containerd 1.1.7 Welcome to the v1.1.7 release of containerd! This is the seventh patch release for the `containerd` 1.1 release. This release contains fixes for image management, containerd client, CRI plugin and containerd io handling. It also updates runc to include an improved fix for [CVE-2019-5736](https://nvd.nist.gov/vuln/detail/CVE-2019-5736) to reduce the increased memory-consumption introduced by the original patch, updates CNI to v0.7.5 to include the fix for [CVE-2019-9946](https://nvd.nist.gov/vuln/detail/CVE-2019-9946), adds 2 new syscalls in the default seccomp profile. All these changes are noted below. ## Notable Updates * Fix an issue that non-existent parent directory in image layers is created with permission `0700`. [#3017](https://github.com/containerd/containerd/issues/3017) * Fix an issue that snapshots of the base image can be deleted by mistake, when images built on top of it are deleted. [#3088](https://github.com/containerd/containerd/pull/3088) * Allow overriding package name in `containerd --version` output. [#3097](https://github.com/containerd/containerd/pull/3097) * Add 2 new syscalls `io_pgetevents` and `statx` in the default seccomp whitelist. [#3112](https://github.com/containerd/containerd/pull/3112) [#3114](https://github.com/containerd/containerd/pull/3114) * Fix a bug that container output can be incomplete when stdout and stderr are pointed to the same file. [#3156](https://github.com/containerd/containerd/issues/3156) * cri: fix a bug that pod can't get started when the same volume is defined differently in the image and the pod spec. [cri#1059](https://github.com/containerd/cri/issues/1059) * cri: fix a bug that causes container start failure after in-place upgrade containerd to 1.2.4+ or 1.1.6+. [cri#1082](https://github.com/containerd/cri/issues/1082) * cri: fix a bug that containers being gracefully stopped are SIGKILLed when kubelet is restarted. [cri#1098](https://github.com/containerd/cri/issues/1098) * cri: Fix a bug that pod UTS namespace is used for host network. [cri#1111](https://github.com/containerd/cri/pull/1111) * cri: Update CNI plugins to v0.7.5 for [CVE-2019-9946](https://nvd.nist.gov/vuln/detail/CVE-2019-9946) * Update cri to f8171b4530bed8992973cc4a2f24efe53b821d53. [3175](https://github.com/containerd/containerd/pull/3175) * Update runc to v1.0.0-rc7-6-g029124da [#3184](https://github.com/containerd/containerd/pull/3184) to include the improved fix for CVE-2019-5736, and fix a potential container start failure on non-SELinux system [runc#2030](https://github.com/opencontainers/runc/issues/2030). Please try out the release binaries and report any issues at https://github.com/containerd/containerd/issues. ### Contributors * Lantao Liu * Michael Crosby * Phil Estes * Sebastiaan van Stijn * Akihiro Suda * Derek McGowan * Peter Wagner * Andrei Vagin * Avi Kivity * Claudia Beresford * Daniel, Dao Quang Minh * John Howard * Kenfe-Mickaël Laventure * Lu Jingxiao * Madhan Raj Mookkandy * Nikos Anastopoulos * Parav Pandit * Sudeesh John * Wei Fu ### Changes * [`4278fbc243`](https://github.com/containerd/containerd/commit/4278fbc24348343e3693658313d6964d548b7063) Merge pull request [#3181](https://github.com/containerd/containerd/pull/3181) from Random-Liu/prepare-1.1.7 * [`f8e22625c6`](https://github.com/containerd/containerd/commit/f8e22625c6388de486f4420d750c93469402207a) Prepare v1.1.7 release. * [`af0bc2e035`](https://github.com/containerd/containerd/commit/af0bc2e035251ed2530636788adb78312d64129a) Merge pull request [#3184](https://github.com/containerd/containerd/pull/3184) from thaJeztah/1.1_bump_runc * [`c186fd8d8c`](https://github.com/containerd/containerd/commit/c186fd8d8c2d0613ee60e84784e8feee0ac8c841) bump runc to 029124da (v1.0.0-rc7-6-g029124da) * [`82ebb90280`](https://github.com/containerd/containerd/commit/82ebb902806fb6b55b8365abd6e2af0ec5d8a9f4) Merge pull request [#3175](https://github.com/containerd/containerd/pull/3175) from Random-Liu/update-cri-release-1.1 * [`125c9a0046`](https://github.com/containerd/containerd/commit/125c9a00466b0f7ad09150358b37bdfb985c50fe) Update cri to f8171b4530bed8992973cc4a2f24efe53b821d53. * [`41b3a316f7`](https://github.com/containerd/containerd/commit/41b3a316f7b02b597383210a8bffb4691ab1dbce) Merge pull request [#3165](https://github.com/containerd/containerd/pull/3165) from Random-Liu/update-cri-release-1.1 * [`3afed24a4e`](https://github.com/containerd/containerd/commit/3afed24a4e501be880576fdd7f6f7dfe98480dd3) Update cri to b9c06fd1410f1e6699a83277887af399a1342736. * [`01cd85f6e8`](https://github.com/containerd/containerd/commit/01cd85f6e8575ab2e18d9244980d4ce7c8dfb41d) Merge pull request [#3156](https://github.com/containerd/containerd/pull/3156) from thaJeztah/1.1_backport_issue_3118 * [`de85314d4f`](https://github.com/containerd/containerd/commit/de85314d4f6dc26341cd25e08b6e4a6b446ce75d) runtime: guard Close() until both streams are complete * [`255da2a7b0`](https://github.com/containerd/containerd/commit/255da2a7b0de582d39c70283532c5fe78aca8b81) runtime: log IO error when copying output streams * [`2bf4d3a650`](https://github.com/containerd/containerd/commit/2bf4d3a65093b09530c2512eda5989cde0782bba) Merge pull request [#3140](https://github.com/containerd/containerd/pull/3140) from thaJeztah/1.1_backport_bump_runc_v1.0.0-rc7 * [`25b40629d4`](https://github.com/containerd/containerd/commit/25b40629d4a777a9e533cd0377260817a8098ddb) update opencontainers/runc v1.0.0-rc7 * [`cdc2fe6d81`](https://github.com/containerd/containerd/commit/cdc2fe6d818320e91a6d084a6780a7f8389acdc4) Merge pull request [#3112](https://github.com/containerd/containerd/pull/3112) from thaJeztah/1.1_backport_whitelist_statx * [`8f6bcb2bba`](https://github.com/containerd/containerd/commit/8f6bcb2bba4b7520cf51a3de6259de2f1fc2259d) Merge pull request [#3114](https://github.com/containerd/containerd/pull/3114) from thaJeztah/1.1_backport_whitelist_io_pgetevents * [`58bee8125b`](https://github.com/containerd/containerd/commit/58bee8125b3c065967eb2f61466dfc05b2684679) seccomp: whitelist io_pgetevents * [`03d129bdb2`](https://github.com/containerd/containerd/commit/03d129bdb296d45a065476ff15de054282543799) seccomp: whitelist statx syscall * [`9a0a5fd1e7`](https://github.com/containerd/containerd/commit/9a0a5fd1e71db942b347f24dd93dd1fc55857f91) Merge pull request [#3097](https://github.com/containerd/containerd/pull/3097) from thaJeztah/1.1_backport_override_package_name * [`d28f4aa242`](https://github.com/containerd/containerd/commit/d28f4aa2424e98246ed0af186e978c4ae0f2ed3a) Makefile: allow overriding package name * [`8ecb055c07`](https://github.com/containerd/containerd/commit/8ecb055c07a6bd7eb5adf43f4cac48af71e31322) Merge pull request [#3083](https://github.com/containerd/containerd/pull/3083) from thaJeztah/1.1_backport_bump_runc * [`21abff907c`](https://github.com/containerd/containerd/commit/21abff907c261a0bafbcd01e7fa530258b936662) Vendor opencontainers/runtime-spec 29686dbc * [`49b7692b16`](https://github.com/containerd/containerd/commit/49b7692b161ed0f6d19a8eef6b06e6099d289769) Vendor in runtime spec referencing windows namespace * [`62e4a2c8e7`](https://github.com/containerd/containerd/commit/62e4a2c8e78358eacf2574e92229d55025b68c73) Update containerd dependencies for 1.2 * [`95a8d1d933`](https://github.com/containerd/containerd/commit/95a8d1d93356f2f806ccaa15bba878d643168b47) Merge pull request [#3088](https://github.com/containerd/containerd/pull/3088) from fuweid/me-cp-2876-release-1.1 * [`4e69228971`](https://github.com/containerd/containerd/commit/4e69228971ed5a67d19735fd27df7fa50b40b4ae) bugfix: unpack should always set the snapshot gc label * [`f86b114ac5`](https://github.com/containerd/containerd/commit/f86b114ac52eefe97d41e62ed79f48ea9c9f7219) update runc to 2b18fe1d885ee5083ef9f0838fee39b62d653e30 * [`52bfc9f530`](https://github.com/containerd/containerd/commit/52bfc9f53008ed96c394338d5c3ecaddf3d3969b) Merge pull request [#3078](https://github.com/containerd/containerd/pull/3078) from