containerd
diff --git a/‎.github/workflows/ghcr-image-build-and-publish.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/ghcr-image-build-and-publish.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/release.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/test.yml‎
Lines changed: 79 additions & 35 deletions b/‎.github/workflows/test.yml‎
Lines changed: 79 additions & 35 deletions
diff --git a/‎Dockerfile‎
Lines changed: 18 additions & 18 deletions b/‎Dockerfile‎
Lines changed: 18 additions & 18 deletions
diff --git a/‎Dockerfile.d/SHA256SUMS.d/buildkit-v0.15.2‎
Lines changed: 2 additions & 0 deletions b/‎Dockerfile.d/SHA256SUMS.d/buildkit-v0.15.2‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎Dockerfile.d/SHA256SUMS.d/cni-plugins-v1.5.1‎
Lines changed: 2 additions & 0 deletions b/‎Dockerfile.d/SHA256SUMS.d/cni-plugins-v1.5.1‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎Dockerfile.d/SHA256SUMS.d/rootlesskit-v2.3.1‎
Lines changed: 6 additions & 0 deletions b/‎Dockerfile.d/SHA256SUMS.d/rootlesskit-v2.3.1‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎Dockerfile.d/SHA256SUMS.d/slirp4netns-v1.3.1‎
Lines changed: 6 additions & 0 deletions b/‎Dockerfile.d/SHA256SUMS.d/slirp4netns-v1.3.1‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎Dockerfile.d/test-integration-rootless.sh‎
Lines changed: 2 additions & 2 deletions b/‎Dockerfile.d/test-integration-rootless.sh‎
Lines changed: 2 additions & 2 deletions
@@ -23,7 +23,7 @@ env:
 jobs:
   build:
 
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
       contents: read
       packages: write
 
@@ -9,13 +9,13 @@ env:
   GO111MODULE: on
 jobs:
   release:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 40
     steps:
     - uses: actions/[email protected]
     - uses: actions/setup-go@v5
       with:
-        go-version: 1.21.x
+        go-version: 1.23.x
     - name: "Compile binaries"
       run: make artifacts
     - name: "SHA256SUMS"
 
@@ -8,12 +8,12 @@ on:
   pull_request:
 
 env:
-  GO_VERSION: 1.21.x
+  GO_VERSION: 1.23.x
 
 jobs:
   project:
     name: Project Checks
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 20
     steps:
       - uses: actions/[email protected]
@@ -34,7 +34,7 @@ jobs:
         working-directory: src/github.com/containerd/nerdctl
 
   lint:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 20
     steps:
       - uses: actions/[email protected]
@@ -46,15 +46,15 @@ jobs:
           check-latest: true
           cache: true
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v3.7.0
+        uses: golangci/golangci-lint-action@v6.1.0
         with:
-          version: v1.55.2
+          version: v1.60.1
           args: --verbose
       - name: yamllint-lint
         run: yamllint .
 
