chore(deps): update module github.com/containerd/containerd to v2

[renovate]

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change	OpenSSF
github.com/containerd/containerd	indirect	major	v1.7.28 → v2.2.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

containerd/containerd (github.com/containerd/containerd)

v2.2.1: containerd 2.2.1

Compare Source

Welcome to the v2.2.1 release of containerd!

The first patch release for containerd 2.2 contains various fixes and improvements.

Highlights

Container Runtime Interface (CRI)

• Redact all query parameters in CRI error logs (#​12546)

Image Distribution

• Fix image defaults on Darwin to usable configuration (#​12544)
• Fix possible panic from WithMediaTypeKeyPrefix (#​12516)

Runtime

• Update runc binary to v1.3.4 (#​12593)
• Fix parsing of hugetlb..events files (containerd/cgroups#379)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Krisztian Litkey
• Markus Lehtonen
• Akihiro Suda
• Mike Brown
• Sebastiaan van Stijn
• Derek McGowan
• Heran Yang
• Wei Fu
• Phil Estes
• Samuel Karp
• Austin Vazquez
• Sascha Grunert
• Akhil Mohan
• Andrey Noskov
• Brian Goff
• CrazyMax
• Davanum Srinivas
• Gaurav Ghildiyal
• Neeraj Krishna Gopalakrishna
• Paweł Gronowski
• Tariq Ibrahim
• TomerLev
• Tõnis Tiigi
• bo.jiang
• ningmingxiao

Changes

53 commits

• Prepare release notes for v2.2.1 (#​12677)
  • f6bae1f88 Prepare release notes for v2.2.1
• cri,nri: bump NRI dependencies to v0.11.0 (#​12701)
  • c22cf5d49 cri,nri: pass any linux security profile to plugins.
  • d7532de75 cri,nri: pass any linux RDT constraints to plugins.
  • ef36e6181 cri,nri: pass any linux net devices to plugins.
  • d56faf426 cri,nri: pass any linux scheduler attributes to plugins.
  • e1824d261 cri,nri: pass any linux I/O priority to plugins.
  • 01d5490ae go.{mod,sum}: bump NRI deps to v0.11.0, re-vendor.
• pkg/tracing: HTTPStatusCodeAttributes: remove use of deprecated SemConv const (#​12697)
  • 58d23ab63 pkg/tracing: HTTPStatusCodeAttributes: remove use of deprecated SemConv const
• cri/nri: short-circuit nil adjustment. (#​12672)
  • 05ccbb3a7 cri/nri: short-circuit nil adjustment.
• go.{mod,sum}: bump CDI deps to v1.1.0. (#​12664)
  • c166a577d go.{mod,sum} bump CDI deps to v1.1.0.
• go.mod: containerd/zfs v2.0.0; remove exclude rules (#​12654)
  • 73a08aa00 go.mod: remove exclude rules
  • cee08c8af build(deps): bump github.com/containerd/zfs/v2 from 2.0.0-rc.0 to 2.0.0
• go.mod: github.com/containernetworking/plugins v1.9.0 (#​12658)
  • 8a5fc8641 go.mod: github.com/containernetworking/plugins v1.9.0
• go.mod: golang.org/x/crypto v0.45.0 (#​12638)
  • 55c93d6fb go.mod: golang.org/x/crypto v0.45.0
• ci :bump Go 1.24.11, 1.25.5 (#​12625)
  • aedd29bb4 ci: bump Go 1.24.11, 1.25.5
  • 26628f139 ci: bump Go 1.24.10, 1.25.4
  • 8bb0e9be6 ci(release): set GO_VERSION in Dockerfile
• core/runtime/v2: remove uses of otelgrpc.UnaryClientInterceptor (#​12622)
  • ed19c5420 core/runtime/v2: remove uses of otelgrpc.UnaryClientInterceptor
• ci: update CIFuzz actions to support Ubuntu 24.04 (#​12632)
  • 952237d9b ci: update CIFuzz actions to support Ubuntu 24.04
• Update runc binary to v1.3.4 (#​12593)
  • fb5b818a9 runc: Update runc binary to v1.3.4
• : update containerd/cgroups from v3.1.0 to v3.1.2 (#​12598)
  • 51582ed27 bump containerd/cgroups to v3.1.2
  • 50d0e4fd4 build(deps): bump github.com/containerd/cgroups/v3 from 3.1.0 to 3.1.1
• core/mount: should not call removeLoop when set autoclear (#​12587)
  • 41a69eb0d core/mount: should not call removeLoop when set autoclear
• build(deps): bump github.com/opencontainers/selinux (#​12589)
  • e3bf2b80b build(deps): bump github.com/opencontainers/selinux
• .github: skip 5 critest cases for window-2022 (#​12584)
  • da8e846f9 .github: skip 5 critest cases in window CI pipeline
• Fix image defaults on Darwin to usable configuration (#​12544)
  • d154e234b Update the ctr pull defaults when using the transfer service
  • 09364216d Fix transfer unpack defaults on darwin
  • 2055d3c62 Update default differs on darwin
  • 9da97686d Use default writable size in erofs snapshotter for non-Linux hosts
  • eeb0f889a Update default erofs block size on macOS during erofs diff
• Redact all query parameters in CRI error logs (#​12546)
  • c707f771a fix: redact all query parameters in CRI error logs
• Revert "Implement io.ReaderAt on docker fetch reader" (#​12542)
  • 678f944dd Revert "Implement io.ReaderAt on docker fetch reader"
• Fix possible panic from WithMediaTypeKeyPrefix (#​12516)
  • 8b73c2de3 remotes: fix possible panic from WithMediaTypeKeyPrefix

