Update module github.com/containerd/containerd to v2

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/containerd/containerd	v1.7.32 → v2.3.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

containerd/containerd (github.com/containerd/containerd)

v2.3.1: containerd 2.3.1

Compare Source

Welcome to the v2.3.1 release of containerd!

The first patch release for containerd 2.3 contains various fixes and improvements.

Security Updates

• CVE-2026-46680

Highlights

• Fix bug where failed gRPC plugins were not tolerated when starting listeners (#​13390)

Image Storage

• Ensure metadata and mount plugin boltdb files are closed on server shutdown (#​13379)

Runtime

• Fix handling of out-of-range USER values in OCI spec to avoid unexpected username/group lookups (#​13447)
• Fix sandbox task API endpoints for non-runc runtimes and deprecate task fields in Runc options (#​13422)
• Apply hardening to default seccomp socket policy by blocking AF_ALG (#​13409)

Snapshotters

• Disable overlayfs "rebase" capability when running in user namespace (#​13394)
• Fix transfer plugin error when EROFS differ is configured but mkfs.erofs is unavailable (#​13364)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Maksym Pavlenko
• Akihiro Suda
• Derek McGowan
• Paweł Gronowski
• Brian Goff
• Austin Vazquez
• LEI WANG
• Samuel Karp

Changes

24 commits

• Prepare release notes for v2.3.1 (#​13405)
  • 58af96519 Prepare release notes for v2.3.1
  • 8f0b3ca83 Update api to v1.11.1
• oci: return explicit error for out-of-range USER values (#​13447)
  • a05ae7885 oci: return explicit error for out-of-range USER values
• Prepare release notes for api/v1.11.1 (#​13444)
  • da7aef299 Prepare release notes for api/v1.11.1
• Fix sandbox task API endpoints for non-runc runtimes (#​13422)
  • 5282d4e09 Wire task address and version fields
  • e44f5f9ec protos: include task API address to CreateTaskRequest
• seccomp: Block AF_ALG in default socket policy (#​13409)
  • 4d80a31bf seccomp: Block AF_ALG in default socket policy
  • 2ed0d97b6 seccomp: Document socket rule scope and socketcall limitation
• server: tolerate failed gRPC plugins when starting listeners (#​13390)
  • 3a88fdde0 server: tolerate failed gRPC plugins when starting listeners
• overlay: disable "rebase" capability when running in UserNS (#​13394)
  • 2be0710b8 overlay: disable "rebase" capability when running in UserNS
• Update Go to 1.26.3 (#​13374)
  • 3b199c22b Update Go to 1.26.3
• fix: close boltdb on metadata and mount plugin close (#​13379)
  • 1d601271a fix: close boltdb on metadata and mount plugin close
• Fix optional EROFS differ setup in transfer plugin (#​13364)
  • d666d2e42 Refactor transfer unpack configuration setup
  • ccc3bd7b9 Fix optional transfer differ setup

Dependency Changes

• github.com/containerd/containerd/api v1.11.0 -> v1.11.1

Previous release can be found at v2.3.0

Which file should I download?

• containerd-<VERSION>-<OS>-<ARCH>.tar.gz: ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
• containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz: Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install runc
and CNI plugins from their official sites too.

See also the Getting Started documentation.

v2.3.0: containerd 2.3.0

Compare Source

Welcome to the v2.3.0 release of containerd!

The third minor release of containerd 2.x focuses on continued stability alongside
new features and improvements. This is the third time-based release for containerd.

Starting with containerd 2.3, the project has moved to release cadence aligned with
the Kubernetes release schedule, with new minor releases about every 4 months. The
containerd 2.3 release is also the first annual LTS (Long Term Stable) release under
this new schedule, with support planned for at least two years. Direct upgrades
between sequential LTS releases (e.g., 1.7 to 2.3) will be tested and supported.

Highlights

• Add transfer types for container filesystem copy (#​13165)
• Add option to inject trace ID to logs (#​13117)
• Propagate OpenTelemetry traces in outgoing RPCs from plugin clients (#​13113)
• Update plugin config migration to run on load (#​12608)
• Update sandbox API to include spec field (#​12840)

Container Runtime Interface (CRI)

• Allow containers to use user namespaces with host networking (#​12518)
• Wire UpdatePodSandboxResources to Sandbox API (#​13118)
• Unpack images with per-layer labels for specific runtime (#​12835)
• Populate ImageId field in container status (#​12787)
• Set annotations parameter in CreateSandbox request (#​12566)
• Add background stats collector to calculate UsageNanoCores for containers and pod sandboxes (#​12629)

Image Distribution

• Support zstd-wrapped EROFS layers (#​13185)
• Add os.features support for EROFS native container images (#​13091)
• Add EROFS layer media type (#​12567)

Image Storage

• Add dmverity support to the erofs snapshotter (#​12502)
• Use fsmount API to avoid PAGE_SIZE limit for erofs (#​12783)

Node Resource Interface (NRI)

