containerd 1.2.8

Welcome to the v1.2.8 release of containerd!

The eighth patch release for `containerd` 1.2 provides a series of bug fixes, many of them backported from the master branch, to correct several known issues around manifest lists/indexes and pulling multi-arch images, CVEs related to Golang/http2, fd leakage in the Golang runtime, a shim hang, process and image environment config handling, and finally mount cleanup related to Cloud Foundry's use of containerd with rootless containers. A set of bug fixes/updates for the CRI plugin are also included; details for the CRI issues and fixes are shown below.

### Notable Updates

* Skip rootfs unmount when no mounts are provided. Fixed by [PR #3148](https://github.com/containerd/containerd/pull/3148) (cherry-picked as [PR #3402](https://github.com/containerd/containerd/pull/3402)).
* Close inherited socket file descriptor. Fixed in [PR #3359](https://github.com/containerd/containerd/pull/3359) (cherry-picked as [PR #3364](https://github.com/containerd/containerd/pull/3364)).
* Call CloseIO when stdin closes in ctr. Fixed by [PR #3462](https://github.com/containerd/containerd/pull/3462) (cherry-picked as [PR #3490](https://github.com/containerd/containerd/pull/3490)).
* Several multi-arch image fixes, including ARM platform matching, selecting the proper manifest, and limiting to the best-matched manifest, to solve discrepancies with multi-arch image operations. Backported [PR #3270](https://github.com/containerd/containerd/pull/3270) as [PR #3404](https://github.com/containerd/containerd/pull/3404), [PR #3484](https://github.com/containerd/containerd/pull/3484) as [PR #3512](https://github.com/containerd/containerd/pull/3512), and added [PR #3421](https://github.com/containerd/containerd/pull/3421).
* Override image's environment config with process config, including a backport of fixes and tests for merging/replacing env variables; fix in [PR #3542](https://github.com/containerd/containerd/pull/3542), backported via [PR #3546](https://github.com/containerd/containerd/pull/3546), which included a backport of [PR #2887](https://github.com/containerd/containerd/pull/2887). Additional fix to logic for override re: image `$PATH` cherry-picked in [PR #3565](https://github.com/containerd/containerd/pull/3565).
* Shim hang fix in master via [PR #3540](https://github.com/containerd/containerd/pull/3540) backported to `release/1.2` via [PR #3561](https://github.com/containerd/containerd/pull/3561).
* Updated Golang version to 1.12.9 patch release:
  * Resolves CVE-2019-9512 and CVE-2019-9514 from the 1.12.8 security release. Originally fixed via [PR #3531](https://github.com/containerd/containerd/pull/3531), which lists the details of the Golang CVEs, backported via [PR #3532](https://github.com/containerd/containerd/pull/3532) to `release/1.2`.
  * Resolves fd leaks reported via [golang/go#33405](https://github.com/golang/go/issues/33405) and resolved in the 1.12.9 patch release, updated via [PR #3544](https://github.com/containerd/containerd/pull/3544). This fd leak bug was initially reported in containerd issue [#3481](https://github.com/containerd/containerd/issues/3481).
* CRI: Fix a bug where, if an image is deleted immediately after being pulled, the image may still exist after the deletion finishes successfully. (https://github.com/containerd/cri/issues/1161)
* CRI: Fix a bug where the `runc` and `crictl` binaries shipped in https://storage.googleapis.com/cri-containerd-release are versioned with the containerd version. (https://github.com/containerd/cri/pull/1193)
* CRI: Fix a bug where images become unusable if 2 images have the same image ID and RepoTag, but different RepoDigests. (https://github.com/containerd/containerd/issues/3401)
* CRI: Fix [ProcMount](https://stupefied-goodall-e282f7.netlify.com/contributors/design-proposals/auth/proc-mount-type/) support (https://github.com/containerd/cri/pull/1216). ***NOTE: To use containerd 1.2.8+ with Kubernetes 1.11 or below, you MUST set `disable_proc_mount=true` in the cri plugin config.*** (https://github.com/containerd/cri/issues/1208)
* CRI: Fix a bug where containerd tries to connect to the image registry with `https` even if the `http` endpoint is configured. (https://github.com/containerd/cri/issues/1201)

Please try out the release binaries and report any issues at https://github.com/containerd/containerd/issues.

