forked from containerd/containerd
Encode Generic ConfigBody as JSON #2
Open
Jenkins-J wants to merge 50 commits into main from runtime-config-toml
Jenkins-J force-pushed the runtime-config-toml branch from a69edc7 to 98a3338 on July 25, 2023 13:14
Jenkins-J force-pushed the runtime-config-toml branch from 0adb7c1 to 5b65520 on December 14, 2023 21:08
Signed-off-by: Iain Macdonald <[email protected]>
Signed-off-by: Derek McGowan <[email protected]>
Create new plugin type for CRI runtime and image services. Signed-off-by: Derek McGowan <[email protected]>
Signed-off-by: Derek McGowan <[email protected]>
Signed-off-by: Derek McGowan <[email protected]>
Signed-off-by: Derek McGowan <[email protected]>
Signed-off-by: Derek McGowan <[email protected]>
Add CRI Service plugin type
…/issue-6377 remotes/docker/authorizer.go: refresh OAuth tokens when they expire
Prepare release notes for v2.0.0-beta.2
Bumps [lycheeverse/lychee-action](https://github.com/lycheeverse/lychee-action) from 1.9.1 to 1.9.3. - [Release notes](https://github.com/lycheeverse/lychee-action/releases) - [Commits](lycheeverse/lychee-action@v1.9.1...v1.9.3) --- updated-dependencies: - dependency-name: lycheeverse/lychee-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [github.com/containerd/plugin](https://github.com/containerd/plugin) from 0.0.0-20231101173250-7ec69893e1e7 to 0.1.0. - [Release notes](https://github.com/containerd/plugin/releases) - [Commits](https://github.com/containerd/plugin/commits/v0.1.0) --- updated-dependencies: - dependency-name: github.com/containerd/plugin dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.60.1 to 1.61.0. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.60.1...v1.61.0) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [github.com/google/uuid](https://github.com/google/uuid) from 1.5.0 to 1.6.0. - [Release notes](https://github.com/google/uuid/releases) - [Changelog](https://github.com/google/uuid/blob/master/CHANGELOG.md) - [Commits](google/uuid@v1.5.0...v1.6.0) --- updated-dependencies: - dependency-name: github.com/google/uuid dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [github.com/klauspost/compress](https://github.com/klauspost/compress) from 1.17.4 to 1.17.5. - [Release notes](https://github.com/klauspost/compress/releases) - [Changelog](https://github.com/klauspost/compress/blob/master/.goreleaser.yml) - [Commits](klauspost/compress@v1.17.4...v1.17.5) --- updated-dependencies: - dependency-name: github.com/klauspost/compress dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
…actions/lycheeverse/lychee-action-1.9.3 build(deps): bump lycheeverse/lychee-action from 1.9.1 to 1.9.3
…les/github.com/containerd/plugin-0.1.0 build(deps): bump github.com/containerd/plugin from 0.0.0-20231101173250-7ec69893e1e7 to 0.1.0
…les/github.com/klauspost/compress-1.17.5 build(deps): bump github.com/klauspost/compress from 1.17.4 to 1.17.5
…les/google.golang.org/grpc-1.61.0 build(deps): bump google.golang.org/grpc from 1.60.1 to 1.61.0
…les/github.com/google/uuid-1.6.0 build(deps): bump github.com/google/uuid from 1.5.0 to 1.6.0
The file was replaced with the "Please update your bookmark" page on Apr 1, 2022 (PR 6758). Signed-off-by: Akihiro Suda <[email protected]>
Changes: - https://github.com/containers/crun/releases/tag/1.13 - https://github.com/containers/crun/releases/tag/1.14 Signed-off-by: Akihiro Suda <[email protected]>
Signed-off-by: Akihiro Suda <[email protected]>
…llation.md rm docs/cri/installation.md
Signed-off-by: James Sturtevant <[email protected]>
Signed-off-by: 谭九鼎 <[email protected]>
Update the runc binary, which includes a fix for [CVE-2024-21626]. - release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.12 - full diff: opencontainers/runc@v1.1.11...v1.1.12 [CVE-2024-21626]: GHSA-xr7r-f8xq-vfvv Signed-off-by: Derek McGowan <[email protected]>
Signed-off-by: James Sturtevant <[email protected]>
docs: fix typo
Update runc binary to v1.1.12
CI: bump up crun to 1.14
CI: update Rocky Linux to 8.9
Prior to this commit, `readOnly` volumes were not recursively read-only and could result in compromise of data; e.g., even if `/mnt` was mounted as read-only, its submounts such as `/mnt/usbstorage` were not read-only.

This commit utilizes runc's "rro" bind mount option to make read-only bind mounts literally read-only. The "rro" bind mount option is implemented by calling `mount_setattr(2)` with `MOUNT_ATTR_RDONLY` and `AT_RECURSIVE`.

The "rro" bind mount option requires kernel >= 5.12, with runc >= 1.1 or a compatible runtime such as crun >= 1.4.

When the "rro" bind mount option is not available, containerd falls back to the legacy non-recursive read-only mounts by default.

The behavior is configurable via `/etc/containerd/config.toml`:

```toml
version = 2
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
  # treat_ro_mounts_as_rro ("Enabled"|"IfPossible"|"Disabled")
  # treats read-only mounts as recursive read-only mounts.
  # An empty string means "IfPossible".
  # "Enabled" requires Linux kernel v5.12 or later.
  # This configuration does not apply to non-volume mounts such as "/sys/fs/cgroup".
  treat_ro_mounts_as_rro = ""
```

Replaces:
- kubernetes/enhancements issue 3857
- kubernetes/enhancements PR 3858

Note: this change does not affect non-CRI clients such as ctr, nerdctl, and Docker/Moby. RRO mounts have been supported since nerdctl v0.14 (containerd/nerdctl PR 511) and Docker v25 (moby/moby PR 45278).

Signed-off-by: Akihiro Suda <[email protected]>
cri: make read-only mounts recursively read-only
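An added example (not containerd's code and not part of the commit above): a Go check for the condition that commit message describes, a read-only mount whose submounts are still writable. It reads text in `/proc/self/mountinfo` format; the sample table and the helper name `WritableSubmounts` are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample in /proc/self/mountinfo format (not from a real host):
// /mnt is read-only, but its submount /mnt/usbstorage is still writable.
const sampleMountinfo = `22 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
40 22 8:1 /data /mnt ro,relatime - ext4 /dev/sda1 rw
41 40 8:17 / /mnt/usbstorage rw,relatime - vfat /dev/sdb1 rw
42 40 8:33 / /mnt/archive ro,relatime - ext4 /dev/sdc1 rw
43 22 0:25 / /mntx rw,relatime - tmpfs tmpfs rw`

// hasOpt reports whether a comma-separated option list contains want exactly.
func hasOpt(opts, want string) bool {
	return strings.Contains(","+opts+",", ","+want+",")
}

// WritableSubmounts (hypothetical helper) returns the mount points strictly
// below root that carry "ro" in neither their per-mount nor superblock options.
// Octal escapes in mount points (e.g. \040 for a space) are not decoded here.
func WritableSubmounts(mountinfo, root string) []string {
	var out []string
	prefix := strings.TrimSuffix(root, "/") + "/"
	sc := bufio.NewScanner(strings.NewReader(mountinfo))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		sep := -1 // index of the "-" that ends the optional fields
		for i := 6; i < len(f); i++ {
			if f[i] == "-" {
				sep = i
				break
			}
		}
		if sep < 0 || sep+3 >= len(f) {
			continue // malformed or truncated line
		}
		ro := hasOpt(f[5], "ro") || hasOpt(f[sep+3], "ro")
		if mp := f[4]; mp != root && strings.HasPrefix(mp, prefix) && !ro {
			out = append(out, mp)
		}
	}
	return out
}

func main() { fmt.Println(WritableSubmounts(sampleMountinfo, "/mnt")) }
```

Run against the mountinfo of a container process, a non-empty result for a volume declared `readOnly` indicates the legacy non-recursive fallback is in effect for that mount.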
Signed-off-by: Maksym Pavlenko <[email protected]>
If we find that DNSConfig is provided and empty (not nil), we should not replace it with the host's resolv.conf. Also adds tests. Signed-off-by: Tim Hockin <[email protected]>
CRI: An empty DNSConfig != unspecified
Signed-off-by: Maksym Pavlenko <[email protected]>
Signed-off-by: Maksym Pavlenko <[email protected]>
Signed-off-by: Maksym Pavlenko <[email protected]>
Signed-off-by: Maksym Pavlenko <[email protected]>
Move CRI from pkg/ to internal/
…windows Add a default differ for Windows that matches the snapshotter when using transfer service
Move Message proto to types
We can't set the status to Ready before task.Wait succeed. Signed-off-by: Abel Feng <[email protected]>
Signed-off-by: Abel Feng <[email protected]>
Remove duplicated TOML duration parsers
sandbox: fix podsandbox recover status issue
Encode the runtime configuration body as JSON when the TypeURL is available and the generic configuration options are being used. Signed-off-by: James Jenkins <[email protected]>
Generate proto files to add new comment for runtimeoptions. Signed-off-by: James Jenkins <[email protected]>
Jenkins-J force-pushed the runtime-config-toml branch from 5b65520 to dabaed7 on February 5, 2024 14:21
Jenkins-J pushed a commit that referenced this pull request on Jul 1, 2024
Update the dependency and the indirect golang.org/x/net version to align with containerd itself, and to prevent a vulnerability being detected.

We should keep the versions <= versions used by containerd 1.7 to prevent forcing users of containerd 1.7 in combination with the latest version of the API module from having to update all their dependencies, but this update should likely be fine (and aligns with 1.7).

Before this:

    Scanning your code and 254 packages across 15 dependent modules for known vulnerabilities...

    === Symbol Results ===

    Vulnerability #1: GO-2024-2687
        HTTP/2 CONTINUATION flood in net/http
      More info: https://pkg.go.dev/vuln/GO-2024-2687
      Module: golang.org/x/net
        Found in: golang.org/x/[email protected]
        Fixed in: golang.org/x/[email protected]
        Example traces found:
          #1: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.ConnectionError.Error
          #2: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.ErrCode.String
          #3: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.FrameHeader.String
          #4: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.FrameType.String
          #5: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.Setting.String
          #6: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.SettingID.String
          #7: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.StreamError.Error
          #8: services/content/v1/content_ttrpc.pb.go:272:35: content.ttrpccontentClient.Write calls ttrpc.Client.NewStream, which eventually calls http2.chunkWriter.Write
          #9: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.connError.Error
          #10: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.duplicatePseudoHeaderError.Error
          #11: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.headerFieldNameError.Error
          #12: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.headerFieldValueError.Error
          #13: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.pseudoHeaderError.Error
          #14: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.writeData.String

    Your code is affected by 1 vulnerability from 1 module.
    This scan also found 0 vulnerabilities in packages you import and 3
    vulnerabilities in modules you require, but your code doesn't appear to call
    these vulnerabilities.
    Use '-show verbose' for more details.

After this:

    govulncheck ./...
    Scanning your code and 251 packages across 13 dependent modules for known vulnerabilities...

    === Symbol Results ===

    No vulnerabilities found.

    Your code is affected by 0 vulnerabilities.
    This scan also found 0 vulnerabilities in packages you import and 3
    vulnerabilities in modules you require, but your code doesn't appear to call
    these vulnerabilities.
    Use '-show verbose' for more details.

Signed-off-by: Sebastiaan van Stijn <[email protected]>
For further context, see the community discussion: https://zoom.us/rec/share/MHx4Q_exj8u60JnbzcoMS0ONdeNpMuqAfUxqWlb1I_OBomvdlL1ro6czB4hGDixv.vxx5Zf0NUbskIQBS?startTime=1678377588000 (discussion starts at timestamp: 6:44)