author Fabricio Voznika <fvoznika@google.com> 2021-01-22 16:24:17 -0800
committer gVisor bot <gvisor-bot@google.com> 2021-01-22 16:28:00 -0800
commit 99aa5eedcfa3f2e458171cbc6b20ee6f78af3229
tree 83f5d1b2afca0b5bc9f2f44bd44ae4df15fc00b4 /g3doc/user_guide/FAQ.md
parent 18ebec0ec957f1af0af3aa8fc2145c394552e042
Update containerd minimal version
PiperOrigin-RevId: 353340554
Diffstat (limited to 'g3doc/user_guide/FAQ.md')
-rw-r--r-- g3doc/user_guide/FAQ.md 7
1 files changed, 7 insertions, 0 deletions
diff --git a/g3doc/user_guide/FAQ.md b/g3doc/user_guide/FAQ.md
index 69033357c..8e5721ad1 100644
--- a/g3doc/user_guide/FAQ.md
+++ b/g3doc/user_guide/FAQ.md
@@ -137,9 +137,16 @@ sandbox isolation. There are a few different workarounds you can try:
* Use IPs instead of container names.
* Use [Kubernetes][k8s]. Container name lookup works fine in Kubernetes.
+### I'm getting an error like `dial unix /run/containerd/s/09e4...8cff: connect: connection refused: unknown` {#shim-connect}
+
+This error may happen when using `gvisor-containerd-shim` with a `containerd`
+that does not contain the fix for [CVE-2020-15257]. The resolve the issue,
+update containerd to 1.3.9 or 1.4.3 (or newer versions respectively).
+
[security-model]: /docs/architecture_guide/security/
[host-net]: /docs/user_guide/networking/#network-passthrough
[debugging]: /docs/user_guide/debugging/
[filesystem]: /docs/user_guide/filesystem/
[docker]: /docs/user_guide/quick_start/docker/
[k8s]: /docs/user_guide/quick_start/kubernetes/
+[CVE-2020-15257]: https://github.com/containerd/containerd/security/advisories/GHSA-36xw-fx78-c5r4
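
Review bot: The second sentence of the new FAQ entry has a typo, "The resolve the issue" should read "To resolve the issue". In the same sentence, "1.3.9 or 1.4.3 (or newer versions respectively)" is hard to parse; something like "1.3.9 or newer on the 1.3 series, or 1.4.3 or newer on the 1.4 series" states the minimum per release line without relying on "respectively". The entry also says the error "may happen" with an unpatched `containerd` but gives the reader no way to confirm that this is their case, so consider adding a line telling them to check the installed containerd version against those minimums before upgrading, and a short clause on why a `containerd` without the [CVE-2020-15257] fix fails to connect to `gvisor-containerd-shim` on the `/run/containerd/s/` socket path shown in the heading.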