Public bug reported: [Availability] The containerd package is available in Ubuntu Universe, and builds for amd64, arm64, armhf, i386, ppc64el, s390x It has been available since at least Yakkety in mid 2016: https://launchpad.net/ubuntu/+source/containerd/+publishinghistory
[Rationale] containerd controls runC (which is the subject of MIR bug #1817336). >From their github page (https://github.com/containerd/containerd): "containerd is an industry-standard container runtime with an emphasis on simplicity, robustness and portability." The "industry standard" bit is about OCI (Open Container Initiative: https://www.opencontainers.org/). [Security] - CVE: there are no CVEs for it currently: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=containerd - Ubuntu CVE tracker for universe also shows no hits: https://people.canonical.com/~ubuntu-security/cve/universe.html - one hit in the OSS security mailing list about CVE-2019-5736 (the runC vulnerability): https://www.openwall.com/lists/oss-security/2019/02/11/2 - no suid/sgid binaries - executables are in /usr/bin as expected - the package installs a systemd service and the daemon runs as root, at least initially: /lib/systemd/system/containerd.service - the service by default listens on a localhost socket: tcp 0 0 127.0.0.1:39301 0.0.0.0:* LISTEN 21114/containerd - the service also listens on a unix socket, available only to root: srw-rw---- 1 root root 0 Feb 22 15:54 /run/containerd/containerd.sock [Quality assurance] After installing the package it must be possible to make it working with a reasonable effort of configuration and documentation reading. - the service starts after installation without errors, and since no default config file is shipped, it assumes defaults on its own. A quick check with the unsupported bundled ctr(1) tool shows the service is live: root@disco-runc:~# ctr images list REF TYPE DIGEST SIZE PLATFORMS LABELS root@disco-runc:~# The DEP8 test can also be run manually right after installation: http://paste.ubuntu.com/p/KHh37hZYTb/ There are no debconf questions. Bugs: - upstream issues: https://github.com/containerd/containerd/issues - 110 open - 657 closed - two bugs in debian (https://bugs.debian.org/cgi-bin/pkgreport.cgi?dist=unstable;package=containerd): - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855922 - "containerd: 0.2.3 ds1-1 breaks docker 1.11 - unable to start containerd" - seems closed - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863248 - "containerd 0.2.3+git20170126.85.aa8187d~ds1-1: container not started (docker.io 1.13.0~ds1-3)" - unanswered for > 1y - no open bugs in Ubuntu at the moment: https://bugs.launchpad.net/ubuntu/+source/containerd - 4 closed bugs in ubuntu: - https://bugs.launchpad.net/ubuntu/+source/containerd/+bug/1574904 - "Old clients cannot talk to Docker in 16.04" - https://bugs.launchpad.net/ubuntu/+source/containerd/+bug/1602243 - "[16.10 FEAT] Upgrade Docker to newest version 1.12" - https://bugs.launchpad.net/ubuntu/+source/containerd/+bug/1655906 - "Please upgrade docker.io to latest 1.12.6" - https://bugs.launchpad.net/ubuntu/+source/containerd/+bug/1711935 - "failing to start on ppc64el: R_PPC64_ADDR16_HA 277ef287d88 for symbol `' out of range" Debian PTS: https://packages.qa.debian.org/c/containerd.html https://tracker.debian.org/pkg/containerd (new tracker) - a few lintian warnings - debian is behind upstream (0.2.3 vs 1.2.4) - debian experimental has a 1.2.4 upload (Ubuntu Disco has 1.2.2): - first upload since 2017-08-08 - https://packages.qa.debian.org/c/containerd/news/20190220T120012Z.html - package is out of date regarding the debian policy - excuses page looks bad: https://qa.debian.org/excuses.php?package=containerd "581 old (needed 10 days)" - Updating containerd 0.2.3 introduces new bugs: #855922, #857819, #863248, #923431 It's unclear if the 1.2.4 version in experimental is better. The package should not deal with exotic hardware which we cannot support. - no exotic hardware involved Tests: - there is a basic smoke DEP8 test which downloads a docker container and runs a command in it http://autopkgtest.ubuntu.com/packages/containerd - the package also runs tests during package build time, except on armhf: https://launchpadlibrarian.net/411349928/buildlog_ubuntu-disco-amd64.containerd_1.2.2-0ubuntu3_BUILDING.txt.gz (search for dh_auto_test) debian/watch: - a debian/watch file is provided, and it works: ubuntu@disco-runc:~/deb/containerd/containerd$ uscan uscan: Newest version of containerd on remote site is 1.2.4, local version is 1.2.2 uscan: => Newer package available from https://github.com/containerd/containerd/archive/v1.2.4.tar.gz Successfully symlinked ../containerd-1.2.4.tar.gz to ../containerd_1.2.4.orig.tar.gz. Full lintian: - lintian -I --pedantic output: http://paste.ubuntu.com/p/FXkPKnxZdF/ - I would highlight: - problems with d/copyright - missing build-depends - out of date standards - some cleanups needed in the -dev package (perms, .git dirs) - binaries with no manpages The package should not rely on obsolete or about to be demoted packages. That currently includes package dependencies on Python2 (without providing Python3 packages), and packages depending on GTK2. - none seen [UI standards] There is no i18n for containerd. [Dependencies] Runtime dependencies are in main with the exception of runc, subject of another MIR (1817336) - the package has one golang build dependencies that comes from Universe: go-md2man. That package itself has other golang build dependencies that are in Universe. The MIR team currently seems to have an understanding (https://wiki.ubuntu.com/MIRTeam#golang) that that is acceptable, but subject to a case-by-case analysis to avoid populating main with too many packages like this. - there are no python{2,3} or GTK2 dependencies [Standards compliance] - the package is behind in its declaration of standards compliance: 3.9.7 vs 4.3.0 - golang-github-docker-containerd-dev, a binary package produced by the containerd source, has tons of golang source code shipped in /usr/share/gocode/src. These are basically checkouts of full source code trees of several projects. There are currently no reverse-depends for this package, so it can probably be placed in Universe. This package is also where many of the lintian issues come from. - FHS is fine otherwise (I'm not sure if the above is an FHS violation) - golang buildsystem is "odd". From d/rules, for example: override_dh_auto_configure: # copy pristine source for "/usr/share/gocode" to get into "golang-github-containerd-containerd-dev" before we muddy it with build artifacts, etc mkdir -p .pristine-source tar -c --exclude=debian --exclude=.pc --exclude=.pristine-source . | tar -xC .pristine-source # set up GOPATH symlink farm mkdir -p '$(OUR_GOPATH)/src/github.com/containerd' ln -sfT '$(CURDIR)' '$(OUR_GOPATH)/src/github.com/containerd/containerd' [Maintenance] All packages must have a designated "owning" team, regardless of complexity, which is set as a package bug contact. - TBD This package is definitely important in the container ecosystem. It drives other runtimes (runc, docker), and is driven by other projects (k8s). [Background information] None at this time. ** Affects: containerd (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1819761 Title: [MIR] containerd To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/containerd/+bug/1819761/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
