# Release-tag suffixes: both are appended to the Release tag after the dist tag.
%define _trivial .0
%define _buildid .1

# Build conditionals. bcond_with declares a feature that stays OFF unless the
# build passes --with NAME; bcond_without declares one that stays ON unless the
# build passes --without NAME.
#   btrfs   - off by default when the amzn macro is set, on otherwise
#   seccomp - on by default
#   systemd - off by default when amzn is unset or below 2, on otherwise
# NOTE(review): the trailing remark on the amzn btrfs line reads "with" although
# bcond_with leaves btrfs off by default; the changelog ("build without btrfs on
# Amazon Linux") agrees with the macro, not with the remark.
%if 0%{?amzn}
%bcond_with btrfs # with
%else
%bcond_without btrfs # with
%endif
%bcond_without seccomp # with
%if 0%{?amzn} < 2
%bcond_with systemd # without
%else
%bcond_without systemd # with
%endif

# golang_set_gopath [-d DIR]: export GOPATH (DIR if given, else the physical
# current directory), append GOPATH/bin to PATH, and set GO111MODULE=off so the
# go tool works in GOPATH mode instead of resolving modules.
%define golang_set_gopath(d:) \
    export GOPATH="%{-d:%{-d*}}%{!-d:$(pwd -P)}"; \
    export PATH="$PATH:$GOPATH/bin"; \
    export GO111MODULE=off

# golang_init_gopath: set GOPATH as above, then delete and recreate its src,
# pkg and bin directories.
# NOTE(review): the rm -rf is only as safe as the GOPATH value exported on the
# previous line; writing the expansion as ${GOPATH:?} would make an empty value
# abort instead of resolving to /src, /pkg and /bin.
%define golang_init_gopath(d:) \
    %{golang_set_gopath} \
    rm -rf "${GOPATH}/"{src,pkg,bin} \
    install -d "${GOPATH}"/{src,pkg,bin}

# golang_src_path -p IMPORTPATH: location of a package below GOPATH/src
# (falls back to ./src when GOPATH is unset in the calling shell).
%define golang_src_path(p:) ${GOPATH:-.}/src/%{-p*}
# gobuilddir is golang_src_path without -p, i.e. the src directory itself;
# the build section places its output in a bin directory below it.
%define gobuilddir %{golang_src_path}

# golang_prep -p IMPORTPATH -s TARBALL [-S N]: create the package directory
# under GOPATH/src and extract TARBALL into it, optionally stripping N leading
# path components.
%define golang_prep(p:s:S:) \
    install -d "$GOPATH/src/%{-p*}" && \
    tar -x %{-S:--strip-components=%{-S*}} -C "%{golang_src_path -p %{-p*}}" -f %{-s*}

# golang_install: golang_prep followed by "go install" of the same import path.
%define golang_install(p:s:S:) %{golang_prep}\
    go install %{-p*}

# Upstream release and the exact commit it is built from. The commit hash is
# used in the Source0 URL and is stamped into the binaries as version.Revision
# in the build section, so the two values must be bumped together.
%define containerd_release 2.0.6
%define containerd_commit 991cc3363c290ffd074e069f2b3034c7286ecbe0
# First seven characters of the commit.
# NOTE(review): ${c:0:7} is a bash substring expansion - assumes the shell that
# evaluates this at spec-parse time is bash; confirm on the build hosts.
%global containerd_short_sha %(c=%containerd_commit; echo ${c:0:7})
%define containerd_package github.com/containerd/containerd
%define containerd_src %{golang_src_path -p %containerd_package}

## Pre/Post release VCS metadata, for NVR when unmatched with a
## release tag.
# Update date to datestamp when containerd upstream data is bumped.
# NOTE(review): 20210617 matches the 1.4.6 changelog entry (Thu Jun 17 2021)
# and looks stale next to containerd_release 2.0.6 - confirm whether it is
# still meant to be maintained.
%global containerd_rpm_snapshot_date 20210617
%global containerd_rpm_snapshot_vcs git%{containerd_short_sha}
# Get the version bits before the dash or plus.
# NOTE(review): after macro expansion the shell sees a longest-suffix removal
# of the pattern "-*", so only a dash is handled here; a release string that
# uses a plus sign would pass through unchanged.
%global containerd_rpm_version %(r=%containerd_release; echo ${r%%%%-*})
# Pre/Post release suffix with VCS info embedded into release.
# NOTE(review): this suffix is defined but the Release tag below does not
# reference it, so the snapshot date and short hash do not appear in the NVR.
%global containerd_rpm_release_suffix .%{containerd_rpm_snapshot_date}.%{containerd_rpm_snapshot_vcs}

