🌱 Update containerd/containerd to 2.1.3

[syself-bot]

This PR contains the following updates:

Package	Update	Change
containerd/containerd	major	1.7.26 -> 2.1.3

---

Release Notes

containerd/containerd (containerd/containerd)

v2.1.3: containerd 2.1.3

Compare Source

Welcome to the v2.1.3 release of containerd!

The third patch release for containerd 2.1 contains various fixes and updates
to address pull issues with some registries.

Highlights

Image Distribution

• Fix multipart fetch issue when the server does not return content length (#​12003)
• Update transfer service supported platforms logic (#​11999)
• Fix import for local transfer service (#​12000)
• Fix registry errors with transfer service (#​11979)
• Fix fetch always adding range to requests (#​12001)
• Update fetcher errors to include full registry error (#​11997)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Phil Estes
• Adrien Delorme

Changes

15 commits

• Prepare release notes for v2.1.3 (#​12002)
  • 627729341 Prepare release notes for v2.1.3
• Fix multipart fetch issue when the server does not return content length (#​12003)
  • 7636bd5eb fix when multipart fetching and the server does not return content length
• Update transfer service supported platforms logic (#​11999)
  • 3c5ede878 Update transfer supported platforms logic
• Fix import for local transfer service (#​12000)
  • fb752bc8e fix import for local transfer service
• Fix registry errors with transfer service (#​11979)
  • f6d926314 Register remote errors for clients to access registry errors
  • 7c1813345 Decode grpc errors in the transfer client proxy
• Fix fetch always adding range to requests (#​12001)
  • babacebad Fix fetch always adding range to requests
• Update fetcher errors to include full registry error (#​11997)
  • f30be44ad Update fetcher errors to include full registry error

Dependency Changes

This release has no dependency changes

Previous release can be found at v2.1.2

Which file should I download?

• containerd-<VERSION>-<OS>-<ARCH>.tar.gz: ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
• containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz: Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install runc
and CNI plugins from their official sites too.

See also the Getting Started documentation.

v2.1.2: containerd 2.1.2

Compare Source

Welcome to the v2.1.2 release of containerd!

The second patch release for containerd 2.1 contains various fixes and updates.

Highlights

• Fix check of wrapped errors in erofs snapshotter (#​11935)

Go client

• Improve mount error message (#​11884)

Image Distribution

• Fix transfer differ selection (#​11936)
• Enable DuplicationSuppressor in transfer service (#​11932)

Runtime

• Properly shutdown non-groupable shims to prevent resource leaks (#​11971)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Akihiro Suda
• Kirtana Ashok
• Austin Vazquez
• Maksym Pavlenko
• ningmingxiao
• Gao Xiang
• Henry Wang
• Jin Dong
• Phil Estes
• Wei Fu

Changes

28 commits

• Prepare release notes for v2.1.2 (#​11962)
  • 63b9eae62 Prepare release notes for v2.1.2
• Properly shutdown non-groupable shims to prevent resource leaks (#​11971)
  • cff1feb28 *: properly shutdown non-groupable shims to prevent resource leaks
• ci: bump golang [1.23.10,1.24.4] in build and release (#​11968)
  • 2ce169aae ci: bump golang [1.23.10,1.24.4] in build and release
• Backport Enable CIs to run on WS2022 and WS2025 (#​11955)
  • 70bcb9b55 Enable CIs to run on WS2022 and WS2025
• cri:use debug level when receive exec process exited events (#​11848)
  • 40575a15f cri:use debug level when receive exec process exited events
• build(deps): bump google.golang.org/grpc from 1.72.0 to 1.72.2 (#​11952)
  • c71f77170 build(deps): bump google.golang.org/grpc from 1.72.0 to 1.72.2
• Fix transfer differ selection (#​11936)
  • 4bcea74de Update differ selection in transfer service to prefer default
  • 0c3cd8a99 Add debug log when transfer returns not implemented
  • 820e56765 Add more error details when unpack fails to extract
• Fetch image with default platform only in TestExportAndImportMultiLayer (#​11943)
  • 9b6c1949a Fetch image with default platform only in TestExportAndImportMultiLayer
• Fix check of wrapped errors in erofs snapshotter (#​11935)
  • 480126f50 erofs-snapshotter: fix to work with wrapped errors
• Enable DuplicationSuppressor in transfer service (#​11932)
  • d82921ff5 Enable DuplicationSuppressor in transfer service
• ci: bump golang [1.23.9, 1.24.3] in build and release (#​11889)
  • 0bb25c3d6 ci: bump golang [1.23.9, 1.24.3] in build and release
• Improve mount error message (#​11884)
  • ac8e84efc client:improve mount error message
• Add symlink breakout test for overriden path (#​11887)
  • dd2ce49d0 Add symlink breakout test for overriden path

