v0.9.0
What's New
- The runhcs containerd shim now supports launching Host Process containers.
- LCOW layers can now be encrypted via dm-verity.
- Process dumps can now be generated for WCOW and LCOW via an OCI annotation.
- LCOW container execs now run as whatever user the container was launched as, unless the spec was overridden with a different user.
- Shared memory is now configurable via an OCI annotation.
- WCOW supports extensible virtual disks as data disks.
- LCOW supports hugepage mounts if the kernel used is built with this support.
See the Changelog for the full list of changes!
Bug Fixes
- Fix duplicate "failed" in HCS error strings.
- Get rid of redundant logs in HCN version range checks.
- HNS v1 policy schemas now have correct omitEmpty fields.
Changelog
- Enable scratch space encryption via annotation by @anmaxvl in #1095
- Enforce security policy at unmount by @SeanTAllen in #1162
- Make policy environment variable rules consts by @SeanTAllen in #1164
- Remove unused variable by @SeanTAllen in #1165
- Update naming in internal security policy tool by @SeanTAllen in #1166
- Rename variable in SecurityPolicyEnforcer by @SeanTAllen in #1168
- Rename EnforceStartContainerPolicy by @SeanTAllen in #1169
- fix vmAccess param usage in AddSCSI by @anmaxvl in #1167
- Change internal data structure in SecurityPolicyEnforcer by @SeanTAllen in #1171
- Update kernel driver annotation for accuracy by @katiewasnothere in #1172
- Rework how working directories function for job containers by @dcantah in #1137
- Add WCOW sandbox mount support by @dcantah in #1087
- Add support for passing in a virtual function index to assign pci device by @katiewasnothere in #1163
- Set PATHEXT for job containers to handle binaries with no extension by @dcantah in #1174
- Add process dump functionality for WCOW/LCOW by @dcantah in #1062
- Update json format for security policy by @SeanTAllen in #1173
- Rework LCOW username setup/exec behavior by @dcantah in #1178
- Refactor pod config generation in tests by @anmaxvl in #1180
- tests: Fix tests that used old pullRequiredLCOWImages func name by @anmaxvl in #1183
- Remove unused definitions in winapi by @dcantah in #1181
- Also run tests on Windows Server 2022 GitHub Runner by @TBBle in #1176
- tests: Fix ExecUser LCOW tests using old function signature by @anmaxvl in #1184
- Add unit tests for computeagent by @katiewasnothere in #1182
- Bump github.com/containerd/containerd from 1.5.4 to 1.5.7 in /test by @dependabot in #1185
- Bump github.com/containerd/containerd from 1.5.4 to 1.5.7 by @dependabot in #1186
- Add compute agent store for ncproxy reconnect by @katiewasnothere in #1097
- Update names of ncproxy proxy resources with test name included by @katiewasnothere in #1189
- Merge Microsoft/opengcs and Microsoft/hcsshim by @dcantah in #973
- Run late clone tests on 20H2+ builds only. by @ambarve in #1028
- Fix bug with VSMB & SCSI mounts on the same host path by @ambarve in #1021
- Support for storage space data disks by @ambarve in #998
- Add option to set no direct map by default on wcow VSMB devices by @katiewasnothere in #1030
- Read max 1MB data from panic.log by @ambarve in #1029
- Change Makefile file type from crlf to lf by @katiewasnothere in #1031
- support pod and container updates by @katiewasnothere in #931
- Add new flags to integration tests to specify virtstack by @dcantah in #1019
- Change VSMBNoDirectMap_WCOW_Hypervisor test to fix CI break by @dcantah in #1033
- fix break in cpu groups test on machines with build < 20124 by @katiewasnothere in #1036
- lf line endingify stray opengcs files by @dcantah in #1032
- Remotevm UVM implementation by @dcantah in #1023
- VHD with dm-verity by @SeanTAllen in #985
- Add tests for LCOW shared scratch space work by @dcantah in #955
- shim: Clean up delete invocation behavior by @kevpar in #1041
- Remove internal GCS connection functionality by @dcantah in #1038
- Add instructions to build containerd-shim and gcs binaries by @dcantah in #1034
- Add DnsSettings to ncproxy CreateEndpointRequest by @dcantah in #1026
- use requested stdio in call to exec in shim host by @katiewasnothere in #1044
- Added Support for NestedIpSet type in SetPolicy and a new Network Policy called NetworkACL policy by @netal in #1045
- Add DNSDomain to hns endpoint object by @dcantah in #1047
- add logic to stack lcow layers on a single VPMEM device by @anmaxvl in #930
- Read vhd verity footer by @anmaxvl in #1008
- fix wrong error logged when dm-verity footer read fails by @anmaxvl in #1054
- Get rid of redundant logs in HCN version range checks by @dcantah in #1053
- Add containerd-shim plumbing for job containers by @dcantah in #962
- Fix functional tests build and revendor by @katiewasnothere in #1063
