fix(deps): update containerd

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/containerd/containerd	v1.7.15 -> v1.7.16
github.com/containerd/nerdctl	v1.7.5 -> v1.7.6

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

containerd/containerd (github.com/containerd/containerd)

v1.7.16: containerd 1.7.16

Compare Source

Welcome to the v1.7.16 release of containerd!

The sixteenth patch release for containerd 1.7 contains various fixes and updates.

Highlights

• Update AppArmor template to allow confined runc to kill containers (#​10129)
• Fix config import relative path glob (#​9834)
• Update AppArmor template to better support rootlesskit (#​10116)
• Update HTTP fallback to better account for TLS timeout and previous attempts (#​10112)
• Add support for HPC port forwarding (#​10008)
• Prevent GC from schedule itself with 0 period. (#​10102)
• Fix issue with using invalid token to retry fetching layer (#​10065)
• Automatically decompress archives for transfer service import (#​9989)
• Fix HTTPFallback fails when pushing manifest (#​10044)
• Add support for configuring otel from env and config deprecation notice (#​9992)
• Fix deadlock during NRI plugin registration (containerd/nri#79)

Build and Release Toolchain

• Update Go to 1.21.9 and 1.22.2 with net/http security fix (#​10115)

Container Runtime Interface (CRI)

• Fix CRI snapshotter root path when not under containerd root (#​10096)
• Fix network creation failure from CreatedAt time as 269 years ago (#​10122)
• Include userns info in PodSandboxStatus (#​9865)
• Fix default working directory Windows HostProcess containers (#​10071)
• Fix ListPodSandboxStats to skip sandboxes with missing tasks (#​10042)

Deprecations

• Add support for configuring otel from env and config deprecation notice (#​9992)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Samuel Karp
• Wei Fu
• Danny Canter
• Kazuyoshi Kato
• Kirtana Ashok
• Maksym Pavlenko
• Phil Estes
• Sebastiaan van Stijn
• Brian Goff
• Rodrigo Campos
• Akihiro Suda
• Angelos Kolaitis
• Bin Tang
• David Porter
• Edgar Lee
• Evan Lezar
• Kirill A. Korinsky
• Kohei Tokunaga
• Maksim An
• Paweł Gronowski
• Tomáš Virtus
• 张钰10307750
• 沈陵

Changes

50 commits

• Add release notes for v1.7.16 (#​10124)
  • 1c623084f Add release notes for v1.7.16
• Update AppArmor template to allow confined runc to kill containers (#​10129)
  • 18a2c36fa apparmor: Allow confined runc to kill containers
• Fix config import relative path glob (#​9834)
  • 62e9535f2 Fix config import relative path glob
• Fix CRI snapshotter root path when not under containerd root (#​10096)
  • a8ebceb97 CRI: "Fix" imageFSPath behavior
  • bd423bf84 Snapshotters: Export the root path
  • 8fb6bfa71 Add exports to proxy plugin config
  • 8916e2cf9 Add platform config to proxy plugins
• Fix network creation failure from CreatedAt time as 269 years ago (#​10122)
  • 293f5151d pod: CreatedAt time will be 269 years ago while creating cri network failed.
• Update AppArmor template to better support rootlesskit (#​10116)
  • af19e746e apparmor: add signal (receive) peer=/usr/local/bin/rootlesskit,
• Update Go to 1.21.9 and 1.22.2 with net/http security fix (#​10115)
  • 637d259dd update to go1.21.9, go1.22.2
• Update HTTP fallback to better account for TLS timeout and previous attempts (#​10112)
  • 794b0c723 Add deprecated HTTPFallback for package compatibility
  • 51c649d9d Update HTTPFallback to handle tls handshake timeout
  • aa14890ed Remove empty default tls configuration in ctr
• Add support for HPC port forwarding (#​10008)
  • 3df5d4445 Add support for HPC port forwarding
• Prevent GC from schedule itself with 0 period. (#​10102)
  • 5c15bf406 Prevent GC from schedule itself with 0 period.
• Include userns info in PodSandboxStatus (#​9865)
  • b57dc9fd3 cri/server: Add userns tests in PodSandboxStatus
  • 6e809ef13 cri: Expose userns in PodSandboxStatus rpc
• mod: bump github.com/containerd/nri@v0.6.1 (#​10097)
  • 395a31901 mod: bump github.com/containerd/nri@v0.6.1
• Fix issue with using invalid token to retry fetching layer (#​10065)
  • f61de0864 fix bug that using invalid token to retry fetching layer
• Bump tags.cncf.io/container-device-interface to v0.7.2 (#​10077)
  • 7a2f49f70 Bump tags.cncf.io/container-device-interface to v0.7.2
• Fix default working directory Windows HostProcess containers (#​10071)
  • 989f1ec54 fix default working directory hostProcess
• Fix unexpected order of mounts since go 1.19 (#​10063)
  • 9f774e438 fix(cri): fix unexpected order of mounts since go 1.19
• Automatically decompress archives for transfer service import (#​9989)
  • 2aec52493 Automatically decompress archives for transfer service import
• Use different containerd sock address in tests (#​10056)
  • 8c76e7948 Use different containerd sock address in tests
• Fix HTTPFallback fails when pushing manifest (#​10044)
  • 18f4ad5ee remote: Fix HTTPFallback fails when pushing manifest
• Add support for configuring otel from env and config deprecation notice (#​9992)
  • 600ba8612 vendor: revendor OTEL
  • 9360e3716 Changes to configuring otel from env only
  • f2354894f Deprecate otel configs
• Fix ListPodSandboxStats to skip sandboxes with missing tasks (#​10042)
  • 90c309fe2 Add IsNotFound case to ListPodSandboxStats

