Merge tag 'v1.6.0' into update_fork_main_to_1.6

containerd 1.6.0

Welcome to the v1.6.0 release of containerd!

The seventh major release of containerd includes many improvements and added
support to increase overall compatibility and stability.

* **Add runtime label to metrics** ([#5744](https://github.com/containerd/containerd/pull/5744))
* **Cleanup task delete logic in v2 shim** ([#5813](https://github.com/containerd/containerd/pull/5813))
* **Add support for shim plugins** ([#5817](https://github.com/containerd/containerd/pull/5817))
* **Handle sigint and sigterm in shimv2** ([#5828](https://github.com/containerd/containerd/pull/5828))
* **Decouple shim and task manager** ([#5918](https://github.com/containerd/containerd/pull/5918))
* **Add runc shim support for core scheduling** ([#6011](https://github.com/containerd/containerd/pull/6011))
* **Update shim client connect attempt to fail fast when shim errors** ([#6031](https://github.com/containerd/containerd/pull/6031))
* **Add support for absolute path to shim binaries** ([#6206](https://github.com/containerd/containerd/pull/6206))
* **Update runc to v1.1.0** ([#6375](https://github.com/containerd/containerd/pull/6375))

* **Add support for Windows HostProcess containers** ([#5131](https://github.com/containerd/containerd/pull/5131))
* **Add support for Windows resource limits** ([#5778](https://github.com/containerd/containerd/pull/5778))

* **Add CNI configuration based on runtime class** ([#4695](https://github.com/containerd/containerd/pull/4695))
* **Add support for Intel RDT** ([#5439](https://github.com/containerd/containerd/pull/5439))
* **Add support for CRI v1 and v1alpha in parallel** ([#5619](https://github.com/containerd/containerd/pull/5619))
* **Add support for unified resources field for cgroups v2** ([#5627](https://github.com/containerd/containerd/pull/5627))
* **Add IP preference configuration for reporting pod IP** ([#5964](https://github.com/containerd/containerd/pull/5964))
* **Implement new CRI pod sandbox stats API** ([#6113](https://github.com/containerd/containerd/pull/6113))
* **Add sandbox and container latency metrics** ([#6111](https://github.com/containerd/containerd/pull/6111))
* **Add namespace to ttrpc and grpc plugin connections** ([#6130](https://github.com/containerd/containerd/pull/6130))
* **Add option to allow ping sockets and privileged ports with no capabilities** ([#6170](https://github.com/containerd/containerd/pull/6170))
* **Add support for configuring swap** ([#6320](https://github.com/containerd/containerd/pull/6320))

* **Add support for client TLS Auth for grpc** ([#5606](https://github.com/containerd/containerd/pull/5606))
* **Add xfs support for devicemapper snapshotter** ([#5610](https://github.com/containerd/containerd/pull/5610))
* **Add metric exposing build version and revision** ([#5965](https://github.com/containerd/containerd/pull/5965))
* **Add support for custom fs options in devmapper snapshotter** ([#6122](https://github.com/containerd/containerd/pull/6122))
* **Update introspection service to show GRPC plugins** ([#6432](https://github.com/containerd/containerd/pull/6432))

* **Allow WithServices to use custom implementations** ([#5709](https://github.com/containerd/containerd/pull/5709))
* **Support custom compressor for walking differ** ([#5735](https://github.com/containerd/containerd/pull/5735))

The tar bundles released as `cri-containerd-*.tar.gz` contain a build of runc
linked with a newer version of libseccomp. This dynamically-linked build of runc
was built on Ubuntu 18.04 and will not work on some other distributions, such as
RHEL 7 and Debian 10. Users of such distributions may get a statically-linked
runc binary from https://github.com/opencontainers/runc/releases or build runc
for their own environment.

> **_Deprecation_** These tar bundles are now deprecated and will be removed or
> replaced in containerd 2.0. Projects relying on these tar bundles should use
> the `containerd-*.tar.gz` bundles or work with the containerd community on a
> suitable replacement in containerd 2.0.

See the changelog for complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

* Derek McGowan
* Phil Estes
* Akihiro Suda
* Wei Fu
* Maksym Pavlenko
* Sebastiaan van Stijn
* Michael Crosby
* Kazuyoshi Kato
* Mike Brown
* Claudiu Belu
* Daniel Canter
* Gabriel Adrian Samfira
* haoyun
* Brian Goff
* Stefan Berger
* zounengren
* AdamKorcz
* Adelina Tuvenie
* Kohei Tokunaga
* Davanum Srinivas
* Nashwan Azhari
* Samuel Karp
* Shiming Zhang
* Markus Lehtonen
* Enrico Weigelt, metux IT consult
* Alakesh Haloi
* Hajime Tazaki
* Iceber Gu
* Kevin Parsons
* Aditi Sharma
* David Porter
* Jeremi Piotrowski
* Gijs Peskens
* ningmingxiao
* Brandon Lum
* Cody Roseborough
* Danielle Lancashire
* Eric Ernst
* Jacob MacElroy
* Tõnis Tiigi
* dependabot[bot]
* wanglei
* Alexandre Peixoto Ferreira
* Fabiano Fidêncio
* Furkan Türkal
* Jiaming Xu
* Kir Kolyshkin
* Miao Wang
* Neil Johnson
* Paul "TBBle" Hampson
* Priyanka Saggu
* Romain Aviolat
* Samuel Ortiz
* Sunghoon Kang
* Takumasa Sakao
* Tobias Klauser
* Zhiyu Li
* ye.sijun
* Alexander Minbaev
* Alexey Ivanov
* Andrey Smirnov
* Artem Khramov
* Aurelien Lun-Sin
* Ben Hutchings
* Cory Bennett
* Da McGrady
* Dan Williams
* Eng Zer Jun
* Ethan Chen
* Fupan Li
* Gaurav Gahlot
* Gunju Kim
* Henry Wang
* Jacob Blain Christen
* James Gordon
* James Sturtevant
* Jan Klippel
* Jayme Howard
* Jiajun Jiang
* Jintao Zhang
* Justin Terry
* Kaijie Chen
* Kante
* Kern Walster
* Kitt Hsu
* Lantao Liu
* Ma Xinjian
* Manabu Sugimoto
* Manuel Alejandro de Brito Fontes
* Mark Rossetti
* Markus Lippert
* Mete Durlu
* Michael Zappa
* Mikko Ylinen
* Ng Yang
* Nicolas Chariglione
* Ning Li
* Olli Janatuinen
* Peri Thompson
* Quan Tian
* Radostin Stoyanov
* Rui Lopes
* Sambhav Kothari
* Sebastian Hasler
* Sergey Kanzhelev
* Shuntaro Azuma
* Sören Tempel
* Yang Yang
* Yifan Yuan
* Zilong Wang
* Zufar Dhiyaulhaq
* botieking98
* chenxiaoyu
* jayonlau
* jerryzhuang
* linrunlong
* scuzhanglei
* wangzhan
* Étienne Guesnet