Changes from containerd/cgroups

13 commits

• ci: bump golangci-lint to v2.6.2 (containerd/cgroups#382)
  • a302e56 ci: bump golangci-lint to v2.6.2
  • 731cf7a ci: suppress errcheck
  • 9bee663 utils: move Close() to defer block
  • 9d7647c rdma: use strings.Cut in Go 1.18
  • 109f063 memory_test: apply De Morgan's law
  • e6fcf3f memory_test: omit type from declaration
• build(deps): bump actions/checkout from 5 to 6 (containerd/cgroups#381)
  • 4e30098 build(deps): bump actions/checkout from 5 to 6
• Fix parsing of hugetlb..events files (containerd/cgroups#379)
  • 2ad7a12 hugetlb: correctly parse hugetlb..events files
• go.mod: github.com/opencontainers/runtime-spec v1.3.0 (containerd/cgroups#376)
  • 34ef430 go.mod: github.com/opencontainers/runtime-spec v1.3.0

Changes from containerd/nri

79 commits

• adaptation: allow compiling out WASM support altogether. (containerd/nri#253)
  • ab88fe6 adaptation: allow compiling out WASM support altogether.
• Support direct editing of the intelRdt config (containerd/nri#215)
  • 8c0c9f6 Implement removal of RDT
  • dfbae8a plugins: add sample rdt plugin
  • d05dd81 pkg/adaptation: support new RDT fields
  • 725289b pkg/runtime-tools/generate: support new RDT fields
  • a7832a2 api: add rdt
• update wazero/wazero version to v1.10.1 (containerd/nri#252)
  • 9eb9a0f update tetratelabs/wazero version to v1.10.1
• support specifying a custom NRI socket path (containerd/nri#249)
  • 2df6565 [plugins] support specifying a custom NRI socket path
• pkg/api: add OptionalRepeatedString type (containerd/nri#212)
  • 687c1a6 pkg/api: add OptionalRepeatedString type
• api,adaptation,generate: allow setting kernel scheduling policy attributes. (containerd/nri#160)
  • 6a371ac device-injector: add scheduling policy adjustment.
  • e06369e api,adaptation,generate: allow setting scheduler attributes.
• device-injector: always log injection summary. (containerd/nri#246)
  • 14cc2e2 device-injector: always log injection summary.
• api,adaptation,generate: allow adjusting linux net devices (containerd/nri#157)
  • 5145c92 device-injector: add network device injection.
  • 8a03823 api,adaptation,generate: allow adjusting linux net devices.
• Add support for sysctl adjustment (containerd/nri#248)
  • 914fbf3 default-validator: restrict sysctl adjustment
  • a418956 api: apply sysctl adjustments
  • 8705f9b api: add sysctl container adjustment
• feat: Make logger a configurable struct member for stub (containerd/nri#239)
  • 08a891a feat: Make logger a configurable struct member for stub
• Drop dependency on opencontainers/runtime-tools (containerd/nri#247)
  • 5e5c2be Drop dependency on opencontainers/runtime-tools
• deps: bump runtime-spec to v1.3.0. (containerd/nri#243)
  • 29c5811 (v0.1.0) examples: lock NRI, runtime spec deps.
