containerd 2.1.0-beta.0

Welcome to the v2.1.0-beta.0 release of containerd!
This is a pre-release of containerd

The 2.1 beta series is here, see the 2.1 milestone to track
ongoing efforts. Please try out the beta and report any issues!

The first minor release of containerd 2.x focuses on continued stability alongside
new features and improvements. This is the first time-based released for containerd.
Most the feature set and core functionality has long been stable and harderened in production
environments, so now we transition to a balance of timely delivery of new functionality
with the same high confidence in stability and performance.

Highlights

• Erofs snapshotter and differ (#10705)
• Fix race between serve and immediate shutdown on the server (containerd/ttrpc#175)

Container Runtime Interface (CRI)

• Add OCI/Image Volume Source support (#10579)
• Enable Writable cgroups for unprivileged containers (#11131)
• Fix recursive RLock() mutex acquisition (containerd/go-cni#126)
• Support CNI STATUS Verb (containerd/go-cni#123)

Image Distribution

• Add dial timeout field to hosts toml configuration (#11106)

Node Resource Interface (NRI)

• Expose Pod assigned IPs to NRI plugins (#10921)

Runtime

• Support multiple uid/gid mappings (#10722)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Akihiro Suda
• Derek McGowan
• Phil Estes
• Maksym Pavlenko
• Jin Dong
• Sebastiaan van Stijn
• Wei Fu
• Samuel Karp
• Austin Vazquez
• Kazuyoshi Kato
• Henry Wang
• Mike Brown
• Akhil Mohan
• Gao Xiang
• Archit Kulkarni
• Krisztian Litkey
• ningmingxiao
• Alexey Lunev
• Antonio Ojea
• Chris Henzie
• Davanum Srinivas
• Marat Radchenko
• Michael Zappa
• Paweł Gronowski
• Adrien Delorme
• Amit Barve
• Andrey Smirnov
• Divya
• Etienne Champetier
• Kirtana Ashok
• fengwei0328
• zounengren
• Adrian Reber
• Alfred Wingate
• Amal Thundiyil
• Athos Ribeiro
• Brian Goff
• ChengyuZhu6
• Chongyi Zheng
• Craig Ingram
• David Son
• Fupan Li
• Jing Xu
• Jonathan A. Sternberg
• Jose Fernandez
• Kaita Nakamura
• Lei Liu
• Mike Baynton
• Philip Laine
• Qiyuan Liang
• Sameer
• Shiming Zhang
• Vered Rosen
• alingse
• bo.jiang
• chriskery
• luchenhan
• mahmut

