From 6be85a7fdf9eca117f6cb3c5b48d41240e7a0ecf Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Wed, 19 May 2021 14:31:54 +0200 Subject: [PATCH 01/44] Revert "remove default "containerd.toml" config file" This reverts commit 37e406ca6302b373b5840b794cf551110ad4d737. Relates to https://github.com/docker/containerd-packaging/pull/215#discussion_r632804641 > removing this does have some impact on rpm users who are currently overwriting > the rpm supplied config.toml with their own. This being removed above, causes > the user supplied override config.toml file also to be deleted, when they upgrade > to a rpm version with this change. rpm moves the file to.rpmsave/.rpmnew after > upgrading to the new version with the above change. Reverting this change (at least temporarily until we figure out an alternative) is the safest option for now. Signed-off-by: Sebastiaan van Stijn --- common/containerd.toml | 31 +++++++++++++++++++++++++++++++ debian/rules | 1 + dockerfiles/deb.dockerfile | 4 ++-- dockerfiles/rpm.dockerfile | 4 ++-- rpm/containerd.spec | 6 +++++- 5 files changed, 41 insertions(+), 5 deletions(-) create mode 100644 common/containerd.toml diff --git a/common/containerd.toml b/common/containerd.toml new file mode 100644 index 00000000..ccbbd5b4 --- /dev/null +++ b/common/containerd.toml 
@@ -0,0 +1,31 @@ +# Copyright 2018-2020 Docker Inc. + +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +disabled_plugins = ["cri"] + +#root = "/var/lib/containerd" +#state = "/run/containerd" +#subreaper = true +#oom_score = 0 + +#[grpc] +# address = "/run/containerd/containerd.sock" +# uid = 0 +# gid = 0 + +#[debug] +# address = "/run/containerd/debug.sock" +# uid = 0 +# gid = 0 +# level = "info" diff --git a/debian/rules b/debian/rules index 18293e29..d534ee00 100755 --- a/debian/rules +++ b/debian/rules @@ -54,3 +54,4 @@ override_dh_auto_install: binaries bin/runc man mkdir -p debian/containerd.io/usr/bin install -D -m 0755 bin/* debian/containerd.io/usr/bin install -D -m 0644 /root/common/containerd.service debian/containerd.io/lib/systemd/system/containerd.service + install -D -m 0644 /root/common/containerd.toml debian/containerd.io/etc/containerd/config.toml diff --git a/dockerfiles/deb.dockerfile b/dockerfiles/deb.dockerfile index 4a01b195..573efbb9 100644 --- a/dockerfiles/deb.dockerfile +++ b/dockerfiles/deb.dockerfile @@ -97,7 +97,7 @@ ENV PACKAGE=${PACKAGE:-containerd.io} FROM build-env AS build-packages RUN mkdir -p /archive /build -COPY common/containerd.service /root/common/ +COPY common/containerd.service common/containerd.toml /root/common/ ARG CREATE_ARCHIVE # NOTE: not using a cache-mount for /root/.cache/go-build, to prevent issues # with CGO when building multiple distros on the same machine / build-cache 
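Review bot: Nothing in the new common/containerd.toml tells an operator that the file ships world-readable, yet the `install -D -m 0644` line in the debian/rules hunk just below (and the matching line in rpm/containerd.spec) installs it that way as /etc/containerd/config.toml. The default content is harmless, but if an operator removes `"cri"` from `disabled_plugins` and adds registry credentials, which containerd's CRI configuration can hold, those would presumably stay readable by every local user. I would add a comment near the top of the file, e.g. `# NOTE: installed with mode 0644; do not store credentials here without tightening the file mode.` A one-line comment above `disabled_plugins = ["cri"]` saying the plugin is disabled on purpose in the packaged default would help as well.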
@@ -131,4 +131,4 @@ COPY --from=verify-packages /build /build # This stage is mainly for debugging (running the build interactively with mounted source) FROM build-env AS runtime COPY --from=golang /usr/local/go/ /usr/local/go/ -COPY common/containerd.service /root/common/ +COPY common/containerd.service common/containerd.toml /root/common/ diff --git a/dockerfiles/rpm.dockerfile b/dockerfiles/rpm.dockerfile index c1b0a359..0382ae08 100644 --- a/dockerfiles/rpm.dockerfile +++ b/dockerfiles/rpm.dockerfile @@ -79,7 +79,7 @@ ENV PACKAGE=${PACKAGE:-containerd.io} FROM build-env AS build-packages RUN mkdir -p /archive /build -COPY common/containerd.service SOURCES/ +COPY common/containerd.service common/containerd.toml SOURCES/ ARG CREATE_ARCHIVE # NOTE: not using a cache-mount for /root/.cache/go-build, to prevent issues # with CGO when building multiple distros on the same machine / build-cache @@ -124,4 +124,4 @@ COPY --from=verify-packages /build /build # This stage is mainly for debugging (running the build interactively with mounted source) FROM build-env AS runtime COPY --from=golang /usr/local/go/ /usr/local/go/ -COPY common/containerd.service SOURCES/ +COPY common/containerd.service common/containerd.toml SOURCES/ diff --git a/rpm/containerd.spec b/rpm/containerd.spec index c1fde145..44529e46 100644 --- a/rpm/containerd.spec +++ b/rpm/containerd.spec @@ -50,7 +50,8 @@ License: ASL 2.0 URL: https://containerd.io Source0: containerd Source1: containerd.service -Source2: runc +Source2: containerd.toml +Source3: runc # container-selinux isn't a thing in suse flavors %if %{undefined suse_version} # amazonlinux2 doesn't have container-selinux either 
@@ -123,6 +124,7 @@ cd %{_topdir}/BUILD mkdir -p %{buildroot}%{_bindir} install -D -m 0755 bin/* %{buildroot}%{_bindir} install -D -m 0644 %{S:1} %{buildroot}%{_unitdir}/containerd.service +install -D -m 0644 %{S:2} %{buildroot}%{_sysconfdir}/containerd/config.toml # install manpages, taking into account that not all sections may be present for i in $(seq 1 8); do @@ -149,7 +151,9 @@ done %doc README.md %{_bindir}/* %{_unitdir}/containerd.service +%{_sysconfdir}/containerd %{_mandir}/man*/* +%config(noreplace) %{_sysconfdir}/containerd/config.toml %changelog From 6832aad8f1ca5025c5455da0f25b93b26a112d3c Mon Sep 17 00:00:00 2001 
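Review bot: In the `%files` hunk of rpm/containerd.spec, the bare entry `%{_sysconfdir}/containerd` claims the directory and everything under it, so `config.toml` is listed twice: once without `%config` via the directory, and once as `%config(noreplace)`. rpmbuild normally reports this as "File listed twice", and the effective attributes then depend on how the duplicate entries are merged, which is fragile for a change whose whole purpose is to keep user-edited configuration across upgrades. Owning only the directory avoids the ambiguity: `%dir %{_sysconfdir}/containerd`, keeping the existing `%config(noreplace) %{_sysconfdir}/containerd/config.toml` line as it is.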
From: Sebastiaan van Stijn Date: Wed, 12 May 2021 10:33:28 +0200 Subject: [PATCH 02/44] prepare release v1.4.5 - Update to containerd 1.4.5 - Update runc to v1.0.0-rc94 containerd diff: https://github.com/containerd/containerd/compare/v1.4.4...v1.4.5 runc diff: https://github.com/opencontainers/runc/compare/v1.0.0-rc93...v1.0.0-rc94 containerd release notes: https://github.com/containerd/containerd/releases/tag/v1.4.5 - Update runc to rc94 - Fix leaking socket path in runc shim v2 - Fix cleanup logic in new container in runc shim v2 - Fix registry mirror authorization logic in CRI plugin - Add support for userxattr in overlay snapshotter for kernel 5.11+ runc release notes: https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc94 Potentially breaking changes: - cgroupv1: kernel memory limits are now always ignored, as kmemcg has been effectively deprecated by the kernel. Users should make use of regular memory cgroup controls. - libcontainer/cgroups: cgroup managers' Set now accept configs.Resources rather than configs.Cgroups - libcontainer/cgroups/systemd: reconnect and retry in case dbus connection is closed (after dbus restart) - libcontainer/cgroups/systemd: don't set limits in Apply Bugfixes: - seccomp: fix 32-bit compilation errors (regression in rc93) - cgroupv2: blkio weight value conversion fix - runc init: fix a hang caused by deadlock in seccomp/ebpf loading code (regression in rc93) - runc start: fix "chdir to cwd: permission denied" for some setups (regression in rc93) - s390: fix broken terminal (regression in rc93) Improvements: - runc start/exec: better diagnostics when container limits are too low - runc start/exec: better cleanup after failed runc init - cgroupv1: improve freezing chances - cgroupv2: multiple GetStats improvements - cgroupv2: fallback to setting io.weight if io.bfq.weight is not available - capabilities: WARN, not ERROR, for unknown / unavailable capabilities 
Signed-off-by: Sebastiaan van Stijn --- debian/changelog | 7 +++++++ rpm/containerd.spec | 4 ++++ 2 files changed, 11 insertions(+) diff --git a/debian/changelog b/debian/changelog index 3df1fd20..837802cd 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +containerd.io (1.4.5-1) release; urgency=medium + + * Update to containerd 1.4.5 + * Update runc to v1.0.0-rc94 + + -- Sebastiaan van Stijn Wed, 12 May 2021 08:29:50 +0000 + containerd.io (1.4.4-1) release; urgency=high * Update to containerd 1.4.4 to address CVE-2021-21334. diff --git a/rpm/containerd.spec b/rpm/containerd.spec index c1fde145..e59fd50c 100644 --- a/rpm/containerd.spec +++ b/rpm/containerd.spec @@ -153,6 +153,10 @@ done %changelog +* Wed May 12 2021 Sebastiaan van Stijn - 1.4.5-3.1 +- Update to containerd 1.4.5 +- Update runc to v1.0.0-rc94 + * Mon Mar 08 2021 Wei Fu - 1.4.4-3.1 - Update to containerd 1.4.4 to address CVE-2021-21334. From 2157ed05a228cb7534e9f9f9c442aa84c157241d Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Fri, 21 May 2021 09:34:57 +0200 Subject: [PATCH 03/44] prepare release v1.4.6 - Update to containerd 1.4.6 - Update runc to v1.0.0-rc95 containerd diff: https://github.com/containerd/containerd/compare/v1.4.5...v1.4.6 runc diff: https://github.com/opencontainers/runc/compare/v1.0.0-rc94...v1.0.0-rc95 containerd release notes: https://github.com/containerd/containerd/releases/tag/v1.4.6 The sixth patch release for containerd 1.4 is a security release to update runc for CVE-2021-30465 runc release notes: https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc95 This release of runc contains a fix for CVE-2021-30465, and users are strongly recommended to update (especially if you are providing semi-limited access to spawn containers to untrusted users). Aside from this security fix, only a few other changes were made since v1.0.0-rc94 (the only user-visible change was the addition of support for defaultErrnoRet in seccomp profiles). 
Signed-off-by: Sebastiaan van Stijn --- debian/changelog | 7 +++++++ rpm/containerd.spec | 4 ++++ 2 files changed, 11 insertions(+) diff --git a/debian/changelog b/debian/changelog index 837802cd..231f304e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +containerd.io (1.4.6-1) release; urgency=high + + * Update to containerd 1.4.6 + * Update runc to v1.0.0-rc95 to address CVE-2021-30465. + + -- Sebastiaan van Stijn Fri, 21 May 2021 07:30:42 +0000 + containerd.io (1.4.5-1) release; urgency=medium * Update to containerd 1.4.5 diff --git a/rpm/containerd.spec b/rpm/containerd.spec index cf8b0fd3..04caeeba 100644 --- a/rpm/containerd.spec +++ b/rpm/containerd.spec @@ -157,6 +157,10 @@ done %changelog +* Fri May 21 2021 Sebastiaan van Stijn - 1.4.6-3.1 +- Update to containerd 1.4.6 +- Update runc to v1.0.0-rc95 to address CVE-2021-30465. + * Wed May 12 2021 Sebastiaan van Stijn - 1.4.5-3.1 - Update to containerd 1.4.5 - Update runc to v1.0.0-rc94 From d727c248e19dc9daa884949cf542ccc1dd10c9dc Mon Sep 17 00:00:00 2001 
From: Sebastiaan van Stijn Date: Fri, 21 May 2021 15:21:51 +0200 Subject: [PATCH 04/44] Fix RUNC_REF not being evaluated correctly When testing the script locally from a clean state, I noticed that the RUNC_REF variable was not working as expected, and failed to pick the runc version that is set in containerd. This patch fixes the runc version not being detected correctly. While Make "promises" to expand variables "when used", it actually performs this earlier than that, so when combining, it evaluates $(SOME_VAR) *before* the target is run.... From the docs: https://www.gnu.org/software/make/manual/html_node/Flavors.html#Flavors > references are expanded whenever this variable is substituted (in the course > of expanding some other string). When this happens, it is called recursive expansion. However, taking the following Makefile: SOME_VAR=$(shell cat hello) .PHONY: clean clean: @rm hello .PHONY: together together: @echo this is hello > hello @cat hello @echo SOME_VAR is \""$(SOME_VAR)"\" .PHONY: separate separate: one two .PHONY: one one: @echo this is hello > hello @cat hello .PHONE: two two: @echo SOME_VAR is \""$(SOME_VAR)"\" When combined: make clean make together cat: hello: No such file or directory this is hello SOME_VAR is "" As shown, $(SOME_VAR) is evaluated *before* `together` is run, and produces an error, because "hello" is not yet created. When doing creating the file and using the file separate, things work as expected, and $(SOME_VAR) is able to read the file: make clean make separate this is hello SOME_VAR is "this is hello" Signed-off-by: Sebastiaan van Stijn --- Makefile | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 201c10fe..5e4c69a9 100644 --- a/Makefile +++ b/Makefile 
@@ -72,8 +72,15 @@ docker.io/%: $(MAKE) BUILD_IMAGE="$@" build .PHONY: checkout -checkout: src +checkout: checkout-containerd checkout-runc + +.PHONY: checkout-containerd +checkout-containerd: src ./scripts/checkout.sh src/github.com/containerd/containerd "$(REF)" + +# this must be a separate target, otherwise "RUNC_REF" is not evaluated correctly +.PHONY: checkout-runc +checkout-runc: checkout-containerd ./scripts/checkout.sh src/github.com/opencontainers/runc "$(RUNC_REF)" .PHONY: build From 02c3b0f5da872801d5c7cccc93a4bd83b400115e Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Tue, 25 May 2021 17:16:25 +0200 Subject: [PATCH 05/44] Evaluate runc version directly instead of through make variable Signed-off-by: Sebastiaan van Stijn --- Makefile | 17 ++++------------- common/common.mk | 1 - 2 files changed, 4 insertions(+), 14 deletions(-) diff --git a/Makefile b/Makefile index 5e4c69a9..a0676322 100644 --- a/Makefile +++ b/Makefile @@ -22,8 +22,6 @@ BUILD_BASE=$(shell ./scripts/determine-base $(BUILD_IMAGE)) # For example, use "make PROGRESS=plain ..." to show build progress in plain test PROGRESS=auto TARGET=packages -CONTAINERD_COMMIT=$(shell git -C "src/github.com/containerd/containerd" log -1 --pretty='%h') -RUNC_COMMIT=$(shell git -C "src/github.com/opencontainers/runc" log -1 --pretty='%h') all: build @@ -72,16 +70,9 @@ docker.io/%: $(MAKE) BUILD_IMAGE="$@" build .PHONY: checkout -checkout: checkout-containerd checkout-runc - -.PHONY: checkout-containerd -checkout-containerd: src +checkout: src ./scripts/checkout.sh src/github.com/containerd/containerd "$(REF)" - -# this must be a separate target, otherwise "RUNC_REF" is not evaluated correctly -.PHONY: checkout-runc -checkout-runc: checkout-containerd - ./scripts/checkout.sh src/github.com/opencontainers/runc "$(RUNC_REF)" + ./scripts/checkout.sh src/github.com/opencontainers/runc "$$(./scripts/determine-runc-version)" .PHONY: build build: checkout common/containerd.service 
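Review bot: In the `checkout` recipe of PATCH 05 (`@@ -72,16 +70,9 @@`), `"$$(./scripts/determine-runc-version)"` is used as an argument, so the script's exit status is discarded and an empty result is passed to `checkout.sh` as the ref. Since the detected ref decides which runc source goes into the package, the recipe should stop when detection fails or prints nothing, for example `runc_ref="$$(./scripts/determine-runc-version)" && [ -n "$$runc_ref" ] && ./scripts/checkout.sh src/github.com/opencontainers/runc "$$runc_ref"`. The same unchecked substitution appears in the `build` banner hunk (`@@ -89,8 +80,8 @@`), where it also lets the script's stderr INFO line interleave with the banner. How `checkout.sh` treats an empty ref is not visible here.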
@@ -89,8 +80,8 @@ build: @echo "--------------------------------------------------------------------" @echo "Building $(TARGET) on $(BUILD_IMAGE)" @echo "" - @echo "containerd : $(REF) (commit: $(CONTAINERD_COMMIT))" - @echo "runc : $(RUNC_REF) (commit: $(RUNC_COMMIT))" + @echo "containerd : $(REF) (commit: $(shell git -C "src/github.com/containerd/containerd" log -1 --pretty='%h'))" + @echo "runc : $$(./scripts/determine-runc-version) (commit: $$(git -C "src/github.com/opencontainers/runc" log -1 --pretty='%h'))" @echo "architecture : $(shell uname -m)" @echo "build image : $(BUILD_IMAGE)" @echo "golang image : $(GOLANG_IMAGE)" diff --git a/common/common.mk b/common/common.mk index aed4daa4..addeccbc 100644 --- a/common/common.mk +++ b/common/common.mk @@ -20,7 +20,6 @@ REF?=HEAD # Select the default version of Golang and runc based on the containerd source. GOVERSION?=$(shell grep "ARG GOLANG_VERSION" src/github.com/containerd/containerd/contrib/Dockerfile.test | awk -F'=' '{print $$2}') -RUNC_REF?=$(shell scripts/determine-runc-version) GOLANG_IMAGE=golang:$(GOVERSION) ifeq ($(OS),Windows_NT) From e1b2c4a0e7437e63b018829deb4d0e79e8065205 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Tue, 25 May 2021 22:05:25 +0200 Subject: [PATCH 06/44] improve info messages from determine-runc-version Signed-off-by: Sebastiaan van Stijn --- scripts/determine-runc-version | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/scripts/determine-runc-version b/scripts/determine-runc-version index ba4ab52b..c8133d6b 100755 --- a/scripts/determine-runc-version +++ b/scripts/determine-runc-version @@ -27,7 +27,7 @@ runc_version() { if [ -n "${RUNC_REF}" ]; then # just a safe-guard if this script is called when RUNC_REF was already set. echo "${RUNC_REF}" - >&2 echo "INFO: using runc version from RUNC_REF." + >&2 echo "INFO: using runc version (${RUNC_REF}) from RUNC_REF." return fi 
@@ -38,23 +38,23 @@ runc_version() { if [ -f "${containerd_src_dir}/script/setup/runc-version" ]; then # containerd v1.5.0-beta.4 and up, and v1.4.5 and up specify the version of # runc to use in script/setup/runc-version. - cat "${containerd_src_dir}/script/setup/runc-version" - >&2 echo "INFO: detected runc version from script/setup/runc-version" + runc_ref=$(cat "${containerd_src_dir}/script/setup/runc-version") + >&2 echo "INFO: detected runc version (${runc_ref}) from script/setup/runc-version" return elif [ -f "${containerd_src_dir}/go.mod" ]; then # containerd master between v1.4.x and v1.5.0-beta.4 required the runc binary # to be the same version as the vendored (libcontainer) dependency, specified # in go.mod. containerd v1.5.0-beta.4 (and up), and v1.4.5 (and up) decoupled # the binary version from the libnetwork version, and use script/setup/runc-version - grep 'opencontainers/runc' "${containerd_src_dir}/go.mod" | awk '{print $2}' - >&2 echo "INFO: detected runc version from go.mod" + runc_ref=$(grep 'opencontainers/runc' "${containerd_src_dir}/go.mod" | awk '{print $2}') + >&2 echo "INFO: detected runc version (${runc_ref}) from go.mod" return elif [ -f "${containerd_src_dir}/vendor.conf" ]; then # containerd master between v1.4.x and v1.5.0-beta.4 required the runc binary # to be the same version as the vendored (libcontainer) dependency, specified # in vendor.conf. - grep 'opencontainers/runc' "${containerd_src_dir}/vendor.conf" | awk '{print $2}' - >&2 echo "INFO: detected runc version from vendor.conf" + runc_ref=$(grep 'opencontainers/runc' "${containerd_src_dir}/vendor.conf" | awk '{print $2}') + >&2 echo "INFO: detected runc version (${runc_ref}) from vendor.conf" return fi From 91b25bb07efd4d1fc3e5fed4e6d75990f5fbee4a Mon Sep 17 00:00:00 2001 
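Review bot: After this change the three detection branches assign `runc_ref=$(...)` and print only to stderr, so nothing reaches stdout before `return`, whereas the replaced `cat` / `grep | awk` lines wrote the version to stdout. Callers that capture the script's output with command substitution would therefore receive an empty string whenever RUNC_REF is not preset. Each branch needs `echo "${runc_ref}"` before its `return`. The body of `runc_version()` starts and ends outside this hunk.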
From: Sebastiaan van Stijn Date: Wed, 26 May 2021 13:05:05 +0200 Subject: [PATCH 07/44] Fix missing echo in scripts/determine-runc-version This was introduced in e1b2c4a0e7437e63b018829deb4d0e79e8065205, where the version that was found is now stored in a variable (runc_ref) for debugging. However, I forgot to add an "echo" to actually print the version. Because of that, the script debugs the version it found: + git -C src/github.com/containerd/containerd checkout -q refs/tags/v1.4.6 ./scripts/checkout.sh src/github.com/opencontainers/runc "$(./scripts/determine-runc-version)" INFO: detected runc version (v1.0.0-rc95) from script/setup/runc-version But in the "build" target it shows that it didn't actually print it (note the missing version missing between `runc :` and `(commit: ...)`): -------------------------------------------------------------------- Building packages on docker.io/dockereng/rhel:7-s390x containerd : v1.4.6 (commit: d71fcd7) INFO: detected runc version (v1.0.0-rc95) from script/setup/runc-version runc : (commit: e005fee) architecture : s390x build image : docker.io/dockereng/rhel:7-s390x golang image : docker.io/library/golang:1.13.15-buster -------------------------------------------------------------------- Signed-off-by: Sebastiaan van Stijn --- scripts/determine-runc-version | 3 +++ 1 file changed, 3 insertions(+) diff --git a/scripts/determine-runc-version b/scripts/determine-runc-version index c8133d6b..a7f8f99a 100755 --- a/scripts/determine-runc-version +++ b/scripts/determine-runc-version @@ -40,6 +40,7 @@ runc_version() { # runc to use in script/setup/runc-version. runc_ref=$(cat "${containerd_src_dir}/script/setup/runc-version") >&2 echo "INFO: detected runc version (${runc_ref}) from script/setup/runc-version" + echo "${runc_ref}" return elif [ -f "${containerd_src_dir}/go.mod" ]; then # containerd master between v1.4.x and v1.5.0-beta.4 required the runc binary 
@@ -48,6 +49,7 @@ runc_version() { # the binary version from the libnetwork version, and use script/setup/runc-version runc_ref=$(grep 'opencontainers/runc' "${containerd_src_dir}/go.mod" | awk '{print $2}') >&2 echo "INFO: detected runc version (${runc_ref}) from go.mod" + echo "${runc_ref}" return elif [ -f "${containerd_src_dir}/vendor.conf" ]; then # containerd master between v1.4.x and v1.5.0-beta.4 required the runc binary @@ -55,6 +57,7 @@ runc_version() { # in vendor.conf. runc_ref=$(grep 'opencontainers/runc' "${containerd_src_dir}/vendor.conf" | awk '{print $2}') >&2 echo "INFO: detected runc version (${runc_ref}) from vendor.conf" + echo "${runc_ref}" return fi From 338997169b59dc652771a3421aabcfbde1ee1c5a Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Fri, 25 Jun 2021 10:08:29 +0200 Subject: [PATCH 08/44] deb: fix use of PREFIX and DESTDIR for changes in containerd containerd commit https://github.com/containerd/containerd/commit/b5f530a15780ee443b8c568200d37d50d0449672 changed the handling of PREFIX and DESTDIR. As a result, the location in which the binaries are installed changed. This patch sets the PREFIX variable to match the old location, so that the build script can work with both the 1.4 and 1.5 release branches of containerd, and with current master/main. Once the upstream 1.4 and 1.5 release branches become obsolete, we should consider removing the custom PREFIX, and use (pwd)/usr/local/bin instead, and consider using a TEMP dir for the binaries (and set that as DESTDIR). Signed-off-by: Sebastiaan van Stijn --- debian/rules | 3 +++ 1 file changed, 3 insertions(+) diff --git a/debian/rules b/debian/rules index d534ee00..b182343e 100755 --- a/debian/rules +++ b/debian/rules 
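Review bot: The added `echo "${runc_ref}"` lines print whatever was captured, with no check that it is a single non-empty ref; this applies to all three hunks of this patch, including the `runc-version` branch in `@@ -40,6 +40,7 @@`. An empty `runc-version` file, or a `grep 'opencontainers/runc'` that matches nothing or several lines in go.mod or vendor.conf, leaves the script returning successfully with an empty or multi-line value. A guard before each echo would surface that instead of passing it on, e.g. `[ -n "${runc_ref}" ] || { >&2 echo "ERROR: empty runc version"; exit 1; }`. The enclosing function continues outside the hunks.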
@@ -19,9 +19,12 @@ # GO_SRC_PATH and PACKAGE are defined in the dockerfile # VERSION and REF are defined in scripts/build-deb +# TODO remove custom PREFIX variable once containerd release/1.4 and release/1.5 +# are obsolete. See https://github.com/containerd/containerd/commit/b5f530a157 binaries: ## Create containerd binaries @set -x; GO111MODULE=off make -C $(GO_SRC_PATH) --no-print-directory \ DESTDIR="$$(pwd)" \ + PREFIX="" \ VERSION=$${VERSION} \ REVISION=$${REF} \ PACKAGE=$${PACKAGE} \ From 46ea2e8db8a13c9ee60d909b3200794b97c8a485 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Mon, 22 Jun 2020 09:44:47 +0200 Subject: [PATCH 09/44] Jenkinsfile: enable armhf builds for ubuntu:focal and above Now that our agents run on a more recent kernel version, problems with seccomp should likely be resolved, so we can enable these for CI. Signed-off-by: Sebastiaan van Stijn --- Jenkinsfile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index d980d345..8ccdc250 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
@@ -21,9 +21,9 @@ def images = [ [image: "docker.io/balenalib/rpi-raspbian:bullseye",arches: ["armhf"]], [image: "docker.io/library/ubuntu:xenial", arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 16.04 LTS (End of support: April, 2021. EOL: April, 2024) [image: "docker.io/library/ubuntu:bionic", arches: ["amd64", "aarch64", "armhf", "s390x"]], // Ubuntu 18.04 LTS (End of support: April, 2023. EOL: April, 2028) - [image: "docker.io/library/ubuntu:focal", arches: ["amd64", "aarch64"]], // Ubuntu 20.04 LTS (End of support: April, 2025. EOL: April, 2030) - [image: "docker.io/library/ubuntu:groovy", arches: ["amd64", "aarch64"]], // Ubuntu 20.10 (EOL: July, 2021) - [image: "docker.io/library/ubuntu:hirsute", arches: ["amd64", "aarch64"]], // Ubuntu 21.04 (EOL: January, 2022) + [image: "docker.io/library/ubuntu:focal", arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 20.04 LTS (End of support: April, 2025. EOL: April, 2030) + [image: "docker.io/library/ubuntu:groovy", arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 20.10 (EOL: July, 2021) + [image: "docker.io/library/ubuntu:hirsute", arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 21.04 (EOL: January, 2022) ] def generatePackageStep(opts, arch) { From d8bf1279290f90004e08b01a6c85004a1cb2f9ad Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Fri, 9 Jul 2021 08:54:58 +0200 Subject: [PATCH 10/44] Jenkinsfile: remove Ubuntu 16.04 "xenial" (End of support: April, 2021) Signed-off-by: Sebastiaan van Stijn --- Jenkinsfile | 1 - 1 file changed, 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 8ccdc250..cc32a7cc 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
@@ -19,7 +19,6 @@ def images = [ [image: "docker.io/opensuse/leap:15", arches: ["amd64"]], [image: "docker.io/balenalib/rpi-raspbian:buster", arches: ["armhf"]], [image: "docker.io/balenalib/rpi-raspbian:bullseye",arches: ["armhf"]], - [image: "docker.io/library/ubuntu:xenial", arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 16.04 LTS (End of support: April, 2021. EOL: April, 2024) [image: "docker.io/library/ubuntu:bionic", arches: ["amd64", "aarch64", "armhf", "s390x"]], // Ubuntu 18.04 LTS (End of support: April, 2023. EOL: April, 2028) [image: "docker.io/library/ubuntu:focal", arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 20.04 LTS (End of support: April, 2025. EOL: April, 2030) [image: "docker.io/library/ubuntu:groovy", arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 20.10 (EOL: July, 2021) From 7d0ecf84f5e418a02651197340a06b5b4d1d9445 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Fri, 9 Jul 2021 08:57:27 +0200 Subject: [PATCH 11/44] Jenkinsfile: remove Fedora 32 (EOL: 18 May 2021) Signed-off-by: Sebastiaan van Stijn --- Jenkinsfile | 1 - 1 file changed, 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index cc32a7cc..9ea179b4 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -12,7 +12,6 @@ def images = [ [image: "docker.io/library/centos:8", arches: ["amd64", "aarch64"]], [image: "docker.io/library/debian:buster", arches: ["amd64", "aarch64", "armhf"]], // Debian 10 (EOL: 2024) [image: "docker.io/library/debian:bullseye", arches: ["amd64", "aarch64", "armhf"]], // Debian 11 (Next stable) - [image: "docker.io/library/fedora:32", arches: ["amd64", "aarch64"]], // Fedora 32 (EOL: 18 May 2021) [image: "docker.io/library/fedora:33", arches: ["amd64", "aarch64"]], [image: "docker.io/library/fedora:34", arches: ["amd64", "aarch64"]], [image: "docker.io/library/fedora:rawhide", arches: ["amd64"]], // Rawhide is the name given to the current development version of Fedora From 830b5c6331d7b84f52649b03aa9b63be2963ed19 Mon Sep 17 00:00:00 2001 
From: anujajakhade Date: Mon, 12 Jul 2021 15:07:54 +0530 Subject: [PATCH 12/44] RPM : Update libseccomp dependency name for SLES/openSUSE distros Signed-off-by: Anuja Jakhade Update containerd.spec --- rpm/containerd.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/rpm/containerd.spec b/rpm/containerd.spec index 04caeeba..70a1a86f 100644 --- a/rpm/containerd.spec +++ b/rpm/containerd.spec @@ -59,6 +59,10 @@ Source3: runc Requires: container-selinux >= 2:2.74 %endif Requires: libseccomp +%else +# SUSE flavors do not have container-selinux, +# and libseccomp is named libseccomp2 +Requires: libseccomp2 %endif BuildRequires: make BuildRequires: gcc From edec85851294a539260b56f22054dcf976d49200 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Mon, 19 Jul 2021 11:51:34 +0200 Subject: [PATCH 13/44] scripts: remove unused gen-go-dl-url script This was originally used in e232259116593c1630b40bce9ae34f75a6d5b06a to download the go binary, but starting with 6e4218ae9a6e568d06bae5ef3d2fe6b41f3d7a2f, the code switched to copy the go binary from a Docker Image, so there's no longer a need to generate the download URL. Signed-off-by: Sebastiaan van Stijn --- scripts/gen-go-dl-url | 35 ----------------------------------- 1 file changed, 35 deletions(-) delete mode 100755 scripts/gen-go-dl-url diff --git a/scripts/gen-go-dl-url b/scripts/gen-go-dl-url deleted file mode 100755 index 7fc589ae..00000000 --- a/scripts/gen-go-dl-url +++ /dev/null 
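Review bot: The new `%else` branch adds `Requires: libseccomp2` with no version, as does the existing `Requires: libseccomp` line, so any libseccomp the distro offers satisfies the package. If the bundled runc depends on a minimum libseccomp level for its seccomp filters to behave as intended (not verifiable from this hunk), an older library on a long-lived SLES release would install cleanly and only differ at runtime. Consider a version floor on both branches, or a comment stating that none is needed. The inner `%if` guarding `container-selinux` lies partly outside the hunk.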
@@ -1,35 +0,0 @@ -#!/usr/bin/env sh - -# Copyright 2018-2020 Docker Inc. - -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at - -# http://www.apache.org/licenses/LICENSE-2.0 - -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -GOVERSION=${GOVERSION:-1.12.16} -HOST_ARCH=${HOST_ARCH:-$(uname -m)} -DL_ARCH=${HOST_ARCH} - -# Why do they name them differently than their `uname -m` counterparts? -# ¯\_(ツ)_/¯ -case $HOST_ARCH in - x86_64) - DL_ARCH="amd64" - ;; - aarch64) - DL_ARCH="arm64" - ;; - armv7l) - DL_ARCH="armv6l" - ;; -esac - -echo "https://dl.google.com/go/go${GOVERSION}.linux-${DL_ARCH}.tar.gz" From 3206806f2a4ab686b257710aadb3a14f3a8a735f Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Mon, 19 Jul 2021 12:04:35 +0200 Subject: [PATCH 14/44] scripts/determine-runc-version: remove fallback for older containerd versions Starting with containerd v1.4.5, and v1.5.0-beta.4, we can now use the runc-version file: - https://github.com/containerd/containerd/blob/v1.4.5/script/setup/runc-version - https://github.com/containerd/containerd/blob/v1.5.0/script/setup/runc-version There should no longer be a need to build older (patch) releases of the containerd packages, so we can now remove the fallbacks. Signed-off-by: Sebastiaan van Stijn --- scripts/determine-runc-version | 31 +++++-------------------------- 1 file changed, 5 insertions(+), 26 deletions(-) diff --git a/scripts/determine-runc-version b/scripts/determine-runc-version index a7f8f99a..9c18efd6 100755 --- a/scripts/determine-runc-version +++ b/scripts/determine-runc-version 
@@ -15,14 +15,10 @@ # limitations under the License. # Select the default version of runc based on the containerd source if no -# RUNC_REF is set manually. For containerd > 1.5.0-beta.4, and containerd > 1.4.4, -# the runc version commit/tag is defined script/setup/runc-version. For older -# versions, use go.mod or vendor.conf. +# RUNC_REF is set manually. # # See the install-runc script in the containerd repository: -# https://github.com/containerd/containerd/blob/v1.5.0-beta.4/script/setup/install-runc#L24-L27 -# https://github.com/containerd/containerd/blob/v1.5.0-beta.3/script/setup/install-runc#L24 -# https://github.com/containerd/containerd/blob/v1.4.0/script/setup/install-runc#L24 +# https://github.com/containerd/containerd/blob/v1.5.0/script/setup/install-runc#L24-L27 runc_version() { if [ -n "${RUNC_REF}" ]; then # just a safe-guard if this script is called when RUNC_REF was already set. 
@@ -36,33 +32,16 @@ runc_version() { containerd_src_dir="${repo_abspath}/src/github.com/containerd/containerd" if [ -f "${containerd_src_dir}/script/setup/runc-version" ]; then - # containerd v1.5.0-beta.4 and up, and v1.4.5 and up specify the version of - # runc to use in script/setup/runc-version. + # starting with v1.5.0-beta.4 and up, and v1.4.5, containerd specifies + # the version of runc to use in script/setup/runc-version. runc_ref=$(cat "${containerd_src_dir}/script/setup/runc-version") >&2 echo "INFO: detected runc version (${runc_ref}) from script/setup/runc-version" echo "${runc_ref}" return - elif [ -f "${containerd_src_dir}/go.mod" ]; then - # containerd master between v1.4.x and v1.5.0-beta.4 required the runc binary - # to be the same version as the vendored (libcontainer) dependency, specified - # in go.mod. containerd v1.5.0-beta.4 (and up), and v1.4.5 (and up) decoupled - # the binary version from the libnetwork version, and use script/setup/runc-version - runc_ref=$(grep 'opencontainers/runc' "${containerd_src_dir}/go.mod" | awk '{print $2}') - >&2 echo "INFO: detected runc version (${runc_ref}) from go.mod" - echo "${runc_ref}" - return - elif [ -f "${containerd_src_dir}/vendor.conf" ]; then - # containerd master between v1.4.x and v1.5.0-beta.4 required the runc binary - # to be the same version as the vendored (libcontainer) dependency, specified - # in vendor.conf. - runc_ref=$(grep 'opencontainers/runc' "${containerd_src_dir}/vendor.conf" | awk '{print $2}') - >&2 echo "INFO: detected runc version (${runc_ref}) from vendor.conf" - echo "${runc_ref}" - return fi # if all else fails - >&2 echo "INFO: unable to detect runc version, using HEAD" + >&2 echo "WARNING: unable to detect runc version, using HEAD" echo "HEAD" } From b7ef55aa6d1e8343b476a1cf76ab39a7e250f86a Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Tue, 21 Jul 2020 11:23:29 +0200 Subject: [PATCH 15/44] Makefile: use Ubuntu:20.04 as default BUILD_IMAGE 
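Review bot: With the go.mod and vendor.conf branches removed, any checkout without script/setup/runc-version now falls through to `echo "HEAD"`, so the package is built from whatever runc commit is current rather than a pinned release. The only signal is a WARNING on stderr. For a release-packaging script I would make that path fail, for example `>&2 echo "ERROR: unable to detect runc version; set RUNC_REF"` followed by `return 1`, assuming the callers (not visible here) check the exit status. The kept branch also echoes the file content unchecked, so an empty runc-version file yields an empty ref; a `[ -n "${runc_ref}" ]` guard before the `echo` would catch that. runc_version() starts above this hunk.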
Signed-off-by: Sebastiaan van Stijn --- Makefile | 2 +- dockerfiles/deb.dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index a0676322..ac4277c1 100644 --- a/Makefile +++ b/Makefile @@ -14,7 +14,7 @@ include common/common.mk -BUILD_IMAGE=centos:7 +BUILD_IMAGE=ubuntu:focal BUILD_TYPE=$(shell ./scripts/deb-or-rpm $(BUILD_IMAGE)) BUILD_BASE=$(shell ./scripts/determine-base $(BUILD_IMAGE)) diff --git a/dockerfiles/deb.dockerfile b/dockerfiles/deb.dockerfile index 573efbb9..71984a53 100644 --- a/dockerfiles/deb.dockerfile +++ b/dockerfiles/deb.dockerfile @@ -15,7 +15,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -ARG BUILD_IMAGE=ubuntu:bionic +ARG BUILD_IMAGE=ubuntu:focal ARG GOLANG_IMAGE=golang:latest # Install golang from the official image, since the package managed From 34dfddae2d6262c06e6b8202ae76acadafe6efff Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Mon, 19 Jul 2021 12:54:18 +0200 Subject: [PATCH 16/44] rpm: fix repository-file names on CentOS Names of these files changed a couple of times (lowercase/uppercase). And differ between CentOS 7 and CentOS 8: On CentOS 7: docker run --rm centos:7 ls -1 /etc/yum.repos.d/ CentOS-Base.repo CentOS-CR.repo CentOS-Debuginfo.repo CentOS-Media.repo CentOS-Sources.repo CentOS-Vault.repo CentOS-fasttrack.repo CentOS-x86_64-kernel.repo On CentOS 8, the files were renamed, and now have `-Linux` in their names: docker run --rm centos:8 ls -1 /etc/yum.repos.d/ CentOS-Linux-AppStream.repo CentOS-Linux-BaseOS.repo CentOS-Linux-ContinuousRelease.repo CentOS-Linux-Debuginfo.repo CentOS-Linux-Devel.repo CentOS-Linux-Extras.repo CentOS-Linux-FastTrack.repo CentOS-Linux-HighAvailability.repo CentOS-Linux-Media.repo CentOS-Linux-Plus.repo CentOS-Linux-PowerTools.repo CentOS-Linux-Sources.repo 
Signed-off-by: Sebastiaan van Stijn --- dockerfiles/rpm.dockerfile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/dockerfiles/rpm.dockerfile b/dockerfiles/rpm.dockerfile index 0382ae08..f6a030cc 100644 --- a/dockerfiles/rpm.dockerfile +++ b/dockerfiles/rpm.dockerfile @@ -35,10 +35,11 @@ RUN yum install -y yum-utils rpm-build git FROM redhat-base AS rhel-base FROM redhat-base AS centos-base -RUN if [ -f /etc/yum.repos.d/CentOS-PowerTools.repo ]; then sed -i 's/enabled=0/enabled=1/g' /etc/yum.repos.d/CentOS-PowerTools.repo; fi +# Using a wildcard: CentOS 7 uses "CentOS-RepoName", CentOS 8 uses "CentOS-Linux-RepoName" +RUN if [ -f /etc/yum.repos.d/CentOS-*PowerTools.repo ]; then sed -i 's/enabled=0/enabled=1/g' /etc/yum.repos.d/CentOS-*PowerTools.repo; fi # In aarch64 (arm64) images, the altarch repo is specified as repository, but # failing, so replace the URL. -RUN if [ -f /etc/yum.repos.d/CentOS-Sources.repo ]; then sed -i 's/altarch/centos/g' /etc/yum.repos.d/CentOS-Sources.repo; fi +RUN if [ -f /etc/yum.repos.d/CentOS-*Sources.repo ]; then sed -i 's/altarch/centos/g' /etc/yum.repos.d/CentOS-*Sources.repo; fi FROM redhat-base AS amzn-base From 6ec0dbe473ef92f9a8c5eaf9cfa162457b914a3d Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Mon, 19 Jul 2021 11:46:31 +0200 Subject: [PATCH 17/44] prepare release v1.4.7 - Update to containerd 1.4.7 - Update runc to v1.0.0 - Update Golang runtime to 1.15.14 containerd: - diff: https://github.com/containerd/containerd/compare/v1.4.6...v1.4.7 - release notes: https://github.com/containerd/containerd/releases/tag/v1.4.7 runc: - diff: https://github.com/opencontainers/runc/compare/v1.0.0-rc95...v1.0.0 - release notes: https://github.com/opencontainers/runc/releases/tag/v1.0.0 golang: - release notes: https://golang.org/doc/devel/release#go1.15 Signed-off-by: Sebastiaan van Stijn --- debian/changelog | 8 ++++++++ rpm/containerd.spec | 5 +++++ 2 files changed, 13 insertions(+) 
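Review bot: The glob inside `[ -f /etc/yum.repos.d/CentOS-*PowerTools.repo ]` only works when it expands to exactly one path. With two matches `[` receives too many arguments and returns false, so the `sed` is skipped and the RUN step still succeeds with the repository left disabled. The same applies to the `CentOS-*Sources.repo` line. Iterating keeps the wildcard and handles zero, one or several matches: `RUN for f in /etc/yum.repos.d/CentOS-*PowerTools.repo; do if [ -f "$f" ]; then sed -i 's/enabled=0/enabled=1/g' "$f"; fi; done`.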
diff --git a/debian/changelog b/debian/changelog index 231f304e..85a823ea 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +containerd.io (1.4.7-1) release; urgency=medium + + * Update to containerd 1.4.7 + * Update runc to v1.0.0 + * Update Golang runtime to 1.15.14 + + -- Sebastiaan van Stijn Mon, 19 Jul 2021 09:30:34 +0000 + containerd.io (1.4.6-1) release; urgency=high * Update to containerd 1.4.6 diff --git a/rpm/containerd.spec b/rpm/containerd.spec index 70a1a86f..2dda6ea1 100644 --- a/rpm/containerd.spec +++ b/rpm/containerd.spec @@ -161,6 +161,11 @@ done %changelog +* Mon Jul 19 2021 Sebastiaan van Stijn - 1.4.7-3.1 +- Update to containerd 1.4.7 +- Update runc to v1.0.0 +- Update Golang runtime to 1.15.14 + * Fri May 21 2021 Sebastiaan van Stijn - 1.4.6-3.1 - Update to containerd 1.4.6 - Update runc to v1.0.0-rc95 to address CVE-2021-30465. From f096c9d827556161370def804f7eb44b0f095735 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Mon, 19 Jul 2021 21:07:16 +0200 Subject: [PATCH 18/44] prepare release v1.4.8 Update to containerd 1.4.8 to address [CVE-2021-32760][1]. [1]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32760 Signed-off-by: Sebastiaan van Stijn --- debian/changelog | 6 ++++++ rpm/containerd.spec | 3 +++ 2 files changed, 9 insertions(+) diff --git a/debian/changelog b/debian/changelog index 85a823ea..777b23ef 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +containerd.io (1.4.8-1) release; urgency=high + + * Update to containerd 1.4.8 to address CVE-2021-32760 + + -- Sebastiaan van Stijn Mon, 19 Jul 2021 19:03:08 +0000 + containerd.io (1.4.7-1) release; urgency=medium * Update to containerd 1.4.7 diff --git a/rpm/containerd.spec b/rpm/containerd.spec index 2dda6ea1..1b4bd734 100644 --- a/rpm/containerd.spec +++ b/rpm/containerd.spec 
@@ -161,6 +161,9 @@ done %changelog +* Mon Jul 19 2021 Sebastiaan van Stijn - 1.4.8-3.1 +- Update to containerd 1.4.8 to address CVE-2021-32760 + * Mon Jul 19 2021 Sebastiaan van Stijn - 1.4.7-3.1 - Update to containerd 1.4.7 - Update runc to v1.0.0 From 8c11ccb8295aba8a65d55c7fa53b146ba103d67a Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Thu, 29 Jul 2021 22:47:10 +0200 Subject: [PATCH 19/44] prepare release v1.4.9 - Update to containerd 1.4.9 - Update runc to v1.0.1 Welcome to the v1.4.9 release of containerd! The ninth patch release for containerd 1.4 updates runc to 1.0.1 and contains other minor updates. Notable Updates - Update runc binary to 1.0.1 - Update pull authorization logic on redirect - Fix user agent used for fetching registry authentication tokens Signed-off-by: Sebastiaan van Stijn --- debian/changelog | 7 +++++++ rpm/containerd.spec | 4 ++++ 2 files changed, 11 insertions(+) diff --git a/debian/changelog b/debian/changelog index 777b23ef..451b637f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +containerd.io (1.4.9-1) release; urgency=medium + + * Update to containerd 1.4.8 + * Update runc to v1.0.1 + + -- Sebastiaan van Stijn Thu, 29 Jul 2021 20:43:55 +0000 + containerd.io (1.4.8-1) release; urgency=high * Update to containerd 1.4.8 to address CVE-2021-32760 diff --git a/rpm/containerd.spec b/rpm/containerd.spec index 1b4bd734..91fd6a52 100644 --- a/rpm/containerd.spec +++ b/rpm/containerd.spec @@ -161,6 +161,10 @@ done %changelog +* Thu Jul 29 2021 Sebastiaan van Stijn - 1.4.9-3.1 +- Update to containerd 1.4.9 +- Update runc to v1.0.1 + * Mon Jul 19 2021 Sebastiaan van Stijn - 1.4.8-3.1 - Update to containerd 1.4.8 to address CVE-2021-32760 From e13469216910d95cc94e5482d5b35fb0df7b998c Mon Sep 17 00:00:00 2001 
From: Sebastiaan van Stijn Date: Thu, 16 Sep 2021 14:32:38 +0200 Subject: [PATCH 20/44] Use GO111MODULE=auto instead of "off" Using "auto" to work around an issue with a broken vendor package in containerd; GO111MODULE=off make -C /go/src/github.com/containerd/containerd --no-print-directory DESTDIR=/root/containerd PREFIX= VERSION=20210916.065010~7ddf5e5 REVISION=7ddf5e52ba738e868b70807797c79c8e54da3497 PACKAGE=containerd.io binaries install vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal/connection/connection.go:33:2: found import comments "go.opentelemetry.io/otel/exporters/otlp/internal/otlpconfig" (options.go) and "go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal/otlpconfig" (optiontypes.go) in /go/src/github.com/containerd/containerd/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal/otlpconfig Using "auto" should (I hope) still use the vendored packages, but instead of "GOPATH" mode, will be using "go modules" mode, which ignores `// import` comments (which isn't a thing in go modules). Signed-off-by: Sebastiaan van Stijn --- debian/rules | 6 +++--- rpm/containerd.spec | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/debian/rules b/debian/rules index b182343e..9cfe0cd9 100755 --- a/debian/rules +++ b/debian/rules @@ -22,7 +22,7 @@ # TODO remove custom PREFIX variable once containerd release/1.4 and release/1.5 # are obsolete. See https://github.com/containerd/containerd/commit/b5f530a157 binaries: ## Create containerd binaries - @set -x; GO111MODULE=off make -C $(GO_SRC_PATH) --no-print-directory \ + @set -x; GO111MODULE=auto make -C $(GO_SRC_PATH) --no-print-directory \ DESTDIR="$$(pwd)" \ PREFIX="" \ VERSION=$${VERSION} \ 
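Review bot: `GO111MODULE=auto` makes the build mode depend on whether the checked-out source has a go.mod, and none of the changed lines say so: this one, the `bin/runc` and `man` targets in the next hunk, and the three `make` calls in rpm/containerd.spec. In module mode the vendored tree is only used when Go selects `-mod=vendor`, which the commit message hopes for but nothing in the build asserts; otherwise dependencies could be resolved from outside vendor/. I would add a comment above the `binaries` target such as `# GO111MODULE=auto: GOPATH mode for branches without go.mod, module mode (using vendor/) otherwise`. Forcing `GOFLAGS=-mod=vendor` is not a drop-in fix, since Go rejects `-mod` in GOPATH mode. The `binaries` recipe continues past the end of this hunk.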
@@ -34,13 +34,13 @@ binaries: ## Create containerd binaries rm -f bin/containerd-stress bin/runc: - @set -x; GO111MODULE=off make -C /go/src/github.com/opencontainers/runc --no-print-directory \ + @set -x; GO111MODULE=auto make -C /go/src/github.com/opencontainers/runc --no-print-directory \ BINDIR="$$(pwd)/bin" \ BUILDTAGS='seccomp apparmor selinux' \ runc install man: ## Create containerd man pages - @set -x; GO111MODULE=off make -C $(GO_SRC_PATH) --no-print-directory man + @set -x; GO111MODULE=auto make -C $(GO_SRC_PATH) --no-print-directory man # copy the generated man pages instead of using "make install-man" to allow # dh_installman doing its magic diff --git a/rpm/containerd.spec b/rpm/containerd.spec index 91fd6a52..ff6bc358 100644 --- a/rpm/containerd.spec +++ b/rpm/containerd.spec @@ -106,21 +106,21 @@ cd %{_topdir}/BUILD/ %build cd %{_topdir}/BUILD -GO111MODULE=off make man +GO111MODULE=auto make man BUILDTAGS="seccomp selinux" %if 1%{!?el8:1} BUILDTAGS="${BUILDTAGS} no_btrfs" %endif -GO111MODULE=off make -C /go/src/%{import_path} VERSION=%{getenv:VERSION} REVISION=%{getenv:REF} PACKAGE=%{getenv:PACKAGE} BUILDTAGS="${BUILDTAGS}" +GO111MODULE=auto make -C /go/src/%{import_path} VERSION=%{getenv:VERSION} REVISION=%{getenv:REF} PACKAGE=%{getenv:PACKAGE} BUILDTAGS="${BUILDTAGS}" # Remove containerd-stress, as we're not shipping it as part of the packages rm -f bin/containerd-stress bin/containerd --version bin/ctr --version -GO111MODULE=off make -C /go/src/github.com/opencontainers/runc BINDIR=%{_topdir}/BUILD/bin BUILDTAGS='seccomp apparmor selinux %{runc_nokmem}' runc install +GO111MODULE=auto make -C /go/src/github.com/opencontainers/runc BINDIR=%{_topdir}/BUILD/bin BUILDTAGS='seccomp apparmor selinux %{runc_nokmem}' runc install %install From 22294883205a3cd50b8c3676fdce6dd4f31e6e13 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Wed, 15 Sep 2021 19:15:22 +0200 Subject: [PATCH 21/44] Jenkinsfile: remove Ubuntu 20.10 "Groovy" (EOL: 2021-07-22) 
Signed-off-by: Sebastiaan van Stijn --- Jenkinsfile | 1 - 1 file changed, 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 9ea179b4..629942f7 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -20,7 +20,6 @@ def images = [ [image: "docker.io/balenalib/rpi-raspbian:bullseye",arches: ["armhf"]], [image: "docker.io/library/ubuntu:bionic", arches: ["amd64", "aarch64", "armhf", "s390x"]], // Ubuntu 18.04 LTS (End of support: April, 2023. EOL: April, 2028) [image: "docker.io/library/ubuntu:focal", arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 20.04 LTS (End of support: April, 2025. EOL: April, 2030) - [image: "docker.io/library/ubuntu:groovy", arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 20.10 (EOL: July, 2021) [image: "docker.io/library/ubuntu:hirsute", arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 21.04 (EOL: January, 2022) ] From 4495a55f7d5a463bf27be59284c3d1696e78f1e1 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Thu, 30 Sep 2021 17:25:48 +0200 Subject: [PATCH 22/44] prepare release v1.4.10 - Update to containerd 1.4.10 - Update runc to v1.0.2 - Update Golang runtime to 1.16.8 Signed-off-by: Sebastiaan van Stijn --- debian/changelog | 10 +++++++++- rpm/containerd.spec | 5 +++++ 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index 451b637f..ef765f0c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,14 @@ +containerd.io (1.4.10-1) release; urgency=medium + + * Update to containerd 1.4.10 + * Update runc to v1.0.2 + * Update Golang runtime to 1.16.8 + + -- Sebastiaan van Stijn Thu, 30 Sep 2021 15:21:28 +0000 + containerd.io (1.4.9-1) release; urgency=medium - * Update to containerd 1.4.8 + * Update to containerd 1.4.9 * Update runc to v1.0.1 -- Sebastiaan van Stijn Thu, 29 Jul 2021 20:43:55 +0000 diff --git a/rpm/containerd.spec b/rpm/containerd.spec index ff6bc358..8dbe00bd 100644 --- a/rpm/containerd.spec +++ b/rpm/containerd.spec 
@@ -161,6 +161,11 @@ done %changelog +* Thu Sep 30 2021 Sebastiaan van Stijn - 1.4.10-3.1 +- Update to containerd 1.4.10 +- Update runc to v1.0.2 +- Update Golang runtime to 1.16.8 + * Thu Jul 29 2021 Sebastiaan van Stijn - 1.4.9-3.1 - Update to containerd 1.4.9 - Update runc to v1.0.1 From 56ff89384d1f86f4ccbcfc2509b73978a907e007 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Thu, 30 Sep 2021 19:41:45 +0200 Subject: [PATCH 23/44] windows: fix go modules setting make bin/containerd + bin/containerd go: cannot find main module, but found vendor.conf in C:\gopath\src\github.com\containerd\containerd to create a module there, run: go mod init Signed-off-by: Sebastiaan van Stijn --- dockerfiles/win.dockerfile | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/dockerfiles/win.dockerfile b/dockerfiles/win.dockerfile index 5f95e90a..f20b57fd 100644 --- a/dockerfiles/win.dockerfile +++ b/dockerfiles/win.dockerfile @@ -12,9 +12,11 @@ # See the License for the specific language governing permissions and # limitations under the License. -ARG GOLANG_IMAGE -FROM ${GOLANG_IMAGE} -ENV chocolateyUseWindowsCompression=false +ARG GOLANG_IMAGE=golang:latest +FROM ${GOLANG_IMAGE} AS golang +ARG GO111MODULE=on +ENV GO111MODULE=$GO111MODULE \ + chocolateyUseWindowsCompression=false # Install make and gcc RUN iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1')); \ choco feature disable --name showDownloadProgress; \ From 4c2611d0f5c82b13ccd0b8b3561ea787e7359a9c Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Thu, 30 Sep 2021 20:19:33 +0200 Subject: [PATCH 24/44] windows: use GO111MODULE=auto (needed for 1.4 branch) Signed-off-by: Sebastiaan van Stijn --- dockerfiles/win.dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dockerfiles/win.dockerfile b/dockerfiles/win.dockerfile index f20b57fd..0a9b5b44 100644 --- a/dockerfiles/win.dockerfile +++ b/dockerfiles/win.dockerfile 
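Review bot: Giving `GOLANG_IMAGE` a default of `golang:latest` in win.dockerfile means a build that omits the build-arg now succeeds with whatever Go release that tag points at on the day; the ARG had no default before. The changelog entries in this series record a specific Go runtime per release, so the toolchain is evidently meant to be chosen deliberately, though whether the Makefile always passes `GOLANG_IMAGE` is not visible here. I would either keep the ARG without a default or document it, e.g. `# default is for local builds only; release builds must pass a pinned GOLANG_IMAGE`. The commit message mentions only the go modules setting, not the new default or the `AS golang` stage name.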
@@ -14,7 +14,7 @@ ARG GOLANG_IMAGE=golang:latest FROM ${GOLANG_IMAGE} AS golang -ARG GO111MODULE=on +ARG GO111MODULE=auto ENV GO111MODULE=$GO111MODULE \ chocolateyUseWindowsCompression=false # Install make and gcc From 7047b3c18398585ba7807c4841bc6d218b932b0e Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Mon, 4 Oct 2021 13:25:21 +0200 Subject: [PATCH 25/44] prepare release v1.4.11 Update to containerd 1.4.11 to address CVE-2021-41103 Signed-off-by: Sebastiaan van Stijn --- debian/changelog | 6 ++++++ rpm/containerd.spec | 3 +++ 2 files changed, 9 insertions(+) diff --git a/debian/changelog b/debian/changelog index ef765f0c..c1f69f02 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +containerd.io (1.4.11-1) release; urgency=high + + * Update to containerd 1.4.11 to address CVE-2021-41103 + + -- Sebastiaan van Stijn Mon, 04 Oct 2021 11:20:49 +0000 + containerd.io (1.4.10-1) release; urgency=medium * Update to containerd 1.4.10 diff --git a/rpm/containerd.spec b/rpm/containerd.spec index 8dbe00bd..012a3243 100644 --- a/rpm/containerd.spec +++ b/rpm/containerd.spec @@ -161,6 +161,9 @@ done %changelog +* Mon Oct 04 2021 Sebastiaan van Stijn - 1.4.11-3.1 +- Update to containerd 1.4.11 to address CVE-2021-41103 + * Thu Sep 30 2021 Sebastiaan van Stijn - 1.4.10-3.1 - Update to containerd 1.4.10 - Update runc to v1.0.2 From 5c59f1ad9195ef4ab534f1c9bc2550e727a061a7 Mon Sep 17 00:00:00 2001 From: Janar Juusu Date: Fri, 15 Oct 2021 12:10:20 +0300 Subject: [PATCH 26/44] Jenkinsfile: add Fedora 35 Signed-off-by: Janar Juusu --- Jenkinsfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 629942f7..abfe4953 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
@@ -12,8 +12,9 @@ def images = [ [image: "docker.io/library/centos:8", arches: ["amd64", "aarch64"]], [image: "docker.io/library/debian:buster", arches: ["amd64", "aarch64", "armhf"]], // Debian 10 (EOL: 2024) [image: "docker.io/library/debian:bullseye", arches: ["amd64", "aarch64", "armhf"]], // Debian 11 (Next stable) - [image: "docker.io/library/fedora:33", arches: ["amd64", "aarch64"]], + [image: "docker.io/library/fedora:33", arches: ["amd64", "aarch64"]], // EOL: 23rd November 2021 [image: "docker.io/library/fedora:34", arches: ["amd64", "aarch64"]], + [image: "docker.io/library/fedora:35", arches: ["amd64", "aarch64"]], [image: "docker.io/library/fedora:rawhide", arches: ["amd64"]], // Rawhide is the name given to the current development version of Fedora [image: "docker.io/opensuse/leap:15", arches: ["amd64"]], [image: "docker.io/balenalib/rpi-raspbian:buster", arches: ["armhf"]], From 760dc02830b8f314cbb10d9f3ddded7292dddd6b Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Tue, 19 Oct 2021 11:06:04 +0200 Subject: [PATCH 27/44] Jenkinsfile: add Ubuntu 21.10 "Impish Indri" Released on 14 October 2021: https://ubuntu.com/blog/ubuntu-21-10-has-landed Signed-off-by: Sebastiaan van Stijn --- Jenkinsfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Jenkinsfile b/Jenkinsfile index abfe4953..6897bba1 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
@@ -22,6 +22,7 @@ def images = [ [image: "docker.io/library/ubuntu:bionic", arches: ["amd64", "aarch64", "armhf", "s390x"]], // Ubuntu 18.04 LTS (End of support: April, 2023. EOL: April, 2028) [image: "docker.io/library/ubuntu:focal", arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 20.04 LTS (End of support: April, 2025. EOL: April, 2030) [image: "docker.io/library/ubuntu:hirsute", arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 21.04 (EOL: January, 2022) + [image: "docker.io/library/ubuntu:impish", arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 21.10 (EOL: July, 2022) ] def generatePackageStep(opts, arch) { From ef9a0db53b3ccbb545aa5d8521dae48a92d686b2 Mon Sep 17 00:00:00 2001 
From: Sebastiaan van Stijn Date: Wed, 20 Oct 2021 00:04:53 +0200 Subject: [PATCH 28/44] deb: force dpkg-build to use xz compression instead of zstd Ubuntu 21.10 switched the default compression for .deb packages to use zstd. While this change may bring some performance improvement, it is non-standard, and not all deb-related tooling currently support zstd compression. One of those tools, dpkg-sig, has not (yet) been modified to support zstd compression; we use this tool to sign our packages (and verify that packages are signed), which currently fails if packages use zstd compression; dpkg-sig --verify ./containerd.io_1.4.11-1_amd64.deb Processing ./containerd.io_1.4.11-1_amd64.deb... BADSIG _gpgbuilder It should be noted that signing individual packages is *optional* [1], and that dpkg-sig has not received updates since 2006 [2] (possibly better replaced with debsigs / debsig-verify), but changing would be a potential breaking change, as these tools are not interchangeable [3] [1]: https://www.debian.org/doc/manuals/securing-debian-manual/deb-pack-sign.en.html [2]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995113 [3]: https://raphaelhertzog.com/2010/09/17/how-to-create-debian-packages-with-alternative-compression-methods/ This patch hard-codes the compression to use in the debian rules, instead of using the default that's used by the distro. 
xz appears to be the previous default for Ubuntu and Debian; to verify this does not change the compression used for other distros, I did a quick check of the existing packages; curl -O https://download.docker.com/linux/debian/dists/bullseye/pool/stable/amd64/containerd.io_1.4.11-1_amd64.deb ar t .containerd.io_1.4.11-1_amd64.deb debian-binary control.tar.xz data.tar.xz _gpgbuilder From a size perspective, it looks like xz is actually smaller than zstd, so no negative effect there; With zstd compression: -rw-r--r-- 1 sebastiaan staff 25M Oct 19 14:43 ./build/ubuntu/impish/amd64/containerd.io_1.4.11-1_amd64.deb With xz compression: -rw-r--r-- 1 sebastiaan staff 23M Oct 19 23:56 ./build/ubuntu/impish/amd64/containerd.io_1.4.11-1_amd64.deb Before this change: make docker.io/library/ubuntu:impish ar t ./build/ubuntu/impish/amd64/*.deb debian-binary control.tar.zst data.tar.zst _gpgbuilder After this change: make docker.io/library/ubuntu:impish ar t ./build/ubuntu/impish/amd64/*.deb debian-binary control.tar.xz data.tar.xz Signed-off-by: Sebastiaan van Stijn --- debian/rules | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/debian/rules b/debian/rules index 9cfe0cd9..c9e9787a 100755 --- a/debian/rules +++ b/debian/rules @@ -47,6 +47,11 @@ man: ## Create containerd man pages install -d man install -D -m 0644 $(GO_SRC_PATH)/man/* man +# force packages to be built with xz compression, as Ubuntu 21.10 and up use +# zstd compression, which is non-standard, and breaks 'dpkg-sig --verify' +override_dh_builddeb: + dh_builddeb -- -Zxz + override_dh_auto_build: binaries bin/runc man override_dh_systemd_start: From 77f4a8617ecf2bdcabce932b02084fb287299e99 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Fri, 22 Oct 2021 15:14:17 +0200 Subject: [PATCH 29/44] Jenkinsfile: update Fedora EOL dates Signed-off-by: Sebastiaan van Stijn --- Jenkinsfile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/Jenkinsfile b/Jenkinsfile index 6897bba1..0e328941 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -12,9 +12,9 @@ def images = [ [image: "docker.io/library/centos:8", arches: ["amd64", "aarch64"]], [image: "docker.io/library/debian:buster", arches: ["amd64", "aarch64", "armhf"]], // Debian 10 (EOL: 2024) [image: "docker.io/library/debian:bullseye", arches: ["amd64", "aarch64", "armhf"]], // Debian 11 (Next stable) - [image: "docker.io/library/fedora:33", arches: ["amd64", "aarch64"]], // EOL: 23rd November 2021 - [image: "docker.io/library/fedora:34", arches: ["amd64", "aarch64"]], - [image: "docker.io/library/fedora:35", arches: ["amd64", "aarch64"]], + [image: "docker.io/library/fedora:33", arches: ["amd64", "aarch64"]], // EOL: November 23, 2021 + [image: "docker.io/library/fedora:34", arches: ["amd64", "aarch64"]], // EOL: May 17, 2022 + [image: "docker.io/library/fedora:35", arches: ["amd64", "aarch64"]], // EOL: November 30, 2022 [image: "docker.io/library/fedora:rawhide", arches: ["amd64"]], // Rawhide is the name given to the current development version of Fedora [image: "docker.io/opensuse/leap:15", arches: ["amd64"]], [image: "docker.io/balenalib/rpi-raspbian:buster", arches: ["armhf"]], From 2f985db5c5d64701c1411a35fd2cc5d491dcf95c Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Wed, 17 Nov 2021 20:00:08 +0100 Subject: [PATCH 30/44] prepare release v1.4.12 Update to containerd 1.4.11 to address CVE-2021-41190 Signed-off-by: Sebastiaan van Stijn --- debian/changelog | 7 +++++++ rpm/containerd.spec | 4 ++++ 2 files changed, 11 insertions(+) diff --git a/debian/changelog b/debian/changelog index c1f69f02..ccbbc9ac 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,10 @@ +containerd.io (1.4.12-1) release; urgency=high + + * Update containerd to v1.4.12 to address CVE-2021-41190 + * Update Golang runtime to 1.16.10 + + -- Sebastiaan van Stijn Wed, 17 Nov 2021 18:48:28 +0000 + containerd.io (1.4.11-1) release; urgency=high * Update to containerd 1.4.11 to address CVE-2021-41103 diff --git a/rpm/containerd.spec b/rpm/containerd.spec index 012a3243..4bcb9c37 100644 --- a/rpm/containerd.spec +++ b/rpm/containerd.spec @@ -161,6 +161,10 @@ done %changelog +* Wed Nov 17 2021 Sebastiaan van Stijn - 1.4.12-3.1 +- Update containerd to v1.4.12 to address CVE-2021-41190 +- Update Golang runtime to 1.16.10 + * Mon Oct 04 2021 Sebastiaan van Stijn - 1.4.11-3.1 - Update to containerd 1.4.11 to address CVE-2021-41103 From ff03b26d4f75d1a1cd84f0c4bf6c3f9a7f78b081 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Mon, 22 Nov 2021 10:52:25 +0100 Subject: [PATCH 31/44] Jenkinsfile: remove s390x steps Packages for s390x are built by IBM, and the RHEL image that we used was outdated/broken, so made CI fail. Signed-off-by: Sebastiaan van Stijn --- Jenkinsfile | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 0e328941..bbcca159 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -8,7 +8,6 @@ def images = [ [image: "docker.io/library/amazonlinux:2", arches: ["aarch64"]], [image: "docker.io/library/centos:7", arches: ["amd64", "aarch64"]], - [image: "docker.io/dockereng/rhel:7-s390x", arches: ["s390x"]], [image: "docker.io/library/centos:8", arches: ["amd64", "aarch64"]], [image: "docker.io/library/debian:buster", arches: ["amd64", "aarch64", "armhf"]], // Debian 10 (EOL: 2024) [image: "docker.io/library/debian:bullseye", arches: ["amd64", "aarch64", "armhf"]], // Debian 11 (Next stable) 
@@ -19,7 +18,7 @@ def images = [ [image: "docker.io/opensuse/leap:15", arches: ["amd64"]], [image: "docker.io/balenalib/rpi-raspbian:buster", arches: ["armhf"]], [image: "docker.io/balenalib/rpi-raspbian:bullseye",arches: ["armhf"]], - [image: "docker.io/library/ubuntu:bionic", arches: ["amd64", "aarch64", "armhf", "s390x"]], // Ubuntu 18.04 LTS (End of support: April, 2023. EOL: April, 2028) + [image: "docker.io/library/ubuntu:bionic", arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 18.04 LTS (End of support: April, 2023. EOL: April, 2028) [image: "docker.io/library/ubuntu:focal", arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 20.04 LTS (End of support: April, 2025. EOL: April, 2030) [image: "docker.io/library/ubuntu:hirsute", arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 21.04 (EOL: January, 2022) [image: "docker.io/library/ubuntu:impish", arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 21.10 (EOL: July, 2022) From c6e965fc1a02a3504f7fb9e82a9d687916271dbc Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Wed, 21 Jul 2021 12:08:30 +0200 Subject: [PATCH 32/44] Update cpuguy83/go-md2man to v2.0.1 full diff: https://github.com/cpuguy83/go-md2man/compare/v2.0.0...v2.0.1 - Fix handling multiple definition descriptions - Fix inline markup causing table cells to split - Remove escaping tilde character (prevents tildes (`~`) from disappearing). - Do not escape dash, underscore, and ampersand (prevents ampersands (`&`) from disappearing). - Ignore unknown HTML tags to prevent noisy warnings With this, generating manpages becomes a lot less noisy; no more of these: WARNING: go-md2man does not handle node type HTMLSpan WARNING: go-md2man does not handle node type HTMLSpan WARNING: go-md2man does not handle node type HTMLSpan Signed-off-by: Sebastiaan van Stijn --- dockerfiles/deb.dockerfile | 2 +- dockerfiles/rpm.dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/dockerfiles/deb.dockerfile b/dockerfiles/deb.dockerfile index 71984a53..9fcd7dbc 100644 --- a/dockerfiles/deb.dockerfile +++ b/dockerfiles/deb.dockerfile @@ -25,7 +25,7 @@ FROM ${GOLANG_IMAGE} AS golang FROM golang AS go-md2man ARG GOPROXY=direct ARG GO111MODULE=on -ARG MD2MAN_VERSION=v2.0.0 +ARG MD2MAN_VERSION=v2.0.1 RUN go get github.com/cpuguy83/go-md2man/v2/@${MD2MAN_VERSION} FROM ${BUILD_IMAGE} AS distro-image diff --git a/dockerfiles/rpm.dockerfile b/dockerfiles/rpm.dockerfile index f6a030cc..9999a60d 100644 --- a/dockerfiles/rpm.dockerfile +++ b/dockerfiles/rpm.dockerfile @@ -26,7 +26,7 @@ FROM ${GOLANG_IMAGE} AS golang FROM golang AS go-md2man ARG GOPROXY=direct ARG GO111MODULE=on -ARG MD2MAN_VERSION=v2.0.0 +ARG MD2MAN_VERSION=v2.0.1 RUN go get github.com/cpuguy83/go-md2man/v2/@${MD2MAN_VERSION} FROM ${BUILD_IMAGE} AS redhat-base From 80ef081058220a64afb9546ddf6e7109abc9893c Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Mon, 22 Nov 2021 15:01:10 +0100 Subject: [PATCH 33/44] Jenkinsfile: remove Fedora 33 as it's EOL Signed-off-by: Sebastiaan van Stijn --- Jenkinsfile | 1 - 1 file changed, 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index bbcca159..ca631059 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
@@ -11,7 +11,6 @@ def images = [ [image: "docker.io/library/centos:8", arches: ["amd64", "aarch64"]], [image: "docker.io/library/debian:buster", arches: ["amd64", "aarch64", "armhf"]], // Debian 10 (EOL: 2024) [image: "docker.io/library/debian:bullseye", arches: ["amd64", "aarch64", "armhf"]], // Debian 11 (Next stable) - [image: "docker.io/library/fedora:33", arches: ["amd64", "aarch64"]], // EOL: November 23, 2021 [image: "docker.io/library/fedora:34", arches: ["amd64", "aarch64"]], // EOL: May 17, 2022 [image: "docker.io/library/fedora:35", arches: ["amd64", "aarch64"]], // EOL: November 30, 2022 [image: "docker.io/library/fedora:rawhide", arches: ["amd64"]], // Rawhide is the name given to the current development version of Fedora From 8cbaf7302a6379ca13bacc9c25fd629ca3bdcf29 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Tue, 8 Feb 2022 14:51:44 +0100 Subject: [PATCH 34/44] Makefile: add target for quay.io images MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This allows building packages using base-images from quay.io, for example to build for CentOS 8 stream (which is not (yet) on Docker Hub); make quay.io/centos/centos:stream8 tree build build └── centos └── 8 └── x86_64 ├── containerd.io-0.20220208.013149~6a628b6-0.el8.src.rpm └── containerd.io-0.20220208.013149~6a628b6-0.el8.x86_64.rpm 3 directories, 2 files Signed-off-by: Sebastiaan van Stijn --- Makefile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index ac4277c1..bdfc064d 100644 --- a/Makefile +++ b/Makefile 
@@ -63,10 +63,11 @@ endif # This targets allows building multiple distros at once, for example: # # make docker.io/library/ubuntu:bionic docker.io/library/centos:7 +# make quay.io/centos/centos:stream8 # # It is a shorthand for "make BUILD_IMAGE=mydistro:version build" -.PHONY: docker.io/% -docker.io/%: +.PHONY: docker.io/% quay.io/% +docker.io/% quay.io/%: $(MAKE) BUILD_IMAGE="$@" build .PHONY: checkout From 8150e28859e2a850d3dc106fa101a5b79a20a769 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Tue, 8 Feb 2022 14:58:51 +0100 Subject: [PATCH 35/44] Jenkinsfile: switch CentOS 8 to "stream" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CentOS 8 reached EOL in December, and the package repositories are no longer available (at least, not all repositories, some are available as archive). This switches the centos 8 builds to build packages using the quay.io/centos/centos:stream8 image (which is not (yet) on Docker Hub); make quay.io/centos/centos:stream8 tree build build └── centos └── 8 └── x86_64 ├── containerd.io-0.20220208.013149~6a628b6-0.el8.src.rpm └── containerd.io-0.20220208.013149~6a628b6-0.el8.x86_64.rpm 3 directories, 2 files Signed-off-by: Sebastiaan van Stijn --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index ca631059..b4f0b99f 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
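Review bot: Nothing in the new `docker.io/% quay.io/%` rule or the comment above it says that the base image is taken by mutable tag. The recipe `$(MAKE) BUILD_IMAGE="$@" build` forwards whatever was named on the command line, so the packages are built in whatever image that tag resolves to at build time, now from a second registry. The Jenkinsfile change later in this series (PATCH 35/44) starts using `quay.io/centos/centos:stream8` for the CentOS 8 packages. I would record this in the comment block, for example `# NOTE: images are referenced by tag, not by digest; the build is only as trustworthy as that tag.` Whether `BUILD_IMAGE` accepts a `name@sha256:<digest>` reference depends on the scripts that parse it, which are outside this hunk, so no pinned example is proposed here.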
@@ -8,7 +8,7 @@ def images = [ [image: "docker.io/library/amazonlinux:2", arches: ["aarch64"]], [image: "docker.io/library/centos:7", arches: ["amd64", "aarch64"]], - [image: "docker.io/library/centos:8", arches: ["amd64", "aarch64"]], + [image: "quay.io/centos/centos:stream8", arches: ["amd64", "aarch64"]], [image: "docker.io/library/debian:buster", arches: ["amd64", "aarch64", "armhf"]], // Debian 10 (EOL: 2024) [image: "docker.io/library/debian:bullseye", arches: ["amd64", "aarch64", "armhf"]], // Debian 11 (Next stable) [image: "docker.io/library/fedora:34", arches: ["amd64", "aarch64"]], // EOL: May 17, 2022 From c868515cec97ffb0b3dd2f6dc80c262e8b53bbb2 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Mon, 20 Jul 2020 18:40:00 +0200 Subject: [PATCH 36/44] Jenkinsfile: use Ubuntu 20.04 nodes for building Signed-off-by: Sebastiaan van Stijn --- Jenkinsfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index b4f0b99f..581a67ca 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -25,7 +25,7 @@ def images = [ def generatePackageStep(opts, arch) { return { - wrappedNode(label: "linux&&${arch}") { + wrappedNode(label: "ubuntu-2004 && ${arch}") { stage("${opts.image}-${arch}") { try { sh 'docker version' @@ -74,7 +74,7 @@ pipeline { agent none stages { stage('Check file headers') { - agent { label 'linux&&amd64' } + agent { label 'ubuntu-2004 && amd64' } steps{ script{ checkout scm From 31448205d5638ebdd11b500e5951bcfcfb9ca80b Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Wed, 9 Feb 2022 10:27:02 +0100 Subject: [PATCH 37/44] Makefile: clean: also remove "archive" directory This directory is used when CREATE_ARCHIVE=1 is set, but wasn't cleaned up when runnning `make clean`. Signed-off-by: Sebastiaan van Stijn --- Makefile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index bdfc064d..6658ac59 100644 --- a/Makefile +++ b/Makefile 
@@ -27,10 +27,11 @@ all: build .PHONY: clean clean: - -$(RM) -r build/ - -$(RM) common/containerd.service + -$(RM) -r archive -$(RM) -r artifacts + -$(RM) -r build -$(RM) -r src + -$(RM) common/containerd.service -docker builder prune -f --filter until=24h .PHONY: src From b7a6c760bc4237f6810b9614efa5d7c9c4e7966a Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Wed, 9 Feb 2022 17:09:54 +0100 Subject: [PATCH 38/44] Makefile: remove unused GOARCH variable This variable was previously used to generate the `BUILDER_IMAGE` variable, but appears to be unused since commit 018f1b9384e881a8a6157207615a941c15fb15b3 Signed-off-by: Sebastiaan van Stijn --- common/common.mk | 1 - 1 file changed, 1 deletion(-) diff --git a/common/common.mk b/common/common.mk index addeccbc..d53b31d0 100644 --- a/common/common.mk +++ b/common/common.mk @@ -27,4 +27,3 @@ ifeq ($(OS),Windows_NT) else GOLANG_IMAGE=docker.io/library/golang:$(GOVERSION)-buster endif -GOARCH=$(shell docker run --rm $(GOLANG_IMAGE) go env GOARCH 2>/dev/null) From 824ff643966d7ff3f310c7e65f197e8d9cd2c8de Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Wed, 9 Feb 2022 17:48:19 +0100 Subject: [PATCH 39/44] Makefile: remove workaround for s390x GOLANG_IMAGE This workaround was added in d1225f65c3cde07915d9c8a116e096b043921d5a, and from the related PR; > This is a workaround for golang:1.12.x images where the manifest list is missing > s390x. With golang:1.13.x or newer this if block can ve removed again. Signed-off-by: Sebastiaan van Stijn --- common/common.mk | 5 ----- 1 file changed, 5 deletions(-) diff --git a/common/common.mk b/common/common.mk index d53b31d0..398820ac 100644 --- a/common/common.mk +++ b/common/common.mk 
@@ -22,8 +22,3 @@ REF?=HEAD GOVERSION?=$(shell grep "ARG GOLANG_VERSION" src/github.com/containerd/containerd/contrib/Dockerfile.test | awk -F'=' '{print $$2}') GOLANG_IMAGE=golang:$(GOVERSION) -ifeq ($(OS),Windows_NT) - GOLANG_IMAGE=docker.io/library/golang:$(GOVERSION) -else - GOLANG_IMAGE=docker.io/library/golang:$(GOVERSION)-buster -endif From bf26309de652dfa8d3e4c3f7f805097ea2095519 Mon Sep 17 00:00:00 2001 
From: Sebastiaan van Stijn Date: Tue, 15 Feb 2022 09:55:53 +0100 Subject: [PATCH 40/44] Makefile: allow GOVERSION to be passed, but being empty Some of our Jenkins jobs allow for GOVERSION to be set as parameter but unconditionally pass the variable when calling `make` from this repository. The intent of those parameters was to allow overriding the Go version when building packages, but because the parameter is passed unconditionally, this currently requires us to always set the Go version to build, and to make sure it's set to the correct version for containerd to build. Make (unfortunately) seems to make it nigh impossible to detect if a variable is either unset (not passed) or empty, while also accounting for the variable to be passed as `FOO= make ` and `make FOO= ` _and_ allowing the default value to be evaluated lazily (on "use"), which is needed in our case (to get the default version from containerd's repository, which requires the source code to be checked out first). Variations of the below all failed (as demonstrated below); ```makefile ifndef FOO FOO = $(shell echo "default1") else ifeq ($(strip $(FOO)),) FOO = $(shell echo "default2") endif .PHONY: test test: @echo foo is "$(FOO)" from $(origin FOO) ``` ```bash $ make test foo is default1 from file $ FOO= make test foo is default1 from file $ make FOO= test foo is from command line ``` To work around this, we're introducing separate variables for the `GOVERSION` (to be used to override the default) and `GOLANG_VERSION`, which is the (lazily evaluated) variable used to construct the golang image reference to use. Signed-off-by: Sebastiaan van Stijn --- common/common.mk | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/common/common.mk b/common/common.mk index 398820ac..3d490c12 100644 --- a/common/common.mk +++ b/common/common.mk 
@@ -19,6 +19,16 @@ RUNC_REMOTE ?=https://github.com/opencontainers/runc.git REF?=HEAD # Select the default version of Golang and runc based on the containerd source. -GOVERSION?=$(shell grep "ARG GOLANG_VERSION" src/github.com/containerd/containerd/contrib/Dockerfile.test | awk -F'=' '{print $$2}') +GOLANG_VERSION?=$(shell grep "ARG GOLANG_VERSION" src/github.com/containerd/containerd/contrib/Dockerfile.test | awk -F'=' '{print $$2}') -GOLANG_IMAGE=golang:$(GOVERSION) +# Allow GOLANG_VERSION to be overridden through GOVERSION. +# +# We're using a separate variable for this to account for make being called as +# either `GOVERSION=x make foo` or `make GOVERSION=x foo`, while also accounting +# for `GOVERSION` to be an empty string (which may happen when triggered by some +# Jenkins jobs in our pipeline). +ifneq ($(strip $(GOVERSION)),) + GOLANG_VERSION=$(GOVERSION) +endif + +GOLANG_IMAGE=golang:$(GOLANG_VERSION) From eba9abbf662a39683f69a8946f29dfcf8d741885 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Fri, 4 Mar 2022 10:13:16 +0100 Subject: [PATCH 41/44] prepare release v1.4.13 - Update containerd to v1.4.13 to address CVE-2022-23648 - Update runc to v1.0.3 - Update Golang runtime to 1.16.15 Signed-off-by: Sebastiaan van Stijn --- debian/changelog | 8 ++++++++ rpm/containerd.spec | 5 +++++ 2 files changed, 13 insertions(+) diff --git a/debian/changelog b/debian/changelog index ccbbc9ac..85f105ab 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +containerd.io (1.4.13-1) release; urgency=high + + * Update containerd to v1.4.13 to address CVE-2022-23648 + * Update runc to v1.0.3 + * Update Golang runtime to 1.16.15 + + -- Sebastiaan van Stijn Thu, 03 Mar 2022 21:09:12 +0000 + containerd.io (1.4.12-1) release; urgency=high * Update containerd to v1.4.12 to address CVE-2021-41190 diff --git a/rpm/containerd.spec b/rpm/containerd.spec index 4bcb9c37..d061a526 100644 --- a/rpm/containerd.spec +++ b/rpm/containerd.spec 
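Review bot: The added `GOLANG_IMAGE=golang:$(GOLANG_VERSION)` builds the toolchain image reference from an unqualified repository name and an unchecked version string, and the new comment says `GOVERSION` can arrive from Jenkins job parameters. Every image in the Jenkinsfile on this page is written with its registry (`docker.io/library/…`), so I would do the same here, `GOLANG_IMAGE=docker.io/library/golang:$(GOLANG_VERSION)`, which keeps the pull from depending on the build host's default-registry configuration. If both `GOVERSION` and the grep over `Dockerfile.test` come back empty, the reference ends in a bare `golang:`, which presumably only fails later inside docker; a comment stating that the value is expected to look like `1.16.15` would help whoever debugs that. The assignment is lazily evaluated, as the commit message explains, so any validation would have to run at use time rather than at parse time.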
@@ -161,6 +161,11 @@ done %changelog +* Thu Mar 03 2022 Sebastiaan van Stijn - 1.4.13-3.1 +- Update containerd to v1.4.13 to address CVE-2022-23648 +- Update runc to v1.0.3 +- Update Golang runtime to 1.16.15 + * Wed Nov 17 2021 Sebastiaan van Stijn - 1.4.12-3.1 - Update containerd to v1.4.12 to address CVE-2021-41190 - Update Golang runtime to 1.16.10 From 655193435b87b50b8b80d81c9a4f550e0f9f3870 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Fri, 4 Mar 2022 10:30:39 +0100 Subject: [PATCH 42/44] update years in license headers Signed-off-by: Sebastiaan van Stijn --- Makefile | 2 +- Makefile.win | 2 +- NOTICE | 2 +- common/common.mk | 2 +- common/containerd.toml | 2 +- debian/rules | 2 +- dockerfiles/deb.dockerfile | 2 +- dockerfiles/rpm.dockerfile | 2 +- dockerfiles/win.dockerfile | 2 +- scripts/build-deb | 2 +- scripts/build-rpm | 2 +- scripts/checkout.sh | 2 +- scripts/deb-or-rpm | 2 +- scripts/determine-base | 2 +- scripts/determine-runc-version | 2 +- scripts/new-deb-release | 2 +- scripts/new-rpm-release | 2 +- scripts/validate/template/bash.txt | 2 +- scripts/validate/template/dockerfile.txt | 2 +- scripts/validate/template/makefile.txt | 2 +- 20 files changed, 20 insertions(+), 20 deletions(-) diff --git a/Makefile b/Makefile index bdfc064d..f3e94d55 100644 --- a/Makefile +++ b/Makefile @@ -1,4 +1,4 @@ -# Copyright 2018-2020 Docker Inc. +# Copyright 2018-2022 Docker Inc. # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/Makefile.win b/Makefile.win index 9cb4cccf..fca03739 100644 --- a/Makefile.win +++ b/Makefile.win @@ -1,4 +1,4 @@ -# Copyright 2018-2020 Docker Inc. +# Copyright 2018-2022 Docker Inc. # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/NOTICE b/NOTICE index 52a93acb..2943451e 100644 --- a/NOTICE +++ b/NOTICE 
@@ -1,5 +1,5 @@ Docker containerd-packaging -Copyright 2018-2020 Docker Inc. +Copyright 2018-2022 Docker Inc. This product includes software developed at Docker Inc. (http://www.docker.com/). diff --git a/common/common.mk b/common/common.mk index 3d490c12..09aff004 100644 --- a/common/common.mk +++ b/common/common.mk @@ -1,4 +1,4 @@ -# Copyright 2018-2020 Docker Inc. +# Copyright 2018-2022 Docker Inc. # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/common/containerd.toml b/common/containerd.toml index ccbbd5b4..94003c7e 100644 --- a/common/containerd.toml +++ b/common/containerd.toml @@ -1,4 +1,4 @@ -# Copyright 2018-2020 Docker Inc. +# Copyright 2018-2022 Docker Inc. # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/debian/rules b/debian/rules index c9e9787a..f7522428 100755 --- a/debian/rules +++ b/debian/rules @@ -1,6 +1,6 @@ #!/usr/bin/make -f -# Copyright 2018-2020 Docker Inc. +# Copyright 2018-2022 Docker Inc. # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/dockerfiles/deb.dockerfile b/dockerfiles/deb.dockerfile index 9fcd7dbc..8facb78e 100644 --- a/dockerfiles/deb.dockerfile +++ b/dockerfiles/deb.dockerfile @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:experimental -# Copyright 2018-2020 Docker Inc. +# Copyright 2018-2022 Docker Inc. # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/dockerfiles/rpm.dockerfile b/dockerfiles/rpm.dockerfile index 9999a60d..8d469770 100644 --- a/dockerfiles/rpm.dockerfile +++ b/dockerfiles/rpm.dockerfile 
@@ -1,7 +1,7 @@ # syntax=docker/dockerfile:experimental -# Copyright 2018-2020 Docker Inc. +# Copyright 2018-2022 Docker Inc. # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/dockerfiles/win.dockerfile b/dockerfiles/win.dockerfile index 0a9b5b44..d997e6d4 100644 --- a/dockerfiles/win.dockerfile +++ b/dockerfiles/win.dockerfile @@ -1,4 +1,4 @@ -# Copyright 2018-2020 Docker Inc. +# Copyright 2018-2022 Docker Inc. # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/scripts/build-deb b/scripts/build-deb index 1cb3cc11..5a434629 100755 --- a/scripts/build-deb +++ b/scripts/build-deb @@ -1,6 +1,6 @@ #!/usr/bin/env sh -# Copyright 2018-2020 Docker Inc. +# Copyright 2018-2022 Docker Inc. # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/scripts/build-rpm b/scripts/build-rpm index e2899ffa..8ace13e1 100755 --- a/scripts/build-rpm +++ b/scripts/build-rpm @@ -1,6 +1,6 @@ #!/usr/bin/env sh -# Copyright 2018-2020 Docker Inc. +# Copyright 2018-2022 Docker Inc. # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/scripts/checkout.sh b/scripts/checkout.sh index 6bc18479..e53a9e4b 100755 --- a/scripts/checkout.sh +++ b/scripts/checkout.sh @@ -1,6 +1,6 @@ #!/usr/bin/env sh -# Copyright 2018-2020 Docker Inc. +# Copyright 2018-2022 Docker Inc. # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/scripts/deb-or-rpm b/scripts/deb-or-rpm index 8eadf299..d44a9d8b 100755 --- a/scripts/deb-or-rpm +++ b/scripts/deb-or-rpm 
@@ -1,6 +1,6 @@ #!/usr/bin/env sh -# Copyright 2018-2020 Docker Inc. +# Copyright 2018-2022 Docker Inc. # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/scripts/determine-base b/scripts/determine-base index 8e743c00..460ae303 100755 --- a/scripts/determine-base +++ b/scripts/determine-base @@ -1,6 +1,6 @@ #!/usr/bin/env sh -# Copyright 2018-2020 Docker Inc. +# Copyright 2018-2022 Docker Inc. # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/scripts/determine-runc-version b/scripts/determine-runc-version index 9c18efd6..2e62ac9e 100755 --- a/scripts/determine-runc-version +++ b/scripts/determine-runc-version @@ -1,6 +1,6 @@ #!/usr/bin/env sh -# Copyright 2018-2020 Docker Inc. +# Copyright 2018-2022 Docker Inc. # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/scripts/new-deb-release b/scripts/new-deb-release index 15e41312..7ffcb7d0 100755 --- a/scripts/new-deb-release +++ b/scripts/new-deb-release @@ -1,6 +1,6 @@ #!/usr/bin/env sh -# Copyright 2018-2020 Docker Inc. +# Copyright 2018-2022 Docker Inc. # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/scripts/new-rpm-release b/scripts/new-rpm-release index 3ecb04e7..edc9b598 100755 --- a/scripts/new-rpm-release +++ b/scripts/new-rpm-release @@ -1,6 +1,6 @@ #!/usr/bin/env sh -# Copyright 2018-2020 Docker Inc. +# Copyright 2018-2022 Docker Inc. # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/scripts/validate/template/bash.txt b/scripts/validate/template/bash.txt index 098531f1..08227300 100644 --- a/scripts/validate/template/bash.txt 
+++ b/scripts/validate/template/bash.txt @@ -1,4 +1,4 @@ -# Copyright 2018-2020 Docker Inc. +# Copyright 2018-2022 Docker Inc. # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/scripts/validate/template/dockerfile.txt b/scripts/validate/template/dockerfile.txt index 098531f1..08227300 100644 --- a/scripts/validate/template/dockerfile.txt +++ b/scripts/validate/template/dockerfile.txt @@ -1,4 +1,4 @@ -# Copyright 2018-2020 Docker Inc. +# Copyright 2018-2022 Docker Inc. # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/scripts/validate/template/makefile.txt b/scripts/validate/template/makefile.txt index 098531f1..08227300 100644 --- a/scripts/validate/template/makefile.txt +++ b/scripts/validate/template/makefile.txt @@ -1,4 +1,4 @@ -# Copyright 2018-2020 Docker Inc. +# Copyright 2018-2022 Docker Inc. # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. From 5958e7b884839c9a929b63fd300dd483e6c56af1 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Fri, 4 Mar 2022 18:51:13 +0100 Subject: [PATCH 43/44] prepare release v1.5.10 - Update containerd to v1.5.10 Signed-off-by: Sebastiaan van Stijn --- debian/changelog | 10 ++++++++-- rpm/containerd.spec | 3 +++ 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/debian/changelog b/debian/changelog index 85f105ab..e445f056 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,17 +1,23 @@ +containerd.io (1.5.10-1) release; urgency=medium + + * Update containerd to v1.5.10 + + -- Sebastiaan van Stijn Fri, 04 Mar 2022 17:47:48 +0000 + containerd.io (1.4.13-1) release; urgency=high * Update containerd to v1.4.13 to address CVE-2022-23648 * Update runc to v1.0.3 * Update Golang runtime to 1.16.15 - -- Sebastiaan van Stijn Thu, 03 Mar 2022 21:09:12 +0000 + -- Sebastiaan van Stijn Thu, 03 Mar 2022 21:09:12 +0000 containerd.io (1.4.12-1) release; urgency=high * Update containerd to v1.4.12 to address CVE-2021-41190 * Update Golang runtime to 1.16.10 - -- Sebastiaan van Stijn Wed, 17 Nov 2021 18:48:28 +0000 + -- Sebastiaan van Stijn Wed, 17 Nov 2021 18:48:28 +0000 containerd.io (1.4.11-1) release; urgency=high diff --git a/rpm/containerd.spec b/rpm/containerd.spec index d061a526..749e7270 100644 --- a/rpm/containerd.spec +++ b/rpm/containerd.spec @@ -161,6 +161,9 @@ done %changelog +* Fri Mar 04 2022 Sebastiaan van Stijn - 1.5.10-3.1 +- Update containerd to v1.5.10 + * Thu Mar 03 2022 Sebastiaan van Stijn - 1.4.13-3.1 - Update containerd to v1.4.13 to address CVE-2022-23648 - Update runc to v1.0.3 From d552d0aa7140a4b099a2930d029392dbe6713c6f Mon Sep 17 00:00:00 2001 From: Romain Geissler Date: Tue, 8 Mar 2022 16:12:01 +0000 Subject: [PATCH 44/44] Add Ubuntu 22.04. Signed-off-by: Romain Geissler --- Jenkinsfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Jenkinsfile b/Jenkinsfile index 581a67ca..7fdb6c72 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
@@ -21,6 +21,7 @@ def images = [ [image: "docker.io/library/ubuntu:focal", arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 20.04 LTS (End of support: April, 2025. EOL: April, 2030) [image: "docker.io/library/ubuntu:hirsute", arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 21.04 (EOL: January, 2022) [image: "docker.io/library/ubuntu:impish", arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 21.10 (EOL: July, 2022) + [image: "docker.io/library/ubuntu:jammy", arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 22.04 LTS (End of support: April, 2027. EOL: April, 2032) ] def generatePackageStep(opts, arch) {