<details><summary>1059 commits</summary>
<p>

* Prepare release notes for v1.6.0 ([#6531](https://github.com/containerd/containerd/pull/6531))
  * Prepare release notes for v1.6.0
* Update Go to 1.16.14, 1.17.7 ([#6555](https://github.com/containerd/containerd/pull/6555))
  * Update Go to 1.16.14, 1.17.7
* Change the context to avoid misunderstandings in architecture.md. ([#6533](https://github.com/containerd/containerd/pull/6533))
  * Change the context to avoid misunderstandings
* Update go-cni to v1.1.3 ([#6543](https://github.com/containerd/containerd/pull/6543))
  * Update go-cni to v1.1.3
  * Update go-cni to v1.1.2
* Wait for containerd installation in GCE scripts ([#6544](https://github.com/containerd/containerd/pull/6544))
  * Wait for containerd installation in GCE scripts
* Enable TestContainerPTY and TestContainerUsername ([#6540](https://github.com/containerd/containerd/pull/6540))
  * Enable TestContainerPTY and TestContainerUsername
* Update BUILDING.md ([#6500](https://github.com/containerd/containerd/pull/6500))
  * Add instructions on using go with admin perms
* Prepare release notes for v1.6.0-rc.4 ([#6537](https://github.com/containerd/containerd/pull/6537))
  * Prepare release notes for v1.6.0-rc.4
* Change file name for shim binary path ([#6536](https://github.com/containerd/containerd/pull/6536))
  * Change file name for shim binary path
* containerd-stress: introduce option for specifying image ([#6532](https://github.com/containerd/containerd/pull/6532))
  * containerd-stress: introduce option for specifying image
* Prepare release notes for v1.6.0-rc.3 ([#6524](https://github.com/containerd/containerd/pull/6524))
  * Prepare release notes for v1.6.0-rc.3
* Use white logo in github dark mode ([#6529](https://github.com/containerd/containerd/pull/6529))
  * Use white logo in github dark mode
* cri: fix handling of ignore_rdt_not_enabled_errors config option ([#6514](https://github.com/containerd/containerd/pull/6514))
  * cri: fix handling of ignore_rdt_not_enabled_errors config option
* pkg/oom/v2: handle EventChan routine shutdown quietly ([#6504](https://github.com/containerd/containerd/pull/6504))
  * pkg/oom/v2: handle EventChan routine shutdown quietly
* fix: .dockerignore make git working tree dirty ([#6523](https://github.com/containerd/containerd/pull/6523))
  * fix: .dockerignore makes git working tree dirty
* containerd-stress: start task ctr before starting execs ([#6518](https://github.com/containerd/containerd/pull/6518))
  * containerd-stress: start task ctr before starting execs
* Document fs_type and fs_options in snapshots/devmapper/README.md ([#6501](https://github.com/containerd/containerd/pull/6501))
  * Document fs_type and fs_options in snapshots/devmapper/README.md
* docs: add Talos Linux to the list of adopters ([#6510](https://github.com/containerd/containerd/pull/6510))
  * docs: add Talos Linux to the list of adopters
* Prepare 1.6.0-rc.2 ([#6502](https://github.com/containerd/containerd/pull/6502))
  * Prepare release notes for v1.6.0-rc.2
  * Update releases document
* platforms.Normalize(): do not reset OSVersion and OSFeatures ([#6497](https://github.com/containerd/containerd/pull/6497))
  * platforms.Normalize(): do not reset OSVersion and OSFeatures
* tracing: use OTLP/HTTP in addition to OTLP/gRPC ([#6457](https://github.com/containerd/containerd/pull/6457))
  * tracing: return (ctx, span) from StartSpan
  * tracing: support OTLP/HTTP in addition to gRPC
* Update cgroups to v1.0.3 ([#6498](https://github.com/containerd/containerd/pull/6498))
  * Update cgroups to v1.0.3
* seccomp: kernel 5.11 -> 5.16 ([#6494](https://github.com/containerd/containerd/pull/6494))
  * seccomp: kernel 5.16 (futex_waitv)
  * seccomp: kernel 5.15 (process_mrelease)
  * seccomp: kernel 5.14 (quotactl_fd, memfd_secret)
  * seccomp: kernel 5.13 (landlock_{add_rule,create_ruleset,restrict_self})
  * seccomp: kernel 5.12 (mount_setattr)
* remotes: fix dockerPusher to handle abort correctly ([#6243](https://github.com/containerd/containerd/pull/6243))
  * remotes: fix dockerPusher to handle abort correctly
* seccomp: add support for "swapcontext" syscall in default policy ([#6411](https://github.com/containerd/containerd/pull/6411))
  * seccomp: add support for "swapcontext" syscall in default policy
* oci: use readonly mount to read user/group info ([#6478](https://github.com/containerd/containerd/pull/6478))
  * oci: use readonly mount to read user/group info
* Fix possibly incorrect media type default on import ([#6475](https://github.com/containerd/containerd/pull/6475))
  * Fix possibly incorrect media type default on import
* shimv2: handle sigint/sigterm ([#5828](https://github.com/containerd/containerd/pull/5828))
  * shimv2: handle sigint/sigterm
* Fix acr fetch token 400 ([#6481](https://github.com/containerd/containerd/pull/6481))
  * fix acr fetch token 400
* platforms: add support for matching amd64 variants ([#6455](https://github.com/containerd/containerd/pull/6455))
  * platforms: add support for matching amd64 variants
* Fix windows periodic workflow ([#6476](https://github.com/containerd/containerd/pull/6476))
  * Fix windows periodic workflow
* docs: add doc-comments on GC-related methods ([#6473](https://github.com/containerd/containerd/pull/6473))
  * docs: add doc-comments on GC-related methods
* fix: should not send 137 code event if cmd is notfound ([#6465](https://github.com/containerd/containerd/pull/6465))
  * fix: should not send 137 code event if cmd is notfound
* Fix empty scopes return ([#6463](https://github.com/containerd/containerd/pull/6463))
  * fix empty scopes return
* Prepare release notes for v1.6.0-rc.1 ([#6462](https://github.com/containerd/containerd/pull/6462))
  * Prepare release notes for v1.6.0-rc.1
* Add support for skipping non-dist blob push ([#6424](https://github.com/containerd/containerd/pull/6424))
  * ctr: flag to toggle non-distributable blob push
  * Add image handler to skip non-distributable blobs.
* Compile binaries for go1.16 and go1.17 in CI ([#6461](https://github.com/containerd/containerd/pull/6461))
  * Compile binaries for go1.16 and go1.17 in CI
* services/introspection: fix plugin caching to show grpc plugins ([#6432](https://github.com/containerd/containerd/pull/6432))
  * Update caching logic to avoid map access
  * services/introspection: support to show introspection grpc service
* Integration: Change to Windows Server 2022 build number constant ([#6458](https://github.com/containerd/containerd/pull/6458))
  * Integration: Change to Windows Server 2022 build number constant
* Update kubernetes vendor to 0.22.5 ([#6460](https://github.com/containerd/containerd/pull/6460))
  * Update kubernetes vendor to 0.22.5
* Fix rdt build tags for go 1.16 ([#6459](https://github.com/containerd/containerd/pull/6459))
  * Fix rdt build tags for go 1.16
* Remove submodule go mod ([#6439](https://github.com/containerd/containerd/pull/6439))
  * Remove api go submodule
  * Update makefile to remove API submodule
* go.mod: Update hcsshim to v0.9.2 ([#6453](https://github.com/containerd/containerd/pull/6453))
  * go.mod: Update hcsshim to v0.9.2
* update runc to v1.1.0 ([#6375](https://github.com/containerd/containerd/pull/6375))
  * go.mod: github.com/opencontainers/runc v1.1.0
  * update runc binary to v1.1.0
* tracing: fix OTLP tracer's initialization ([#6443](https://github.com/containerd/containerd/pull/6443))
  * tracing: fix OTLP tracer's initialization
* gha: run CodeQL scan on pull requests ([#6386](https://github.com/containerd/containerd/pull/6386))
  * gha: run CodeQL scan on pull requests
* Do not automatically inject client traces ([#6445](https://github.com/containerd/containerd/pull/6445))
  * Do not automatically inject client traces
* [containerd-stress] delete useless code ([#6451](https://github.com/containerd/containerd/pull/6451))
  * delete useless code
* Revert "Add shared content label to namespaces" ([#6440](https://github.com/containerd/containerd/pull/6440))
  * Revert "Add shared content label to namespaces"
* Add ppc64 support for test images ([#6435](https://github.com/containerd/containerd/pull/6435))
  * Add ppc64 support for test images
* ctr: Unify the delete subcommand alias ([#6427](https://github.com/containerd/containerd/pull/6427))
  * ctr: Unify the delete subcommand alias
* Prepare release notes for v1.6.0-rc.0 ([#6431](https://github.com/containerd/containerd/pull/6431))
  * Prepare release notes for v1.6.0-rc.0
* Integration: Switch to using `auth` Gcloud action in Windows workflow. ([#6397](https://github.com/containerd/containerd/pull/6397))
  * Integration: Switch to `upload-cloud-storage` Gcloud action.
  * Integration: Switch to using `auth` Gcloud action in Windows workflow.
* remove io/ioutil ([#6426](https://github.com/containerd/containerd/pull/6426))
  * remove io/ioutil
* test: e2e node COS cgroupv2 script ([#6418](https://github.com/containerd/containerd/pull/6418))
  * test: e2e node COS cgroupv2 script
* Integration: Enable CRITest on Windows 2022. ([#6378](https://github.com/containerd/containerd/pull/6378))
  * Enable critest tests on Windows Server 2022.
  * Parametrize CRITest test images in Windows Periodic workflow.
* Update error message for apparmor parser ([#6415](https://github.com/containerd/containerd/pull/6415))
  * Update error message for apparmor parser
* Fix wrong log message ([#6419](https://github.com/containerd/containerd/pull/6419))
  * Fix wrong log message
* Followup errors change ([#6414](https://github.com/containerd/containerd/pull/6414))
  * Fix incorrect error wrapped when closing ingest file
  * Fix seek error used without nil check
  * Fix followup items from errors replacement
* Updates CRI API & Kubernetes to 1.23 ([#6351](https://github.com/containerd/containerd/pull/6351))
  * Update k/k to 1.23.0
* Updating adoption of containerd for AKS ([#6416](https://github.com/containerd/containerd/pull/6416))
  * Updating adoption of containerd for AKS
* update the adoption status of containerd in GKE ([#6413](https://github.com/containerd/containerd/pull/6413))
  * update the adoption status of containerd in GKE
*  go.mod: update github.com/containerd/{continuity,go-cni,imgcrypt} ([#6410](https://github.com/containerd/containerd/pull/6410))
  * go.mod: update github.com/containerd/{continuity,go-cni,imgcrypt}
* replace github.com/pkg/errors with native errors ([#6366](https://github.com/containerd/containerd/pull/6366))
  * feat: replace github.com/pkg/errors to errors
* corrected link in cri architecture documentation ([#6412](https://github.com/containerd/containerd/pull/6412))
  * corrected link in cri architecture documentation
* remotes/docker: allow fetching "refresh token" (aka "identity token", "offline token") ([#6396](https://github.com/containerd/containerd/pull/6396))
  * remotes/docker: allow fetching "refresh token" (aka "identity token")
  * remotes/docker/config: allow setting custom AuthorizerOpts
* Prepare release notes for v1.6.0-beta.5 ([#6407](https://github.com/containerd/containerd/pull/6407))
  * Prepare release notes for v1.6.0-beta.5
* Integration: Check GCP secrets on Windows CI artifact upload. ([#6292](https://github.com/containerd/containerd/pull/6292))
  * Integration: Check GCP secrets on Windows CI artifact upload.
* Github Security Advisory [GHSA-mvff-h3cj-wj9c](https://github.com/containerd/containerd/security/advisories/GHSA-mvff-h3cj-wj9c)
  * only relabel cri managed host mounts
* Add support for Intel RDT ([#5439](https://github.com/containerd/containerd/pull/5439))
  * cri: add ignore_rdt_not_enabled_errors config option
  * Update dependencies
  * cri: annotations for controlling RDT class
  * tasks: add Linux rdt support
  * cmd: add --rdt-class command line option
  * oci: implement WithRdt
* fix: use _ for consistency ([#6391](https://github.com/containerd/containerd/pull/6391))
