Prepare 1.7.x

.github/workflows/ghcr-image-build-and-publish.yml

@@ -23,7 +23,7 @@ env:
 jobs:
   build:
 
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
       contents: read
       packages: write

.github/workflows/release.yml

@@ -9,13 +9,13 @@ env:
   GO111MODULE: on
 jobs:
   release:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 40
     steps:
     - uses: actions/[email protected]
     - uses: actions/setup-go@v5
       with:
-        go-version: 1.21.x
+        go-version: 1.23.x
     - name: "Compile binaries"
       run: make artifacts
     - name: "SHA256SUMS"

.github/workflows/test.yml

@@ -8,12 +8,12 @@ on:
   pull_request:
 
 env:
-  GO_VERSION: 1.21.x
+  GO_VERSION: 1.23.x
 
 jobs:
   project:
     name: Project Checks
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 20
     steps:
       - uses: actions/[email protected]
@@ -34,7 +34,7 @@ jobs:
         working-directory: src/github.com/containerd/nerdctl
 
   lint:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 20
     steps:
       - uses: actions/[email protected]
@@ -54,7 +54,7 @@ jobs:
         run: yamllint .
 
   test-unit:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 20
     steps:
       - uses: actions/[email protected]
@@ -74,16 +74,20 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        # ubuntu-20.04: cgroup v1, ubuntu-22.04: cgroup v2
+        # ubuntu-20.04: cgroup v1, ubuntu-22.04 and later: cgroup v2
         include:
           - ubuntu: 20.04
             containerd: v1.6.31
           - ubuntu: 20.04
-            containerd: v1.7.16
+            containerd: v1.7.21
           - ubuntu: 22.04
-            containerd: v1.7.16
+            containerd: v1.7.21
           - ubuntu: 22.04
             containerd: main
+          - ubuntu: 24.04
+            containerd: v1.7.21
+          - ubuntu: 24.04
+            containerd: main
     env:
       UBUNTU_VERSION: "${{ matrix.ubuntu }}"
       CONTAINERD_VERSION: "${{ matrix.containerd }}"
@@ -110,10 +114,10 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        # ubuntu-20.04: cgroup v1, ubuntu-22.04: cgroup v2
+        # ubuntu-20.04: cgroup v1, ubuntu-22.04 and later: cgroup v2
         include:
-          - ubuntu: 22.04
-            containerd: v1.7.16
+          - ubuntu: 24.04
+            containerd: v1.7.21
     env:
       UBUNTU_VERSION: "${{ matrix.ubuntu }}"
       CONTAINERD_VERSION: "${{ matrix.containerd }}"
@@ -154,47 +158,78 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        # ubuntu-22.04: cgroup v1, ubuntu-22.04: cgroup v2
+        # ubuntu-20.04: cgroup v1, ubuntu-22.04 and later: cgroup v2
         include:
           - ubuntu: 20.04
             containerd: v1.6.31
             rootlesskit: v1.1.1
             target: test-integration-rootless
           - ubuntu: 20.04
-            containerd: v1.7.16
-            rootlesskit: v2.0.2
+            containerd: v1.7.21
+            rootlesskit: v2.3.1
             target: test-integration-rootless
           - ubuntu: 22.04
-            containerd: v1.7.16
+            containerd: v1.7.21
             rootlesskit: v1.1.1
             target: test-integration-rootless
           - ubuntu: 22.04
-            containerd: main
-            rootlesskit: v2.0.2
+            containerd: main  # v2.0.0-rc.X
+            rootlesskit: v2.3.1
+            target: test-integration-rootless
+          - ubuntu: 24.04
+            containerd: v1.7.21
+            rootlesskit: v1.1.1
+            target: test-integration-rootless
+          - ubuntu: 24.04
+            containerd: main  # v2.0.0-rc.X
+            rootlesskit: v2.3.1
             target: test-integration-rootless
           - ubuntu: 20.04
             containerd: v1.6.31
             rootlesskit: v1.1.1
             target: test-integration-rootless-port-slirp4netns
           - ubuntu: 20.04
-            containerd: v1.7.16
-            rootlesskit: v2.0.2
+            containerd: v1.7.21
+            rootlesskit: v2.3.1
             target: test-integration-rootless-port-slirp4netns
           - ubuntu: 22.04
-            containerd: v1.7.16
+            containerd: v1.7.21
             rootlesskit: v1.1.1
             target: test-integration-rootless-port-slirp4netns
           - ubuntu: 22.04
-            containerd: main
-            rootlesskit: v2.0.2
+            containerd: main  # v2.0.0-rc.X
+            rootlesskit: v2.3.1
+            target: test-integration-rootless-port-slirp4netns
+          - ubuntu: 24.04
+            containerd: v1.7.21
+            rootlesskit: v1.1.1
+            target: test-integration-rootless-port-slirp4netns
+          - ubuntu: 24.04
+            containerd: main  # v2.0.0-rc.X
+            rootlesskit: v2.3.1
             target: test-integration-rootless-port-slirp4netns
     env:
       UBUNTU_VERSION: "${{ matrix.ubuntu }}"
       CONTAINERD_VERSION: "${{ matrix.containerd }}"
       ROOTLESSKIT_VERSION: "${{ matrix.rootlesskit }}"
       TEST_TARGET: "${{ matrix.target }}"
     steps:
-      - uses: actions/[email protected]
+      - name: "Set up AppArmor"
+        if: matrix.ubuntu == '24.04'
+        run: |
+          cat <<EOT | sudo tee "/etc/apparmor.d/usr.local.bin.rootlesskit"
+          abi <abi/4.0>,
+          include <tunables/global>
+
+          /usr/local/bin/rootlesskit flags=(unconfined) {
+            userns,
+
+            # Site-specific additions and overrides. See local/README for details.
+            include if exists <local/usr.local.bin.rootlesskit>
+          }
+          EOT
+          sudo systemctl restart apparmor.service
+      - uses: actions/[email protected]
         with:
           fetch-depth: 1
       - name: "Register QEMU (tonistiigi/binfmt)"
@@ -205,11 +240,11 @@ jobs:
         run: docker run -t --rm --privileged -e WORKAROUND_ISSUE_622=1 ${TEST_TARGET}
 
