Update module github.com/containerd/containerd to v2

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/containerd/containerd	v1.7.18 -> v2.2.0

---

Release Notes

containerd/containerd (github.com/containerd/containerd)

v2.2.0: containerd 2.2.0

Compare Source

Welcome to the v2.2.0 release of containerd!

The second minor release of containerd 2.x focuses on continued stability alongside
new features and improvements. This is the second time-based released for containerd.

Highlights

• Add mount manager (#​12063)

  The mount manager is a new service that provides lifecycle management for filesystem mounts
  to support more advanced use cases, such as:

  • Device formatting to create formatted filesystems (xfs, ext4) on-demand
  • Mount activation to prepare devices such as loopbacks or network fileystems
  • Mount transformation to allow mount arguments to be filled in dynamically from previous mounts
  • Garbage collection of mounts to ensure temporary mounts are never leaked

• Add conf.d include in the default config (#​12323)

• Add support for back references in the garbage collector (#​12025)

Container Runtime Interface (CRI)

• Pod Sandbox Metrics (#​10691)

  Full implementation of Kubernetes CRI pod-level metrics API

  • ListPodSandboxMetrics: Query metrics for running pods/sandboxes
  • ListMetricsDescriptors: Discover available metrics and their descriptions

• Support image volume mount subpath (#​11578)

Go client

• Update pkg/oci to use fs.FS interface and os.OpenRoot (#​12245)

Image Distribution

• Parallel Unpack (#​12332)

  Adds support for unpacking layers in parallel during pull operations. This feature is supported with overlayfs and EROFS snapshotters.

• OCI Referrers Support (#​12309)

  Adds new referrers fetcher to remote registry interface using the new referrers endpoint added in OCI distribution-spec 1.1

• Tar unpack progress through transfer service (#​11921)

Image Storage

• EROFS enhancements using mount manager (#​12333)

  Improvements to EROFS snapshotter using the new mount manager service

  • Quota Support: Support for sized block devices as the upper layer for overlayfs
  • Mount Lifecycle: Loopback setup, block device creation, and overlayfs argument formatting is moved to the
    mount manager to be performed on-demand or within the runtime.
  • Mount handler: To allow optimization of EROFS mount types based on the current system
  • macOS Support: EROFS snapshotter can now be used on Darwin to natively allow image pulls
  • Tar index mode: Efficiently generate EROFS metadata backed by original tar content (#​11919)

• Add snapshotter and differ for block CIMs (#​12050)

Node Resource Interface (NRI)

• Enable otel traces in NRI (#​12082)
• Add WASM plugin support (containerd/nri#121)

Runtime

• Improve shim load time after restart by loading in parallel (#​12142)
• Fix pidfd leak in UnshareAfterEnterUserns (#​12167)

Deprecations

• Deprecate cgroup v1 (#​12445)
• Postpone v2.2 deprecation items to v2.3 (#​12417)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Phil Estes
• Akihiro Suda
• Maksym Pavlenko
• Wei Fu
• Krisztian Litkey
• Mike Brown
• Akhil Mohan
• Markus Lehtonen
• Samuel Karp
• Sebastiaan van Stijn
• ningmingxiao
• Austin Vazquez
• yashsingh74
• Gao Xiang
• Kirtana Ashok
• Jin Dong
• Chris Henzie
• Aadhar Agarwal
• Etienne Champetier
• Henry Wang
• Rodrigo Campos
• Sascha Grunert
• Aleksa Sarai
• Eric Mountain
• Keith Mattix II
• Paweł Gronowski
• Tõnis Tiigi
• Adrien Delorme
• Apurv Barve
• Enji Cooper
• Kohei Tokunaga
• Max Jonas Werner
• Rehan Khan
• Yang Yang
• jinda.ljd
• jokemanfire
• Amit Barve
• Andrew Halaney
• Antonio Ojea
• Brian Goff
• Carlos Eduardo Arango Gutierrez
• Chenyang Yan
• Dawei Wei
• Divya Rani
• Evan Anderson
• Fabiano Fidêncio
• Iceber Gu
• Jared Ledvina
• Jonathan Perkin
• Jose Fernandez
• Karl Baumgartner
• Michael Weibel
• Osama Abdelkader
• Radostin Stoyanov
• Ruidong Cao
• Sameer
• Sergey Kanzhelev
• Swagat Bora
• Sylvain MOUQUET
• Tom Wieczorek
• Tycho Andersen
• Wuyue (Tony) Sun
• suranmiao
• tanhuaan
• wheat2018
• zounengren