  * fix: use _ for consistency
* content/local: use syscall.Timespec.Unix ([#6403](https://github.com/containerd/containerd/pull/6403))
  * content/local: use syscall.Timespec.Unix
* docs: improve plugin documentation ([#6207](https://github.com/containerd/containerd/pull/6207))
  * docs: document the runtime shim plugin config options
  * docs: use proper markdown lists in containerd-config.toml.5.md
* fix(ctr): enable networking for Windows containers ([#6304](https://github.com/containerd/containerd/pull/6304))
  * fix(ctr): enable networking for Windows containers
* Fix $(PWD) issue for Windows makefile ([#6394](https://github.com/containerd/containerd/pull/6394))
  * Fix $(PWD) issue for Windows makefile
* only test abstract uds on linux ([#6395](https://github.com/containerd/containerd/pull/6395))
  * fix: only test abstract unix socket on linux
* Fix restart container test ([#6390](https://github.com/containerd/containerd/pull/6390))
  * Expect ErrorNotFound on Windows after Kill()
  * Replace tskill with taskkill
* fix when kernel version < 4.13rc1 by using index=off cause test error ([#6291](https://github.com/containerd/containerd/pull/6291))
  * fix when kernel version < 4.13rc1 by using index=off cause overlay test error
* Fix no-daemon flag for integration/client tests ([#6384](https://github.com/containerd/containerd/pull/6384))
  * Fix no-daemon flag for integration/client tests
* Enable lazy init for ext4 with devicemapper ([#6122](https://github.com/containerd/containerd/pull/6122))
  * Enable lazy init for ext4 with devicemapper
* Fix flakiness on Windows for list stats ([#6385](https://github.com/containerd/containerd/pull/6385))
  * Fix flakiness on Windows for list stats
* cri-integration: Add Windows defaults and fix spaces issue ([#6347](https://github.com/containerd/containerd/pull/6347))
  * cri-integration: Add Windows default paths
* Upgrade OpenTelemetry dependencies ([#6383](https://github.com/containerd/containerd/pull/6383))
  * Upgrade k8s.io/klog/v2 from 2.9.0 to 2.20.0
  * Use insecure.NewCredentials instead of grpc.WithInsecure
  * Upgrade OpenTelemetry dependencies
* Fix default makefile target for windows ([#6322](https://github.com/containerd/containerd/pull/6322))
  * Fix default makefile target for windows
* Disable TestContainerHook on Windows ([#6379](https://github.com/containerd/containerd/pull/6379))
  * Disable TestContainerHook on Windows
* seutil: Fix setting the "container_kvm_t" label ([#6372](https://github.com/containerd/containerd/pull/6372))
  * seutil: Fix setting the "container_kvm_t" label
* Remove Windows integration testing for 2004. ([#6350](https://github.com/containerd/containerd/pull/6350))
  * Remove Windows integration testing for 2004.
* OCI: Mount (accessible) host devices in privileged rootless containers ([#6308](https://github.com/containerd/containerd/pull/6308))
  * OCI: Mount (accessible) host devices in privileged rootless containers
  * oci.getDevices(): move "non-dir, non '/dev/console'" case into switch
* cri: add support for configuring swap ([#6320](https://github.com/containerd/containerd/pull/6320))
  * fixup: check for swap accounting
  * fixup: handle diff between cgroupsv1 and v2
  * cri: add support for configuring swap
* Integration: Enable TestVolumeOwnership on Windows ([#6275](https://github.com/containerd/containerd/pull/6275))
  * Replace find with native Go code
  * Enable TestVolumeOwnership on Windows
* Prepare release notes for v1.6.0-beta.4 ([#6296](https://github.com/containerd/containerd/pull/6296))
  * Prepare release notes for v1.6.0-beta.4
* refactor: functions for error log and error return ([#6358](https://github.com/containerd/containerd/pull/6358))
  * feat: Errorf usage
* Split apart runc shim into plugin components ([#6021](https://github.com/containerd/containerd/pull/6021))
  * Use task plugin for runc shim
  * Seperate shim manager and task service
  * Split runc shim into plugin components
  * Add shutdown package
* CRI update for sandbox sizing ([#6155](https://github.com/containerd/containerd/pull/6155))
  * cri, sandbox: pass sandbox resource details if available, applicable
* medatada: make namespaces' deletion error less cryptic ([#6354](https://github.com/containerd/containerd/pull/6354))
  * medatada: make namespaces' deletion error less cryptic
* ListContainerStats to return stats response if ContainerStatsFilter is nil ([#6373](https://github.com/containerd/containerd/pull/6373))
  * add-list-stat: return container list if filter is nil
* integration: deflake TestContainerdRestart ([#6369](https://github.com/containerd/containerd/pull/6369))
  * integration: deflake TestContainerdRestart
* feat: add timeout for bolt open ([#6225](https://github.com/containerd/containerd/pull/6225))
  * feat: support custom timeout for blot open
* Update Go to 1.17.5 ([#6333](https://github.com/containerd/containerd/pull/6333))
  * Update Go to 1.17.5
* cri/server: use consistent alias for pkg/ioutil ([#6332](https://github.com/containerd/containerd/pull/6332))
  * cri/server: use consistent alias for pkg/ioutil
* Disable restart monitor test in Windows ([#6364](https://github.com/containerd/containerd/pull/6364))
  * Disable restart monitor test in Windows
* Don't fail-fast on Windows integration tests ([#6338](https://github.com/containerd/containerd/pull/6338))
  * Don't fail-fast on Windows integration tests
* Update restart monitor test to output daemon logs on failure ([#6355](https://github.com/containerd/containerd/pull/6355))
  * Run windows parallel integration test as short
  * Update restart monitor test to output daemon logs on failure
* go.mod: update image-spec to latest (v1.0.3-dev) ([#6263](https://github.com/containerd/containerd/pull/6263))
  * images/converter: remove deprecated types
  * go.mod: update image-spec to latest (v1.0.3-dev)
* Skip WithAdditionalGIDs on Darwin ([#6353](https://github.com/containerd/containerd/pull/6353))
  * Skip WithAdditionalGIDs on Darwin
* Use RFC3339 format on Windows periodic resource group creation so cleanup works ([#6303](https://github.com/containerd/containerd/pull/6303))
  * Use RFC3339 format so rg cleanup works
* update runc to v1.0.3 ([#6330](https://github.com/containerd/containerd/pull/6330))
  * go.mod: github.com/opencontainers/runc v1.0.3
  * update runc binary to v1.0.3
* Unblock native snapshotter on Darwin ([#6329](https://github.com/containerd/containerd/pull/6329))
  * Allow native snapshotter on Darwin
* Do not use `go get` to install executables ([#6328](https://github.com/containerd/containerd/pull/6328))
  * Do not use `go get` to install executables
* Include runtime v2 in default builtins ([#6326](https://github.com/containerd/containerd/pull/6326))
  * Include runtime v2 in default builtins
* Add Windows Server 2022 CI runs ([#6314](https://github.com/containerd/containerd/pull/6314))
  * Add Windows Server 2022 CI runs
* Set explicit ACL on test files ([#6324](https://github.com/containerd/containerd/pull/6324))
  * Use a single RUN command
  * Set explicit ACL on test files
* integration: align tags of test images ([#6311](https://github.com/containerd/containerd/pull/6311))
  * integration: align tags of test images
* Set CONTAINERD_ROOT in Windows cri-integration ([#6325](https://github.com/containerd/containerd/pull/6325))
  * Set CONTAINERD_ROOT in Windows cri-integration
* export oci.DeviceFromPath() ([#6312](https://github.com/containerd/containerd/pull/6312))
  * export oci.DeviceFromPath()
* Update volume test images ([#6321](https://github.com/containerd/containerd/pull/6321))
  * Update continuity dependency
  * Update volume test images
* Update TestRestartMonitor expected time check ([#6201](https://github.com/containerd/containerd/pull/6201))
  * Add error logging on cleanup
  * Update TestRestartMonitor expected time check
* Move test volume images from gcr to ghcr ([#6319](https://github.com/containerd/containerd/pull/6319))
  * Move volume images from gcr to ghcr
* Revert shim service plugin migration ([#6301](https://github.com/containerd/containerd/pull/6301))
  * Revert shim plugin migration
* Authenticate against ghcr.io ([#6317](https://github.com/containerd/containerd/pull/6317))
  * Add permissions
  * Authenticate against ghcr.io
* oci/deviceFromPath(): correctly check device types ([#6306](https://github.com/containerd/containerd/pull/6306))
  * oci/deviceFromPath(): correctly check device types
* Skip TestExportAndImportMultiLayer on Windows ([#6315](https://github.com/containerd/containerd/pull/6315))
  * Skip TestExportAndImportMultiLayer on Windows
* Integration: Add image build workflow ([#6290](https://github.com/containerd/containerd/pull/6290))
  * Add image build workflow
* Integration: Separate Windows Periodic Tests workflow trigger. ([#6286](https://github.com/containerd/containerd/pull/6286))
  * Integration: Separate Windows Periodic Tests workflow trigger.
* Build volume test images on Windows ([#6274](https://github.com/containerd/containerd/pull/6274))
  * Build volume test images on Windows
* Add VMware TKG & TCE to Containerd adopters ([#6297](https://github.com/containerd/containerd/pull/6297))
  * Add VMware TKG & TCE to Containerd adopters
* Vagrantfile: update to Fedora 35 ([#6293](https://github.com/containerd/containerd/pull/6293))
  * Vagrantfile: update to Fedora 35
* Update README.md repo->org ([#6269](https://github.com/containerd/containerd/pull/6269))
  * Update README.md repo->org
* Fix executable file not found when restoring shims ([#6278](https://github.com/containerd/containerd/pull/6278))
  * Fix executable file not found when restoring shims
* ctr/snapshots/diff: show media-type in stderr ([#6271](https://github.com/containerd/containerd/pull/6271))
  * ctr/snapshots/diff: don't show the media-type in output
* ctr: Add Linux Capabilities control flags ([#6289](https://github.com/containerd/containerd/pull/6289))
  * ctr: Add Linux Capabilities control flags
* integration: add stats result in error message ([#6270](https://github.com/containerd/containerd/pull/6270))
  * integration: add stats result in error message
* releases: mark 1.4 as Extended ([#6287](https://github.com/containerd/containerd/pull/6287))
  * docs: mark 1.4 as Extended
  * docs: fix RELEASES.md gRPC API anchor
* feat: skip ci for fork ([#6284](https://github.com/containerd/containerd/pull/6284))
  * feat: skip ci for fork
* content/local: Close the file if Seek fails ([#6280](https://github.com/containerd/containerd/pull/6280))
  * content/local: Close the file if Seek fails
* Integration: Remove explicit version passing to `azure/CLI`. ([#6268](https://github.com/containerd/containerd/pull/6268))
  * Integration: Remove explicit version passing to `azure/CLI`.
* Fix wrong make target on documentation ([#6276](https://github.com/containerd/containerd/pull/6276))
  * Fix wrong make target on documentation
* fix: server error return ([#6272](https://github.com/containerd/containerd/pull/6272))
  * fix: server error return
* Prepare release notes for v1.6.0-beta.3 ([#6267](https://github.com/containerd/containerd/pull/6267))
  * Prepare release notes for v1.6.0-beta.3
  * Update API version in go.mod
  * Update release name to use consistent format
* feat:support custom callopts on client side ([#6254](https://github.com/containerd/containerd/pull/6254))
  * fix: make max recv/send msg size setting default
  * feat:support custom callopts on client side
* [CRI] Fix panic when registry.mirrors use localhost ([#6258](https://github.com/containerd/containerd/pull/6258))
  * [CRI] Fix panic when registry.mirrors use localhost
* Add support for TMP override on toml ([#6241](https://github.com/containerd/containerd/pull/6241))
  * Add support for TMP override on toml