   test-unit:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 20
     steps:
       - uses: actions/[email protected]
@@ -74,16 +74,20 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        # ubuntu-20.04: cgroup v1, ubuntu-22.04: cgroup v2
+        # ubuntu-20.04: cgroup v1, ubuntu-22.04 and later: cgroup v2
         include:
           - ubuntu: 20.04
             containerd: v1.6.31
           - ubuntu: 20.04
-            containerd: v1.7.16
+            containerd: v1.7.22
           - ubuntu: 22.04
-            containerd: v1.7.16
+            containerd: v1.7.22
           - ubuntu: 22.04
             containerd: main
+          - ubuntu: 24.04
+            containerd: v1.7.22
+          - ubuntu: 24.04
+            containerd: main
     env:
       UBUNTU_VERSION: "${{ matrix.ubuntu }}"
       CONTAINERD_VERSION: "${{ matrix.containerd }}"
@@ -110,10 +114,10 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        # ubuntu-20.04: cgroup v1, ubuntu-22.04: cgroup v2
+        # ubuntu-20.04: cgroup v1, ubuntu-22.04 and later: cgroup v2
         include:
-          - ubuntu: 22.04
-            containerd: v1.7.16
+          - ubuntu: 24.04
+            containerd: v1.7.22
     env:
       UBUNTU_VERSION: "${{ matrix.ubuntu }}"
       CONTAINERD_VERSION: "${{ matrix.containerd }}"
@@ -154,47 +158,78 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        # ubuntu-22.04: cgroup v1, ubuntu-22.04: cgroup v2
+        # ubuntu-20.04: cgroup v1, ubuntu-22.04 and later: cgroup v2
         include:
           - ubuntu: 20.04
             containerd: v1.6.31
             rootlesskit: v1.1.1
             target: test-integration-rootless
           - ubuntu: 20.04
-            containerd: v1.7.16
-            rootlesskit: v2.0.2
+            containerd: v1.7.22
+            rootlesskit: v2.3.1
             target: test-integration-rootless
           - ubuntu: 22.04
-            containerd: v1.7.16
+            containerd: v1.7.22
             rootlesskit: v1.1.1
             target: test-integration-rootless
           - ubuntu: 22.04
-            containerd: main
-            rootlesskit: v2.0.2
+            containerd: main  # v2.0.0-rc.X
+            rootlesskit: v2.3.1
+            target: test-integration-rootless
+          - ubuntu: 24.04
+            containerd: v1.7.22
+            rootlesskit: v1.1.1
+            target: test-integration-rootless
+          - ubuntu: 24.04
+            containerd: main  # v2.0.0-rc.X
+            rootlesskit: v2.3.1
             target: test-integration-rootless
           - ubuntu: 20.04
             containerd: v1.6.31
             rootlesskit: v1.1.1
             target: test-integration-rootless-port-slirp4netns
           - ubuntu: 20.04
-            containerd: v1.7.16
-            rootlesskit: v2.0.2
+            containerd: v1.7.22
+            rootlesskit: v2.3.1
             target: test-integration-rootless-port-slirp4netns
           - ubuntu: 22.04
-            containerd: v1.7.16
+            containerd: v1.7.22
             rootlesskit: v1.1.1
             target: test-integration-rootless-port-slirp4netns
           - ubuntu: 22.04
-            containerd: main
-            rootlesskit: v2.0.2
+            containerd: main  # v2.0.0-rc.X
+            rootlesskit: v2.3.1
+            target: test-integration-rootless-port-slirp4netns
+          - ubuntu: 24.04
+            containerd: v1.7.22
+            rootlesskit: v1.1.1
+            target: test-integration-rootless-port-slirp4netns
+          - ubuntu: 24.04
+            containerd: main  # v2.0.0-rc.X
+            rootlesskit: v2.3.1
             target: test-integration-rootless-port-slirp4netns
     env:
       UBUNTU_VERSION: "${{ matrix.ubuntu }}"
       CONTAINERD_VERSION: "${{ matrix.containerd }}"
       ROOTLESSKIT_VERSION: "${{ matrix.rootlesskit }}"
       TEST_TARGET: "${{ matrix.target }}"
     steps:
-      - uses: actions/[email protected]
+      - name: "Set up AppArmor"
+        if: matrix.ubuntu == '24.04'
+        run: |
+          cat <<EOT | sudo tee "/etc/apparmor.d/usr.local.bin.rootlesskit"
+          abi <abi/4.0>,
+          include <tunables/global>
+
+          /usr/local/bin/rootlesskit flags=(unconfined) {
+            userns,
+
+            # Site-specific additions and overrides. See local/README for details.
+            include if exists <local/usr.local.bin.rootlesskit>
+          }
+          EOT
+          sudo systemctl restart apparmor.service
+      - uses: actions/[email protected]
         with:
           fetch-depth: 1
       - name: "Register QEMU (tonistiigi/binfmt)"
@@ -205,11 +240,11 @@ jobs:
         run: docker run -t --rm --privileged -e WORKAROUND_ISSUE_622=1 ${TEST_TARGET}
 