### Contributors

* Michael Crosby
* Lantao Liu
* Sebastiaan van Stijn
* Wei Fu
* Mike Brown
* Phil Estes
* Shukui Yang
* Derek McGowan
* Akihiro Suda
* Andrey Kolomentsev
* Darren Shepherd
* Eric Ren
* Georgi Sabev
* Jaime Caamaño Ruiz
* Jintao Zhang
* Justin Terry
* Yangyang

### Changes

* [`a4bc1d432a`](https://github.com/containerd/containerd/commit/a4bc1d432a2c33aa2eed37f338dceabb93641310) Merge pull request [#3534](https://github.com/containerd/containerd/pull/3534) from estesp/prep-v1.2.8
* [`5e060c4246`](https://github.com/containerd/containerd/commit/5e060c4246ba45dec63dcb9e502d2611b43c7078) Merge pull request [#3565](https://github.com/containerd/containerd/pull/3565) from estesp/cp-3551
* [`a9ba2e681c`](https://github.com/containerd/containerd/commit/a9ba2e681cd8d68f0dc8f411cd4272d2fef3f7ab) Prepare v1.2.8 point release
* [`1c309d804d`](https://github.com/containerd/containerd/commit/1c309d804d74a773992550e4e22341f833d6c144) Remove the process default ENV
* [`de8fa9b614`](https://github.com/containerd/containerd/commit/de8fa9b61446adee4a82f088096361715b2a6930) Merge pull request [#3561](https://github.com/containerd/containerd/pull/3561) from keloyang/shim-hung-1.2
* [`f1c661f787`](https://github.com/containerd/containerd/commit/f1c661f7872ff96a8f25b4fff878115c0bff7a17) Change bufferSize back to 32
* [`d161ab6327`](https://github.com/containerd/containerd/commit/d161ab6327a9e5c501d68c8264d3ef10eb7394aa) Try to preserve exit event order
* [`7e2864b8f0`](https://github.com/containerd/containerd/commit/7e2864b8f096e622c7971a1c5e8c7f2fc337c110) Add retry and non-blocking send for exit events
* [`dbf9a50175`](https://github.com/containerd/containerd/commit/dbf9a501756967a91e798ace7916d5e7a98e4a8d) Unifi reaper logic into package
* [`9b5b55b142`](https://github.com/containerd/containerd/commit/9b5b55b142c0412c232fb3819946a8c393ed68a0) Fix shim hung
* [`b21e4f466e`](https://github.com/containerd/containerd/commit/b21e4f466e7447786fe22a9ad5e3bdc83524c557) Merge pull request [#3546](https://github.com/containerd/containerd/pull/3546) from estesp/cp-3542
* [`c8d75ca5ed`](https://github.com/containerd/containerd/commit/c8d75ca5eda838204af7bfad330128d0f7dedb9b) do not mutate defaults in replaceOrAppendEnvValues
* [`6c6b7e2976`](https://github.com/containerd/containerd/commit/6c6b7e29765e471158053db5aa37e740d952c55a) bugfix: override image.Env with process.Env, rather than be contrary
* [`a0526340f7`](https://github.com/containerd/containerd/commit/a0526340f707e3bfebee80e8c116ed748f984444) Merge pull request [#3544](https://github.com/containerd/containerd/pull/3544) from thaJeztah/1.2_backport_bump_golang_1.12.9
* [`17690cc2fe`](https://github.com/containerd/containerd/commit/17690cc2fe5767080ddcebf175e85a39bc77c092) AppVeyor: update to go 1.12.9
* [`c5bca64cd1`](https://github.com/containerd/containerd/commit/c5bca64cd1c7132cc6b9e4a164a90f12ee5f9a23) Merge pull request [#3538](https://github.com/containerd/containerd/pull/3538) from thaJeztah/1.2_revert_bump_libseccomp
* [`8c0ec3c35e`](https://github.com/containerd/containerd/commit/8c0ec3c35ef448a5f0194f414dc357e2c39d9366) Revert "bump libseccomp-golang v0.9.1"
* [`eed8acd47c`](https://github.com/containerd/containerd/commit/eed8acd47c71def7e4e7266a77690e5ee8b0e300) Merge pull request [#3535](https://github.com/containerd/containerd/pull/3535) from Random-Liu/update-cri-release-1.2