* CRI: Support enable_unprivileged_icmp and enable_unprivileged_ports options ([#6170](https://github.com/containerd/containerd/pull/6170))
  * CRI: Support enable_unprivileged_icmp and enable_unprivileged_ports options
* Github Security Advisory [GHSA-5j5w-g665-5m35](https://github.com/containerd/containerd/security/advisories/GHSA-5j5w-g665-5m35)
  * schema1: reject ambiguous documents
  * images: validate document type before unmarshal
* [cri] add sandbox and container latency metrics ([#6111](https://github.com/containerd/containerd/pull/6111))
  * [cri] add sandbox and container latency metrics
* Integration: Generalize Windows CI setup scripts for any username. ([#6255](https://github.com/containerd/containerd/pull/6255))
  * Generalize Windows CI setup script for any user.
  * Standardize cmdlet capitalization in Windows CI scripts.
* feat: use rwmutex instead ([#6253](https://github.com/containerd/containerd/pull/6253))
  * feat: use rwmutex instead
* Allow absolute path to shim binaries ([#6206](https://github.com/containerd/containerd/pull/6206))
  * Fix package alias
  * Support custom runtime path when launching tasks
  * Add runtime path in CreateTaskRequest
* Close file if permission modification fails ([#6246](https://github.com/containerd/containerd/pull/6246))
  * Close file if permission modification fails
* release: change tar name to match prior releases ([#6250](https://github.com/containerd/containerd/pull/6250))
  * release: change tar name to match prior releases
* Fix wrong error returned for image index lookup ([#6237](https://github.com/containerd/containerd/pull/6237))
  * Fix wrong error returned for image index lookup
* Fix containerd fails to pull OCI image with non-`http(s)://` urls ([#6221](https://github.com/containerd/containerd/pull/6221))
  * Fix containerd fails to pull OCI image with non-`http(s)://` urls
* Prepare release notes for v1.6.0-beta.2 ([#6223](https://github.com/containerd/containerd/pull/6223))
  * Prepare release notes for v1.6.0-beta.2
* Add arm64 to releases ([#6196](https://github.com/containerd/containerd/pull/6196))
  * Rename release dockerfile to omit distro name
  * release: improve dockerfile
  * Add arm64 to releases
* use write lock when updating container stats ([#6236](https://github.com/containerd/containerd/pull/6236))
  * use write lock when updating container stats
* go.mod: Bump hcsshim to v0.9.1 ([#6230](https://github.com/containerd/containerd/pull/6230))
  * go.mod: Bump hcsshim to v0.9.1
* go.mod: Bump ttrpc to 1.1.0 ([#6228](https://github.com/containerd/containerd/pull/6228))
  * go.mod: Bump ttrpc to 1.1.0
* go.mod: bump moby/sys/symlink v0.2.0, moby/sys/signal v0.6.0, moby/sys/mountinfo v0.5.0 ([#6213](https://github.com/containerd/containerd/pull/6213))
  * go.mod: github.com/moby/sys/mountinfo v0.5.0
  * go.mod: github.com/moby/sys/signal v0.6.0
  * go.mod: github.com/moby/sys/symlink v0.2.0
  * go.mod: golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359
* cleanup: add more description on comment ([#6222](https://github.com/containerd/containerd/pull/6222))
  * cleanup: add more description on comment
* Update Go to 1.17.3 ([#6211](https://github.com/containerd/containerd/pull/6211))
  * Update Go to 1.17.3
* CI: bump up crun: 1.0 -> 1.3 ([#6214](https://github.com/containerd/containerd/pull/6214))
  * CI: bump up crun: 1.0 -> 1.3
* Pin az CLI version in windows-periodic workflow ([#6205](https://github.com/containerd/containerd/pull/6205))
  * Pin az CLI version
* Decouple task manager ([#5918](https://github.com/containerd/containerd/pull/5918))
  * Address PR comments
  * Fix build after rebase
  * Migrate task directory
  * Expose shim process interface
  * Fix after rebase
  * Cleanup shim loading
  * Move shim restore to a separate file
  * Fix backward compatibility with old task shims
  * Add plugin dependency between shim and shim services
  * Rework task create and cleanup flow
  * Add task manager
  * Rename task manager to shim manager
* [cri] Implement k8s 1.23 CRI Pod Sandbox and Container Stats ([#6113](https://github.com/containerd/containerd/pull/6113))
  * Implement CRI container and pods stats
  * Vendor latest k8s.io/cri-api and netlink
* test: Add grace period for restart monitor test ([#6200](https://github.com/containerd/containerd/pull/6200))
  * test: Add grace period for restart monitor test
* integration: Enables TestRuntimeHandler for Windows ([#6179](https://github.com/containerd/containerd/pull/6179))
  * integration: Enables TestRuntimeHandler for Windows
* Add mkdir on Dockerfile ([#6171](https://github.com/containerd/containerd/pull/6171))
  * Add mkdir on Dockerfile
* sys/reaper: avoid leaky goroutine when exec timeout ([#6189](https://github.com/containerd/containerd/pull/6189))
  * sys/reaper: avoid leaky goroutine when exec timeout
* adds additional debug out to timebox cni setup ([#6184](https://github.com/containerd/containerd/pull/6184))
  * adds additional debug out to timebox cni setup
* converter: Allow hooks during image conversion ([#6176](https://github.com/containerd/containerd/pull/6176))
  * converter: Allow hooks during image conversion
* compression: support zstd with skippable frame ([#6177](https://github.com/containerd/containerd/pull/6177))
  * compression: support zstd with skippable frame
* integration: Enables TestVolumeCopyUp for Windows ([#6182](https://github.com/containerd/containerd/pull/6182))
  * integration: Enables TestVolumeCopyUp for Windows
*  integration: Enable some tests for Windows (part 2) ([#6121](https://github.com/containerd/containerd/pull/6121))
  * integration: Enable some tests for Windows (part 2)
* integration: Enable some tests for Windows ([#6085](https://github.com/containerd/containerd/pull/6085))
  * integration: Enable some tests for Windows
* Update doc to version 2 syntax ([#6125](https://github.com/containerd/containerd/pull/6125))
  * feat(doc): update to version 2 syntax
* fix shim reaper wait command execute blocked ([#6166](https://github.com/containerd/containerd/pull/6166))
  * fix shim reaper wait command execute blocked
* content: close stream after commit request ([#6145](https://github.com/containerd/containerd/pull/6145))
  * content: close stream after commit request
* Generating token options with each scope as a separate string. ([#6165](https://github.com/containerd/containerd/pull/6165))
  * Adding scope tests for ParseAuthHeader
  * Adding tests for GenerateTokenOptions
  * Generate token options with each scope as a separate string.
* vendor: Updates go-cni ([#6167](https://github.com/containerd/containerd/pull/6167))
  * vendor: Updates go-cni
* commands: Enables task metrics for Windows ([#6159](https://github.com/containerd/containerd/pull/6159))
  * commands: Enables task metrics for Windows
* vendor: update moby/sys for darwin support ([#6149](https://github.com/containerd/containerd/pull/6149))
  * vendor: update moby/sys for darwin support
* Prepare v1.6.0-beta.1 ([#6144](https://github.com/containerd/containerd/pull/6144))
  * Prepare release notes for v1.6.0-beta.1
  * Update mailmap
  * Update api vendor
* bump cni to spec v1.0.0 ([#6136](https://github.com/containerd/containerd/pull/6136))
  * bump CNI to spec v1.0.0
* Inject otel traces to grpc client. ([#5992](https://github.com/containerd/containerd/pull/5992))
  * Inject otel traces to grpc client.
* client: expose (*image).platform ([#6142](https://github.com/containerd/containerd/pull/6142))
  * client: expose (*image).platform
* Adding documentation for Core Scheduling ([#6128](https://github.com/containerd/containerd/pull/6128))
  * feat(doc): add Core Scheduling documentation
* Ensure namespace is proxied to grpc/ttrpc plugins ([#6130](https://github.com/containerd/containerd/pull/6130))
  * Ensure namespace is proxied to grpc/ttrpc plugins
* fix #6054  MaxConcurrentDownloads is not effect when Unpack is true ([#6109](https://github.com/containerd/containerd/pull/6109))
  * fix #6054 MaxConcurrentDownloads is not effect when Unpack is true
* Output a warning for label image labels instead of erroring ([#6124](https://github.com/containerd/containerd/pull/6124))
  * Output a warning for label image labels instead of erroring
* Fix spelling mistake in Windows snapshotter ([#6132](https://github.com/containerd/containerd/pull/6132))
  * Fix spelling mistake in Windows snapshotter
* Windows: Cleanup rm- prefixed layers ([#6126](https://github.com/containerd/containerd/pull/6126))
  * Windows: Cleanup rm- prefixed layers
* cleanup deprecated package  `io/ioutil ` ([#6118](https://github.com/containerd/containerd/pull/6118))
  * io/ioutil package has been deprecated in Go 1.16 that replaces io/ioutil functions
* close Writer after use which may memory leak ([#6115](https://github.com/containerd/containerd/pull/6115))
  * close Writer after use which may leak mem
* Adds Windows resource limits support ([#5778](https://github.com/containerd/containerd/pull/5778))
  * Adds Windows resource limits support
* Prepare release notes for v1.6.0-beta.0 ([#6098](https://github.com/containerd/containerd/pull/6098))
  * Prepare release notes for v1.6.0-beta.0
* Add error message to in TestContainerdRestart integration test ([#6105](https://github.com/containerd/containerd/pull/6105))
  * Add error message to in TestContainerdRestart integration test
* Fix typo in the NewContainer function documentation ([#6110](https://github.com/containerd/containerd/pull/6110))
  * Fix typo in the NewContainer function documentation
* Update cgroups to v1.0.2 ([#6104](https://github.com/containerd/containerd/pull/6104))
  * Update cgroups to v1.0.2
* btrfs: verify file content after mount ([#6100](https://github.com/containerd/containerd/pull/6100))
  * test: check file content after mount
* Update test timeout based on recent cancellations ([#6107](https://github.com/containerd/containerd/pull/6107))
  * Update test timeout based on recent cancellations
* Check the pid in cri test teardown ([#6106](https://github.com/containerd/containerd/pull/6106))
  * Remove extra test_teardown
  * Check the pid in cri test teardown
* add runc shim support for sched core ([#6011](https://github.com/containerd/containerd/pull/6011))
  * fix integration client vendor
  * add runc shim support for sched core
* integration: Enables Windows containerd restart test ([#5579](https://github.com/containerd/containerd/pull/5579))
  * integration: Enables Windows containerd restart test
* vendor: Bump hcsshim to 0.9.0 ([#6099](https://github.com/containerd/containerd/pull/6099))
  * vendor: Bump hcsshim to 0.9.0
* [cri] Add CNI conf based on runtime class ([#4695](https://github.com/containerd/containerd/pull/4695))
  * Add CNI conf based on runtime class
* Update Go to 1.17.2 ([#6102](https://github.com/containerd/containerd/pull/6102))
  * Update Go to 1.17.2
* integration: Adds test for multilayer image import ([#5933](https://github.com/containerd/containerd/pull/5933))
  * integration: Adds test for multilayer image import
* runtime: should fail fast if dial error on shim ([#6031](https://github.com/containerd/containerd/pull/6031))
  * runtime: should fail fast if dial error on shim
* Fixes Windows containers with image volumes ([#6034](https://github.com/containerd/containerd/pull/6034))
  * Windows: Fixes Windows containers with image volumes
* run `gofmt` with GO 1.17 ([#6094](https://github.com/containerd/containerd/pull/6094))
  * run `gofmt` with Go 1.17
* pkg/cap: remove an outdated comment ([#6088](https://github.com/containerd/containerd/pull/6088))
  * pkg/cap: remove an outdated comment
* Update go otel 1.0.1 ([#6066](https://github.com/containerd/containerd/pull/6066))
  * Update go otel 1.0.1
* Update ADOPTERS.md with additional uses ([#6086](https://github.com/containerd/containerd/pull/6086))
  * Update ADOPTERS.md with additional uses