   cross:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 40
     strategy:
       matrix:
-        go-version: ["1.21.x", "1.22.x"]
+        go-version: ["1.22.x", "1.23.x"]
     steps:
       - uses: actions/[email protected]
         with:
@@ -223,8 +258,8 @@ jobs:
         run: GO_VERSION="$(echo ${{ matrix.go-version }} | sed -e s/.x//)" make artifacts
 
   test-integration-docker-compatibility:
-    runs-on: ubuntu-22.04
-    timeout-minutes: 30
+    runs-on: ubuntu-22.04  # TODO: ubuntu-24.04
+    timeout-minutes: 45
     steps:
       - uses: actions/[email protected]
         with:
@@ -234,15 +269,25 @@ jobs:
           go-version: ${{ env.GO_VERSION }}
           cache: true
           check-latest: true
-      - name: "Enable BuildKit"
+      - name: "Install Docker v24"
         run: |
           set -eux -o pipefail
+          # Uninstall the preinstalled Docker
+          sudo apt-get remove docker-* containerd.io
           # Enable BuildKit explicitly
           sudo apt-get install -y moreutils
           cat /etc/docker/daemon.json
           jq '.features.buildkit = true' </etc/docker/daemon.json  | sudo sponge /etc/docker/daemon.json
           cat /etc/docker/daemon.json
-          sudo systemctl restart docker
+          # Download Docker packages
+          curl -OSL https://download.docker.com/linux/ubuntu/dists/jammy/pool/stable/amd64/containerd.io_1.6.33-1_amd64.deb
+          curl -OSL https://download.docker.com/linux/ubuntu/dists/jammy/pool/stable/amd64/docker-ce_24.0.9-1~ubuntu.22.04~jammy_amd64.deb
+          curl -OSL https://download.docker.com/linux/ubuntu/dists/jammy/pool/stable/amd64/docker-ce-cli_24.0.9-1~ubuntu.22.04~jammy_amd64.deb
+          curl -OSL https://download.docker.com/linux/ubuntu/dists/jammy/pool/stable/amd64/docker-buildx-plugin_0.13.1-1~ubuntu.22.04~jammy_amd64.deb
+          curl -OSL https://download.docker.com/linux/ubuntu/dists/jammy/pool/stable/amd64/docker-compose-plugin_2.25.0-1~ubuntu.22.04~jammy_amd64.deb
+          # Install Docker
+          sudo apt-get install -y ./*.deb
+          rm -f ./*.deb
           # Print docker info
           docker info
           docker version
@@ -276,25 +321,24 @@ jobs:
       - uses: actions/[email protected]
         with:
           repository: containerd/containerd
-          ref: v1.7.16
+          ref: v1.7.21
           path: containerd
           fetch-depth: 1
       - name: "Set up CNI"
         working-directory: containerd
         run: GOPATH=$(go env GOPATH) script/setup/install-cni-windows
       - name: "Set up containerd"
         env:
-          ctrdVersion: 1.7.16
+          ctrdVersion: 1.7.21
         run: powershell hack/configure-windows-ci.ps1
       # TODO: Run unit tests
       - name: "Run integration tests"
         run: go test -v ./cmd/...
 
