chore(deps): update module github.com/containerd/containerd to v1.7.11 [security] #2200
This PR contains the following updates:

github.com/containerd/containerd: v1.7.6 -> v1.7.11
GitHub Vulnerability Alerts
GHSA-7ww5-4wqc-m92c: /sys/devices/virtual/powercap accessible by default to containers

Intel's RAPL (Running Average Power Limit) feature, introduced with the Sandy Bridge microarchitecture, gives software insight into hardware energy consumption. To expose it, Intel added the powercap framework to Linux kernel 3.13, which reads the values from the relevant MSRs (model-specific registers) and provides unprivileged userspace access via sysfs. As RAPL is an interface to a hardware feature, it is only available when running on bare metal with the module compiled into the kernel.

By 2019 it was realized that, in some cases, unprivileged access to RAPL readings could be exploited as a power-based side channel against security features including AES-NI (potentially inside an SGX enclave) and KASLR (kernel address space layout randomization). The attack, known as PLATYPUS, was assigned CVE-2020-8694 and CVE-2020-8695 by Intel and CVE-2020-12912 by AMD.

Several mitigations were applied: Intel reduced the sampling resolution via a microcode update, and since 5.10 the Linux kernel prevents access by non-root users. However, this kernel-based mitigation does not apply to many container-based scenarios:

- sysfs is mounted inside containers read-only; however, only read access is needed to carry out this attack on an unpatched CPU.

While this is not a direct vulnerability in container runtimes, defense in depth and safe defaults are valuable and preferred, especially as this poses a risk to multi-tenant container environments. The fix masks /sys/devices/virtual/powercap in the default mount configuration and adds a set of rules denying it in the default AppArmor profile.

While sysfs is not the only way to read from the RAPL subsystem, other ways of accessing it require additional capabilities such as CAP_SYS_RAWIO, which is not available to containers by default, or a perf paranoia level lower than 1, which is a non-default kernel tunable.
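The advisory's fix is a change to the default OCI runtime spec: the powercap tree has to appear in linux.maskedPaths, because a read-only sysfs mount or a readonlyPaths entry still permits the read access the side channel needs. The following Go program is an added example written for this page, not containerd's own code. It audits a container's config.json for the mask and adds it when missing; the embedded config.json is constructed test data in the pre-1.7.11 style, and the function names are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// PowercapPath is the sysfs tree containerd v1.7.11 masks by default
// (GHSA-7ww5-4wqc-m92c). Reading RAPL energy counters from it is the
// PLATYPUS vector that a read-only sysfs does not stop.
const PowercapPath = "/sys/devices/virtual/powercap"

// SampleOldConfig is a constructed, trimmed-down OCI runtime config.json in
// the style generated before the fix: the usual /proc and /sys/firmware
// masks are present, the powercap tree is not. It is test data for this
// example, not a real containerd-generated spec.
const SampleOldConfig = `{
  "ociVersion": "1.1.0",
  "process": {"args": ["/bin/sh"], "user": {"uid": 0, "gid": 0}},
  "linux": {
    "maskedPaths": [
      "/proc/acpi", "/proc/kcore", "/proc/keys", "/proc/timer_list",
      "/proc/sched_debug", "/sys/firmware", "/proc/scsi"
    ],
    "readonlyPaths": ["/proc/bus", "/proc/fs", "/proc/irq", "/proc/sys"]
  }
}`

// MissingMasks parses an OCI runtime config.json and returns every path in
// required that is absent from linux.maskedPaths, sorted. Only maskedPaths
// counts: readonlyPaths (or an ro sysfs mount) still allows the read access
// the side channel needs.
func MissingMasks(configJSON []byte, required []string) ([]string, error) {
	var spec struct {
		Linux struct {
			MaskedPaths []string `json:"maskedPaths"`
		} `json:"linux"`
	}
	if err := json.Unmarshal(configJSON, &spec); err != nil {
		return nil, fmt.Errorf("parse config.json: %w", err)
	}
	masked := make(map[string]bool, len(spec.Linux.MaskedPaths))
	for _, p := range spec.Linux.MaskedPaths {
		masked[p] = true
	}
	missing := []string{}
	for _, p := range required {
		if !masked[p] {
			missing = append(missing, p)
		}
	}
	sort.Strings(missing)
	return missing, nil
}

// AddMasks returns config.json with paths appended to linux.maskedPaths,
// keeping every other field intact and never adding a path twice. The
// document is decoded into a generic map so unrelated spec fields
// round-trip untouched.
func AddMasks(configJSON []byte, paths []string) ([]byte, error) {
	var doc map[string]any
	if err := json.Unmarshal(configJSON, &doc); err != nil {
		return nil, fmt.Errorf("parse config.json: %w", err)
	}
	linux, _ := doc["linux"].(map[string]any)
	if linux == nil {
		linux = map[string]any{}
		doc["linux"] = linux
	}
	existing, _ := linux["maskedPaths"].([]any)
	seen := map[string]bool{}
	for _, v := range existing {
		if s, ok := v.(string); ok {
			seen[s] = true
		}
	}
	for _, p := range paths {
		if !seen[p] {
			existing = append(existing, p)
			seen[p] = true
		}
	}
	linux["maskedPaths"] = existing
	return json.MarshalIndent(doc, "", "  ")
}

func main() {
	required := []string{PowercapPath}
	missing, err := MissingMasks([]byte(SampleOldConfig), required)
	if err != nil {
		panic(err)
	}
	fmt.Println("missing masks before fix:", missing)

	fixed, err := AddMasks([]byte(SampleOldConfig), required)
	if err != nil {
		panic(err)
	}
	missing, _ = MissingMasks(fixed, required)
	fmt.Println("missing masks after fix: ", missing)
}
```

On a real host the input would be the spec of a running container (for example the output of `ctr container info`, or the bundle's config.json under containerd's runtime state directory). Once the path is masked, runc bind-mounts an empty read-only tmpfs over the directory, so inside the container `ls /sys/devices/virtual/powercap` shows nothing instead of the intel-rapl entries whose energy_uj counters the attack samples. The AppArmor half of the fix is an independent layer for hosts where the profile is loaded: a deny rule over the same tree, so a spec that drops the mask is still blocked by the LSM.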
Release Notes
containerd/containerd (github.com/containerd/containerd)
v1.7.11: containerd 1.7.11
Welcome to the v1.7.11 release of containerd!
The eleventh patch release for containerd 1.7 contains various fixes and updates including one security issue.

Notable Updates

- Mask /sys/devices/virtual/powercap path in runtime spec and deny in default apparmor profile (GHSA-7ww5-4wqc-m92c)

Deprecation Warnings
See the changelog for complete list of changes
Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.
Contributors
Changes
39 commits

- dfae68bc3 Prepare release notes for v1.7.11
- 0d314401d update to go1.20.12, test go1.21.5
- 1ec1ae2c6 update to go1.20.11, test go1.21.4
- cb804da21 contrib/apparmor: deny /sys/devices/virtual/powercap
- 40162a576 oci/spec: deny /sys/devices/virtual/powercap
- ed7c6895b Don't block snapshot garbage collection on Remove failures
- 1fdefdd22 Add warning for CRIU config usage
- f8f659e66 Add HTTP client update function to tracing library
- 807ddd658 fix(tracing): use latest version of semconv
- dc45bc838 Add cri-api v1alpha2 usage warning to all api calls
- 9d1bad62e deprecation: fix missing spaces in warnings
- 51a604c07 cri: add deprecation warning for runtime_root
- 8040e74bf cri: add deprecation warning for runtime_engine
- 99adc40eb cri: add deprecation warning for default_runtime
- afef7ec64 cri: add warning for untrusted_workload_runtime
- 6220dc190 cri: add warning for old form of systemd_cgroup
- 80f96cd18 runtime/v2: net.Dial gRPC shim sockets before trying grpc
- f471bb2b8 tasks: emit warning for runc v1 runtime
- 329e1d487 tasks: emit warning for v1 runtime
- 4464fde12 push: always inherit distribution sources from parent
- 7e069ee25 Update tar tests to run on Darwin
- 5fc0e4e61 ctr: Add sandbox flag to ctr run
- 31fe03764 Fix windows default path overwrite issue
- 625b35e4b snapshots: emit deprecation warning for aufs

Dependency Changes
Previous release can be found at v1.7.10
v1.7.10: containerd 1.7.10
Welcome to the v1.7.10 release of containerd!
The tenth patch release for containerd 1.7 contains various fixes and updates.
Notable Updates
See the changelog for complete list of changes
Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.
Contributors
Changes
11 commits

- a995fe3a8 Add release notes for v1.7.10
- 206806128 remotes/docker: close connection if no more data
- 328493962 integration: reproduce #9347
- d1aab27cb fix: deflake TestCRIImagePullTimeout/HoldingContentOpenWriter
- a2b16d7f9 cri: fix update of pinned label for images
- 8dc861844 cri: fix using the pinned label to pin image
- 5930a3750 Enhance container image unpack client logs

Dependency Changes
This release has no dependency changes
Previous release can be found at v1.7.9
v1.7.9: containerd 1.7.9
Welcome to the v1.7.9 release of containerd!
The ninth patch release for containerd 1.7 contains various fixes and updates.
Notable Updates
See the changelog for complete list of changes
Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.
Contributors
Changes
28 commits

- 4b912af52 Add release notes for v1.7.9
- eff291713 update runc binary to v1.1.10
- bd9428ff7 vendor: upgrade OpenTelemetry to v1.19.0 / v0.45.0
- d62cba40c Expose usage of cri-api v1alpha2
- 5dbc258a8 integration: deflake TestIssue9103
- 449912857 fix: shimv1 leak issue
- 152c57e91 cri: add deprecation warning for configs
- 689a1036d cri: add deprecation warning for auths
- 8c38975bf cri: add deprecation warning for mirrors
- 1fbce40c4 cri: add ability to emit deprecation warnings
- 73f15bdb6 Update hcsshim tag to v0.11.4
- 60d48ffea ctr: new deprecations command
- 74a06671a plugin: record deprecation for dynamic plugins
- fa5f3c91a server: add ability to record config deprecations
- f7880e7f0 pull: record deprecation warning for schema 1
- 1dd2f2c02 introspection: add support for deprecations
- aaf000c18 api/introspection: deprecation warnings in server
- 9b7ceee54 warning: new service for deprecations
- b708f8bfa deprecation: new package for deprecations

Dependency Changes
Previous release can be found at v1.7.8
v1.7.8: containerd 1.7.8
Welcome to the v1.7.8 release of containerd!
The eighth patch release for containerd 1.7 contains various fixes and updates.
Notable Updates
See the changelog for complete list of changes
Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.
Contributors
Changes
27 commits

- 48dbdf871 Prepare release notes for v1.7.8
- 68abc543b Check scheme and host of request on push redirect
- 35c7634e3 Avoid TLS fallback when protocol is not ambiguous
- f36948cad vendor: gRPC v1.58.3
- c67a53190 vendor: golang.org/x/net v0.17.0
- 71f4b36ca vendor: golang.org/x/text v0.13.0
- a7b3b7090 vendor: golang.org/x/sys v0.13.0
- 26736d6e1 vendor: google.golang.org/grpc v1.56.3
- 54a69a6e4 vendor: golang.org/x/oauth2 v0.7.0
- ac15a7f5b vendor: google.golang.org/protobuf v1.30.0
- 2479c3321 [release/1.7] update to go1.20.10, test go1.21.3
- 11f40e9d8 [release/1.7] update to go1.20.9, test go1.21.2
- cac1bab79 Add a new image label if it is docker schema 1
- 6cd2cc4a8 remotes: add handling for missing basic auth credentials
- d0a1fedb5 *: add runc-fp as runc wrapper to inject failpoint
- 04491240a containerd-shim-runc-v2: avoid potential deadlock in create handler
- 6982a0df5 containerd-shim-runc-v2: remove unnecessary s.getContainer()
- 0e2320398 Uncopypaste parsing of OCI Bundle spec file

Dependency Changes

- 7f2fa6f -> 782d3b1
- 782d3b1 new
- 782d3b1 new

Previous release can be found at v1.7.7
v1.7.7: containerd 1.7.7
Welcome to the v1.7.7 release of containerd!
The seventh patch release for containerd 1.7 contains various fixes and updates.
Notable Updates
See the changelog for complete list of changes
Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.
Contributors
Changes
31 commits

- a34fa5681 Prepare release notes for v1.7.7
- 6ca0aebf0 Allow for images with artifacts to pull
- 7df492a95 remotes/docker: Fix MountedFrom prefixed with target repository
- b3db314a5 Bump x/net to 0.13
- 7779ce64e remotes: always try to establish tls connection when tls configured
- 6013b5e03 cri: stop recommending disable_cgroup
- a83c66813 Require plugins to succeed after registering readiness
- 171d76849 cri: call RegisterReadiness after NewCRIService
- 3d27bc738 Handle unexpected shim kill events
- 4ffa3ed29 Build binaries with 1.21.1
- 5756f6064 [release/1.7] vendor: github.com/Microsoft/hcsshim v0.11.1
- 09633b539 deprecate logs package, but disable linter (for transitioning)
- cb201519f alias log package to github.com/containerd/log v0.1.0
- a5024e6dd vendor: github.com/stretchr/testify v1.8.4
- 7bd976af3 vendor: github.com/sirupsen/logrus v1.9.3
- 8cd2d33c2 [release/1.7] remotes/docker: Add MountedFrom and Exists push status
- 3ca015e55 nri: update mock plugin handlers
- 4cd208c1f vendor: update github.com/containerd/nri@v0.4.0

Changes from containerd/log

9 commits

- 89c9a54 Update golangci to 1.49
- cf26711 Update description in README
- f9f250c Add project details
- fb7fe3d Add github CI flow
- 7e13034 Add go module
- 16a3c76 Rename log import from logtest
- 698c398 Add README
- 87c83c4 Add license file

Changes from containerd/nri

35 commits

- 5f13915 releases: update note about 0.4.0
- 5ecea04 ulimit-adjuster: add validation for hard limits
- db3de10 test: exclude ulimit-adjuster from ginkgo
- f0deb59 ulimit-adjuster: new sample plugin
- d2dd708 Add support for rlimits
- efaf36e api: add POSIXRlimit type
- 3f092c2 .github: add test build to CI workflow.
- 01d5f14 Add a note about NRI API stability and release notes.
- ea9976d adaptation: add UpdateContainer tests.
- d042d24 stub: fix plugin UpdateContainerInterface.
- f5d0f51 plugins: update plugins for stub changes.
- b4bd301 adaptation: update tests with stub changes.
- 9d86150 stub: pass context to plugin event handlers.
- 5eee915 removed link
- c783fc7 Resolves broken podman links and adds details to help better guide people in testing.
- da291a6 Fix ParseEventMask to produce proper masks
- NRI_PLUGIN_NAME env value when launching a pre-installed plugin (#42)
- 4a4cea6 fix the NRI_PLUGIN_NAME env value when launching a pre-installed plugin
- a67478e stub: update setIdentify to ensureIdentify
- 841f5ed update module name of the logger plugin
- 8d9c64d Add gitignore for build artifacts
- c03d1be Makefile: fix 'install-*' targets.
- ab28e71 docs: add a chapter about security considerations.
- 2862d98 api: initialize OCI LinuxMemory resources to empty.

Dependency Changes
Previous release can be found at v1.7.6
Which file should I download?

- containerd-<VERSION>-<OS>-<ARCH>.tar.gz: ✅ Recommended. Dynamically linked with glibc 2.31 (Ubuntu 20.04).
- containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz: Statically linked. Expected to be used on non-glibc Linux distributions. Not position-independent.
- cri-containerd-<VERSION>-<OS>-<ARCH>.tar.gz: (Deprecated)
- cri-containerd-cni-<VERSION>-<OS>-<ARCH>.tar.gz: (Deprecated)

In addition to containerd, typically you will have to install runc and CNI plugins from their official sites too.

See also the Getting Started documentation.
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.