* modify the way for checking cos ([#6082](https://github.com/containerd/containerd/pull/6082))
  * modify the way for checking cos
* Fuzzing: Add fuzzers + small modifications ([#5915](https://github.com/containerd/containerd/pull/5915))
  * Fuzzing: Add 4 fuzzers + small modifications
* Fixes for Windows CI ([#6081](https://github.com/containerd/containerd/pull/6081))
  * Pin mingw to version 10.2.0
  * Update to golang 1.17.1
  * Install nssm
* Github Security Advisory [GHSA-c2h3-6mxw-7mvq](https://github.com/containerd/containerd/security/advisories/GHSA-c2h3-6mxw-7mvq)
  * btrfs: reduce permissions on plugin directories
  * v1 runtime: reduce permissions for bundle dir
  * v2 runtime: reduce permissions for bundle dir
* task service: return known error type ([#6079](https://github.com/containerd/containerd/pull/6079))
  * task service: return known error type
* refactor: move from io/ioutil to io and os package ([#5973](https://github.com/containerd/containerd/pull/5973))
  * refactor: move from io/ioutil to io and os package
* fix: import from k8s.io/utils/clock instead ([#6076](https://github.com/containerd/containerd/pull/6076))
  * fix: update vendor
  * cleanup: import from k8s.io/utils/clock/testing instead
  * cleanup: import from k8s.io/utils/clock instead
* feat: enable integration cri remote client to call with grpc calloptions ([#6069](https://github.com/containerd/containerd/pull/6069))
  * feat: enable cri remote client to call with grpc calloptions
* cleanup k8s ansible yaml (carry for #5713)  ([#6074](https://github.com/containerd/containerd/pull/6074))
  * cleanup k8s ansible yaml (carry for https://github.com/jayonlau <[email protected]>)
* feat: support import image for specific platform ([#6070](https://github.com/containerd/containerd/pull/6070))
  * fix: wrong flag type
  * feat: support import image for specific platform
* Update mirror images to take target image name ([#6065](https://github.com/containerd/containerd/pull/6065))
  * Update mirror images to take target image name
* fix: make exec-id flag required in exec command ([#6059](https://github.com/containerd/containerd/pull/6059))
  * fix: make exec-id flag required in exec command
* images: enable converter to uncompress zstd ([#6052](https://github.com/containerd/containerd/pull/6052))
  * images: enable converter to uncompress zstd
* replace deprecated function with Domain and Path ([#5922](https://github.com/containerd/containerd/pull/5922))
  * replace deprecated function
* integration: Adds Windows HostProcess tests ([#5853](https://github.com/containerd/containerd/pull/5853))
  * integration: Adds Windows HostProcess tests
* Fix main branch build is broken ([#6047](https://github.com/containerd/containerd/pull/6047))
  * Fix main branch build is broken
* Add open telemetry logging hook for logrus ([#6003](https://github.com/containerd/containerd/pull/6003))
  * Add open telemetry logging hook for logrus
* Change `oci.WithUser` behavior for LCOW ([#6023](https://github.com/containerd/containerd/pull/6023))
  * Change oci.WithUser behavior for LCOW
* switch usage directly to errdefs.(ErrAlreadyExists and ErrNotFound) ([#5946](https://github.com/containerd/containerd/pull/5946))
  * switch usage directly to errdefs.(ErrAlreadyExists and ErrNotFound)
* import: Raise error if the imported image is filtered out ([#5926](https://github.com/containerd/containerd/pull/5926))
  * import: Raise error if the imported image is filtered out
* Fix panic in metadata content writer on copy error ([#6043](https://github.com/containerd/containerd/pull/6043))
  * Fix panic in metadata content writer on copy error
* Move tracing to plugin ([#6001](https://github.com/containerd/containerd/pull/6001))
  * Move tracing to plugin
* ctr: Fixes Windows image import ([#5916](https://github.com/containerd/containerd/pull/5916))
  * ctr: Fixes Windows image import
* update open go.opentelemetry.io v1.0.0 to fix import path ([#6017](https://github.com/containerd/containerd/pull/6017))
  * go.mod: update opentelemetry modules to v1.0.0
* fix error string format ([#5979](https://github.com/containerd/containerd/pull/5979))
  * fix error string format
* Add github action to mirror image ([#6036](https://github.com/containerd/containerd/pull/6036))
  * Add github action to mirror image
* add current process state to the error message ([#6027](https://github.com/containerd/containerd/pull/6027))
  * add current process state to the error message
*  FreeBSD: fix tar headers & the nil check on getxattr  ([#5991](https://github.com/containerd/containerd/pull/5991))
  * FreeBSD: fix tar headers & the nil check on getxattr
* gha: collect VMs' IP addresses ([#6035](https://github.com/containerd/containerd/pull/6035))
  * gha: collect Vagrant VMs' IP addresses
* bump continuity and console version  that remove pkg/errors ([#6033](https://github.com/containerd/containerd/pull/6033))
  * bump continuity and console version that remove pkg/errors
* import: Add option to prevent duplicated digest image ([#5997](https://github.com/containerd/containerd/pull/5997))
  * import: Add option to skip creating digest image
* ctr namespaces: improve usage string ([#5998](https://github.com/containerd/containerd/pull/5998))
  * ctr namespaces: improve usage string
* bump console version to v1.0.3 that remove pkg/errors  ([#6028](https://github.com/containerd/containerd/pull/6028))
  * bump console version to v1.0.3 that remove pkg/errors
* Use github images for integration tests ([#6032](https://github.com/containerd/containerd/pull/6032))
  * Use github images for integration tests
* Fix typo ([#5995](https://github.com/containerd/containerd/pull/5995))
  * Fix typo
* Enable image config labels in ctr and CRI container creation ([#6012](https://github.com/containerd/containerd/pull/6012))
  * Enable image config labels in ctr and CRI container creation
* Make sure exit signals trigger an exit during init ([#5970](https://github.com/containerd/containerd/pull/5970))
  * Make sure exit signals trigger an exit during init
* task delete: Closes task IO before waiting ([#5974](https://github.com/containerd/containerd/pull/5974))
  * task delete: Closes task IO before waiting
* CI: bump up crun to 1.0 ([#5985](https://github.com/containerd/containerd/pull/5985))
  * CI: bump up crun to 1.0
* seccomp: support "clone3" (return ENOSYS unless SYS_ADMIN is granted) ([#5982](https://github.com/containerd/containerd/pull/5982))
  * seccomp: support "clone3" (return ENOSYS unless SYS_ADMIN is granted)
* Update to Go 1.17.1 ([#5990](https://github.com/containerd/containerd/pull/5990))
  * Update to Go 1.17.1
* CI: Switch to available latest images ([#5987](https://github.com/containerd/containerd/pull/5987))
  * CI: Switch to available latest images
* add xfs support to devicemapper snapshotter ([#5610](https://github.com/containerd/containerd/pull/5610))
  * add xfs support to devicemapper snapshotter
* Fixes task kill --force on Windows ([#5956](https://github.com/containerd/containerd/pull/5956))
  * Fixes task kill --force on Windows
* Add support for shim plugins ([#5817](https://github.com/containerd/containerd/pull/5817))
  * Add support for shim plugins
* vendor: update continuity for darwin support ([#5976](https://github.com/containerd/containerd/pull/5976))
  * vendor: update continuity for darwin support
* replace uses of os/exec with golang.org/x/sys/execabs ([#5906](https://github.com/containerd/containerd/pull/5906))
  * replace uses of os/exec with golang.org/x/sys/execabs
* complete integration test for pulling image with labels ([#5972](https://github.com/containerd/containerd/pull/5972))
  * Additional integration tests for pulling image with labels
* Fix content copy to not ignore unexpected EOF ([#5966](https://github.com/containerd/containerd/pull/5966))
  * Fix content copy to not ignore unexpected EOF
* add ip_pref CNI options for primary pod ip ([#5964](https://github.com/containerd/containerd/pull/5964))
  * add ip_pref CNI options for primary pod ip
* cri: add devices for privileged container ([#5939](https://github.com/containerd/containerd/pull/5939))
  * cri: add devices for privileged container
* sandbox: Allows the sandbox to be deleted in NotReady state ([#5954](https://github.com/containerd/containerd/pull/5954))
  * sandbox: Allows the sandbox to be deleted in NotReady state
* pin protobuild version to tag ([#5969](https://github.com/containerd/containerd/pull/5969))
  * pin protobuild version to tag
* Add metric exposing build version&revision ([#5965](https://github.com/containerd/containerd/pull/5965))
  * use a const metric for build_info
  * Add metric exposing build version&revision
* Feature: containerd-cri support LinuxContainerResources.Unified ([#5627](https://github.com/containerd/containerd/pull/5627))
  * add cri test case
  * feature: add field LinuxContainerResources.Unified on cri
* integration: investigate TestRestartMonitor's failure ([#5861](https://github.com/containerd/containerd/pull/5861))
  * integration: investigate TestRestartMonitor's failure
* Use issue forms for bug reporting ([#5917](https://github.com/containerd/containerd/pull/5917))
  * Address issue forms feedback
  * Use issue forms for bug reporting
* cri: patch update image labels ([#5945](https://github.com/containerd/containerd/pull/5945))
  * cri: patch update image labels
* darwin: runtime support ([#5936](https://github.com/containerd/containerd/pull/5936))
  * darwin: runtime support
  * darwin: use the default values for socketRoot variable
* Update RELEASES.md ([#5858](https://github.com/containerd/containerd/pull/5858))
  * Update RELEASES.md
* archive: Add WriteDiff error logs ([#5949](https://github.com/containerd/containerd/pull/5949))
  * archive: Add WriteDiff error logs
* replace deprecated Dialer with ContextDialer ([#5958](https://github.com/containerd/containerd/pull/5958))
  * replace deprecated Dail with DailContext
* Add WS2022 support in Windows Periodic tests ([#5951](https://github.com/containerd/containerd/pull/5951))
  * Add WS2022 support in Windows Periodic tests
* Content fuzzer: Clean up temp store dir ([#5943](https://github.com/containerd/containerd/pull/5943))
  * content fuzzer: Clean up tempdir
* using Hosts replace deprecated field ([#5944](https://github.com/containerd/containerd/pull/5944))
  * using Hosts replace deprecated field
* fix document non-synchronous ([#5947](https://github.com/containerd/containerd/pull/5947))
  * fix document non-synchronous in crictl.md
* go.mod: Update hcsshim to v0.8.21 ([#5929](https://github.com/containerd/containerd/pull/5929))
  * go.mod: Update hcsshim to v0.8.21
* Makefile.linux: build on RISC-V with PIE ([#5937](https://github.com/containerd/containerd/pull/5937))
  * Makefile.linux: build on riscv with PIE
* Fix cwd flag for `ctr tasks exec` ([#5932](https://github.com/containerd/containerd/pull/5932))
  * Fix cwd flag for `ctr tasks exec`
* Update Pause image in tests & config ([#5927](https://github.com/containerd/containerd/pull/5927))
  * Update Pause image in tests & config
* cri: Devices ownership from SecurityContext ([#5122](https://github.com/containerd/containerd/pull/5122))
  * cri: Devices ownership from SecurityContext
* Fix pull fails on unexpected EOF ([#5921](https://github.com/containerd/containerd/pull/5921))
  * Fix pull fails on unexpected EOF
* Fix dir support for devices ([#5845](https://github.com/containerd/containerd/pull/5845))
  * Adding testing of two devices
  * Fix dir support for devices V3 (#4847)
* windows: The DefaultSpec platform should match the Default matcher ([#5914](https://github.com/containerd/containerd/pull/5914))
  * windows: The DefaultSpec platform should match the Default matcher
* Add RunAsUserName functionality for the Windows pod sandbox container ([#5865](https://github.com/containerd/containerd/pull/5865))