Dependency Changes

• dario.cat/mergo v1.0.1 -> v1.0.2
• github.com/Microsoft/hcsshim v0.13.0-rc.3 -> v0.14.0-rc.1
• github.com/StackExchange/wmi cbe6696 new
• github.com/checkpoint-restore/checkpointctl v1.3.0 -> v1.4.0
• github.com/containerd/cgroups/v3 v3.0.5 -> v3.1.0
• github.com/containerd/console v1.0.4 -> v1.0.5
• github.com/containerd/containerd/api v1.9.0 -> v1.10.0
• github.com/containerd/go-cni v1.1.12 -> v1.1.13
• github.com/containerd/nri v0.8.0 -> v0.10.0
• github.com/containerd/platforms v1.0.0-rc.1 -> v1.0.0-rc.2
• github.com/containernetworking/plugins v1.7.1 -> v1.8.0
• github.com/coreos/go-systemd/v22 v22.5.0 -> v22.6.0
• github.com/cpuguy83/go-md2man/v2 v2.0.5 -> v2.0.7
• github.com/emicklei/go-restful/v3 v3.11.0 -> v3.13.0
• github.com/fxamacker/cbor/v2 v2.7.0 -> v2.9.0
• github.com/go-jose/go-jose/v4 v4.0.5 -> v4.1.2
• github.com/go-logr/logr v1.4.2 -> v1.4.3
• github.com/go-ole/go-ole v1.2.6 new
• github.com/golang/groupcache 41bb18b -> 2c02b82
• github.com/google/certtostore v1.0.6 new
• github.com/google/deck 105ad94 new
• github.com/gorilla/websocket v1.5.0 -> e064f32
• github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus v1.0.1 -> v1.1.0
• github.com/hashicorp/errwrap v1.1.0 new
• github.com/intel/goresctrl v0.8.0 -> v0.10.0
• github.com/klauspost/compress v1.18.0 -> v1.18.1
• github.com/knqyf263/go-plugin v0.9.0 new
• github.com/moby/sys/capability v0.4.0 new
• github.com/modern-go/reflect2 v1.0.2 -> 35a7c28
• github.com/opencontainers/runtime-tools 2e043c6 -> 0ea5ed0
• github.com/prometheus/client_golang v1.22.0 -> v1.23.2
• github.com/prometheus/client_model v0.6.1 -> v0.6.2
• github.com/prometheus/common v0.62.0 -> v0.66.1
• github.com/prometheus/procfs v0.15.1 -> v0.16.1
• github.com/stretchr/testify v1.10.0 -> v1.11.1
• github.com/tchap/go-patricia/v2 v2.3.2 -> v2.3.3
• github.com/tetratelabs/wazero v1.9.0 new
• github.com/urfave/cli/v2 v2.27.6 -> v2.27.7
• github.com/vishvananda/netlink 0e7078e -> v1.3.1
• go.etcd.io/bbolt v1.4.0 -> v1.4.3
• go.opentelemetry.io/otel v1.35.0 -> v1.37.0
• go.opentelemetry.io/otel/metric v1.35.0 -> v1.37.0
• go.opentelemetry.io/otel/sdk v1.35.0 -> v1.37.0
• go.opentelemetry.io/otel/trace v1.35.0 -> v1.37.0
• go.uber.org/goleak v1.3.0 new
• go.yaml.in/yaml/v2 v2.4.2 new
• golang.org/x/crypto v0.36.0 -> v0.41.0
• golang.org/x/mod v0.24.0 -> v0.29.0
• golang.org/x/net v0.38.0 -> v0.43.0
• golang.org/x/oauth2 v0.27.0 -> v0.30.0
• golang.org/x/sync v0.14.0 -> v0.17.0
• golang.org/x/sys v0.33.0 -> v0.37.0
• golang.org/x/term v0.30.0 -> v0.34.0
• golang.org/x/text v0.23.0 -> v0.28.0
• golang.org/x/time v0.7.0 -> v0.14.0
• google.golang.org/genproto/googleapis/api 56aae31 -> a7a43d2
• google.golang.org/genproto/googleapis/rpc 56aae31 -> a7a43d2
• google.golang.org/grpc v1.72.0 -> v1.76.0
• google.golang.org/protobuf v1.36.6 -> v1.36.10
• k8s.io/api v0.32.3 -> v0.34.1
• k8s.io/apimachinery v0.32.3 -> v0.34.1
• k8s.io/client-go v0.32.3 -> v0.34.1
• k8s.io/cri-api v0.32.3 -> v0.34.1
• k8s.io/utils 3ea5e8c -> 4c0f3b2
• sigs.k8s.io/json 9aa6b5e -> cfa47c3
• sigs.k8s.io/randfill v1.0.0 new
• sigs.k8s.io/structured-merge-diff/v6 v6.3.0 new
• sigs.k8s.io/yaml v1.4.0 -> v1.6.0