* [`941dd9f2c3`](https://github.com/containerd/containerd/commit/941dd9f2c34aedca4c970e9ca33d06895b8c7995) Update cri to d928a4dd337fd2a992dbe72380eff2063c3ec62f.
* [`e70728b659`](https://github.com/containerd/containerd/commit/e70728b6599aa43fb6e551aa9fcd56eb8332e50f) Merge pull request [#3532](https://github.com/containerd/containerd/pull/3532) from thaJeztah/1.2_backport_bump_golang_1.12.8
* [`4097217bbd`](https://github.com/containerd/containerd/commit/4097217bbd90ea4aa7f957d1d8a8b72734bfcec6) AppVeyor: update to go 1.12.8 (CVE-2019-9512, CVE-2019-9514)
* [`bb238e05a1`](https://github.com/containerd/containerd/commit/bb238e05a129779588953c36b3af9d61ef5ce667) AppVeyor: update to go 1.12.7
* [`150468fcc7`](https://github.com/containerd/containerd/commit/150468fcc7bae5a82c4b85012144ff5c54380c6d) contrib: Dockerfile: bump go 1.12
* [`c675ea30c4`](https://github.com/containerd/containerd/commit/c675ea30c4db5300852fad25c00655a30dacc48d) contrib: Dockerfile: add a base stage
* [`59134eb991`](https://github.com/containerd/containerd/commit/59134eb991a6b459805cbeb8ca498e19471acbf2) contrib: Dockerfile: reformat, and use --no-install-recommends
* [`ad3bfc9e32`](https://github.com/containerd/containerd/commit/ad3bfc9e32ce9c44cf20b7f9471984ec7730fd70) contrib: Dockerfile: use build-arg for go-version
* [`3d8ca756ab`](https://github.com/containerd/containerd/commit/3d8ca756abd1bcfed612a397e4e8d530737838f0) Merge pull request [#3527](https://github.com/containerd/containerd/pull/3527) from estesp/cp-2828-isolated
* [`11a25c8a62`](https://github.com/containerd/containerd/commit/11a25c8a62b393b393266357aecbf628de6dac05) Move ctr run --isolation to Windows only
* [`99ba29cbd5`](https://github.com/containerd/containerd/commit/99ba29cbd54a66481832e76ecaa6ff47a4ccb763) Merge pull request [#3512](https://github.com/containerd/containerd/pull/3512) from fuweid/cp-3484
* [`47e5d5fd44`](https://github.com/containerd/containerd/commit/47e5d5fd4400bb9ec9b5e1f79db372a2742aba00) Limit multiple platform manifests to one for size check
* [`6e4353d6a9`](https://github.com/containerd/containerd/commit/6e4353d6a997bc18246959919e5f59483e47fd3d) Merge pull request [#3490](https://github.com/containerd/containerd/pull/3490) from estesp/cp3462
* [`116e770a8a`](https://github.com/containerd/containerd/commit/116e770a8aa79fd6ee77ce3239dc6d680e145d48) Call CloseIO when stdin closes in ctr
* [`becb04a793`](https://github.com/containerd/containerd/commit/becb04a7932e923baa4350f7baddd1bc39a420a0) Merge pull request [#3437](https://github.com/containerd/containerd/pull/3437) from fuweid/cb-3025
* [`c8bbceb4ed`](https://github.com/containerd/containerd/commit/c8bbceb4ed9f6b7de5bd796bc427793bdcf32240) metadata: merge snapshot labels with metadata's labels
* [`4579a892be`](https://github.com/containerd/containerd/commit/4579a892beae99b2fbcdef67fcbe0d066be0a925) Merge pull request [#3428](https://github.com/containerd/containerd/pull/3428) from AkihiroSuda/fix-task-start-1.2
* [`227ebf36a9`](https://github.com/containerd/containerd/commit/227ebf36a99b750359cc16637edd0710da933671) runtime/v1/linux: ignore ErrCgroupDeleted in Task.Start