  • d812952 v010-adapter: lock NRI, runtime spec and tools deps.
  • 7dd7c7f api,runtime-tools: adjust for runtime-spec v1.3.0.
  • 5d5d4c4 go.{mod,sum}: update runtime-tools, runtime-spec to v1.3.0.
• adaptation: ensure sync'ed plugins are fully registered in tests. (containerd/nri#234)
  • c840397 adaptation: ensure sync'ed plugins are fully registered in tests.
• Fix wasm example (containerd/nri#237)
  • 44b2861 Fix wasm example
• Makefile: build proto files unconditionally (containerd/nri#229)
  • d99f960 Fix dockerized proto build
  • 9623748 Makefile: build proto files unconditionally
  • 25d9391 build: ensure we use correct version of protoc and its deps.
• adaptation: test with populated initial resources. (containerd/nri#231)
  • b6b98b5 adaptation: test with populated initial resources.
• Install protoc locally in the source tree (containerd/nri#232)
  • 2394daa Install protoc locally in the source tree
• plugins/logger: fix default event subscription mask. (containerd/nri#158)
  • 33b1db1 logger: fix default event subscription mask.
• extract memory and CPU resource helpers (containerd/nri#210)
  • 7afb32a extract memory and CPU resource helpers
• api: expose container user/group ID to plugins. (containerd/nri#230)
  • 22aeb46 docs: update README with container uid/gid info.
  • 71b0335 api,adaptation: add container uid/gid info.
• contrib: add example for enabling per-container RDT monitoring (containerd/nri#228)
  • 91fbf06 contrib: add example for enabling per-container RDT monitoring
• ci: enable image signing (containerd/nri#224)
  • fb54916 ci: enable image signing
• golangci: disable QF1008 from staticcheck linter (containerd/nri#226)
  • 0b3b577 golangci: disable QF1008 from staticcheck linter
• ci: bump golangci-lint to v2.4 (containerd/nri#225)
  • 9787127 Bump golangci-lint to v2.4
  • 1a50ff5 Add nolint directives
  • 00fa1a1 Add and fix comments for exported types
  • ac21da7 pkg/api/seccomp: add comments for exported functions
  • 3aff986 pkg/runtime-tools/generate: remove embedded field "Generator"
  • c0c4bb6 pkg/api/validate: add comments for exported methods
  • c0ba9da adaptation/builtin: add comment for exported symbols
• .gitignore: revert hastily reviewed editor-specific addition. (containerd/nri#221)
  • 02376f3 .gitignore: add comment about global gitignore.
  • 9336a79 Revert "nit: Add .idea folder to gitignore"
• nit: Add .idea folder to gitignore (containerd/nri#218)
  • f578ea2 nit: Add .idea folder to gitignore
• chore: clean and unify nolint directives (containerd/nri#217)
  • 21741b9 chore: clean and unify nolint directives
• Downgrade go to require 1.24.0 (containerd/nri#214)
  • d26e910 Downgrade go to require 1.24.0
• Add dockerized target for building proto files (containerd/nri#211)
  • 13fcc07 Add dockerized target for building proto files