• Pass container user (uid, gids) to plugins (#​12769)
• Pass seccomp policy to plugins (#​12768)
• Pass any POSIX rlimits to plugins (#​12765)
• Pass extended container status to NRI. (#​12770)
• Pass injected CDI devices to plugins (#​12767)
• Pass linux sysctl to plugins (#​12766)
• Use dedicated RPC calls for all pod and container life-cycle events via the NRI wire protocol (containerd/nri#274)
• Add basic metrics collection for the NRI framework (containerd/nri#277)
• Exchange NRI versions between plugins and the runtime during registration (containerd/nri#271)
• Enable adjusting Linux memory policy from NRI plugins (containerd/nri#166)
• Close plugins if initial synchronization fails to prevent unregistered connections (containerd/nri#279)
• Accumulate owners for OCI hook adjustments, disallowing commas in plugin names (containerd/nri#264)
• Add nri_no_wasm build tag to allow disabling WASM support at compile time (containerd/nri#253)
• Support direct adjustment of the intelRdt container configuration (containerd/nri#215)
• Allow setting kernel scheduling policy attributes via NRI (containerd/nri#160)
• Allow adjusting Linux network devices via NRI (containerd/nri#157)
• Add support for sysctl adjustment via NRI (containerd/nri#248)
• Expose container user, group, and supplemental group IDs to plugins (containerd/nri#230)

Runtime

• Add configured socket directory to shim bootstrap protocol (#​12785)
• Introduce shim bootstrap protocol (#​12786)
• Fix binary logging driver not blocking container start on failure (#​12595)
• Use new filtered cgroups stats API (#​12901)
• Update OOMKilled event handling (#​12714)

Snapshotters

• Propagate parent chain ID and diff ID via labels during snapshot preparation (#​13071)

ctr development tool

• Detect vendor in CDI specs to generate device IDs for --gpus in ctr (#​12839)

Breaking

• Accumulate owners for OCI hook adjustments, disallowing commas in plugin names (containerd/nri#264)

Deprecations

• Deprecate shim.Command (#​13319)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Maksym Pavlenko
• Derek McGowan
• Sebastiaan van Stijn
• Krisztian Litkey
• Samuel Karp
• Wei Fu
• Akihiro Suda
• Phil Estes
• Mike Brown
• Markus Lehtonen
• Hudson Zhu
• Davanum Srinivas
• Chris Henzie
• Gao Xiang
• Chengyu Zhu
• Akhil Mohan
• Kazuyoshi Kato
• Sergey Kanzhelev
• Austin Vazquez
• ningmingxiao
• Aadhar Agarwal
• Andrew Halaney
• Apurv Barve
• Bing Hongtao
• Brian Goff
• Michael Zappa
• Paweł Gronowski
• Fabiano Fidêncio
• Hasan Siddiqui
• Jintao Zhang
• Paulo Oliveira
• Shiv Tyagi
• Albin Kerouanton
• Alex Lyn
• Avinesh Singh
• Danny Canter
• Esteban Ginez
• Henry Wang
• Jin Dong
• Jérôme Poulin
• Laura Lorenz
• Luke Hinds
• Mark Dodgson
• Sascha Grunert
• Tianon Gravi
• majianhan
• qiuxue
• Adrien Delorme
• Alessio Biancalana
• Alex Chernyakhovsky
• Andrey Noskov
• Andrey Smirnov
• Annie Cherkaev
• Antti Kervinen
• Anuj Singh
• Benjamin Elder
• Bo Jiang
• Cameron McDermott
• Chris Adeniyi-Jones
• Chris Chang
• Chris Henderson
• Cindy Li
• CrazyMax
• Eldon Stegall
• Evan Lezar
• Fletcher Woodruff
• Gaurav Ghildiyal
• Harsh Rawat
• Hayato Kiwata
• Joseph Zhang
• Justin Chadwell
• Kaleab Ayenew
• Manuel de Brito Fontes
• Mikhail Dmitrichenko
• Mujib Ahasan
• Neeraj Krishna Gopalakrishna
• Pierluigi Lenoci
• Ricardo Branco
• Rob Murray
• Rodrigo Campos
• Sameer
• Sameer Saeed
• Sanil Khurana
• Shachar Tal
• Shaobao Feng
• Shiming Zhang
• Sreeram Venkitesh
• Tariq Ibrahim
• Tim Windelschmidt
• Tõnis Tiigi
• Wade Simmons
• Weixie Cui
• Will Jordan
• William Myers
• Yohei Yamamoto
• You Binhao
• Youfu Zhang
• Yuanliang Zhang
• delthas
• guodong
• jinda.ljd
• jokemanfire
• pandaWall

