Add log config specific changes

.github/workflows/ghcr-image-build-and-publish.yml

@@ -34,7 +34,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf  # v3.2.0
+        uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a  # v3.3.0
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5  # v3.8.0
@@ -60,7 +60,7 @@ jobs:
       # Build and push Docker image with Buildx (don't push on PR)
       # https://github.com/docker/build-push-action
       - name: Build and push Docker image
-        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355  # v6.10.0
+        uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc  # v6.11.0
         with:
           context: .
           platforms: linux/amd64,linux/arm64

.github/workflows/test-canary.yml

@@ -81,7 +81,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
           repository: containerd/containerd
-          ref: "v1.7.24"
+          ref: "v1.7.25"
           path: containerd
           fetch-depth: 1
       - name: "Set up CNI"

.github/workflows/test.yml

@@ -28,7 +28,7 @@ jobs:
             containerd: v1.6.36
             arch: amd64
           - runner: ubuntu-24.04
-            containerd: v1.7.24
+            containerd: v1.7.25
             arch: amd64
           - runner: ubuntu-24.04
             containerd: v2.0.1
@@ -84,7 +84,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
           repository: containerd/containerd
-          ref: v1.7.24
+          ref: v1.7.25
           path: containerd
           fetch-depth: 1
       - if: ${{ matrix.goos=='windows' }}
@@ -109,7 +109,7 @@ jobs:
             runner: "ubuntu-20.04"
             arch: amd64
           - ubuntu: 22.04
-            containerd: v1.7.24
+            containerd: v1.7.25
             runner: "ubuntu-22.04"
             arch: amd64
           - ubuntu: 24.04
@@ -234,7 +234,7 @@ jobs:
             target: rootless
             arch: amd64
           - ubuntu: 22.04
-            containerd: v1.7.24
+            containerd: v1.7.25
             rootlesskit: v2.3.1
             target: rootless
             arch: amd64
@@ -244,7 +244,7 @@ jobs:
             target: rootless
             arch: amd64
           - ubuntu: 24.04
-            containerd: v1.7.24
+            containerd: v1.7.25
             rootlesskit: v2.3.1
             target: rootless-port-slirp4netns
             arch: amd64
@@ -374,15 +374,15 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
           repository: containerd/containerd
-          ref: v1.7.24
+          ref: v1.7.25
           path: containerd
           fetch-depth: 1
       - name: "Set up CNI"
         working-directory: containerd
         run: GOPATH=$(go env GOPATH) script/setup/install-cni-windows
       - name: "Set up containerd"
         env:
-          ctrdVersion: 1.7.24
+          ctrdVersion: 1.7.25
         run: powershell hack/configure-windows-ci.ps1
       - name: "Run integration tests"
         run: ./hack/test-integration.sh -test.only-flaky=false
@@ -392,8 +392,7 @@ jobs:
   test-integration-freebsd:
     timeout-minutes: 30
     name: FreeBSD
-    # ubuntu-24.04 lacks the vagrant package
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
@@ -404,9 +403,19 @@ jobs:
           key: vagrant-${{ matrix.box }}
       - name: Set up vagrant
         run: |
+          # from https://github.com/containerd/containerd/blob/v2.0.1/.github/workflows/ci.yml#L583-L596
+          # which is based on https://github.com/opencontainers/runc/blob/v1.1.8/.cirrus.yml#L41-L49
+          curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
+          echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
+          sudo sed -i 's/^Types: deb$/Types: deb deb-src/' /etc/apt/sources.list.d/ubuntu.sources
           sudo apt-get update
-          sudo apt-get install -y libvirt-daemon libvirt-daemon-system vagrant vagrant-libvirt
+          sudo apt-get install -y libvirt-daemon libvirt-daemon-system vagrant ovmf
+          # https://github.com/vagrant-libvirt/vagrant-libvirt/issues/1725#issuecomment-1454058646
+          sudo cp /usr/share/OVMF/OVMF_VARS_4M.fd /var/lib/libvirt/qemu/nvram/
           sudo systemctl enable --now libvirtd
+          sudo apt-get build-dep -y ruby-libvirt
+          sudo apt-get install -y --no-install-recommends libxslt-dev libxml2-dev libvirt-dev ruby-bundler ruby-dev zlib1g-dev
+          sudo vagrant plugin install vagrant-libvirt
       - name: Boot VM
         run: |
           ln -sf Vagrantfile.freebsd Vagrantfile