   cross:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 40
     strategy:
       matrix:
-        go-version: ["1.21.x", "1.22.x"]
+        go-version: ["1.22.x", "1.23.x"]
     steps:
       - uses: actions/[email protected]
         with:
@@ -223,8 +258,8 @@ jobs:
         run: GO_VERSION="$(echo ${{ matrix.go-version }} | sed -e s/.x//)" make artifacts
 
   test-integration-docker-compatibility:
-    runs-on: ubuntu-22.04
-    timeout-minutes: 30
+    runs-on: ubuntu-22.04  # TODO: ubuntu-24.04
+    timeout-minutes: 45
     steps:
       - uses: actions/[email protected]
         with:
@@ -234,15 +269,25 @@ jobs:
           go-version: ${{ env.GO_VERSION }}
           cache: true
           check-latest: true
-      - name: "Enable BuildKit"
+      - name: "Install Docker v24"
         run: |
           set -eux -o pipefail
+          # Uninstall the preinstalled Docker
+          sudo apt-get remove docker-* containerd.io
           # Enable BuildKit explicitly
           sudo apt-get install -y moreutils
           cat /etc/docker/daemon.json
           jq '.features.buildkit = true' </etc/docker/daemon.json  | sudo sponge /etc/docker/daemon.json
           cat /etc/docker/daemon.json
-          sudo systemctl restart docker
+          # Download Docker packages
+          curl -OSL https://download.docker.com/linux/ubuntu/dists/jammy/pool/stable/amd64/containerd.io_1.6.33-1_amd64.deb
+          curl -OSL https://download.docker.com/linux/ubuntu/dists/jammy/pool/stable/amd64/docker-ce_24.0.9-1~ubuntu.22.04~jammy_amd64.deb
+          curl -OSL https://download.docker.com/linux/ubuntu/dists/jammy/pool/stable/amd64/docker-ce-cli_24.0.9-1~ubuntu.22.04~jammy_amd64.deb
+          curl -OSL https://download.docker.com/linux/ubuntu/dists/jammy/pool/stable/amd64/docker-buildx-plugin_0.13.1-1~ubuntu.22.04~jammy_amd64.deb
+          curl -OSL https://download.docker.com/linux/ubuntu/dists/jammy/pool/stable/amd64/docker-compose-plugin_2.25.0-1~ubuntu.22.04~jammy_amd64.deb
+          # Install Docker
+          sudo apt-get install -y ./*.deb
+          rm -f ./*.deb
           # Print docker info
           docker info
           docker version
@@ -276,25 +321,24 @@ jobs:
       - uses: actions/[email protected]
         with:
           repository: containerd/containerd
-          ref: v1.7.16
+          ref: v1.7.22
           path: containerd
           fetch-depth: 1
       - name: "Set up CNI"
         working-directory: containerd
         run: GOPATH=$(go env GOPATH) script/setup/install-cni-windows
       - name: "Set up containerd"
         env:
-          ctrdVersion: 1.7.16
+          ctrdVersion: 1.7.22
         run: powershell hack/configure-windows-ci.ps1
       # TODO: Run unit tests
       - name: "Run integration tests"
         run: go test -v ./cmd/...
 
   test-integration-freebsd:
     name: FreeBSD
-    # "Larger" runner is needed for nested virtualization
-    # https://github.com/organizations/containerd/settings/actions/runners
-    runs-on: ubuntu-latest-4-cores
+    # ubuntu-24.04 lacks the vagrant package
+    runs-on: ubuntu-22.04
     timeout-minutes: 20
 
     steps:
 
@@ -18,43 +18,43 @@
 # TODO: verify commit hash
 
 # Basic deps
-ARG CONTAINERD_VERSION=v1.7.16
-ARG RUNC_VERSION=v1.1.12
-ARG CNI_PLUGINS_VERSION=v1.4.1
+ARG CONTAINERD_VERSION=v1.7.22
+ARG RUNC_VERSION=v1.1.14
+ARG CNI_PLUGINS_VERSION=v1.5.1
 