Dependency Changes

• cyphar.com/go-pathrs v0.2.1 new
• github.com/Microsoft/go-winio v0.6.2 -> ad3df93
• github.com/Microsoft/hcsshim v0.14.0-rc.1 -> v0.15.0-rc.1
• github.com/cenkalti/backoff/v5 v5.0.3 new
• github.com/checkpoint-restore/checkpointctl v1.4.0 -> v1.5.0
• github.com/containerd/cgroups/v3 v3.1.0 -> v3.1.3
• github.com/containerd/containerd/api v1.10.0 -> v1.11.0
• github.com/containerd/continuity v0.4.5 -> v0.5.0
• github.com/containerd/go-dmverity v0.1.0 new
• github.com/containerd/imgcrypt/v2 v2.0.1 -> v2.0.2
• github.com/containerd/nri v0.10.0 -> v0.12.0
• github.com/containerd/platforms v1.0.0-rc.2 -> v1.0.0-rc.4
• github.com/containerd/plugin v1.0.0 -> v1.1.0
• github.com/containerd/ttrpc v1.2.7 -> v1.2.8
• github.com/containerd/zfs/v2 v2.0.0-rc.0 -> v2.0.0
• github.com/containernetworking/plugins v1.8.0 -> v1.9.1
• github.com/coreos/go-systemd/v22 v22.6.0 -> v22.7.0
• github.com/cyphar/filepath-securejoin v0.6.0 new
• github.com/davecgh/go-spew v1.1.1 -> d8f796a
• github.com/erofs/go-erofs v0.3.0 new
• github.com/go-jose/go-jose/v4 v4.1.2 -> v4.1.4
• github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1 -> v2.28.0
• github.com/intel/goresctrl v0.10.0 -> v0.12.0
• github.com/klauspost/compress v1.18.1 -> v1.18.5
• github.com/moby/spdystream v0.5.0 -> v0.5.1
• github.com/opencontainers/runtime-spec v1.2.1 -> v1.3.0
• github.com/opencontainers/runtime-tools 0ea5ed0 -> edf4cb3
• github.com/opencontainers/selinux v1.12.0 -> v1.13.1
• github.com/pelletier/go-toml/v2 v2.2.4 -> v2.3.0
• github.com/pmezard/go-difflib v1.0.0 -> 5d4384e
• github.com/prometheus/common v0.66.1 -> v0.67.5
• github.com/prometheus/procfs v0.16.1 -> v0.19.2
• github.com/sirupsen/logrus v1.9.3 -> v1.9.4
• github.com/tetratelabs/wazero v1.9.0 -> v1.11.0
• go.opentelemetry.io/auto/sdk v1.1.0 -> v1.2.1
• go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 -> v0.68.0
• go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 -> v0.68.0
• go.opentelemetry.io/otel v1.37.0 -> v1.43.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 -> v1.43.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.35.0 -> v1.43.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0 -> v1.43.0
• go.opentelemetry.io/otel/metric v1.37.0 -> v1.43.0
• go.opentelemetry.io/otel/sdk v1.37.0 -> v1.43.0
• go.opentelemetry.io/otel/trace v1.37.0 -> v1.43.0
• go.opentelemetry.io/proto/otlp v1.5.0 -> v1.10.0
• go.yaml.in/yaml/v2 v2.4.2 -> v2.4.3
• golang.org/x/crypto v0.41.0 -> v0.49.0
• golang.org/x/mod v0.29.0 -> v0.35.0
• golang.org/x/net v0.43.0 -> v0.52.0
• golang.org/x/oauth2 v0.30.0 -> v0.35.0
• golang.org/x/sync v0.17.0 -> v0.20.0
• golang.org/x/sys v0.37.0 -> v0.43.0
• golang.org/x/term v0.34.0 -> v0.41.0
• golang.org/x/text v0.28.0 -> v0.35.0
• golang.org/x/time v0.14.0 -> v0.15.0
• google.golang.org/genproto/googleapis/api a7a43d2 -> 9d38bb4
• google.golang.org/genproto/googleapis/rpc a7a43d2 -> 6f92a3b
• google.golang.org/grpc v1.76.0 -> v1.80.0
• google.golang.org/protobuf v1.36.10 -> f2248ac
• k8s.io/api v0.34.1 -> v0.36.0
• k8s.io/apimachinery v0.34.1 -> v0.36.0
• k8s.io/client-go v0.34.1 -> v0.36.0
• k8s.io/component-base v0.36.0 new
• k8s.io/cri-api v0.34.1 -> v0.36.0
• k8s.io/cri-client v0.36.0 new
• k8s.io/cri-streaming v0.36.0 new
• k8s.io/klog/v2 v2.130.1 -> v2.140.0
• k8s.io/kube-openapi 5883c5e new
• k8s.io/streaming v0.36.0 new
• k8s.io/utils 4c0f3b2 -> 28399d8
• sigs.k8s.io/json cfa47c3 -> 2d32026
• sigs.k8s.io/structured-merge-diff/v6 v6.3.0 -> v6.3.2
• tags.cncf.io/container-device-interface v1.0.1 -> v1.1.0
• tags.cncf.io/container-device-interface/specs-go v1.0.0 -> v1.1.0

Previous release can be found at v2.2.0

Which file should I download?

• containerd-<VERSION>-<OS>-<ARCH>.tar.gz: ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
• containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz: Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install runc
and CNI plugins from their official sites too.

See also the Getting Started documentation.

v2.2.4: containerd 2.2.4

Compare Source

Welcome to the v2.2.4 release of containerd!

The fourth patch release for containerd 2.2 contains various fixes
and updates including security patches.