* [`18100a35eb`](https://github.com/containerd/containerd/commit/18100a35ebf3078df4947c45a50894091ecb60b1) Merge pull request [#3421](https://github.com/containerd/containerd/pull/3421) from fuweid/cherry-pick-manifest
* [`d528a69a42`](https://github.com/containerd/containerd/commit/d528a69a42a091aab271771bf9ca707ade481eb3) images: only fetch the best matched manifest info
* [`ef9f3a5316`](https://github.com/containerd/containerd/commit/ef9f3a53167268c2590dc350c421e96abf4c68fc) Merge pull request [#3413](https://github.com/containerd/containerd/pull/3413) from crosbymichael/snapshot-test
* [`46920a60fa`](https://github.com/containerd/containerd/commit/46920a60faf72ca455e78dd16930ca12f0266bef) test/snapshots: umount before committing snapshot
* [`e12b7078f2`](https://github.com/containerd/containerd/commit/e12b7078f2559a0c6164aef1b29e47feeeaf953a) Merge pull request [#3404](https://github.com/containerd/containerd/pull/3404) from crosbymichael/cherry-arm
* [`452e9c532b`](https://github.com/containerd/containerd/commit/452e9c532b5801579d5ca665a3aea448e6930673) Improve ARM platform matching
* [`682f6e730f`](https://github.com/containerd/containerd/commit/682f6e730fd9edc707ed3fab18f3b50b37bc30b8) Merge pull request [#3402](https://github.com/containerd/containerd/pull/3402) from masters-of-cats/release/1.2
* [`b207b33292`](https://github.com/containerd/containerd/commit/b207b33292a7c330d70a2b747cb2f109d5b93bae) Skip rootfs unmount when no mounts are provided
* [`fd103cb716`](https://github.com/containerd/containerd/commit/fd103cb716352c7e19768e4fed057f71d68902a0) Merge pull request [#3376](https://github.com/containerd/containerd/pull/3376) from thaJeztah/1.2_backport_bump_libseccomp
* [`d8f4da4fef`](https://github.com/containerd/containerd/commit/d8f4da4fef8a8f82b2252defd1778271e9640225) bump libseccomp-golang v0.9.1
* [`524eb23af6`](https://github.com/containerd/containerd/commit/524eb23af6f5971fa3f0216c8dc98b73c6cd6bb0) Merge pull request [#3364](https://github.com/containerd/containerd/pull/3364) from keloyang/close-socket-fd-1.2
* [`ed35eec321`](https://github.com/containerd/containerd/commit/ed35eec32133875d0402b933070f6bd102c7145a) Close the inherited socket fd
* [`5ca28c1d0f`](https://github.com/containerd/containerd/commit/5ca28c1d0fa55e54567f0ae76a6f1c8b124c3288) Merge pull request [#3342](https://github.com/containerd/containerd/pull/3342) from thaJeztah/1.2_backport_travis_and_golang
* [`4b2dc65cf2`](https://github.com/containerd/containerd/commit/4b2dc65cf2129d14d32f2408135764e7d1b52d3c) Merge pull request [#3346](https://github.com/containerd/containerd/pull/3346) from crosbymichael/cherry-diff-panic
* [`b2d260c4f4`](https://github.com/containerd/containerd/commit/b2d260c4f4d97bbfdf2e535ac03846f46bbaa033) Ensure labels is not nil in differ
* [`1b2230eb33`](https://github.com/containerd/containerd/commit/1b2230eb33577c723e3e415a99d384dd08e1a377) AppVeyor: Bump golang 1.12.6
* [`d0b89fd57e`](https://github.com/containerd/containerd/commit/d0b89fd57ea783c3153fc0e7d12be61fd4784b17) Add travis_wait to prevent vndr timing out
* [`aab8e9d135`](https://github.com/containerd/containerd/commit/aab8e9d1351bd3522f236986df25f649f4c253d3) Update to Golang 1.12, and prepare for ppc64le
* [`56f8ef8ced`](https://github.com/containerd/containerd/commit/56f8ef8ced14ccda8a41f1e80455f35dbe901be8) Update travis to xenial worker