Changes

433 commits

• b430e5ac3 Merge commit from fork
• de1341c20 validate uid/gid
• Bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 (#11544)
  • 8028a1d08 Bump github.com/go-jose/go-jose/v4 from v4.0.4 to v4.0.5
  • ce055b530 Bump golang.org/x/text from 0.22.0 to 0.23.0
  • e0aaed012 Bump golang.org/x/term from 0.29.0 to 0.30.0
• fix: repeat args from sub-func call (#11512)
  • b947e0566 fix: repeat args from sub-func call
• build(deps): bump github.com/prometheus/client_golang from 1.20.5 to 1.21.1 (#11525)
  • 75252f975 build(deps): bump github.com/prometheus/client_golang
• integration: update TestUpgrade for 2.1 (#11519)
  • 06daffb4d integration: update TestUpgrade for 2.1
• config:fix config migrate lost timeout config (#11532)
  • 531adbf06 config:fix config migrate lost timeout config
• Add dial timeout field to hosts toml configuration (#11106)
  • c4982bffc Add dial timeout field to hosts toml configuration
• Prepare release notes for v2.1.0-beta.0 (#11510)
  • 12762891d Remove test for issue 10467
  • 93cc1e6eb Fix upgrade test runtime config
  • 833d6bc8e Update release status for 2.1 to beta
  • 71cfe00ee Prepare release notes for v2.1.0-beta.n
  • be8fe50f4 Update the upgrade test to handle 2.1
• build(deps): bump the otel group with 8 updates (#11521)
  • 94dd70f4f build(deps): bump the otel group with 8 updates
• client: Respect client.WithTimeout option (#11508)
  • ee574e76e client: Respect client.WithTimeout option
• build(deps): bump github.com/urfave/cli/v2 from 2.27.5 to 2.27.6 (#11523)
  • 700b98415 build(deps): bump github.com/urfave/cli/v2 from 2.27.5 to 2.27.6
• build(deps): bump the golang-x group with 3 updates (#11520)
  • 85c04ab0e build(deps): bump the golang-x group with 3 updates
• add k8s 1.32 to support table and as tested containerd supported branches at the time of release (#11534)
  • 5bbd3ed1b add k8s 1.32 and as tested containerd supported branches at the time of release
• build(deps): bump google.golang.org/grpc from 1.70.0 to 1.71.0 (#11524)
  • c37e48b07 build(deps): bump google.golang.org/grpc from 1.70.0 to 1.71.0
• Support container restore through CRI/Kubernetes (#10365)
  • 9e6beafd5 Support container restore through CRI/Kubernetes
• build(deps): bump actions/attest-build-provenance from 2.2.2 to 2.2.3 (#11526)
  • d7de182dd build(deps): bump actions/attest-build-provenance from 2.2.2 to 2.2.3
• build(deps): bump github/codeql-action from 3.28.10 to 3.28.11 (#11527)
  • 9f885ea4f build(deps): bump github/codeql-action from 3.28.10 to 3.28.11
• build(deps): bump containerd/project-checks from 1.2.1 to 1.2.2 (#11528)
  • 88faaac97 build(deps): bump containerd/project-checks from 1.2.1 to 1.2.2
• add name in package version (#11518)
  • 405a952c6 add name in package version
• update to go1.23.7 / go1.24.1 (#11513)
  • 4f090fe77 update to go1.23.7 / go1.24.1
• Don't produce unnecessary logs when encountering attestations (#11327)
  • 3cdfc1003 core/remotes: Handle attestations in MakeRefKey
  • e751b6bb1 core/images: Ignore attestations when traversing children
• perf(applyNaive): avoid walking the tree for each file in the same directory (#11337)
  • d8063c30d perf(applyNaive): avoid walking the tree for each file in the same directory
• Update runtime-spec to v1.2.1 (#11460)
  • f8f205382 Update runtime-spec to v1.2.1
• docs: include note about unprivileged sysctls (#11502)
  • edd1cc50d docs: include note about unprivileged sysctls
• ci: update GitHub Actions release runner to ubuntu-24.04 (#11479)
  • 705518e58 ci: update GitHub Actions release runner to ubuntu-24.04
• e2e: use the shim bundled with containerd artifact (#11489)
  • 393ad5b11 e2e: use the shim bundled with containerd artifact
• build(deps): bump go.etcd.io/bbolt from 1.3.11 to 1.4.0 (#11450)
  • e84e5a215 build(deps): bump go.etcd.io/bbolt from 1.3.11 to 1.4.0
  • 00cb73503 Swap to go.etcd.io/bbolt/errors for bbolt errors
• CVE-2025-22869: upgrade golang.org/x/crypto to v0.35.0 (#11482)
  • af5ff5a1f CVE-2025-22869: upgrade golang.org/x/crypto to v0.35.0
• device mapper:fix sometimes blkdiscard doesn't have --version flags (#11330)
  • 44baada6a device mapper:fix sometimes blkdiscard doesn't have --version flags
• docs: add CRI Plugin Config runtime_path (#11402)
  • a1e7457bc docs: add CRI Plugin Config runtime_path
• Consolidate security profile logic into a common pkg (#11080)
  • 71958731e move security profile to cri/sputil pkg
• erofs-snapshotter: two bug-fixes (#11476)
  • 3a5de731c erofs-snapshotter: clear IMMUTABLE_FL only for committed snapshots
  • 971915797 erofs-snapshotter: force the use of loop devices for single-layer images
• CVE-2025-22868: upgrade golang.org/x/oauth2 to v0.27.0 (#11481)
  • 10f2b7fde CVE-2025-22868: upgrade golang.org/x/oauth2 to v0.27.0
• build(deps): bump containerd/project-checks from 1.1.0 to 1.2.1 (#11474)
  • 69c0d7f60 build(deps): bump containerd/project-checks from 1.1.0 to 1.2.1
• build(deps): bump github.com/google/go-cmp from 0.6.0 to 0.7.0 (#11464)
  • 72ac5cad4 build(deps): bump github.com/google/go-cmp from 0.6.0 to 0.7.0
• build(deps): bump github.com/klauspost/compress from 1.17.11 to 1.18.0 (#11467)
  • 001dfeb19 build(deps): bump github.com/klauspost/compress from 1.17.11 to 1.18.0
• build(deps): bump actions/download-artifact from 4.1.8 to 4.1.9 (#11468)
  • 86734729f build(deps): bump actions/download-artifact from 4.1.8 to 4.1.9
• build(deps): bump docker/setup-buildx-action from 3.9.0 to 3.10.0 (#11469)
  • 9b0b67951 build(deps): bump docker/setup-buildx-action from 3.9.0 to 3.10.0
