Update containerd_version to >=1.6.12

[dims]

There's a leak we should pick up newer versions of containerd for:
GHSA-2qjp-425j-52j9

thanks,
Dims

[cartermckinnon]

I've reached out to the Amazon Linux team about getting this updated; I'll track progress here.

[dims]

🙏🏾 thanks @cartermckinnon

[RothAndrew]

@cartermckinnon what did the Amazon Linux team say?

[mkilchhofer]

We at @swisspost would also apreciate this upgrade. We need at least 1.6.7 to have things around seccompProfile fixed:

Allow ptrace(2) by default for kernels >= 4.8 (containerd/containerd#7171)

Our dotnet core workload needs to have PTRACE capabilities to do memory dumps:

• dotnet-dump in container doesn't work due to ptrace restriction dotnet/runtime#80898 (comment)

[cartermckinnon]

The AL team has staged 1.6.19 for release to the public repositories. I expect that to happen within a couple of weeks; and we'll release an AMI containing the updated package in quick succession.

[mkilchhofer]

Is there already an ETA?
I think it would be a good idea to close two CVEs soon:

• CVE-2023-25173
• CVE-2023-25153

Update:
Oh since PR #1247 containerd patch version isn't hardcoded anymore.

[cartermckinnon]

The latest AMI release (v20230406) contains containerd-1.6.19-1.amzn2.0.1.