 # Extra deps: Build
-ARG BUILDKIT_VERSION=v0.12.5
+ARG BUILDKIT_VERSION=v0.15.2
 # Extra deps: Lazy-pulling
 ARG STARGZ_SNAPSHOTTER_VERSION=v0.15.1
 # Extra deps: Encryption
-ARG IMGCRYPT_VERSION=v1.1.10
+ARG IMGCRYPT_VERSION=v1.1.11
 # Extra deps: Rootless
-ARG ROOTLESSKIT_VERSION=v2.0.2
-ARG SLIRP4NETNS_VERSION=v1.2.3
+ARG ROOTLESSKIT_VERSION=v2.3.1
+ARG SLIRP4NETNS_VERSION=v1.3.1
 # Extra deps: bypass4netns
-ARG BYPASS4NETNS_VERSION=v0.4.0
+ARG BYPASS4NETNS_VERSION=v0.4.1
 # Extra deps: FUSE-OverlayFS
 ARG FUSE_OVERLAYFS_VERSION=v1.13
 ARG CONTAINERD_FUSE_OVERLAYFS_VERSION=v1.0.8
 # Extra deps: IPFS
-ARG KUBO_VERSION=v0.27.0
+ARG KUBO_VERSION=v0.29.0
 # Extra deps: Init
 ARG TINI_VERSION=v0.19.0
 # Extra deps: Debug
 ARG BUILDG_VERSION=v0.4.1
 
 # Test deps
-ARG GO_VERSION=1.21
-ARG UBUNTU_VERSION=22.04
+ARG GO_VERSION=1.23
+ARG UBUNTU_VERSION=24.04
 ARG CONTAINERIZED_SYSTEMD_VERSION=v0.1.1
-ARG GOTESTSUM_VERSION=v1.11.0
-ARG NYDUS_VERSION=v2.2.4
-ARG SOCI_SNAPSHOTTER_VERSION=0.4.0
+ARG GOTESTSUM_VERSION=v1.12.0
+ARG NYDUS_VERSION=v2.2.5
+ARG SOCI_SNAPSHOTTER_VERSION=0.7.0
 
-FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.3.0 AS xx
+FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.5.0 AS xx
 
 
-FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-bullseye AS build-base-debian
+FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-bookworm AS build-base-debian
 COPY --from=xx / /
 ENV DEBIAN_FRONTEND=noninteractive
 RUN apt-get update && \
@@ -63,7 +63,7 @@ ARG TARGETARCH
 # libbtrfs: for containerd
 # libseccomp: for runc and bypass4netns
 RUN xx-apt-get update && \
-  xx-apt-get install -y binutils gcc libc6-dev libbtrfs-dev libseccomp-dev
+  xx-apt-get install -y binutils gcc libc6-dev libbtrfs-dev libseccomp-dev pkg-config
 
 FROM build-base-debian AS build-containerd
 ARG TARGETARCH
@@ -323,7 +323,7 @@ RUN apt-get update && \
   apt-get install -qq -y \
   uidmap \
   openssh-server openssh-client
-# TODO: update containerized-systemd to enable sshd by default, or allow `systemctl wants <TARGET> sshd` here
+# TODO: update containerized-systemd to enable sshd by default, or allow `systemctl wants <TARGET> ssh` here
 RUN ssh-keygen -q -t rsa -f /root/.ssh/id_rsa -N '' && \
   useradd -m -s /bin/bash rootless && \
   mkdir -p -m 0700 /home/rootless/.ssh && \
 