• build(deps): bump actions/attest-build-provenance from 2.2.0 to 2.2.2 (#11470)
  • 20fa1ca46 build(deps): bump actions/attest-build-provenance from 2.2.0 to 2.2.2
• build(deps): bump golang.org/x/net from 0.23.0 to 0.33.0 in /api (#11472)
  • 37fe1e8b4 build(deps): bump golang.org/x/net from 0.23.0 to 0.33.0 in /api
• build(deps): bump actions/cache from 4.2.1 to 4.2.2 (#11471)
  • 0eea93d68 build(deps): bump actions/cache from 4.2.1 to 4.2.2
• Bump to newer opencontainers/image-spec @ v1.1.1 (#11461)
  • d37ea6977 Bump to newer opencontainers/image-spec @ v1.1.1
• Remove After=local-fs.target from containerd.service (#11116)
  • e0459262b Remove After=local-fs.target from containerd.service
• erofs-snapshotter: protect layer blobs with FS_IMMUTABLE_FL (#11431)
  • b477cf8e9 erofs-snapshotter: protect layer blobs with FS_IMMUTABLE_FL
• Log "container event discarded" as Info (#11115)
  • 6c7b1afe5 Log "container event discarded" as Info
• Fix privileged container sysfs can't be rw because pod is ro by default (#11271)
  • 1fc497218 Fix privileged container sysfs can't be rw because pod is ro by default
• cri,nri: fix initial sync race of registering NRI plugins. (#11384)
  • 6a01ad3e1 cri,nri: block NRI plugin sync. during event processing.
• proxy: break up writes from the remote writer to avoid grpc limits (#11441)
  • f25f36c33 proxy: break up writes from the remote writer to avoid grpc limits
• build(deps): bump github/codeql-action from 3.28.9 to 3.28.10 (#11423)
  • 0500dacf6 build(deps): bump github/codeql-action from 3.28.9 to 3.28.10
• go.{mod,sum}: bump CDI deps to v.0.8.1. (#11449)
  • 22d568fb5 Update CDI dependency to v0.8.1.
• build(deps): bump the k8s group across 1 directory with 6 updates (#11398)
  • d2b5653c1 build(deps): bump the k8s group across 1 directory with 6 updates
• Prefer runtime options for PluginInfo request (#11442)
  • 51f063f07 Prefer runtime options for PluginInfo request
• pkg: prevent oom watcher from depending on shim pkg (#11433)
  • 268880bf5 [improve] prevent oom watcher depend on shim pkg.
• Ignore defunct verifier procs in test (#11435)
  • 76858ac8e Ignore defunct verifier procs in test
• CI: arm64-8core-32gb -> ubuntu-24.04-arm (#11427)
  • 4e7484d3f CI: arm64-8core-32gb -> ubuntu-24.04-arm
• build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1 (#11424)
  • 125525d6c build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1
• build(deps): bump actions/cache from 4.2.0 to 4.2.1 (#11426)
  • 86cde823a build(deps): bump actions/cache from 4.2.0 to 4.2.1
• build(deps): bump actions/upload-artifact from 4.6.0 to 4.6.1 (#11425)
  • 49257264f build(deps): bump actions/upload-artifact from 4.6.0 to 4.6.1
• erofs-snapshotter: add fsverity support (#11352)
  • f3b6078f9 erofs-snapshotter: add fsverity support
• Support for importing layers in the block CIM format. (#11179)
  • a1c540085 Support for importing layers in the block CIM format.
• perf(zstd): deactivate the low mem decoder (#11335)
  • c51f5d26f perf(zstd): deactivate the low mem decoder
• build(deps): bump github/codeql-action from 3.28.8 to 3.28.9 (#11370)
  • 6a08d70e6 build(deps): bump github/codeql-action from 3.28.8 to 3.28.9
• move the device after the options when using mkfs.ext4 (#11362)
  • b98378638 move the device after the options when using mkfs.ext4
• build(deps): bump google.golang.org/grpc from 1.69.4 to 1.70.0 (#11313)
  • f23981281 build(deps): bump google.golang.org/grpc from 1.69.4 to 1.70.0
• build(deps): bump golangci/golangci-lint-action from 6.3.2 to 6.5.0 (#11397)
  • b8a759f1f build(deps): bump golangci/golangci-lint-action from 6.3.2 to 6.5.0
• build(deps): bump google.golang.org/protobuf from 1.36.3 to 1.36.5 (#11373)
  • 326fbf074 build(deps): bump google.golang.org/protobuf from 1.36.3 to 1.36.5
• Clarify port handling in hosts.toml (#11393)
  • a502b7931 Clarify port handling in hosts toml
• Move linters-settings.exclude-dirs to issues.exclude-dirs in golangci-lint config (#11399)
  • 480e1039f move exclude-dirs to issues.exclude-dirs
• Add OCI/Image Volume Source support (#10579)
  • 1ec10d9ae Add OCI/Image Volume Source support
• build(deps): bump github.com/vishvananda/netns from 0.0.4 to 0.0.5 (#11374)
  • 17acb356f build(deps): bump github.com/vishvananda/netns from 0.0.4 to 0.0.5
• Revert "Add timestamp to PodSandboxStatusResponse for kubernetes Evented PLEG" (#11323)
  • 83b65e52f Revert "Add timestamp to PodSandboxStatusResponse for kubernetes Evented PLEG"
• Update runc binary to v1.2.5 (#11388)
  • 938775864 Update runc binary to v1.2.5
• build(deps): bump docker/setup-buildx-action from 3.8.0 to 3.9.0 (#11369)
  • 2f971ee2d build(deps): bump docker/setup-buildx-action from 3.8.0 to 3.9.0
• Remove noinline in seccomp/apparmor SpecOpts (#11264)
  • 222308416 Remove noinline in apparmor SpecOpts
  • 2a4164ac8 Remove noinline in seccomp SpecOpts
• build(deps): bump the golang-x group with 3 updates (#11371)
  • 84e07f6b5 build(deps): bump the golang-x group with 3 updates
• update to go 1.24.0 / go1.23.6 (#11377)
  • df99aa321 update to go 1.24.0 / go1.23.6
  • 41eaa41c4 update golangci-lint to v1.64.2
• build(deps): bump lycheeverse/lychee-action from 2.2.0 to 2.3.0 (#11368)
  • 2b8a7f253 build(deps): bump lycheeverse/lychee-action from 2.2.0 to 2.3.0
• build(deps): bump golangci/golangci-lint-action from 6.2.0 to 6.3.2 (#11367)
  • bdb8cb5a8 build(deps): bump golangci/golangci-lint-action from 6.2.0 to 6.3.2
• Erofs snapshotter and differ (#10705)
  • 2f15d6586 Add tests for EROFS snapshotter
  • fd4caef78 Add EROFS snapshotter documentation