Dependency Changes

• google.golang.org/grpc v1.72.0 -> v1.72.2

Previous release can be found at v2.1.1

Which file should I download?

• containerd-<VERSION>-<OS>-<ARCH>.tar.gz: ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
• containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz: Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install runc
and CNI plugins from their official sites too.

See also the Getting Started documentation.

v2.1.1: containerd 2.1.1

Compare Source

Welcome to the v2.1.1 release of containerd!

The first patch release for containerd 2.1 fixes a critical vulnernability (CVE-2025-47290)
which was first introduced in 2.1.0. See the Github Advisory
for more details. This release also contains a few smaller updates and bux fixes.

Highlights

Image Storage

• Fix erofs media type handling (#​11855)

Runtime

• Reduce shim cleanup log level and add more context (#​11831)

Deprecations

• Update removal version for deprecated registry config fields (#​11835)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Akihiro Suda
• Samuel Karp
• Derek McGowan
• Gao Xiang
• Akhil Mohan
• Chris Henzie
• Phil Estes
• Sebastiaan van Stijn
• ningmingxiao

Changes

17 commits

• cb1076646 Merge commit from fork
• 216667ba0 Prepare release notes for 2.1.1
• ac00b8e61 Revert "perf(applyNaive): avoid walking the tree for each file in the same directory"
• build(deps): bump github.com/Microsoft/hcsshim (#​11847)
  • 444ca17cd update runhcs version to v0.13.0
  • 0684f1c44 build(deps): bump github.com/Microsoft/hcsshim
• Fix erofs media type handling (#​11855)
  • e1817a401 docs/snapshotters/erofs.md: a tip for improved performance
  • 2168cb92c erofs-differ: fix EROFS native image support
• Reduce shim cleanup log level and add more context (#​11831)
  • 7fcbc3c46 core/runtime/v2: cleanup shim-cleanup logs
• Update removal version for deprecated registry config fields (#​11835)
  • 37d6c4236 Update removal version for deprecated registry config fields
• ctr:make sure containerd socket exist before create client (#​11827)
  • e7be076d4 ctr:make sure containerd socket exist before create client
• .github: mark 2.1 releases as latest (#​11821)
  • c90524d5f .github: mark 2.1 releases as latest

Dependency Changes

• github.com/Microsoft/hcsshim v0.13.0-rc.3 -> v0.13.0

Previous release can be found at v2.1.0

Which file should I download?

• containerd-<VERSION>-<OS>-<ARCH>.tar.gz: ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
• containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz: Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install runc
and CNI plugins from their official sites too.

See also the Getting Started documentation.

v2.1.0: containerd 2.1.0

Compare Source

Welcome to the v2.1.0 release of containerd!

The first minor release of containerd 2.x focuses on continued stability alongside
new features and improvements. This is the first time-based released for containerd.
Most the feature set and core functionality has long been stable and harderened in production
environments, so now we transition to a balance of timely delivery of new functionality
with the same high confidence in stability and performance.