Changes from containerd/zfs

11 commits

• go.mod: update to stable containerd v2.0 (containerd/zfs#89)
  • f11f891 go.mod: update to stable containerd v2.0
• ci: update actions, test against go1.23, fix linting, and update golangci-lint (containerd/zfs#88)
  • 662ad3c gha: update golangci/golangci-lint-action@​v9, golangci-lint v2.7
  • b0b2584 remove nolint comments
  • 7c4274b fix error capitalization
  • 24ce1b9 fix inconsistent receiver name
  • c8545c3 gha: update actions/checkout@​v6
  • d23ec04 gha: update actions/setup-go@​v6
  • bb45f6e gha: update containerd/project-checks@​v1.2.2
  • 65bc451 gha: test against go1.23

Dependency Changes

• github.com/containerd/cgroups/v3 v3.1.0 -> v3.1.2
• github.com/containerd/nri v0.10.0 -> v0.11.0
• github.com/containerd/zfs/v2 v2.0.0-rc.0 -> v2.0.0
• github.com/containernetworking/plugins v1.8.0 -> v1.9.0
• github.com/cyphar/filepath-securejoin v0.5.1 new
• github.com/opencontainers/runtime-spec v1.2.1 -> v1.3.0
• github.com/opencontainers/runtime-tools 0ea5ed0 -> edf4cb3
• github.com/opencontainers/selinux v1.12.0 -> v1.13.1
• github.com/tetratelabs/wazero v1.9.0 -> v1.10.1
• golang.org/x/crypto v0.41.0 -> v0.45.0
• golang.org/x/net v0.43.0 -> v0.47.0
• golang.org/x/sync v0.17.0 -> v0.18.0
• golang.org/x/sys v0.37.0 -> v0.38.0
• golang.org/x/term v0.34.0 -> v0.37.0
• golang.org/x/text v0.28.0 -> v0.31.0
• tags.cncf.io/container-device-interface v1.0.1 -> v1.1.0
• tags.cncf.io/container-device-interface/specs-go v1.0.0 -> v1.1.0

Previous release can be found at v2.2.0

Which file should I download?

• containerd-<VERSION>-<OS>-<ARCH>.tar.gz: ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
• containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz: Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install runc
and CNI plugins from their official sites too.

See also the Getting Started documentation.

v2.2.0: containerd 2.2.0

Compare Source

Welcome to the v2.2.0 release of containerd!

The second minor release of containerd 2.x focuses on continued stability alongside
new features and improvements. This is the second time-based released for containerd.

Highlights

• Add mount manager (#​12063)

  The mount manager is a new service that provides lifecycle management for filesystem mounts
  to support more advanced use cases, such as:

  • Device formatting to create formatted filesystems (xfs, ext4) on-demand
  • Mount activation to prepare devices such as loopbacks or network fileystems
  • Mount transformation to allow mount arguments to be filled in dynamically from previous mounts
  • Garbage collection of mounts to ensure temporary mounts are never leaked

• Add conf.d include in the default config (#​12323)

• Add support for back references in the garbage collector (#​12025)

Container Runtime Interface (CRI)

• Pod Sandbox Metrics (#​10691)

  Full implementation of Kubernetes CRI pod-level metrics API

  • ListPodSandboxMetrics: Query metrics for running pods/sandboxes
  • ListMetricsDescriptors: Discover available metrics and their descriptions

• Support image volume mount subpath (#​11578)

Go client

• Update pkg/oci to use fs.FS interface and os.OpenRoot (#​12245)

Image Distribution

• Parallel Unpack (#​12332)

  Adds support for unpacking layers in parallel during pull operations. This feature is supported with overlayfs and EROFS snapshotters.

• OCI Referrers Support (#​12309)

  Adds new referrers fetcher to remote registry interface using the new referrers endpoint added in OCI distribution-spec 1.1

• Tar unpack progress through transfer service (#​11921)

Image Storage

• EROFS enhancements using mount manager (#​12333)

  Improvements to EROFS snapshotter using the new mount manager service

  • Quota Support: Support for sized block devices as the upper layer for overlayfs
  • Mount Lifecycle: Loopback setup, block device creation, and overlayfs argument formatting is moved to the
    mount manager to be performed on-demand or within the runtime.
  • Mount handler: To allow optimization of EROFS mount types based on the current system
  • macOS Support: EROFS snapshotter can now be used on Darwin to natively allow image pulls
  • Tar index mode: Efficiently generate EROFS metadata backed by original tar content (#​11919)