# Go build tags, accumulated in one macro: selinux always, btrfs or no_btrfs
# depending on the btrfs conditional, seccomp when that conditional is on.
# The same string is exported as BUILDTAGS in the build and check sections.
%global containerd_buildtags %{?containerd_buildtags} selinux
%if %{with btrfs}
%global containerd_buildtags %{?containerd_buildtags} btrfs
%else
%global containerd_buildtags %{?containerd_buildtags} no_btrfs
%endif
%if %{with seccomp}
%global containerd_buildtags %{?containerd_buildtags} seccomp
%endif

Name: containerd
Version: %{containerd_rpm_version}
Release: 1%{?dist}%{?_trivial}%{?_buildid}
# Upstream license specification: Apache-2.0
License: ASL 2.0
Summary: An industry-standard container runtime with an emphasis on simplicity, robustness and portability

# Source0 is addressed by the full commit hash rather than a tag name, which
# ties the archive to one upstream revision.
# NOTE(review): no digest for the tarball is recorded in this spec; any
# integrity check on the downloaded archive happens outside this file.
Source0: https://%{containerd_package}/archive/%{containerd_commit}/containerd-%{containerd_release}.tar.gz
# Packaged default configuration, installed as /etc/containerd/config.toml.
Source1: config.toml
# Downstream patches, applied with -p1 in the prep section.
Patch1000: 1000-containerd-2.0-iouring-seccomp.patch
Patch1001: 1001-containerd-2.0-systemd-compat-config.patch
Patch1002: 1002-containerd-2.0-remove-failing-image-verifier-test.patch
# NOTE(review): going by its file name the next patch corrects file
# permissions; keep it until the rebase named below has actually landed.
# remove after upgrading to containerd 2.0.7
Patch1003: 1003-containerd-bootstrap-json-perms-fix.patch

# Runtime requirements
Requires: runc
%if %{with seccomp}
# Require the version of seccomp that we were built against.
# NOTE(review): the fallback prints 0 when pkg-config cannot find libseccomp
# while the spec is being parsed, which turns the dependency into
# "libseccomp >= 0", i.e. no effective minimum. Confirm that libseccomp-devel
# is present whenever the binary package is built.
%global seccomp_version %(pkg-config --modversion libseccomp 2>/dev/null || echo 0)
Requires: libseccomp%{?_isa} >= %{seccomp_version}
%endif
# container-selinux 2.120.0 adds necessary support for containerd-cri
Conflicts: container-selinux < 2.120.0
Conflicts: docker < 25

# Compilation requirements
# The Go toolchain floor is security-relevant: the changelog records several
# rebuilds made only to pick up fixes in the Go toolchain.
BuildRequires: golang >= 1.24.6
BuildRequires: kernel-headers
BuildRequires: libselinux-devel
BuildRequires: go-rpm-macros
BuildRequires: systemd-rpm-macros
BuildRequires: go-md2man
%if %{with btrfs}
BuildRequires: btrfs-progs-devel
%endif
%if %{with seccomp}
BuildRequires: libseccomp-devel
%endif

%description
containerd is an industry-standard container runtime with an emphasis on simplicity, robustness and portability.
It is available as a daemon for Linux and Windows, which can manage the complete container lifecycle of its host system: image transfer and storage, container execution and supervision, low-level storage and network attachments, etc.

%package stress
# Sub-package carrying only the containerd-stress binary; pinned to the exact
# version-release of the main package.
License: ASL 2.0
Summary: stress test a containerd daemon
Requires: %{name} = %{version}-%{release}

%description stress
%{summary}.

