[pull] main from containerd:main#56
Open
pull[bot] wants to merge 5921 commits into
Document shim bootstrap behavior
…Windows. Signed-off-by: Apurv Barve <apurvbarve@microsoft.com>
…dows fix(windows): verify pipe readiness before returning shim address
Signed-off-by: HirazawaUi <695097494plus@gmail.com>
Uses the definition of valid grammar for this field from the OCI image annotations spec: https://github.com/opencontainers/image-spec/blob/e72ae99d5fc74e7f7f8e320a44f76968da86a545/annotations.md#pre-defined-annotation-keys On this commit the test will fail per the bug #10681 `manifest annotation org.opencontainers.image.ref.name ="@sha256:7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c" does not match required grammar` Signed-off-by: Laura Lorenz <lauralorenz@google.com>
Make utils.sh nounset-safe by never expanding unset CGROUP_DRIVER on Windows
Bump cri-api to v0.36.0-rc.0
Avoid using logrus concepts in the API, use slog style log levels with integer values and 0 meaning the default "info" level. Signed-off-by: Derek McGowan <derek@mcg.dev>
Update bootstrap API log level definition
Signed-off-by: Derek McGowan <derek@mcg.dev>
Signed-off-by: Derek McGowan <derek@mcg.dev>
Prepare v2.3.0 beta.1 release
… with .exe suffix Signed-off-by: Apurv Barve <apurvbarve@microsoft.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: apurv15 <69455689+apurv15@users.noreply.github.com>
Includes: "WCOW: restore support for client-mounted roots", which fixes a nil dereference in createWindowsContainerDocument when starting container with process isolation. full diff: microsoft/hcsshim@v0.14.0-rc.1...v0.15.0-rc.1 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
…ocker/login-action-4.1.0 build(deps): bump docker/login-action from 4.0.0 to 4.1.0
For Exec format error on Windows, compile cri-integration.test binary with .exe suffix
update runhcs to v0.15.0-rc.1
core/remotes/docker: use SystemCertPool on Windows
Although EROFS has native compression support (and each filesystem can contain multiple compression algorithms), in many cases, people only consider using zstd compression when transporting on the wire in order to reduce the pulling time but maintain the optimal runtime performance. Only `+zstd` is considered: it has skippable frames which will be used for the seekable EROFS implementation in future containerd versions. Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
erofs-differ: support zstd-wrapped EROFS layers
…pperdir
If fsmerge is enabled and no write is needed, it can return an overlay
mount with a single lowerdir, which is illegal for overlayfs.
For example, it can cause the following Nerdctl error:
I'm not sure why ctr works, but the issue is real.
```bash
$ nerdctl run --runtime io.containerd.kata.v2 --snapshotter=erofs -it --rm nginx:latest /bin/bash
FATA[0000] failed to mount {Type:overlay Source:overlay Target: Options:[lowerdir=/run/containerd/
io.containerd.mount-manager.v1.bolt/t/7/1]} on "/tmp/initialC2039543827": mount source: "overlay",
target: "/tmp/initialC2039543827", fstype: overlay, flags: 0, data: "lowerdir=/run/containerd/io.
containerd.mount-manager.v1.bolt/t/7/1", err: invalid argument
```
Switch to using a bind mount instead.
Fixes: 9a7500a ("Add support for EROFS fsmerge feature")
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Signed-off-by: Samuel Karp <samuelkarp@google.com>
update github.com/moby/spdystream v0.5.1
Bumps [softprops/action-gh-release](https://github.com/softprops/action-gh-release) from 2.6.1 to 3.0.0. - [Release notes](https://github.com/softprops/action-gh-release/releases) - [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md) - [Commits](softprops/action-gh-release@153bb8e...b430933) --- updated-dependencies: - dependency-name: softprops/action-gh-release dependency-version: 3.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/github-script](https://github.com/actions/github-script) from 8.0.0 to 9.0.0. - [Release notes](https://github.com/actions/github-script/releases) - [Commits](actions/github-script@ed59741...3a2844b) --- updated-dependencies: - dependency-name: actions/github-script dependency-version: 9.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/cache](https://github.com/actions/cache) from 5.0.4 to 5.0.5. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@6682284...27d5ce7) --- updated-dependencies: - dependency-name: actions/cache dependency-version: 5.0.5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps the golang-x group with 2 updates: [golang.org/x/mod](https://github.com/golang/mod) and [golang.org/x/sys](https://github.com/golang/sys). Updates `golang.org/x/mod` from 0.34.0 to 0.35.0 - [Commits](golang/mod@v0.34.0...v0.35.0) Updates `golang.org/x/sys` from 0.42.0 to 0.43.0 - [Commits](golang/sys@v0.42.0...v0.43.0) --- updated-dependencies: - dependency-name: golang.org/x/mod dependency-version: 0.35.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x - dependency-name: golang.org/x/sys dependency-version: 0.43.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 7.0.0 to 7.0.1. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@bbbca2d...043fb46) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-version: 7.0.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github.com/erofs/go-erofs](https://github.com/erofs/go-erofs) from 0.2.0 to 0.2.1. - [Release notes](https://github.com/erofs/go-erofs/releases) - [Commits](erofs/go-erofs@v0.2.0...v0.2.1) --- updated-dependencies: - dependency-name: github.com/erofs/go-erofs dependency-version: 0.2.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
…304265291e build(deps): bump the otel group across 1 directory with 8 updates
Between starting the sandbox and adding it to the sandbox store, there are opportunities for failures including in any NRI RunPodSandbox prehooks. This defer is added to that period so if they fail, this function will try to clean it up itself. If the sandbox is already added to the persistent store, it will not attempt to stop the sandbox as it can now be recognized by other components from the CRI store. ShutdownSandbox is used instead of StopSandbox as it both stops it and cleans up all its directories. Signed-off-by: lauralorenz <lauralorenz@google.com>
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Resurrect 2.1 branch for a short period
Update the Fuzzing workflow to upload crash artifacts found during the go_test_fuzz job. Currently, when `go test -fuzz` fails, the crash reproducers are generated but not preserved, making it difficult to diagnose and fix the issues discovered in CI. This change adds an upload-artifact step that captures all files in testdata/fuzz directories across the repository upon failure. Assisted-by: gemini-cli Signed-off-by: Samuel Karp <samuelkarp@google.com> Signed-off-by: lauralorenz <lauralorenz@google.com>
…nectShim integration: deflake TestFailFastWhenConnectShim
runc-shim: don't hold the service lock across runc create
Update the setup-go version in our private action yml to 1) be pinned by hash (with comment to version string) 2) remove cache disable that was fixed 3 years ago Signed-off-by: Phil Estes <estesp@amazon.com>
…-reset cri: reset pull progress timer on idle→active transition
The CRI progress reporter cancels an image pull if it sees no progress for 5 seconds. It tracks this through active HTTP requests. During remote fetches, the HTTP response reader is closed via a deferred call after `content.Copy` completes. Diagnosis: `content.Copy` handles both downloading the stream and committing the writer to the content store. Any delays during the database commit phase (e.g. from database locks, slow disk syncs, or concurrent pull deduplication blocks) keep the HTTP connection open. The progress reporter sees the request is still active (`activeReqs = 1`) but no new bytes are coming in, leading to a premature timeout cancellation. Reproduction: We reproduced this flakiness deterministically on a GCE VM under a simulated 2 Mbps ingress bandwidth limit using Linux traffic control ingress policing (`tc filter ... action police rate 2mbit`). Under this slowness, the download took longer than the progress timeout during the slow commit phase, triggering context cancellation and failing the `TestCRIImagePullTimeout/HoldingContentOpenWriterWithLocalPull` test. Solution: To fix this, we wrap the HTTP reader in a `closeOnEOFReader` or `closeOnEOFReadSeeker` before handing it to `content.Copy`. If the underlying connection reader implements `io.Seeker`, it is dynamically wrapped in `closeOnEOFReadSeeker` to forward `Seek` operations. This ensures that O(1) Range seeks are fully preserved during network resumes or retries. The wrappers automatically close the underlying network stream as soon as `Read()` returns `io.EOF` (when the download completes, before the database commit begins). This drops `activeReqs` to `0` early, freeing the socket and preventing progress timeouts during commits. A `sync.Once` ensures that subsequent deferred `Close()` calls do not double-decrement the reporter. How it was tested: Verified the fix on a GCE VM under a simulated 2 Mbps ingress bandwidth limit. Verified seeker safety via standalone logic audits and trace proofs. 
Assisted-by: Antigravity Signed-off-by: Samuel Karp <samuelkarp@google.com>
The TestCRIImagePullTimeout test case "NoDataTransferred" flaked under constrained networks because the test proxy mirror registry used a blocking ReadAtLeast call to forward bytes to containerd. This blocking wait (up to 4KB) meant the mirror registry server completely stopped forwarding data during network slowness, triggering containerd's aggressive 5-second progress timeout and canceling the pull before it could reach its 3MB circuit-breaker limit. This is resolved by changing the proxy's custom copy loop from io.ReadAtLeast(src, buf, len(buf)) to standard src.Read(buf). This streams network chunks to containerd immediately as they arrive, preventing false timeout cancellations while maintaining correct circuit-breaker byte tracking. Assisted-by: Antigravity Signed-off-by: Samuel Karp <samuelkarp@google.com>
Signed-off-by: Derek McGowan <derek@mcg.dev>
remotes: close fetch reader immediately on EOF
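The close-on-EOF behaviour described in the commit message above, as an added Go example that is not containerd's own code. `closeOnEOFReader` takes its name from the commit message; `trackedBody`, the plain `activeReqs` counter and `simulatePull` are hypothetical stand-ins, and the `closeOnEOFReadSeeker` variant is not shown.

```go
package main

import (
	"fmt"
	"io"
	"strings"
	"sync"
)

// trackedBody is a constructed response body; Close decrements the reporter's count.
type trackedBody struct {
	io.Reader
	activeReqs *int
}
func (b *trackedBody) Close() error { *b.activeReqs--; return nil }

// closeOnEOFReader closes the wrapped stream as soon as Read reports io.EOF.
type closeOnEOFReader struct {
	rc   io.ReadCloser
	once sync.Once
}
func (r *closeOnEOFReader) Read(p []byte) (n int, err error) {
	if n, err = r.rc.Read(p); err == io.EOF {
		r.Close() // download finished: release the connection before the commit
	}
	return n, err
}

func (r *closeOnEOFReader) Close() (err error) {
	r.once.Do(func() { err = r.rc.Close() }) // idempotent: a later Close is a no-op
	return err
}

// simulatePull reports activeReqs during the commit phase and after the final Close.
func simulatePull(wrap bool) (duringCommit, afterClose int) {
	activeReqs := 1 // one fetch in flight
	var rc io.ReadCloser = &trackedBody{Reader: strings.NewReader("constructed layer bytes"), activeReqs: &activeReqs}
	if wrap {
		rc = &closeOnEOFReader{rc: rc}
	}
	io.Copy(io.Discard, rc)   // read the body to io.EOF
	duringCommit = activeReqs // a slow content-store commit would run here
	rc.Close()                // stands in for the caller's deferred Close
	return duringCommit, activeReqs
}

func main() {
	fmt.Println(simulatePull(false))
	fmt.Println(simulatePull(true))
}
```

Without the wrapper the request still counts as active while the commit runs; with it the count is already zero, and the second `Close` does not push it negative.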
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
CI: update Fedora to 44
Add max size label for snapshots
…rpolation Use intermediate env variables for bash script runners in github workflows
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.36.0 to 4.36.2. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@7211b7c...8aad20d) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.36.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps the golang-x group with 3 updates: [golang.org/x/mod](https://github.com/golang/mod), [golang.org/x/sync](https://github.com/golang/sync) and [golang.org/x/sys](https://github.com/golang/sys). Updates `golang.org/x/mod` from 0.36.0 to 0.37.0 - [Commits](golang/mod@v0.36.0...v0.37.0) Updates `golang.org/x/sync` from 0.20.0 to 0.21.0 - [Commits](golang/sync@v0.20.0...v0.21.0) Updates `golang.org/x/sys` from 0.45.0 to 0.46.0 - [Commits](golang/sys@v0.45.0...v0.46.0) --- updated-dependencies: - dependency-name: golang.org/x/mod dependency-version: 0.37.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x - dependency-name: golang.org/x/sync dependency-version: 0.21.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x - dependency-name: golang.org/x/sys dependency-version: 0.46.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x ... Signed-off-by: dependabot[bot] <support@github.com>
Upload crash artifacts from go test -fuzz when failed
Add defer in event of mid-function failures in RunPodSandbox to avoid mount leaks
GHA runners occasionally experience I/O constraints during root-test test execution. While concurrent tests rapidly allocate loopback devices, background udev probing stalls. This quickly exhausts systemd-udevd's default worker pool ceiling (20 children max), stalling netlink uevent processing so device-mapper device nodes are never created for subsequent dm-verity test execution. Logging cgroups v2 pids.peak telemetry confirmed peak in-flight udev workers accumulate to 325 during test execution. Raising the children-max limit to 500 provides comfortable buffer room so udevd freely spawns worker processes without entering event lockup or causing test timeouts. Assisted-by: Antigravity Signed-off-by: Chris Henzie <chrishenzie@gmail.com>
Configure udevd children-max for root-test
…ithub/codeql-action-4.36.2 build(deps): bump github/codeql-action from 4.36.0 to 4.36.2
Update to current setup-go version
go1.26.4 includes security fixes to the crypto/x509, mime, and net/textproto packages, as well as bug fixes to the compiler, the runtime, the go fix command, and the crypto/fips140 package Signed-off-by: Akhil Mohan <akhilerm@gmail.com>
update go to 1.26.4
Allow the last host to retry on transient network errors to increase the likelihood of the operation succeeding and help reduce flaky tests. Signed-off-by: Derek McGowan <derek@mcg.dev>
resolver: retry on transient network errors
…g-x-b1834abdb7 build(deps): bump the golang-x group with 3 updates
See Commits and Changes for more details.
Created by
pull[bot]
Can you help keep this open source service alive? 💖 Please sponsor : )