Previous release can be found at v2.1.0

Which file should I download?

• containerd-<VERSION>-<OS>-<ARCH>.tar.gz: ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
• containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz: Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install runc
and CNI plugins from their official sites too.

See also the Getting Started documentation.

v2.1.5: containerd 2.1.5

Compare Source

Welcome to the v2.1.5 release of containerd!

The fifth patch release for containerd 2.1 contains various fixes and updates.

Security Updates

• containerd

  • GHSA-pwhc-rpq9-4c8w
  • GHSA-m6hq-p25p-ffr2

• runc

  • GHSA-qw9x-cqr3-wc7r
  • GHSA-cgrx-mc8f-2prm
  • GHSA-9493-h29p-rfm2

Highlights

Container Runtime Interface (CRI)

• Disable event subscriber during task cleanup (#​12410)
• Add SystemdCgroup to default runtime options (#​12253)
• Fix userns with container image VOLUME mounts that need copy (#​12242)

Image Distribution

• Ensure errContentRangeIgnored error when range-get request is ignored (#​12312)

Runtime

• Update runc binary to v1.3.3 (#​12478)

Deprecations

• Postpone v2.2 deprecation items to v2.3 (#​12431)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Phil Estes
• Akihiro Suda
• Derek McGowan
• Austin Vazquez
• Rodrigo Campos
• Maksym Pavlenko
• Wei Fu
• ningmingxiao
• Akhil Mohan
• Henry Wang
• Andrew Halaney
• Divya Rani
• Jose Fernandez
• Swagat Bora
• wheat2018