Changes from containerd/nri

5 commits

• Fix deadlock during NRI plugin registration (containerd/nri#79)
  • c4893c7 Fix deadlock during NRI plugin registration
• go.mod: github.com/containerd/ttrpc v1.2.3 (containerd/nri#71)
  • 02a1d5e go.mod: github.com/containerd/ttrpc v1.2.3
  • eb3edc4 examples: go mod tidy

Dependency Changes

• github.com/containerd/nri v0.6.0 -> v0.6.1
• tags.cncf.io/container-device-interface v0.6.2 -> v0.7.2
• tags.cncf.io/container-device-interface/specs-go v0.6.0 -> v0.7.0

Previous release can be found at v1.7.15

containerd/nerdctl (github.com/containerd/nerdctl)

v1.7.6

Compare Source

Changes

• rootless: fix nerdctl rm failure with AppArmor on Ubuntu >= 23.10 (#​2730, #​2958)
• nerdctl-full: update containerd (1.7.16) (#​2958)

Full change: https://github.com/containerd/nerdctl/milestone/42?closed=1

Compatible containerd versions

This release of nerdctl is expected to be used with containerd v1.6 or v1.7.

About the binaries

• Minimal (nerdctl-1.7.6-linux-amd64.tar.gz): nerdctl only
• Full (nerdctl-full-1.7.6-linux-amd64.tar.gz): Includes dependencies such as containerd, runc, and CNI

Minimal

Extract the archive to a path like /usr/local/bin or ~/bin .

tar Cxzvvf /usr/local/bin nerdctl-1.7.6-linux-amd64.tar.gz

-rwxr-xr-x root/root  25116672 2024-04-30 06:21 nerdctl
-rwxr-xr-x root/root     21916 2024-04-30 06:20 containerd-rootless-setuptool.sh
-rwxr-xr-x root/root      7187 2024-04-30 06:20 containerd-rootless.sh

Full

Extract the archive to a path like /usr/local or ~/.local .