Highlights

• Add no_sync option to boost boltDB performance on ephemeral environments (#​10745)
• Add content create event (#​11006)
• Erofs snapshotter and differ (#​10705)

Container Runtime Interface (CRI)

• Update CRI to use transfer service for image pull by default (#​8515)
• Support multiple cni plugin bin dirs (#​11311)
• Support container restore through CRI/Kubernetes (#​10365)
• Add OCI/Image Volume Source support (#​10579)
• Enable Writable cgroups for unprivileged containers (#​11131)
• Fix recursive RLock() mutex acquisition (containerd/go-cni#126)
• Support CNI STATUS Verb (containerd/go-cni#123)

Image Distribution

• Retry last registry host on 50x responses (#​11484)
• Multipart layer fetch (#​10177)
• Enable HTTP debug and trace for transfer based puller (#​10762)
• Add support for unpacking custom media types (#​11744)
• Add dial timeout field to hosts toml configuration (#​11106)

Node Resource Interface (NRI)

• Expose Pod assigned IPs to NRI plugins (#​10921)

Runtime

• Support multiple uid/gid mappings (#​10722)
• Fix race between serve and immediate shutdown on the server (containerd/ttrpc#175)

Breaking

• Update FreeBSD defaults and re-organize platform defaults (#​11017)

Deprecations

• Postpone cri config deprecations to v2.2 (#​11684)
• Remove deprecated dynamic library plugins (#​11683)
• Remove the support for Schema 1 images (#​11681)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Phil Estes
• Akihiro Suda
• Maksym Pavlenko
• Jin Dong
• Wei Fu
• Sebastiaan van Stijn
• Samuel Karp
• Mike Brown
• Adrien Delorme
• Austin Vazquez
• Akhil Mohan
• Kazuyoshi Kato
• Henry Wang
• Gao Xiang
• ningmingxiao
• Krisztian Litkey
• Yang Yang
• Archit Kulkarni
• Chris Henzie
• Iceber Gu
• Alexey Lunev
• Antonio Ojea
• Davanum Srinivas
• Marat Radchenko
• Michael Zappa
• Paweł Gronowski
• Rodrigo Campos
• Alberto Garcia Hierro
• Amit Barve
• Andrey Smirnov
• Divya
• Etienne Champetier
• Kirtana Ashok
• Philip Laine
• QiPing Wan
• fengwei0328
• zounengren
• Adrian Reber
• Alfred Wingate
• Amal Thundiyil
• Athos Ribeiro
• Brian Goff
• Cesar Talledo
• ChengyuZhu6
• Chongyi Zheng
• Craig Ingram
• Danny Canter
• David Son
• Fupan Li
• HirazawaUi
• Jing Xu
• Jonathan A. Sternberg
• Jose Fernandez
• Kaita Nakamura
• Kohei Tokunaga
• Lei Liu
• Marco Visin
• Mike Baynton
• Qiyuan Liang
• Sameer
• Shiming Zhang
• Swagat Bora
• Teresaliu
• Tony Fang
• Tõnis Tiigi
• Vered Rosen
• Vinayak Goyal
• bo.jiang
• chriskery
• luchenhan
• mahmut
• zhaixiaojuan

