[pull] main from containerd:main #245
Merged
pull[bot] merged 6 commits into meonBot:main from Feb 19, 2026
When the local transfer plugin is instantiated, it loads verifiers through `ic.GetByType()`, which returns `ErrPluginNotFound` if no plugins of the given type are available. This would happen if users explicitly disabled the bindir plugin.

Users may wish to disable that plugin to prevent containerd from executing arbitrary binaries on the host (e.g. when running rootless). Currently, the only way to achieve that is to set bindir's param `bin_dir` to the empty string, but that seems more fragile than disabling the plugin altogether.

The local transfer plugin is already checking if there are no plugins available, and takes action accordingly. Thus, not handling `ErrPluginNotFound` seems to be an oversight.

Signed-off-by: Albin Kerouanton <albin.kerouanton@docker.com>
The current AppArmor profile intends to block write access to everything
in `/proc`, except for `/proc/<pid>` and `/proc/sys/kernel/shm*`.
Currently the rules block access to everything in `/proc/sys`, and do
not successfully allow access to `/proc/sys/kernel/shm*`. Specifically,
a path like /proc/sys/kernel/shmmax matches this part of the pattern:
    deny @{PROC}/{[^1-9][^0-9][^0-9][^0-9]* }/** w,
         /proc  / s     y     s     /kernel  /shmmax
This downstreams the patch from [moby@66f14e4] to the containerd profile,
and updates the rule so that it works as intended.
[moby@66f14e4]: moby/moby@66f14e4
Co-authored-by: Phil Sphicas <phil.sphicas@att.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
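
The match described in the commit message above, reproduced as an added example (not code from this PR or from containerd). It models only the one alternation branch quoted in the message, using a simplified glob-to-regex translation; `aa_glob_to_regex`, `class_matches` and the sample paths are constructed for illustration.

```python
import re

# Simplified AppArmor globbing (assumption, following the commit message):
#   *    -> any run of characters except "/"
#   **   -> any run of characters including "/"
#   [..] -> one character; a negated class such as [^0-9] also matches "/"
def aa_glob_to_regex(glob, variables):
    for name, value in variables.items():
        glob = glob.replace("@{" + name + "}", value)
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")
            i += 1
        elif glob[i] == "[":
            end = glob.index("]", i)
            out.append("(" + glob[i:end + 1] + ")")  # capture each class
            i = end + 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(out), re.DOTALL)

# The single alternation branch quoted in the commit message, written
# here as a rule path of its own (the rest of the rule is not modelled).
BRANCH = "@{PROC}/[^1-9][^0-9][^0-9][^0-9]*/**"
RULE = aa_glob_to_regex(BRANCH, {"PROC": "/proc"})

def class_matches(path):
    """Characters consumed by the four bracket classes, or None if no match."""
    m = RULE.fullmatch(path)
    return list(m.groups()) if m else None

# Constructed sample paths.
SAMPLES = [
    "/proc/sys/kernel/shmmax",  # three-letter directory: should not hit this branch
    "/proc/acpi/wakeup",        # four-letter directory: what the branch is meant for
    "/proc/1234/mem",           # per-process directory: excluded by [^1-9]
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p, "->", class_matches(p))
```

For `/proc/sys/kernel/shmmax` the fourth class consumes the `/` after `sys`, which is how a three-character directory name ends up matching a branch written for names of four or more characters.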
generating protos produced a warning:
WARN plugin "protoc-gen-go-fieldpath" does not support required features. Feature "proto3 optional" is required by 1 file(s): services/images/v1/images.proto
Implement handling for optional fields (nillable / pointer)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
contrib/apparmor: fix /proc/sys rule
cmd/protoc-gen-go-fieldpath: add support for optional fields
…rifier Don't bail out if no image verifiers available
See Commits and Changes for more details.
Created by pull[bot] (v2.0.0-alpha.4)