tar Cxzvvf /usr/local nerdctl-full-1.7.6-linux-amd64.tar.gz

drwxr-xr-x 0/0               0 2024-04-30 06:28 bin/
-rwxr-xr-x 0/0        27644700 2015-10-21 00:00 bin/buildctl
-rwxr-xr-x 0/0        23724032 2022-09-05 09:52 bin/buildg
-rwxr-xr-x 0/0        53374823 2015-10-21 00:00 bin/buildkitd
-rwxr-xr-x 0/0         7277848 2024-04-30 06:26 bin/bypass4netns
-rwxr-xr-x 0/0         5308416 2024-04-30 06:26 bin/bypass4netnsd
-rwxr-xr-x 0/0        38946168 2024-04-30 06:27 bin/containerd
-rwxr-xr-x 0/0         9474048 2023-11-02 17:34 bin/containerd-fuse-overlayfs-grpc
-rwxr-xr-x 0/0           21916 2024-04-30 06:26 bin/containerd-rootless-setuptool.sh
-rwxr-xr-x 0/0            7187 2024-04-30 06:26 bin/containerd-rootless.sh
-rwxr-xr-x 0/0        12161024 2024-04-30 06:28 bin/containerd-shim-runc-v2
-rwxr-xr-x 0/0        45903872 2023-10-31 08:57 bin/containerd-stargz-grpc
-rwxr-xr-x 0/0        20630617 2024-04-30 06:28 bin/ctd-decoder
-rwxr-xr-x 0/0        18870272 2024-04-30 06:27 bin/ctr
-rwxr-xr-x 0/0        29671743 2024-04-30 06:28 bin/ctr-enc
-rwxr-xr-x 0/0        19931136 2023-10-31 08:58 bin/ctr-remote
-rwxr-xr-x 0/0         1785448 2024-04-30 06:28 bin/fuse-overlayfs
-rwxr-xr-x 0/0        65589641 2024-04-30 06:27 bin/ipfs
-rwxr-xr-x 0/0        25088000 2024-04-30 06:26 bin/nerdctl
-rwxr-xr-x 0/0        10666181 2024-03-05 22:20 bin/rootlessctl
-rwxr-xr-x 0/0        12358373 2024-03-05 22:20 bin/rootlesskit
-rwxr-xr-x 0/0        15074072 2024-04-30 06:26 bin/runc
-rwxr-xr-x 0/0         2346328 2024-04-30 06:28 bin/slirp4netns
-rwxr-xr-x 0/0          870496 2024-04-30 06:28 bin/tini
drwxr-xr-x 0/0               0 2024-04-30 06:28 lib/
drwxr-xr-x 0/0               0 2024-04-30 06:28 lib/systemd/
drwxr-xr-x 0/0               0 2024-04-30 06:28 lib/systemd/system/
-rw-r--r-- 0/0            1475 2024-04-30 06:28 lib/systemd/system/buildkit.service
-rw-r--r-- 0/0            1414 2024-04-30 06:25 lib/systemd/system/containerd.service
-rw-r--r-- 0/0             312 2024-04-30 06:28 lib/systemd/system/stargz-snapshotter.service
drwxr-xr-x 0/0               0 2024-04-30 06:28 libexec/
drwxr-xr-x 0/0               0 2024-04-30 06:28 libexec/cni/
-rw-r--r-- 0/0           11357 2024-03-12 10:56 libexec/cni/LICENSE
-rw-r--r-- 0/0            2343 2024-03-12 10:56 libexec/cni/README.md
-rwxr-xr-x 0/0         4119661 2024-03-12 10:56 libexec/cni/bandwidth
-rwxr-xr-x 0/0         4662227 2024-03-12 10:56 libexec/cni/bridge
-rwxr-xr-x 0/0        11065251 2024-03-12 10:56 libexec/cni/dhcp
-rwxr-xr-x 0/0         4306546 2024-03-12 10:56 libexec/cni/dummy
-rwxr-xr-x 0/0         4751593 2024-03-12 10:56 libexec/cni/firewall
-rwxr-xr-x 0/0         4198427 2024-03-12 10:56 libexec/cni/host-device
-rwxr-xr-x 0/0         3560496 2024-03-12 10:56 libexec/cni/host-local
-rwxr-xr-x 0/0         4324636 2024-03-12 10:56 libexec/cni/ipvlan
-rwxr-xr-x 0/0         3651038 2024-03-12 10:56 libexec/cni/loopback
-rwxr-xr-x 0/0         4355073 2024-03-12 10:56 libexec/cni/macvlan