@@ -0,0 +1,2 @@
+59279df5853bef19a03ec15c5c31b772e59d91d079ab0221e1bafa023cf41c35  buildkit-v0.15.2.linux-amd64.tar.gz
+15329adaa5e5b2bea0580f3e5e33765f84504075710bb791e362c3b160ca7e61  buildkit-v0.15.2.linux-arm64.tar.gz
@@ -0,0 +1,2 @@
+77baa2f669980a82255ffa2f2717de823992480271ee778aa51a9c60ae89ff9b  cni-plugins-linux-amd64-v1.5.1.tgz
+c2a292714d0fad98a3491ae43df8ad58354b3c0bdf5d5a3e281777967c70fcff  cni-plugins-linux-arm64-v1.5.1.tgz
@@ -0,0 +1,6 @@
+57bc67f71b8043961417325be13528d4f1e8ec90876cd34c38064431f457070f  rootlesskit-aarch64.tar.gz
+5154542509736957738478e3624b53865a875c396f978db5adea513d7507dee6  rootlesskit-armv7l.tar.gz
+983642556dd3dcbe2c9b764d577882016ad1ca960815ffa13ca76d7da518504f  rootlesskit-ppc64le.tar.gz
+83c40bb8938828eb15837a4900ba825a1f52227631195c22df85f2e8f7f73546  rootlesskit-riscv64.tar.gz
+dd6c8bc7e1c9b5d8c775efcf40854ef1d25205060294f0654a77d996a7f4e172  rootlesskit-s390x.tar.gz
+caafdce18e0959f078b4b478d4f352ebf3d556e373265fc7831f1a6d70219ee0  rootlesskit-x86_64.tar.gz
@@ -0,0 +1,6 @@
+2dd9aac6c2e3203e53cb7b6e4b9fc7123e4e4a9716c8bb1d95951853059a6af5  slirp4netns-aarch64
+ed618c0f2c74014bb736e9e427e18c8791ad9d68311872a41b06fac0d7cb9ef2  slirp4netns-armv7l
+a10f70209cee0dd0532fea0e8b6bfde5d16dec5206fd4b3387d861721456de66  slirp4netns-ppc64le
+38209015c2f3f4619d9fc46610852887910f33c7a0b96f7d2aa835a7bbc73f31  slirp4netns-riscv64
+9f42718455b1f9cf4b6f0efee314b78e860b8c36dbbb6290f09c8fbedda9ff8a  slirp4netns-s390x
+4bc5d6c311f9fa7ae00ce54aefe10c2afaf0800fe9e99f32616a964ed804a9e1  slirp4netns-x86_64
@@ -27,7 +27,7 @@ if [[ "$(id -u)" = "0" ]]; then
 	fi
 
 	# Switch to the rootless user via SSH
-	systemctl start sshd
+	systemctl start ssh
 	exec ssh -o StrictHostKeyChecking=no rootless@localhost "$0" "$@"
 else
 	containerd-rootless-setuptool.sh install
@@ -48,7 +48,7 @@ else
 [proxy_plugins]
   [proxy_plugins."stargz"]
     type = "snapshot"
-    address = "/run/user/1000/containerd-stargz-grpc/containerd-stargz-grpc.sock"
+    address = "/run/user/$(id -u)/containerd-stargz-grpc/containerd-stargz-grpc.sock"
 EOF
 	systemctl --user restart containerd.service
 	containerd-rootless-setuptool.sh -- install-ipfs --init --offline # offline ipfs daemon for testing
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+59279df5853bef19a03ec15c5c31b772e59d91d079ab0221e1bafa023cf41c35 buildkit-v0.15.2.linux-amd64.tar.gz`
	`2`	`+15329adaa5e5b2bea0580f3e5e33765f84504075710bb791e362c3b160ca7e61 buildkit-v0.15.2.linux-arm64.tar.gz`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+77baa2f669980a82255ffa2f2717de823992480271ee778aa51a9c60ae89ff9b cni-plugins-linux-amd64-v1.5.1.tgz`
	`2`	`+c2a292714d0fad98a3491ae43df8ad58354b3c0bdf5d5a3e281777967c70fcff cni-plugins-linux-arm64-v1.5.1.tgz`