v0.10.0-rc.2

plumb AMD certs to workload containers (#1549)

confidential containers: Add AMD cert plumbing

Add logic to plumb AMD certificates to workload containers. The
assumption is that the certificates will be "fresh enough" for
necessary attestation and key release by the workflow and third
party services.

Additionally add error logging when UVM reference info file
is not found

Signed-off-by: Maksim An <[email protected]>

v0.9.5

What's Changed

• [release/0.9] Call container.Terminate() on shutdown timeouts #1554

Full Changelog: v0.9.4...v0.9.5

v0.9.4

What's Changed

• [release/0.9] Backport hostprocess fixes by @dcantah in #1465

Full Changelog: v0.9.3...v0.9.4

v0.9.3

What's Changed

• [release/0.9] Fix for linter issue on release/0.9 branch by @ameyag in #1385
• [release/0.9] Fix for port conflict with docker daemon by @ameyag in #1373
• [release/0.9] Query stats directly in-shim by @dcantah in #1403

Full Changelog: v0.9.2...v0.9.3

v0.8.24

What's Changed

• [release/0.8] Backport 'Bugfix for UnicodeString constructor' by @dcantah in #1306

Full Changelog: v0.8.23...v0.8.24

v0.9.2

What's Changed

• [release/0.9] Ignore ERROR_ACCESS_DENIED on Kill (#1252) by @gabriel-samfira in #1262
• [release/0.9] Backport TTY support for Host Process Containers by @dcantah in #1261
• [release/0.9] Wait for waitInitExit() to return #1249 by @gabriel-samfira in #1264
• [release/0.9] Add ws2022 image/build to cri-containerd tests (#1160) by @dcantah in #1274
• [release/0.9] Make kill noop on second run by @gabriel-samfira in #1275
• [release/0.9] Add ErrInvalidHandle and fix list stats by @gabriel-samfira in #1277

New Contributors

• @helsaawy made their first contribution in #1264

Full Changelog: v0.9.1...v0.9.2

v0.9.1

What's Changed

• [release/0.9] Fix commandline double quoting for job containers by @dcantah in #1226
• [release/0.9] go.mod: Bump ttrpc to 1.1.0 by @dcantah in #1225
• [release/0.9] Add reconnect logic for stdio pipes by @dcantah in #1227

Full Changelog: v0.9.0...v0.9.1

v0.8.23

What's Changed

• [release/0.8] Support specifying a specific logrus log level for shim log output by @dcantah in #1213
• [release/0.8] Add reconnect logic for stdio pipes by @dcantah in #1214
• [release/0.8] go.mod: Bump ttrpc to 1.1.0 by @dcantah in #1224

Full Changelog: v0.8.22...v0.8.23

v0.9.0

What's New

• The runhcs containerd shim now supports launching Host Process containers.
• LCOW layers can now be encrypted via dmverity.
• Process dumps can now be generated for WCOW and LCOW via an OCI annotation.
• LCOW container execs now run as whatever user the container was launched as, unless the spec was overridden with a different user.
• Shared memory is now configurable via an OCI annotation.
• WCOW supports extensible virtual disks as data disks.
• LCOW supports hugepage mounts if the kernel used is built with this support.

See the Changelog for the full list of changes!

Bug Fixes

• Fix duplicate "failed" in HCS error strings.
• Get rid of redundant logs in HCN version range checks.
• HNS v1 policy schemas now have correct omitEmpty fields.

See the Changelog for the full list of changes!