### Changes from containerd/cri

* [`d928a4dd`](https://github.com/containerd/cri/commit/d928a4dd337fd2a992dbe72380eff2063c3ec62f) Merge pull request [#1230](https://github.com/containerd/cri/pull/1230) from Random-Liu/fix-https-release-1.2
* [`ecd021d4`](https://github.com/containerd/cri/commit/ecd021d4fc99ce6b82efe08ed74081a461018d42) Fix unnecessary https trial in release/1.2.
* [`789b26f3`](https://github.com/containerd/cri/commit/789b26f33bd08df09cfd23f1c20c2026fec762b4) Merge pull request [#1216](https://github.com/containerd/cri/pull/1216) from Random-Liu/cherrypick-1209-release-1.2
* [`c54f640f`](https://github.com/containerd/cri/commit/c54f640f6cc34ed1db611ee026eee091587e7117) Add test for disable_proc_mount.
* [`21343bf7`](https://github.com/containerd/cri/commit/21343bf742b566ffd80de97a3048e9e680504d70) Fix proc mount support.
* [`106dfbde`](https://github.com/containerd/cri/commit/106dfbde97905882d16ccbdd0638251529a6b90a) Merge pull request [#1210](https://github.com/containerd/cri/pull/1210) from Random-Liu/cherrypick-1202-release-1.2
* [`dcdfa8f2`](https://github.com/containerd/cri/commit/dcdfa8f2c57f74dab70e606abb19dd2b399601e9) Do not cache image handler.
* [`7fb9c17c`](https://github.com/containerd/cri/commit/7fb9c17cbb8cc83f48dbb0f886ffbbcfb2a8b583) Merge pull request [#1191](https://github.com/containerd/cri/pull/1191) from thaJeztah/1.2_backport_bump_libseccomp
* [`f68a182b`](https://github.com/containerd/cri/commit/f68a182bc521bc509bea2f57f383ac592e13f089) Merge pull request [#1193](https://github.com/containerd/cri/pull/1193) from thaJeztah/1.2_backport_fix_version
* [`0c86149e`](https://github.com/containerd/cri/commit/0c86149e2fd52ab44566c2b84b860bcda0b154f4) Fix runc and critools version in release.
* [`8738fd62`](https://github.com/containerd/cri/commit/8738fd6287d40296632484a4b0c14fe2372b10c2) bump libseccomp-golang v0.9.1
* [`0bb5f8ed`](https://github.com/containerd/cri/commit/0bb5f8edb9ac880376f92fc126a5004ceaeb7661) Merge pull request [#1186](https://github.com/containerd/cri/pull/1186) from mikebrow/revert-1179-update-containerd-release-1.2
* [`489dd6af`](https://github.com/containerd/cri/commit/489dd6afbd78e1259141db4deee627ad741db176) Revert "[release/1.2] Update containerd to v1.2.7"
* [`38ab32bf`](https://github.com/containerd/cri/commit/38ab32bf5e2d33345c920c70937a13c6fecb0d9b) Merge pull request [#1179](https://github.com/containerd/cri/pull/1179) from Random-Liu/update-containerd-release-1.2
* [`30e14d9d`](https://github.com/containerd/cri/commit/30e14d9d9d17a545613c9720389495236a5c9b6d) Update containerd to v1.2.7
* [`ec3609df`](https://github.com/containerd/cri/commit/ec3609df5b6d6f07b1e42046c50fdcad6af060a0) Merge pull request [#1167](https://github.com/containerd/cri/pull/1167) from Random-Liu/cherrypick-#1162-release-1.2
* [`cb317ddf`](https://github.com/containerd/cri/commit/cb317ddfc771464bd071f312031d49fbfe181039) Add cri managed image label when pulling the image.

### Dependency Changes

Previous release can be found at [v1.2.7](https://github.com/containerd/containerd/releases/tag/v1.2.7)

* **github.com/containerd/cri** 49ca74043390bc2eeea7a45a46005fbec58a3f88 -> d928a4dd337fd2a992dbe72380eff2063c3ec62f