containerd/nerdctl v1.7.3 on GitHub

This release updates the runc and BuildKit binaries included in the nerdctl-full-*.tar.gz artifacts to apply security fixes.

Changes

nerdctl run:
- Update seccomp profile for kernel 6.7 (#2782)
nerdctl build:
- Implement --allow (#2746, thanks to @yankay)
nerdctl logs:
- Support containers running without -d (#2683, thanks to @vsiravar)
nerdctl compose:
- Implement group-add (#2771, thanks to @yankay)
containerd-rootless-setuptool.sh:
- nsenter: inherit RootlessKit env (#2743)
nerdctl-full:
- Update RootlessKit to v2.0.0 (#2779)
- Update containerd to v1.7.13 (#2779)
- Update runc to v1.1.12 (fixes CVE-2024-21626) (#2779)
- Update bypass4netns to v0.4.0 (#2779)
- Update Kubo to v0.26.0 (#2779)
- Update BuildKit to v0.12.5 (fixes CVE-2024-23651, CVE-2024-23652, CVE-2024-23653, CVE-2024-23650) (#2779)

Full changes: https://github.com/containerd/nerdctl/milestone/39?closed=1
Thanks to @TinaMor @dimaqq @henry118 @miurahr @sondavidb @vsiravar @yankay @zjumoon01

Compatible containerd versions

This release of nerdctl is expected to be used with containerd v1.6 or v1.7.

About the binaries

Minimal (nerdctl-1.7.3-linux-amd64.tar.gz): nerdctl only
Full (nerdctl-full-1.7.3-linux-amd64.tar.gz): Includes dependencies such as containerd, runc, and CNI

Minimal

Extract the archive to a path like /usr/local/bin or ~/bin .

tar Cxzvvf /usr/local/bin nerdctl-1.7.3-linux-amd64.tar.gz

-rwxr-xr-x root/root  25006080 2024-01-31 23:29 nerdctl
-rwxr-xr-x root/root     21916 2024-01-31 23:29 containerd-rootless-setuptool.sh
-rwxr-xr-x root/root      7187 2024-01-31 23:29 containerd-rootless.sh

Full

Extract the archive to a path like /usr/local or ~/.local .