• containerd

  • CVE-2026-46680

• go-jose

  • CVE-2026-34986

• Use mount manager during image volume processing to support snapshotters that require writable block volumes (e.g., EROFS) (#​13242)

• Fix handling of out-of-range USER values in OCI spec to avoid unexpected username/group lookups (#​13448)

• Apply hardening to block AF_ALG in default socket policy (#​13408)

• Fix bugs in sandbox service affecting sandbox creation configuration and event publishing (#​13266)

• Set AppArmor abi conditionally to support versions < 3.0 (#​13275)

• Disable overlay "rebase" capability when running in a user namespace to fix layer extraction failures (#​13393)

• Support both "volatile" and "fsync=volatile" mount options for volatile snapshotter (#​13296)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

• Wei Fu
• Akihiro Suda
• Chris Henzie
• Paweł Gronowski
• Samuel Karp
• Brian Goff
• Champ-Goblem
• Chris Chang
• LEI WANG
• Phil Estes
• William Myers

21 commits

• oci: return explicit error for out-of-range USER values (#​13448)
  • d20c6267b oci: return explicit error for out-of-range USER values
• seccomp: Block AF_ALG in default socket policy (#​13408)
  • db34dc4b4 seccomp: Block AF_ALG in default socket policy
  • 214b141ee seccomp: Document socket rule scope and socketcall limitation
• update Go to 1.25.10, 1.26.3 (#​13375)
  • c2b1856fa update Go to 1.25.10, 1.26.3
• overlay: disable "rebase" capability when running in UserNS (#​13393)
  • 63874d262 overlay: disable "rebase" capability when running in UserNS
• Support both styles of volatile mount option (#​13296)
  • 2c7d48acf Support both styles of volatile mount option
• Bump go-jose/go-jose to v4.1.4 to fix GHSA-78h2-9frx-2jm8 (#​13292)
  • 80311db63 chore: update go-jose for CVE-2026-34986
• sandbox: forward Create fields, fix event topics (#​13266)
  • caa29a741 sandbox: forward Create fields, fix event topics
• apparmor: Set abi conditionally (#​13275)
  • 5ab0a1206 apparmor: Set abi conditionally
• Parameterize K8s version in node-e2e workflow (#​13247)
  • f9c34f7b1 Parameterize K8s version in node-e2e workflow
• cri: use mount manager when image has volumes (#​13242)
  • 39dc2a475 cri: use mount manager when image has volumes

• github.com/go-jose/go-jose/v4 v4.1.3 -> v4.1.4

Previous release can be found at v2.2.3

• containerd-<VERSION>-<OS>-<ARCH>.tar.gz: ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
• containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz: Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install runc
and CNI plugins from their official sites too.

See also the Getting Started documentation.

v2.2.3: containerd 2.2.3

Compare Source

Welcome to the v2.2.3 release of containerd!

The third patch release for containerd 2.2 contains various fixes
and updates including a security patch.

Security Updates

• spdystream
  • CVE-2026-35469

Highlights

Container Runtime Interface (CRI)

• Preserve cgroup mount options for privileged containers (#​13120)
• Ensure UpdatePodSandbox returns Unimplemented instead of a generic error (#​13023)

Go client

• Handle absolute symlinks in rootfs user lookup to fix regressions when using Go 1.24 (#​13015)

Image Distribution

• Enable mount manager in diff walking to fix layer extraction errors with some snapshotters (e.g., EROFS) (#​13198)
• Apply hardening to prevent TOCTOU race during tar extraction (#​12971)

Runtime

• Restore support for client-mounted roots in Windows containers using process isolation (#​13195)
• Update runc to v1.3.5 (#​13061)
• Apply absolute symlink resolution to /etc/group in OCI spec to fix lookups on NixOS-style systems (#​13019)
• Handle absolute symlinks in rootfs user lookup to fix regressions when using Go 1.24 (#​13015)

Snapshotters

• Fix bug that caused whiteouts to be ignored when parallel unpack was used (#​13125)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Samuel Karp
• Sebastiaan van Stijn
• Maksym Pavlenko
• Chris Henzie
• Derek McGowan
• Paulo Oliveira
• Henry Wang
• Phil Estes
• Wei Fu
• Akihiro Suda
• Gao Xiang
• Ricardo Branco
• Shachar Tal