Changes

58 commits

• Prepare release notes for v2.1.5 (#​12483)
  • fc5bdfeac Prepare release notes for v2.1.5
  • c578c26bf Update mailmap
  • 46a4a03fb Merge commit from fork
  • 232786c90 Fix directory permissions
  • 239ab877d Merge commit from fork
  • 0766796e8 fix goroutine leak of container Attach
• Update runc binary to v1.3.3 (#​12478)
  • 3d713d3d0 runc: Update runc binary to v1.3.3
• Update GHA runners to use latest images for basic binaries build (#​12470)
  • de4221cb7 Update GHA runners to use latest images for basic binaries build
• ci: bump Go 1.24.9, 1.25.3 (#​12467)
  • 2045b1920 ci: bump Go 1.24.9, 1.25.3
• Update GHA runners to use latest image for most jobs (#​12468)
  • 21ec7cc7d Update GHA runners to use latest image for most jobs
• CI: update Fedora to 43 (#​12449)
  • 893b5f92e CI: update Fedora to 43
• Postpone v2.2 deprecation items to v2.3 (#​12431)
  • 6374a8f9d Postpone v2.2 deprecation items to v2.3
• CI: skip ubuntu-24.04-arm on private repos (#​12427)
  • 98e0e73de CI: skip ubuntu-24.04-arm on private repos
• Disable event subscriber during task cleanup (#​12410)
  • a3770cf83 cri/server/podsandbox: disable event subscriber
• Fix lost container logs from quickly closing io (#​12377)
  • 7d9f09ba0 bugfix:fix container logs lost because io close too quickly
• ci: bump Go 1.24.8 (#​12360)
  • d1cab3cc5 ci: bump Go 1.24.8
• Prevent goroutine hangs during ProgressTracker shutdown (#​12336)
  • 9b57a4d35 Prevent goroutine hangs during ProgressTracker shutdown
• Ensure errContentRangeIgnored error when range-get request is ignored (#​12312)
  • ca3de4fe7 Ensure errContentRangeIgnored error when range-get request is ignored by registry
• Remove additional fuzzers from instrumentation repo (#​12313)
  • dfffe3d9c Remove additional fuzzers from CI
• update release builds to 1.24.7 and add 1.25.1 to CI (#​12258)
  • c54585ba7 update release builds to 1.24.7 and add 1.25.1 to CI
• runc:Update runc binary to v1.3.1 (#​12277)
  • f0a48ce38 runc:Update runc binary to v1.3.1
• Add SystemdCgroup to default runtime options (#​12253)
  • f13f8c431 add SystemdCgroup to default runtime options
• install-runhcs-shim: fetch target commit instead of tags (#​12256)
  • 42bb71e1e install-runhcs-shim: fetch target commit instead of tags
• Fix userns with container image VOLUME mounts that need copy (#​12242)
  • 10944e19f integration: Add test for directives with userns
  • 41d74aee2 cri: Fix userns with Dockerfile VOLUME mounts that need copy
• Fix overlayfs issues related to user namespace (#​12222)
  • f40bfc46b core/mount: Retry unmounting idmapped directories
  • 1f51d2dea core/mount: Test cleanup of DoPrepareIDMappedOverlay()
  • 8fbf8c503 core/mount: Properly cleanup on doPrepareIDMappedOverlay errors
  • b9d678e15 core/mount: Don't call nil function on errors
  • 583fe2d24 core/mount: Only idmap once per overlayfs, not per layer
• Add documentation for cgroup_writable field (#​12229)
  • 4832b4d15 Add documentation for cgroup_writable field
• fix: create bootstrap.json with 0644 permission (#​12183)
  • 3c174cf64 fix: create bootstrap.json with 0644 permission
• ci: bump Go 1.23.12, 1.24.6 (#​12186)
  • 74b0505eb ci: bump Go 1.23.12, 1.24.6
• sys: fix pidfd leak in UnshareAfterEnterUserns (#​12179)
  • 5ef6ea747 sys: fix pidfd leak in UnshareAfterEnterUserns

Dependency Changes

This release has no dependency changes

Previous release can be found at v2.1.4

Which file should I download?

• containerd-<VERSION>-<OS>-<ARCH>.tar.gz: ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
• containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz: Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install runc
and CNI plugins from their official sites too.

See also the Getting Started documentation.

v2.1.4: containerd 2.1.4

Compare Source

Welcome to the v2.1.4 release of containerd!

The fourth patch release for containerd 2.1 contains various fixes and updates.

Highlights

Container Runtime Interface (CRI)

• Fix containerd panic when sandbox extension is missing (#​12076)
• Update status response to return stable order for runtime handlers (#​12054)

Go client

• Fix lazy gRPC connection mode waiting for connect on client creation (#​12079)

Image Distribution

• Fix resolve deadlock issue in docker fetcher open (#​12127)

Image Storage

• Update erofs snapshotter to make immutable optional (#​12091)
• Fix erofs filesystem UUID for tar-converted layers (#​12058)

Runtime

• Fix close container io not closed when runtime create failed (#​12009)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Phil Estes
• Eric Mountain
• Maksym Pavlenko
• Gao Xiang
• Kirtana Ashok
• ningmingxiao
• Akihiro Suda
• Austin Vazquez
• Paweł Gronowski
• Sebastiaan van Stijn
• Wei Fu
• jinda.ljd