Dependency Changes

• github.com/Microsoft/hcsshim v0.12.9 -> v0.13.0-rc.3
• github.com/cilium/ebpf v0.11.0 -> v0.16.0
• github.com/containerd/cgroups/v3 v3.0.3 -> v3.0.5
• github.com/containerd/containerd/api v1.8.0 -> v1.9.0
• github.com/containerd/continuity v0.4.4 -> v0.4.5
• github.com/containerd/go-cni v1.1.10 -> v1.1.12
• github.com/containerd/imgcrypt/v2 v2.0.0-rc.1 -> v2.0.1
• github.com/containerd/otelttrpc ea5083f -> v0.1.0
• github.com/containerd/platforms v1.0.0-rc.0 -> v1.0.0-rc.1
• github.com/containerd/ttrpc v1.2.6 -> v1.2.7
• github.com/containerd/typeurl/v2 v2.2.2 -> v2.2.3
• github.com/containernetworking/cni v1.2.3 -> v1.3.0
• github.com/containernetworking/plugins v1.5.1 -> v1.7.1
• github.com/containers/ocicrypt v1.2.0 -> v1.2.1
• github.com/davecgh/go-spew d8f796a -> v1.1.1
• github.com/fsnotify/fsnotify v1.7.0 -> v1.9.0
• github.com/go-jose/go-jose/v4 v4.0.4 -> v4.0.5
• github.com/google/go-cmp v0.6.0 -> v0.7.0
• github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 -> v2.26.1
• github.com/klauspost/compress v1.17.11 -> v1.18.0
• github.com/mdlayher/socket v0.4.1 -> v0.5.1
• github.com/moby/spdystream v0.4.0 -> v0.5.0
• github.com/moby/sys/user v0.3.0 -> v0.4.0
• github.com/opencontainers/image-spec v1.1.0 -> v1.1.1
• github.com/opencontainers/runtime-spec v1.2.0 -> v1.2.1
• github.com/opencontainers/selinux v1.11.1 -> v1.12.0
• github.com/pelletier/go-toml/v2 v2.2.3 -> v2.2.4
• github.com/petermattis/goid 4fcff4a new
• github.com/pmezard/go-difflib 5d4384e -> v1.0.0
• github.com/prometheus/client_golang v1.20.5 -> v1.22.0
• github.com/prometheus/common v0.55.0 -> v0.62.0
• github.com/sasha-s/go-deadlock v0.3.5 new
• github.com/smallstep/pkcs7 v0.1.1 new
• github.com/stretchr/testify v1.9.0 -> v1.10.0
• github.com/tchap/go-patricia/v2 v2.3.1 -> v2.3.2
• github.com/urfave/cli/v2 v2.27.5 -> v2.27.6
• github.com/vishvananda/netlink v1.3.0 -> 0e7078e
• github.com/vishvananda/netns v0.0.4 -> v0.0.5
• go.etcd.io/bbolt v1.3.11 -> v1.4.0
• go.opentelemetry.io/auto/sdk v1.1.0 new
• go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.56.0 -> v0.60.0
• go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.56.0 -> v0.60.0
• go.opentelemetry.io/otel v1.31.0 -> v1.35.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.31.0 -> v1.35.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.31.0 -> v1.35.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.31.0 -> v1.35.0
• go.opentelemetry.io/otel/metric v1.31.0 -> v1.35.0
• go.opentelemetry.io/otel/sdk v1.31.0 -> v1.35.0
• go.opentelemetry.io/otel/trace v1.31.0 -> v1.35.0
• go.opentelemetry.io/proto/otlp v1.3.1 -> v1.5.0
• golang.org/x/crypto v0.28.0 -> v0.36.0
• golang.org/x/exp aacd6d4 -> 2d47ceb
• golang.org/x/mod v0.21.0 -> v0.24.0
• golang.org/x/net v0.30.0 -> v0.38.0
• golang.org/x/oauth2 v0.22.0 -> v0.27.0
• golang.org/x/sync v0.8.0 -> v0.14.0
• golang.org/x/sys v0.26.0 -> v0.33.0
• golang.org/x/term v0.25.0 -> v0.30.0
• golang.org/x/text v0.19.0 -> v0.23.0
• golang.org/x/time v0.3.0 -> v0.7.0
• google.golang.org/genproto/googleapis/api 5fefd90 -> 56aae31
• google.golang.org/genproto/googleapis/rpc 324edc3 -> 56aae31
• google.golang.org/grpc v1.67.1 -> v1.72.0
• google.golang.org/protobuf v1.35.1 -> v1.36.6
• k8s.io/api v0.31.2 -> v0.32.3
• k8s.io/apimachinery v0.31.2 -> v0.32.3
• k8s.io/apiserver v0.31.2 -> v0.32.3
• k8s.io/client-go v0.31.2 -> v0.32.3
• k8s.io/cri-api v0.31.2 -> v0.32.3
• k8s.io/kubelet v0.31.2 -> v0.32.3
• k8s.io/utils 18e509b -> 3ea5e8c
• sigs.k8s.io/json bc3834c -> 9aa6b5e
• sigs.k8s.io/structured-merge-diff/v4 v4.4.1 -> v4.4.2
• tags.cncf.io/container-device-interface v0.8.0 -> v1.0.1
• tags.cncf.io/container-device-interface/specs-go v0.8.0 -> v1.0.0