  • 2486d542a Introduce EROFS Snapshotter
  • c73c8e5d5 Introduce EROFS differ
• Update RELEASES.md for new release schedule and LTS policy (#11294)
  • 6d1f6e75d Update upgrade section
  • 5f238fa82 Update to time based releases
  • 886d971f8 Update LTS definition and support horizon
• nri: make OCI spec available on StopPodSandbox (#11331)
  • 2eb0aa6b9 nri: make OCI spec available on StopPodSandbox
• build(deps): bump google-github-actions/auth from 2.1.7 to 2.1.8 (#11332)
  • 565b50dbb build(deps): bump google-github-actions/auth from 2.1.7 to 2.1.8
• build(deps): bump google-github-actions/upload-cloud-storage from 2.2.1 to 2.2.2 (#11334)
  • b65f3875b build(deps): bump google-github-actions/upload-cloud-storage
• build(deps): bump github/codeql-action from 3.28.6 to 3.28.8 (#11333)
  • 841ab361c build(deps): bump github/codeql-action from 3.28.6 to 3.28.8
• Fix state/root bug in shim sandbox controller (#11321)
  • 168c49e4d Fix state/root bug in shim sandbox controller
• build(deps): bump github/codeql-action from 3.28.1 to 3.28.6 (#11315)
  • 48d09104d build(deps): bump github/codeql-action from 3.28.1 to 3.28.6
• build(deps): bump actions/attest-build-provenance from 2.1.0 to 2.2.0 (#11317)
  • 0c986c332 build(deps): bump actions/attest-build-provenance from 2.1.0 to 2.2.0
• build(deps): bump actions/stale from 9.0.0 to 9.1.0 (#11316)
  • 575239789 build(deps): bump actions/stale from 9.0.0 to 9.1.0
• build(deps): bump the otel group across 1 directory with 8 updates (#11286)
  • 69e82f9cd build(deps): bump the otel group across 1 directory with 8 updates
• build(deps): bump github.com/tchap/go-patricia/v2 from 2.3.1 to 2.3.2 (#11283)
  • 19c546c97 build(deps): bump github.com/tchap/go-patricia/v2 from 2.3.1 to 2.3.2
• Update cimfs snapshotter & differ for new hcsshim interface (#10033)
  • b81ace872 Update cimfs snapshotter & differ for new hcsshim interface
• update to go1.23.5 / go1.22.11 (#11277)
  • 157faf65c update to go1.23.5 / go1.22.11
• build(deps): bump lycheeverse/lychee-action from 2.1.0 to 2.2.0 (#11287)
  • f572a6db9 build(deps): bump lycheeverse/lychee-action from 2.1.0 to 2.2.0
• client: add WithExtraDialOpts option (#11276)
  • a6dc9905c client: add WithExtraDialOpts option
• build(deps): bump google.golang.org/protobuf from 1.36.1 to 1.36.3 (#11282)
  • 460e5a2e2 build(deps): bump google.golang.org/protobuf from 1.36.1 to 1.36.3
• build(deps): bump actions/upload-artifact from 4.4.3 to 4.6.0 (#11288)
  • 36d3888cf build(deps): bump actions/upload-artifact from 4.4.3 to 4.6.0
• build(deps): bump softprops/action-gh-release from 2.2.0 to 2.2.1 (#11289)
  • 4b77d4e41 build(deps): bump softprops/action-gh-release from 2.2.0 to 2.2.1
• build(deps): bump github/codeql-action from 3.27.9 to 3.28.1 (#11290)
  • 22e77720b build(deps): bump github/codeql-action from 3.27.9 to 3.28.1
• build(deps): bump golangci/golangci-lint-action from 6.1.1 to 6.2.0 (#11291)
  • 53d6f3482 build(deps): bump golangci/golangci-lint-action from 6.1.1 to 6.2.0
• Support multiple uid/gid mappings (#10722)
  • ff0d99e02 Add multiple uid/gid mapping test cases to integration tests
  • ec231cdcf Update ctr to support remapper labels with multiple uid/gid mapping entries
  • 8bbfb6528 Update snapshotter opts to support multiple uid/gid mapping entries
  • 8a030d653 Update overlay snapshotter to support multiple uid/gid mappings
  • 168ec21db Update idmapped mount to support multiple uid/gid mappings
  • a11405975 Add RootPair() and serialization routines to userns idmap
• log: avoid using unsupported field by logrus (#11148)
  • 04f9e30db log: avoid using unsupported field by logrus
• Move all fuzz tests to go native fuzz [part2] (#11251)
  • b49df6af1 move FuzzCRIServer to go native fuzz
  • 6019bcdfb move FuzzContainerdImport to go native fuzz
• Make ovl idmap mounts read-only (#10955)
  • 1e3d10dc2 Make ovl idmap mounts read-only
• runtime/v2: add note about orphan process for runc-shim (#10002)
  • 58bd48ecf add some doc for shim reap orphan process
• Fix panics in CI fuzz integration tests (#11249)
  • b7a117b46 Fix fuzz integration tests
• Move CDI device spec out of the OCI package (#11262)
  • bdc847f1e Remove deprecated WithCDIDevices in oci spec opts
  • e20f7f4a2 Move CDI device spec out of the OCI package
• docs: fix some function names in comment (#11261)
  • 740c5d428 docs: fix some function names in comment
• Use a order-only-prerequisite for mandir creation (#11132)
  • ffbe1b573 Use a order-only-prerequisite for mandir creation
• Update platforms to latest rc (#11257)
  • 6148dbdd7 Update platforms to latest rc
• Remove confusing warning in cri runtime config migration (#10980)
  • fb44e37ff Remove confusing warning in cri runtime config migration
• Unify default transport in docker resolver (#11167)
  • 47c4dba40 Unify default transport in docker resolver
• Clarify Go client API guidance (#11093)
  • 9fc711a8a Clarify Go client API guidance
• build(deps): bump golang.org/x/sys from 0.28.0 to 0.29.0 in the golang-x group (#11225)
  • ef7fa43c9 build(deps): bump golang.org/x/sys in the golang-x group
• Fix runtime platform loading in cri image plugin init (#11165)
  • ef0e70922 Fix runtime platform loading in cri image plugin init
• ci: fix the issue of config_file unset (#11240)
  • e1aeb37cd ci: fix the issue of config_file unset
• Fix go-cni race condition (#11244)
  • 09bf281ec fix go-cni race condition
• make sure console master tty is closed on task exit (#11161)
  • 652e4d0b1 Add integ test to check tty leak
  • aedb079bf fix master tty leak due to leaking init container object