thaJeztah/1.1_bump_golang * [`8f044b8320`](https://github.com/containerd/containerd/commit/8f044b832094496a82516e231800bbf34390fbf2) Bump to Go 1.11.x * [`0fc64b682c`](https://github.com/containerd/containerd/commit/0fc64b682c0a43483fcdc96752f829e1e24be7e0) Workaround for gofmt change in Go 1.11 * [`45b8d86585`](https://github.com/containerd/containerd/commit/45b8d86585f43786ac7d0b38ee67dec95e30ebb7) Fix the formatting directives error during compilation * [`9d16e2e660`](https://github.com/containerd/containerd/commit/9d16e2e6607d1b34642803511dbe285baebc29e2) Merge pull request [#3039](https://github.com/containerd/containerd/pull/3039) from Random-Liu/cherrypick-#3018-release-1.1 * [`ee4754550a`](https://github.com/containerd/containerd/commit/ee4754550a2198c5438bfa8db5941b1aef699319) Unpack should set 0755 when the parent directory doesn't exist. ### Changes from containerd/cgroups * [`5e61083`](https://github.com/containerd/cgroups/commit/5e610833b72089b37d0e615de9a92dfc043757c2) Merge pull request [#50](https://github.com/containerd/cgroups/pull/50) from jingxiaolu/master * [`0d1587c`](https://github.com/containerd/cgroups/commit/0d1587cedd41971cd1af3e2f9edbce0f74e041db) Add interface AddTask to control groups. So that we can set tasks when we need. * [`07683a6`](https://github.com/containerd/cgroups/commit/07683a668a6c20f509112ea932da7e4ca98c7c3f) Merge pull request [#45](https://github.com/containerd/cgroups/pull/45) from anastop/master * [`15ef4c3`](https://github.com/containerd/cgroups/commit/15ef4c3a9e6a4d60361efafd525a3e3edad4362b) Add Update method for the cpuset controller * [`c755602`](https://github.com/containerd/cgroups/commit/c755602142464816c21c4950b991db93d9d6de95) Merge pull request [#41](https://github.com/containerd/cgroups/pull/41) from estesp/update-travis-go * [`0a357bb`](https://github.com/containerd/cgroups/commit/0a357bbad85b36dfa0d0394875a294a1e531c500) Update Go versions for travis * [`5539584`](https://github.com/containerd/cgroups/commit/5539584069073a678346861117642026f267fba3) Fix incorrect use of OCI runtime specs-go cgroup dev types * [`bf7d89f`](https://github.com/containerd/cgroups/commit/bf7d89f306222823b2b23f2d6e28cd39d4f8cbdf) Merge pull request [#40](https://github.com/containerd/cgroups/pull/40) from containerd/license * [`f1d9380`](https://github.com/containerd/cgroups/commit/f1d9380fd3c028194db9582825512fdf3f39ab2a) Add license to files * [`78a98a6`](https://github.com/containerd/cgroups/commit/78a98a644df4444dcb1fbfaea26287f2b1680bd7) Merge pull request [#39](https://github.com/containerd/cgroups/pull/39) from paravmellanox/master * [`ccd26c4`](https://github.com/containerd/cgroups/commit/ccd26c4469753abb6dfbf5170b3e19dab15233ac) Add support for rdma cgroup ### Changes from containerd/cri * [`f8171b45`](https://github.com/containerd/cri/commit/f8171b4530bed8992973cc4a2f24efe53b821d53) Merge pull request [#1117](https://github.com/containerd/cri/pull/1117) from thaJeztah/1.0_backport_bump_selinux * [`961bbf32`](https://github.com/containerd/cri/commit/961bbf3229e98818eddffc944545ea2fe942b17e) bump opencontainers/selinux v1.2.1 * [`c7ec47f5`](https://github.com/containerd/cri/commit/c7ec47f52dc0b9f0b9018f1a21496185b16b7c72) bump opencontainers/selinux to v1.2 * [`b9c06fd1`](https://github.com/containerd/cri/commit/b9c06fd1410f1e6699a83277887af399a1342736) Merge pull request [#1112](https://github.com/containerd/cri/pull/1112) from Random-Liu/cherrypick-#1102-release-1.0 * [`c29999cc`](https://github.com/containerd/cri/commit/c29999cc722ab7c024ba240804149dcd3ed541c8) No UTS namespace for hostnetwork. * [`15a38626`](https://github.com/containerd/cri/commit/15a38626beba8e1d428c16bcc247c12c102358e6) Merge pull request [#1110](https://github.com/containerd/cri/pull/1110) from Random-Liu/cherrypick-#1108-release-1.0 * [`5ca7e895`](https://github.com/containerd/cri/commit/5ca7e89556582a5f9860733864b9c8dd4834fc03) Update CNI to