containerd 1.2.8
Welcome to the v1.2.8 release of containerd!
The eighth patch release for `containerd` 1.2 provides a series of bug fixes, many
of them backported from the master branch to correct several known issues around
manifest lists/indexes and pulling multi-arch, CVEs related to Golang/http2,
fd leakage in the Golang runtime, a shim hang, process and image environment config
handling, and finally mount cleanup related to Cloud Foundry's use of containerd
with rootless containers. A set of bug fixes/updates for the CRI plugin are also
included; details for the CRI issues and fixes are shown below.
### Notable Updates
* Skip rootfs unmount when no mounts are provided. Fixed by [PR #3148](https://github.com/containerd/containerd/pull/3148) {cherry-picked as [PR #3402](https://github.com/containerd/containerd/pull/3402)}.
* Close inherited socket file descriptor. Fixed in [PR #3359](https://github.com/containerd/containerd/pull/3359) {cherry-picked as [PR #3364](https://github.com/containerd/containerd/pull/3364)}.
* Call CloseIO when stdin closes in ctr. Fixed by [PR #3462](https://github.com/containerd/containerd/pull/3462) {cherry-picked as [PR 3490](https://github.com/containerd/containerd/pull/3490)}.
* Several multi-arch image fixes, including: ARM platform matching, selecting the proper manifest, and limited to best matched manifest to solve discrepancies with multi-arch image operations. Backported [PR #3270](https://github.com/containerd/containerd/pull/3270) as [PR #3404](https://github.com/containerd/containerd/pull/3404), [PR #3484](https://github.com/containerd/containerd/pull/3484) as [PR #3512](https://github.com/containerd/containerd/pull/3512), and added [PR #3421](https://github.com/containerd/containerd/pull/3421).
* Override image's environment config with process config; including backport of fixes and tests for merging/replacing env variables; fix in [PR #3542](https://github.com/containerd/containerd/pull/3542), backported via [PR #3546](https://github.com/containerd/containerd/pull/3546) which included a backport of [PR #2887](https://github.com/containerd/containerd/pull/2887). Additional fix to logic for override re: image `$PATH` cherry-picked in [PR #3565](https://github.com/containerd/containerd/pull/3565).
* Shim hang fix in master via [PR #3540](https://github.com/containerd/containerd/pull/3540) backported to `release/1.2` via [PR #3561](https://github.com/containerd/containerd/pull/3561).
* Updated Golang version to 1.12.9 patch release:
* Resolves CVE-2019-9512 and CVE-2019-9514 from the 1.12.8 security release. Originally fixed via [PR #3531](https://github.com/containerd/containerd/pull/3531) which lists the details of the Golang CVEs, backported via [PR #3532](https://github.com/containerd/containerd/pull/3532) to `release/1.2`.
* Resolves fd leaks reported via [golang/go#33405](https://github.com/golang/go/issues/33405) and resolved in the 1.12.9 patch release, updated via [PR #3544](https://github.com/containerd/containerd/pull/3544). This fd leak bug was initially reported in containerd issue [#3481](https://github.com/containerd/containerd/issues/3481).
* CRI: Fix a bug that if an image is deleted immediately after being pulled, the image may still exist after the deletion finishes successfully. (https://github.com/containerd/cri/issues/1161)
* CRI: Fix a bug that `runc` and `crictl` binaries shipped in https://storage.googleapis.com/cri-containerd-release are versioned with the containerd version. (https://github.com/containerd/cri/pull/1193)
* CRI: Fix a bug that the images become unusable if 2 images have the same image ID and RepoTag, but different RepoDigests. (https://github.com/containerd/containerd/issues/3401)
* CRI: Fix [ProcMount](https://stupefied-goodall-e282f7.netlify.com/contributors/design-proposals/auth/proc-mount-type/) support (https://github.com/containerd/cri/pull/1216). ***NOTE: To use containerd 1.2.8+ with Kubernetes 1.11 or below, you MUST set `disable_proc_mount=true` in the cri plugin config.*** (https://github.com/containerd/cri/issues/1208)
* CRI: Fix a bug that containerd tries to connect image registry with `https` even if the `http` endpoint is configured. (https://github.com/containerd/cri/issues/1201)
Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.