• Move fuzz tests to go native fuzz [part1] (#11189)
  • e70977180 change metadata fuzz operations as const and slice instead of map
  • a4e3218e8 change tmp dir creation in fuzz to t.TempDir
  • a8c643cc5 change copyright from ADA Logics to containerd
  • a55083007 Remove github.com/AdamKorcz/go-118-fuzz-build in go.mod
  • 2de103029 Move fuzz tests to go native fuzz [part1]
• Bump up otelttrpc to 0.1.0 (#11241)
  • 15d3bf9b2 Bump up otelttrpc to 0.1.0
• Add snapshotter exports to unpack platform (#11227)
  • 63f604728 Add snapshotter exports to unpack platform
• ctr: ctr images import --all-platforms: fix unpack (#11229)
  • 79a42eedc ctr: ctr images import --all-platforms: fix unpack
• Deflake TestFailFastWhenConnectShim by making TestContainerCgroupWritable not parallel (#11235)
  • e65283321 make TestContainerCgroupWritable not parallel
• update runc binary to v1.2.4 (#11230)
  • 54ed595e1 update runc binary to v1.2.4
• Enable Writable cgroups for unprivileged containers (#11131)
  • 1363849b0 Add integration test
  • dda702042 Enable Writable cgroups for unprivileged containers
• Avoid duplicated chain ID calculation in unpack (#11219)
  • d156d3df9 Benchamrk chainID calculation in unpack
  • 95f45541e Avoid duplicated chain ID calculation in unpack
• downgrade go-difflib and go-spew to tagged releases (#11220)
  • 00a11e91d downgrade go-difflib and go-spew to tagged releases
• Bump seccomp version to be the same as one in runc repo (#11200)
  • 4f2f12be6 Bump seccomp version to be the same as one in runc repo
• Remove loop variable copies (#11194)
  • bee64b2b9 Remove loop variable copies
• build(deps): bump google.golang.org/protobuf from 1.36.0 to 1.36.1 (#11192)
  • 4a4a027f7 build(deps): bump google.golang.org/protobuf from 1.36.0 to 1.36.1
• bump up ttrpc to use its MD.Clone (#11204)
  • ee6338188 bump up ttrpc to use its MD.Clone
• build(deps): bump google.golang.org/grpc from 1.69.0 to 1.69.2 (#11193)
  • 9bb31b706 build(deps): bump google.golang.org/grpc from 1.69.0 to 1.69.2
• build(deps): bump golang.org/x/net from 0.30.0 to 0.33.0 (#11181)
  • 7f3599f09 build(deps): bump golang.org/x/net from 0.30.0 to 0.33.0
• build(deps): bump github.com/containerd/cgroups/v3 from 3.0.4 to 3.0.5 (#11191)
  • f98d5fdb6 build(deps): bump github.com/containerd/cgroups/v3 from 3.0.4 to 3.0.5
• Update golangci to 1.60.3 (#11185)
  • 26a156f4f Update golangci to 1.60.3
• build(deps): bump softprops/action-gh-release from 2.1.0 to 2.2.0 (#11170)
  • a172d2c11 build(deps): bump softprops/action-gh-release from 2.1.0 to 2.2.0
• Update golangci-lint version in dev tools script (#11180)
  • fa531f808 Update golangci-lint version in dev tools script
• build(deps): bump google.golang.org/protobuf from 1.35.2 to 1.36.0 (#11177)
  • 2f37b9da3 build(deps): bump google.golang.org/protobuf from 1.35.2 to 1.36.0
• build(deps): bump google.golang.org/grpc from 1.68.1 to 1.69.0 (#11176)
  • 4e4537a87 build(deps): bump google.golang.org/grpc from 1.68.1 to 1.69.0
• build(deps): bump github/codeql-action from 3.27.6 to 3.27.9 (#11171)
  • d29751424 build(deps): bump github/codeql-action from 3.27.6 to 3.27.9
• build(deps): bump docker/setup-buildx-action from 3.7.1 to 3.8.0 (#11172)
  • 31e129856 build(deps): bump docker/setup-buildx-action from 3.7.1 to 3.8.0
• build(deps): bump github.com/containerd/imgcrypt/v2 from 2.0.0-rc.1 to 2.0.0 (#11174)
  • f6e956c22 build(deps): bump github.com/containerd/imgcrypt/v2
• build(deps): bump google.golang.org/grpc from 1.67.1 to 1.68.1 (#11126)
  • aeb414021 build(deps): bump google.golang.org/grpc from 1.67.1 to 1.68.1
• test: prevent segfault in imageverifier test (#10851)
  • 1617fd72e test: prevent segfault in imageverifier test
• Report an error when cni confDir removed (#10646)
  • 0c2805a6e Report an error when cni confDir removed
• build(deps): bump actions/attest-build-provenance from 1.4.4 to 2.1.0 (#11122)
  • afee762fb build(deps): bump actions/attest-build-provenance from 1.4.4 to 2.1.0
• vendor: update golang.org/x/ dependencies (#11145)
  • 23e014140 vendor: golang.org/x/crypto v0.31.0
  • 9b3d999bd vendor: golang.org/x/term v0.27.0
  • 1032fad27 vendor: golang.org/x/text v0.21.0
  • 6764e62cf vendor: golang.org/x/sync v0.10.0
  • 160676647 vendor: golang.org/x/sys v0.28.0
• build(deps): bump actions/cache from 4.1.2 to 4.2.0 (#11124)
  • 927012243 build(deps): bump actions/cache from 4.1.2 to 4.2.0
• internal/cri: should not apply IoOwner options if it's not user namespace (#11104)
  • 2c4c04032 internal/cri: should not apply IoOwner options
• update runc binary to v1.2.3 (#11141)
  • 981414521 update runc binary to v1.2.3
• cmd/ctr: allow user to syncfs during unpacking image locally (#11118)
  • 11b78255d cmd: add syncfs option to ctr command
• Update go-cni for CNI STATUS (#11135)
  • 1f220b23e feat: update go-cni version for CNI STATUS
• Complete cri grpc plugin config migration (#11061)
  • ed39dfa5d Add integration test for custom configuration
  • 8540fed77 complete cri grpc config migration
• ctr pull should unpack for default platform when transfer service is used (#11086)
  • 4c11d753c ctr pull unpack for default platform using transfer service
• update xx to v1.6.1 for compatibility with alpine 3.21 and file 5.46+ (#11130)
  • d76f92f24 update xx to v1.6.1 for compatibility with alpine 3.21 and file 5.46+
• build(deps): bump github/codeql-action from 3.27.5 to 3.27.6 (#11123)
  • 73864c520 build(deps): bump github/codeql-action from 3.27.5 to 3.27.6
• CI: update Fedora to 41 (#10930)
