@crazy-max commented Mar 3, 2025

@github-actions bot added the area/dependencies and area/buildkitd labels Mar 3, 2025

Should help with segmentation fault on libc-bin

Signed-off-by: Tonis Tiigi <[email protected]>

Fix issue 5763

- Discourage `--oci-worker-no-process-sandbox`, due to the leakage of
  the processes (by design).
  Instead, encourage setting `systempaths=unconfined` in `docker run`.
  This corresponds to `securityContext.procMount: Unmasked` in Kubernetes,
  however, the configuration is hard on Kubernetes, as it has to be used
  in conjunction with `hostUsers: false`.

- Remove `--device /dev/fuse`, as fuse-overlayfs is no longer used typically.

- Use the new Kubernetes struct for AppArmor

- Add a hint about `kernel.apparmor_restrict_unprivileged_userns`

- Remove `$` from command snippets for ease of copypasting

- Make `job.*.yaml` more practical

- Add `*.userns.yaml`. Needs `UserNamespaceSupport` feature gate to be enabled.

Signed-off-by: Akihiro Suda <[email protected]>

@crazy-max marked this pull request as ready for review March 4, 2025 14:53

Base image may use unnormalized platform so if platform
is inherited normalize needs to be called again.

Signed-off-by: Tonis Tiigi <[email protected]>

Brings in the gRPC message size fix for writing SBOMs.

Signed-off-by: Tonis Tiigi <[email protected]>

@tonistiigi left a comment

Looks like there aren't any other containerd changes in vendor with 2.0.3 bump. Otherwise there is a patch without vendor update also in #5785

@crazy-max merged commit de56a3c into moby:v0.20 Mar 5, 2025
104 checks passed
@crazy-max deleted the 0.20_picks_0.20.1 branch March 5, 2025 13:30