containerd 1.3.8 Welcome to the v1.3.8 release of containerd! The eighth patch release for `containerd` 1.3 includes several bug fixes and updates. ### Notable Updates * Fix metrics monitoring of v2 runtime tasks [containerd/containerd#4486](https://github.com/containerd/containerd/pull/4486) * Fix nil pointer error when restoring checkpoint [containerd/containerd#4754](https://github.com/containerd/containerd/pull/4754) * Fix devmapper device deletion on rollback [containerd/containerd#4437](https://github.com/containerd/containerd/pull/4437) * Fix integer overflow on Windows [containerd/containerd#4589](https://github.com/containerd/containerd/pull/4589) * Update seccomp default profile [containerd/containerd#4481](https://github.com/containerd/containerd/pull/4481) [#4491](https://github.com/containerd/containerd/pull/4491) [#4492](https://github.com/containerd/containerd/pull/4492) [#4493](https://github.com/containerd/containerd/pull/4493) Please try out the release binaries and report any issues at https://github.com/containerd/containerd/issues. ### Contributors * Lantao Liu * Sebastiaan van Stijn * Phil Estes * Derek McGowan * Wei Fu * Akihiro Suda * Brian Goff * Jintao Zhang * Mike Brown * Samuel Karp * Bingshen Wang * Bowen Yan * Florian Schmaus * Giuseppe Capizzi * Kazuyoshi Kato * Kenta Tada * Li Yuxuan * Maksym Pavlenko * Michael Crosby * Shengjing Zhu * Stanislav Levin * Tianon Gravi * Tim Allclair ### Changes <details><summary>109 commits</summary> <p> * [`7fb6e1713`](https://github.com/containerd/containerd/commit/7fb6e171309113ddcb8ea9599e34321550469250) Merge pull request [#4782](https://github.com/containerd/containerd/pull/4782) from dmcgowan/prepare-1.3.8 * [`3b63746c0`](https://github.com/containerd/containerd/commit/3b63746c0fff4395881e0fe8e7c81422894b8abf) Prepare 1.3.8 release * [`b2f19447a`](https://github.com/containerd/containerd/commit/b2f19447a1274bdbb8bf6df5b63f1950617021ca) Merge pull request [#4753](https://github.com/containerd/containerd/pull/4753) from thaJeztah/1.3_restore_nil_pointer * [`b3913eeaf`](https://github.com/containerd/containerd/commit/b3913eeaf14c9f9e0fda4c91391676af92010707) Merge pull request [#4750](https://github.com/containerd/containerd/pull/4750) from thaJeztah/1.3_backport_windows_int_overflow * [`bcb8bd3e4`](https://github.com/containerd/containerd/commit/bcb8bd3e43b5549b37f8c2608c4814e6a35e5178) bug fix:#3448 * [`7f4ecee09`](https://github.com/containerd/containerd/commit/7f4ecee097e35e28559a1a55d2be2a95bf4eba60) Fix integer overflow on windows * [`609788376`](https://github.com/containerd/containerd/commit/609788376d872c45f379a2e0269c9be64129e3a7) Merge pull request [#4747](https://github.com/containerd/containerd/pull/4747) from estesp/fix-gha-cve-1.3 * [`8fcab2e3f`](https://github.com/containerd/containerd/commit/8fcab2e3fe9333cefa184861828a687408388096) Fix release.yml script for GH Actions changes to env/path * [`e97ecf499`](https://github.com/containerd/containerd/commit/e97ecf499dbf9c7359eef49f33d4081d14e1dc80) Merge pull request [#4744](https://github.com/containerd/containerd/pull/4744) from estesp/fix-ci-1.3 * [`651188ccf`](https://github.com/containerd/containerd/commit/651188ccf9d9efc927a5aae716384b2f8761d7b5) Fix GH Actions CI deprecations * [`81678f0e5`](https://github.com/containerd/containerd/commit/81678f0e5a5ee3cf795e2244e4a2dceee2abc259) Merge pull request [#4697](https://github.com/containerd/containerd/pull/4697) from estesp/cp-4692-1.3 * [`d1f19bec7`](https://github.com/containerd/containerd/commit/d1f19bec732c78cc29eb9abb4383ce1db44fc1db) Remove setuid gosu in favor of "sudo -E PATH=$PATH ..." * [`ee26aa810`](https://github.com/containerd/containerd/commit/ee26aa8109f41615f93a1e2074c9ddd35612a2d4) Merge