  • 6fdc35243 CI: update Fedora to 41
• Fix loop variable capture issue (#11042)
  • 485020ca8 fix: loop variable capture issue
• Add containerd community call to readme. (#11046)
  • 59a2c3523 Add containerd community call to readme.
• update to go1.23.4 / go1.22.10 (#11102)
  • 81780a5dd update to go1.23.4 / go1.22.10
• Fix panic due to nil dereference cgroups v2 (#11069)
  • 0903f203f fix panic due to nil dereference cgroups v2
• The task_dir successfully cleans when the file is absent. (#11043)
  • 4a664772e The task_dir successfully cleans when the file is absent.
• docs: fix snapshots api import (#11073)
  • b78c5c6ed docs: fix snapshots api import
• build(deps): bump github/codeql-action from 3.27.4 to 3.27.5 (#11060)
  • ea9397793 build(deps): bump github/codeql-action from 3.27.4 to 3.27.5
• build(deps): bump github.com/containerd/cgroups/v3 from 3.0.3 to 3.0.4 (#11059)
  • 6c16f3490 build(deps): bump github.com/containerd/cgroups/v3 from 3.0.3 to 3.0.4
• build(deps): bump the k8s group with 5 updates (#11057)
  • 662d64080 build(deps): bump the k8s group with 5 updates
• Update differ to handle zstd media types (#11062)
  • 17f7858b4 Update differ to handle zstd media types
• build(deps): bump github.com/stretchr/testify from 1.9.0 to 1.10.0 (#11058)
  • 5c905fb6c build(deps): bump github.com/stretchr/testify from 1.9.0 to 1.10.0
• Unsorted platform conditionals cleanup (#11065)
  • e9d560f1e Unsorted platform conditionals cleanup
• Publish attestation as release artifact (#11049)
  • 3961dc9c8 Publish attestation as release artifact
• Move rockylinux 9.4 to almalinux/9 in CI (#11050)
  • 288001f68 move rocky 9.4 to almalinux/9 in CI
• Clarify release for deprecated registry field removals (#11045)
  • e24864e48 Clarify release for deprecated registry field removals
• make ListContainerStats handle container that is removed before its sandbox (#10724)
  • c130d93c1 make ListContainerStats handle container that is removed before its sandbox
• Add tests for CNI v2 loopback options (#10915)
  • 34284c507 Add tests for CNI v2 loopback options
• *: should align pipe's owner with init process (#10906)
  • a21b178f1 *: should align pipe's owner with init process
• fix: set the credentials even if not provided (#10917)
  • 11b1353c1 fix: set the credentials even if not provided
• build(deps): bump google.golang.org/protobuf from 1.35.1 to 1.35.2 (#11024)
  • dd2d89167 build(deps): bump google.golang.org/protobuf from 1.35.1 to 1.35.2
• Reorganize per-platform defaults (#11017)
  • f6e30e962 [defaults] Reorganize per-platform defaults
• build(deps): bump github.com/containerd/continuity from 0.4.4 to 0.4.5 (#11025)
  • be2c4504e build(deps): bump github.com/containerd/continuity from 0.4.4 to 0.4.5
• Move content events to metadata (#11013)
  • 9e3ab2332 Move content events to metadata
• build(deps): bump github/codeql-action from 3.27.1 to 3.27.4 (#11026)
  • f5b2c3a07 build(deps): bump github/codeql-action from 3.27.1 to 3.27.4
• Use platform-specific default address (#11016)
  • 9c7a403a2 [containerd-stress] Use platform-specific default address
• Update install-imgcrypt to allow change install repo (#11019)
  • f8819df7c Update install-imgcrypt to allow change install repo
• update runc binary to 1.2.2 (#11022)
  • 9a7bc5423 update runc binary to 1.2.2
• Fix runtimeoptions location in v2 migration script (#11012)
  • 2447936fc Fix runtimeoptions location in v2 migration
• Revert "Disable vagrant strict dependency checking" (#11004)
  • 1b01f396d Revert "Disable vagrant strict dependency checking"
• docs: update schema 1 deprecation information (#11002)
  • 6c1b699bf docs: update schema 1 deprecation information
• fsverity_linux.go: Fix fsverity.IsEnabled() for big endian systems (#10981)
  • 91e4e0967 fsverity_linux.go: Fix fsverity.IsEnabled() for big endian systems
• build(deps): bump lycheeverse/lychee-action from 2.0.2 to 2.1.0 (#10989)
  • 73ae1c66f build(deps): bump lycheeverse/lychee-action from 2.0.2 to 2.1.0
• build(deps): bump github/codeql-action from 3.27.0 to 3.27.1 (#10988)
  • 4bd33276c build(deps): bump github/codeql-action from 3.27.0 to 3.27.1
• build(deps): bump the golang-x group with 3 updates (#10990)
  • cebca6f87 build(deps): bump the golang-x group with 3 updates
• build(deps): bump github.com/containerd/typeurl/v2 from 2.2.2 to 2.2.3 (#10992)
  • 01c489141 build(deps): bump github.com/containerd/typeurl/v2 from 2.2.2 to 2.2.3
• build(deps): bump actions/attest-build-provenance from 1.4.3 to 1.4.4 (#10987)
  • d32ed4a56 build(deps): bump actions/attest-build-provenance from 1.4.3 to 1.4.4
• build(deps): bump softprops/action-gh-release from 2.0.9 to 2.1.0 (#10986)
  • d810c5759 build(deps): bump softprops/action-gh-release from 2.0.9 to 2.1.0
• fsverity_test.go: fix nil pointer derefence, fix test fail, fix minor/major device numbers resolving (#10972)
  • f9537ae12 fsverity_test.go: fix major/minor device number resolving
  • 8a8e50e6d fsverity_test.go: fix nil pointer dereference, fix test fail
• update to go1.23.3 / go1.22.9 (#10970)
  • bcc3cc968 update to go1.23.3 / go1.22.9
• Avoid arch info in the sed/replace when building cri-cni-containerd.tar.gz (#10964)
  • 784116b7d Avoid arch info in the sed/replace when building cri-cni-containerd.tar.gz
• Expose Pod assigned IPs to NRI plugins (#10921)
  • bc056a5c6 nri: report pod ips to the nri plugins
  • a256f326c bump nri version to get PodIPs
• build(deps): bump github.com/fsnotify/fsnotify from 1.7.0 to 1.8.0 (#10948)
  • a17001b42 build(deps): bump github.com/fsnotify/fsnotify from 1.7.0 to 1.8.0