Changes

40 commits

• Prepare release notes for v2.2.3 (#​13224)
  • 8a0f4ed5d Prepare release notes for v2.2.3
• update github.com/moby/spdystream v0.5.1 (#​13217)
  • 31bd34a06 update github.com/moby/spdystream v0.5.1
• vendor: github.com/klauspost/compress v1.18.5 (#​13197)
  • 1336f6c45 vendor: github.com/klauspost/compress v1.18.5
• diff/walking: enable mount manager (#​13198)
  • 409f75be8 diff/walking: enable mount manager
• update runhcs to v0.14.1 (#​13195)
  • 3f33146c1 update runhcs to v0.14.1
• vendor: github.com/Microsoft/hcsshim v0.14.1 (#​13196)
  • 8bd1b74e5 vendor: github.com/Microsoft/hcsshim v0.14.1
  • c6b0be8e1 vendor: github.com/Microsoft/hcsshim v0.14.0
• update to Go 1.25.9, 1.26.2 (#​13190)
  • 2ecde8cfe update to Go 1.25.9, 1.26.2
• Skip TestExportAndImportMultiLayer on s390x (#​13154)
  • be554f478 Skip TestExportAndImportMultiLayer on s390x
• Tweak mount info for overlayfs in case of parallel unpack (#​13125)
  • 660de195b Tweak mount info for overlayfs in case of parallel unpack
  • bc9274a4b Add integration test for issue 13030
• Preserve cgroup mount options for privileged containers (#​13120)
  • c387890b5 Add integration test for privileged container cgroup mounts
  • 047a335a6 Forward RUNC_FLAVOR env var down to integration tests
  • 9b2d72ee0 Preserve host cgroup mount options for privileged containers
  • 5b66cd6a0 Move cgroup namespace placement higher in spec builder
• update runc binary to v1.3.5 (#​13061)
  • 584205c2f [release/2.2] update runc binary to v1.3.5
• Fix vagrant on CI (#​13066)
  • 77c6886df Ignore NOCHANGE error
• Fix TOCTOU race bug in tar extraction (#​12971)
  • fbed68b8f Fix TOCTOU race bug in tar extraction
• cri: UpdatePodSandbox should return Unimplemented (#​13023)
  • a83510103 cri: UpdatePodSandbox should return Unimplemented
• fix(oci): apply absolute symlink resolution to /etc/group (#​13019)
  • ee4179e52 fix(oci): apply absolute symlink resolution to /etc/group
• fix(oci): handle absolute symlinks in rootfs user lookup (#​13015)
  • fd061b848 test(oci): use fstest and mock fs for better symlink coverage
  • 5d44d2c22 fix(oci): handle absolute symlinks in rootfs user lookup
• update to go1.25.8, test go1.26.1 (#​13011)
  • 00c776f07 update to go1.25.8, test go1.26.1

Dependency Changes

• github.com/Microsoft/hcsshim v0.14.0-rc.1 -> v0.14.1
• github.com/klauspost/compress v1.18.1 -> v1.18.5
• github.com/moby/spdystream v0.5.0 -> v0.5.1

Previous release can be found at v2.2.2

Which file should I download?

• containerd-<VERSION>-<OS>-<ARCH>.tar.gz: ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
• containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz: Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install runc
and CNI plugins from their official sites too.

See also the Getting Started documentation.

v2.2.2: containerd 2.2.2

Compare Source

Welcome to the v2.2.2 release of containerd!

The second patch release for containerd 2.2 contains various fixes and improvements.

Highlights

Container Runtime Interface (CRI)

• Fix migrated CRI image config when using legacy registry mirrors (#​12987)
• Unpack images with per-layer labels for runtime-specific snapshotters (#​12936)
• Fix CNI issue where DEL is never executed after a restart (#​12926)
• Harden error handling to strip potentially-sensitive registry parameters (#​12804)
• Fix nil pointer dereference in container spec memory metrics when memory constraints are not fully configured (#​12731)
• Use the specified runtime handler when pulling images (#​12721)
• Reduce noisy CDI logs (#​12717)
• Fix regression for pulling encrypted images (#​12712)

Runtime

• Fix unintended dropping of mount flags for read-only bind-mounts in user namespaces (#​12944)
• Fix AppArmor bug disallowing unix domain sockets on newer kernels (#​12897)

ctr development tool

• Fix ctr image mount failing with "no such device" (#​12831)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Maksym Pavlenko
• Akhil Mohan
• Samuel Karp
• Wei Fu
• Michael Zappa
• Phil Estes
• Fabiano Fidêncio
• Jérôme Poulin
• Luke Hinds
• Aadhar Agarwal
• Akihiro Suda
• Alex Chernyakhovsky
• Chris Adeniyi-Jones
• Kazuyoshi Kato
• Rodrigo Campos
• Sebastiaan van Stijn
• You Binhao
• ningmingxiao
• qiuxue