### Contributors
* Michael Crosby
* Lantao Liu
* Sebastiaan van Stijn
* Wei Fu
* Mike Brown
* Phil Estes
* Shukui Yang
* Derek McGowan
* Akihiro Suda
* Andrey Kolomentsev
* Darren Shepherd
* Eric Ren
* Georgi Sabev
* Jaime Caamaño Ruiz
* Jintao Zhang
* Justin Terry
* Yangyang
### Changes
* [`a4bc1d432a`](https://github.com/containerd/containerd/commit/a4bc1d432a2c33aa2eed37f338dceabb93641310) Merge pull request [#3534](https://github.com/containerd/containerd/pull/3534) from estesp/prep-v1.2.8
* [`5e060c4246`](https://github.com/containerd/containerd/commit/5e060c4246ba45dec63dcb9e502d2611b43c7078) Merge pull request [#3565](https://github.com/containerd/containerd/pull/3565) from estesp/cp-3551
* [`a9ba2e681c`](https://github.com/containerd/containerd/commit/a9ba2e681cd8d68f0dc8f411cd4272d2fef3f7ab) Prepare v1.2.8 point release
* [`1c309d804d`](https://github.com/containerd/containerd/commit/1c309d804d74a773992550e4e22341f833d6c144) Remove the process default ENV
* [`de8fa9b614`](https://github.com/containerd/containerd/commit/de8fa9b61446adee4a82f088096361715b2a6930) Merge pull request [#3561](https://github.com/containerd/containerd/pull/3561) from keloyang/shim-hung-1.2
* [`f1c661f787`](https://github.com/containerd/containerd/commit/f1c661f7872ff96a8f25b4fff878115c0bff7a17) Change bufferSize back to 32
* [`d161ab6327`](https://github.com/containerd/containerd/commit/d161ab6327a9e5c501d68c8264d3ef10eb7394aa) Try to preserve exit event order
* [`7e2864b8f0`](https://github.com/containerd/containerd/commit/7e2864b8f096e622c7971a1c5e8c7f2fc337c110) Add retry and non-blocking send for exit events
* [`dbf9a50175`](https://github.com/containerd/containerd/commit/dbf9a501756967a91e798ace7916d5e7a98e4a8d) Unifi reaper logic into package
* [`9b5b55b142`](https://github.com/containerd/containerd/commit/9b5b55b142c0412c232fb3819946a8c393ed68a0) Fix shim hung
* [`b21e4f466e`](https://github.com/containerd/containerd/commit/b21e4f466e7447786fe22a9ad5e3bdc83524c557) Merge pull request [#3546](https://github.com/containerd/containerd/pull/3546) from estesp/cp-3542
* [`c8d75ca5ed`](https://github.com/containerd/containerd/commit/c8d75ca5eda838204af7bfad330128d0f7dedb9b) do not mutate defaults in replaceOrAppendEnvValues
* [`6c6b7e2976`](https://github.com/containerd/containerd/commit/6c6b7e29765e471158053db5aa37e740d952c55a) bugfix: override image.Env with process.Env, rather than be contrary
* [`a0526340f7`](https://github.com/containerd/containerd/commit/a0526340f707e3bfebee80e8c116ed748f984444) Merge pull request [#3544](https://github.com/containerd/containerd/pull/3544) from thaJeztah/1.2_backport_bump_golang_1.12.9
* [`17690cc2fe`](https://github.com/containerd/containerd/commit/17690cc2fe5767080ddcebf175e85a39bc77c092) AppVeyor: update to go 1.12.9
* [`c5bca64cd1`](https://github.com/containerd/containerd/commit/c5bca64cd1c7132cc6b9e4a164a90f12ee5f9a23) Merge pull request [#3538](https://github.com/containerd/containerd/pull/3538) from thaJeztah/1.2_revert_bump_libseccomp
* [`8c0ec3c35e`](https://github.com/containerd/containerd/commit/8c0ec3c35ef448a5f0194f414dc357e2c39d9366) Revert "bump libseccomp-golang v0.9.1"
* [`eed8acd47c`](https://github.com/containerd/containerd/commit/eed8acd47c71def7e4e7266a77690e5ee8b0e300) Merge pull request [#3535](https://github.com/containerd/containerd/pull/3535) from Random-Liu/update-cri-release-1.2
* [`941dd9f2c3`](https://github.com/containerd/containerd/commit/941dd9f2c34aedca4c970e9ca33d06895b8c7995) Update cri to d928a4dd337fd2a992dbe72380eff2063c3ec62f.