-rwxr-xr-x 0/0         4095898 2024-03-12 10:56 libexec/cni/portmap
-rwxr-xr-x 0/0         4476535 2024-03-12 10:56 libexec/cni/ptp
-rwxr-xr-x 0/0         3861176 2024-03-12 10:56 libexec/cni/sbr
-rwxr-xr-x 0/0         3120090 2024-03-12 10:56 libexec/cni/static
-rwxr-xr-x 0/0         4381887 2024-03-12 10:56 libexec/cni/tap
-rwxr-xr-x 0/0         3743844 2024-03-12 10:56 libexec/cni/tuning
-rwxr-xr-x 0/0         4319235 2024-03-12 10:56 libexec/cni/vlan
-rwxr-xr-x 0/0         4008392 2024-03-12 10:56 libexec/cni/vrf
drwxr-xr-x 0/0               0 2024-04-30 06:26 share/
drwxr-xr-x 0/0               0 2024-04-30 06:26 share/doc/
drwxr-xr-x 0/0               0 2024-04-30 06:26 share/doc/nerdctl/
-rw-r--r-- 0/0           12480 2024-04-30 06:20 share/doc/nerdctl/README.md
drwxr-xr-x 0/0               0 2024-04-30 06:20 share/doc/nerdctl/docs/
-rw-r--r-- 0/0            3953 2024-04-30 06:20 share/doc/nerdctl/docs/build.md
-rw-r--r-- 0/0            2570 2024-04-30 06:20 share/doc/nerdctl/docs/builder-debug.md
-rw-r--r-- 0/0            3996 2024-04-30 06:20 share/doc/nerdctl/docs/cni.md
-rw-r--r-- 0/0           74383 2024-04-30 06:20 share/doc/nerdctl/docs/command-reference.md
-rw-r--r-- 0/0            1814 2024-04-30 06:20 share/doc/nerdctl/docs/compose.md
-rw-r--r-- 0/0            5329 2024-04-30 06:20 share/doc/nerdctl/docs/config.md
-rw-r--r-- 0/0            9128 2024-04-30 06:20 share/doc/nerdctl/docs/cosign.md
-rw-r--r-- 0/0            5660 2024-04-30 06:20 share/doc/nerdctl/docs/cvmfs.md
-rw-r--r-- 0/0            2435 2024-04-30 06:20 share/doc/nerdctl/docs/dir.md
-rw-r--r-- 0/0             906 2024-04-30 06:20 share/doc/nerdctl/docs/experimental.md
-rw-r--r-- 0/0           14217 2024-04-30 06:20 share/doc/nerdctl/docs/faq.md
-rw-r--r-- 0/0             884 2024-04-30 06:20 share/doc/nerdctl/docs/freebsd.md
-rw-r--r-- 0/0            3228 2024-04-30 06:20 share/doc/nerdctl/docs/gpu.md
-rw-r--r-- 0/0           14463 2024-04-30 06:20 share/doc/nerdctl/docs/ipfs.md
-rw-r--r-- 0/0            1748 2024-04-30 06:20 share/doc/nerdctl/docs/multi-platform.md
-rw-r--r-- 0/0            2960 2024-04-30 06:20 share/doc/nerdctl/docs/notation.md
-rw-r--r-- 0/0            2596 2024-04-30 06:20 share/doc/nerdctl/docs/nydus.md
-rw-r--r-- 0/0            3277 2024-04-30 06:20 share/doc/nerdctl/docs/ocicrypt.md
-rw-r--r-- 0/0            1876 2024-04-30 06:20 share/doc/nerdctl/docs/overlaybd.md
-rw-r--r-- 0/0           15657 2024-04-30 06:20 share/doc/nerdctl/docs/registry.md
-rw-r--r-- 0/0            5088 2024-04-30 06:20 share/doc/nerdctl/docs/rootless.md
-rw-r--r-- 0/0            2015 2024-04-30 06:20 share/doc/nerdctl/docs/soci.md
-rw-r--r-- 0/0           10312 2024-04-30 06:20 share/doc/nerdctl/docs/stargz.md
drwxr-xr-x 0/0               0 2024-04-30 06:28 share/doc/nerdctl-full/
-rw-r--r-- 0/0            1154 2024-04-30 06:28 share/doc/nerdctl-full/README.md
-rw-r--r-- 0/0            6578 2024-04-30 06:28 share/doc/nerdctl-full/SHA256SUMS