Changes from containerd/continuity

17 commits

• fs: fix Ctime returning Mtime (containerd/continuity#261)
  • f4f4fb5 fs: fix Ctime returning Mtime
• fs: implement Atime, Ctime, Mtime for bsd and darwin (containerd/continuity#262)
  • dbe44eb fs: implement Atime, Ctime, Mtime for bsd and darwin
• Makefile: make "lint" target also lint cmd/continuity module and fix linting issues (containerd/continuity#255)
  • 4c00ab7 Makefile: make "lint" target also lint cmd/continuity module
  • cadd3a2 cmd/continuity/continuityfs: SA1019: fuse.ENOENT is deprecated
  • 38fcdae cmd/continuity: fix SA1019: entry.User/entry.Group is deprecated
• assorted linting fixes and minor cleanups (containerd/continuity#259)
  • 38f66a6 TestWalkFS: fix unhandled error
  • 94c0490 rename variables that shadowed package-level type
  • 2200bb4 don't use "ctx" for continuity.Context arguments
  • 583d7ed commands/mount_unsupported: drop nil-assignment (revive)
  • 5158c3f golangci-lint: sort linters
  • a8c7143 golangci-lint: don't use deprecated name for "govet" linter
• cmd/continuity: switch to google.golang.org/protobuf/proto (containerd/continuity#260)
  • fd64705 cmd/continuity: switch to google.golang.org/protobuf/proto

Changes from containerd/go-cni

9 commits

• Fix recursive RLock() mutex acquisition (containerd/go-cni#126)
  • 75a2440 fix: recursive RLock() mutex acquision
• Support CNI STATUS Verb (containerd/go-cni#123)
  • 208eca9 support CNI status verb
• Bump github actions dependencies to match containerd CI repo and fix lint (containerd/go-cni#122)
  • 386f475 Fix ci.yml indent
  • a9b0675 Another doc commit to trigger lint?
  • 14af454 Bump github actions dependency versions
  • 9e0d096 Trivial doc commit to trigger lint

Changes from containerd/otelttrpc

6 commits

• Add dependabot and upgrade golang and dependency versions (containerd/otelttrpc#3)
  • 2d46141 upgrade golang, deps, CI versions
  • 64922e7 Add dependabot CI
• Fix concurrent map panic on metadata (containerd/otelttrpc#2)
  • 2ba3be1 Fix concurrent map panic on inject metadata
  • f50a922 UT for concurrent inject/extract metadata

Changes from containerd/platforms

6 commits

• Move windows matcher logic so all platforms can use (containerd/platforms#22)
  • 7c58292 Move windows matcher logic so all platforms can use
• replace testify with stdlib in tests (containerd/platforms#21)
  • 86a86b7 replace testify with stdlib in tests
• Replace arm64 minor variant logic with lookup table (containerd/platforms#18)
  • 364665a Replace arm64 minor variant logic with lookup table

Changes from containerd/ttrpc

5 commits

• Add MD.Clone function (containerd/ttrpc#177)
  • 430f734 Add MD.Clone
• Fix race between serve and immediate shutdown on the server (containerd/ttrpc#175)
  • c4d96d5 server: fix Serve() vs. immediate Shutdown() race.
  • ed6c3ba server_test: add Serve()/Shutdown() race test.