• Add snapshotter and differ for block CIMs (#​12050)

Node Resource Interface (NRI)

• Enable otel traces in NRI (#​12082)
• Add WASM plugin support (containerd/nri#121)

Runtime

• Improve shim load time after restart by loading in parallel (#​12142)
• Fix pidfd leak in UnshareAfterEnterUserns (#​12167)

Deprecations

• Deprecate cgroup v1 (#​12445)
• Postpone v2.2 deprecation items to v2.3 (#​12417)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Phil Estes
• Akihiro Suda
• Maksym Pavlenko
• Wei Fu
• Krisztian Litkey
• Mike Brown
• Akhil Mohan
• Markus Lehtonen
• Samuel Karp
• Sebastiaan van Stijn
• ningmingxiao
• Austin Vazquez
• yashsingh74
• Gao Xiang
• Kirtana Ashok
• Jin Dong
• Chris Henzie
• Aadhar Agarwal
• Etienne Champetier
• Henry Wang
• Rodrigo Campos
• Sascha Grunert
• Aleksa Sarai
• Eric Mountain
• Keith Mattix II
• Paweł Gronowski
• Tõnis Tiigi
• Adrien Delorme
• Apurv Barve
• Enji Cooper
• Kohei Tokunaga
• Max Jonas Werner
• Rehan Khan
• Yang Yang
• jinda.ljd
• jokemanfire
• Amit Barve
• Andrew Halaney
• Antonio Ojea
• Brian Goff
• Carlos Eduardo Arango Gutierrez
• Chenyang Yan
• Dawei Wei
• Divya Rani
• Evan Anderson
• Fabiano Fidêncio
• Iceber Gu
• Jared Ledvina
• Jonathan Perkin
• Jose Fernandez
• Karl Baumgartner
• Michael Weibel
• Osama Abdelkader
• Radostin Stoyanov
• Ruidong Cao
• Sameer
• Sergey Kanzhelev
• Swagat Bora
• Sylvain MOUQUET
• Tom Wieczorek
• Tycho Andersen
• Wuyue (Tony) Sun
• suranmiao
• tanhuaan
• wheat2018
• zounengren