* [`e70728b659`](https://github.com/containerd/containerd/commit/e70728b6599aa43fb6e551aa9fcd56eb8332e50f) Merge pull request [#3532](https://github.com/containerd/containerd/pull/3532) from thaJeztah/1.2_backport_bump_golang_1.12.8
* [`4097217bbd`](https://github.com/containerd/containerd/commit/4097217bbd90ea4aa7f957d1d8a8b72734bfcec6) AppVeyor: update to go 1.12.8 (CVE-2019-9512, CVE-2019-9514)
* [`bb238e05a1`](https://github.com/containerd/containerd/commit/bb238e05a129779588953c36b3af9d61ef5ce667) AppVeyor: update to go 1.12.7
* [`150468fcc7`](https://github.com/containerd/containerd/commit/150468fcc7bae5a82c4b85012144ff5c54380c6d) contrib: Dockerfile: bump go 1.12
* [`c675ea30c4`](https://github.com/containerd/containerd/commit/c675ea30c4db5300852fad25c00655a30dacc48d) contrib: Dockerfile: add a base stage
* [`59134eb991`](https://github.com/containerd/containerd/commit/59134eb991a6b459805cbeb8ca498e19471acbf2) contrib: Dockerfile: reformat, and use --no-install-recommends
* [`ad3bfc9e32`](https://github.com/containerd/containerd/commit/ad3bfc9e32ce9c44cf20b7f9471984ec7730fd70) contrib: Dockerfile: use build-arg for go-version
* [`3d8ca756ab`](https://github.com/containerd/containerd/commit/3d8ca756abd1bcfed612a397e4e8d530737838f0) Merge pull request [#3527](https://github.com/containerd/containerd/pull/3527) from estesp/cp-2828-isolated
* [`11a25c8a62`](https://github.com/containerd/containerd/commit/11a25c8a62b393b393266357aecbf628de6dac05) Move ctr run --isolation to Windows only
* [`99ba29cbd5`](https://github.com/containerd/containerd/commit/99ba29cbd54a66481832e76ecaa6ff47a4ccb763) Merge pull request [#3512](https://github.com/containerd/containerd/pull/3512) from fuweid/cp-3484
* [`47e5d5fd44`](https://github.com/containerd/containerd/commit/47e5d5fd4400bb9ec9b5e1f79db372a2742aba00) Limit multiple platform manifests to one for size check
* [`6e4353d6a9`](https://github.com/containerd/containerd/commit/6e4353d6a997bc18246959919e5f59483e47fd3d) Merge pull request [#3490](https://github.com/containerd/containerd/pull/3490) from estesp/cp3462
* [`116e770a8a`](https://github.com/containerd/containerd/commit/116e770a8aa79fd6ee77ce3239dc6d680e145d48) Call CloseIO when stdin closes in ctr
* [`becb04a793`](https://github.com/containerd/containerd/commit/becb04a7932e923baa4350f7baddd1bc39a420a0) Merge pull request [#3437](https://github.com/containerd/containerd/pull/3437) from fuweid/cb-3025
* [`c8bbceb4ed`](https://github.com/containerd/containerd/commit/c8bbceb4ed9f6b7de5bd796bc427793bdcf32240) metadata: merge snapshot labels with metadata's labels
* [`4579a892be`](https://github.com/containerd/containerd/commit/4579a892beae99b2fbcdef67fcbe0d066be0a925) Merge pull request [#3428](https://github.com/containerd/containerd/pull/3428) from AkihiroSuda/fix-task-start-1.2
* [`227ebf36a9`](https://github.com/containerd/containerd/commit/227ebf36a99b750359cc16637edd0710da933671) runtime/v1/linux: ignore ErrCgroupDeleted in Task.Start
* [`18100a35eb`](https://github.com/containerd/containerd/commit/18100a35ebf3078df4947c45a50894091ecb60b1) Merge pull request [#3421](https://github.com/containerd/containerd/pull/3421) from fuweid/cherry-pick-manifest
* [`d528a69a42`](https://github.com/containerd/containerd/commit/d528a69a42a091aab271771bf9ca707ade481eb3) images: only fetch the best matched manifest info