Changelog

• Enable scratch space encryption via annotation by @anmaxvl in #1095
• Enforce security policy at unmount by @SeanTAllen in #1162
• Make policy environment variable rules consts by @SeanTAllen in #1164
• Remove unused variable by @SeanTAllen in #1165
• Update naming in internal security policy tool by @SeanTAllen in #1166
• Rename variable in SecurityPolicyEnforcer by @SeanTAllen in #1168
• Rename EnforceStartContainerPolicy by @SeanTAllen in #1169
• fix vmAccess param usage in AddSCSI by @anmaxvl in #1167
• Change internal data structure in SecurityPolicyEnforcer by @SeanTAllen in #1171
• Update kernel driver annotation for accuracy by @katiewasnothere in #1172
• Rework how working directories function for job containers by @dcantah in #1137
• Add WCOW sandbox mount support by @dcantah in #1087
• Add support for passing in a virtual function index to assign pci device by @katiewasnothere in #1163
• Set PATHEXT for job containers to handle binaries with no extension by @dcantah in #1174
• Add process dump functionality for WCOW/LCOW by @dcantah in #1062
• Update json format for security policy by @SeanTAllen in #1173
• Rework LCOW username setup/exec behavior by @dcantah in #1178
• Refactor pod config generation in tests by @anmaxvl in #1180
• tests: Fix tests that used old pullRequiredLCOWImages func name by @anmaxvl in #1183
• Remove unused definitions in winapi by @dcantah in #1181
• Also run tests on Windows Server 2022 GitHub Runner by @TBBle in #1176
• tests: Fix ExecUser LCOW tests using old function signature by @anmaxvl in #1184
• Add unit tests for computeagent by @katiewasnothere in #1182
• Bump github.com/containerd/containerd from 1.5.4 to 1.5.7 in /test by @dependabot in #1185
• Bump github.com/containerd/containerd from 1.5.4 to 1.5.7 by @dependabot in #1186
• Add compute agent store for ncproxy reconnect by @katiewasnothere in #1097
• Update names of ncproxy proxy resources with test name included by @katiewasnothere in #1189
• Merge Microsoft/opengcs and Microsoft/hcsshim by @dcantah in #973
• Run late clone tests on 20H2+ builds only. by @ambarve in #1028
• Fix bug with VSMB & SCSI mounts on the same host path by @ambarve in #1021
• Support for storage space data disks by @ambarve in #998
• Add option to set no direct map by default on wcow VSMB devices by @katiewasnothere in #1030
• Read max 1MB data from panic.log by @ambarve in #1029
• Change Makefile file type from crlf to lf by @katiewasnothere in #1031
• support pod and container updates by @katiewasnothere in #931
• Add new flags to integration tests to specify virtstack by @dcantah in #1019
• Change VSMBNoDirectMap_WCOW_Hypervisor test to fix CI break by @dcantah in #1033
• fix break in cpu groups test on machines with build < 20124 by @katiewasnothere in #1036
• lf line endingify stray opengcs files by @dcantah in #1032
• Remotevm UVM implementation by @dcantah in #1023
• VHD with dm-verity by @SeanTAllen in #985
• Add tests for LCOW shared scratch space work by @dcantah in #955
• shim: Clean up delete invocation behavior by @kevpar in #1041
• Remove internal GCS connection functionality by @dcantah in #1038
• Add instructions to build containerd-shim and gcs binaries by @dcantah in #1034
• Add DnsSettings to ncproxy CreateEndpointRequest by @dcantah in #1026
• use requested stdio in call to exec in shim host by @katiewasnothere in #1044
• Added Support for NestedIpSet type in SetPolicy and a new Network Policy called NetworkACL policy by @netal in #1045
• Add DNSDomain to hns endpoint object by @dcantah in #1047
• add logic to stack lcow layers on a single VPMEM device by @anmaxvl in #930
• Read vhd verity footer by @anmaxvl in #1008
• fix wrong error logged when dm-verity footer read fails by @anmaxvl in #1054
• Get rid of redundant logs in HCN version range checks by @dcantah in #1053
• Add containerd-shim plumbing for job containers by @dcantah in #962
• Fix functional tests build and revendor by @katiewasnothere in #1063
• Remove ERROR_PROC_NOT_FOUND from error checks by @kevpar in #1064
• export annotations for use in test suite by @katiewasnothere in #1061
• Support specifying a specific logrus log level for shim log output by @dcantah in #1058
• Support registering and unregistering ncproxy as a Windows service by @dcantah in #1046
• Bump containerd to 1.5.2 by @aledbf in #1068
• Add missing 'functional' tag to test source by @TBBle in #1069
• Add support to dump stacks for ncproxy when requested by @katiewasnothere in #1070
• Fix lost span attribute for NameToGuid by @TBBle in #1071
• Remove leftover generated HCS2 schema file by @TBBle in #1074
• Add volume mount support for job containers by @dcantah in #1057
• Gate CRI update container tests behind feature flag by @dcantah in #1079
• Updating HNS v1 policy schemas with correct omitEmpty fields by @elweb9858 in #1078
• Fix relative paths (with dot) not working for job containers by @dcantah in #1081
• Add support for reading in device extension files for container create hcs document by @katiewasnothere in #1060
• Bump github.com/containerd/containerd from 1.5.2 to 1.5.4 in /test by @dependabot in #1082
• Bump github.com/containerd/containerd from 1.5.2 to 1.5.4 by @dependabot in #1083
• Bump github.com/opencontainers/runc from 1.0.0-rc93 to 1.0.0-rc95 by @dependabot in #1084
• tests: increase opengcs tests verbosity by @anmaxvl in #1088
• make container's shared memory configurable via annotation by @anmaxvl in #1052
• Support for extensible virtual disks as data disks by @ambarve in #1039
• Minor bug fixes by @ambarve in #1093
• Add support to encrypt SCSI scratch disks with dm-crypt by @AntonioND in #1090
• Add basis for allowing the creation of configuration enforcement in gcs by @SeanTAllen in #1094
• Add retry around wclayer operations for...

v0.8.22

Dependencies

• Revert containerd/containerd dependency to 1.4.9 to avoid some circular dependency issues in Kubernetes. See kubernetes/kubernetes#104827