Changes

26 commits

• Prepare release notes for v2.1.4 (#​12159)
  • 112e41363 Add release notes for v2.1.4
• Fix resolve deadlock issue in docker fetcher open (#​12127)
  • add2dcf86 Ensure fetcher always closes body and properly calls release
  • 34a1cb1dd fix(dockerFetcher): resolve deadlock issue in dockerFetcher open
• ci: bump Go 1.23.11, 1.24.5 (#​12115)
  • 82c4d6875 ci: bump Go 1.23.11, 1.24.5
• Backport windows test fixes (#​12119)
  • 6cc2a8d77 Fix intermittent test failures on Windows CIs
  • 6adc69312 Remove WS2025 from CIs due to regression
• Update erofs snapshotter to make immutable optional (#​12091)
  • 8d194c19f erofs-snapshotter: make IMMUTABLE_FL optional
• Fix lazy gRPC connection mode waiting for connect on client creation (#​12079)
  • 2df7175d7 client/New: Don't unlazy the gRPC connection implicitly
• backport: update go-md2man binary to v2.0.7 (#​12074)
  • 4902adb92 update go-md2man binary to v2.0.7
• Fix containerd panic when sandbox extension is missing (#​12076)
  • 02298e1a0 cri:fix containerd panic when can't find sandbox extension
• Fix erofs filesystem UUID for tar-converted layers (#​12058)
  • 583133e71 erofs-differ: fix filesystem UUID for tar-converted layers
• Update status response to return stable order for runtime handlers (#​12054)
  • 57db13d50 Amend runtime handler test for stable order
  • d822c9048 CRI: Stable sort for RuntimeHandlers
  • a2fd70639 Test showing RuntimeHandlers in Status() are unordered
• Fix close container io not closed when runtime create failed (#​12009)
  • b74268f86 bugfix:close container io when runtime create failed

Dependency Changes

This release has no dependency changes

Previous release can be found at v2.1.3

Which file should I download?

• containerd-<VERSION>-<OS>-<ARCH>.tar.gz: ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
• containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz: Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install runc
and CNI plugins from their official sites too.

See also the Getting Started documentation.

v2.1.3: containerd 2.1.3

Compare Source

Welcome to the v2.1.3 release of containerd!

The third patch release for containerd 2.1 contains various fixes and updates
to address pull issues with some registries.

Highlights

Image Distribution

• Fix multipart fetch issue when the server does not return content length (#​12003)
• Update transfer service supported platforms logic (#​11999)
• Fix import for local transfer service (#​12000)
• Fix registry errors with transfer service (#​11979)
• Fix fetch always adding range to requests (#​12001)
• Update fetcher errors to include full registry error (#​11997)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Phil Estes
• Adrien Delorme

Changes

15 commits

• Prepare release notes for v2.1.3 (#​12002)
  • 627729341 Prepare release notes for v2.1.3
• Fix multipart fetch issue when the server does not return content length (#​12003)
  • 7636bd5eb fix when multipart fetching and the server does not return content length
• Update transfer service supported platforms logic (#​11999)
  • 3c5ede878 Update transfer supported platforms logic
• Fix import for local transfer service (#​12000)
  • fb752bc8e fix import for local transfer service
• Fix registry errors with transfer service (#​11979)
  • f6d926314 Register remote errors for clients to access registry errors
  • 7c1813345 Decode grpc errors in the transfer client proxy
• Fix fetch always adding range to requests (#​12001)
  • babacebad Fix fetch always adding range to requests
• Update fetcher errors to include full registry error (#​11997)
  • f30be44ad Update fetcher errors to include full registry error

Dependency Changes

This release has no dependency changes

Previous release can be found at v2.1.2

Which file should I download?

• containerd-<VERSION>-<OS>-<ARCH>.tar.gz: ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
• containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz: Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install runc
and CNI plugins from their official sites too.

See also the Getting Started documentation.

v2.1.2: containerd 2.1.2

Compare Source

Welcome to the v2.1.2 release of containerd!

The second patch release for containerd 2.1 contains various fixes and updates.

Highlights

• Fix check of wrapped errors in erofs snapshotter (#​11935)

Go client

• Improve mount error message (#​11884)

Image Distribution

• Fix transfer differ selection (#​11936)
• Enable DuplicationSuppressor in transfer service (#​11932)

Runtime

• Properly shutdown non-groupable shims to prevent resource leaks (#​11971)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Akihiro Suda
• Kirtana Ashok
• Austin Vazquez
• Maksym Pavlenko
• ningmingxiao
• Gao Xiang
• Henry Wang
• Jin Dong
• Phil Estes
• Wei Fu