  * Add RunAsUserName functionality for the Windows Pod Sandbox Container
* bump up runc v1.0.2 ([#5899](https://github.com/containerd/containerd/pull/5899))
  * go.mod: update runc to v1.0.2
  * update runc binary to v1.0.2
* Run `go fmt` with Go 1.17 ([#5903](https://github.com/containerd/containerd/pull/5903))
  * Run `go fmt` with Go 1.17
* go.mod: github.com/pelletier/go-toml v1.9.3 ([#5905](https://github.com/containerd/containerd/pull/5905))
  * go.mod: github.com/pelletier/go-toml v1.9.3
* cri: filter selinux xattr for image volumes ([#5902](https://github.com/containerd/containerd/pull/5902))
  * cri: filter selinux xattr for image volumes
* Add Windows HostProcess Support ([#5131](https://github.com/containerd/containerd/pull/5131))
  * Added windows hostProcess cni skip
* script: update golangci-lint from v1.38.0 and v1.36.0 to v1.42.0 ([#5897](https://github.com/containerd/containerd/pull/5897))
  * script: update golangci-lint from v1.38.0 and v1.36.0 to v1.42.0
* Update to Go 1.17 ([#5889](https://github.com/containerd/containerd/pull/5889))
  * Bump integration timeout to 35 min
  * Update to Go 1.17
* integration: fix TestContainerPids ([#5896](https://github.com/containerd/containerd/pull/5896))
  * integration: fix TestContainerPids
* [ctr] add HOSTNAME env for host network ([#5891](https://github.com/containerd/containerd/pull/5891))
  * [ctr] add HOSTNAME env for host network
* Fuzzing: Add fuzzer ([#5886](https://github.com/containerd/containerd/pull/5886))
  * Fuzzing: Add fuzzer
* Make Cgroup driver configurable in gce configure script ([#5884](https://github.com/containerd/containerd/pull/5884))
  * Add env for SystemdCgroup driver
* Allow expanded DNS configuration ([#5878](https://github.com/containerd/containerd/pull/5878))
  * Allow expanded DNS configuration
* Fuzzing: Add 4 fuzzers ([#5863](https://github.com/containerd/containerd/pull/5863))
  * Fuzzing: Add 4 fuzzers
* Cleanup v2 shim ([#5813](https://github.com/containerd/containerd/pull/5813))
  * Cleanup v2 shim
* Fuzzing: Add experimental version of container fuzzer ([#5840](https://github.com/containerd/containerd/pull/5840))
  * Use http.Get to download binaries instead of exec.Command
  * Fuzzing: Add experimental version of container fuzzer
* add cpu-shares to ctr ([#5846](https://github.com/containerd/containerd/pull/5846))
  * add cpu-shares to ctr
* docs: rename master to main (it was opposite on the actual commit) ([#5847](https://github.com/containerd/containerd/pull/5847))
  * docs: rename main to master
* content: return the error with its timestamp ([#5849](https://github.com/containerd/containerd/pull/5849))
  * content: return the error with its timestamp
* Fix bad `make protos` failure ([#5857](https://github.com/containerd/containerd/pull/5857))
  * Fix bad `make protos` failure
* replace cri and point to new location ([#5851](https://github.com/containerd/containerd/pull/5851))
  * archive docs and point to new location fix #https://github.com/containerd/cri/issues/1624
* docs: remove FOSSA's badge ([#5856](https://github.com/containerd/containerd/pull/5856))
  * docs: remove FOSSA's badge
* BUILDING.md: remove some bits about building runc ([#5850](https://github.com/containerd/containerd/pull/5850))
  * BUILDING.md: remove some bits about building runc
  * BUILDING.md: markdown fixes
* go.mod: update k8s deps to v1.22.0 ([#5836](https://github.com/containerd/containerd/pull/5836))
  * go.mod: update kubernetes to v1.22.0
* [Scripts] Add trap to cri-integration test script ([#5852](https://github.com/containerd/containerd/pull/5852))
  * Add trap to cri-integration test script
* docs: list all snapshotter-related build flags ([#5848](https://github.com/containerd/containerd/pull/5848))
  * docs: list all snapshotter-related build flags
* Move plugin context events into separate plugin ([#5835](https://github.com/containerd/containerd/pull/5835))
  * Move plugin context events into separate plugin
* Fix Linux CI Linter using Go 1.15.14 ([#5839](https://github.com/containerd/containerd/pull/5839))
  * Fix Linux CI Linter using go 1.15.14
* Update Go to 1.16.7 ([#5842](https://github.com/containerd/containerd/pull/5842))
  * Update Go to 1.16.7
* Cleanup CI ([#5838](https://github.com/containerd/containerd/pull/5838))
  * Cleanup CI
* Remove redundant build tags ([#5834](https://github.com/containerd/containerd/pull/5834))
  * Remove redundant build tags
* Change default directories on Darwin ([#5830](https://github.com/containerd/containerd/pull/5830))
  * Change default directories on Darwin
* [otel-tracing] Initial opentelemetry support ([#5731](https://github.com/containerd/containerd/pull/5731))
  * [otel-tracing] vendor and go modules changes
  * [otel-tracing] Initial opentelemetry support
  * remove go 1.13 from containerd
* Fuzzing: Fix for OSS-fuzz issue 36825 ([#5829](https://github.com/containerd/containerd/pull/5829))
  * Fuzzing: Fix for OSS-fuzz issue 36825
* Fuzzing: Add two fuzzers ([#5825](https://github.com/containerd/containerd/pull/5825))
  * Fuzzing: Add two more fuzzers
* scripts: linting fixes, and remove support for Debian Jessie (as it's EOL) ([#5760](https://github.com/containerd/containerd/pull/5760))
  * scripts: declare ROOT closer to where it's used, and some DRY changes
  * scripts: add missing quotes, and minor linting issues
  * test/build-utils.sh: remove support for Debian Jessie
* platforms: Format(): use path.Join() instead of joinNotEmpty() ([#5821](https://github.com/containerd/containerd/pull/5821))
  * platforms: Format(): use path.Join() instead of joinNotEmpty()
* Fuzzing: Remove panics of container_fuzzer ([#5823](https://github.com/containerd/containerd/pull/5823))
  * Fuzzing: Remove panics of container_fuzzer
* Fuzzing: Add container fuzzer ([#5785](https://github.com/containerd/containerd/pull/5785))
  * Change protoc link
  * Split fuzzer to two fuzzers
  * Fuzzing: Add container fuzzer
* runtime: fix the issue of create new socket with abstract address ([#5746](https://github.com/containerd/containerd/pull/5746))
  * runtime: fix the issue of create new socket with abstract address
* mergo: Upgrade to 0.3.12 to fix panic ([#5809](https://github.com/containerd/containerd/pull/5809))
  * mergo: Upgrade to 0.3.12 to fix panic
* ci: install criu from PPA ([#5802](https://github.com/containerd/containerd/pull/5802))
  * ci: install criu from PPA
* Update release workflow to upload binary without CNI ([#5144](https://github.com/containerd/containerd/pull/5144))
  * Split release steps into multiple tasks
  * Update release workflow to upload binary without CNI
* Enable critest on Windows Periodic Jobs ([#5725](https://github.com/containerd/containerd/pull/5725))
  * Enable critest on Windows
* Script to check if entries in go.mod files are in sync ([#5792](https://github.com/containerd/containerd/pull/5792))
  * Script to check if entries in go.mod files are in sync
* Add a sharedNamespace label ([#5043](https://github.com/containerd/containerd/pull/5043))
  * Add shared content label to namespaces
* platforms: add "ios" as known OS, "loong64" as known ARCH ([#5784](https://github.com/containerd/containerd/pull/5784))
  * platforms: add "ios" as known OS, "loong64" as known ARCH
* Updates the location of protobuf downloads ([#5804](https://github.com/containerd/containerd/pull/5804))
  * Updates the location of protobuf downloads in docs
* Update protobuf install to use correct repository ([#5803](https://github.com/containerd/containerd/pull/5803))
  * Update protobuf install to use correct repository
* overlay: expose upperdir location of each snapshot via an optional label ([#5624](https://github.com/containerd/containerd/pull/5624))
  * overlay: add an optional label of upperdir location of each snapshot
* Support SIGRTMIN+n signals ([#5693](https://github.com/containerd/containerd/pull/5693))
  * Support SIGRTMIN+n signals
* respect context timeout in shim binary call ([#5800](https://github.com/containerd/containerd/pull/5800))
  * respect context timeout in shim binary call
* Introduce a new go module - containerd/api for use in standalone clients ([#5716](https://github.com/containerd/containerd/pull/5716))
  * Introduce a new go module - containerd/api for use in standalone clients
* grpc config add options tcp_client_ca_cert ([#5606](https://github.com/containerd/containerd/pull/5606))
  * grpc config add options tcp_tls_ca
* integration: Windows volume-copy-up images ([#5162](https://github.com/containerd/containerd/pull/5162))
  * integration: Windows volume-copy-up images
* add CRI support matrix to RELEASES.md ([#5795](https://github.com/containerd/containerd/pull/5795))
  * add CRI support matrix to RELEASES.md
* adding a little more clarity ([#5794](https://github.com/containerd/containerd/pull/5794))
  * adding a little more clarity
* update gotestsum to v1.7.0 ([#5793](https://github.com/containerd/containerd/pull/5793))
  * update gotestsum to v1.7.0
* Discard blocks when removing a thin device ([#5756](https://github.com/containerd/containerd/pull/5756))
  * Discard blocks when removing a thin device
* Makefile: fix passing build tags ([#5590](https://github.com/containerd/containerd/pull/5590))
  * Makefile: pass build tags to manpage build process
  * Makefile: fix tags parameter computation
* Add runtime label to metrics ([#5744](https://github.com/containerd/containerd/pull/5744))
  * Add runtime label to metrics
* interface about shim build check ([#5745](https://github.com/containerd/containerd/pull/5745))
  * interface about shim build check
* integration: log all processes to investigate the test failure ([#5775](https://github.com/containerd/containerd/pull/5775))
  * integration: log all processes to investigate the test failure
* Fuzzing: Add archive fuzzer ([#5779](https://github.com/containerd/containerd/pull/5779))
  * Fuzzing: Add archive fuzzer
* Add docker.Fetch fuzzer ([#5687](https://github.com/containerd/containerd/pull/5687))
  * Add docker fetch fuzzer
* Support custom compressor for walking differ ([#5735](https://github.com/containerd/containerd/pull/5735))
  * Support custom compressor for walking differ
* remotes/docker/pusher.go: Fix missing Close() on push to docker remote ([#5770](https://github.com/containerd/containerd/pull/5770))
  * remotes/docker/pusher.go: Fix missing Close()
* remotes/docker/fetcher.go: Fix missing Close() on fetch from docker remote ([#5769](https://github.com/containerd/containerd/pull/5769))
  * remotes/docker/fetcher.go: Fix missing Close()
* Update cpuguy83/go-md2man binary to v2.0.1 ([#5771](https://github.com/containerd/containerd/pull/5771))
  * Update cpuguy83/go-md2man binary to v2.0.1
* Refactor / optimize contrib/Dockerfile.test ([#5750](https://github.com/containerd/containerd/pull/5750))
  * Dockerfile.test: build containerd in separate stage
  * Dockerfile.test: add GOLANG_IMAGE build arg to allow overriding
  * Dockerfile.test: clean up apt indexes after installing
  * Dockerfile.test: build critools in a separate stage
  * Dockerfile.test: build cni in a separate stage
  * Dockerfile.test: standard directory to collect build aftifacts
  * Dockerfile.test: split dev stage, and optimize order
  * Dockerfile.test: skip curl, gcc, git and make install
  * install-critools: make sure DESTDIR exists
* update gotestsum to current master ([#5754](https://github.com/containerd/containerd/pull/5754))
  * update gotestsum to current master
* Github Security Advisory [GHSA-c72p-9xmj-rx3w](https://github.com/containerd/containerd/security/advisories/GHSA-c72p-9xmj-rx3w)
  * Add test for archive breakout test for lchmod
* Use systemd cgroup driver for Kubernetes e2e tests with cgroupsv2 ([#5755](https://github.com/containerd/containerd/pull/5755))
  * Use systemd cgroup driver for cgroupv2 tests
* update runc  to v1.0.1 ([#5751](https://github.com/con…