Changes

48 commits

• Prepare release notes for v2.2.2 (#​12998)
  • 7e6ecf434 Prepare release notes for v2.2.2
• Fix migrated CRI image config when using legacy registry mirrors (#​12987)
  • a20dead7c set default config_path in plugin init
• Unpack images with per-layer labels for runtime-specific snapshotters (#​12936)
  • a5f83d8c2 cri: unpack images with per-layer labels for runtime-specific snapshotters
• ci: modprobe xt_comment on almalinux (#​12957)
  • 68855cb0b ci: modprobe xt_comment on almalinux
• Fix unintended dropping of mount flags for read-only bind-mounts in user namespaces (#​12944)
  • ef7a8beb3 core/mount: add test for getUnprivilegedMountFlags
  • 07b2cc07e core/mount: fix getUnprivilegedMountFlags iterating over indices instead of values
• Fix CNI issue where DEL is never executed after a restart (#​12926)
  • 54101116f add integration test for cni result nil
  • d44c4384e address comment
  • f1835270b fix issue where cni del is never executed
• Fix AppArmor bug disallowing unix domain sockets on newer kernels (#​12897)
  • 6c05047b4 apparmor: explicitly set abi/3.0
• ci: add build/test go1.26.0, drop go1.24 (#​12917)
  • 5dbf1b915 update golangci-lint to v2.9.0 with go1.26 support
  • 8ec695ebe remove windows/arm from cross build
  • b9c22a6e3 ci: build/test go1.26.0
• integration: Fix TestImageLoad() failure on CI (#​12906)
  • 09b876a81 integration: Fix TestImageLoad() failure on CI
• cri: Fix image volumes with user namespaces (#​12885)
  • 172ba65b6 cri: Fix image volumes with user namespaces
• update to go1.24.13, go1.25.7 (#​12871)
  • b4240ef87 update to go1.24.13, go1.25.7
  • 94dbfaea7 ci: bump go 1.24.12, 1.25.6
• ci: set fetch-depth for containerd to 0 for version parsing (#​12875)
  • e46a7a286 set fetch-depth for containerd to 0 for version parsing
• Fix ctr image mount failing with "no such device" (#​12831)
  • 1d7908273 core/mount/manager: fix bind mount missing rbind option
  • 3d509bcd3 core/mount/manager: add tests for WithTemporary option
• Harden error handling to strip potentially-sensitive registry parameters (#​12804)
  • cb3ae2119 fix: sanitize error before gRPC return to prevent credential leak in pod events
• bump google.golang.org/grpc from 1.76.0 to 1.78.0 (#​12739)
  • 533a2552e build(deps): bump google.golang.org/grpc from 1.77.0 to 1.78.0
  • b120237fb build(deps): bump google.golang.org/grpc from 1.76.0 to 1.77.0
• Fix nil pointer dereference in container spec memory metrics when memory constraints are not fully configured (#​12731)
  • 4be4e5156 Fix nil pointer dereference in container spec memory metrics
• cri: emit warning for concurrent CreateContainer (#​12735)
  • a76eb698a cri: emit warning for concurrent CreateContainer
• Use the specified runtime handler when pulling images (#​12721)
  • 3d2e188b1 cri: Use the runtimeHandler parameter in PullImage
• Reduce noisy CDI logs (#​12717)
  • 633057382 cri: move noisy CDI logs to debug level
• Fix regression for pulling encrypted images (#​12712)
  • 8a7409e2e Reinstate image decryption

Dependency Changes

• github.com/go-jose/go-jose/v4 v4.1.2 -> v4.1.3
• go.opentelemetry.io/auto/sdk v1.1.0 -> v1.2.1
• go.opentelemetry.io/otel v1.37.0 -> v1.38.0
• go.opentelemetry.io/otel/metric v1.37.0 -> v1.38.0
• go.opentelemetry.io/otel/sdk v1.37.0 -> v1.38.0
• go.opentelemetry.io/otel/trace v1.37.0 -> v1.38.0
• golang.org/x/oauth2 v0.30.0 -> v0.32.0
• google.golang.org/genproto/googleapis/api a7a43d2 -> ab9386a
• google.golang.org/genproto/googleapis/rpc a7a43d2 -> ab9386a
• google.golang.org/grpc v1.76.0 -> v1.78.0

Previous release can be found at v2.2.1

Which file should I download?

• containerd-<VERSION>-<OS>-<ARCH>.tar.gz: ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
• containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz: Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install runc
and CNI plugins from their official sites too.

See also the Getting Started documentation.

v2.2.1: containerd 2.2.1

Compare Source

Welcome to the v2.2.1 release of containerd!

The first patch release for containerd 2.2 contains various fixes and improvements.

Highlights

Container Runtime Interface (CRI)

• Redact all query parameters in CRI error logs (#​12546)

Image Distribution

• Fix image defaults on Darwin to usable configuration (#​12544)
• Fix possible panic from WithMediaTypeKeyPrefix (#​12516)

Runtime

• Update runc binary to v1.3.4 (#​12593)
• Fix parsing of hugetlb..events files (containerd/cgroups#379)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Krisztian Litkey
• Markus Lehtonen
• Akihiro Suda
• Mike Brown
• Sebastiaan van Stijn
• Derek McGowan
• Heran Yang
• Wei Fu
• Phil Estes
• Samuel Karp
• Austin Vazquez
• Sascha Grunert
• Akhil Mohan
• Andrey Noskov
• Brian Goff
• CrazyMax
• Davanum Srinivas
• Gaurav Ghildiyal
• Neeraj Krishna Gopalakrishna
• Paweł Gronowski
• Tariq Ibrahim
• TomerLev
• Tõnis Tiigi
• bo.jiang
• ningmingxiao

Changes

53 commits

• Prepare release notes for v2.2.1 (#​12677)
  • f6bae1f88 Prepare release notes for v2.2.1
• cri,nri: bump NRI dependencies to v0.11.0 (#​12701)
  • c22cf5d49 cri,nri: pass any linux security profile to plugins.
  • d7532de75 cri,nri: pass any linux RDT constraints to plugins.
  • ef36e6181 cri,nri: pass any linux net devices to plugins.
  • d56faf426 cri,nri: pass any linux scheduler attributes to plugins.
  • e1824d261 cri,nri: pass any linux I/O priority to plugins.
  • 01d5490ae go.{mod,sum}: bump NRI deps to v0.11.0, re-vendor.
• pkg/tracing: HTTPStatusCodeAttributes: remove use of deprecated SemConv const (#​12697)
  • 58d23ab63 pkg/tracing: HTTPStatusCodeAttributes: remove use of deprecated SemConv const
• cri/nri: short-circuit nil adjustment. (#​12672)
  • 05ccbb3a7 cri/nri: short-circuit nil adjustment.
• go.{mod,sum}: bump CDI deps to v1.1.0. (#​12664)
  • [c166a577d](https://redirect.github.com/containerd/containerd/commit/