%prep
# Create an empty build directory (-c) without the default unpacking (-T),
# reset the GOPATH tree inside it, then extract Source0 into the package's
# import path with one leading path component stripped.
%setup -c -T -n %{name}-%{version}-%{release}
%golang_init_gopath
%golang_prep -p %{containerd_package} -s %SOURCE0 -S 1
cd "%containerd_src"
# Downstream patches are applied in numeric order inside the source tree.
%patch1000 -p1
%patch1001 -p1
%patch1002 -p1
%patch1003 -p1

%build
%golang_set_gopath
cd "%containerd_src"
# Stamp the package version and the pinned upstream commit into the binaries,
# so a running daemon can be traced back to the revision it was built from.
export LDFLAGS="-X %{containerd_package}/version.Version=%{version} -X %{containerd_package}/version.Revision=%{containerd_commit} "
export BUILDTAGS="%{containerd_buildtags}"
# NOTE(review): the gobuild macro comes from go-rpm-macros; which hardening
# flags it adds, and how it consumes LDFLAGS and BUILDTAGS, is decided there
# and is not visible in this file.
for cmd in containerd containerd-shim-runc-v2 containerd-stress ctr gen-manpages ; do
    %gobuild -o %{gobuilddir}/bin/$cmd %{containerd_src}/cmd/$cmd
done
# Man pages: two converted from markdown, two produced by the freshly built
# gen-manpages helper.
mkdir _man
go-md2man -in docs/man/containerd-config.8.md -out _man/containerd-config.8
go-md2man -in docs/man/containerd-config.toml.5.md -out _man/containerd-config.toml.5
%{gobuilddir}/bin/gen-manpages containerd.8 _man
%{gobuilddir}/bin/gen-manpages ctr.8 _man
# gen-manpages is a build-time helper; it is removed here because the install
# section copies everything left in the bin directory.
rm %{gobuilddir}/bin/gen-manpages

%check
%golang_set_gopath
export BUILDTAGS="%{containerd_buildtags}"
# Run scoped unit tests - skips some if not running as root.
# NOTE(review): the tag list is passed to the test run only when btrfs is
# disabled; with btrfs enabled the tests use whatever tags the upstream
# Makefile selects, which may differ from the tags the binaries were built with.
%if %{without btrfs}
# We want to build/run tests the same way we build the binaries
export EXTRA_TESTFLAGS="-tags='%{containerd_buildtags}'"
%endif
make -C %{containerd_src} test

%install
%golang_set_gopath
# Install containerd binaries
# No -m is given for the binaries, so they get install's default mode
# (rwxr-xr-x).
install -d %{buildroot}%{_bindir}
install -p %{gobuilddir}/bin/* %{buildroot}%{_bindir}/
# Man pages, sections 5 and 8, mode 644.
install -d %{buildroot}%{_mandir}/man{5,8}
install -p -m 644 %{containerd_src}/_man/*.5 %{buildroot}%{_mandir}/man5/
install -p -m 644 %{containerd_src}/_man/*.8 %{buildroot}%{_mandir}/man8/
# Default configuration from Source1, installed world-readable (0644).
install -D -p -m 0644 %{S:1} %{buildroot}%{_sysconfdir}/containerd/config.toml
%if %{with systemd}
# The unit file is taken unmodified from the upstream source tree.
install -D -p -m 644 %{containerd_src}/containerd.service %{buildroot}%{_unitdir}/containerd.service
%endif
# State directory, created with install's default directory mode (rwxr-xr-x).
# NOTE(review): the files list packages this directory without an explicit
# attr, so the packaged mode is the one set here - confirm it matches the mode
# the daemon expects for its state directory.
install -d %{buildroot}%{_localstatedir}/lib/containerd

%if 0%{?amzn} == 2
# On a fresh install of container-selinux, or updating from selinux-policy in
# amzn2-core to one that more closely tracks upstream, we need to relabel critical
# files to pick up changes to file_contexts introduced by those packages.
# Paths relabelled by the triggers below: the client, the daemon, every shim
# binary, the configuration file and the state directory.
%define selinux_relabel_paths %{_bindir}/ctr %{_bindir}/containerd %{_bindir}/containerd-shim* %{_sysconfdir}/containerd/config.toml %{_localstatedir}/lib/containerd
# Runs a recursive restorecon, and only when selinuxenabled reports success.
# NOTE(review): every use below ends in "||:", so a failed or skipped relabel
# never fails the transaction and leaves no trace; files can silently keep
# stale labels. Verify labels after the policy packages change.
%define do_selinux_relabel() /usr/sbin/selinuxenabled && /usr/sbin/restorecon -r %*

