I'm horrible at vim, and use nano as my go-to editor for quick changes.
Let's install nano in the dev-container as alternative to vim for those
like me, who are not so vim-savvy ^O^C^C:wq:
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
`moby/vpnkit` now officially pushes a binary image to `moby/vpnkit-bin`
repository on Docker Hub.
Use it to fetch the vpnkit binary.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
The syntax was pinned for 1.7 in f696e0d2a7
possibly because it was not yet promoted as "latest stable" at the
time.
I don't think we need to pin to an old version, and just go with
the latest, so that we can use the latest features provided.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This updates the Docker CLI version used for integration-cli tests from
v17.06.2-ce to v18.06.3-ce.
v18.06 is the first one that supports enabling BuildKit.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
full diff: https://github.com/golang/go/compare/go1.23.7...go1.23.8
release notes: https://go.dev/doc/devel/release#go1.24.2
go1.23.8 (released 2025-04-01) includes security fixes to the net/http package,
as well as bug fixes to the runtime and the go command. See the Go 1.23.8
milestone on our issue tracker for details;
https://github.com/golang/go/issues?q=milestone%3AGo1.23.8+label%3ACherryPickApproved
From the mailing list:
Hello gophers,
We have just released Go versions 1.24.2 and 1.23.8, minor point releases.
These minor releases include 1 security fixes following the security policy:
- net/http: request smuggling through invalid chunked data
The net/http package accepted data in the chunked transfer encoding
containing an invalid chunk-size line terminated by a bare LF.
When used in conjunction with a server or proxy which incorrectly
interprets a bare LF in a chunk extension as part of the extension,
this could permit request smuggling.
The net/http package now rejects chunk-size lines containing a bare LF.
Thanks to Jeppe Bonde Weikop for reporting this issue.
This is CVE-2025-22871 and Go issue https://go.dev/issue/71988.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Since commit cfc049c the dev container has been using iptables-nft,
but the Dockerfile configured firewalld to use its iptables backend
(if firewalld is enabled, which it accidentally hasn't been in CI).
The integration tests run ok for a while, then some things start
failing with the less than obvious message:
Error: COMMAND_FAILED: UNKNOWN_ERROR: nonexistent or underflow of priority count
So, let firewalld use its default nftables backend.
Signed-off-by: Rob Murray <rob.murray@docker.com>
This is the sixth patch release in the 1.2.z series of runc.
It primarily fixes an issue with runc exec vs time namespace,
and a compatibility issue with older kernels.
* Fix a stall issue that would happen if setting `O_CLOEXEC` with
`CloseExecFrom` failed.
* `runc` now properly handles joining time namespaces (such as with
`runc exec`). Previously we would attempt to set the time offsets
when joining, which would fail.
* Handle `EINTR` retries correctly for socket-related direct
`golang.org/x/sys/unix` system calls.
* We no longer use `F_SEAL_FUTURE_WRITE` when sealing the runc binary, as it
turns out this had some unfortunate bugs in older kernel versions and was
never necessary in the first place.
* Remove `Fexecve` helper from `libcontainer/system`. Runc 1.2.1 removed
runc-dmz, but we forgot to remove this helper added only for that.
* Use Go 1.23 for official builds, run CI with Go 1.24 and drop Ubuntu 20.04
from CI. We need to drop Ubuntu 20.04 from CI because Github Actions
announced it's already deprecated and it will be discontinued soon.
full diff: https://github.com/opencontainers/runc/compare/v1.2.5...v1.2.6
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- full diff: https://github.com/containerd/containerd/compare/v1.7.25...v1.7.26
- release notes: https://github.com/containerd/containerd/releases/tag/v1.7.26
Welcome to the v1.7.26 release of containerd!
The twenty-sixth patch release for containerd 1.7 contains various fixes
and updates.
Highlights
- Add support for syncfs after unpack
- Update runc binary to v1.2.55
- Fix race between serve and immediate shutdown on the server
- Reject oversized messages from the sender
Container Runtime Interface (CRI)
- Fix fatal concurrency error in port forwarding
Node Resource Interface (NRI)
- Fix initial sync race when registering NRI plugins
- Add API support for reading Pod IPs
- Fix plugin sync to use multiple messages if ttrpc max message limit is hit
- Update API to pass configured timeouts to plugins.
- Fix mount removal in adjustments
- Close plugin if initial synchronization fails
- Add support for adjusting OOM score
- Add API support for NRI-native CDI injection
- Add support for pids cgroup
Runtime
- Fix console TTY leak in runc shim
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This is the fifth patch release in the 1.2.z series of runc. It primarily fixes
an issue caused by an upstream systemd bug.
* There was a regression in systemd v230 which made the way we define
device rule restrictions require a systemctl daemon-reload for our
transient units. This caused issues for workloads using NVIDIA GPUs.
Workaround the upstream regression by re-arranging how the unit properties
are defined.
* Dependency github.com/cyphar/filepath-securejoin is updated to v0.4.1,
to allow projects that vendor runc to bump it as well.
* CI: fixed criu-dev compilation.
* Dependency golang.org/x/net is updated to 0.33.0.
full diff: https://github.com/opencontainers/runc/compare/v1.2.4...v1.2.5
release notes: https://github.com/opencontainers/runc/releases/tag/v1.2.5
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This minor release include 1 security fix following the security policy:
- crypto/elliptic: timing sidechannel for P-256 on ppc64le
Due to the usage of a variable time instruction in the assembly implementation
of an internal function, a small number of bits of secret scalars are leaked on
the ppc64le architecture. Due to the way this function is used, we do not
believe this leakage is enough to allow recovery of the private key when P-256
is used in any well known protocols.
This is CVE-2025-22866 and Go issue https://go.dev/issue/71383.
View the release notes for more information:
https://go.dev/doc/devel/release#go1.23.6
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
