This document details the versioning and release plan for containerd. Stability
is a top goal for this project, and we hope that this document and the processes
it entails will help to achieve that. It covers the release process, versioning
numbering, backporting, API stability and support horizons.
If you rely on containerd, it would be good to spend time understanding the
areas of the API that are and are not supported and how they impact your
project in the future.
This document will be considered a living document. Supported timelines,
backport targets and API stability guarantees will be updated here as they
change.
If there is something that you require or this document leaves out, please
reach out by filing an issue.
Releases
Releases of containerd will be versioned using dotted triples, similar to
Semantic Version. For the purposes of this document, we
will refer to the respective components of this triple as
<major>.<minor>.<patch>. The version number may have additional information,
such as alpha, beta and release candidate qualifications. Such releases will be
considered "pre-releases".
Major and Minor Releases
Major and minor releases of containerd will be made from main. Releases of
containerd will be marked with GPG signed tags and announced at
https://github.com/containerd/containerd/releases. The tag will be of the
format v<major>.<minor>.<patch> and should be made with the command git tag -s v<major>.<minor>.<patch>.
After a minor release, a branch will be created, with the format
release/<major>.<minor> from the minor tag. All further patch releases will
be done from that branch. For example, once we release v1.0.0, a branch
release/1.0 will be created from that tag. All future patch releases will be
done against that branch.
Pre-releases
Pre-releases, such as alphas, betas and release candidates will be conducted
from their source branch. For major and minor releases, these releases will be
done from main. For patch releases, these pre-releases should be done within
the corresponding release branch.
While pre-releases are done to assist in the stabilization process, no
guarantees are provided.
... (truncated)
Commits
64b8a81 Merge pull request #9491 from dmcgowan/prepare-1.7.11
ea5a477 Merge pull request #9352 from thaJeztah/1.7_update_golang_1.20.11
67d356c Merge pull request from GHSA-7ww5-4wqc-m92c
For more information about the security issues addressed in this release, and the unaddressed vulnerabilities in BuildKit, refer to the
blog post. For details about each vulnerability, see the relevant security advisory:
runc 1.1.12 -- "Now you're thinking with Portals™!"
This is the twelfth patch release in the 1.1.z release branch of runc.
It fixes a high-severity container breakout vulnerability involving
leaked file descriptors, and users are strongly encouraged to update as
soon as possible.
Fix CVE-2024-21626, a container breakout attack that took advantage of
a file descriptor that was leaked internally within runc (but never
leaked to the container process).
In addition to fixing the leak, several strict hardening measures were
added to ensure that future internal leaks could not be used to break
out in this manner again.
Based on our research, while no other container runtime had a similar
leak, none had any of the hardening steps we've introduced (and some
runtimes would not check for any file descriptors that a calling
process may have leaked to them, allowing for container breakouts due
to basic user error).
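As an illustration of the "mark all non-stdio fds O_CLOEXEC before spawning init" hardening named in the runc commit list further down, here is an added example that is not runc's own code: it walks /proc/self/fd (assumes Linux) and sets FD_CLOEXEC on every descriptor above stderr, so a descriptor a careless caller leaked into the process cannot survive the execve into the container's init. The function names and the /dev/null demo descriptor are constructed for this example.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"syscall"
)

// MarkNonStdioCloseOnExec walks /proc/self/fd (assumes Linux) and sets
// FD_CLOEXEC on every descriptor above stderr, so nothing leaked into this
// process can survive an execve. It returns the descriptors it marked.
func MarkNonStdioCloseOnExec() ([]int, error) {
	entries, err := os.ReadDir("/proc/self/fd")
	if err != nil {
		return nil, fmt.Errorf("listing fds: %w", err)
	}
	var marked []int
	for _, e := range entries {
		fd, err := strconv.Atoi(e.Name())
		if err != nil || fd <= 2 {
			continue // stdin/stdout/stderr are meant to be inherited
		}
		syscall.CloseOnExec(fd) // fcntl(fd, F_SETFD, FD_CLOEXEC)
		marked = append(marked, fd)
	}
	return marked, nil
}

// HasCloseOnExec reports whether FD_CLOEXEC is currently set on fd.
func HasCloseOnExec(fd int) (bool, error) {
	flags, _, errno := syscall.Syscall(syscall.SYS_FCNTL, uintptr(fd), syscall.F_GETFD, 0)
	if errno != 0 {
		return false, errno
	}
	return flags&syscall.FD_CLOEXEC != 0, nil
}

func main() {
	// Constructed demo: open a descriptor without O_CLOEXEC, as a careless
	// caller might, then sweep and show that it is now close-on-exec.
	fd, _ := syscall.Open("/dev/null", syscall.O_RDONLY, 0)
	before, _ := HasCloseOnExec(fd)
	marked, err := MarkNonStdioCloseOnExec()
	after, _ := HasCloseOnExec(fd)
	fmt.Println("swept:", len(marked), "err:", err, "cloexec before/after:", before, after)
}
```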
Static Linking Notices
The runc binary distributed with this release is statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":
The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.
However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.
Thanks to all of the contributors who made this release possible:
Support memory.peak and memory.swap.peak in cgroups v2.
Add swapOnlyUsage in MemoryStats. This field reports swap-only usage.
For cgroupv1, Usage and Failcnt are set by subtracting memory usage
from memory+swap usage. For cgroupv2, Usage, Limit, and MaxUsage
are set. (#4000, #4010, #4131)
Updates google.golang.org/protobuf from 1.30.0 to 1.31.0
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/initializ-buildpacks/git/network/alerts).
Bumps the go_modules group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| github.com/containerd/containerd | 1.7.7 | 1.7.11 |
| github.com/docker/docker | 24.0.7+incompatible | 24.0.9+incompatible |
| github.com/opencontainers/runc | 1.1.5 | 1.1.12 |
| golang.org/x/net | 0.17.0 | 0.23.0 |
| google.golang.org/protobuf | 1.30.0 | 1.31.0 |
Updates github.com/containerd/containerd from 1.7.7 to 1.7.11
Release notes
Sourced from github.com/containerd/containerd's releases.
... (truncated)
Changelog
Sourced from github.com/containerd/containerd's changelog.
... (truncated)
Commits
64b8a81 Merge pull request #9491 from dmcgowan/prepare-1.7.11
ea5a477 Merge pull request #9352 from thaJeztah/1.7_update_golang_1.20.11
67d356c Merge pull request from GHSA-7ww5-4wqc-m92c
dfae68b Prepare release notes for v1.7.11
de6d8a8 Merge pull request #9482 from ambarve/sn_cleanup_1.7
ed7c689 Don't block snapshot garbage collection on Remove failures
467de56 Merge pull request #9481 from ruiwen-zhao/cri-u
d94f8ff Merge pull request #9483 from dmcgowan/backport-1.7-fix-otel-http
1fdefdd Add warning for CRIU config usage
8e06899 Merge pull request #9479 from ruiwen-zhao/cri-api-warning
Updates github.com/docker/docker from 24.0.7+incompatible to 24.0.9+incompatible
Release notes
Sourced from github.com/docker/docker's releases.
... (truncated)
Commits
fca702d Merge pull request from GHSA-xw73-rw38-6vjc
f78a772 Merge pull request #47281 from thaJeztah/24.0_backport_bump_containerd_binary...
61afffe Merge pull request #47270 from thaJeztah/24.0_backport_bump_runc_binary_1.1.12
b38e74c Merge pull request #47276 from thaJeztah/24.0_backport_bump_runc_1.1.12
dac5663 update containerd binary to v1.7.13
20e1af3 vendor: github.com/opencontainers/runc v1.1.12
858919d update runc binary to v1.1.12
141ad39 Merge pull request #47266 from vvoland/ci-fix-makeps1-templatefail-24
db968c6 hack/make.ps1: Fix go list pattern
61c51fb Merge pull request #47221 from vvoland/pkg-pools-close-noop-24
Updates github.com/opencontainers/runc from 1.1.5 to 1.1.12
Release notes
Sourced from github.com/opencontainers/runc's releases.
... (truncated)
Changelog
Sourced from github.com/opencontainers/runc's changelog.
... (truncated)
Commits
51d5e94 VERSION: release 1.1.12
2a4ed3e merge 1.1-ghsa-xr7r-f8xq-vfvv into release-1.1
e9665f4 init: don't special-case logrus fds
683ad2f libcontainer: mark all non-stdio fds O_CLOEXEC before spawning init
b6633f4 cgroup: plug leaks of /sys/fs/cgroup handle
284ba30 init: close internal fds before execve
fbe3eed setns init: do explicit lookup of execve argument early
0994249 init: verify after chdir that cwd is inside the container
506552a Fix File to Close
099ff69 merge #4177 into opencontainers/runc:release-1.1
Updates golang.org/x/net from 0.17.0 to 0.23.0
Commits
c48da13 http2: fix TestServerContinuationFlood flakes
762b58d http2: fix tipos in comment
ba87210 http2: close connections when receiving too many headers
ebc8168 all: fix some typos
3678185 http2: make TestCanonicalHeaderCacheGrowth faster
448c44f http2: remove clientTester
c7877ac http2: convert the remaining clientTester tests to testClientConn
d8870b0 http2: use synthetic time in TestIdleConnTimeout
d73acff http2: only set up deadline when Server.IdleTimeout is positive
89f602b http2: validate client/outgoing trailers
Updates google.golang.org/protobuf
from 1.30.0 to 1.31.0