From 8ad06b27840f9e734dedbfadb284f61d0fb08131 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Sat, 7 Feb 2026 11:48:50 +0100 Subject: [PATCH 1/3] contrib/Dockerfile: remove proto3 (protobuf) stage edb3e0869706fa0d058f8530f7b563af9310eec3 removed `script/setup/install-protobuf` and the tools are now installed through `script/setup/install-dev-tools` Signed-off-by: Sebastiaan van Stijn --- contrib/Dockerfile.test | 18 ------------------ 1 file changed, 18 deletions(-) diff --git a/contrib/Dockerfile.test b/contrib/Dockerfile.test index baeb4059e1846..87d8629580586 100644 --- a/contrib/Dockerfile.test +++ b/contrib/Dockerfile.test @@ -146,24 +146,6 @@ COPY contrib/Dockerfile.test.d/critest.sh /critest.sh ENTRYPOINT ["/critest.sh","start"] -# Install proto3 -FROM golang AS proto3 -ARG DESTDIR=/build -RUN apt-get update && apt-get install -y --no-install-recommends \ - autoconf \ - automake \ - g++ \ - libtool \ - unzip \ - && rm -rf /var/lib/apt/lists/* - -COPY script/setup/install-protobuf install-protobuf -RUN ./install-protobuf \ - && mkdir -p $DESTDIR/usr/local/bin $DESTDIR/usr/local/include \ - && mv /usr/local/bin/protoc $DESTDIR/usr/local/bin/protoc \ - && mv /usr/local/include/google $DESTDIR/usr/local/include/google - FROM build-env AS dev -COPY --from=proto3 /build/ / COPY --from=runc /build/ / COPY . . From a6f03a7d56411648c2e97085ae8e120120c06b6b Mon Sep 17 00:00:00 2001 
From: Alex Chernyakhovsky Date: Fri, 6 Feb 2026 16:29:08 -0500 Subject: [PATCH 2/3] apparmor: explicitly set abi/3.0 This change sets the AppArmor policy used by containerd to indicate it is `abi/3.0`. This was chosen based on some code archeology which indicated that containerd 1.7 came out in March 2023, before the AppArmor 4.0 ABI. The AppArmor policies themselves date to much older; the last apparmor version-checks were removed in 4baa1876ba45ffdab9059753215aa1c5d6f79b1d and c990e3f2ed88637ac084d32c08f658b211298b61, and both were looking for AppArmor 2.8.96 or older, pointing to abi/3.0 being the "correct" one to pick. Nothing is preventing containerd from migrating to a newer AppArmor ABI; note, however, that anything newer than `abi/4.0` will need modifications to preserve UNIX domain sockets. This was tested by building a custom k3s v1.35.0+k3s3, with the following modification: ``` diff --git a/go.mod b/go.mod index 4e7bacd204..0fcaf76b8f 100644 --- a/go.mod +++ b/go.mod 
@@ -8,7 +8,7 @@ replace ( github.com/cilium/ebpf => github.com/cilium/ebpf v0.12.3 github.com/cloudnativelabs/kube-router/v2 => github.com/k3s-io/kube-router/v2 v2.6.3-k3s1 github.com/containerd/containerd/api => github.com/containerd/containerd/api v1.9.0 - github.com/containerd/containerd/v2 => github.com/k3s-io/containerd/v2 v2.1.5-k3s1 + github.com/containerd/containerd/v2 => github.com/achernya/containerd/v2 v2.0.0-20260206214308-5e0dce89c422 github.com/containerd/imgcrypt => github.com/containerd/imgcrypt v1.1.11 github.com/containerd/stargz-snapshotter => github.com/k3s-io/stargz-snapshotter v0.17.0-k3s1 github.com/docker/distribution => github.com/docker/distribution v2.8.3+incompatible ``` to use a precursor to this commit. Once built, the resulting k3s was tested on a brand-new Proxmox installation: ``` root@containerd-test:~# uname -a Linux containerd-test 6.17.2-1-pve #1 SMP PREEMPT_DYNAMIC PMX 6.17.2-1 (2025-10-21T11:55Z) x86_64 GNU/Linux root@containerd-test:~# pveversion pve-manager/9.1.1/42db4a6cf33dac83 (running kernel: 6.17.2-1-pve) ``` Files were copied over: ``` achernya@achernya-dev:~/src/k3s$ scp -r dist/artifacts/ root@containerd-test: ``` and installed ``` root@containerd-test:~# mkdir -p /var/lib/rancher/k3s/agent/images/ /usr/local/bin root@containerd-test:~# cp artifacts/k3s /usr/local/bin/ root@containerd-test:~# cp artifacts/k3s-airgap-images-amd64.tar.zst /var/lib/rancher/k3s/agent/images/ ``` then finally started with `k3s server`. 
Argo CD was then installed: ``` root@containerd-test:~# k3s kubectl create namespace argocd namespace/argocd created root@containerd-test:~# k3s kubectl apply -n argocd --server-side --force-conflicts -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml [elided] root@containerd-test:~# k3s kubectl get pods -A NAMESPACE NAME READY STATUS RESTARTS AGE argocd argocd-application-controller-0 1/1 Running 0 31s argocd argocd-applicationset-controller-77475dfcf-6b4cb 1/1 Running 0 32s argocd argocd-dex-server-6485c5ddf5-ckp5s 1/1 Running 0 32s argocd argocd-notifications-controller-758f795776-djx69 1/1 Running 0 32s argocd argocd-redis-6cc4bb5db5-lt9fh 1/1 Running 0 32s argocd argocd-repo-server-c76cf57cd-mr4mc 1/1 Running 0 32s argocd argocd-server-6f85b59c87-w6cns 0/1 Running 0 32s kube-system coredns-6b4688786f-pnds2 1/1 Running 0 4m1s kube-system helm-install-traefik-crd-cn28g 0/1 Completed 0 4m1s kube-system helm-install-traefik-hc9gp 0/1 Completed 2 4m1s kube-system local-path-provisioner-6bc6568469-7wglx 1/1 Running 0 4m1s kube-system metrics-server-77dbbf84b-nqzsc 1/1 Running 0 4m1s kube-system svclb-traefik-fe6d3a0b-z7jsp 2/2 Running 0 3m14s kube-system traefik-5fdc878c8d-cjhx5 1/1 Running 0 3m15s ``` Fixes: #12726 Signed-off-by: Alex Chernyakhovsky --- contrib/apparmor/template.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/contrib/apparmor/template.go b/contrib/apparmor/template.go index 3701c90ede148..263c09d1bdf22 100644 --- a/contrib/apparmor/template.go +++ b/contrib/apparmor/template.go @@ -40,6 +40,8 @@ import ( const dir = "/etc/apparmor.d" const defaultTemplate = ` +abi , + {{range $value := .Imports}} {{$value}} {{end}} From 1551986af47067488deaa7428d04e6f89d3b6d36 Mon Sep 17 00:00:00 2001 
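Review bot: The added template line renders here as `abi ,`, i.e. without the angle-bracketed path; the description says the intended rule is `abi <abi/3.0>,`, so please confirm the committed raw string carries the `<abi/3.0>` token (this looks like the page rendering dropping `<…>`), because a bare `abi ,` would be rejected by apparmor_parser and the whole profile would fail to load rather than degrade. Pinning the ABI also freezes which mediation classes the parser enables for this profile, and the description itself notes that anything past abi/4.0 changes UNIX domain socket handling, so the choice deserves a why-comment in the template rather than only in the commit message, e.g. `# Pin the policy ABI: these rules were written against abi/3.0; moving beyond abi/4.0 needs rule changes to keep UNIX domain sockets working.` Since the description says the old apparmor version checks were removed, it is worth verifying that the oldest apparmor_parser still in the support matrix accepts `abi` rules and ships `/etc/apparmor.d/abi/3.0`, as I believe a parser or host without them rejects the profile outright. Placing the rule ahead of the `{{range .Imports}}` includes is correct, as the ABI must be declared before any include or profile body.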
From: Sebastiaan van Stijn Date: Sat, 7 Feb 2026 21:55:44 +0100 Subject: [PATCH 3/3] update to go1.24.13, go1.25.7 go1.25.7 (released 2026-02-04) includes security fixes to the go command and the crypto/tls package, as well as bug fixes to the compiler and the crypto/x509 package. See the Go 1.25.7 milestone on our issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.25.7+label%3ACherryPickApproved full diff: https://github.com/golang/go/compare/go1.25.6...go1.25.7 From the security mailing list: > Hello gophers, > > We have just released Go versions 1.25.7 and 1.24.13, minor point releases. > > These releases include 2 security fixes following the security policy: > > - cmd/cgo: remove user-content from doc strings in cgo ASTs > > A discrepancy between how Go and C/C++ comments > were parsed allowed for code smuggling into the > resulting cgo binary. > > To prevent this behavior, the cgo compiler > will no longer parse user-provided doc > comments. > > Thank you to RyotaK (https://ryotak.net) of > GMO Flatt Security Inc. for reporting this issue. > > This is CVE-2025-61732 and https://go.dev/issue/76697. > > - crypto/tls: unexpected session resumption when using Config.GetConfigForClient > > Config.GetConfigForClient is documented to use the original Config's session > ticket keys unless explicitly overridden. This can cause unexpected behavior if > the returned Config modifies authentication parameters, like ClientCAs: a > connection initially established with the parent (or a sibling) Config can be > resumed, bypassing the modified authentication requirements. > > If ClientAuth is VerifyClientCertIfGiven or RequireAndVerifyClientCert (on the > server) or InsecureSkipVerify is false (on the client), crypto/tls now checks > that the root of the previously-verified chain is still in ClientCAs/RootCAs > when resuming a connection. 
> > Go 1.26 Release Candidate 2, Go 1.25.6, and Go 1.24.12 had fixed a similar issue > related to session ticket keys being implicitly shared by Config.Clone. Since > this fix is broader, the Config.Clone behavior change has been reverted. > > Note that VerifyPeerCertificate still behaves as documented: it does not apply > to resumed connections. Applications that use Config.GetConfigForClient or > Config.Clone and do not wish to blindly resume connections established with the > original Config must use VerifyConnection instead (or SetSessionTicketKeys or > SessionTicketsDisabled). > > Thanks to Coia Prant (github.com/rbqvq) for reporting this issue. > > This updates CVE-2025-68121 and Go issue https://go.dev/issue/77217. Signed-off-by: Sebastiaan van Stijn --- .devcontainer/devcontainer.json | 2 +- .github/actions/install-go/action.yml | 2 +- .github/workflows/api-release.yml | 2 +- .github/workflows/ci.yml | 2 +- .github/workflows/release/Dockerfile | 2 +- Vagrantfile | 2 +- contrib/Dockerfile.test | 2 +- contrib/fuzz/oss_fuzz_build.sh | 4 ++-- script/setup/prepare_env_windows.ps1 | 2 +- 9 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 9b969be499953..10b4efa7cbea3 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -12,7 +12,7 @@ "features": { "ghcr.io/devcontainers/features/docker-in-docker:2": {}, "ghcr.io/devcontainers/features/go:1": { - "version": "1.24.12" + "version": "1.24.13" } }, diff --git a/.github/actions/install-go/action.yml b/.github/actions/install-go/action.yml index edc5ae011efb5..f40057faf4e35 100644 --- a/.github/actions/install-go/action.yml +++ b/.github/actions/install-go/action.yml @@ -3,7 +3,7 @@ description: "Reusable action to install Go, so there is one place to bump Go ve inputs: go-version: required: true - default: "1.24.12" + default: "1.24.13" description: "Go version to install" runs: 
diff --git a/.github/workflows/api-release.yml b/.github/workflows/api-release.yml index f3d9e69a4a082..6636811ae2574 100644 --- a/.github/workflows/api-release.yml +++ b/.github/workflows/api-release.yml @@ -6,7 +6,7 @@ on: name: API Release env: - GO_VERSION: "1.24.12" + GO_VERSION: "1.24.13" permissions: # added using https://github.com/step-security/secure-workflows contents: read diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9fa85ddfd3d3a..5b579e32d4381 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -187,7 +187,7 @@ jobs: strategy: matrix: os: [ubuntu-latest, ubuntu-24.04-arm, macos-latest, windows-latest] - go-version: ["1.24.12", "1.25.6"] + go-version: ["1.24.13", "1.25.7"] exclude: - os: ${{ github.event.repository.private && 'ubuntu-24.04-arm' || '' }} steps: diff --git a/.github/workflows/release/Dockerfile b/.github/workflows/release/Dockerfile index 330ff14ac29f6..3965ec699ed76 100644 --- a/.github/workflows/release/Dockerfile +++ b/.github/workflows/release/Dockerfile @@ -14,7 +14,7 @@ ARG UBUNTU_VERSION=22.04 ARG BASE_IMAGE=ubuntu:${UBUNTU_VERSION} -ARG GO_VERSION=1.24.12 +ARG GO_VERSION=1.24.13 ARG GO_IMAGE=golang:${GO_VERSION} FROM --platform=$BUILDPLATFORM $GO_IMAGE AS go FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.6.1@sha256:923441d7c25f1e2eb5789f82d987693c47b8ed987c4ab3b075d6ed2b5d6779a3 AS xx diff --git a/Vagrantfile b/Vagrantfile index 97cc3dd06c0d2..f3bc611450b76 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -107,7 +107,7 @@ EOF config.vm.provision "install-golang", type: "shell", run: "once" do |sh| sh.upload_path = "/tmp/vagrant-install-golang" sh.env = { - 'GO_VERSION': ENV['GO_VERSION'] || "1.24.12", + 'GO_VERSION': ENV['GO_VERSION'] || "1.24.13", } sh.inline = <<~SHELL #!/usr/bin/env bash diff --git a/contrib/Dockerfile.test b/contrib/Dockerfile.test index baeb4059e1846..db5af3e7c224d 100644 --- a/contrib/Dockerfile.test +++ b/contrib/Dockerfile.test 
@@ -34,7 +34,7 @@ # docker run --privileged --group-add keep-groups -v ./critest_exit_code.txt:/tmp/critest_exit_code.txt containerd-test # ------------------------------------------------------------------------------ -ARG GOLANG_VERSION=1.24.12 +ARG GOLANG_VERSION=1.24.13 ARG GOLANG_IMAGE=golang FROM ${GOLANG_IMAGE}:${GOLANG_VERSION} AS golang diff --git a/contrib/fuzz/oss_fuzz_build.sh b/contrib/fuzz/oss_fuzz_build.sh index 99651875688b7..7eba9d3d343bd 100755 --- a/contrib/fuzz/oss_fuzz_build.sh +++ b/contrib/fuzz/oss_fuzz_build.sh @@ -39,11 +39,11 @@ compile_fuzzers() { apt-get update && apt-get install -y wget cd $SRC -wget --quiet https://go.dev/dl/go1.24.12.linux-amd64.tar.gz +wget --quiet https://go.dev/dl/go1.24.13.linux-amd64.tar.gz mkdir temp-go rm -rf /root/.go/* -tar -C temp-go/ -xzf go1.24.12.linux-amd64.tar.gz +tar -C temp-go/ -xzf go1.24.13.linux-amd64.tar.gz mv temp-go/go/* /root/.go/ cd $SRC/containerd diff --git a/script/setup/prepare_env_windows.ps1 b/script/setup/prepare_env_windows.ps1 index 7123ef140913b..0e62560092ad7 100644 --- a/script/setup/prepare_env_windows.ps1 +++ b/script/setup/prepare_env_windows.ps1 @@ -5,7 +5,7 @@ # lived test environment. Set-MpPreference -DisableRealtimeMonitoring:$true -$PACKAGES= @{ mingw = "10.2.0"; git = ""; golang = "1.24.12"; make = ""; nssm = "" } +$PACKAGES= @{ mingw = "10.2.0"; git = ""; golang = "1.24.13"; make = ""; nssm = "" } Write-Host "Downloading chocolatey package" curl.exe -L "https://packages.chocolatey.org/chocolatey.0.10.15.nupkg" -o 'c:\choco.zip'