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
  • Only on Sunday and Saturday (* * * * 0,6)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 1 additional dependency was updated

Details:

Package	Change
github.com/containernetworking/plugins	v1.4.1 -> v1.5.1

[dd-prapprover]

PRApprover will approve and merge this PR, FAQ, #dx-source-code-management

🛠️ PRApproval Status

• ✅ PR is eligible for auto-approval by rule datadog-agent-renovate - 2026-06-05T12:14:23Z
• ⬜ CI tests passed
• ⬜ Approved
• Manual merge required: this rule does not auto-merge.

➡️ Current phase: CI tests failed. Please fix the failing tests to continue.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 6015cc9797

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Keep the containerd/v2 requirement consistent with the replace

This newly declares github.com/containerd/containerd/v2 at v2.3.1, but the existing replace github.com/containerd/containerd/v2 => ... v2.0.9 later in this same go.mod still forces every /v2 import to build with v2.0.9. In contexts that rely on this PR to pick up the v2.3.1 fixes, the build remains pinned to the older version; either update/remove the replace and resolve the runtime-spec pin conflict called out there, or keep the require at the actually selected version.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Avoid downgrading the v1 containerd module

The repo still has production imports of the old module path, e.g. comp/core/workloadmeta/collectors/internal/containerd and pkg/util/containerd import github.com/containerd/containerd/..., not /v2, so this added direct requirement makes those users resolve to v1.7.30 after the previous v1.7.32 requirement was removed. That silently drops the last two v1.7.x patch releases for existing containerd integrations instead of upgrading them; keep the v1 requirement at least at v1.7.32 unless all old-path imports are migrated.

Useful? React with 👍 / 👎.

[datadog-datadog-prod-us1]

✨ Fix all issues with BitsAI

⚠️ Warnings

🚦 1 Pipeline job failed

DataDog/datadog-agent | bazel:mod-tidy     

See error

Failed to run 'bazel mod tidy' command. Job terminated with exit code 1 due to missing repository declaration for 'com_github_containerd_containerd_v2'.

Useful? React with 👍 / 👎

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 810e09c | Docs | Datadog PR Page | Give us feedback!}

[dd-octo-sts]

Files inventory check summary

File checks results against ancestor cdba151f:

Results for datadog-agent_7.81.0~devel.git.544.8f685fc.pipeline.117227567-1_amd64.deb:

No change detected

[dd-octo-sts]

Static quality checks

✅ Please find below the results from static quality gates
Comparison made with ancestor cdba151
📊 Static Quality Gates Dashboard
🔗 SQG Job

32 successful checks with minimal change (< 2 KiB)

	Quality gate	Current Size
✅	agent_deb_amd64	753.335 MiB
✅	agent_deb_amd64_fips	709.118 MiB
✅	agent_heroku_amd64	312.146 MiB
✅	agent_rpm_amd64	753.319 MiB
✅	agent_rpm_amd64_fips	709.101 MiB
✅	agent_rpm_arm64	728.631 MiB
✅	agent_rpm_arm64_fips	688.157 MiB
✅	agent_suse_amd64	753.319 MiB
✅	agent_suse_amd64_fips	709.101 MiB
✅	agent_suse_arm64	728.631 MiB
✅	agent_suse_arm64_fips	688.157 MiB
✅	docker_agent_amd64	812.892 MiB
✅	docker_agent_arm64	813.228 MiB
✅	docker_agent_jmx_amd64	1003.832 MiB
✅	docker_agent_jmx_arm64	992.821 MiB
✅	docker_cluster_agent_amd64	209.734 MiB
✅	docker_cluster_agent_arm64	222.847 MiB
✅	docker_cws_instrumentation_amd64	7.447 MiB
✅	docker_cws_instrumentation_arm64	6.877 MiB
✅	docker_dogstatsd_amd64	39.829 MiB
✅	docker_dogstatsd_arm64	37.883 MiB
✅	docker_host_profiler_amd64	304.601 MiB
✅	docker_host_profiler_arm64	315.725 MiB
✅	dogstatsd_deb_amd64	30.490 MiB
✅	dogstatsd_deb_arm64	28.487 MiB
✅	dogstatsd_rpm_amd64	30.490 MiB
✅	dogstatsd_suse_amd64	30.490 MiB
✅	iot_agent_deb_amd64	45.615 MiB
✅	iot_agent_deb_arm64	42.338 MiB
✅	iot_agent_deb_armhf	43.129 MiB
✅	iot_agent_rpm_amd64	45.616 MiB
✅	iot_agent_suse_amd64	45.615 MiB

[cit-pr-commenter-54b7da]