Dockerfile

@@ -19,8 +19,8 @@
 
 # Basic deps
 ARG CONTAINERD_VERSION=v2.0.1
-ARG RUNC_VERSION=v1.2.3
-ARG CNI_PLUGINS_VERSION=v1.6.1
+ARG RUNC_VERSION=v1.2.4
+ARG CNI_PLUGINS_VERSION=v1.6.2
 
 # Extra deps: Build
 ARG BUILDKIT_VERSION=v0.18.2
@@ -57,18 +57,18 @@ FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-bookworm AS build-base-debia
 COPY --from=xx / /
 ENV DEBIAN_FRONTEND=noninteractive
 RUN apt-get update -qq && apt-get install -qq --no-install-recommends \
-    git \
-    dpkg-dev
+  git \
+  dpkg-dev
 ARG TARGETARCH
 # libbtrfs: for containerd
 # libseccomp: for runc and bypass4netns
 RUN xx-apt-get update -qq && xx-apt-get install -qq --no-install-recommends \
-    binutils \
-    gcc \
-    libc6-dev \
-    libbtrfs-dev \
-    libseccomp-dev \
-    pkg-config
+  binutils \
+  gcc \
+  libc6-dev \
+  libbtrfs-dev \
+  libseccomp-dev \
+  pkg-config
 RUN git config --global advice.detachedHead false
 
 FROM build-base-debian AS build-containerd
@@ -246,12 +246,12 @@ COPY --from=build-full /out /
 FROM ubuntu:${UBUNTU_VERSION} AS base
 # fuse3 is required by stargz snapshotter
 RUN apt-get update -qq && apt-get install -qq -y --no-install-recommends \
-    apparmor \
-    bash-completion \
-    ca-certificates curl \
-    iproute2 iptables \
-    dbus dbus-user-session systemd systemd-sysv \
-    fuse3
+  apparmor \
+  bash-completion \
+  ca-certificates curl \
+  iproute2 iptables \
+  dbus dbus-user-session systemd systemd-sysv \
+  fuse3
 ARG CONTAINERIZED_SYSTEMD_VERSION
 RUN curl -o /docker-entrypoint.sh -fsSL --proto '=https' --tlsv1.2 https://raw.githubusercontent.com/AkihiroSuda/containerized-systemd/${CONTAINERIZED_SYSTEMD_VERSION}/docker-entrypoint.sh && \
   chmod +x /docker-entrypoint.sh
@@ -278,9 +278,9 @@ FROM base AS test-integration
 ARG DEBIAN_FRONTEND=noninteractive
 # `expect` package contains `unbuffer(1)`, which is used for emulating TTY for testing
 RUN apt-get update -qq && apt-get install -qq --no-install-recommends \
-    expect \
-    git \
-    make
+  expect \
+  git \
+  make
 COPY --from=goversion /GOVERSION /GOVERSION
 ARG TARGETARCH
 RUN curl -fsSL --proto '=https' --tlsv1.2 https://golang.org/dl/$(cat /GOVERSION).linux-${TARGETARCH:-amd64}.tar.gz | tar xzvC /usr/local
@@ -325,9 +325,9 @@ FROM test-integration AS test-integration-rootless
 # (`sudo` does not work for this purpose,
 #  OTOH `machinectl shell` can create the session but does not propagate exit code)
 RUN apt-get update -qq && apt-get install -qq --no-install-recommends \
-    uidmap \
-    openssh-server \
-    openssh-client
+  uidmap \
+  openssh-server \
+  openssh-client
 # TODO: update containerized-systemd to enable sshd by default, or allow `systemctl wants <TARGET> ssh` here
 RUN ssh-keygen -q -t rsa -f /root/.ssh/id_rsa -N '' && \
   useradd -m -s /bin/bash rootless && \