- Remove ERROR_PROC_NOT_FOUND from error checks by @kevpar in #1064
- export annotations for use in test suite by @katiewasnothere in #1061
- Support specifying a specific logrus log level for shim log output by @dcantah in #1058
- Support registering and unregistering ncproxy as a Windows service by @dcantah in #1046
- Bump containerd to 1.5.2 by @aledbf in #1068
- Add missing 'functional' tag to test source by @TBBle in #1069
- Add support to dump stacks for ncproxy when requested by @katiewasnothere in #1070
- Fix lost span attribute for NameToGuid by @TBBle in #1071
- Remove leftover generated HCS2 schema file by @TBBle in #1074
- Add volume mount support for job containers by @dcantah in #1057
- Gate CRI update container tests behind feature flag by @dcantah in #1079
- Updating HNS v1 policy schemas with correct omitEmpty fields by @elweb9858 in #1078
- Fix relative paths (with dot) not working for job containers by @dcantah in #1081
- Add support for reading in device extension files for container create hcs document by @katiewasnothere in #1060
- Bump github.com/containerd/containerd from 1.5.2 to 1.5.4 in /test by @dependabot in #1082
- Bump github.com/containerd/containerd from 1.5.2 to 1.5.4 by @dependabot in #1083
- Bump github.com/opencontainers/runc from 1.0.0-rc93 to 1.0.0-rc95 by @dependabot in #1084
- tests: increase opengcs tests verbosity by @anmaxvl in #1088
- make container's shared memory configurable via annotation by @anmaxvl in #1052
- Support for extensible virtual disks as data disks by @ambarve in #1039
- Minor bug fixes by @ambarve in #1093
- Add support to encrypt SCSI scratch disks with dm-crypt by @AntonioND in #1090
- Add basis for allowing the creation of configuration enforcement in gcs by @SeanTAllen in #1094
- Add retry around wclayer operations for process isolated containers by @dcantah in #1091
- Fix build break in functional tests by @katiewasnothere in #1098
- Fix incorrect casing in error message by @SeanTAllen in #1103
- chore: Cleanup guest pmem package by @anmaxvl in #1096
- Skip setting security policy when it's empty by @anmaxvl in #1099
- Fix incorrect variable casing by @SeanTAllen in #1106
- Fix variable naming by @SeanTAllen in #1105
- tests: fix VPMem layer packing tests by @anmaxvl in #1109
- Support for Kernel Boot Options - LCOW by @ninzavivek in #1108
- Add network stats to the enable getting stats directly by @jsturtevant in #1102
- Add sleep before layer operation retries by @dcantah in #1122
- Add GetCachedSupportedFeatures method to hcn package by @dcantah in #1123
- Check if stdio pipes are nil for job containers/fix windows.Close usage by @dcantah in #1115
- Add security policy enforcement of command line options when starting containers by @SeanTAllen in #1116
- Fix spelling error by @SeanTAllen in #1127
- Update ncproxy compute agent cache map by @katiewasnothere in #1126
- Make ncproxy a urfave/cli app by @dcantah in #1121
- Bugfix for UnicodeString constructor by @ambarve in #1138
- Fix duplicate "failed" in HCS errors by @thaJeztah in #1139
- Add extra info about DCO check to README by @dcantah in #1140
- Update test package go modules by @katiewasnothere in #1141
- Fixup logic for sandbox and container cleanup on failure by @katiewasnothere in #1142
- Add stylecheck linter to golangci-lint CI runs by @dcantah in #1125
- Enable dm-verity for multi-mapped LCOW layers by @anmaxvl in #1089
- add RecommendedVHDSizeGB constant by @praenubilus in #1145
- Add more messages when guest relays and init process finish by @anmaxvl in #1104
- Job container path touchups + rework tests by @dcantah in #1117
- Update test modules with hcsshim changes by @katiewasnothere in #1150
- Add ci step to validate that modules have been vendored in by @katiewasnothere in #1112
- Hugepage support for LCOW by @ninzavivek in #1118
- Update test modules with up to date hcsshim code by @katiewasnothere in #1151
- Add security policy enforcement of environment variables by @SeanTAllen in #1146
- Add note about test directory go mod vendor steps to README by @dcantah in #1156
- Update script to verify go modules to match hashes of all files by @katiewasnothere in #1157
- Add unit tests to ncproxy by @katiewasnothere in #1143
- Switch JSON policy schema from using arrays to maps by @SeanTAllen in #1154
- Add new internal cmd package request struct to remove shimdiag package import by @katiewasnothere in #1153
- Add additional information to the error message when validating modules by @katiewasnothere in #1159
- Update securitypolicy tool to support multiple registries by @SeanTAllen in #1161
- Add security policy enforcement for SCSI devices by @SeanTAllen in #1158
Full changelog: v0.8.22...v0.9.0