tar Cxzvvf /usr/local nerdctl-full-1.7.3-linux-amd64.tar.gz

drwxr-xr-x 0/0               0 2024-01-31 23:36 bin/
-rwxr-xr-x 0/0        27644700 2015-10-21 00:00 bin/buildctl
-rwxr-xr-x 0/0        23724032 2022-09-05 09:52 bin/buildg
-rwxr-xr-x 0/0        53374823 2015-10-21 00:00 bin/buildkitd
-rwxr-xr-x 0/0         7277720 2024-01-31 23:34 bin/bypass4netns
-rwxr-xr-x 0/0         5308416 2024-01-31 23:34 bin/bypass4netnsd
-rwxr-xr-x 0/0        38864440 2024-01-31 23:36 bin/containerd
-rwxr-xr-x 0/0         9474048 2023-11-02 17:34 bin/containerd-fuse-overlayfs-grpc
-rwxr-xr-x 0/0           21916 2024-01-31 23:34 bin/containerd-rootless-setuptool.sh
-rwxr-xr-x 0/0            7187 2024-01-31 23:34 bin/containerd-rootless.sh
-rwxr-xr-x 0/0        12066816 2024-01-31 23:36 bin/containerd-shim-runc-v2
-rwxr-xr-x 0/0        45903872 2023-10-31 08:57 bin/containerd-stargz-grpc
-rwxr-xr-x 0/0        20496015 2024-01-31 23:36 bin/ctd-decoder
-rwxr-xr-x 0/0        18763776 2024-01-31 23:35 bin/ctr
-rwxr-xr-x 0/0        29449409 2024-01-31 23:36 bin/ctr-enc
-rwxr-xr-x 0/0        19931136 2023-10-31 08:58 bin/ctr-remote
-rwxr-xr-x 0/0         1785448 2024-01-31 23:36 bin/fuse-overlayfs
-rwxr-xr-x 0/0        65332928 2024-01-31 23:36 bin/ipfs
-rwxr-xr-x 0/0        24977408 2024-01-31 23:34 bin/nerdctl
-rwxr-xr-x 0/0        10128131 2024-01-15 01:11 bin/rootlessctl
-rwxr-xr-x 0/0        11771211 2024-01-15 01:11 bin/rootlesskit
-rwxr-xr-x 0/0        15065104 2024-01-31 23:34 bin/runc
-rwxr-xr-x 0/0         2346328 2024-01-31 23:36 bin/slirp4netns
-rwxr-xr-x 0/0          870496 2024-01-31 23:36 bin/tini
drwxr-xr-x 0/0               0 2024-01-31 23:36 lib/
drwxr-xr-x 0/0               0 2024-01-31 23:36 lib/systemd/
drwxr-xr-x 0/0               0 2024-01-31 23:36 lib/systemd/system/
-rw-r--r-- 0/0            1475 2024-01-31 23:36 lib/systemd/system/buildkit.service
-rw-r--r-- 0/0            1414 2024-01-31 23:34 lib/systemd/system/containerd.service
-rw-r--r-- 0/0             312 2024-01-31 23:36 lib/systemd/system/stargz-snapshotter.service
drwxr-xr-x 0/0               0 2024-01-31 23:36 libexec/
drwxrwxr-x 0/0               0 2024-01-31 23:36 libexec/cni/
-rwxr-xr-x 0/0         4109351 2023-12-04 16:38 libexec/cni/bandwidth
-rwxr-xr-x 0/0         4652757 2023-12-04 16:39 libexec/cni/bridge
-rwxr-xr-x 0/0        11050013 2023-12-04 16:39 libexec/cni/dhcp
-rwxr-xr-x 0/0         4297556 2023-12-04 16:39 libexec/cni/dummy
-rwxr-xr-x 0/0         4736299 2023-12-04 16:39 libexec/cni/firewall
-rwxr-xr-x 0/0         4191837 2023-12-04 16:39 libexec/cni/host-device
-rwxr-xr-x 0/0         3549866 2023-12-04 16:39 libexec/cni/host-local
-rwxr-xr-x 0/0         4315686 2023-12-04 16:39 libexec/cni/ipvlan
-rwxr-xr-x 0/0         3636792 2023-12-04 16:39 libexec/cni/loopback
-rwxr-xr-x 0/0         4349395 2023-12-04 16:39 libexec/cni/macvlan
-rwxr-xr-x 0/0         4085020 2023-12-04 16:39 libexec/cni/portmap
-rwxr-xr-x 0/0         4470977 2023-12-04 16:39 libexec/cni/ptp
-rwxr-xr-x 0/0         3851218 2023-12-04 16:39 libexec/cni/sbr
-rwxr-xr-x 0/0         3110828 2023-12-04 16:39 libexec/cni/static
-rwxr-xr-x 0/0         4371897 2023-12-04 16:39 libexec/cni/tap
-rwxr-xr-x 0/0         3726382 2023-12-04 16:39 libexec/cni/tuning
-rwxr-xr-x 0/0         4310173 2023-12-04 16:39 libexec/cni/vlan
-rwxr-xr-x 0/0         4001842 2023-12-04 16:39 libexec/cni/vrf
drwxr-xr-x 0/0               0 2024-01-31 23:34 share/
drwxr-xr-x 0/0               0 2024-01-31 23:34 share/doc/
drwxr-xr-x 0/0               0 2024-01-31 23:34 share/doc/nerdctl/
-rw-r--r-- 0/0           12480 2024-01-31 23:29 share/doc/nerdctl/README.md
drwxr-xr-x 0/0               0 2024-01-31 23:29 share/doc/nerdctl/docs/
-rw-r--r-- 0/0            3953 2024-01-31 23:29 share/doc/nerdctl/docs/build.md
-rw-r--r-- 0/0            2570 2024-01-31 23:29 share/doc/nerdctl/docs/builder-debug.md
-rw-r--r-- 0/0            3996 2024-01-31 23:29 share/doc/nerdctl/docs/cni.md
-rw-r--r-- 0/0           74383 2024-01-31 23:29 share/doc/nerdctl/docs/command-reference.md
-rw-r--r-- 0/0            1814 2024-01-31 23:29 share/doc/nerdctl/docs/compose.md
-rw-r--r-- 0/0            5329 2024-01-31 23:29 share/doc/nerdctl/docs/config.md
-rw-r--r-- 0/0            9128 2024-01-31 23:29 share/doc/nerdctl/docs/cosign.md
-rw-r--r-- 0/0            5660 2024-01-31 23:29 share/doc/nerdctl/docs/cvmfs.md
-rw-r--r-- 0/0            2435 2024-01-31 23:29 share/doc/nerdctl/docs/dir.md
-rw-r--r-- 0/0             906 2024-01-31 23:29 share/doc/nerdctl/docs/experimental.md
-rw-r--r-- 0/0           14217 2024-01-31 23:29 share/doc/nerdctl/docs/faq.md
-rw-r--r-- 0/0             884 2024-01-31 23:29 share/doc/nerdctl/docs/freebsd.md
-rw-r--r-- 0/0            3228 2024-01-31 23:29 share/doc/nerdctl/docs/gpu.md
-rw-r--r-- 0/0           14463 2024-01-31 23:29 share/doc/nerdctl/docs/ipfs.md
-rw-r--r-- 0/0            1748 2024-01-31 23:29 share/doc/nerdctl/docs/multi-platform.md
-rw-r--r-- 0/0            2960 2024-01-31 23:29 share/doc/nerdctl/docs/notation.md
-rw-r--r-- 0/0            2596 2024-01-31 23:29 share/doc/nerdctl/docs/nydus.md
-rw-r--r-- 0/0            3277 2024-01-31 23:29 share/doc/nerdctl/docs/ocicrypt.md
-rw-r--r-- 0/0            1876 2024-01-31 23:29 share/doc/nerdctl/docs/overlaybd.md
-rw-r--r-- 0/0           15657 2024-01-31 23:29 share/doc/nerdctl/docs/registry.md
-rw-r--r-- 0/0            5088 2024-01-31 23:29 share/doc/nerdctl/docs/rootless.md
-rw-r--r-- 0/0            2015 2024-01-31 23:29 share/doc/nerdctl/docs/soci.md
-rw-r--r-- 0/0           10312 2024-01-31 23:29 share/doc/nerdctl/docs/stargz.md
drwxr-xr-x 0/0               0 2024-01-31 23:36 share/doc/nerdctl-full/
-rw-r--r-- 0/0            1153 2024-01-31 23:36 share/doc/nerdctl-full/README.md
-rw-r--r-- 0/0            6400 2024-01-31 23:36 share/doc/nerdctl-full/SHA256SUMS

