[ImgBot] Optimize images#1
Open
imgbot[bot] wants to merge 1 commit into
Open
Conversation
*Total -- 508.91kb -> 384.87kb (24.37%) /design/architecture.png -- 85.74kb -> 36.46kb (57.47%) /design/data-flow.png -- 29.61kb -> 15.22kb (48.58%) /docs/cri/cri.png -- 80.19kb -> 48.46kb (39.56%) /docs/cri/architecture.png -- 124.24kb -> 98.33kb (20.85%) /vendor/github.com/grpc-ecosystem/go-grpc-middleware/slack.png -- 4.97kb -> 4.45kb (10.4%) /docs/cri/containerd.png -- 51.56kb -> 50.81kb (1.45%) /design/snapshot_model.png -- 63.24kb -> 62.53kb (1.12%) /docs/cri/performance.png -- 69.36kb -> 68.59kb (1.11%) Signed-off-by: ImgBotApp <ImgBotHelp@gmail.com>
pull Bot
pushed a commit
that referenced
this pull request
Oct 28, 2025
Silence a govulncheck noise: ``` Vulnerability #1: GO-2025-3595 Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net More info: https://pkg.go.dev/vuln/GO-2025-3595 Module: golang.org/x/net Found in: golang.org/x/net@v0.37.0 Fixed in: golang.org/x/net@v0.38.0 Your code is affected by 0 vulnerabilities. This scan also found 0 vulnerabilities in packages you import and 1 vulnerability in modules you require, but your code doesn't appear to call these vulnerabilities. ``` Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
pull Bot
pushed a commit
that referenced
this pull request
Nov 5, 2025
[Carry #1] fix goroutine leak of container Attach
pull Bot
pushed a commit
that referenced
this pull request
Feb 8, 2026
This change sets the AppArmor policy used by containerd to indicate it is `abi/3.0`. This was chosen based on some code archeology which indicated that containerd 1.7 came out in March 2023, before the AppArmor 4.0 ABI. The AppArmor policies themselves date to much older; the last apparmor version-checks were removed in 4baa187 and c990e3f, and both were looking for AppArmor 2.8.96 or older, pointing to abi/3.0 being the "correct" one to pick. Nothing is preventing containerd from migrating to a newer AppArmor ABI; note, however, that anything newer than `abi/4.0` will need modifications to preserve UNIX domain sockets. This was tested by building a custom k3s v1.35.0+k3s3, with the following modification: ``` diff --git a/go.mod b/go.mod index 4e7bacd204..0fcaf76b8f 100644 --- a/go.mod +++ b/go.mod @@ -8,7 +8,7 @@ replace ( github.com/cilium/ebpf => github.com/cilium/ebpf v0.12.3 github.com/cloudnativelabs/kube-router/v2 => github.com/k3s-io/kube-router/v2 v2.6.3-k3s1 github.com/containerd/containerd/api => github.com/containerd/containerd/api v1.9.0 - github.com/containerd/containerd/v2 => github.com/k3s-io/containerd/v2 v2.1.5-k3s1 + github.com/containerd/containerd/v2 => github.com/achernya/containerd/v2 v2.0.0-20260206214308-5e0dce89c422 github.com/containerd/imgcrypt => github.com/containerd/imgcrypt v1.1.11 github.com/containerd/stargz-snapshotter => github.com/k3s-io/stargz-snapshotter v0.17.0-k3s1 github.com/docker/distribution => github.com/docker/distribution v2.8.3+incompatible ``` to use a precursor to this commit. Once built, the resulting k3s was tested on a brand-new Proxmox installation: ``` root@containerd-test:~# uname -a Linux containerd-test 6.17.2-1-pve #1 SMP PREEMPT_DYNAMIC PMX 6.17.2-1 (2025-10-21T11:55Z) x86_64 GNU/Linux root@containerd-test:~# pveversion pve-manager/9.1.1/42db4a6cf33dac83 (running kernel: 6.17.2-1-pve) ``` Files were copied over: ``` achernya@achernya-dev:~/src/k3s$ scp -r dist/artifacts/ root@containerd-test: ``` and installed ``` root@containerd-test:~# mkdir -p /var/lib/rancher/k3s/agent/images/ /usr/local/bin root@containerd-test:~# cp artifacts/k3s /usr/local/bin/ root@containerd-test:~# cp artifacts/k3s-airgap-images-amd64.tar.zst /var/lib/rancher/k3s/agent/images/ ``` then finally started with `k3s server`. Argo CD was then installed: ``` root@containerd-test:~# k3s kubectl create namespace argocd namespace/argocd created root@containerd-test:~# k3s kubectl apply -n argocd --server-side --force-conflicts -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml [elided] root@containerd-test:~# k3s kubectl get pods -A NAMESPACE NAME READY STATUS RESTARTS AGE argocd argocd-application-controller-0 1/1 Running 0 31s argocd argocd-applicationset-controller-77475dfcf-6b4cb 1/1 Running 0 32s argocd argocd-dex-server-6485c5ddf5-ckp5s 1/1 Running 0 32s argocd argocd-notifications-controller-758f795776-djx69 1/1 Running 0 32s argocd argocd-redis-6cc4bb5db5-lt9fh 1/1 Running 0 32s argocd argocd-repo-server-c76cf57cd-mr4mc 1/1 Running 0 32s argocd argocd-server-6f85b59c87-w6cns 0/1 Running 0 32s kube-system coredns-6b4688786f-pnds2 1/1 Running 0 4m1s kube-system helm-install-traefik-crd-cn28g 0/1 Completed 0 4m1s kube-system helm-install-traefik-hc9gp 0/1 Completed 2 4m1s kube-system local-path-provisioner-6bc6568469-7wglx 1/1 Running 0 4m1s kube-system metrics-server-77dbbf84b-nqzsc 1/1 Running 0 4m1s kube-system svclb-traefik-fe6d3a0b-z7jsp 2/2 Running 0 3m14s kube-system traefik-5fdc878c8d-cjhx5 1/1 Running 0 3m15s ``` Fixes: containerd#12726 Signed-off-by: Alex Chernyakhovsky <alex@achernya.com>
pull Bot
pushed a commit
that referenced
this pull request
Jun 16, 2026
golang.org/x/crypto v0.52.0 contains various security updates; those
do NOT impact containerd, but may show up as vulnerability in scanners;
=== Symbol Results ===
No vulnerabilities found.