# NOTE(review): in RPM trigger scripts the first argument counts installed
# instances of the package that owns the trigger and the second counts the
# triggering package - confirm the tests on $1 below match the intent stated
# in their trailing remarks.
%triggerin -- container-selinux
if [ $1 -eq 1 ]; then # new install, not update
    %{do_selinux_relabel} %{selinux_relabel_paths} ||:
fi

%triggerun -- selinux-policy < 3.13.1-266
if [ $1 -eq 1 ]; then # update, not uninstall
    %{do_selinux_relabel} %{selinux_relabel_paths} ||:
fi

%triggerin stress -- container-selinux
if [ $1 -eq 1 ]; then # new install, not update
    %{do_selinux_relabel} %{_bindir}/containerd-stress ||:
fi

%triggerun stress -- selinux-policy < 3.13.1-266
if [ $1 -eq 1 ]; then # update, not uninstall
    %{do_selinux_relabel} %{_bindir}/containerd-stress ||:
fi
%endif

%files
%license src/github.com/containerd/containerd/LICENSE
%doc src/github.com/containerd/containerd/README.md
%{_bindir}/ctr
%{_bindir}/containerd
%{_bindir}/containerd-shim-runc-v2
# config(noreplace) keeps a locally edited config.toml on upgrade and writes
# the packaged version next to it as an .rpmnew file, so changed defaults
# shipped in a later build do not reach hosts whose file was modified.
%config(noreplace) %{_sysconfdir}/containerd/config.toml
%dir %{_localstatedir}/lib/containerd
%if %{with systemd}
%{_unitdir}/containerd.service
%endif
%{_mandir}/man5/containerd-config.toml.5*
%{_mandir}/man8/containerd-config.8*
%{_mandir}/man8/containerd.8*
%{_mandir}/man8/ctr.8*

%files stress
%{_bindir}/containerd-stress
# The scriptlets that follow only call the systemd helper macros, and only
# when the systemd conditional is enabled; the postun helper is the
# with_restart variant, so the service is restarted on package upgrade.

%post
%if %{with systemd}
%systemd_post containerd
%endif

%preun
%if %{with systemd}
%systemd_preun containerd
%endif

%postun
%if %{with systemd}
%systemd_postun_with_restart containerd
%endif

%changelog
* Mon Sep 08 2025 Justin Alvarez 2.0.6-1.amzn2023.0.1
- Update containerd to 2.0.6

* Wed Jun 18 2025 Justin Alvarez 2.0.5-1.amzn2023.0.2
- Rebuild with golang 1.24.4 to fix CVE-2025-4673 and CVE-2025-22874

* Wed Jun 04 2025 Henry Wang 2.0.5-1.amzn2023.0.1
- Update containerd to 2.0.5

* Wed May 28 2025 David Son 1.7.27-1.amzn2023.0.3
- Rebuild with golang 1.23.8 to fix CVE-2025-22871

* Tue Apr 1 2025 Sam Chew 1.7.27-1.amzn2023.0.2
- Patch go-jose
for CVE-2025-27144
- Backport patch https://github.com/containerd/containerd/pull/11619

* Tue Mar 18 2025 Austin Vazquez 1.7.27-1.amzn2023.0.1
- Update containerd to 1.7.27

* Fri Jan 10 2025 Austin Vazquez 1.7.25-1.amzn2023.0.1
- Update containerd to 1.7.25
- Backport patch https://github.com/containerd/containerd/commit/aedb079bf18f1f913b705d9b791beebcf1962cdd

* Sun Nov 3 2024 Shubhranshu Mahapatra 1.7.23-1.amzn2023.0.1
- Update containerd to 1.7.23

* Fri Sep 13 2024 Justin Alvarez 1.7.22-1.amzn2023.0.2
- Add soci-snapshotter config

* Wed Sep 11 2024 Henry Wang 1.7.22-1.amzn2023.0.1
- Update containerd to 1.7.22

* Tue Jun 18 2024 Austin Vazquez 1.7.20-1.amzn2023.0.1
- Update containerd to 1.7.18
- Fix CVE-2023-47108, CVE-2024-24786

* Thu Jan 11 2024 Christopher R. Miller 1.7.11-1.amzn2023.0.1
- Update containerd to 1.7.11
- Fix CVE-2023-39326