Regression Detector

Regression Detector Results

Metrics dashboard
Target profiles
Run ID: d7a1b64e-4f06-4cc0-8ab3-538e32eedf5b

Baseline: cdba151
Comparison: 8f685fc
Diff

Optimization Goals: ✅ No significant changes detected

Fine details of change detection per experiment

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	quality_gate_logs	% cpu utilization	+0.89	[-0.14, +1.92]	1	Logs bounds checks dashboard
➖	quality_gate_metrics_logs	memory utilization	+0.17	[-0.07, +0.41]	1	Logs bounds checks dashboard
➖	quality_gate_idle	memory utilization	+0.17	[+0.11, +0.22]	1	Logs bounds checks dashboard
➖	quality_gate_idle_all_features	memory utilization	-0.03	[-0.07, +0.01]	1	Logs bounds checks dashboard

Bounds Checks: ✅ Passed

perf	experiment	bounds_check_name	replicates_passed	observed_value	links
✅	quality_gate_idle	intake_connections	10/10	3 ≤ 4	bounds checks dashboard
✅	quality_gate_idle	memory_usage	10/10	145.83MiB ≤ 147MiB	bounds checks dashboard
✅	quality_gate_idle	total_bytes_received	10/10	731.95KiB ≤ 819.20KiB	bounds checks dashboard
✅	quality_gate_idle_all_features	intake_connections	10/10	3 ≤ 4	bounds checks dashboard
✅	quality_gate_idle_all_features	memory_usage	10/10	478.80MiB ≤ 495MiB	bounds checks dashboard
✅	quality_gate_idle_all_features	total_bytes_received	10/10	1.12MiB ≤ 1.25MiB	bounds checks dashboard
✅	quality_gate_logs	intake_connections	10/10	3 ≤ 6	bounds checks dashboard
✅	quality_gate_logs	memory_usage	10/10	180.57MiB ≤ 195MiB	bounds checks dashboard
✅	quality_gate_logs	missed_bytes	10/10	0B = 0B	bounds checks dashboard
✅	quality_gate_logs	total_bytes_received	10/10	264.43MiB ≤ 292MiB	bounds checks dashboard
✅	quality_gate_metrics_logs	cpu_usage	10/10	342.85 ≤ 2000	bounds checks dashboard
✅	quality_gate_metrics_logs	intake_connections	10/10	4 ≤ 6	bounds checks dashboard
✅	quality_gate_metrics_logs	memory_usage	10/10	370.39MiB ≤ 430MiB	bounds checks dashboard
✅	quality_gate_metrics_logs	missed_bytes	10/10	0B = 0B	bounds checks dashboard
✅	quality_gate_metrics_logs	total_bytes_received	10/10	0.94GiB ≤ 1.04GiB	bounds checks dashboard

Explanation

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

Performance changes are noted in the perf column of each table:

• ✅ = significantly better comparison variant performance
• ❌ = significantly worse comparison variant performance
• ➖ = no significant change in performance

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

3. Its configuration does not mark it "erratic".

Replicate Execution Details

We run multiple replicates for each experiment/variant. However, we allow replicates to be automatically retried if there are any failures, up to 8 times, at which point the replicate is marked dead and we are unable to run analysis for the entire experiment. We call each of these attempts at running replicates a replicate execution. This section lists all replicate executions that failed due to the target crashing or being oom killed.

Note: In the below tables we bucket failures by experiment, variant, and failure type. For each of these buckets we list out the replicate indexes that failed with an annotation signifying how many times said replicate failed with the given failure mode. In the below example the baseline variant of the experiment named experiment_with_failures had two replicates that failed by oom kills. Replicate 0, which failed 8 executions, and replicate 1 which failed 6 executions, all with the same failure mode.

Experiment	Variant	Replicates	Failure	Logs	Debug Dashboard
experiment_with_failures	baseline	0 (x8) 1 (x6)	Oom killed		Debug Dashboard

The debug dashboard links will take you to a debugging dashboard specifically designed to investigate replicate execution failures.

❌ Retried Profiling Replicate Execution Failures (ddprof)

Note: Profiling replicas may still be executing. See the debug dashboard for up to date status.

Experiment	Variant	Replicates	Failure	Debug Dashboard
quality_gate_idle	baseline	10	Oom killed	Debug Dashboard
quality_gate_idle	comparison	10	Oom killed	Debug Dashboard
quality_gate_idle_all_features	baseline	10	Oom killed	Debug Dashboard
quality_gate_idle_all_features	comparison	10	Oom killed	Debug Dashboard
quality_gate_logs	baseline	10	Oom killed	Debug Dashboard
quality_gate_logs	comparison	10	Oom killed	Debug Dashboard
quality_gate_metrics_logs	baseline	10	Oom killed	Debug Dashboard
quality_gate_metrics_logs	comparison	10	Oom killed	Debug Dashboard

CI Pass/Fail Decision

✅ Passed. All Quality Gates passed.

• quality_gate_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check total_bytes_received: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_idle_all_features, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_idle_all_features, bounds check total_bytes_received: 10/10 replicas passed. Gate passed.
• quality_gate_idle_all_features, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check total_bytes_received: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check cpu_usage: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check total_bytes_received: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check intake_connections: 10/10 replicas passed. Gate passed.