.github/workflows/build-test-images.yml

@@ -39,7 +39,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v2
         with:
-          go-version: '1.17.5'
+          go-version: '1.17.7'
 
       - uses: actions/checkout@v2
         with:

.github/workflows/ci.yml

@@ -20,7 +20,7 @@ jobs:
 
     strategy:
       matrix:
-        go-version: [1.17.5]
+        go-version: [1.17.7]
         os: [ubuntu-18.04, macos-10.15, windows-2019]
 
     steps:
@@ -46,7 +46,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v2
         with:
-          go-version: '1.17.5'
+          go-version: '1.17.7'
 
       - uses: actions/checkout@v2
         with:
@@ -78,7 +78,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v2
         with:
-          go-version: '1.17.5'
+          go-version: '1.17.7'
 
       - uses: actions/checkout@v2
         with:
@@ -110,7 +110,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v2
         with:
-          go-version: '1.17.5'
+          go-version: '1.17.7'
       - uses: actions/checkout@v2
       - run: go install github.com/cpuguy83/go-md2man/[email protected]
       - run: make man
@@ -144,7 +144,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v2
         with:
-          go-version: '1.17.5'
+          go-version: '1.17.7'
       - uses: actions/checkout@v2
       - run: |
           set -e -x
@@ -201,7 +201,7 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-18.04, macos-10.15, windows-2019, windows-2022]
-        go-version: ['1.17.5']
+        go-version: ['1.16.14', '1.17.7']
 
     steps:
       - uses: actions/setup-go@v2
@@ -248,7 +248,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v2
         with:
-          go-version: '1.17.5'
+          go-version: '1.17.7'
 
       - uses: actions/checkout@v2
         with:
@@ -330,7 +330,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v2
         with:
-          go-version: '1.17.5'
+          go-version: '1.17.7'
 
       - uses: actions/checkout@v2
 
@@ -449,7 +449,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v2
         with:
-          go-version: '1.17.5'
+          go-version: '1.17.7'
       - uses: actions/checkout@v2
       - run: sudo -E PATH=$PATH script/setup/install-gotestsum
       - name: Tests

.github/workflows/codeql.yml

@@ -2,11 +2,13 @@ name: "CodeQL Scan"
 
 on:
   push:
-  schedule:
-    - cron: '0 0 * * 0'
+    branches:
+      - main
+      - 'release/**'
   pull_request:
-    paths:
-      - '.github/workflows/codeql.yml'
+    branches:
+      - main
+      - 'release/**'
 
 jobs:
   CodeQL-Build:
@@ -22,28 +24,20 @@ jobs:
     - name: Checkout repository
       uses: actions/checkout@v2
 
+    - uses: actions/setup-go@v2
+      with:
+        go-version: 1.17.7
+
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
       uses: github/codeql-action/init@v1
       # Override language selection by uncommenting this and choosing your languages
       # with:
       #   languages: go, javascript, csharp, python, cpp, java
 
-    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-    # If this step fails, then you should remove it and run the build manually (see below).
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
-
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 https://git.io/JvXDl
-
-    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
-    #    and modify them (or add more) to build your code if your project
-    #    uses a compiled language
-
-    #- run: |
-    #   make bootstrap
-    #   make release
+    - run: |
+        sudo apt-get install -y libseccomp-dev libbtrfs-dev
+        make
 
     - name: Perform CodeQL Analysis
       uses: github/codeql-action/analyze@v1

.github/workflows/images.yml

@@ -24,7 +24,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v2
         with:
-          go-version: '1.17.5'
+          go-version: '1.17.7'
 
       - uses: actions/checkout@v2
         with:

.github/workflows/nightly.yml

@@ -18,7 +18,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v2
         with:
-          go-version: '1.17.5'
+          go-version: '1.17.7'
 
       - uses: actions/checkout@v2
         with:
@@ -135,7 +135,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v2
         with:
-          go-version: '1.17.5'
+          go-version: '1.17.7'
 
       - uses: actions/checkout@v2
         with:

.github/workflows/release.yml

@@ -64,7 +64,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v2
         with:
-          go-version: '1.17.5'
+          go-version: '1.17.7'
       - name: Set env
         shell: bash
         env:

.github/workflows/release/Dockerfile

@@ -50,5 +50,10 @@ RUN \
 	make release cri-release cri-cni-release && \
 	for f in $(find bin -executable -type f); do xx-verify $f; done
 
+# check git working tree after build
+RUN \
+	export GIT_STATUS_OUTPUT=$(git status --porcelain) && \
+	test -z $GIT_STATUS_OUTPUT || (echo $GIT_STATUS_OUTPUT && exit 1)
+
 FROM scratch AS release
 COPY --from=target /go/src/github.com/containerd/containerd/releases/ /

.github/workflows/windows-periodic-trigger.yml

@@ -21,5 +21,5 @@ jobs:
     secrets:
       AZURE_SUB_ID: "${{ secrets.AZURE_SUB_ID }}"
       AZURE_CREDS: "${{ secrets.AZURE_CREDS }}"
-      GCP_PROJECT_ID: "${{ secrets.GCP_PROJECT_ID }}"
-      GCP_SA_KEY: "${{ secrets.GCP_SA_KEY }}"
+      GCP_SERVICE_ACCOUNT: "${{ secrets.GCP_SERVICE_ACCOUNT }}"
+      GCP_WORKLOAD_IDENTITY_PROVIDER: "${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}"