Included components

See share/doc/nerdctl-full/README.md:

# nerdctl (full distribution)
- nerdctl: v1.7.3
- containerd: v1.7.13
- runc: v1.1.12
- CNI plugins: v1.4.0
- BuildKit: v0.12.5
- Stargz Snapshotter: v0.15.1
- imgcrypt: v1.1.9
- RootlessKit: v2.0.0
- slirp4netns: v1.2.2
- bypass4netns: v0.4.0
- fuse-overlayfs: v1.13
- containerd-fuse-overlayfs: v1.0.8
- Kubo (IPFS): v0.26.0
- Tini: v0.19.0
- buildg: v0.4.1

## License
- bin/slirp4netns:    [GNU GENERAL PUBLIC LICENSE, Version 2](https://github.com/rootless-containers/slirp4netns/blob/v1.2.2/COPYING)
- bin/fuse-overlayfs: [GNU GENERAL PUBLIC LICENSE, Version 2](https://github.com/containers/fuse-overlayfs/blob/v1.13/COPYING)
- bin/ipfs: [Combination of MIT-only license and dual MIT/Apache-2.0 license](https://github.com/ipfs/kubo/blob/v0.26.0/LICENSE)
- bin/{runc,bypass4netns,bypass4netnsd}: Apache License 2.0, statically linked with libseccomp ([LGPL 2.1](https://github.com/seccomp/libseccomp/blob/main/LICENSE), source code available at https://github.com/seccomp/libseccomp/)
- bin/tini: [MIT License](https://github.com/krallin/tini/blob/v0.19.0/LICENSE)
- Other files: [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0)

Quick start

Rootful

$ sudo systemctl enable --now containerd
$ sudo nerdctl run -d --name nginx -p 80:80 nginx:alpine

Rootless

$ containerd-rootless-setuptool.sh install
$ nerdctl run -d --name nginx -p 8080:80 nginx:alpine

Enabling cgroup v2 is highly recommended for rootless mode, see https://rootlesscontaine.rs/getting-started/common/cgroup2/ .

The binaries were built automatically on GitHub Actions.
The build log is available for 90 days: https://github.com/containerd/nerdctl/actions/runs/7733769295

The sha256sum of the SHA256SUMS file itself is 9954c172f202e8fbebc733e1a58d3aeaed05ca5372c416342d6ebd06859f0411 .

Release manager: Akihiro Suda (@AkihiroSuda)