pull request [#4693](https://github.com/containerd/containerd/pull/4693) from samuelkarp/release1.3-critest * [`7f5720ee3`](https://github.com/containerd/containerd/commit/7f5720ee39417ffb83bfcf2852f78aec57d21dce) setup: install critest v1.16.1 * [`8ed201980`](https://github.com/containerd/containerd/commit/8ed2019805ed715e8a0a120e7f9bbbf754a38776) ci: run critest target for all runtimes * [`0cd442194`](https://github.com/containerd/containerd/commit/0cd4421947b0320a89b2b1a84c4843ff7a2491ef) Merge pull request [#4649](https://github.com/containerd/containerd/pull/4649) from estesp/cp-4645-1.3 * [`d47ee95a6`](https://github.com/containerd/containerd/commit/d47ee95a6379e563dfe3192906a05d0d6b381758) Check if a process exists before returning it * [`53371c823`](https://github.com/containerd/containerd/commit/53371c823884e6c4817e4e75a552db6950ce4c4b) Merge pull request [#4598](https://github.com/containerd/containerd/pull/4598) from estesp/release-script-updates * [`4bb1ec089`](https://github.com/containerd/containerd/commit/4bb1ec089ab07ede896200313f3793c9c73ff474) Proper case for DESTDIR so GH Actions configuration is used * [`6eef06eab`](https://github.com/containerd/containerd/commit/6eef06eab48549d9f0b309c18a76c39fd2ce3fa1) Fix DCO commit limit * [`e5afa333a`](https://github.com/containerd/containerd/commit/e5afa333a81c3d6f7dae94e35e491cc8c328fe1b) Add CRI release build * [`9bd8f6e4c`](https://github.com/containerd/containerd/commit/9bd8f6e4cc1f96458ba747a97b53286abee778f5) Update containerd systemd unit file * [`c7bd04763`](https://github.com/containerd/containerd/commit/c7bd04763a03df0f11860b0113dd28ac7b32acd0) Create etcd user in cloud init. * [`a208e937e`](https://github.com/containerd/containerd/commit/a208e937e61f1dc923825509e65120fe224b4084) use containerd/project header test * [`da709fe9b`](https://github.com/containerd/containerd/commit/da709fe9bbc1afc7140d9e1e6ddc4390d8b224cb) Fix indent in cni.template. * [`bdd3c8529`](https://github.com/containerd/containerd/commit/bdd3c85298c2b5d49de58fb80173e27174ac3d09) Update deployment and integration test * [`d8ef77eb8`](https://github.com/containerd/containerd/commit/d8ef77eb8d8e9670fd6cd0912ebf16a6a29f2db1) Add TaskMax=infinity * [`f3c918509`](https://github.com/containerd/containerd/commit/f3c91850993629851828ecc8be6ea2f40743f369) Remove `noSnat` * [`e617564d9`](https://github.com/containerd/containerd/commit/e617564d90b1c55bf027b65a0c73272a8d3a108b) Use v2 config. * [`70d9e28a6`](https://github.com/containerd/containerd/commit/70d9e28a6108151dcf1ac07c3c5541f69557e759) Use per-pod shim. * [`b3ef77e56`](https://github.com/containerd/containerd/commit/b3ef77e56f31208be24d70e7b246dd584b325cbe) Add DefaultRuntimeName option. * [`f0d9c25e6`](https://github.com/containerd/containerd/commit/f0d9c25e6531958821ecfec5a81d966ea604876d) Use ctr images import. * [`5a5581694`](https://github.com/containerd/containerd/commit/5a5581694e50cd31295f8bb596c2f756d5294d73) Add `cri` as required plugin. * [`1ee592b6a`](https://github.com/containerd/containerd/commit/1ee592b6adfd2c141756c06d6dc876ac2f6687ce) Use runc.v1 for now for debugging. * [`a6f0c7ba1`](https://github.com/containerd/containerd/commit/a6f0c7ba1772e2578294139a1fb5c58f62c38551) Enable runc.v2 as the default runtime in test. * [`61254c0d0`](https://github.com/containerd/containerd/commit/61254c0d0abcdc4a9fd5a06aa61e0ec3a48a820d) Use local env to avoid writing to passed-in readonly env. * [`816214947`](https://github.com/containerd/containerd/commit/8162149479ee487499f14a9429b044117f36d84a) Set default "" to extra runtime handler. * [`25b7a9361`](https://github.com/containerd/containerd/commit/25b7a936112404dae529f673bca262736cfefa74) Expose vars to configure an