Dockerfile.d/SHA256SUMS.d/cni-plugins-v1.6.2

@@ -0,0 +1,2 @@
+b8e811578fb66023f90d2e238d80cec3bdfca4b44049af74c374d4fae0f9c090  cni-plugins-linux-amd64-v1.6.2.tgz
+01e0e22acc7f7004e4588c1fe1871cc86d7ab562cd858e1761c4641d89ebfaa4  cni-plugins-linux-arm64-v1.6.2.tgz

cmd/nerdctl/container/container_run_cgroup_linux_test.go

@@ -18,6 +18,7 @@ package container
 
 import (
 	"bytes"
+	"context"
 	"fmt"
 	"os"
 	"path/filepath"
@@ -27,11 +28,14 @@ import (
 	"gotest.tools/v3/assert"
 
 	"github.com/containerd/cgroups/v3"
+	containerd "github.com/containerd/containerd/v2/client"
 	"github.com/containerd/continuity/testutil/loopback"
 
 	"github.com/containerd/nerdctl/v2/pkg/cmd/container"
+	"github.com/containerd/nerdctl/v2/pkg/idutil/containerwalker"
 	"github.com/containerd/nerdctl/v2/pkg/testutil"
 	"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest"
+	"github.com/containerd/nerdctl/v2/pkg/testutil/test"
 )
 
 func TestRunCgroupV2(t *testing.T) {
@@ -170,6 +174,53 @@ func TestRunCgroupV1(t *testing.T) {
 	base.Cmd("run", "--rm", "--cpu-quota", "42000", "--cpu-period", "100000", "--cpuset-mems", "0", "--memory", "42m", "--memory-reservation", "6m", "--memory-swap", "100m", "--memory-swappiness", "0", "--pids-limit", "42", "--cpu-shares", "2000", "--cpuset-cpus", "0-1", testutil.AlpineImage, "cat", quota, period, cpusetMems, memoryLimit, memoryReservation, memorySwap, memorySwappiness, pidsLimit, cpuShare, cpusetCpus).AssertOutExactly(expected)
 }
 
+// TestIssue3781 tests https://github.com/containerd/nerdctl/issues/3781
+func TestIssue3781(t *testing.T) {
+	t.Parallel()
+	testCase := nerdtest.Setup()
+	testCase.Require = test.Not(nerdtest.Docker)
+
+	base := testutil.NewBase(t)
+	info := base.Info()
+	switch info.CgroupDriver {
+	case "none", "":
+		t.Skip("test requires cgroup driver")
+	}
+	containerName := testutil.Identifier(t)
+	base.Cmd("run", "-d", "--name", containerName, testutil.AlpineImage, "sleep", "infinity").AssertOK()
+	defer func() {
+		base.Cmd("rm", "-f", containerName)
+	}()
+	base.Cmd("update", "--cpuset-cpus", "0-1", containerName).AssertOK()
+	addr := base.ContainerdAddress()
+	client, err := containerd.New(addr, containerd.WithDefaultNamespace(testutil.Namespace))
+	assert.NilError(base.T, err)
+	ctx := context.Background()
+
+	// get container id by container name.
+	var cid string
+	var args []string
+	args = append(args, containerName)
+	walker := &containerwalker.ContainerWalker{
+		Client: client,
+		OnFound: func(ctx context.Context, found containerwalker.Found) error {
+			if found.MatchCount > 1 {
+				return fmt.Errorf("multiple IDs found with provided prefix: %s", found.Req)
+			}
+			cid = found.Container.ID()
+			return nil
+		},
+	}
+	err = walker.WalkAll(ctx, args, true)
+	assert.NilError(base.T, err)
+
+	container, err := client.LoadContainer(ctx, cid)
+	assert.NilError(base.T, err)
+	spec, err := container.Spec(ctx)
+	assert.NilError(base.T, err)
+	assert.Equal(t, spec.Linux.Resources.Pids == nil, true)
+}
+
 func TestRunDevice(t *testing.T) {
 	if os.Geteuid() != 0 || userns.RunningInUserNS() {
 		t.Skip("test requires the root in the initial user namespace")