v0.7.5. * [`04ccb9ca`](https://github.com/containerd/cri/commit/04ccb9ca84687c041fed67a7fa13fc215b05390f) Merge pull request [#1105](https://github.com/containerd/cri/pull/1105) from Random-Liu/cherrypick-#1099-release-1.0 * [`b2568d2e`](https://github.com/containerd/cri/commit/b2568d2eaaecc76c7977879ff251107479ce3d16) Do not SIGKILL container if container stop is cancelled. * [`3c81b301`](https://github.com/containerd/cri/commit/3c81b301d518842795af4d562a11affe88e7f09f) Merge pull request [#1087](https://github.com/containerd/cri/pull/1087) from Random-Liu/cherrypick-#1085-release-1.0 * [`134c2f35`](https://github.com/containerd/cri/commit/134c2f35daa7c8a46d39e3d02976ff24e561b544) Fix /etc/hostname backward compatibility issue for in-place upgrade. * [`5b8046c2`](https://github.com/containerd/cri/commit/5b8046c28ee1c090418800e5f154ba9aeeb77260) Merge pull request [#1073](https://github.com/containerd/cri/pull/1073) from Random-Liu/cherrypick-#1072-release-1.0 * [`b01bbde7`](https://github.com/containerd/cri/commit/b01bbde7ebf9125df794b8c6b00a4b0d5a3e8891) Use clean path for map and comparison. * [`d35c6741`](https://github.com/containerd/cri/commit/d35c6741eb82afe419c6d890096ec6d9e01c4ed3) Merge pull request [#1068](https://github.com/containerd/cri/pull/1068) from Random-Liu/cherrypick-#1055-release-1.0 * [`90bc4a66`](https://github.com/containerd/cri/commit/90bc4a666b440ebbca2225b716d384d07b002622) Use the correct sandbox config. * [`64e3e2d0`](https://github.com/containerd/cri/commit/64e3e2d06a0a54594f3d3e8d3cf2b9155b8fefac) Merge pull request [#1051](https://github.com/containerd/cri/pull/1051) from Random-Liu/update-containerd-release-1.0 * [`5f8a6b6b`](https://github.com/containerd/cri/commit/5f8a6b6bf7f572240a602ee451b66a0aa8024ad4) Update containerd to 878924b9b5b2d5fc22a3bdbe93ac736f31618f44. ### Changes from containerd/go-runc * [`14606eb`](https://github.com/containerd/go-runc/commit/14606eb66abd9e834e3bd22a4f5f46a3aad54c54) Merge pull request [#43](https://github.com/containerd/go-runc/pull/43) from AkihiroSuda/rootless * [`0194529`](https://github.com/containerd/go-runc/commit/0194529da8005aec523e4419fbbba7999199a79a) add support for --rootless * [`74719bd`](https://github.com/containerd/go-runc/commit/74719bd2a8ade2628345189915f20296781dcd55) Merge pull request [#42](https://github.com/containerd/go-runc/pull/42) from Random-Liu/expose-parsePSOutput * [`fdf39b3`](https://github.com/containerd/go-runc/commit/fdf39b3a7ef10982d1a5311c0411461406299517) Expose parsePSOutput. * [`301f7c1`](https://github.com/containerd/go-runc/commit/301f7c1fbbc328a0b5b08c4e9942de2f0a147f96) Merge pull request [#41](https://github.com/containerd/go-runc/pull/41) from masters-of-cats/master * [`07e192d`](https://github.com/containerd/go-runc/commit/07e192dad382644e9bf2f6e6044cd8d24aac6bec) Use user-specific temp directory if set * [`f271fa2`](https://github.com/containerd/go-runc/commit/f271fa2021de855d4d918dbef83c5fe19db1bdd5) Merge pull request [#40](https://github.com/containerd/go-runc/pull/40) from avagin/tty * [`400dfa3`](https://github.com/containerd/go-runc/commit/400dfa3a6d4473c42b68aae921cb63b8080397a8) Add ConsoleSocket to RestoreOpts ### Dependency Changes Previous release can be found at [v1.1.6](https://github.com/containerd/containerd/releases/tag/v1.1.6) * **github.com/containerd/cgroups** fe281dd265766145e943a034aa41086474ea6130 -> 5e610833b72089b37d0e615de9a92dfc043757c2 * **github.com/containerd/cri** f0b5665a959119b6a6234001e6d55206d9200e95 -> f8171b4530bed8992973cc4a2f24efe53b821d53 * **github.com/containerd/go-runc** bcb223a061a3dd7de1a89c0b402a60f4dd9bd307 -> 14606eb66abd9e834e3bd22a4f5f46a3aad54c54 * **github.com/containernetworking/plugins** v0.7.0 -> v0.7.5 * **github.com/opencontainers/runc** 6635b4f0c6af3810594d2770f662f34ddc15b40d -> 029124da7af7360afa781a0234d1b083550f797c * **github.com/opencontainers/runtime-spec** v1.0.1 -> 29686dbc5559d93fb1ef402eeda3e35c38d75af4 * **github.com/opencontainers/selinux** b6fa367ed7f534f9ba25391cc2d467085dbb445a -> v1.2.1