additional runtime handler * [`90ef88d69`](https://github.com/containerd/containerd/commit/90ef88d692861843f3ae8084997e89d61717123f) Support docker 18.09 in the test script. * [`3acc61aad`](https://github.com/containerd/containerd/commit/3acc61aad59583d11c868d8996ab72b9bb86aec7) Remove the unused `health-monitor.sh`. * [`1656e2c62`](https://github.com/containerd/containerd/commit/1656e2c62bdb5fff9abba2021417be3831ae209c) Support netd in GCE bootstrap. * [`cf18a7f24`](https://github.com/containerd/containerd/commit/cf18a7f248e1d5d13b483454dc3a34d1eb64e0fc) Serve streaming on localhost by default to match k8s 1.11 default. * [`6462656c5`](https://github.com/containerd/containerd/commit/6462656c53b1ef5cee57211d97bd9362b1b0c76f) Remove crictl on GCE for all cases. * [`876448273`](https://github.com/containerd/containerd/commit/8764482737e70818439bc36efb09918b78c561fe) Set stream server to serve on localhost on GCE. * [`151d40da7`](https://github.com/containerd/containerd/commit/151d40da7d7167b9ae868ce31803f9bf4d1472c6) Make max container log line size configurable through cloud init. * [`7423599a9`](https://github.com/containerd/containerd/commit/7423599a98a4c7ca94777d09c06115083ee1fc31) Disable TLS streaming to work with new kubelet streaming proxy. * [`de14be92d`](https://github.com/containerd/containerd/commit/de14be92df0f4a361030ae9ab6aa34f492f9ee79) Update cni.template * [`7ba7a1c74`](https://github.com/containerd/containerd/commit/7ba7a1c748e3b2caaf625d4a9eaef00101fb958b) Disable restart plugin on GCE. * [`d5a7d0d40`](https://github.com/containerd/containerd/commit/d5a7d0d40bceb1738c089035847f41d9aaf85d26) Fix kube-container-runtime-monitor. * [`51c239c50`](https://github.com/containerd/containerd/commit/51c239c504aa0ec2bc5f39d53728222bc40222d4) Use crictl installed in kube-up.sh * [`7e4202681`](https://github.com/containerd/containerd/commit/7e4202681807d35169d37d14cf1ee648104492a8) Add `unix://` prefix for socket addresses used by CRI remote client. * [`78bc3160c`](https://github.com/containerd/containerd/commit/78bc3160cc4483de176101995e41e589ac8c04f4) Add KUBE_CONTAINER_RUNTIME_NAME to fix fluentd support. * [`1efcba285`](https://github.com/containerd/containerd/commit/1efcba285965eaed2835696e7bcdaa6be0794f49) Try using preloaded containerd if no version is specified. * [`b3d92c5dd`](https://github.com/containerd/containerd/commit/b3d92c5dda294648dd6801d12de381bd8beed99d) Add log level support. * [`4c3b865ef`](https://github.com/containerd/containerd/commit/4c3b865ef7dd3da41e384ab08d1dbcc7ea89c358) Improve gce bootstrapping in various ways. * [`bae03ff7c`](https://github.com/containerd/containerd/commit/bae03ff7cc0e1dfb99c81e01aa2198c6028dc85a) Add cni config template support. * [`cb8d42994`](https://github.com/containerd/containerd/commit/cb8d429945e84148ff001bb61f361d12f3f37d87) Enable TLS streaming in all the setup. * [`7078a01e6`](https://github.com/containerd/containerd/commit/7078a01e6ffdfdd57dfe533b2ddaf84f43761b35) Use systemd service cgroup and oom score adj. * [`eca3ca166`](https://github.com/containerd/containerd/commit/eca3ca1668c47b254275318a4afd50ad30d81aed) Fix for kube-up.sh and update several documments. * [`95159e4e5`](https://github.com/containerd/containerd/commit/95159e4e5b03d7dc0cb26ade2fab3bb00d6be4a1) Replace `ctrcri` with `ctr cri`. * [`240169814`](https://github.com/containerd/containerd/commit/240169814dc5b4ac5ec5267b4ad0af7e80461c31) Update GCE cluster bootstrapping and e2e test * [`1fe038512`](https://github.com/containerd/containerd/commit/1fe03851212923e5be84d9f3f08a80b8c67531fb) Enable container log rotation. * [`0ce45ac5d`](https://github.com/containerd/containerd/commit/0ce45ac5d6bc6f211e39fed67e1eaa946fad3311) Do not block on stream