Previous release can be found at v2.0.0

Which file should I download?

• containerd-<VERSION>-<OS>-<ARCH>.tar.gz: ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
• containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz: Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install runc
and CNI plugins from their official sites too.

See also the Getting Started documentation.

v2.0.5: containerd 2.0.5

Compare Source

Welcome to the v2.0.5 release of containerd!

The fifth patch release for containerd 2.0 includes various bug fixes and updates.

Highlights

Build and Release Toolchain

• Update go to 1.23.8 (#​11717)

Container Runtime Interface (CRI)

• Update ImageService to delete images synchronously (#​11599)

Image Distribution

• Prevent panic on zero length push (#​11698)
• Set default differ for the default unpack config of transfer service (#​11688)

Runtime

• Remove invalid error log when stopping container after containerd restart (#​11621)
• Update taskOptions based on runtimeOptions when creating a task (#​11618)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Akihiro Suda
• Akhil Mohan
• Derek McGowan
• Phil Estes
• Wei Fu
• Iceber Gu
• Austin Vazquez
• Maksym Pavlenko
• Cesar Talledo
• Henry Wang
• Jin Dong
• Krisztian Litkey
• Yang Yang

Changes

33 commits

• Update go to 1.23.8 (#​11717)
  • 5bcf0a95e use go1.23.8 as the default go version
  • 4838f33f7 update to go 1.24.2, 1.23.8
• Prepare release notes for v2.0.5 (#​11713)
  • a8082cd60 Prepare release notes for v2.0.5
• Disable criu test on arm64 (#​11710)
  • 58b715ad8 Disable arm64 criu testing in GH Actions
  • b4a53e826 disable portmap test in ubuntu-22 to make CI happy
  • 4bcf472de add option to skip tests in critest
• Prevent panic on zero length push (#​11698)
  • 8a638b71a Prevent panic in Docker pusher.
• Set default differ for the default unpack config of transfer service (#​11688)
  • 84d9658c3 Set default differ for the default unpack config of transfer service
• ci: update GitHub Actions release runner to ubuntu-24.04 (#​11703)
  • b184a97d3 ci: update GitHub Actions release runner to ubuntu-24.04
• Remove invalid error log when stopping container after containerd restart (#​11621)
  • e04543db0 use shimCtx for fifo copy
• Update taskOptions based on runtimeOptions when creating a task (#​11618)
  • 9f46e7a44 integration/client: add tests for TaskOptions is not empty
  • 8a16a6a04 prefer task options for PluginInfo request
  • a183b2d23 update taskOptions based on runtimeOptions when creating a task
• Update ImageService to delete images synchronously (#​11599)
  • 091143135 *: CRIImageService should delete image synchronously
• Update runc binary to v1.2.6 (#​11583)
  • c2372c072 Update runc binary to v1.2.6
• go.{mod,sum}: bump CDI deps to stable v1.0.0. (#​11566)
  • e8506511b go.{mod,sum}: bump CDI deps to stable v1.0.0.
• silence govulncheck false positives (#​11571)
  • 4cfb89430 go.mod: github.com/go-jose/go-jose/v4
  • 2b9e6a29d go.mod: golang.org/x/oauth2 v0.28.0
  • 6df1ea0d9 go.mod: golang.org/x/net v0.37.0
• Fix CI lint error (cherry-picked #​11555) (#​11567)
  • 16f20abdf Fix CI lint error