cmd/nerdctl/container/container_update.go

@@ -266,16 +266,18 @@ func updateContainer(ctx context.Context, client *containerd.Client, id string,
 		if spec.Linux.Resources == nil {
 			spec.Linux.Resources = &runtimespec.LinuxResources{}
 		}
-		if spec.Linux.Resources.BlockIO == nil {
-			spec.Linux.Resources.BlockIO = &runtimespec.LinuxBlockIO{}
-		}
 		if cmd.Flags().Changed("blkio-weight") {
+			if spec.Linux.Resources.BlockIO == nil {
+				spec.Linux.Resources.BlockIO = &runtimespec.LinuxBlockIO{}
+			}
 			if spec.Linux.Resources.BlockIO.Weight != &opts.BlkioWeight {
 				spec.Linux.Resources.BlockIO.Weight = &opts.BlkioWeight
 			}
 		}
-		if spec.Linux.Resources.CPU == nil {
-			spec.Linux.Resources.CPU = &runtimespec.LinuxCPU{}
+		if cmd.Flags().Changed("cpu-shares") || cmd.Flags().Changed("cpu-quota") || cmd.Flags().Changed("cpu-period") || cmd.Flags().Changed("cpus") || cmd.Flags().Changed("cpuset-mems") || cmd.Flags().Changed("cpuset-cpus") {
+			if spec.Linux.Resources.CPU == nil {
+				spec.Linux.Resources.CPU = &runtimespec.LinuxCPU{}
+			}
 		}
 		if cmd.Flags().Changed("cpu-shares") {
 			if spec.Linux.Resources.CPU.Shares != &opts.CPUShares {
@@ -308,8 +310,10 @@ func updateContainer(ctx context.Context, client *containerd.Client, id string,
 				spec.Linux.Resources.CPU.Cpus = opts.CpusetCpus
 			}
 		}
-		if spec.Linux.Resources.Memory == nil {
-			spec.Linux.Resources.Memory = &runtimespec.LinuxMemory{}
+		if cmd.Flags().Changed("memory") || cmd.Flags().Changed("memory-reservation") {
+			if spec.Linux.Resources.Memory == nil {
+				spec.Linux.Resources.Memory = &runtimespec.LinuxMemory{}
+			}
 		}
 		if cmd.Flags().Changed("memory") {
 			if spec.Linux.Resources.Memory.Limit != &opts.MemoryLimitInBytes {
@@ -324,10 +328,10 @@ func updateContainer(ctx context.Context, client *containerd.Client, id string,
 				spec.Linux.Resources.Memory.Reservation = &opts.MemoryReservation
 			}
 		}
-		if spec.Linux.Resources.Pids == nil {
-			spec.Linux.Resources.Pids = &runtimespec.LinuxPids{}
-		}
 		if cmd.Flags().Changed("pids-limit") {
+			if spec.Linux.Resources.Pids == nil {
+				spec.Linux.Resources.Pids = &runtimespec.LinuxPids{}
+			}
 			if spec.Linux.Resources.Pids.Limit != opts.PidsLimit {
 				spec.Linux.Resources.Pids.Limit = opts.PidsLimit
 			}

cmd/nerdctl/helpers/flagutil.go

@@ -103,6 +103,10 @@ func ProcessRootCmdFlags(cmd *cobra.Command) (types.GlobalCommandOptions, error)
 	if err != nil {
 		return types.GlobalCommandOptions{}, err
 	}
+	kubeHideDupe, err := cmd.Flags().GetBool("kube-hide-dupe")
+	if err != nil {
+		return types.GlobalCommandOptions{}, err
+	}
 	return types.GlobalCommandOptions{
 		Debug:            debug,
 		DebugFull:        debugFull,
@@ -118,6 +122,7 @@ func ProcessRootCmdFlags(cmd *cobra.Command) (types.GlobalCommandOptions, error)
 		Experimental:     experimental,
 		HostGatewayIP:    hostGatewayIP,
 		BridgeIP:         bridgeIP,
+		KubeHideDupe:     kubeHideDupe,
 	}, nil
 }