Changes

28 commits

• Prepare release notes for v2.1.2 (#​11962)
  • 63b9eae62 Prepare release notes for v2.1.2
• Properly shutdown non-groupable shims to prevent resource leaks (#​11971)
  • cff1feb28 *: properly shutdown non-groupable shims to prevent resource leaks
• ci: bump golang [1.23.10,1.24.4] in build and release (#​11968)
  • 2ce169aae ci: bump golang [1.23.10,1.24.4] in build and release
• Backport Enable CIs to run on WS2022 and WS2025 (#​11955)
  • 70bcb9b55 Enable CIs to run on WS2022 and WS2025
• cri:use debug level when receive exec process exited events (#​11848)
  • 40575a15f cri:use debug level when receive exec process exited events
• build(deps): bump google.golang.org/grpc from 1.72.0 to 1.72.2 (#​11952)
  • c71f77170 build(deps): bump google.golang.org/grpc from 1.72.0 to 1.72.2
• Fix transfer differ selection (#​11936)
  • 4bcea74de Update differ selection in transfer service to prefer default
  • 0c3cd8a99 Add debug log when transfer returns not implemented
  • 820e56765 Add more error details when unpack fails to extract
• Fetch image with default platform only in TestExportAndImportMultiLayer (#​11943)
  • 9b6c1949a Fetch image with default platform only in TestExportAndImportMultiLayer
• Fix check of wrapped errors in erofs snapshotter (#​11935)
  • 480126f50 erofs-snapshotter: fix to work with wrapped errors
• Enable DuplicationSuppressor in transfer service (#​11932)
  • d82921ff5 Enable DuplicationSuppressor in transfer service
• ci: bump golang [1.23.9, 1.24.3] in build and release (#​11889)
  • 0bb25c3d6 ci: bump golang [1.23.9, 1.24.3] in build and release
• Improve mount error message (#​11884)
  • ac8e84efc client:improve mount error message
• Add symlink breakout test for overriden path (#​11887)
  • dd2ce49d0 Add symlink breakout test for overriden path

Dependency Changes

• google.golang.org/grpc v1.72.0 -> v1.72.2

Previous release can be found at v2.1.1

Which file should I download?

• containerd-<VERSION>-<OS>-<ARCH>.tar.gz: ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
• containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz: Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install runc
and CNI plugins from their official sites too.

See also the Getting Started documentation.

v2.1.1: containerd 2.1.1

Compare Source

Welcome to the v2.1.1 release of containerd!

The first patch release for containerd 2.1 fixes a critical vulnernability (CVE-2025-47290)
which was first introduced in 2.1.0. See the Github Advisory
for more details. This release also contains a few smaller updates and bux fixes.

Highlights

Image Storage

• Fix erofs media type handling (#​11855)

Runtime

• Reduce shim cleanup log level and add more context (#​11831)

Deprecations

• Update removal version for deprecated registry config fields (#​11835)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Akihiro Suda
• Samuel Karp
• Derek McGowan
• Gao Xiang
• Akhil Mohan
• Chris Henzie
• Phil Estes
• Sebastiaan van Stijn
• ningmingxiao

Changes

17 commits

• cb1076646 Merge commit from fork
• 216667ba0 Prepare release notes for 2.1.1
• ac00b8e61 Revert "perf(applyNaive): avoid walking the tree for each file in the same directory"
• build(deps): bump github.com/Microsoft/hcsshim (#​11847)
  • 444ca17cd update runhcs version to v0.13.0
  • 0684f1c44 build(deps): bump github.com/Microsoft/hcsshim
• Fix erofs media type handling (#​11855)
  • e1817a401 docs/snapshotters/erofs.md: a tip for improved performance
  • 2168cb92c erofs-differ: fix EROFS native image support
• Reduce shim cleanup log level and add more context (#​11831)
  • 7fcbc3c46 core/runtime/v2: cleanup shim-cleanup logs
• Update removal version for deprecated registry config fields (#​11835)
  • 37d6c4236 Update removal version for deprecated registry config fields
• ctr:make sure containerd socket exist before create client (#​11827)
  • e7be076d4 ctr:make sure containerd socket exist before create client
• .github: mark 2.1 releases as latest (#​11821)
  • c90524d5f .github: mark 2.1 releases as latest

Dependency Changes

• github.com/Microsoft/hcsshim v0.13.0-rc.3 -> v0.13.0

Previous release can be found at v2.1.0

Which file should I download?