* Fri Oct 13 2023 Antuan Weeks - 1.7.2-1.amzn2023.0.4
- rebuild with golang 1.20.10 to fix CVE-2023-44487

* Wed Aug 09 2023 Antuan Weeks - 1.7.2-1.amzn2023.0.3
- rebuild with golang 1.20.7 to fix CVE-2023-29409

* Thu Jul 27 2023 Christopher Miller - 1.7.2-1.amzn2023.0.2
- Rebuild for CVE-2023-29406

* Thu Jul 06 2023 Lucas Meneghel - 1.7.2-1.amzn2023.0.1
- containerd: Update to upstream 1.7.2
- Dropped patches that are included with the new version

* Fri Mar 17 2023 Sonia Xu - 1.6.19-1.amzn2023.0.1
- Update to v1.6.19
- Update patch to apply properly

* Tue Mar 14 2023 Sai Harsha - 1.6.8-2.amzn2023.0.4
- Fix CVE-2022-1996

* Mon Jan 30 2023 Stewart Smith - 1.6.8-2.amzn2023.0.3
- Mass rebuild for AL2023

* Tue Dec 20 2022 Chanchal Mathew - 1.6.8-2.amzn2022.0.2
- Rebuild for CVE-2022-2879, CVE-2022-41715, CVE-2022-41716 in golang

* Tue Oct 11 2022 Chanchal Mathew - 1.6.8-2
- Fix FTBFS

* Tue Oct 04 2022 Chanchal Mathew - 1.6.8-1
- Update to 1.6.8 from upstream

* Mon Oct 03 2022 Stewart Smith - 1.6.6-1.amzn2022.0.3
- AL2022 pre-GA mass rebuild

* Wed Sep 28 2022 Mansi Jaitly - 1.6.6-1.amzn2022.0.2
- Rebuild due to
golang-1.19.1-1.amzn2022.0.1 update

* Fri Jul 22 2022 Stewart Smith - 1.6.6-1.amzn2022.0.1
- build without btrfs on Amazon Linux

* Mon Jun 20 2022 Sai Harsha - 1.6.6-1
- Update to 1.6.6 from upstream
- Remove patches included upstream since 1.4.13

* Tue May 31 2022 Sai Harsha - 1.4.13-3
- Limit the response size of ExecSync

* Tue Mar 29 2022 Malcolm Inglis - 1.4.13-2
- Apply patch for CVE-2022-24769

* Tue Mar 29 2022 Malcolm Inglis - 1.4.13-1
- Update to 1.4.13 from upstream
- Update golang BuildRequires to 1.16.15
- Remove patches included upstream since 1.4.6

* Thu Feb 24 2022 Malcolm Inglis - 1.4.6-9
- Apply patch for CVE-2022-23648

* Wed Dec 08 2021 Paul Ezvan - 1.4.6-8
- Build for AL2022

* Wed Nov 17 2021 Jamie Anderson - 1.4.6-7
- CVE-2021-41190

* Tue Nov 02 2021 Jamie Anderson - 1.4.6-5
- Fix typo in container-selinux Conflicts:

* Fri Oct 29 2021 Jamie Anderson - 1.4.6-4
- Add selinux to buildtags
- Conflict with container-selinux versions that don't have containerd-cri support

* Fri Sep 24 2021 Jamie Anderson - 1.4.6-3
- Apply patches for CVE-2021-41103

* Mon Jul 12 2021 Jamie Anderson - 1.4.6-2
- Apply patch for CVE-2021-32760

* Thu Jun 17 2021 Jamie Anderson - 1.4.6-1
- Update to 1.4.6 from upstream

* Thu Feb 25 2021 Jamie Anderson - 1.4.4-1
- Update to 1.4.4 from upstream

* Tue Nov 17 2020 Samuel Karp - 1.4.1-2
- Apply patch for CVE-2020-15257

* Fri Nov 13 2020 Jamie Anderson - 1.4.1
- Update to 1.4.1 from upstream

* Wed Sep 23 2020 Jamie Anderson - 1.4.0
- Update to 1.4.0 from upstream
- Add triggers to relabel after container-selinux install

* Mon Feb 10 2020 Jamie Anderson - 1.3.2
- Update to 1.3.2 from upstream

* Mon May 13 2019 Jacob Vallejo - 1.2.6-1
- Initial packaging