.github/workflows/windows-periodic.yml

@@ -10,9 +10,9 @@ on:
         required: true
       AZURE_CREDS:
         required: true
-      GCP_PROJECT_ID:
+      GCP_SERVICE_ACCOUNT:
         required: true
-      GCP_SA_KEY:
+      GCP_WORKLOAD_IDENTITY_PROVIDER:
         required: true
 
 env:
@@ -23,21 +23,29 @@ env:
   DEFAULT_ADMIN_USERNAME: azureuser
   SSH_OPTS: "-o ServerAliveInterval=20 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
   REMOTE_VM_BIN_PATH: "c:\\containerd\\bin"
+  BUSYBOX_TESTING_IMAGE_REF: "k8s.gcr.io/e2e-test-images/busybox:1.29-2"
+  RESOURCE_CONSUMER_TESTING_IMAGE_REF: "k8s.gcr.io/e2e-test-images/resource-consumer:1.10"
+  WEBSERVER_TESTING_IMAGE_REF: "k8s.gcr.io/e2e-test-images/nginx:1.14-2"
+
 
 jobs:
   winIntegration:
+    # NOTE: the following permissions are required by `google-github-actions/auth`:
+    permissions:
+      contents: 'read'
+      id-token: 'write'
     strategy:
       matrix:
         win_ver: [ltsc2019, ltsc2022]
         include:
         - win_ver: ltsc2019
           AZURE_IMG: "MicrosoftWindowsServer:WindowsServer:2019-Datacenter-with-Containers-smalldisk:17763.1935.2105080716"
           AZURE_RESOURCE_GROUP: ctrd-integration-ltsc2019-${{ github.run_id }}
-          GOOGLE_BUCKET: "gs://containerd-integration/logs/windows-ltsc2019/"
+          GOOGLE_BUCKET: "containerd-integration/logs/windows-ltsc2019/"
         - win_ver: ltsc2022
           AZURE_IMG: "MicrosoftWindowsServer:WindowsServer:2022-datacenter-smalldisk-g2:20348.169.2108120020"
           AZURE_RESOURCE_GROUP: ctrd-integration-ltsc2022-${{ github.run_id }}
-          GOOGLE_BUCKET: "gs://containerd-integration/logs/windows-ltsc2022/"
+          GOOGLE_BUCKET: "containerd-integration/logs/windows-ltsc2022/"
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
@@ -77,13 +85,25 @@ jobs:
         uses: azure/CLI@v1
         with:
           inlinescript: |
-            az vm create -n winTestVM --admin-username ${{ env.DEFAULT_ADMIN_USERNAME }} --admin-password ${{ env.PASSWORD }} --image ${{ matrix.AZURE_IMG }} -g ${{ matrix.AZURE_RESOURCE_GROUP }} --nsg-rule SSH --size ${{ env.AZURE_DEFAULT_VM_SIZE }}
-
-      - name: GetAZVMPublicIP
-        uses: azure/CLI@v1
-        with:
-          inlinescript: |
-            echo "VM_PUB_IP=$(az network public-ip list -g ${{ matrix.AZURE_RESOURCE_GROUP }} | jq '.[0]["ipAddress"]' | tr -d '\"')" >> $GITHUB_ENV
+            DETAILS=$(az vm create -n winTestVM --admin-username ${{ env.DEFAULT_ADMIN_USERNAME }} --admin-password ${{ env.PASSWORD }} --image ${{ matrix.AZURE_IMG }} -g ${{ matrix.AZURE_RESOURCE_GROUP }} --nsg-rule SSH --size ${{ env.AZURE_DEFAULT_VM_SIZE }} --public-ip-sku Standard -o json)
+            PUB_IP=$(echo $DETAILS | jq -r .publicIpAddress)
+            if [ "$PUB_IP" == "null" ]
+            then
+                RETRY=0
+                while [ "$PUB_IP" == "null" ] || [ $RETRY -le 5 ]
+                do
+                    sleep 5
+                    PUB_IP=$(az vm show -d -g ${{ matrix.AZURE_RESOURCE_GROUP }} -n winTestVM -o json --query publicIps | jq -r)
+                    RETRY=$(( $RETRY + 1 ))
+                done
+            fi
+
+            if [ "$PUB_IP" == "null" ]
+            then
+                echo "failed to fetch public IP"
+                exit 1
+            fi
+            echo "VM_PUB_IP=$PUB_IP" >> $GITHUB_ENV
 
       - name: EnableAZVMSSH
         uses: azure/CLI@v1
@@ -143,13 +163,20 @@ jobs:
           ssh -i $HOME/.ssh/id_rsa ${{ env.SSH_OPTS }} azureuser@${{ env.VM_PUB_IP }} "sh.exe -c 'cd /c/containerd && (make integration | tee /c/Logs/integration.log)'"
           ssh -i $HOME/.ssh/id_rsa ${{ env.SSH_OPTS }} azureuser@${{ env.VM_PUB_IP }} "sh.exe -c 'cat /c/Logs/integration.log | go-junit-report.exe > /c/Logs/junit_00.xml'"
 
-      # CRI-integration tests for Windows PR is not merged. TO DO (adelina-t): enable these when PR #5163 merges.
       - name: PrepareRepoList
         run: |
-           ssh -i $HOME/.ssh/id_rsa ${{ env.SSH_OPTS }} azureuser@${{ env.VM_PUB_IP }} "sh -c 'cat > c:/repolist.toml'" <<'EOF'
-               busybox = "k8s.gcr.io/e2e-test-images/busybox:1.29-2"
-               ResourceConsumer = "k8s.gcr.io/e2e-test-images/resource-consumer:1.10"
-           EOF
+            cat > repolist.toml << EOF
+            busybox = "${{ env.BUSYBOX_TESTING_IMAGE_REF }}"
+            ResourceConsumer = "${{ env.RESOURCE_CONSUMER_TESTING_IMAGE_REF }}"
+            EOF
+
+            cat > cri-test-images.yaml << EOF
+            defaultTestContainerImage: ${{ env.BUSYBOX_TESTING_IMAGE_REF }}
+            webServerTestImage: ${{ env.WEBSERVER_TESTING_IMAGE_REF }}
+            EOF
+
+            scp -i $HOME/.ssh/id_rsa ${{ env.SSH_OPTS }} repolist.toml azureuser@${{ env.VM_PUB_IP }}:c:/repolist.toml
+            scp -i $HOME/.ssh/id_rsa ${{ env.SSH_OPTS }} cri-test-images.yaml azureuser@${{ env.VM_PUB_IP }}:c:/cri-test-images.yaml
 
       - name: RunCRIIntegrationTests
         run: |
@@ -163,19 +190,16 @@ jobs:
            ssh -i $HOME/.ssh/id_rsa ${{ env.SSH_OPTS }} azureuser@${{ env.VM_PUB_IP }} "sh.exe -c 'cat /c/Logs/cri-integration.log | go-junit-report.exe > c:/Logs/junit_01.xml' "
 
       - name: GetCritestRepo
-        if: ${{ matrix.win_ver != 'ltsc2022' }}
         run: |
           ssh -i $HOME/.ssh/id_rsa ${{ env.SSH_OPTS }} azureuser@${{ env.VM_PUB_IP }} "git clone https://github.com/kubernetes-sigs/cri-tools c:/cri-tools"
 
       - name: BuildCritest
-        if: ${{ matrix.win_ver != 'ltsc2022' }}
         run: |
           ssh -i $HOME/.ssh/id_rsa ${{ env.SSH_OPTS }} azureuser@${{ env.VM_PUB_IP }} "sh.exe -c 'cd /c/cri-tools && make critest'"
 
       - name: RunCritest
-        if: ${{ matrix.win_ver != 'ltsc2022' }}
         run: |
-          ssh -i $HOME/.ssh/id_rsa ${{ env.SSH_OPTS }} azureuser@${{ env.VM_PUB_IP }} "powershell.exe -command { Start-Process -FilePath C:\containerd\bin\containerd.exe -NoNewWindow -RedirectStandardError true -PassThru ; get-process | sls containerd ; start-sleep 5 ; c:\cri-tools\build\bin\critest.exe --runtime-endpoint=\"npipe:\\\\.\\pipe\\containerd-containerd\" --report-dir='c:\Logs' }"
+          ssh -i $HOME/.ssh/id_rsa ${{ env.SSH_OPTS }} azureuser@${{ env.VM_PUB_IP }} "powershell.exe -command { Start-Process -FilePath C:\containerd\bin\containerd.exe -NoNewWindow -RedirectStandardError true -PassThru ; get-process | sls containerd ; start-sleep 5 ; c:\cri-tools\build\bin\critest.exe --runtime-endpoint=\"npipe:\\\\.\\pipe\\containerd-containerd\" --test-images-file='c:\cri-test-images.yaml' --report-dir='c:\Logs' }"
 
       - name: PullLogsFromWinNode
         run: |
@@ -188,29 +212,39 @@ jobs:
       - name: FinishJob
         run: |
           jq -n --arg result SUCCESS --arg timestamp $(date +%s) '$timestamp|tonumber|{timestamp:.,$result}' > ${{ env.LOGS_DIR }}/finished.json
-          echo "${{ env.STARTED_TIME }}" > $HOME/latest-build.txt
+          echo "${{ env.STARTED_TIME }}" > ${{ github.workspace }}/latest-build.txt
 
       - name: AssignGcpCreds
         id: AssignGcpCreds
         run: |
-          echo '::set-output name=GCP_PROJECT_ID::${{ secrets.GCP_PROJECT_ID }}'
-          echo '::set-output name=GCP_SA_KEY::${{ secrets.GCP_SA_KEY }}'
+          echo '::set-output name=GCP_SERVICE_ACCOUNT::${{ secrets.GCP_SERVICE_ACCOUNT }}'
+          echo '::set-output name=GCP_WORKLOAD_IDENTITY_PROVIDER::${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}'
 
-      - name: SetUpCloudSDK
-        if: steps.AssignGcpCreds.outputs.GCP_PROJECT_ID && steps.AssignGcpCreds.outputs.GCP_SA_KEY
-        uses: google-github-actions/setup-gcloud@master
+      - name: AuthGcp
+        uses: google-github-actions/auth@v0
+        if: steps.AssignGcpCreds.outputs.GCP_SERVICE_ACCOUNT && steps.AssignGcpCreds.outputs.GCP_WORKLOAD_IDENTITY_PROVIDER
         with:
-          project_id: ${{ secrets.GCP_PROJECT_ID }}
-          service_account_key: ${{ secrets.GCP_SA_KEY }}
-          export_default_credentials: true
+          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
+          workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
 
-      - name: UploadArtifacts
-        if: steps.AssignGcpCreds.outputs.GCP_PROJECT_ID && steps.AssignGcpCreds.outputs.GCP_SA_KEY
-        run: |
-          gsutil cp -r ${{ env.LOGS_DIR }} ${{ matrix.GOOGLE_BUCKET }}
-          gsutil cp $HOME/latest-build.txt ${{ matrix.GOOGLE_BUCKET }}
+      - name: UploadJobReport
+        uses: google-github-actions/upload-cloud-storage@v0
+        if: steps.AssignGcpCreds.outputs.GCP_SERVICE_ACCOUNT && steps.AssignGcpCreds.outputs.GCP_WORKLOAD_IDENTITY_PROVIDER
+        with:
+          path: ${{ github.workspace }}/latest-build.txt
+          destination: ${{ matrix.GOOGLE_BUCKET }}
+          parent: false
+
+      - name: UploadLogsDir
+        uses: google-github-actions/upload-cloud-storage@v0
+        if: steps.AssignGcpCreds.outputs.GCP_SERVICE_ACCOUNT && steps.AssignGcpCreds.outputs.GCP_WORKLOAD_IDENTITY_PROVIDER
+        with:
+          path: ${{ env.LOGS_DIR }}
+          destination: ${{ matrix.GOOGLE_BUCKET }}${{ env.STARTED_TIME}}
+          parent: false
 
       - name: ResourceCleanup
+        if: always()
         uses: azure/CLI@v1
         with:
           inlinescript: |