• containerd-<VERSION>-<OS>-<ARCH>.tar.gz: ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
• containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz: Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install runc
and CNI plugins from their official sites too.

See also the Getting Started documentation.

v2.1.0: containerd 2.1.0

Compare Source

Welcome to the v2.1.0 release of containerd!

The first minor release of containerd 2.x focuses on continued stability alongside
new features and improvements. This is the first time-based released for containerd.
Most the feature set and core functionality has long been stable and harderened in production
environments, so now we transition to a balance of timely delivery of new functionality
with the same high confidence in stability and performance.

Highlights

• Add no_sync option to boost boltDB performance on ephemeral environments (#​10745)
• Add content create event (#​11006)
• Erofs snapshotter and differ (#​10705)

Container Runtime Interface (CRI)

• Update CRI to use transfer service for image pull by default (#​8515)
• Support multiple cni plugin bin dirs (#​11311)
• Support container restore through CRI/Kubernetes (#​10365)
• Add OCI/Image Volume Source support (#​10579)
• Enable Writable cgroups for unprivileged containers (#​11131)
• Fix recursive RLock() mutex acquisition (containerd/go-cni#126)
• Support CNI STATUS Verb (containerd/go-cni#123)

Image Distribution

• Retry last registry host on 50x responses (#​11484)
• Multipart layer fetch (#​10177)
• Enable HTTP debug and trace for transfer based puller (#​10762)
• Add support for unpacking custom media types (#​11744)
• Add dial timeout field to hosts toml configuration (#​11106)

Node Resource Interface (NRI)

• Expose Pod assigned IPs to NRI plugins (#​10921)

Runtime

• Support multiple uid/gid mappings (#​10722)
• Fix race between serve and immediate shutdown on the server (containerd/ttrpc#175)

Breaking

• Update FreeBSD defaults and re-organize platform defaults (#​11017)

Deprecations

• Postpone cri config deprecations to v2.2 (#​11684)
• Remove deprecated dynamic library plugins (#​11683)
• Remove the support for Schema 1 images (#​11681)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Phil Estes
• Akihiro Suda
• Maksym Pavlenko
• Jin Dong
• Wei Fu
• Sebastiaan van Stijn
• Samuel Karp
• Mike Brown
• Adrien Delorme
• Austin Vazquez
• Akhil Mohan
• Kazuyoshi Kato
• Henry Wang
• Gao Xiang
• ningmingxiao
• Krisztian Litkey
• Yang Yang
• Archit Kulkarni
• Chris Henzie
• Iceber Gu
• Alexey Lunev
• Antonio Ojea
• Davanum Srinivas
• Marat Radchenko
• Michael Zappa
• Paweł Gronowski
• Rodrigo Campos
• Alberto Garcia Hierro
• Amit Barve
• Andrey Smirnov
• Divya
• Etienne Champetier
• Kirtana Ashok
• Philip Laine
• QiPing Wan
• fengwei0328
• zounengren
• Adrian Reber
• Alfred Wingate
• Amal Thundiyil
• Athos Ribeiro
• Brian Goff
• Cesar Talledo
• ChengyuZhu6
• Chongyi Zheng
• Craig Ingram
• Danny Canter
• David Son
• Fupan Li
• HirazawaUi
• Jing Xu
• Jonathan A. Sternberg
• Jose Fernandez
• Kaita Nakamura
• Kohei Tokunaga
• Lei Liu
• Marco Visin
• Mike Baynton
• Qiyuan Liang
• Sameer
• Shiming Zhang
• Swagat Bora
• Teresaliu
• Tony Fang
• Tõnis Tiigi
• Vered Rosen
• Vinayak Goyal
• bo.jiang
• chriskery
• luchenhan
• mahmut
• zhaixiaojuan