Dependency Changes

• github.com/Microsoft/hcsshim v0.12.9 -> v0.13.0-rc.3
• github.com/cilium/ebpf v0.11.0 -> v0.16.0
• github.com/containerd/cgroups/v3 v3.0.3 -> v3.0.5
• github.com/containerd/continuity v0.4.4 -> v0.4.5
• github.com/containerd/go-cni v1.1.10 -> v1.1.12
• github.com/containerd/imgcrypt/v2 v2.0.0-rc.1 -> v2.0.0
• github.com/containerd/otelttrpc ea5083fda723 -> v0.1.0
• github.com/containerd/platforms v1.0.0-rc.0 -> v1.0.0-rc.1
• github.com/containerd/ttrpc v1.2.6 -> v1.2.7
• github.com/containerd/typeurl/v2 v2.2.2 -> v2.2.3
• github.com/containers/ocicrypt v1.2.0 -> v1.2.1
• github.com/davecgh/go-spew d8f796af33cc -> v1.1.1
• github.com/fsnotify/fsnotify v1.7.0 -> v1.8.0
• github.com/go-jose/go-jose/v4 v4.0.4 -> v4.0.5
• github.com/google/go-cmp v0.6.0 -> v0.7.0
• github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 -> v2.26.1
• github.com/klauspost/compress v1.17.11 -> v1.18.0
• github.com/moby/spdystream v0.4.0 -> v0.5.0
• github.com/opencontainers/image-spec v1.1.0 -> v1.1.1
• github.com/opencontainers/runtime-spec v1.2.0 -> v1.2.1
• github.com/petermattis/goid 4fcff4a6cae7 new
• github.com/pmezard/go-difflib 5d4384ee4fb2 -> v1.0.0
• github.com/prometheus/client_golang v1.20.5 -> v1.21.1
• github.com/prometheus/common v0.55.0 -> v0.62.0
• github.com/sasha-s/go-deadlock v0.3.5 new
• github.com/smallstep/pkcs7 v0.1.1 new
• github.com/stretchr/testify v1.9.0 -> v1.10.0
• github.com/tchap/go-patricia/v2 v2.3.1 -> v2.3.2
• github.com/urfave/cli/v2 v2.27.5 -> v2.27.6
• github.com/vishvananda/netns v0.0.4 -> v0.0.5
• go.etcd.io/bbolt v1.3.11 -> v1.4.0
• go.opentelemetry.io/auto/sdk v1.1.0 new
• go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.56.0 -> v0.60.0
• go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.56.0 -> v0.60.0
• go.opentelemetry.io/otel v1.31.0 -> v1.35.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.31.0 -> v1.35.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.31.0 -> v1.35.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.31.0 -> v1.35.0
• go.opentelemetry.io/otel/metric v1.31.0 -> v1.35.0
• go.opentelemetry.io/otel/sdk v1.31.0 -> v1.35.0
• go.opentelemetry.io/otel/trace v1.31.0 -> v1.35.0
• go.opentelemetry.io/proto/otlp v1.3.1 -> v1.5.0
• golang.org/x/crypto v0.28.0 -> v0.36.0
• golang.org/x/exp aacd6d4b4611 -> 2d47ceb2692f
• golang.org/x/mod v0.21.0 -> v0.24.0
• golang.org/x/net v0.30.0 -> v0.35.0
• golang.org/x/oauth2 v0.22.0 -> v0.27.0
• golang.org/x/sync v0.8.0 -> v0.12.0
• golang.org/x/sys v0.26.0 -> v0.31.0
• golang.org/x/term v0.25.0 -> v0.30.0
• golang.org/x/text v0.19.0 -> v0.23.0
• golang.org/x/time v0.3.0 -> v0.7.0
• google.golang.org/genproto/googleapis/api 5fefd90f89a9 -> 56aae31c358a
• google.golang.org/genproto/googleapis/rpc 324edc3d5d38 -> 56aae31c358a
• google.golang.org/grpc v1.67.1 -> v1.71.0
• google.golang.org/protobuf v1.35.1 -> v1.36.5
• k8s.io/api v0.31.2 -> v0.32.2
• k8s.io/apimachinery v0.31.2 -> v0.32.2
• k8s.io/apiserver v0.31.2 -> v0.32.2
• k8s.io/client-go v0.31.2 -> v0.32.2
• k8s.io/component-base v0.31.2 -> v0.32.2
• k8s.io/cri-api v0.31.2 -> v0.32.2
• k8s.io/kubelet v0.31.2 -> v0.32.2
• k8s.io/utils 18e509b52bc8 -> 3ea5e8cea738
• sigs.k8s.io/json bc3834ca7abd -> 9aa6b5e7a4b3
• sigs.k8s.io/structured-merge-diff/v4 v4.4.1 -> v4.4.2
• tags.cncf.io/container-device-interface v0.8.0 -> v0.8.1

Previous release can be found at v2.0.0

Which file should I download?

• containerd-<VERSION>-<OS>-<ARCH>.tar.gz: ✅Recommended. Dynamically linked with glibc 2.31 (Ubuntu 20.04).
• containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz: Statically linked. Expected to be used on non-glibc Linux distributions. Not position-independent.

In addition to containerd, typically you will have to install runc
and CNI plugins from their official sites too.

See also the Getting Started documentation.