Dependency Changes

• github.com/go-jose/go-jose/v4 v4.0.4 -> v4.0.5
• golang.org/x/crypto v0.31.0 -> v0.36.0
• golang.org/x/net v0.33.0 -> v0.37.0
• golang.org/x/oauth2 v0.23.0 -> v0.28.0
• golang.org/x/sync v0.10.0 -> v0.12.0
• golang.org/x/sys v0.28.0 -> v0.31.0
• golang.org/x/term v0.27.0 -> v0.30.0
• golang.org/x/text v0.21.0 -> v0.23.0
• tags.cncf.io/container-device-interface v0.8.1 -> v1.0.0
• tags.cncf.io/container-device-interface/specs-go v0.8.0 -> v1.0.0

Previous release can be found at v2.0.4

Which file should I download?

• containerd-<VERSION>-<OS>-<ARCH>.tar.gz: ✅Recommended. Dynamically linked with glibc 2.31 (Ubuntu 20.04).
• containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz: Statically linked. Expected to be used on non-glibc Linux distributions. Not position-independent.

In addition to containerd, typically you will have to install runc
and CNI plugins from their official sites too.

See also the Getting Started documentation.

v2.0.4: containerd 2.0.4

Compare Source

Welcome to the v2.0.4 release of containerd!

The fourth patch release for containerd 2.0 includes various bug fixes and updates.

Highlights

• Fix integer overflow in User ID handling (GHSA-265r-hfxg-fhmg)
• Respect client.WithTimeout option on connect (#​11536)
• Update image type checks to avoid unnecessary logs for attestations (#​11537)

Node Resource Interface (NRI)

• Fix incorrect runtime name being passed to NRI (#​11529)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Akihiro Suda
• Paweł Gronowski
• Akhil Mohan
• Phil Estes
• Samuel Karp
• Craig Ingram
• ningmingxiao

Changes

19 commits

• 1a43cb6a1 Merge commit from fork
• 07a0b5419 (cherry picked from commit de1341c)
• Prepare release notes for v2.0.4 (#​11541)
  • 06a886a8e Prepare release notes for v2.0.4
• Respect client.WithTimeout option on connect (#​11536)
  • 6b5efba83 client: Respect client.WithTimeout option
• Update image type checks to avoid unnecessary logs for attestations (#​11537)
  • 916d48722 core/remotes: Handle attestations in MakeRefKey
  • df4d905a6 core/images: Ignore attestations when traversing children
• Fix incorrect runtime name being passed to NRI (#​11529)
  • 4f037050c add name in package version
• update build to go1.23.7, test go1.24.1 (#​11514)
  • e5ad0d0a0 update build to go1.23.7, test go1.24.1
• docs: include note about unprivileged sysctls (#​11506)
  • a39f1146b docs: include note about unprivileged sysctls
• e2e: use the shim bundled with containerd artifact (#​11503)
  • 81b3384a0 e2e: use the shim bundled with containerd artifact
• build(deps): bump containerd/project-checks from 1.1.0 to 1.2.1 (#​11497)
  • 7215a7d2c build(deps): bump containerd/project-checks from 1.1.0 to 1.2.1

Dependency Changes

This release has no dependency changes

Previous release can be found at v2.0.3

Which file should I download?

• containerd-<VERSION>-<OS>-<ARCH>.tar.gz: ✅Recommended. Dynamically linked with glibc 2.31 (Ubuntu 20.04).
• containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz: Statically linked. Expected to be used on non-glibc Linux distributions. Not position-independent.

In addition to containerd, typically you will have to install runc
and CNI plugins from their official sites too.

See also the Getting Started documentation.

v2.0.3: containerd 2.0.3

Compare Source

Welcome to the v2.0.3 release of containerd!

The third patch release for containerd 2.0 includes various bug fixes and updates.

