Allows parsing a hosts.toml file that has no `[host]` or
`[host."https://registry.example.com"]` entries.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

Signed-off-by: Derek McGowan <derek@mcg.dev>

Mention use of pull request labels

Signed-off-by: Derek McGowan <derek@mcg.dev>

…-8250-to-release/1.7

[release/1.7] Update release process after 1.7

Backport the k8s node e2e workflow from release/2.2. This file does not
exist on release/1.7, so a direct copy is simpler than backporting the
full history of commits modifying it.

Wire up the workflow in .github/workflows/ci.yml with a matrix for
Kubernetes 1.30, 1.31, 1.32, and 1.33.

Adjustments made for release/1.7:
- Remove arguments from script/setup/install-cni call to fall back to
  reading version from script/setup/cni-plugins-version, matching other
  integration tests on this branch.
- Skip [Feature:RelaxedEnvironmentVariableValidation] tests because this
  feature is Alpha in Kubernetes 1.31 and disabled by default, causing
  failures when testing against K8s 1.31.
- Skip private registry tests because they rely on hardcoded credentials
  that are no longer valid
  (see kubernetes/kubernetes#133261).

Assisted-by: Antigravity
Signed-off-by: Chris Henzie <chrishenzie@gmail.com>

…8s-version

The "abi" keyword was added for apparmor 3.0
The original change to add this ended up breaking versions < 3.0.
The abi itself is a macro in /etc/apparmor.d so we can check if the
macro exists to determine if we *can* set an abi in the template.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>

…-13268-to-release/1.7

[release/1.7] apparmor: Set abi conditionally

Kernel 6.12.80+ returns 'fsync=volatile' instead of just 'volatile'
in mount options, which breaks containerd's exact string matching
checks.

Fixes this issue by adding support for 'fsync=volatile' in addition
to the existing 'volatile' check in RemoveVolatileOption and
addVolatileOptionOnImageVolumeMount.

Assisted-by: Antigravity
Signed-off-by: Chris Henzie <chrishenzie@gmail.com>
(cherry picked from commit 93f7a62)
Signed-off-by: Chris Henzie <chrishenzie@gmail.com>

[release/1.7] Support both styles of volatile mount option

Detect strconv.ErrRange and validate uid/gid bounds to avoid falling back to username/group lookups.

Signed-off-by: LEI WANG <ssst0n3@gmail.com>
(cherry picked from commit 85706b6)
Signed-off-by: Chris Henzie <chrishenzie@gmail.com>

[release/1.7] Fix issue with empty host tree in hosts.toml

Add a comment explaining the purpose of the socket rules and noting that
on 32-bit x86, socket() goes through socketcall(2) which is allowed
unconditionally, so these arg filters only apply to the direct socket
syscall.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>

AF_ALG (address family 38) exposes the Linux kernel crypto API to
userspace via socket(2). Containers have no legitimate need for this
interface under the default profile, and leaving it accessible widens
the kernel attack surface unnecessarily (see https://copy.fail/).

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>

…-13327-to-release/1.7

[release/1.7] oci: return explicit error for out-of-range USER values

Signed-off-by: Samuel Karp <samuelkarp@google.com>

[release/1.7] Prepare release notes for v1.7.32