   test-integration-freebsd:
     name: FreeBSD
-    # "Larger" runner is needed for nested virtualization
-    # https://github.com/organizations/containerd/settings/actions/runners
-    runs-on: ubuntu-latest-4-cores
+    # ubuntu-24.04 lacks the vagrant package
+    runs-on: ubuntu-22.04
     timeout-minutes: 20
 
     steps:

Dockerfile

@@ -18,43 +18,43 @@
 # TODO: verify commit hash
 
 # Basic deps
-ARG CONTAINERD_VERSION=v1.7.16
-ARG RUNC_VERSION=v1.1.12
-ARG CNI_PLUGINS_VERSION=v1.4.1
+ARG CONTAINERD_VERSION=v1.7.21
+ARG RUNC_VERSION=v1.1.14
+ARG CNI_PLUGINS_VERSION=v1.5.1
 
 # Extra deps: Build
-ARG BUILDKIT_VERSION=v0.12.5
+ARG BUILDKIT_VERSION=v0.15.2
 # Extra deps: Lazy-pulling
 ARG STARGZ_SNAPSHOTTER_VERSION=v0.15.1
 # Extra deps: Encryption
-ARG IMGCRYPT_VERSION=v1.1.10
+ARG IMGCRYPT_VERSION=v1.1.11
 # Extra deps: Rootless
-ARG ROOTLESSKIT_VERSION=v2.0.2
-ARG SLIRP4NETNS_VERSION=v1.2.3
+ARG ROOTLESSKIT_VERSION=v2.3.1
+ARG SLIRP4NETNS_VERSION=v1.3.1
 # Extra deps: bypass4netns
-ARG BYPASS4NETNS_VERSION=v0.4.0
+ARG BYPASS4NETNS_VERSION=v0.4.1
 # Extra deps: FUSE-OverlayFS
 ARG FUSE_OVERLAYFS_VERSION=v1.13
 ARG CONTAINERD_FUSE_OVERLAYFS_VERSION=v1.0.8
 # Extra deps: IPFS
-ARG KUBO_VERSION=v0.27.0
+ARG KUBO_VERSION=v0.29.0
 # Extra deps: Init
 ARG TINI_VERSION=v0.19.0
 # Extra deps: Debug
 ARG BUILDG_VERSION=v0.4.1
 
 # Test deps
-ARG GO_VERSION=1.21
-ARG UBUNTU_VERSION=22.04
+ARG GO_VERSION=1.23
+ARG UBUNTU_VERSION=24.04
 ARG CONTAINERIZED_SYSTEMD_VERSION=v0.1.1
-ARG GOTESTSUM_VERSION=v1.11.0
-ARG NYDUS_VERSION=v2.2.4
-ARG SOCI_SNAPSHOTTER_VERSION=0.4.0
+ARG GOTESTSUM_VERSION=v1.12.0
+ARG NYDUS_VERSION=v2.2.5
+ARG SOCI_SNAPSHOTTER_VERSION=0.7.0
 
-FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.3.0 AS xx
+FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.5.0 AS xx
 
 
-FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-bullseye AS build-base-debian
+FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-bookworm AS build-base-debian
 COPY --from=xx / /
 ENV DEBIAN_FRONTEND=noninteractive
 RUN apt-get update && \
@@ -63,7 +63,7 @@ ARG TARGETARCH
 # libbtrfs: for containerd
 # libseccomp: for runc and bypass4netns
 RUN xx-apt-get update && \
-  xx-apt-get install -y binutils gcc libc6-dev libbtrfs-dev libseccomp-dev
+  xx-apt-get install -y binutils gcc libc6-dev libbtrfs-dev libseccomp-dev pkg-config
 
 FROM build-base-debian AS build-containerd
 ARG TARGETARCH
@@ -323,7 +323,7 @@ RUN apt-get update && \
   apt-get install -qq -y \
   uidmap \
   openssh-server openssh-client
-# TODO: update containerized-systemd to enable sshd by default, or allow `systemctl wants <TARGET> sshd` here
+# TODO: update containerized-systemd to enable sshd by default, or allow `systemctl wants <TARGET> ssh` here
 RUN ssh-keygen -q -t rsa -f /root/.ssh/id_rsa -N '' && \
   useradd -m -s /bin/bash rootless && \
   mkdir -p -m 0700 /home/rootless/.ssh && \