Dependency Changes

• dario.cat/mergo v1.0.1 -> v1.0.2
• github.com/Microsoft/hcsshim v0.13.0-rc.3 -> v0.14.0-rc.1
• github.com/StackExchange/wmi cbe6696 new
• github.com/checkpoint-restore/checkpointctl v1.3.0 -> v1.4.0
• github.com/containerd/cgroups/v3 v3.0.5 -> v3.1.0
• github.com/containerd/console v1.0.4 -> v1.0.5
• github.com/containerd/containerd/api v1.9.0 -> v1.10.0
• github.com/containerd/go-cni v1.1.12 -> v1.1.13
• github.com/containerd/nri v0.8.0 -> v0.10.0
• github.com/containerd/platforms v1.0.0-rc.1 -> v1.0.0-rc.2
• github.com/containernetworking/plugins v1.7.1 -> v1.8.0
• github.com/coreos/go-systemd/v22 v22.5.0 -> v22.6.0
• github.com/cpuguy83/go-md2man/v2 v2.0.5 -> v2.0.7
• github.com/emicklei/go-restful/v3 v3.11.0 -> v3.13.0
• github.com/fxamacker/cbor/v2 v2.7.0 -> v2.9.0
• github.com/go-jose/go-jose/v4 v4.0.5 -> v4.1.2
• github.com/go-logr/logr v1.4.2 -> v1.4.3
• github.com/go-ole/go-ole v1.2.6 new
• github.com/golang/groupcache 41bb18b -> 2c02b82
• github.com/google/certtostore v1.0.6 new
• github.com/google/deck 105ad94 new
• github.com/gorilla/websocket v1.5.0 -> e064f32
• github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus v1.0.1 -> v1.1.0
• github.com/hashicorp/errwrap v1.1.0 new
• github.com/intel/goresctrl v0.8.0 -> v0.10.0
• github.com/klauspost/compress v1.18.0 -> v1.18.1
• github.com/knqyf263/go-plugin v0.9.0 new
• github.com/moby/sys/capability v0.4.0 new
• github.com/modern-go/reflect2 v1.0.2 -> 35a7c28
• github.com/opencontainers/runtime-tools 2e043c6 -> 0ea5ed0
• github.com/prometheus/client_golang v1.22.0 -> v1.23.2
• github.com/prometheus/client_model v0.6.1 -> v0.6.2
• github.com/prometheus/common v0.62.0 -> v0.66.1
• github.com/prometheus/procfs v0.15.1 -> v0.16.1
• github.com/stretchr/testify v1.10.0 -> v1.11.1
• github.com/tchap/go-patricia/v2 v2.3.2 -> v2.3.3
• github.com/tetratelabs/wazero v1.9.0 new
• github.com/urfave/cli/v2 v2.27.6 -> v2.27.7
• github.com/vishvananda/netlink 0e7078e -> v1.3.1
• go.etcd.io/bbolt v1.4.0 -> v1.4.3
• go.opentelemetry.io/otel v1.35.0 -> v1.37.0
• go.opentelemetry.io/otel/metric v1.35.0 -> v1.37.0
• go.opentelemetry.io/otel/sdk v1.35.0 -> v1.37.0
• go.opentelemetry.io/otel/trace v1.35.0 -> v1.37.0
• go.uber.org/goleak v1.3.0 new
• go.yaml.in/yaml/v2 v2.4.2 new
• golang.org/x/crypto v0.36.0 -> v0.41.0
• golang.org/x/mod v0.24.0 -> v0.29.0
• golang.org/x/net v0.38.0 -> v0.43.0
• golang.org/x/oauth2 v0.27.0 -> v0.30.0
• golang.org/x/sync v0.14.0 -> v0.17.0
• golang.org/x/sys v0.33.0 -> v0.37.0
• golang.org/x/term v0.30.0 -> v0.34.0
• golang.org/x/text v0.23.0 -> v0.28.0
• golang.org/x/time v0.7.0 -> v0.14.0
• google.golang.org/genproto/googleapis/api 56aae31 -> a7a43d2
• google.golang.org/genproto/googleapis/rpc 56aae31 -> a7a43d2
• google.golang.org/grpc v1.72.0 -> v1.76.0
• google.golang.org/protobuf v1.36.6 -> v1.36.10
• k8s.io/api v0.32.3 -> v0.34.1
• k8s.io/apimachinery v0.32.3 -> v0.34.1
• k8s.io/client-go v0.32.3 -> v0.34.1
• k8s.io/cri-api v0.32.3 -> v0.34.1
• k8s.io/utils 3ea5e8c -> 4c0f3b2
• sigs.k8s.io/json 9aa6b5e -> cfa47c3
• sigs.k8s.io/randfill v1.0.0 new
• sigs.k8s.io/structured-merge-diff/v6 v6.3.0 new
• sigs.k8s.io/yaml v1.4.0 -> v1.6.0

Previous release can be found at v2.1.0

Which file should I download?

• containerd-<VERSION>-<OS>-<ARCH>.tar.gz: ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
• containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz: Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install runc
and CNI plugins from their official sites too.

See also the Getting Started documentation.

v2.1.6: containerd 2.1.6

Compare Source

Welcome to the v2.1.6 release of containerd!

The sixth patch release for containerd 2.1 contains various fixes and updates.