server close. * [`206b239d6`](https://github.com/containerd/containerd/commit/206b239d63edd059f5352647336b260f1484258a) Add initial wait for health-monitor and use pkill -x. * [`fc561a2a1`](https://github.com/containerd/containerd/commit/fc561a2a1b927220afd047bfc59194a093323ddb) The ENV is finalized as KUBE_KUBELET_EXTRA_ARGS. * [`8416e9356`](https://github.com/containerd/containerd/commit/8416e93566de741262e1d0445017c5f8c142f9aa) change crictl sandboxes to pods; other references to sandboxes * [`23bd0364e`](https://github.com/containerd/containerd/commit/23bd0364e2155d966c13e8139694177dd049c6cd) Update ocicni to main stream. * [`1b4ef5d64`](https://github.com/containerd/containerd/commit/1b4ef5d642374cbc4c628800efc3b37e0cda932f) Add a separate CLI for cri-containerd `ctrcri`. * [`4fc3b564c`](https://github.com/containerd/containerd/commit/4fc3b564c10d24cad578a59ba315b92582f22570) Use registry-1.docker.io as backup * [`3bc1d3559`](https://github.com/containerd/containerd/commit/3bc1d35595bc9f1e80de129e5806d2efc5527f1a) Put version into metadata so that version won't be changed across restart. * [`544e0e71a`](https://github.com/containerd/containerd/commit/544e0e71a9a1da5d34e777ad1f544d83de530e28) Set registry mirror. * [`0d0257a94`](https://github.com/containerd/containerd/commit/0d0257a94aeb51f6be1b997505442e625684bd49) Configure container runtime cgroups for cgroup. * [`5ad7db207`](https://github.com/containerd/containerd/commit/5ad7db2070818ef3b335c400201e36022198379b) Add runtime cgroup and fix a cli panic. * [`89e92495d`](https://github.com/containerd/containerd/commit/89e92495d0fccf32d299ef21b4f3ffc6ab8812ca) Update all glog flags to `log-level`. * [`b49929ebc`](https://github.com/containerd/containerd/commit/b49929ebcb4686eb0b5d887c6e418ac56eae8508) Update containerd to 6c7abf7c76c1973d4fb4b0bad51691de84869a51. * [`077721211`](https://github.com/containerd/containerd/commit/0777212112b21542636085d895ce142e67b98a25) Add document for kube-up.sh * [`a797a6ce2`](https://github.com/containerd/containerd/commit/a797a6ce2a14e4ce173f717843d57107fc3b5d6c) Add OS and arch in release tarball. * [`2ad761ddb`](https://github.com/containerd/containerd/commit/2ad761ddbe1034d7db826b1f63921717eedfc012) Add `cluster` directory and health-monitor.sh. * [`02d93addb`](https://github.com/containerd/containerd/commit/02d93addbd0d18e75015f705122653582957e400) Merge pull request [#4561](https://github.com/containerd/containerd/pull/4561) from thaJeztah/1.3_backport_seccomp_updates * [`1f5b5c909`](https://github.com/containerd/containerd/commit/1f5b5c909eecd1a0b30a10c0e074d76f2c85af3e) seccomp: allow io-uring related system calls * [`37c1a8ecb`](https://github.com/containerd/containerd/commit/37c1a8ecb67188cede3d60bfcebd9a5322bf5a5d) seccomp: allow clock_settime when CAP_SYS_TIME is added * [`f959608b0`](https://github.com/containerd/containerd/commit/f959608b059520b6fbb3395011a3084b29fb1d15) seccomp: allow quotactl with CAP_SYS_ADMIN * [`61f1b4ee2`](https://github.com/containerd/containerd/commit/61f1b4ee2944546045f9dee9124c6160bec8c857) seccomp: allow sync_file_range2 on supported architectures. * [`4748bb7d5`](https://github.com/containerd/containerd/commit/4748bb7d5edf7eac00d0dba8d23d5bfd44637de0) seccomp: allow personality with UNAME26 bit set * [`93a529467`](https://github.com/containerd/containerd/commit/93a529467cfe9317b601b45a1f74f1d12d5615b5) seccomp: allow syscall membarrier * [`280fc55eb`](https://github.com/containerd/containerd/commit/280fc55eb29d7a9f8a41d79bd33dcb69a82fb3d6) seccomp: allow adjtimex get time operation * [`2fb406bef`](https://github.com/containerd/containerd/commit/2fb406befbcf2ecc027dbdcd38a2e170fbd61215) seccomp: allow add preadv2 and pwritev2 syscalls * [`f81ce26aa`](https://github.com/containerd/containerd/commit/f81ce26aaa1ed04ba58ed89f96a1d73a243c21e7) seccomp: move the syslog syscall to be gated by CAP_SYS_ADMIN or CAP_SYSLOG * [`2ee65d857`](https://github.com/containerd/containerd/commit/2ee65d85740626577eed51f02a41c41ea0a34004) Update usage of whitelist in project * [`39052fa79`](https://github.com/containerd/containerd/commit/39052fa79bc2feccfdeb1afae89fe5cdf21c34a6) seccomp: allow 'rseq' syscall in default seccomp profile * [`a3a385c9d`](https://github.com/containerd/containerd/commit/a3a385c9dec60516cc7e5424e4e1d4792a96309c) seccomp: remove the unused query_module(2) * [`7d3e2766c`](https://github.com/containerd/containerd/commit/7d3e2766c254ff1957270812e3e0ce6a95313f04) seccomp: Whitelist `clock_adjtime` * [`078b6d91b`](https://github.com/containerd/containerd/commit/078b6d91bea47e9235bd09ea8bfa9ff40281a8a0) seccomp: add 64-bit time_t syscalls * [`6f8f27ab4`](https://github.com/containerd/containerd/commit/6f8f27ab4a14b00750b88be139823e53917845d4) Merge pull request [#4553](https://github.com/containerd/containerd/pull/4553) from thaJeztah/1.3_backport_add_openat2_syscall * [`bdb3ce2fa`](https://github.com/containerd/containerd/commit/bdb3ce2fa4fad41a00a3c5d295378da9cb8f8463) seccomp: add `faccessat2` syscall. * [`44633cf1b`](https://github.com/containerd/containerd/commit/44633cf1b1bdc37b5496dcf82b7c69dd79a5c358) seccomp: add `openat2` syscall. * [`8d67174ae`](https://github.com/containerd/containerd/commit/8d67174ae36e38866298309fe9525aeb4f4e9781) Merge pull request [#4543](https://github.com/containerd/containerd/pull/4543) from thaJeztah/1.3_backport_forward_signal_not_found * [`1850de7af`](https://github.com/containerd/containerd/commit/1850de7af9edd5a40e9be1c6e2b925ac993274fa) Ignore SIGURG signals in signal forwarder * [`11325afdb`](https://github.com/containerd/containerd/commit/11325afdb7e906c65e84009029a95011b077858f) Exit signal forward if process not found * [`aebad1da6`](https://github.com/containerd/containerd/commit/aebad1da64ac49795ec20a741b4133bab85d621c) Merge pull request [#4511](https://github.com/containerd/containerd/pull/4511) from fuweid/13-cherry-pick-4486 * [`58172a6f4`](https://github.com/containerd/containerd/commit/58172a6f4ff5d0ce50b92dcaafb65012c386b22a) tasks: Monitor v2 tasks in initFunc as well * [`f99bb2cc4`](https://github.com/containerd/containerd/commit/f99bb2cc44834f07975aed46f3072572b172c334) Merge pull request [#4495](https://github.com/containerd/containerd/pull/4495) from kzys/backport-1.3-4437 * [`fd6c9153a`](https://github.com/containerd/containerd/commit/fd6c9153aaf47fb1e0bac84e71a0878d86843bf1) snapshots/devmapper: fix rollback * [`6c71fe1c4`](https://github.com/containerd/containerd/commit/6c71fe1c400c2f97b5343ce8938e5600ff2fa320) Merge pull request [#4463](https://github.com/containerd/containerd/pull/4463) from thaJeztah/1.3_backport_bump_golang_1.13.15 * [`1ef5cd282`](https://github.com/containerd/containerd/commit/1ef5cd28285d67d3376cc69712ffc8f428981901) Bump Golang 1.13.15 * [`0e7693b58`](https://github.com/containerd/containerd/commit/0e7693b58d9f96e661a14e3bca5142e3069ca393) Bump Golang 1.13.14 * [`e36542ca5`](https://github.com/containerd/containerd/commit/e36542ca574e98a4e837d21eacdb8f72ee50ebd4) Bump Go 1.13.13 * [`83b33f63b`](https://github.com/containerd/containerd/commit/83b33f63b388c116658eaae1893a9fe95ec206e6) .zuul: update go version to 1.13.10 * [`2ba1c323b`](https://github.com/containerd/containerd/commit/2ba1c323bce28b0faa7ae261c7402a8bede4b4a7) ci: set pipefail in zuul script </p> </details> ### Dependency Changes This release has no dependency changes Previous release can be found at [v1.3.7](https://github.com/containerd/containerd/releases/tag/v1.3.7)