Dockerfile.d/SHA256SUMS.d/buildkit-v0.15.2

@@ -0,0 +1,2 @@
+59279df5853bef19a03ec15c5c31b772e59d91d079ab0221e1bafa023cf41c35  buildkit-v0.15.2.linux-amd64.tar.gz
+15329adaa5e5b2bea0580f3e5e33765f84504075710bb791e362c3b160ca7e61  buildkit-v0.15.2.linux-arm64.tar.gz

Dockerfile.d/SHA256SUMS.d/cni-plugins-v1.5.1

@@ -0,0 +1,2 @@
+77baa2f669980a82255ffa2f2717de823992480271ee778aa51a9c60ae89ff9b  cni-plugins-linux-amd64-v1.5.1.tgz
+c2a292714d0fad98a3491ae43df8ad58354b3c0bdf5d5a3e281777967c70fcff  cni-plugins-linux-arm64-v1.5.1.tgz

Dockerfile.d/SHA256SUMS.d/rootlesskit-v2.3.1

@@ -0,0 +1,6 @@
+57bc67f71b8043961417325be13528d4f1e8ec90876cd34c38064431f457070f  rootlesskit-aarch64.tar.gz
+5154542509736957738478e3624b53865a875c396f978db5adea513d7507dee6  rootlesskit-armv7l.tar.gz
+983642556dd3dcbe2c9b764d577882016ad1ca960815ffa13ca76d7da518504f  rootlesskit-ppc64le.tar.gz
+83c40bb8938828eb15837a4900ba825a1f52227631195c22df85f2e8f7f73546  rootlesskit-riscv64.tar.gz
+dd6c8bc7e1c9b5d8c775efcf40854ef1d25205060294f0654a77d996a7f4e172  rootlesskit-s390x.tar.gz
+caafdce18e0959f078b4b478d4f352ebf3d556e373265fc7831f1a6d70219ee0  rootlesskit-x86_64.tar.gz

Dockerfile.d/SHA256SUMS.d/slirp4netns-v1.3.1

@@ -0,0 +1,6 @@
+2dd9aac6c2e3203e53cb7b6e4b9fc7123e4e4a9716c8bb1d95951853059a6af5  slirp4netns-aarch64
+ed618c0f2c74014bb736e9e427e18c8791ad9d68311872a41b06fac0d7cb9ef2  slirp4netns-armv7l
+a10f70209cee0dd0532fea0e8b6bfde5d16dec5206fd4b3387d861721456de66  slirp4netns-ppc64le
+38209015c2f3f4619d9fc46610852887910f33c7a0b96f7d2aa835a7bbc73f31  slirp4netns-riscv64
+9f42718455b1f9cf4b6f0efee314b78e860b8c36dbbb6290f09c8fbedda9ff8a  slirp4netns-s390x
+4bc5d6c311f9fa7ae00ce54aefe10c2afaf0800fe9e99f32616a964ed804a9e1  slirp4netns-x86_64

Dockerfile.d/test-integration-rootless.sh

@@ -27,7 +27,7 @@ if [[ "$(id -u)" = "0" ]]; then
 	fi
 
 	# Switch to the rootless user via SSH
-	systemctl start sshd
+	systemctl start ssh
 	exec ssh -o StrictHostKeyChecking=no rootless@localhost "$0" "$@"
 else
 	containerd-rootless-setuptool.sh install
@@ -48,7 +48,7 @@ else
 [proxy_plugins]
   [proxy_plugins."stargz"]
     type = "snapshot"
-    address = "/run/user/1000/containerd-stargz-grpc/containerd-stargz-grpc.sock"
+    address = "/run/user/$(id -u)/containerd-stargz-grpc/containerd-stargz-grpc.sock"
 EOF
 	systemctl --user restart containerd.service
 	containerd-rootless-setuptool.sh -- install-ipfs --init --offline # offline ipfs daemon for testing

cmd/nerdctl/container_create_linux_test.go

@@ -57,9 +57,9 @@ func TestCreateWithMACAddress(t *testing.T) {
 		WantErr bool
 		Expect  string
 	}{
-		{"host", true, "conflicting options"},
+		{"host", true, ""},
 		{"none", true, "can't open '/sys/class/net/eth0/address'"},
-		{"container:whatever" + tID, true, "conflicting options"},
+		{"container:whatever" + tID, true, ""},
 		{"bridge", false, ""},
 		{networkBridge, false, ""},
 		{networkMACvlan, false, ""},