Included components

See share/doc/nerdctl-full/README.md:

##### nerdctl (full distribution)
- nerdctl: v1.7.6
- containerd: v1.7.16
- runc: v1.1.12
- CNI plugins: v1.4.1
- BuildKit: v0.12.5
- Stargz Snapshotter: v0.15.1
- imgcrypt: v1.1.10
- RootlessKit: v2.0.2
- slirp4netns: v1.2.3
- bypass4netns: v0.4.0
- fuse-overlayfs: v1.13
- containerd-fuse-overlayfs: v1.0.8
- Kubo (IPFS): v0.27.0
- Tini: v0.19.0
- buildg: v0.4.1

##### License
- bin/slirp4netns:    [GNU GENERAL PUBLIC LICENSE, Version 2](https://github.com/rootless-containers/slirp4netns/blob/v1.2.3/COPYING)
- bin/fuse-overlayfs: [GNU GENERAL PUBLIC LICENSE, Version 2](https://github.com/containers/fuse-overlayfs/blob/v1.13/COPYING)
- bin/ipfs: [Combination of MIT-only license and dual MIT/Apache-2.0 license](https://github.com/ipfs/kubo/blob/v0.27.0/LICENSE)
- bin/{runc,bypass4netns,bypass4netnsd}: Apache License 2.0, statically linked with libseccomp ([LGPL 2.1](https://github.com/seccomp/libseccomp/blob/main/LICENSE), source code available at https://github.com/seccomp/libseccomp/)
- bin/tini: [MIT License](https://github.com/krallin/tini/blob/v0.19.0/LICENSE)
- Other files: [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0)

Quick start

Rootful

$ sudo systemctl enable --now containerd
$ sudo nerdctl run -d --name nginx -p 80:80 nginx:alpine

Rootless

$ containerd-rootless-setuptool.sh install
$ nerdctl run -d --name nginx -p 8080:80 nginx:alpine

Enabling cgroup v2 is highly recommended for rootless mode, see https://rootlesscontaine.rs/getting-started/common/cgroup2/ .

---

The binaries were built automatically on GitHub Actions.
The build log is available for 90 days: https://github.com/containerd/nerdctl/actions/runs/8890214856

The sha256sum of the SHA256SUMS file itself is a443c7f8ef507fcaefd49f4774440f010ab8105eb8df9247c0d153e89a0da940 .

---

Release manager: Akihiro Suda (@​AkihiroSuda)

---

Configuration

📅 Schedule: Branch creation - "after 6am every weekday,before 12pm every weekday" in timezone Etc/UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[github-actions]

Hey!

Your images are ready:

• ghcr.io/openclarity/vmclarity-apiserver-dev:pr1616-59556c137549d7a33a192b4ff2c4d69a66b87bb2
• ghcr.io/openclarity/vmclarity-cli-dev:pr1616-59556c137549d7a33a192b4ff2c4d69a66b87bb2
• ghcr.io/openclarity/vmclarity-cr-discovery-server-dev:pr1616-59556c137549d7a33a192b4ff2c4d69a66b87bb2
• ghcr.io/openclarity/vmclarity-orchestrator-dev:pr1616-59556c137549d7a33a192b4ff2c4d69a66b87bb2
• ghcr.io/openclarity/vmclarity-plugin-kics-dev:pr1616-59556c137549d7a33a192b4ff2c4d69a66b87bb2
• ghcr.io/openclarity/vmclarity-ui-dev:pr1616-59556c137549d7a33a192b4ff2c4d69a66b87bb2
• ghcr.io/openclarity/vmclarity-ui-backend-dev:pr1616-59556c137549d7a33a192b4ff2c4d69a66b87bb2