca = "docker-mirror.crt"                 # Or absolute path /etc/containerd/certs.d/docker.io/docker-mirror.crt
 ```
 
+### Setup Default Mirror for All Registries
+
+```
+$ tree /etc/containerd/certs.d
+/etc/containerd/certs.d
+└── _default
+    └── hosts.toml
+
+$ cat /etc/containerd/certs.d/_default/hosts.toml
+server = "https://registry.example.com"
+
+[host."https://registry.example.com"]
+  capabilities = ["pull", "resolve"]
+```
+
 ### Bypass TLS Verification Example
 
 To bypass the TLS verification for a private registry at `192.168.31.250:5000`

diff --git a/go.mod b/go.mod
@@ -5,7 +5,7 @@ go 1.17
 require (
 	github.com/AdaLogics/go-fuzz-headers v0.0.0-20210715213245-6c3934b029d8
 	github.com/Microsoft/go-winio v0.5.2
-	github.com/Microsoft/hcsshim v0.9.6
+	github.com/Microsoft/hcsshim v0.9.7
 	github.com/containerd/aufs v1.0.0
 	github.com/containerd/btrfs v1.0.0
 	github.com/containerd/cgroups v1.0.4

diff --git a/go.sum b/go.sum
@@ -83,8 +83,8 @@ github.com/Microsoft/hcsshim v0.8.20/go.mod h1:+w2gRZ5ReXQhFOrvSQeNfhrYB/dg3oDwT
 github.com/Microsoft/hcsshim v0.8.21/go.mod h1:+w2gRZ5ReXQhFOrvSQeNfhrYB/dg3oDwTOcER2fw4I4=
 github.com/Microsoft/hcsshim v0.8.23/go.mod h1:4zegtUJth7lAvFyc6cH2gGQ5B3OFQim01nnU2M8jKDg=
 github.com/Microsoft/hcsshim v0.9.2/go.mod h1:7pLA8lDk46WKDWlVsENo92gC0XFa8rbKfyFRBqxEbCc=
-github.com/Microsoft/hcsshim v0.9.6 h1:VwnDOgLeoi2du6dAznfmspNqTiwczvjv4K7NxuY9jsY=
-github.com/Microsoft/hcsshim v0.9.6/go.mod h1:7pLA8lDk46WKDWlVsENo92gC0XFa8rbKfyFRBqxEbCc=
+github.com/Microsoft/hcsshim v0.9.7 h1:mKNHW/Xvv1aFH87Jb6ERDzXTJTLPlmzfZ28VBFD/bfg=
+github.com/Microsoft/hcsshim v0.9.7/go.mod h1:7pLA8lDk46WKDWlVsENo92gC0XFa8rbKfyFRBqxEbCc=
 github.com/Microsoft/hcsshim/test v0.0.0-20201218223536-d3e5debf77da/go.mod h1:5hlzMzRKMLyo42nCZ9oml8AdTlq/0cvIaBv6tK1RehU=
 github.com/Microsoft/hcsshim/test v0.0.0-20210227013316-43a75bb4edd3/go.mod h1:mw7qgWloBUl75W/gVH3cQszUg1+gUITj7D6NY7ywVnY=
 github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=

diff --git a/images/archive/importer.go b/images/archive/importer.go
@@ -232,12 +232,14 @@ func ImportIndex(ctx context.Context, store content.Store, reader io.Reader, opt
 	return writeManifest(ctx, store, idx, ocispec.MediaTypeImageIndex)
 }
 
+const (
+	kib       = 1024
+	mib       = 1024 * kib
+	jsonLimit = 20 * mib
+)
+
 func onUntarJSON(r io.Reader, j interface{}) error {
-	b, err := io.ReadAll(r)
-	if err != nil {
-		return err
-	}
-	return json.Unmarshal(b, j)
+	return json.NewDecoder(io.LimitReader(r, jsonLimit)).Decode(j)
 }
 
 func onUntarBlob(ctx context.Context, r io.Reader, store content.Ingester, size int64, ref string) (digest.Digest, error) {