=== Package Results ===
No other vulnerabilities found.
=== Module Results ===
Vulnerability #1: GO-2026-5033
Invoking pathological inputs can lead to client panic in
golang.org/x/crypto/ssh/agent
More info: https://pkg.go.dev/vuln/GO-2026-5033
Module: golang.org/x/crypto
Found in: golang.org/x/crypto@v0.51.0
Fixed in: golang.org/x/crypto@v0.52.0
Vulnerability #2: GO-2026-5023
Invoking VerifiedPublicKeyCallback permissions skip enforcement in
golang.org/x/crypto/ssh
More info: https://pkg.go.dev/vuln/GO-2026-5023
Module: golang.org/x/crypto
Found in: golang.org/x/crypto@v0.51.0
Fixed in: golang.org/x/crypto@v0.52.0
Vulnerability #3: GO-2026-5021
Invoking auth bypass via unenforced @Revoked status in
golang.org/x/crypto/ssh/knownhosts
More info: https://pkg.go.dev/vuln/GO-2026-5021
Module: golang.org/x/crypto
Found in: golang.org/x/crypto@v0.51.0
Fixed in: golang.org/x/crypto@v0.52.0
Vulnerability #4: GO-2026-5020
Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh
More info: https://pkg.go.dev/vuln/GO-2026-5020
Module: golang.org/x/crypto
Found in: golang.org/x/crypto@v0.51.0
Fixed in: golang.org/x/crypto@v0.52.0
Vulnerability #5: GO-2026-5019
Invoking bypass of FIDO/U2F security keys physical interaction in
golang.org/x/crypto/ssh
More info: https://pkg.go.dev/vuln/GO-2026-5019
Module: golang.org/x/crypto
Found in: golang.org/x/crypto@v0.51.0
Fixed in: golang.org/x/crypto@v0.52.0
Vulnerability #6: GO-2026-5018
Invoking pathological RSA/DSA parameters may cause DoS in
golang.org/x/crypto/ssh
More info: https://pkg.go.dev/vuln/GO-2026-5018
Module: golang.org/x/crypto
Found in: golang.org/x/crypto@v0.51.0
Fixed in: golang.org/x/crypto@v0.52.0
Vulnerability #7: GO-2026-5017
Invoking client can cause server deadlock on unexpected responses in
golang.org/x/crypto/ssh
More info: https://pkg.go.dev/vuln/GO-2026-5017
Module: golang.org/x/crypto
Found in: golang.org/x/crypto@v0.51.0
Fixed in: golang.org/x/crypto@v0.52.0
Vulnerability #8: GO-2026-5016
Invoking memory leak when rejecting channels can lead to DoS in
golang.org/x/crypto/ssh
More info: https://pkg.go.dev/vuln/GO-2026-5016
Module: golang.org/x/crypto
Found in: golang.org/x/crypto@v0.51.0
Fixed in: golang.org/x/crypto@v0.52.0
Vulnerability #9: GO-2026-5015
Invoking server panic during CheckHostKey/Authenticate in
golang.org/x/crypto/ssh
More info: https://pkg.go.dev/vuln/GO-2026-5015
Module: golang.org/x/crypto
Found in: golang.org/x/crypto@v0.51.0
Fixed in: golang.org/x/crypto@v0.52.0
Vulnerability #10: GO-2026-5014
Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh
More info: https://pkg.go.dev/vuln/GO-2026-5014
Module: golang.org/x/crypto
Found in: golang.org/x/crypto@v0.51.0
Fixed in: golang.org/x/crypto@v0.52.0
Vulnerability #11: GO-2026-5013
Invoking byte arithmetic causes underflow and panic in
golang.org/x/crypto/ssh
More info: https://pkg.go.dev/vuln/GO-2026-5013
Module: golang.org/x/crypto
Found in: golang.org/x/crypto@v0.51.0
Fixed in: golang.org/x/crypto@v0.52.0
Vulnerability #12: GO-2026-5006
Invoking agent constraints dropped when forwarding keys in
golang.org/x/crypto/ssh/agent
More info: https://pkg.go.dev/vuln/GO-2026-5006
Module: golang.org/x/crypto
Found in: golang.org/x/crypto@v0.51.0
Fixed in: golang.org/x/crypto@v0.52.0
Vulnerability #13: GO-2026-5005
Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent
More info: https://pkg.go.dev/vuln/GO-2026-5005
Module: golang.org/x/crypto
Found in: golang.org/x/crypto@v0.51.0
Fixed in: golang.org/x/crypto@v0.52.0
Your code is affected by 0 vulnerabilities.
This scan also found 0 vulnerabilities in packages you import and 13
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Beep boop. Your images are optimized!
Your image file size has been reduced by 24% 🎉
Details
📝 docs |
repo | 🙋🏾 issues | 🏪 marketplace
~Imgbot - Part of Optimole family