Highlights

• Update remote content to break up writes to avoid grpc message size limits (#​11457)
• Update runc binary to v1.2.5 (#​11394)

Container Runtime Interface (CRI)

• Fix privileged container sysfs can't be rw because pod is ro by default (#​11456)
• Fix recursive RLock() mutex acquisition (containerd/go-cni#126)

Node Resource Interface (NRI)

• Fix initial sync race when registering NRI plugins (#​11329)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Akihiro Suda
• Mike Brown
• Phil Estes
• Akhil Mohan
• Chifeng Cai
• Krisztian Litkey
• Wei Fu
• Andrey Smirnov
• Austin Vazquez
• Chris Henzie
• Jing Xu
• Jonathan A. Sternberg
• Jose Fernandez
• Kirtana Ashok
• Lei Liu
• Maksym Pavlenko
• Michael Zappa
• Samuel Karp
• fengwei0328
• zounengren

Changes

42 commits

• Prepare release notes for v2.0.3 (#​11443)
  • b8dde9189 Prepare release notes for v2.0.3
• Update remote content to break up writes to avoid grpc message size limits (#​11457)
  • eaa7ca80d proxy: break up writes from the remote writer to avoid grpc limits
• Fix privileged container sysfs can't be rw because pod is ro by default (#​11456)
  • c7f64196f Fix privileged container sysfs can't be rw because pod is ro by default
• go.{mod,sum}: bump CDI deps to v.0.8.1. (#​11430)
  • 92ae2951f Update CDI dependency to v0.8.1.
• Prefer runtime options for PluginInfo request (#​11446)
  • 569af34cb Prefer runtime options for PluginInfo request
• pkg: prevent oom watcher from depending on shim pkg (#​11439)
  • 0ce93e16a prevent oom watcher depend on shim pkg.
• CI: arm64-8core-32gb -> ubuntu-24.04-arm (#​11436)
  • f3284aa68 CI: arm64-8core-32gb -> ubuntu-24.04-arm
• Revert "Add timestamp to PodSandboxStatusResponse for kubernetes Evented PLEG" (#​11403)
  • b5313993c Revert "Add timestamp to PodSandboxStatusResponse for kubernetes Evented PLEG"
• move the device after the options when using mkfs.ext4 (#​11411)
  • f95a426b8 move the device after the options when using mkfs.ext4
• update build to go1.23.6, test go1.24.0 (#​11410)
  • 4d19a6adf update build to go1.23.6, test go1.24.0
• build(deps): bump actions/cache from 4.1.2 to 4.2.0 (#​11405)
  • c738c3aab build(deps): bump actions/cache from 4.1.2 to 4.2.0
• Upgrade x/net to 0.33.0 to fix vulnerability GHSA-w32m-9786-jp63 (#​11387)
  • fcf64305c Update vendor files to fix build failure
  • d3437eb29 Upgrade x/net to 0.33.0
• Update install-imgcrypt to allow change install repo (#​11357)
  • 0785bd8cc Update install-imgcrypt to allow change install repo
• Update runc binary to v1.2.5 (#​11394)
  • 697c59c63 Update runc binary to v1.2.5
• Update go-cni version to fix Race Condition issue (#​11269)
  • 06891f899 fix go-cni race condition
• Fix initial sync race when registering NRI plugins (#​11329)
  • 79cdbf61b cri,nri: block NRI plugin sync. during event processing.
• Update github.com/containerd/imgcrypt to v2.0.0 (#​11325)
  • 9d5cfce83 Update github.com/containerd/imgcrypt to v2.0.0
• Move CDI device spec out of the OCI package (#​11265)
  • f58939c33 Remove deprecated WithCDIDevices in oci spec opts
  • 3d53430fe Move CDI device spec out of the OCI package
• update to go1.23.5 / go1.22.11 (#​11297)
  • 1f4e5688e update to go1.23.5 / go1.22.11
• build(deps): bump google.golang.org/protobuf from 1.35.1 to 1.35.2 (#​11263)
  • 3a6ab80d0 build(deps): bump google.golang.org/protobuf from 1.35.1 to 1.35.2