Dependency Changes

• github.com/Microsoft/hcsshim v0.12.9 -> v0.13.0-rc.3
• github.com/cilium/ebpf v0.11.0 -> v0.16.0
• github.com/containerd/cgroups/v3 v3.0.3 -> v3.0.5
• github.com/containerd/containerd/api v1.8.0 -> v1.9.0
• github.com/containerd/continuity v0.4.4 -> v0.4.5
• github.com/containerd/go-cni v1.1.10 -> v1.1.12
• github.com/containerd/imgcrypt/v2 v2.0.0-rc.1 -> v2.0.1
• github.com/containerd/otelttrpc ea5083f -> v0.1.0
• github.com/containerd/platforms v1.0.0-rc.0 -> v1.0.0-rc.1
• github.com/containerd/ttrpc v1.2.6 -> v1.2.7
• github.com/containerd/typeurl/v2 v2.2.2 -> v2.2.3
• github.com/containernetworking/cni v1.2.3 -> v1.3.0
• github.com/containernetworking/plugins v1.5.1 -> v1.7.1
• github.com/containers/ocicrypt v1.2.0 -> v1.2.1
• github.com/davecgh/go-spew d8f796a -> v1.1.1
• github.com/fsnotify/fsnotify v1.7.0 -> v1.9.0
• github.com/go-jose/go-jose/v4 v4.0.4 -> v4.0.5
• github.com/google/go-cmp v0.6.0 -> v0.7.0
• github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 -> v2.26.1
• github.com/klauspost/compress v1.17.11 -> v1.18.0
• github.com/mdlayher/socket v0.4.1 -> v0.5.1
• github.com/moby/spdystream v0.4.0 -> v0.5.0
• github.com/moby/sys/user v0.3.0 -> v0.4.0
• github.com/opencontainers/image-spec v1.1.0 -> v1.1.1
• github.com/opencontainers/runtime-spec v1.2.0 -> v1.2.1
• github.com/opencontainers/selinux v1.11.1 -> v1.12.0
• github.com/pelletier/go-toml/v2 v2.2.3 -> v2.2.4
• github.com/petermattis/goid 4fcff4a new
• github.com/pmezard/go-difflib 5d4384e -> v1.0.0
• github.com/prometheus/client_golang v1.20.5 -> v1.22.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 28 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.21 -> 1.24.3
github.com/opencontainers/image-spec	v1.1.0 -> v1.1.1
golang.org/x/exp	v0.0.0-20240613232115-7f521ea00fb8 -> v0.0.0-20241108190413-2d47ceb2692f
golang.org/x/sync	v0.7.0 -> v0.17.0
github.com/AdaLogics/go-fuzz-headers	v0.0.0-20230811130428-ced1acdcaa24 -> v0.0.0-20240806141605-e8a1dd7889d6
github.com/Microsoft/hcsshim	v0.11.5 -> v0.14.0-rc.1
github.com/containerd/continuity	v0.4.3 -> v0.4.5
github.com/containerd/errdefs	v0.1.0 -> v1.0.0
github.com/containerd/ttrpc	v1.2.4 -> v1.2.7
github.com/containerd/typeurl/v2	v2.1.1 -> v2.2.3
github.com/docker/distribution	v2.8.1+incompatible -> v2.8.2+incompatible
github.com/go-logr/logr	v1.3.0 -> v1.4.3
github.com/klauspost/compress	v1.17.4 -> v1.18.1
github.com/moby/sys/signal	v0.7.0 -> v0.7.1
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc	v0.46.1 -> v0.60.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp	v0.46.1 -> v0.60.0
go.opentelemetry.io/otel	v1.21.0 -> v1.37.0
go.opentelemetry.io/otel/metric	v1.21.0 -> v1.37.0
go.opentelemetry.io/otel/sdk	v1.21.0 -> v1.37.0
go.opentelemetry.io/otel/trace	v1.21.0 -> v1.37.0
golang.org/x/crypto	v0.24.0 -> v0.42.0
golang.org/x/mod	v0.18.0 -> v0.29.0
golang.org/x/net	v0.26.0 -> v0.44.0
golang.org/x/sys	v0.21.0 -> v0.37.0
golang.org/x/text	v0.16.0 -> v0.29.0
golang.org/x/tools	v0.22.0 -> v0.37.0
google.golang.org/genproto/googleapis/rpc	v0.0.0-20231016165738-49dd2c1f3d0b -> v0.0.0-20250804133106-a7a43d27e69b
google.golang.org/grpc	v1.59.0 -> v1.76.0
google.golang.org/protobuf	v1.33.0 -> v1.36.10