* [`ef9f3a5316`](https://github.com/containerd/containerd/commit/ef9f3a53167268c2590dc350c421e96abf4c68fc) Merge pull request [#3413](https://github.com/containerd/containerd/pull/3413) from crosbymichael/snapshot-test
* [`46920a60fa`](https://github.com/containerd/containerd/commit/46920a60faf72ca455e78dd16930ca12f0266bef) test/snapshots: umount before committing snapshot
* [`e12b7078f2`](https://github.com/containerd/containerd/commit/e12b7078f2559a0c6164aef1b29e47feeeaf953a) Merge pull request [#3404](https://github.com/containerd/containerd/pull/3404) from crosbymichael/cherry-arm
* [`452e9c532b`](https://github.com/containerd/containerd/commit/452e9c532b5801579d5ca665a3aea448e6930673) Improve ARM platform matching
* [`682f6e730f`](https://github.com/containerd/containerd/commit/682f6e730fd9edc707ed3fab18f3b50b37bc30b8) Merge pull request [#3402](https://github.com/containerd/containerd/pull/3402) from masters-of-cats/release/1.2
* [`b207b33292`](https://github.com/containerd/containerd/commit/b207b33292a7c330d70a2b747cb2f109d5b93bae) Skip rootfs unmount when no mounts are provided
* [`fd103cb716`](https://github.com/containerd/containerd/commit/fd103cb716352c7e19768e4fed057f71d68902a0) Merge pull request [#3376](https://github.com/containerd/containerd/pull/3376) from thaJeztah/1.2_backport_bump_libseccomp
* [`d8f4da4fef`](https://github.com/containerd/containerd/commit/d8f4da4fef8a8f82b2252defd1778271e9640225) bump libseccomp-golang v0.9.1
* [`524eb23af6`](https://github.com/containerd/containerd/commit/524eb23af6f5971fa3f0216c8dc98b73c6cd6bb0) Merge pull request [#3364](https://github.com/containerd/containerd/pull/3364) from keloyang/close-socket-fd-1.2
* [`ed35eec321`](https://github.com/containerd/containerd/commit/ed35eec32133875d0402b933070f6bd102c7145a) Close the inherited socket fd
* [`5ca28c1d0f`](https://github.com/containerd/containerd/commit/5ca28c1d0fa55e54567f0ae76a6f1c8b124c3288) Merge pull request [#3342](https://github.com/containerd/containerd/pull/3342) from thaJeztah/1.2_backport_travis_and_golang
* [`4b2dc65cf2`](https://github.com/containerd/containerd/commit/4b2dc65cf2129d14d32f2408135764e7d1b52d3c) Merge pull request [#3346](https://github.com/containerd/containerd/pull/3346) from crosbymichael/cherry-diff-panic
* [`b2d260c4f4`](https://github.com/containerd/containerd/commit/b2d260c4f4d97bbfdf2e535ac03846f46bbaa033) Ensure labels is not nil in differ
* [`1b2230eb33`](https://github.com/containerd/containerd/commit/1b2230eb33577c723e3e415a99d384dd08e1a377) AppVeyor: Bump golang 1.12.6
* [`d0b89fd57e`](https://github.com/containerd/containerd/commit/d0b89fd57ea783c3153fc0e7d12be61fd4784b17) Add travis_wait to prevent vndr timing out
* [`aab8e9d135`](https://github.com/containerd/containerd/commit/aab8e9d1351bd3522f236986df25f649f4c253d3) Update to Golang 1.12, and prepare for ppc64le
* [`56f8ef8ced`](https://github.com/containerd/containerd/commit/56f8ef8ced14ccda8a41f1e80455f35dbe901be8) Update travis to xenial worker
### Changes from containerd/cri
* [`d928a4dd`](https://github.com/containerd/cri/commit/d928a4dd337fd2a992dbe72380eff2063c3ec62f) Merge pull request [#1230](https://github.com/containerd/cri/pull/1230) from Random-Liu/fix-https-release-1.2
* [`ecd021d4`](https://github.com/containerd/cri/commit/ecd021d4fc99ce6b82efe08ed74081a461018d42) Fix unnecessary https trial in release/1.2.