Changes from containerd/go-cni

2 commits

• Fix recursive RLock() mutex acquisition (containerd/go-cni#126)
  • 75a2440 fix: recursive RLock() mutex acquision

Dependency Changes

• github.com/containerd/go-cni v1.1.11 -> v1.1.12
• github.com/containerd/imgcrypt/v2 v2.0.0-rc.1 -> v2.0.0
• github.com/containers/ocicrypt v1.2.0 -> v1.2.1
• github.com/petermattis/goid 4fcff4a new
• github.com/sasha-s/go-deadlock v0.3.5 new
• github.com/smallstep/pkcs7 v0.1.1 new
• golang.org/x/crypto v0.28.0 -> v0.31.0
• golang.org/x/net v0.30.0 -> v0.33.0
• golang.org/x/oauth2 v0.22.0 -> v0.23.0
• golang.org/x/sync v0.8.0 -> v0.10.0
• golang.org/x/sys v0.26.0 -> v0.28.0
• golang.org/x/term v0.25.0 -> v0.27.0
• golang.org/x/text v0.19.0 -> v0.21.0
• google.golang.org/grpc v1.67.1 -> v1.68.1
• google.golang.org/protobuf v1.35.1 -> v1.35.2
• tags.cncf.io/container-device-interface v0.8.0 -> v0.8.1

Previous release can be found at v2.0.2

Which file should I download?

• containerd-<VERSION>-<OS>-<ARCH>.tar.gz: ✅Recommended. Dynamically linked with glibc 2.31 (Ubuntu 20.04).
• containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz: Statically linked. Expected to be used on non-glibc Linux distributions. Not position-independent.

In addition to containerd, typically you will have to install runc
and CNI plugins from their official sites too.

See also the Getting Started documentation.

v2.0.2: containerd 2.0.2

Compare Source

Welcome to the v2.0.2 release of containerd!

The second patch release for containerd 2.0 includes a number of bug fixes and improvements.

Highlights

Container Runtime Interface (CRI)

• Remove confusing warning in cri runtime config migration (#​11256)
• Fix runtime platform loading in cri image plugin init (#​11248)

Runtime

• Update runc binary to v1.2.4 (#​11239)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Jin Dong
• Derek McGowan
• Akihiro Suda
• Kazuyoshi Kato
• Henry Wang
• Krisztian Litkey
• Phil Estes
• Samuel Karp
• Sebastiaan van Stijn
• Akhil Mohan
• Brian Goff
• Chongyi Zheng
• Maksym Pavlenko
• Mike Brown
• Pierre Gimalac
• Wei Fu

Changes

23 commits

• Prepare release notes for v2.0.2 (#​11245)
  • cdaf4dfb4 Prepare release notes for v2.0.2
• Update platforms to latest rc (#​11259)
  • eb125e1dd Update platforms to latest rc
• Remove confusing warning in cri runtime config migration (#​11256)
  • 468079c5c Remove confusing warning in cri runtime config migration
• Fix runtime platform loading in cri image plugin init (#​11248)
  • a2d9d4fd5 Fix runtime platform loading in cri image plugin init
• make sure console master tty is closed on task exit (#​11246)
  • 184ffad01 Add integ test to check tty leak
  • 17181ed33 fix master tty leak due to leaking init container object
• Bump up otelttrpc to 0.1.0 (#​11242)
  • 8666e7422 Bump up otelttrpc to 0.1.0
• ctr: ctr images import --all-platforms: fix unpack (#​11236)
  • c4270430d ctr: ctr images import --all-platforms: fix unpack
• Update runc binary to v1.2.4 (#​11239)
  • 7373ddd70 update runc binary to v1.2.4
• downgrade go-difflib and go-spew to tagged releases (#​11222)
  • f34147772 downgrade go-difflib and go-spew to tagged releases
• Add a build tag to disable std plugin import ([#&#

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box