Highlights

Runtime

• Update runc binary to v1.3.4 (#​12618)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Akihiro Suda
• Derek McGowan
• Mike Brown
• Phil Estes
• Austin Vazquez
• Kirtana Ashok
• Andrey Noskov
• CrazyMax
• Davanum Srinivas
• Krisztian Litkey
• Maksym Pavlenko
• Michael Weibel
• Paweł Gronowski
• Sebastiaan van Stijn
• Wei Fu

Changes

28 commits

• Prepare release notes for v2.1.6 (#​12653)
  • 93f79087a Prepare release notes for v2.1.6
• go.mod: containerd/zfs v2.0.0 (#​12655)
  • 7e75db3a9 build(deps): bump github.com/containerd/zfs/v2 from 2.0.0-rc.0 to 2.0.0
• cri/nri: short-circuit nil adjustment. (#​12673)
  • 2b8e11b12 cri/nri: short-circuit nil adjustment.
• go.mod: github.com/containernetworking/plugins v1.9.0 (#​12659)
  • 69efd067c go.mod: github.com/containernetworking/plugins v1.9.0
• go.mod: golang.org/x/crypto v0.45.0 (drop support for Go 1.23) (#​12639)
  • e81678853 go.mod: golang.org/x/crypto v0.45.0
  • 55a2d8c8d CI: drop Go 1.23
  • fd8e3c39b Update Go requirements in BUILDING
• core/runtime/v2: remove uses of otelgrpc.UnaryClientInterceptor (#​12623)
  • a4454c49a core/runtime/v2: remove uses of otelgrpc.UnaryClientInterceptor
• Update runc binary to v1.3.4 (#​12618)
  • 251f0a285 runc: Update runc binary to v1.3.4
• ci: bump Go 1.24.11, 1.25.5 (#​12626)
  • c07c29bca ci: bump Go 1.24.11, 1.25.5
  • e52817652 ci: bump Go 1.24.10, 1.25.4
  • 04bbb66e4 ci(release): set GO_VERSION in Dockerfile
• ci: update CIFuzz actions to support Ubuntu 24.04 (#​12633)
  • 492987ccc ci: update CIFuzz actions to support Ubuntu 24.04
• build(deps): bump github.com/opencontainers/selinux (#​12590)
  • 55a25ec6e build(deps): bump github.com/opencontainers/selinux
• Redact all query parameters in CRI error logs (#​12547)
  • b72d0dfe0 fix: redact all query parameters in CRI error logs
• Update 2.1 branch to no longer build as latest (#​12487)
  • ecd58bd65 Update 2.1 branch to no longer build as latest

Changes from containerd/platforms

5 commits

• use windowsMatchComparer for OSVersion match order (containerd/platforms#25)
  • 8c0d9f9 use windowsMatchComparer for OSVersion match order
• Add WS2025 to Windows matcher and code optimizations (containerd/platforms#24)
  • 8447b0a Update ci.yml
  • 4549974 Add WS2025 to Windows matcher and code optimizations

Dependency Changes

• github.com/containerd/platforms v1.0.0-rc.1 -> v1.0.0-rc.2
• github.com/containerd/zfs/v2 v2.0.0-rc.0 -> v2.0.0
• github.com/containernetworking/plugins v1.7.1 -> v1.9.0
• github.com/coreos/go-systemd/v22 v22.5.0 -> v22.6.0
• github.com/cyphar/filepath-securejoin v0.5.1 new
• github.com/go-logr/logr v1.4.2 -> v1.4.3
• github.com/opencontainers/selinux v1.12.0 -> v1.13.1
• github.com/vishvananda/netlink 0e7078e -> v1.3.1
• golang.org/x/crypto v0.36.0 -> v0.45.0
• golang.org/x/mod v0.24.0 -> v0.29.0
• golang.org/x/net v0.38.0 -> v0.47.0
• golang.org/x/sync v0.14.0 -> v0.18.0
• golang.org/x/sys v0.33.0 -> v0.38.0
• golang.org/x/term v0.30.0 -> v0.37.0
• golang.org/x/text v0.23.0 -> v0.31.0
• google.golang.org/protobuf v1.36.6 -> v1.36.7

Previous release can be found at v2.1.5

Which file should I download?

• containerd-<VERSION>-<OS>-<ARCH>.tar.gz: ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
• containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz: Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install runc
and CNI plugins from their official sites too.

See also the Getting Started documentation.

v2.1.5: containerd 2.1.5

Compare Source

Welcome to the v2.1.5 release of containerd!

The fifth patch release for containerd 2.1 contains various fixes and updates.