* [`789b26f3`](https://github.com/containerd/cri/commit/789b26f33bd08df09cfd23f1c20c2026fec762b4) Merge pull request [#1216](https://github.com/containerd/cri/pull/1216) from Random-Liu/cherrypick-1209-release-1.2
* [`c54f640f`](https://github.com/containerd/cri/commit/c54f640f6cc34ed1db611ee026eee091587e7117) Add test for disable_proc_mount.
* [`21343bf7`](https://github.com/containerd/cri/commit/21343bf742b566ffd80de97a3048e9e680504d70) Fix proc mount support.
* [`106dfbde`](https://github.com/containerd/cri/commit/106dfbde97905882d16ccbdd0638251529a6b90a) Merge pull request [#1210](https://github.com/containerd/cri/pull/1210) from Random-Liu/cherrypick-1202-release-1.2
* [`dcdfa8f2`](https://github.com/containerd/cri/commit/dcdfa8f2c57f74dab70e606abb19dd2b399601e9) Do not cache image handler.
* [`7fb9c17c`](https://github.com/containerd/cri/commit/7fb9c17cbb8cc83f48dbb0f886ffbbcfb2a8b583) Merge pull request [#1191](https://github.com/containerd/cri/pull/1191) from thaJeztah/1.2_backport_bump_libseccomp
* [`f68a182b`](https://github.com/containerd/cri/commit/f68a182bc521bc509bea2f57f383ac592e13f089) Merge pull request [#1193](https://github.com/containerd/cri/pull/1193) from thaJeztah/1.2_backport_fix_version
* [`0c86149e`](https://github.com/containerd/cri/commit/0c86149e2fd52ab44566c2b84b860bcda0b154f4) Fix runc and critools version in release.
* [`8738fd62`](https://github.com/containerd/cri/commit/8738fd6287d40296632484a4b0c14fe2372b10c2) bump libseccomp-golang v0.9.1
* [`0bb5f8ed`](https://github.com/containerd/cri/commit/0bb5f8edb9ac880376f92fc126a5004ceaeb7661) Merge pull request [#1186](https://github.com/containerd/cri/pull/1186) from mikebrow/revert-1179-update-containerd-release-1.2
* [`489dd6af`](https://github.com/containerd/cri/commit/489dd6afbd78e1259141db4deee627ad741db176) Revert "[release/1.2] Update containerd to v1.2.7"
* [`38ab32bf`](https://github.com/containerd/cri/commit/38ab32bf5e2d33345c920c70937a13c6fecb0d9b) Merge pull request [#1179](https://github.com/containerd/cri/pull/1179) from Random-Liu/update-containerd-release-1.2
* [`30e14d9d`](https://github.com/containerd/cri/commit/30e14d9d9d17a545613c9720389495236a5c9b6d) Update containerd to v1.2.7
* [`ec3609df`](https://github.com/containerd/cri/commit/ec3609df5b6d6f07b1e42046c50fdcad6af060a0) Merge pull request [#1167](https://github.com/containerd/cri/pull/1167) from Random-Liu/cherrypick-#1162-release-1.2
* [`cb317ddf`](https://github.com/containerd/cri/commit/cb317ddfc771464bd071f312031d49fbfe181039) Add cri managed image label when pulling the image.
### Dependency Changes
Previous release can be found at [v1.2.7](https://github.com/containerd/containerd/releases/tag/v1.2.7)
* **github.com/containerd/cri** 49ca74043390bc2eeea7a45a46005fbec58a3f88 -> d928a4dd337fd2a992dbe72380eff2063c3ec62f