This document details the versioning and release plan for containerd. Stability
is a top goal for this project, and we hope that this document and the processes
it entails will help to achieve that. It covers the release process, versioning
numbering, backporting, API stability and support horizons.
If you rely on containerd, it would be good to spend time understanding the
areas of the API that are and are not supported and how they impact your
project in the future.
This document will be considered a living document. Supported timelines,
backport targets and API stability guarantees will be updated here as they
change.
If there is something that you require or this document leaves out, please
reach out by filing an issue.
Releases
Releases of containerd will be versioned using dotted triples, similar to
Semantic Version. For the purposes of this document, we
will refer to the respective components of this triple as
<major>.<minor>.<patch>. The version number may have additional information,
such as alpha, beta and release candidate qualifications. Such releases will be
considered "pre-releases".
Major and Minor Releases
Major and minor releases of containerd will be made from main. Releases of
containerd will be marked with GPG signed tags and announced at
https://github.com/containerd/containerd/releases. The tag will be of the
format v<major>.<minor>.<patch> and should be made with the command git tag -s v<major>.<minor>.<patch>.
After a minor release, a branch will be created, with the format
release/<major>.<minor> from the minor tag. All further patch releases will
be done from that branch. For example, once we release v1.0.0, a branch
release/1.0 will be created from that tag. All future patch releases will be
done against that branch.
Pre-releases
Pre-releases, such as alphas, betas and release candidates will be conducted
from their source branch. For major and minor releases, these releases will be
done from main. For patch releases, these pre-releases should be done within
the corresponding release branch.
While pre-releases are done to assist in the stabilization process, no
guarantees are provided.
... (truncated)
Commits
64b8a81 Merge pull request #9491 from dmcgowan/prepare-1.7.11
ea5a477 Merge pull request #9352 from thaJeztah/1.7_update_golang_1.20.11
67d356c Merge pull request from GHSA-7ww5-4wqc-m92c
For more information about the security issues addressed in this release, and the unaddressed vulnerabilities in BuildKit, refer to the
blog post. For details about each vulnerability, see the relevant security advisory:
runc 1.1.12 -- "Now you're thinking with Portals™!"
This is the twelfth patch release in the 1.1.z release branch of runc.
It fixes a high-severity container breakout vulnerability involving
leaked file descriptors, and users are strongly encouraged to update as
soon as possible.
Fix CVE-2024-21626, a container breakout attack that took advantage of
a file descriptor that was leaked internally within runc (but never
leaked to the container process).
In addition to fixing the leak, several strict hardening measures were
added to ensure that future internal leaks could not be used to break
out in this manner again.
Based on our research, while no other container runtime had a similar
leak, none had any of the hardening steps we've introduced (and some
runtimes would not check for any file descriptors that a calling
process may have leaked to them, allowing for container breakouts due
to basic user error).
Static Linking Notices
The runc binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":
The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.
However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.
Thanks to all of the contributors who made this release possible:
Fix CVE-2024-21626, a container breakout attack that took
advantage of a file descriptor that was leaked internally within runc (but
never leaked to the container process). In addition to fixing the leak,
several strict hardening measures were added to ensure that future internal
leaks could not be used to break out in this manner again. Based on our
research, while no other container runtime had a similar leak, none had any
of the hardening steps we've introduced (and some runtimes would not check
for any file descriptors that a calling process may have leaked to them,
allowing for container breakouts due to basic user error).
Support memory.peak and memory.swap.peak in cgroups v2.
Add swapOnlyUsage in MemoryStats. This field reports swap-only usage.
For cgroupv1, Usage and Failcnt are set by subtracting memory usage
from memory+swap usage. For cgroupv2, Usage, Limit, and MaxUsage
are set. (#4000, #4010, #4131)
Updates google.golang.org/protobuf from 1.30.0 to 1.31.0
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/initializ-buildpacks/git/network/alerts).
Bumps the go_modules group with 5 updates:
1.7.71.7.1124.0.7+incompatible24.0.9+incompatible1.1.51.1.120.17.00.23.01.30.01.31.0Updates
github.com/containerd/containerdfrom 1.7.7 to 1.7.11Release notes
Sourced from github.com/containerd/containerd's releases.
... (truncated)
Changelog
Sourced from github.com/containerd/containerd's changelog.
... (truncated)
Commits
64b8a81Merge pull request #9491 from dmcgowan/prepare-1.7.11ea5a477Merge pull request #9352 from thaJeztah/1.7_update_golang_1.20.1167d356cMerge pull request from GHSA-7ww5-4wqc-m92cdfae68bPrepare release notes for v1.7.11de6d8a8Merge pull request #9482 from ambarve/sn_cleanup_1.7ed7c689Don't block snapshot garbage collection on Remove failures467de56Merge pull request #9481 from ruiwen-zhao/cri-ud94f8ffMerge pull request #9483 from dmcgowan/backport-1.7-fix-otel-http1fdefddAdd warning for CRIU config usage8e06899Merge pull request #9479 from ruiwen-zhao/cri-api-warningUpdates
github.com/docker/dockerfrom 24.0.7+incompatible to 24.0.9+incompatibleRelease notes
Sourced from github.com/docker/docker's releases.
... (truncated)
Commits
fca702dMerge pull request from GHSA-xw73-rw38-6vjcf78a772Merge pull request #47281 from thaJeztah/24.0_backport_bump_containerd_binary...61afffeMerge pull request #47270 from thaJeztah/24.0_backport_bump_runc_binary_1.1.12b38e74cMerge pull request #47276 from thaJeztah/24.0_backport_bump_runc_1.1.12dac5663update containerd binary to v1.7.1320e1af3vendor: github.com/opencontainers/runc v1.1.12858919dupdate runc binary to v1.1.12141ad39Merge pull request #47266 from vvoland/ci-fix-makeps1-templatefail-24db968c6hack/make.ps1: Fix go list pattern61c51fbMerge pull request #47221 from vvoland/pkg-pools-close-noop-24Updates
github.com/opencontainers/runcfrom 1.1.5 to 1.1.12Release notes
Sourced from github.com/opencontainers/runc's releases.
... (truncated)
Changelog
Sourced from github.com/opencontainers/runc's changelog.
... (truncated)
Commits
51d5e94VERSION: release 1.1.122a4ed3emerge 1.1-ghsa-xr7r-f8xq-vfvv into release-1.1e9665f4init: don't special-case logrus fds683ad2flibcontainer: mark all non-stdio fds O_CLOEXEC before spawning initb6633f4cgroup: plug leaks of /sys/fs/cgroup handle284ba30init: close internal fds before execvefbe3eedsetns init: do explicit lookup of execve argument early0994249init: verify after chdir that cwd is inside the container506552aFix File to Close099ff69merge #4177 into opencontainers/runc:release-1.1Updates
golang.org/x/netfrom 0.17.0 to 0.23.0Commits
c48da13http2: fix TestServerContinuationFlood flakes762b58dhttp2: fix tipos in commentba87210http2: close connections when receiving too many headersebc8168all: fix some typos3678185http2: make TestCanonicalHeaderCacheGrowth faster448c44fhttp2: remove clientTesterc7877achttp2: convert the remaining clientTester tests to testClientConnd8870b0http2: use synthetic time in TestIdleConnTimeoutd73acffhttp2: only set up deadline when Server.IdleTimeout is positive89f602bhttp2: validate client/outgoing trailersUpdates
google.golang.org/protobuffrom 1.30.0 to 1.31.0Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show