Security Updates

• containerd

  • GHSA-pwhc-rpq9-4c8w
  • GHSA-m6hq-p25p-ffr2

• runc

  • GHSA-qw9x-cqr3-wc7r
  • GHSA-cgrx-mc8f-2prm
  • GHSA-9493-h29p-rfm2

Highlights

Container Runtime Interface (CRI)

• Disable event subscriber during task cleanup (#​12410)
• Add SystemdCgroup to default runtime options (#​12253)
• Fix userns with container image VOLUME mounts that need copy (#​12242)

Image Distribution

• Ensure errContentRangeIgnored error when range-get request is ignored (#​12312)

Runtime

• Update runc binary to v1.3.3 (#​12478)

Deprecations

• Postpone v2.2 deprecation items to v2.3 (#​12431)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Phil Estes
• Akihiro Suda
• Derek McGowan
• Austin Vazquez
• Rodrigo Campos
• Maksym Pavlenko
• Wei Fu
• ningmingxiao
• Akhil Mohan
• Henry Wang
• Andrew Halaney
• Divya Rani
• Jose Fernandez
• Swagat Bora
• wheat2018

Changes

58 commits

• Prepare release notes for v2.1.5 (#​12483)
  • fc5bdfeac Prepare release notes for v2.1.5
  • c578c26bf Update mailmap
  • 46a4a03fb Merge commit from fork
  • 232786c90 Fix directory permissions
  • 239ab877d Merge commit from fork
  • 0766796e8 fix goroutine leak of container Attach
• Update runc binary to v1.3.3 (#​12478)
  • 3d713d3d0 runc: Update runc binary to v1.3.3
• Update GHA runners to use latest images for basic binaries build (#​12470)
  • de4221cb7 Update GHA runners to use latest images for basic binaries build
• ci: bump Go 1.24.9, 1.25.3 (#​12467)
  • 2045b1920 ci: bump Go 1.24.9, 1.25.3
• Update GHA runners to use latest image for most jobs (#​12468)
  • 21ec7cc7d Update GHA runners to use latest image for most jobs
• CI: update Fedora to 43 (#​12449)
  • 893b5f92e CI: update Fedora to 43
• Postpone v2.2 deprecation items to v2.3 (#​12431)
  • 6374a8f9d Postpone v2.2 deprecation items to v2.3
• CI: skip ubuntu-24.04-arm on private repos (#​12427)
  • 98e0e73de CI: skip ubuntu-24.04-arm on private repos
• Disable event subscriber during task cleanup (#​12410)
  • a3770cf83 cri/server/podsandbox: disable event subscriber
• Fix lost container logs from quickly closing io (#​12377)
  • 7d9f09ba0 bugfix:fix container logs lost because io close too quickly
• ci: bump Go 1.24.8 (#​12360)
  • d1cab3cc5 ci: bump Go 1.24.8
• Prevent goroutine hangs during ProgressTracker shutdown (#​12336)
  • 9b57a4d35 Prevent goroutine hangs during ProgressTracker shutdown
• Ensure errContentRangeIgnored error when range-get request is ignored (#​12312)
  • ca3de4fe7 Ensure errContentRangeIgnored error when range-get request is ignored by registry
• Remove additional fuzzers from instrumentation repo (#​12313)
  • dfffe3d9c Remove additional fuzzers from CI
• update release builds to 1.24.7 and add 1.25.1 to CI (#​12258)
  • c54585ba7 update release builds to 1.24.7 and add 1.25.1 to CI
• runc:Update runc binary to v1.3.1 (#​12277)
  • f0a48ce38 runc:Update runc binary to v1.3.1
• Add SystemdCgroup to default runtime options ([#

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: undefined

Post-upgrade command 'command -v go >/dev/null 2>&1 || exit 0; find . -name "go.mod" -type f -path '*/integration/*' -exec dirname {} \; | while read dir; do echo "Running explicit go mod tidy for integration test in $dir"; cd "$dir" && go mod tidy && cd - > /dev/null; done' has not been added to the allowed list in allowedCommands