This release updates the containerd library to fix CVE-2023-25173 (GHSA-hmfx-3pcx-653p, Supplementary groups are not set up properly).
Note
To fix CVE-2023-25173 for nerdctl build, you have to wait for the release of BuildKit v0.11.4, or install BuildKit manually with moby/buildkit#3668.
The CVE doesn't seem to be problematic for nerdctl build though.
Changes
- nerdctl logs:
  - Accept Ctrl-C in CRI log viewer (#1972, thanks to @zhaojizhuang)
- nerdctl rename:
  - Support Windows (#1993, thanks to @dardelean)
- nerdctl rmi:
  - Fix checking containers with deleted image (#1998, thanks to @djdongjin)
- nerdctl system prune:
  - Fix confirmation prompt (#2036, #2039, #2044, thanks to @suyanhanx)
- nerdctl compose down:
  - Fix checking networks that are in use (#2051, thanks to @Retrospection)
- nerdctl-full:
  - Update containerd (1.6.19), BuildKit (0.11.3), Kubo (0.18.1) (#2047)
- misc:
  - Update containerd library to v1.7.0-rc.0 to fix CVE-2023-25173 (GHSA-hmfx-3pcx-653p) (#2019, #2055)
  - Update Go to 1.20 (#2025)
- Lots of refactoring
Full changes: https://github.com/containerd/nerdctl/milestone/27?closed=1
Thanks to @MimeLyc @Retrospection @brunohenriquy @dardelean @davidhsingyuchen @djdongjin @manugupt1 @rkonfj @suyanhanx @zhaojizhuang
Compatible containerd versions
This release of nerdctl is expected to be used with containerd v1.5 or v1.6.
About the binaries
- Minimal (nerdctl-1.2.1-linux-amd64.tar.gz): nerdctl only
- Full (nerdctl-full-1.2.1-linux-amd64.tar.gz): Includes dependencies such as containerd, runc, and CNI
Minimal
Extract the archive to a path like /usr/local/bin or ~/bin.
tar Cxzvvf /usr/local/bin nerdctl-1.2.1-linux-amd64.tar.gz
-rwxr-xr-x root/root 25595904 2023-02-28 04:13 nerdctl
-rwxr-xr-x root/root 21622 2023-02-28 04:12 containerd-rootless-setuptool.sh
-rwxr-xr-x root/root 7032 2023-02-28 04:12 containerd-rootless.sh
Full
Extract the archive to a path like /usr/local or ~/.local.
tar Cxzvvf /usr/local nerdctl-full-1.2.1-linux-amd64.tar.gz
drwxr-xr-x 0/0 0 2023-02-28 04:23 bin/
-rwxr-xr-x 0/0 27066377 2015-10-21 00:00 bin/buildctl
-rwxr-xr-x 0/0 23724032 2022-09-05 09:52 bin/buildg
-rwxr-xr-x 0/0 51980414 2015-10-21 00:00 bin/buildkitd
-rwxr-xr-x 0/0 3679064 2023-02-28 04:20 bin/bypass4netns
-rwxr-xr-x 0/0 5210112 2023-02-28 04:20 bin/bypass4netnsd
-rwxr-xr-x 0/0 55054136 2023-02-28 04:22 bin/containerd
-rwxr-xr-x 0/0 10219520 2022-11-09 07:56 bin/containerd-fuse-overlayfs-grpc
-rwxr-xr-x 0/0 21622 2023-02-28 04:21 bin/containerd-rootless-setuptool.sh
-rwxr-xr-x 0/0 7032 2023-02-28 04:21 bin/containerd-rootless.sh
-rwxr-xr-x 0/0 9830400 2023-02-28 04:22 bin/containerd-shim-runc-v2
-rwxr-xr-x 0/0 58983200 2023-01-26 12:59 bin/containerd-stargz-grpc
-rwxr-xr-x 0/0 20416279 2023-02-28 04:23 bin/ctd-decoder
-rwxr-xr-x 0/0 28246072 2023-02-28 04:21 bin/ctr
-rwxr-xr-x 0/0 29073157 2023-02-28 04:23 bin/ctr-enc
-rwxr-xr-x 0/0 26628320 2023-01-26 12:59 bin/ctr-remote
-rwxr-xr-x 0/0 1783392 2023-02-28 04:23 bin/fuse-overlayfs
-rwxr-xr-x 0/0 81852800 2023-01-30 14:42 bin/ipfs
-rwxr-xr-x 0/0 25567232 2023-02-28 04:21 bin/nerdctl
-rwxr-xr-x 0/0 9847163 2022-11-15 11:19 bin/rootlessctl
-rwxr-xr-x 0/0 11311662 2022-11-15 11:19 bin/rootlesskit
-rwxr-xr-x 0/0 13624920 2023-02-28 04:20 bin/runc
-rwxr-xr-x 0/0 2338128 2023-02-28 04:23 bin/slirp4netns
-rwxr-xr-x 0/0 870496 2023-02-28 04:23 bin/tini
drwxr-xr-x 0/0 0 2023-02-28 04:22 lib/
drwxr-xr-x 0/0 0 2023-02-28 04:22 lib/systemd/
drwxr-xr-x 0/0 0 2023-02-28 04:22 lib/systemd/system/
-rw-r--r-- 0/0 1331 2023-02-28 04:22 lib/systemd/system/buildkit.service
-rw-r--r-- 0/0 1270 2023-02-28 04:19 lib/systemd/system/containerd.service
-rw-r--r-- 0/0 312 2023-02-28 04:22 lib/systemd/system/stargz-snapshotter.service
drwxr-xr-x 0/0 0 2023-02-28 04:22 libexec/
drwxrwxr-x 0/0 0 2023-02-28 04:22 libexec/cni/
-rwxr-xr-x 0/0 3859475 2023-01-16 21:42 libexec/cni/bandwidth
-rwxr-xr-x 0/0 4299004 2023-01-16 21:42 libexec/cni/bridge
-rwxr-xr-x 0/0 10167415 2023-01-16 21:42 libexec/cni/dhcp
-rwxr-xr-x 0/0 3986082 2023-01-16 21:42 libexec/cni/dummy
-rwxr-xr-x 0/0 4385098 2023-01-16 21:42 libexec/cni/firewall
-rwxr-xr-x 0/0 3870731 2023-01-16 21:42 libexec/cni/host-device
-rwxr-xr-x 0/0 3287319 2023-01-16 21:42 libexec/cni/host-local
-rwxr-xr-x 0/0 3999593 2023-01-16 21:42 libexec/cni/ipvlan
-rwxr-xr-x 0/0 3353028 2023-01-16 21:42 libexec/cni/loopback
-rwxr-xr-x 0/0 4029261 2023-01-16 21:42 libexec/cni/macvlan
-rwxr-xr-x 0/0 3746163 2023-01-16 21:42 libexec/cni/portmap
-rwxr-xr-x 0/0 4161070 2023-01-16 21:42 libexec/cni/ptp
-rwxr-xr-x 0/0 3550152 2023-01-16 21:42 libexec/cni/sbr
-rwxr-xr-x 0/0 2845685 2023-01-16 21:42 libexec/cni/static
-rwxr-xr-x 0/0 3437180 2023-01-16 21:42 libexec/cni/tuning
-rwxr-xr-x 0/0 3993252 2023-01-16 21:42 libexec/cni/vlan
-rwxr-xr-x 0/0 3586502 2023-01-16 21:42 libexec/cni/vrf
drwxr-xr-x 0/0 0 2023-02-28 04:21 share/
drwxr-xr-x 0/0 0 2023-02-28 04:21 share/doc/
drwxr-xr-x 0/0 0 2023-02-28 04:21 share/doc/nerdctl/
-rw-r--r-- 0/0 12358 2023-02-28 04:12 share/doc/nerdctl/README.md
drwxr-xr-x 0/0 0 2023-02-28 04:21 share/doc/nerdctl/docs/
-rw-r--r-- 0/0 3953 2023-02-28 04:12 share/doc/nerdctl/docs/build.md
-rw-r--r-- 0/0 2570 2023-02-28 04:12 share/doc/nerdctl/docs/builder-debug.md
-rw-r--r-- 0/0 3996 2023-02-28 04:12 share/doc/nerdctl/docs/cni.md
-rw-r--r-- 0/0 67311 2023-02-28 04:12 share/doc/nerdctl/docs/command-reference.md
-rw-r--r-- 0/0 1846 2023-02-28 04:12 share/doc/nerdctl/docs/compose.md
-rw-r--r-- 0/0 3030 2023-02-28 04:12 share/doc/nerdctl/docs/config.md
-rw-r--r-- 0/0 7328 2023-02-28 04:12 share/doc/nerdctl/docs/cosign.md
-rw-r--r-- 0/0 2435 2023-02-28 04:12 share/doc/nerdctl/docs/dir.md
-rw-r--r-- 0/0 854 2023-02-28 04:12 share/doc/nerdctl/docs/experimental.md
-rw-r--r-- 0/0 14217 2023-02-28 04:12 share/doc/nerdctl/docs/faq.md
-rw-r--r-- 0/0 1197 2023-02-28 04:12 share/doc/nerdctl/docs/freebsd.md
-rw-r--r-- 0/0 2439 2023-02-28 04:12 share/doc/nerdctl/docs/gpu.md
-rw-r--r-- 0/0 14463 2023-02-28 04:12 share/doc/nerdctl/docs/ipfs.md
-rw-r--r-- 0/0 1748 2023-02-28 04:12 share/doc/nerdctl/docs/multi-platform.md
-rw-r--r-- 0/0 2596 2023-02-28 04:12 share/doc/nerdctl/docs/nydus.md
-rw-r--r-- 0/0 3277 2023-02-28 04:12 share/doc/nerdctl/docs/ocicrypt.md
-rw-r--r-- 0/0 1876 2023-02-28 04:12 share/doc/nerdctl/docs/overlaybd.md
-rw-r--r-- 0/0 15626 2023-02-28 04:12 share/doc/nerdctl/docs/registry.md
-rw-r--r-- 0/0 5088 2023-02-28 04:12 share/doc/nerdctl/docs/rootless.md
-rw-r--r-- 0/0 10370 2023-02-28 04:12 share/doc/nerdctl/docs/stargz.md
drwxr-xr-x 0/0 0 2023-02-28 04:23 share/doc/nerdctl-full/
-rw-r--r-- 0/0 1152 2023-02-28 04:23 share/doc/nerdctl-full/README.md
-rw-r--r-- 0/0 6014 2023-02-28 04:23 share/doc/nerdctl-full/SHA256SUMS
Included components
share/doc/nerdctl-full/README.md:
# nerdctl (full distribution)
- nerdctl: v1.2.1
- containerd: v1.6.19
- runc: v1.1.4
- CNI plugins: v1.2.0
- BuildKit: v0.11.3
- Stargz Snapshotter: v0.14.1
- imgcrypt: v1.1.7
- RootlessKit: v1.1.0
- slirp4netns: v1.2.0
- bypass4netns: v0.3.0
- fuse-overlayfs: v1.10
- containerd-fuse-overlayfs: v1.0.5
- Kubo (IPFS): v0.18.1
- Tini: v0.19.0
- buildg: v0.4.1
## License
- bin/slirp4netns: [GNU GENERAL PUBLIC LICENSE, Version 2](https://github.com/rootless-containers/slirp4netns/blob/v1.2.0/COPYING)
- bin/fuse-overlayfs: [GNU GENERAL PUBLIC LICENSE, Version 3](https://github.com/containers/fuse-overlayfs/blob/v1.10/COPYING)
- bin/ipfs: [Combination of MIT-only license and dual MIT/Apache-2.0 license](https://github.com/ipfs/kubo/blob/v0.18.1/LICENSE)
- bin/{runc,bypass4netns,bypass4netnsd}: Apache License 2.0, statically linked with libseccomp ([LGPL 2.1](https://github.com/seccomp/libseccomp/blob/main/LICENSE), source code available at https://github.com/seccomp/libseccomp/)
- bin/tini: [MIT License](https://github.com/krallin/tini/blob/v0.19.0/LICENSE)
- Other files: [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0)
Quick start
Rootful
$ sudo systemctl enable --now containerd
$ sudo nerdctl run -d --name nginx -p 80:80 nginx:alpine
Rootless
$ containerd-rootless-setuptool.sh install
$ nerdctl run -d --name nginx -p 8080:80 nginx:alpine
Enabling cgroup v2 is highly recommended for rootless mode, see https://rootlesscontaine.rs/getting-started/common/cgroup2/ .
The binaries were built automatically on GitHub Actions.
The build log is available for 90 days: https://github.com/containerd/nerdctl/actions/runs/4289468997
The sha256sum of the SHA256SUMS file itself is f1c5fee1ad7fc7641b867947a971c56c1d12cd9a6fb6482813fbd39542499577.
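The published SHA256SUMS digest lets a download be checked before it is extracted into /usr/local. The following is an added example, not part of the nerdctl release notes: verify_release is a hypothetical helper, and it assumes the release's SHA256SUMS file was downloaded next to the archive and uses the standard sha256sum line format.

```shell
#!/bin/sh
# Added example: verify a downloaded release archive before extracting it.
# Assumption: SHA256SUMS uses the sha256sum format ("<hex>  <filename>").

# Digest of the SHA256SUMS file as published in these release notes.
PINNED_SUMS_DIGEST=f1c5fee1ad7fc7641b867947a971c56c1d12cd9a6fb6482813fbd39542499577

# verify_release SUMS_FILE ARCHIVE [EXPECTED_SUMS_DIGEST]
# Returns 0 only if SUMS_FILE matches the pinned digest AND lists ARCHIVE
# with a digest equal to the one computed locally.
verify_release() {
    sums_file=$1
    archive=$2
    expected=${3:-$PINNED_SUMS_DIGEST}

    [ -f "$sums_file" ] && [ -f "$archive" ] || { echo "missing input file" >&2; return 2; }

    # Step 1: the checksum list itself must match the pinned digest,
    # otherwise every entry in it is untrusted.
    actual=$(sha256sum "$sums_file" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "SHA256SUMS digest mismatch: got $actual" >&2
        return 1
    fi

    # Step 2: look up the archive by exact file name; fail closed if absent.
    # A leading "*" (binary-mode marker) on the file name is ignored.
    name=$(basename "$archive")
    listed=$(awk -v n="$name" '{f=$2; sub(/^\*/, "", f)} f == n {print $1; exit}' "$sums_file")
    if [ -z "$listed" ]; then
        echo "$name is not listed in $sums_file" >&2
        return 1
    fi

    # Step 3: compare the listed digest with the locally computed one.
    computed=$(sha256sum "$archive" | awk '{print $1}')
    if [ "$computed" != "$listed" ]; then
        echo "archive digest mismatch for $name" >&2
        return 1
    fi
    echo "OK: $name"
}
```

Run it as `verify_release SHA256SUMS nerdctl-full-1.2.1-linux-amd64.tar.gz` and extract only when it exits with status 0.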